virus or not?



DragonSlayer
2007-02-24, 16:26
Can anybody make heads or tails as to whether this is a virus or not?

S&D detected nothing either.

steamwiz
2007-02-24, 19:56
Hi

We need a bit more information... like the name of the file, its location... what program found it?

The first jpg shows the file you uploaded... the second shows the file which was uploaded before yours (by the look of it).

It would be better if you copied & pasted the full results from the scan as well; you have not shown vital parts from the top & bottom of the scan.

steam

DragonSlayer
2007-02-25, 01:46
This is the full scan of the file, which is a zipped file of WinZip 10. Both reports are of the same file at the same time, with the various apps being run sequentially and subsequently posting those results.

On board scanners: S&D found nothing
a-squared found nothing
AVG Free "Virus found Proxy"

Online scanners: Trend Micro found nothing
Panda found nothing
After all the scanning I thought that AVG was a false positive, but AVG can provide no information on this. After googling I decided to run the above scan, which returned the above results. Seems to be a mix of different results. Still leaning towards a false positive as the majority of the most well-known show nothing.
The one online scanner that I had used in the past, "MWAV", which had found hidden trojan files when no other could, I am unable to use because on repair it deletes my Quickbooks files, with no option to select individual files to scan or repair. Will check tomorrow AM to see if perhaps they have changed things to give me more options.
Am one to be safe rather than sorry.

steamwiz
2007-02-25, 01:55
A download of WinZip 10 ?

It wouldn't be a crack by any chance, & you want to be sure it is safe before running it ?

steam

DragonSlayer
2007-02-25, 02:07
yes

Running for over a year, didn't start getting a hit from AVG until about 3 weeks ago.
Doing a google on the "PCK/NS Pack" packer does concern me now, as it is possible that it is a clever bot program. The only listing was in what appears to be Spanish and, translating, if it is in fact this it is a bot, but then again maybe not.

DragonSlayer
2007-02-25, 02:14
This is what came up when I googled the PCK/NSPack packer shown in the Antivir hit:

3 - Mytob.PJ. It installs a BOT and controls the PC via IRC
_____________________________________________________________

http://www.vsantivirus.com/mytob-pj.htm

Name: Mytob.PJ
NOD32 name: Win32/Mytob.PJ
Type: Internet worm
Aliases: Mytob.PJ, Backdoor.Win32.PcClient.GV, Email Worm.Mydoom.22, I-Worm/Mytob.AHE, Net-Worm.Win32.Mytob.bi, Trojan-Downloader.Win32.Agent.mg, W32/MyTob.DJ!net, W32/Mytob.gen, W32/Mytob.gen@MM, W32/Mytob-DJ, Win32.Worm.Mytob.X.Gen, Win32/Mytob.PJ, Worm.Mytob.bi, Worm/Mytob.ND
Date: 20/feb/06
Platform: Windows 32-bit
Size: 34.676 bytes (NSPACK)

Worm that propagates massively by e-mail. It uses the functionality of a BOT-type trojan to control the infected PC via IRC. A BOT is a robot program that acts like a user and is prepared to respond or act automatically by executing certain commands. It also modifies the HOSTS file to prevent the user from accessing certain pages and the update sites of certain antivirus products, and it is able to terminate certain tasks related to several security applications.

When executed, it creates the following file in the system folder:

c:\windows\system32\winsvc32.exe

NOTE: "c:\windows\system32" can vary according to the installed operating system (that name by default in Windows XP and Windows Server 2003, "c:\winnt\system32" in Windows NT and 2000, and "c:\windows\system" in Windows 9x and ME).

The worm modifies the following registry branches to ensure it runs automatically on each restart of the infected computer:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM = c:\windows\system32\winsvc32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM = c:\windows\system32\winsvc32.exe

It modifies the values of the following registry entry to change the Internet security zone configuration:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\InternetSettings\Zones\3

In Windows XP with SP2 it also modifies the following entry to lower the security level of the infected computer (firewall policy):

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start = "4"

The worm propagates by e-mail, sending itself as an attachment to all e-mail addresses found in various files on the infected machine. To do this, it obtains addresses from the Windows Address Book and from all files in the following folders:

C:\WINDOWS\Temporary Internet Files\
C:\Documents and Settings\[user]\Local Settings\Temporary Internet Files\
c:\windows\system32\

It also looks for addresses in files with the following extensions, on all local drives from C: inclusive:

adb asp cgi dbx htm html jsp php sht tbb txt wab xml

The worm avoids sending itself to addresses whose name contains any of the following strings:

-. _ -._!@ edu gov mil abuses accoun acketst admin anyone arin. avp Berkeley borlan bsd bugs certific contact example feste Fido foo. fsf. gnu gold-certs google gov. help hotmail IANA ibm.com icrosof icrosoft IETF info inpris isc.o isi.e kernel linux listserv math mit.e mozilla msn. mydomai nobody nodomai noone not nothing ntivi page bulging PGP postmaster privacy sendmail rating RFC-ED ripe. root ruslis samples secur service site soft somebody someone sopho Spam spm submit support syma tanford.e the.bat UNIX Usenet utgers.ed to webmaster www you your

The worm uses its own SMTP engine to send the messages.
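The persistence and self-protection indicators in the write-up quoted above (autorun values under Run and RunServices that launch winsvc32.exe, the SharedAccess service switched to Start = 4, and HOSTS entries that block antivirus update sites) can be checked mechanically. The following Python script is an added example written for this thread; it is not code from the forum, from vsantivirus or from any AV vendor. It works on plain Python structures rather than the live registry so it runs anywhere: `registry` is assumed to be a dict mapping a key path to its value names and data (as you would build from a `reg export`), `hosts_text` is assumed to be the text of the HOSTS file, and the vendor-name fragments used for the HOSTS check are an assumed watch list (borrowed from the vendor-like strings in the post's own avoid-list, plus grisoft, AVG's vendor mentioned later in the thread). The sample registry and HOSTS data at the bottom are constructed, not captured from a real machine.

```python
"""Checks for the Mytob.PJ persistence and hardening indicators quoted in the thread.

Added illustration for this thread, not code from the forum or from any AV vendor.
All inputs are plain Python structures; the sample data below is constructed.
"""
import re
from dataclasses import dataclass

# Indicators taken from the quoted write-up: the dropped file name, the two
# autorun keys it writes, and the firewall service whose start type it sets to 4.
DROPPED_FILE = "winsvc32.exe"
AUTORUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
FIREWALL_SERVICE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
SERVICE_DISABLED = "4"

# Assumed watch list: the write-up only says the worm blocks "update sites of
# certain antivirus products", so these fragments are illustrative, not from it.
AV_NAME_FRAGMENTS = ("avp", "syma", "sopho", "ntivi", "grisoft")


@dataclass
class Finding:
    kind: str
    detail: str


def check_autoruns(registry):
    """registry: {key_path: {value_name: data}}. Flags autorun data naming the dropped file."""
    findings = []
    for key in AUTORUN_KEYS:
        for name, data in registry.get(key, {}).items():
            if DROPPED_FILE in data.lower():
                findings.append(Finding("autorun", f"{key}\\{name} = {data}"))
    return findings


def check_firewall_service(registry):
    """Flags the SharedAccess (Windows Firewall/ICS) service if its Start type is 4 (disabled)."""
    start = registry.get(FIREWALL_SERVICE_KEY, {}).get("Start")
    if start == SERVICE_DISABLED:
        return [Finding("firewall_disabled", f"{FIREWALL_SERVICE_KEY}\\Start = {start}")]
    return []


HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(\S+)")


def check_hosts(hosts_text):
    """Flags HOSTS entries that pin a security-vendor-looking host name to any address."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        match = HOSTS_LINE.match(line)
        if not match:
            continue
        addr, host = match.groups()
        if any(frag in host.lower() for frag in AV_NAME_FRAGMENTS):
            findings.append(Finding("hosts_block", f"{host} -> {addr}"))
    return findings


def scan(registry, hosts_text):
    """Runs all three checks and returns the combined list of findings."""
    return check_autoruns(registry) + check_firewall_service(registry) + check_hosts(hosts_text)


# Constructed sample state mirroring the write-up (not a real machine).
SAMPLE_REGISTRY = {
    AUTORUN_KEYS[0]: {
        "WINDOWS SYSTEM": r"c:\windows\system32\winsvc32.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",   # benign entry, must not be flagged
    },
    AUTORUN_KEYS[1]: {"WINDOWS SYSTEM": r"c:\windows\system32\winsvc32.exe"},
    FIREWALL_SERVICE_KEY: {"Start": "4"},
}
SAMPLE_HOSTS = """# constructed sample HOSTS file
127.0.0.1 localhost
127.0.0.1 update.grisoft.com
127.0.0.1 liveupdate.symantec.com
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_REGISTRY, SAMPLE_HOSTS):
        print(f"[{finding.kind}] {finding.detail}")
```

On a real Windows machine you would fill `registry` from a `reg export` of the three keys and read `hosts_text` from `%SystemRoot%\system32\drivers\etc\hosts`; the checks themselves stay the same, and a clean machine returns an empty list.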

DragonSlayer
2007-02-25, 02:32
When I google the Virusbuster result "virus Packed/NSPack", the following comes back: NSPack is an advanced Win64/32/.NET executable file compressor, capable of reducing the file size of 64-bit and 32-bit Windows programs by as much as 60%. (NSPack's compression ratio improves upon the industry-standard zip file format by as much as 10-20%.) NSPack makes Windows 95/98/NT/2000/XP/2003 programs and libraries smaller, and decreases load times across networks and download times from the internet.

But it also says that it could be disguised from the hit, some information about the dolphins; as I know that I didn't open any emails or go to any sites about the dolphins, it can't be a trojan from that.

How does one go about verifying whether it is or isn't a trojan?

To me the above makes more sense, as it is a compression program.

DragonSlayer
2007-02-25, 15:11
Latest progress:

Downloaded mwave from Microworld. Ran it in scan-only mode, checking the file in question first; no hit. Ran in scan-only mode for memory locations: 9 critical hits, 156 errors. Ran scan-only for the registry: same 9 hits and same 156 errors.
Progressed through the different check-location options.

One thing that bothered me was that of the 9 critical hits, 3 were for "gain-gator", 3 were for "Inkjets" and then a couple of others. So I ran one of the onboard scanners which is supposed to look for the "gain-gator"; it failed to detect any problems.

Went back to mwave and reran in clean mode, once again going step by step: memory, registry, files, etc.

All indicated files and hits removed. The only problem so far is that upon initial connect to the internet it asked if I wanted to restore Yahoo as home page; checked yes and went on my merry way. AVG is running as I type, so will post the results upon conclusion.

DragonSlayer
2007-02-27, 01:41
AVG still showing "virus found proxy". Unable to ask for help from them to explain - server is always busy.

Fortunately mwave seems to have corrected the previous problem that I had, as all is well with the Quicken files and folders.

steamwiz
2007-02-28, 20:57
Hi

"virus found proxy" could well be a false positive from AVG's heuristic scanner...

Have the actual file scanned at jotti or virustotal...

If it appears to be a false positive, compress (zip, arc, tar etc) the file using a password and email a copy to virus@grisoft.com with a brief description, as well as the password you used to archive it with.

If it is a false positive, turn off AVG's heuristic scanning, and scan again...

If it shows clean, that still doesn't mean the file is clean, but it will confirm that it is AVG's heuristics which is finding it.

steam

DragonSlayer
2007-03-02, 01:06
Thanks for the site: All but one, including AVG, "no virus found"

Prevx1 V2 03.02.2007 Generic.Email.Worm

Would tend to submit as false positive.

Again, Thanks for the reply and site, will have to bookmark:)

steamwiz
2007-03-02, 01:15
You're welcome...

did you scan with AVG with the heuristic scanner turned off ?...


To turn off AVG's heuristic scanning...

1. Right click the AVG icon in the systray & Launch AVG Control Center

2. Right click Resident shield > Properties > Un-check Use Heuristic analysis > apply > OK

Scan with AVG again...

If it shows clean, that still doesn't mean the file is clean, but it will confirm that it is AVG's heuristics which is finding it.

Then send it to virus@grisoft.com & let them check it out ...

steam

DragonSlayer
2007-03-02, 13:46
Heuristic scanning was turned off and still a hit on both files and the System32/.dll file change.
Both, even though the same program, just in two different locations, have been sent to Grisoft as requested. Did not zip as they are already zipped files, only in rar.

DragonSlayer
2007-03-02, 16:26
steamwiz:

Reply from Grisoft; must say very fast return reply. Only thing disappointed about is no better clarification of "virus found proxy"; what exactly is that?

Reply:
"Please let me inform you that very strange program code obfuscation is used in this file, therefore it is detected by heuristic analysis. Due to the nature of this file (it is a crack) this file will not be removed from AVG detection."

steamwiz
2007-03-02, 21:06
Hi

I've never been able to find out exactly what they mean by "virus found proxy" ... it usually ends up that such files are a false positive.. the code they refer to, may well be just the fact that it is a crack... I think I've done all I can for you... the moral of this is... if you want to be safe, don't use cracks, & after all, there's only one way to look at it... cracks are stealing.

steam