Trojan.Agent-107288
GuitarBob
What is your Infected Files option in ClamWin? It comes with a default of Report Only. You can also set it to Quarantine or to Remove (use carefully). If you have it set to the default, that is why it is not removed or quarantined, so you can change it, then rescan and it will be removed or quarantined.
I keep my option set to Report Only. If you quarantine or remove a file that is a false positive detection (not a real infection) on an important Windows system file or program file, you will lose access to Windows or your program. When I get a detection, I upload a copy of the file to Jotti at https://virusscan.jotti.org/en on the web or to VirusTotal at https://www.virustotal.com/ on the web. Either service will scan the file for free with multiple antivirus programs--including Clam. If several other AVs besides Clam find an infection, it is probably a real one and not a false positive. I like to see at least 5 AVs say it is infected.
If it's a real infection, you can manually remove it or change the Infected Files option to Quarantine, rescan, and it will be taken care of. If the file turns out to be a false positive, you should upload a copy of it to Clam, starting at https://www.clamav.net/sendvirus/ on the web. When you get to the upload page, be sure to indicate it is a false positive infection, tell them the exact name of the virus, and tell them why you think it is a false positive. Clam will adjust the signature within a couple of days for Clam AV (and ClamWin too).
If the infection is real, and it keeps coming back, try a scan with the free Cureit program from Dr. Web or Malwarebytes' Anti-Malware program. Both are good at cleaning up an infection.
Visit the ClamWin Antimalware page for more help.
Regards,
hajime
hi !
first I just selected "Move to Quarantine Folder" ( C:/Documents and Settings .../Temp ); but it wasn't removed, so I changed to "Remove (Use Carefully)"; but the virus (or not?) continues on my computer... I will continue to check, thanks!
hajime
hi;
I sent the file "Notepad.exe" to https://virusscan.jotti.org for a test and I received a report:
Filename: notepad.exe
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Tue 12 May 2009 21:58:23 (CET)
File size: 70144 bytes
Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: b53b0f7aa341430fe73a9bd26a6441b5
SHA1: 9733acfae959c7b7d4184a548dcbbcde2b9c0e12
All anti-virus engines say "Found Nothing", so I sent the file to https://www.virustotal.com and the report says:
File mynotepad.exe received on 2009.05.30 16:12:24 (UTC)
Current status: finished
Result: 2/39 (5.13%)
Antivirus    Version     Last Update    Result
ClamAV       0.94.1      2009.05.30     Trojan.Agent-107288
eSafe        7.0.17.0    2009.05.27     Win32.Worm.AutoRun.u
Additional information
File size: 70144 bytes
MD5 : b53b0f7aa341430fe73a9bd26a6441b5
SHA1 : 9733acfae959c7b7d4184a548dcbbcde2b9c0e12
SHA256: 83fff21b1467d33e563f6d8e321ed78785adfa5f6d2f93bc490de9dbfc70e5dc
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x739D
timedatestamp.....: 0x41107CC3 (Wed Aug 4 08:05:55 2004)
machinetype.......: 0x14C (Intel I386)
( 3 sections )
name     viradd    virsiz    rawdsiz    ntrpy    md5
.text    0x1000    0x7748    0x7800     6.28     6752013b6f209cdd90b5a0debb59f58d
.data    0x9000    0x1BA8    0x800      1.15     3fd82fcc3cf0c0692e0e466248ee3fbf
.rsrc    0xB000    0x8D50    0x8E00     5.44     79f9a31ca1357187c0dae78b74928f95
( 0 imports )
( 0 exports )
TrID : File type identification
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)
ThreatExpert: https://www.threatexpert.com/report.aspx?md5=b53b0f7aa341430fe73a9bd26a6441b5
ssdeep: 1536:lwOnbNQKLjWDyy1o5ReVJUEbooPRrKKRPkmCB:fNQKPWDyDReVJltZrpRMma
PEiD : -
CWSandbox: https://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=b53b0f7aa341430fe73a9bd26a6441b5
RDS : NSRL Reference Data Set ( Microsoft )
MSDN Disc 2443.2: notepad.exe
MSDN Disc 2443.4: notepad.exe
GuitarBob
If the trojan keeps coming back, then there is another piece of malware that is reinstalling it. Disable System Restore and run Windows Cleanup. Then try setting ClamWin's Unload Infected Programs From Computer Memory preference and run a memory scan. If that doesn't work, try a complete scan in Safe Mode (hit F8 key continuously upon bootup). Finally, if that doesn't work, download and scan with Malwarebytes and then Dr. Web's Cureit. Do whatever they suggest (cure, restart, etc.). If the trojan is gone, enable System Restore.
Please get back here with results.
Regards,
GuitarBob
If only a couple of antiviruses on the online scanning services find an infection, it is probably a false positive, and you should let Clam AV know about it (see my previous post for the location on the web to report it). If it were a real infection, you would probably have many more than a couple of AVs spotting something.
Regards,
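The triage rule from the posts above, combined with a hash comparison against a trusted copy of the file, as an added example that is not part of the original thread. The two thresholds come from the posts; the hash check, the function names, the placeholder engine names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

REAL_THRESHOLD = 5  # "at least 5 AVs" in the thread
FP_THRESHOLD = 2    # "only a couple" in the thread

def sha256_of(path, chunk=65536):
    """Hash the file in blocks so large binaries are not read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(path, scanner_results, trusted_hashes):
    """scanner_results: engine -> detection name, or None when clean.
    trusted_hashes: SHA-256 digests of known-good copies (assumption:
    taken from a clean machine or original install media)."""
    flagged = sorted(e for e, r in scanner_results.items() if r)
    matches_trusted = sha256_of(path) in trusted_hashes
    if len(flagged) >= REAL_THRESHOLD:
        return "likely real infection", flagged
    if len(flagged) <= FP_THRESHOLD:
        if matches_trusted:
            return "likely false positive, report the signature", flagged
        return "few detections, but file differs from trusted copy", flagged
    # Between the two thresholds the thread gives no rule (assumption).
    return "inconclusive, scan with additional tools", flagged

def demo():
    # Constructed sample: placeholder bytes stand in for the flagged file.
    content = b"constructed stand-in for notepad.exe"
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "notepad.exe"
        sample.write_bytes(content)
        trusted = {hashlib.sha256(content).hexdigest()}
        # Shape of the 2/39 result in the thread; engine-NN are placeholders.
        results = {f"engine-{i:02d}": None for i in range(37)}
        results["ClamAV"] = "Trojan.Agent-107288"
        results["eSafe"] = "Win32.Worm.AutoRun.u"
        return triage(sample, results, trusted)

if __name__ == "__main__":
    print(demo())
```

A file that only one or two engines flag but that no longer matches the trusted digest is reported separately, since a modified system file deserves a closer look even when most scanners stay silent.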
hajime
hi;
the virus continued on my computer, so I cleaned all temp files and disabled System Restore; turned off my PC (not restart); turned it on as Administrator in Safe Mode; executed ClamWin with the "Remove" option; ClamWin found the same virus and removed it; I restarted the PC in normal mode, scanned again and ClamWin didn't find any virus! yeah, the file Notepad.exe was removed, so I copied this file from my notebook... thanks for all
GuitarBob
If the "virus" comes back after notepad is reinstalled, it was a false positive detection--not a real virus. In that case, upload a copy of the file to Clam, starting at https://www.clamav.net/sendvirus/ on the web. Check the false positive block, tell them the name of the "virus," and tell why it is a false positive.
Regards,
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.