james159951
Joined: 07 Mar 2017
Posts: 0
Posted: Tue Mar 07, 2017 6:20 am

-------------------------------------------------------------------------------
/media/ubuntu/OS/Program Files (x86)/Common Files/Apple/Mobile Device Support/Mingler.exe: Win.Trojan.Agent-1365924 FOUND
/media/ubuntu/OS/Program Files (x86)/GUM8333.tmp/GoogleCrashHandler.exe: Win.Trojan.Agent-1372195 FOUND
/media/ubuntu/OS/Program Files (x86)/GUM8333.tmp/GoogleUpdateBroker.exe: Win.Worm.Chir-2439 FOUND
/media/ubuntu/OS/Program Files (x86)/GUM8333.tmp/GoogleUpdateOnDemand.exe: Win.Worm.Chir-2439 FOUND
/media/ubuntu/OS/Program Files (x86)/HDTotalS/HDTotalS-bg.exe: Win.Adware.Agent-1332373 FOUND
/media/ubuntu/OS/Program Files (x86)/HDTotalS/Uninstall.exe: Win.Trojan.Agent-1249990 FOUND
/media/ubuntu/OS/Program Files (x86)/Highlightly/IE/HighlightlyClientIE.dll: Win.Adware.Agent-1327657 FOUND
/media/ubuntu/OS/ProgramData/Temp/{3023EBDA-BF1B-4831-B347-E5018555F26E}/PostBuild.exe: Win.Worm.Runouce-879 FOUND
/media/ubuntu/OS/ProgramData/Temp/{91A34181-9FAD-43AB-A35F-E7A8945B7E1C}/PostBuild.exe: Win.Worm.Runouce-879 FOUND
/media/ubuntu/OS/ProgramData/Temp/{DCCAD079-F92C-44DA-B258-624FC6517A5A}/PostBuild.exe: Win.Worm.Runouce-879 FOUND
/media/ubuntu/OS/ProgramData/Temp/{FB4BB287-37F9-4E27-9C4D-2D3882E08EFF}/PostBuild.exe: Win.Worm.Runouce-879 FOUND
/media/ubuntu/OS/ProgramData/MFAData/SelfUpd/avgmfapx.exe: Win.Worm.Chir-2036 FOUND
/media/ubuntu/OS/ProgramData/MFAData/SelfUpd/avgntdumpx.exe: Win.Worm.Chir-1858 FOUND
/media/ubuntu/OS/swsetup/APP/Multimedia/CyberLink/HPMediaSmartDVD/4.0.1.3902/HPMSDVD/hp/tmp/src/MediaSmart DVD.msi: Win.Worm.Runouce-879 FOUND
/media/ubuntu/OS/swsetup/APP/Multimedia/CyberLink/HPMSTSMusic/3.2.1.3910/HPMSTSMusic/hp/tmp/src/HP.msi: Win.Worm.Runouce-879 FOUND
/media/ubuntu/OS/swsetup/APP/Multimedia/CyberLink/MSTSDVDMenuPack/4.0.1.3715/HPMSTSDVDMenu/hp/tmp/src/HP.msi: Win.Worm.Runouce-879 FOUND
/media/ubuntu/OS/swsetup/APP/Multimedia/CyberLink/MSTSMovieThemes/4.0.1.3715/HPMSTSMovieTheme/hp/tmp/src/HP.msi: Win.Worm.Runouce-879 FOUND
/media/ubuntu/OS/swsetup/APP/Multimedia/CyberLink/Power2Go/6.1.3810/src/Power2Go.msi: Win.Worm.Palevo-39167 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Local/19475/a11947.exe: Win.Adware.Agent-1116002 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Local/IdleCrawler/IdleProfile.exe: Win.Trojan.Agent-1140576 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Local/IdleCrawler/uninstall.exe: Win.Trojan.Agent-1140576 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/02BWYQ1X/Setup[1].exe: Win.Trojan.15493331-1 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/02BWYQ1X/ViewPlaySetup[1].exe: Win.Trojan.15493331-1 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Local/Microsoft/Windows/Temporary Internet Files/Content.IE5/6K7GPKL7/Setup[1].exe: Win.Trojan.Agent-1140576 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Local/Smartbar/Application/amfclgbdpgndipgoegfpkkgobahigbcl/GoogleChromeRemotePlugin.dll: Win.Adware.Agent-1302481 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Local/Smartbar/Application/helperbar@helperbar.com/components/SmartbarFireFoxRemotePlugin_28.dll: Win.Adware.Linkury-3999 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Local/Smartbar/Application/Interop.SHDocVw.dll: Win.Adware.Linkury-2970 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Local/Temp/jki67B7.tmp: Win.Adware.Domaiq-316 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Local/Temp/3069446241: Win.Trojan.Agent-1140576 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Local/Temp/3551229692: Win.Trojan.15493331-1 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Local/Temp/5bdb0f77-f307-4538-bce3-07c7d63e6c92/software/OptimizerPro.exe: Win.Trojan.Agent-1144374 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Local/Google/Chrome/User Data/Default/File System/001/t/00/00000000: Win.Adware.Domaiq-1 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Local/Google/Chrome/User Data/WidevineCDM/1.4.4.600/_platform_specific/win_x86/widevinecdm.dll: Win.Trojan.Nimnul-23 FOUND
/media/ubuntu/OS/Users/Brian/AppData/Roaming/Microsoft/Crypto/RSA/S-1-5-21-2266226277-38424506-3487242090-1001/4bd07e1ba952c6aa9bf83a8d98c08949_76330c93-3c53-49e3-b754-246979998df6: Win.Trojan.Agent-5497009-0 FOUND
/media/ubuntu/OS/Windows/assembly/GAC_MSIL/Interop.SHDocVw/1.1.0.0__84542ff99aed6a4d/Interop.SHDocVw.dll: Win.Adware.Linkury-2970 FOUND
/media/ubuntu/OS/Windows/Installer/202e9.msi: Win.Worm.Runouce-879 FOUND
/media/ubuntu/OS/Windows/Installer/20306.msi: Win.Worm.Palevo-39167 FOUND
/media/ubuntu/OS/Windows/Installer/20332.msi: Win.Worm.Runouce-879 FOUND
/media/ubuntu/OS/Windows/Installer/20353.msi: Win.Worm.Runouce-879 FOUND
/media/ubuntu/OS/Windows/Installer/20358.msi: Win.Worm.Runouce-879 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 5943094
Engine version: 0.99.2
Scanned directories: 39215
Scanned files: 210175
Infected files: 40
Total errors: 1
Data scanned: 54082.44 MB
Data read: 70006.63 MB (ratio 0.77:1)
Time: 10187.179 sec (169 m 47 s)

james159951
Joined: 07 Mar 2017
Posts: 0
Posted: Wed Mar 08, 2017 1:23 am

I think I might have a worm on my friend's computer after uploading a file to virustotal.com
This is what Kaspersky and Eset have found:
Kaspersky: not-a-virus:RiskTool.Win32.Agent.ihv
ESET-NOD32 : Win32/SpeedingUpMyPC.I
Avira, Bitdefender, and Sophos haven't detected the file as malware.
I know that worms can spread to removable media such as USB flash drives, so I would like to know if it's a worm or not, so that I can decide whether to copy his pictures and music files safely onto a USB thumb drive.
Your help is much appreciated.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Wed Mar 08, 2017 3:43 am

Judging by the name of the program it is probably a potentially unwanted program (PUP). PUPs are not really malware, but they can be used by malware authors and are sometimes associated with malware. Here is a small list of PUPs: packers, remote administration tools (RAT), some scripts, torrent downloaders, some adware, and programs that let you use a commercial program without paying for it. PUPs are sometimes placed on your computer without your knowledge--such as when you download a file over the web.
Some AVs let you automatically quarantine/delete PUPs or ignore them. My suggestion is to delete any PUPs that you find--unless you wanted the program and know when it was downloaded.
Regards,

james159951
Joined: 07 Mar 2017
Posts: 0
Posted: Wed Mar 08, 2017 10:46 pm

OK, what about these three, though? Are these three files really trojan horses?

/media/ubuntu/OS/Users/Brian/AppData/Local/IdleCrawler/IdleProfile.exe
Avira: TR/Click.234152
Bitdefender: safe
ESET-NOD32: safe
Kaspersky: Trojan-Clicker.JS.Agent.pp
Sophos: Mal/Generic-L

/media/ubuntu/OS/Users/Brian/AppData/Local/IdleCrawler/uninstall.exe
Avira: TR/Click.Agent.obbbk
Bitdefender: safe
ESET-NOD32: safe
Kaspersky: Trojan-Clicker.Win32.Agent.cbim
Sophos: safe

/media/ubuntu/OS/Users/Brian/AppData/Local/Smartbar/Application/amfclgbdpgndipgoegfpkkgobahigbcl/GoogleChromeRemotePlugin.dll
Avira: safe
Bitdefender: Gen:Adware.Heur.ku9@g1zf5Rci
ESET-NOD32: Gen:Adware.Heur.ku9@g1zf5Rci
Kaspersky: Gen:Adware.Heur.ku9@g1zf5Rci
Sophos: safe

I'm more concerned about the first two. Are these really trojan horses?

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Thu Mar 09, 2017 2:06 am

There's no way I can tell if the files are infected because I don't have a copy of them.
When I was preparing virus signatures for Clam AV from 2008-2013, I used a rule when I couldn't detect anything malicious about a file: Here is the rule: I needed at least 2 of these AVs to detect a file as infected before I believed it: Avira, Bitdefender, Eset, Kaspersky, and Sophos. Apply this rule to your files.
Another helpful rule: look at the source of the file to get an idea as to whether or not it is malicious. Did you get them from someone you trust or did you get them from somewhere on the wild and woolly web/internet (including email/download site)? If you didn't ask for the files, you probably don't want/need them.
Regards,
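The "at least two of the five engines" rule GuitarBob describes is easy to apply mechanically to the verdicts james159951 posted. The script below is an added example written for this page, not code from the thread or from ClamAV; the verdict table reproduces the results as posted, the first entry uses a placeholder key because that post gave no path, and the treatment of "not-a-virus"/adware names as a separate PUP tier (rather than as malware) is my own choice, matching GuitarBob's distinction between PUPs and malware.

```python
"""Apply a two-of-five multi-engine rule to per-file AV verdicts.

Added example for this thread. Engine names and verdict strings are the
ones posted in the thread; helper names and the PUA name markers are
assumptions of this example.
"""
from collections import Counter

# The five engines GuitarBob names as his reference set.
REFERENCE_ENGINES = ("Avira", "Bitdefender", "ESET-NOD32", "Kaspersky", "Sophos")

# Substrings that vendors commonly use for riskware / adware / unwanted apps.
# Assumption of this example: such a verdict counts as a PUP hit, not malware.
PUA_MARKERS = ("not-a-virus", "riskware", "risktool", "pua", "pup", "adware", "unwanted")

# Verdicts exactly as posted in the thread.  The first file's path was not
# given in the post, so a labelled placeholder key is used for it.
POSTED_VERDICTS = {
    "<file uploaded in the second post, path not given>": {
        "Avira": "safe", "Bitdefender": "safe", "Sophos": "safe",
        "Kaspersky": "not-a-virus:RiskTool.Win32.Agent.ihv",
        "ESET-NOD32": "Win32/SpeedingUpMyPC.I",
    },
    "/media/ubuntu/OS/Users/Brian/AppData/Local/IdleCrawler/IdleProfile.exe": {
        "Avira": "TR/Click.234152", "Bitdefender": "safe", "ESET-NOD32": "safe",
        "Kaspersky": "Trojan-Clicker.JS.Agent.pp", "Sophos": "Mal/Generic-L",
    },
    "/media/ubuntu/OS/Users/Brian/AppData/Local/IdleCrawler/uninstall.exe": {
        "Avira": "TR/Click.Agent.obbbk", "Bitdefender": "safe", "ESET-NOD32": "safe",
        "Kaspersky": "Trojan-Clicker.Win32.Agent.cbim", "Sophos": "safe",
    },
    "/media/ubuntu/OS/Users/Brian/AppData/Local/Smartbar/Application/"
    "amfclgbdpgndipgoegfpkkgobahigbcl/GoogleChromeRemotePlugin.dll": {
        "Avira": "safe", "Sophos": "safe",
        "Bitdefender": "Gen:Adware.Heur.ku9@g1zf5Rci",
        "ESET-NOD32": "Gen:Adware.Heur.ku9@g1zf5Rci",
        "Kaspersky": "Gen:Adware.Heur.ku9@g1zf5Rci",
    },
}


def classify_verdict(name):
    """Map one engine's verdict string to 'clean', 'pua' or 'malware'."""
    lowered = name.strip().lower()
    if lowered in ("", "safe", "clean", "undetected"):
        return "clean"
    if any(marker in lowered for marker in PUA_MARKERS):
        return "pua"
    return "malware"


def triage(verdicts, engines=REFERENCE_ENGINES, threshold=2):
    """Count hits among the reference engines and apply the threshold.

    An engine missing from the table is treated as 'safe'.  Malware hits
    reaching the threshold win over PUP hits, so a file that two engines
    call a trojan is not downgraded because a third calls it adware.
    """
    counts = Counter(classify_verdict(verdicts.get(e, "safe")) for e in engines)
    hits = counts["malware"] + counts["pua"]
    if counts["malware"] >= threshold:
        decision = "likely malicious"
    elif hits >= threshold:
        decision = "likely PUP"
    elif hits == 1:
        decision = "single-engine hit, inconclusive"
    else:
        decision = "no detections"
    return {"malware": counts["malware"], "pua": counts["pua"], "decision": decision}


def triage_all(table=POSTED_VERDICTS):
    """Return {path: triage result} for every file in the table."""
    return {path: triage(verdicts) for path, verdicts in table.items()}


if __name__ == "__main__":
    for path, result in triage_all().items():
        print(f"{result['decision']:34s} malware={result['malware']} pua={result['pua']}  {path}")
```

Run as-is, the two IdleCrawler binaries clear the threshold with malware-class names from at least two engines, the Smartbar DLL and the uploaded file only reach it once adware/riskware names are counted, which is exactly the PUP-versus-malware split the thread arrives at. The marker list is deliberately coarse; a real pipeline would key on each vendor's documented category field rather than on substrings of the detection name.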