False positives?


14 replies to this topic

#1 steve1368

    Advanced Member

  • Members
  • 97 posts

Posted 29 June 2005 - 04:04 PM

Did my regular scanning with online trend micro virus scan, then with avast. Nothing surfaced, all OK.

Then scanned with a squared. Got 2 items as malware.

Filename:
C:\WINDOWS\system32\AS-Exp2.ocx
C:\WINDOWS\system32\AS-IFce1.ocx

Diagnosis:
Backdoor.MSWord.Nutshell
Backdoor.MSWord.Nutshell

This time I didn't delete anything [ if you remember, I had a bad experience b4, http://forum.CCleane...wtopic=1426&hl= ]

Wondering if those are false positives.

Cheers

#2 rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 29 June 2005 - 05:14 PM

I believe that those are trojans. Try a scan with ewido to see if it finds them as well. http://www.ewido.net/en/

Wait to see what Tarun or DjLizard say, but I personally would remove those. If ewido finds them then I would definitely remove them. Also remember to update ewido before you scan with it.

#3 Tarun

    Lunarian

  • Banned
  • 3,071 posts

Posted 29 June 2005 - 06:09 PM

Upload them to here: http://virusscan.jotti.org/

#4 steve1368

    Advanced Member

  • Members
  • 97 posts

Posted 30 June 2005 - 01:29 AM

Tarun, on Jun 30 2005, 02:09 AM, said:



Did that last night, no virus indicated.

Steve

#5 steve1368

    Advanced Member

  • Members
  • 97 posts

Posted 30 June 2005 - 01:30 AM

rridgely, on Jun 30 2005, 01:14 AM, said:

I believe that those are trojans. Try a scan with ewido to see if it finds them as well. http://www.ewido.net/en/

Wait to see what Tarun or DjLizard say, but I personally would remove those. If ewido finds them then I would definitely remove them. Also remember to update ewido before you scan with it.


Will try that tonite. Thanks

#6 rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 30 June 2005 - 01:37 AM

Did you see this? That trojan is the most popular detection of a2 for the past three days. It's been known for a while that there were vulnerabilities in Word. Let us know if ewido finds the infections as well. If not, I bet it's a new infection that will be added to the rest of the scanners soon. Though you never know, it could be a false positive. I doubt that it is; I'm sure we will probably hear more about that trojan soon. Good luck :) .

#7 steve1368

    Advanced Member

  • Members
  • 97 posts

Posted 30 June 2005 - 02:47 PM

rridgely, on Jun 30 2005, 01:14 AM, said:

I believe that those are trojans. Try a scan with ewido to see if it finds them as well. http://www.ewido.net/en/

Wait to see what Tarun or DjLizard say, but I personally would remove those. If ewido finds them then I would definitely remove them. Also remember to update ewido before you scan with it.


Did that, nothing found.

Tarun, on Jun 30 2005, 02:09 AM, said:


Did it again for the 2nd time, nothing found.


I scanned again with a-squared this evening. Guess... this time nothing found. I'm truly puzzled. The only thing I did last nite was to run my regular Tarun's anti-malware package, that's it, nothing else.

Now, nothing found with a-squared.

I'm delighted but also very puzzled: how can a "backdoor" just disappear?

Anybody have any clue?

Steve

#8 rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 30 June 2005 - 07:14 PM

Since you know where the infected files are, look for them manually; maybe they were deleated by the malware scanners you ran. Do you have an AV with an active scanner? Maybe that deleated it.

#9 DjLizard

    Dial-a-fix author

  • Members
  • 1,339 posts

Posted 30 June 2005 - 08:47 PM

deleted, not deleated.

#10 Andavari

    Captain Spectacular

  • Moderators
  • 13,327 posts
  • Gender:Male
  • Location:Shadow Moses

Posted 30 June 2005 - 08:54 PM

steve1368, on Jun 30 2005, 08:47 AM, said:

I'm delighted but also very puzzled: how can a "backdoor" just disappear?

Suppose if it's at all sophisticated enough to know it's being scanned, it may "deactivate or hide" itself. Or your antivirus/antimalware may have already taken care of it, since trojans, worms, etc., are usually automatically deleted since they aren't necessary executables.
Complexity of incoherent design.

#11 steve1368

    Advanced Member

  • Members
  • 97 posts

Posted 01 July 2005 - 04:35 AM

rridgely, on Jul 1 2005, 03:14 AM, said:

Since you know where the infected files are, look for them manually; maybe they were deleated by the malware scanners you ran. Do you have an AV with an active scanner? Maybe that deleated it.

Andavari, on Jul 1 2005, 04:54 AM, said:

Suppose if it's at all sophisticated enough to know it's being scanned, it may "deactivate or hide" itself. Or your antivirus/antimalware may have already taken care of it, since trojans, worms, etc., are usually automatically deleted since they aren't necessary executables.

Did a manual check, both files still there.
I have avast home resident scanner, msas & outpost pro running all the time.

Is there any way to check further to be really sure, or should I just post my current HJT log here for analysis?

#12 rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 01 July 2005 - 04:55 AM

It couldn't hurt to post a HJT log. Try this: re-find the infected files, then right-click on them and choose to scan them with Avast; see if it detects them as malware.

#13 steve1368

    Advanced Member

  • Members
  • 97 posts

Posted 01 July 2005 - 03:18 PM

rridgely, on Jul 1 2005, 12:55 PM, said:

It couldn't hurt to post a HJT log. Try this: re-find the infected files, then right-click on them and choose to scan them with Avast; see if it detects them as malware.


Did that with avast & ewido... nothing.

I'll post my new HijackThis log in a new topic.
Hopefully nothing nasty.

Thanks

#14 milutzu_k

    Newbie

  • Members
  • 2 posts

Posted 12 July 2005 - 10:56 PM

Hi all. About AS-IFce1.ocx I have nothing to say, but I know that AS-Exp2.ocx is an ActiveX control I have used in my VB6 projects. Unfortunately I lost it, so I've no GUID to compare. If I find anything I'll be back. In my opinion you don't have to be worried about them.

#15 milutzu_k

    Newbie

  • Members
  • 2 posts

Posted 12 July 2005 - 11:11 PM

So... as-exp2.ocx - Ariad Explorer Controls
as-ifce1.ocx - Ariad Interface Components
The Ariad components were made by Cyotek, which was taken over by Innovasys.
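A defender's triage step for the question this thread keeps circling (is a single scanner's hit on a .ocx a false positive?), added here as an example and not code from the forum, from a-squared, ewido or any other tool mentioned: it checks that the file is a real PE image, hashes it for submission to a multi-engine service like the Jotti link above, and pulls the version-info strings so the vendor name can be compared with milutzu_k's identification of the Ariad/Cyotek controls. SAMPLE_OCX is a constructed byte string standing in for a file (not either real file from C:\WINDOWS\system32), and the raw string scan for version keys is an assumed shortcut in place of a full resource-directory parse.

```python
import hashlib
import struct

# Constructed stand-in for an OCX (not one of the real files from the thread):
# an MZ stub whose e_lfanew points at a PE signature, followed by UTF-16LE
# version-info strings of the kind a real VS_VERSIONINFO block carries.
SAMPLE_OCX = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)   # e_lfanew at offset 0x3C
    + b"\x00" * (0x80 - 64)
    + b"PE\x00\x00" + b"\x00" * 20
    + "CompanyName\0Cyotek\0FileDescription\0Ariad Explorer Controls\0".encode("utf-16-le")
)
VERSION_KEYS = ("CompanyName", "FileDescription", "ProductName", "OriginalFilename")

def is_pe(data: bytes) -> bool:
    """True if the bytes look like a PE image (MZ stub + PE\\0\\0 signature)."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def _read_utf16z(data: bytes, start: int) -> str:
    """Read a NUL-terminated UTF-16LE string beginning at an even offset."""
    end = start
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[start:end].decode("utf-16-le", errors="replace")

def version_strings(data: bytes) -> dict:
    """Scan for common VS_VERSIONINFO keys and return their values.
    Assumption: a raw string scan is enough for triage; a full tool would
    walk the .rsrc directory instead of searching the whole image."""
    found = {}
    for key in VERSION_KEYS:
        needle = key.encode("utf-16-le") + b"\x00\x00"
        idx = data.find(needle)
        if idx == -1:
            continue
        start = idx + len(needle)
        while data[start:start + 2] == b"\x00\x00":   # skip alignment padding
            start += 2
        found[key] = _read_utf16z(data, start)
    return found

def triage(data: bytes) -> dict:
    """SHA-256 to submit to a multi-engine scanner, plus provenance hints."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "is_pe": is_pe(data), "version": version_strings(data)}
```

Run it on a real file with `triage(open(path, "rb").read())`; a vendor string that matches the expected publisher is corroborating evidence only, since strings are trivially forged, so the hash lookup across several engines remains the deciding check.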