IObit Forum

ASC + AV and iobit cloud false negative



My niece's laptop had a virus.

I reinstalled it and reinfected it.

I used a pen drive to install ASC + AV, which found no viruses.

I swept the pen with ASC + AV; nothing found on my PC (Win 7).

I used my pen to install ASC + AV after re-installing XP Pro and it started doing the exact same thing...

Put the pen back in my PC, still nothing found.

On the pen drive I found the file autorun.inf.

Opening it in Notepad revealed that it was not a txt file but a 1 MB executable...

I uploaded the file to IObit's cloud, which said it was safe and it was a txt file...

This is no txt file!

Where can I send it to get a person to take a proper look at it, as I believe this to be a brand new virus?

Thanks


autorun files

 

Hi Toppack,

My keyboard program automatically transferred itself to autorun from being a standard program, the inference being that virus/malware has the ability to change its characteristics.

So therefore he should go to the Spyware/Malware section for further guidance.

 

Roy


scrd01 is probably correct,

but it might be that the .inf file has info for loading the program from a hard drive and is confused by it being run from a flash stick?

(Those .inf files have program file path info.)

I have seen loading configuration problems similar to that before.


Hi all!

 

You are correct Toppack... from your link:

Structure of an INF file

 

The structure of an INF file is very similar to that of an INI file; it contains various sections that specify the files to be copied, changes to the registry, etc. All INF files contain a [version] section with a Signature value specifying the version of Windows that the INF file is meant for. The signature is commonly $CHICAGO$ (for Windows 9x) or $WINDOWS NT$ (for Windows NT/2K/XP). Most of the remaining sections are user-defined and contain information specific to the component being installed. An example of an INF file might have something like this:

[autorun]
open=program.exe

What this would do is open the program.exe file automatically whenever the media containing the file (in its root directory) is connected to the computer. This can be dangerous, as there is no way to tell whether such a file exists before inserting the media. Since Windows XP, however, this feature has been replaced with a menu forcing the user to choose which action to take.

INF files can sometimes be dangerous on Windows 2000 as they may allow viruses to autorun without prompting.[citation needed]

[autorun]
open=program.exe
icon=cd.ico

The 'icon=*.ico' command replaces any old/default drive icon with the specified one. [autorun] can be replaced by [AutoRun] or [Autorun].

Also please see this. Everything I can find in addition indicates this is most likely a virus.

 

The following is to comwarrior:

This is very unclear:

My niece's laptop had a virus.

I reinstalled it and reinfected it.

Can you please clarify? What did you reinstall and what was the method of reinstallation? Did you obtain a new clean download or use the old one? Had you successfully removed the virus? If so... how... please clarify! ;-)

Also... the details in your member CP (Control Panel), are they yours or your niece's? If they are yours and you used to have ASC/AV Pro, why are you now using the free?

Where can I send it to get a person to take a proper look at it, as I believe this to be a brand new virus?

You can attach the file to a post in the New threats submit section for examination with a warning that the file is most likely a threat. Zip it if you have to... I don't think it will be so large that you will have to though.

What protections does your niece use and what is her OS?

I agree with Roy (scrd01) that you should open a thread in the Spyware/Malware removal section! Please follow these guidelines to post there!

 

I do hope you come back and review this thread.

 

 

Sincerely,

-Mel

Live long and prosper!


Hi guys, thanks for the info.

I have successfully re-installed my niece's laptop and as far as I can tell my desktop is not infected. I do believe ASC had a part in this.

 

Here is an ASCII extract from the autorun.inf

 


 

As you can see, this is NOT a text file, nor have I ever seen anything like it except when opening up an EXE or BIN.

I have the malware fighter on my PC and it does not pick it up either... I believe it makes the file look like a txt file to fool AV and AMW software. This makes me think it might be new and should be reported.

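A defender's triage for a file like the one discussed in this thread, added here as an example and not code from any poster or from IObit: it reads an autorun.inf as raw bytes, measures how much of it is non-text, and lists the [autorun] entries that would launch a program, following the INF layout quoted earlier in the thread. The function name, the constructed samples and the 4096-byte / 5% thresholds are assumptions made for the illustration.

```python
LAUNCH_KEYS = ("open", "shellexecute", "shell\\")   # entries that start a program
MAX_SIZE, MAX_ODD_RATIO = 4096, 0.05                # assumed thresholds, tune to taste


def triage_autorun_inf(data: bytes) -> dict:
    """Summarise an autorun.inf without executing or trusting anything in it."""
    # Bytes a plain-text INF has no need for: anything >= 0x7F, and control
    # characters other than tab, LF and CR.
    odd = sum(1 for b in data if b >= 0x7F or (b < 0x20 and b not in (9, 10, 13)))
    odd_ratio = odd / len(data) if data else 0.0

    directives, section, comment_bytes = {}, None, 0
    for raw in data.split(b"\n"):
        line = raw.decode("latin-1").strip()        # latin-1 never fails on odd bytes
        if line.startswith(";"):                    # INF comment line: count it, skip it
            comment_bytes += len(raw)
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()    # [autorun] / [AutoRun] / [Autorun]
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()

    return {
        "size": len(data),
        "odd_byte_ratio": round(odd_ratio, 3),
        "comment_bytes": comment_bytes,
        "directives": directives,
        "launches": {k: v for k, v in directives.items() if k.startswith(LAUNCH_KEYS)},
        # A genuine autorun.inf is a few short text lines; flag anything else.
        "suspicious": len(data) > MAX_SIZE or odd_ratio > MAX_ODD_RATIO,
    }


# Constructed samples (not taken from the thread's file).
BENIGN = b"[autorun]\r\nopen=program.exe\r\nicon=cd.ico\r\n"
JUNK = b";" + bytes(range(0x80, 0x100)) * 4 + b"\r\n"   # non-text bytes on a comment line
PADDED = JUNK * 3 + b"[AutoRun]\r\n" + JUNK + b"open=program.exe\r\n" + JUNK * 3

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("padded", PADDED)):
        print(name, triage_autorun_inf(sample))
```

Run it against a copy of the file read in binary mode; a non-empty `launches` together with `suspicious` set is the combination worth escalating to a human analyst.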

Hi comwarrior.

 

Thanks for that.

 

Please see this post. Follow those instructions with a warning of the potential threat included in your PM (Private Message) to Cicely!

 

When you say that you reinstalled... do you mean you reformatted?

 

Where did you get the file you suspect carries the infection?

 

Sincerely,

-Mel

Live long and prosper!


The file was present on a pen drive that I'd used to install ASC + AV and malware onto my niece's laptop.

ASC & MW found nothing on her laptop...

The pen was plugged into my PC and manually scanned while I completely wiped (deleted the partition and did a full format) her drive.

The scan was negative.

I reinstalled XP Pro on her laptop and plugged in the pen to install drivers and ASC.

I looked away and looked back, went into My Computer and found no pen drive listed as a drive.

In computer manager (disk manager) I confirmed the pen was recognised and had a drive letter. I unplugged it and plugged it back in, but I plugged it into the lower USB port. It 'reinstalled' the pen and that's when I noticed it was 'installing' a "magnetic disk", and that's when alarm bells rang...

I can confirm the autorun.inf was not present this morning when I grabbed ASC to install on her laptop, as the pen had no files on it.


I've sent a PM to cic, but it didn't give me the option to attach the file.

To clarify,

My profile is my PC.

I'm on ASC + AV free because my original license for ASC has expired and I've switched from ASC and AVG antivirus to ASC + AV.

My niece's laptop is one I have refurbished for her from eBay. The hard drive was one of my spare ones.

It's a Compaq Evo N1050V fixed and upgraded by me :mrgreen:

She started uni about 2 weeks ago; I believe someone there released the virus...

Symptoms:

The laptop was fine doing normal office stuff, but both Firefox 15 and IE were REALLY sluggish loading pages. She was alerted to a problem when 'the virus' sent me an odd link over Facebook chat. I phoned her immediately and told her to turn off her laptop and change her FB and Hotmail passwords.

VirusTotal reports it's OK; here are the results:

https://www.virustotal.com/file/9419078281243860cebe501bcc2de257661931f0af5c0bc72d7f9eafcb0c872a/analysis/1349658667/

 

edit:

the cloud link is as follows

http://cloud.iobit.com/index.php?id=14bb8bdea22ff80012ef39b0f2d1f36b324b5759b8e5e9395ff2f5cd5584ac55c675633d666f6e01ea521ab82a104232b822cf832b11842d9dbb&signature=782dd462d008b05e1b

 

edit2:

posted here

http://forums.iobit.com/showthread.php?p=83906#post83906

 

Also, it has changed the pen's icon to a folder... grrr!


passwords

 

Hi Comwarrior,

3 things

1

Changing the passwords on her laptop won't help.

IT HAS TO BE DONE ON A CLEAN ONE.

2

The comment re > I < loaded the virus from my pen drive.

Is the pen drive compromised?

3

You make the attachment via the down arrow next to the paper clip symbol.

Roy


Thanks everybody!

 

Cicely has also been asked to review this thread as well as the one comwarrior was kind enough to create on the New Threats section.

 

As you reformatted your Nieces machine and are confident you have not infected yours... I would forget about the advisements concerning the Malware Removal section unless your machine becomes symptomatic.

 

I would be most curious to see what becomes of this as virustotal has nothing and I hope that the Iobit team will inform us.

 

This though, I don't understand:

She started uni about 2 weeks ago; I believe someone there released the virus...

Do you speak of uniblue? What is uni?

 

Sincerely,

-Mel

Live long and prosper!


Hi Roy.

 

Hi Comwarrior,

3 things

1

Changing the passwords on her laptop won't help.

IT HAS TO BE DONE ON A CLEAN ONE.

2

The comment re > I < loaded the virus from my pen drive.

Is the pen drive compromised?

3

You make the attachment via the down arrow next to the paper clip symbol.

Roy

 

The machine is clean as the HD has been wiped and the OS reinstalled.

I'm sure that comwarrior will check the pen drive out as comwarrior seems to be a knowledgeable user.

It is not possible to make attachments in a (PM)Private Message which is what comwarrior was referring to as I asked him/her to... (sorry, I forgot this ):neutral:

 

 

Sincerely,

-Mel

Live long and prosper!


if im reading this correctly

 

Hi Comwarrior,

 

Daughter's laptop infected

scanned via pen

Which then was also infected

reformatted daughter's laptop (cleaned)

Re-infected daughter's laptop from pen

Infected YOUR PC, re comment Grrr.

 

Sounds like a rootkit.

BOTH need to be cleaned, and the rootkit to be identified

 

 

Roy

 

3.05 v 3.06

live long and prosper Melvin


Hi comwarrior and Roy.

 

Hi Comwarrior,

 

Daughter's laptop infected

scanned via pen

Which then was also infected

reformatted daughter's laptop (cleaned)

Re-infected daughter's laptop from pen

Infected YOUR PC, re comment Grrr.

 

Sounds like a rootkit.

BOTH need to be cleaned, and the rootkit to be identified

 

 

Roy

 

3.05 v 3.06

live long and prosper Melvin

 

Perhaps my understanding is the one that is not clear! This is mine:

 

It was the niece's computer that was infected. The infection was removed to the pen, so that it could be examined by comwarrior. The files were inspected on comwarrior's machine, but no executions were allowed. The niece's machine was eventually reformatted, including the disk being wiped. (It is clean.)

The only machine that could be suspect is comwarrior's, but comwarrior is confident that didn't happen as the files were only examined on his machine.

I agree that it does sound like a rootkit... but it has been eliminated by the wipe and reformat on the niece's machine (which comwarrior built) and isolated to the pen drive for examination and submitted to the engineers/programmers for examination on the New Threats thread.

 

The Niece's computer was reformatted twice.

 

Sincerely,

-Mel

Live long and prosper!


Archived

This topic is now archived and is closed to further replies.
