So 'K flags this file on the server

Have Kaspersky on a few non big brother computers at work and today I
get a warning about an infected file on a server that is dated June 1,
2010.    Skipped the file as I sure wasn't going to delete it as I
wasn't sure if it was a false positive.   Send it to VirusTotal and
27/43 have it flagged as a trojan.   McAfee has it listed, so I go to
a big brother computer, ensure McAfee def's are up to date, scan the
file and it shows it as clean.  Go figure.   I'll send an e-mail to IT
and tell them I believe it is an infected file and hope they do
something LOL.

BTW, my home laptop (Avira AntiVir - free version) also caught it.

Here are the VT scan results: http://tinyurl.com/6hoswub

Re: So 'K flags this file on the server


| Have Kaspersky on a few non big brother computers at work and today I
| get a warning about an infected file on a server that is dated June 1,
| 2010.    Skipped the file as I sure wasn't going to delete it as I
| wasn't sure if it was a false positive.   Send it to VirusTotal and
| 27/43 have it flagged as a trojan.   McAfee has it listed, so I go to
| a big brother computer, ensure McAfee def's are up to date, scan the
| file and it shows it as clean.  Go figure.   I'll send an e-mail to IT
| and tell them I believe it is an infected file and hope they do
| something LOL.

| BTW, my home laptop (Avira AntiVir - free version) also caught it.

| Here are the VT scan results: http://tinyurl.com/6hoswub

Ozzy, could you please upload a copy to http://www.uploadmalware.com/

Let me know when you have uploaded it.

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: So 'K flags this file on the server

wrote:
| Here are the VT scan results: http://tinyurl.com/6hoswub

===============
It has been uploaded...

Re: So 'K flags this file on the server


| wrote:
|| Here are the VT scan results: http://tinyurl.com/6hoswub



| It has been uploaded...

Got it.
Thanx !

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: So 'K flags this file on the server


| It has been uploaded...

It could have network capabilities as it created a named pipe;  pipe\zhtGvbkgla

and created....

C:\RECYCLER\S-1-5-21-5663603721-5924204633-458313251-5821\nvapbar.exe

It modifies Winlogon to load the above executable.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman = C:\RECYCLER\S-1-5-21-5663603721-5924204633-458313251-5821\nvapbar.exe

Wants to communicate with;  ChatAddiction.ServeUsers.com   but didn't.

Creates a Mutex of;  xxx_fejh__frg65fx


--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: So 'K flags this file on the server



|| It has been uploaded...

| It could have network capabilities as it created a named pipe;  pipe\zhtGvbkgla

| and created....

| C:\RECYCLER\S-1-5-21-5663603721-5924204633-458313251-5821\nvapbar.exe

| It modifies Winlogon to load the above executable.

| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
| Taskman = C:\RECYCLER\S-1-5-21-5663603721-5924204633-458313251-5821\nvapbar.exe

| Wants to communicate with;  ChatAddiction.ServeUsers.com   but didn't.

| Creates a Mutex of;  xxx_fejh__frg65fx


A different run was;
C:\RECYCLER\S-1-5-21-8294212165-5304022291-433821651-2720\nvapbar.exe

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp
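One way to sweep a fleet for the Winlogon persistence Dave describes in the two posts above (the Taskman value pointing at nvapbar.exe under a SID-named RECYCLER folder, with a different SID folder per run), as an added example that is not part of the thread: parse a `reg export` of the Winlogon key and flag a Taskman value at all (it is absent on a clean install) or any login value pointing into such a folder. The .reg text below is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of a `reg export` of the Winlogon key (not from the thread);
# the Taskman path mirrors the sandbox finding quoted above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"Taskman"="C:\\RECYCLER\\S-1-5-21-5663603721-5924204633-458313251-5821\\nvapbar.exe"
'''

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# A SID-looking directory directly under a RECYCLER root; each run in the thread
# used a different SID, so the match is on the shape, not on one value.
RECYCLER_SID_DIR = re.compile(r"\\RECYCLER\\S-1-5-21(-\d+)+\\", re.IGNORECASE)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a .reg export into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # hex:/dword: entries are not string values and are skipped
                name, value = (s.replace('\\"', '"').replace("\\\\", "\\") for s in m.groups())
                keys[current][name] = value
    return keys


def winlogon_findings(text: str) -> List[str]:
    """Return human-readable findings for the Winlogon values that load code at logon."""
    values = parse_reg_export(text).get(WINLOGON_KEY, {})
    findings: List[str] = []
    for name in ("Shell", "Userinit", "Taskman"):
        value = values.get(name)
        if value is None:
            continue
        if name == "Taskman":
            findings.append(f"Taskman is set (absent on a clean install): {value}")
        if RECYCLER_SID_DIR.search(value):
            findings.append(f"{name} points into a SID-named RECYCLER folder: {value}")
    return findings
```

Run it over exports collected from each host; a clean Winlogon key yields an empty list.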



Re: So 'K flags this file on the server

wrote:

==================
Thanks for the info!
