BleepingComputer.com: Need Help In Scanning A File... It Acts Bizarre Depending On How It Is Scanned

hello,

i've got a file that i suspect. it is an exe (for example's sake, let's say somefile.exe).

when i run kaperksy to 'scan this file' it skips it! kapersky's status of the scan tells me that it skipped the file and the reason was 'by rights'

i have no idea what that means, and their website/help is not giving me any further insight.

so, i changed the name of the file to somefile.exe.txt, and rescanned. it seemed to understand that the file had packed componants, and unpacked successfully and scanned the innards of the file just fine. it didn't find any threats.

however, what bothers me is that the second i rename the file back to a somefile.exe... i can no longer scan it! what is going on?

i can scan other exe files just fine.

in fact, when i try to upload that one particular exe file, kapersky's online file scanner acts all goofy as if i hadn't submitted a file at all. i've submitted other files to their online file scanner and processed them just fine, so it's definitely related to just this one.

anyone have any ideas what might be happening?

thanks

For the sake of argument upload the file to Jotti Scan
http://virusscan.jotti.org/

"Object is locked skipped" or "Access Denied" notations in a scan -> This is normal as a files are locked by the operating system or running programs during use for protection, so scanners cannot access them. The Object is locked skipped detections are normally not malware nor are they infected. Skipped a file for reason 'by rights' can mean you are not running a scan as administrator and do not have permission so the scan skips that file.

This post has been edited by quietman7: 07 December 2007 - 11:50 PM

oh wow! when i tried to submit the file to the online virus scanner i got the following error:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

that mean that i've got a virus currently running on my machine? oh poop.

Try disabling your Firewall and resubmit the file to Jotti's malware scan.

Did you physically search for and confirm the size of the file?
Can you provide the specific name and its location on your system?

hello,

thanks for replying

here's the summary and answer to the various questions:

firewall shut off

i did check the file size, it's not zero.

when i change the extension to .txt i can upload it fine

the file is located at the following:

S:\_____ck 4 virus\INFECTED.exe.txt 140,288 bytes

i can't upload it from any machine (tried 3 different computers - arguably they could all be infected)

i have successfully uploaded other .exe files to various online virus scanners and the system didn't hesitate at all. worked fine

i have avgfree installed and it has a heart attack each time i try to touch the damn file LOL

and, yes, i did shut off avg and try to upload the bizarre .exe file (i shut off virus protection via the control panel of the app, and then went into task manager and killed all the avg processes manually)

so, now i'm thinking that exe file has some amazing trojan/virus/malware stuff in it, AND that i am infected with something

the file should NOT be locked by anyone and in fact, i can change the file name without problem. except when i called it a .exe file, then things get really weird. i haven't run the file, and for safety's sake, have the file renamed to a .txt extension to keep it from executing by mistake.

i'm wondering if there are any good debuggers or monitors around that would let me see who's locking/touching the file?

thanks!

This post has been edited by audre: 09 December 2007 - 03:05 AM

Hi audre

Download this program:

submit files packer

Highlight the file you (want) and right-click and selecting copy.

Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

I will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example grinler.cab).

Then go to:
http://www.bleepingcomputer.com/submit-malware.php
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.


Stelios

hello,

i've uploaded the cab file per your instructions!

thanks so much

We will see what Grinler has to say!!!

Have Patience!



Stelios

Farstone Driveclone Pro v3.0 keygen program

Norman is showing it as W32/Delf.AXIP.