
Sophos Says Hjt Is Infected


5 replies to this topic

#1 rayandmaura


Posted 05 August 2007 - 01:53 PM

I have just put in a clean drive and installed Windows. I ran a Sophos scan and it was clean. After installing HJT and running another Sophos scan, it came back with infections. Does anyone know if HJT shows false positives in Sophos? The scan said HJT and a system restore point had infection immediately after the HJT installation. I don't recall seeing anything about this on BC or anywhere else about this issue. If anyone knows, please let me know. Thank you.... rayandmaura


Moved from the XP Forum. ~acklan~

Edited by acklan, 05 August 2007 - 03:05 PM.



#2 oldf@rt


Posted 05 August 2007 - 02:03 PM

Interesting. I could not find anything about HijackThis giving a false positive in Sophos AV.

My comment would be to uninstall the HijackThis that you have and download the latest version from Trend Micro.

http://www.trendsecure.com/portal/en-US/th...p?page=download
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#3 rayandmaura


Posted 05 August 2007 - 03:02 PM

I just downloaded this HJT from Trend last night. This is the second time and drive that this has happened to. Here is what it looks like:

>>> Virus 'Mal/VB-M' found in file c:\Documents and Settings\Owner\My Documents\PROGRAMS\HJTInstall.exe1.exe\FILE:0000...
>>> Virus 'Mal/VB-M' found in file c:\System Volume Information\_restore{C49ED535-97D6-4EFF-ADA9-B4FA8D6705E3}\RP293\A0072862.exe

This IS a clean drive, or at least it was until I downloaded HJT. So either it's a false positive or the application itself is corrupt. Maybe someone there could install the new HJT on a PC and scan with Sophos to see what's up? If the HJT is not bundled with malware itself, then maybe there should be some kind of warning about this, as it's quite aggravating to be infected by the very program that's supposed to be helping, or to have the program setting off false positives with other respected AV apps. Or we're just running in circles. I got so worried seeing that HJT was infected that I removed the infected/false-positive-infected drive and put in a new one, only to have the same thing happen as soon as I downloaded HJT again.......... Food for thought.
rayandmaura

#4 oldf@rt


Posted 05 August 2007 - 03:51 PM

I just scanned with Jotti and VirusTotal:

Jotti:
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Rising Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing

Virus Total:
AhnLab-V3 2007.8.3.0 2007.08.03 -
AntiVir 7.4.0.57 2007.08.03 -
Authentium 4.93.8 2007.08.03 -
Avast 4.7.1029.0 2007.08.05 -
AVG 7.5.0.476 2007.08.05 -
BitDefender 7.2 2007.08.05 -
CAT-QuickHeal 9.00 2007.08.04 -
ClamAV 0.91 2007.08.05 -
DrWeb 4.33 2007.08.05 -
eSafe 7.0.15.0 2007.07.31 suspicious Trojan/Worm
eTrust-Vet 31.1.5032 2007.08.04 -
Ewido 4.0 2007.08.05 -
FileAdvisor 1 2007.08.05 -
Fortinet 2.91.0.0 2007.08.05 -
F-Prot 4.3.2.48 2007.08.03 -
F-Secure 6.70.13030.0 2007.08.03 -
Ikarus T3.1.1.8 2007.08.05 -
Kaspersky 4.0.2.24 2007.08.05 -
McAfee 5090 2007.08.03 -
Microsoft 1.2704 2007.08.05 -
NOD32v2 2438 2007.08.05 -
Norman 5.80.02 2007.08.03 -
Panda 9.0.0.4 2007.08.05 Suspicious file
Prevx1 V2 2007.08.05 -
Rising 19.34.40.00 2007.08.03 -
Sophos 4.19.0 2007.08.01 -
Sunbelt 2.2.907.0 2007.08.04 -
Symantec 10 2007.08.05 -
TheHacker 6.1.7.162 2007.08.04 -
VBA32 3.12.2.2 2007.08.04 -
VirusBuster 4.3.26:9 2007.08.05 -
Webwasher-Gateway 6.0.1 2007.08.03 Win32.ModifiedUPX.gen!90 (suspicious)

Try scanning with these and see your results.

Here is the file info; yours should match.

File size: 396288 bytes
MD5: c4ca7416a6df6d95075f81d9e3b41ad1
SHA1: 6ebbb54156e21ac20c27ca1fb8b3ddcacc919

It looks like your version of Sophos is detecting the file compression method as a possible trojan.

If your file info does not match or your scan results are different, let us know.
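As an added example (not code from the thread or from any of the tools named in it), a small Python helper that does the two checks suggested above: compare a download's MD5 against the published value, and tally a VirusTotal-style report to see which engines flagged the file and whose signature dates lag the rest. The sample report lines are copied from the post; the SHA1 quoted above is truncated, so only MD5 is compared.

```python
import hashlib
import re
from datetime import datetime

# Constructed sample: five lines copied from the VirusTotal report in the post above.
SAMPLE_REPORT = """\
AhnLab-V3 2007.8.3.0 2007.08.03 -
eSafe 7.0.15.0 2007.07.31 suspicious Trojan/Worm
Panda 9.0.0.4 2007.08.05 Suspicious file
Sophos 4.19.0 2007.08.01 -
Webwasher-Gateway 6.0.1 2007.08.03 Win32.ModifiedUPX.gen!90 (suspicious)
"""
# Published MD5 from the post; the SHA1 quoted there is truncated, so only MD5 is compared.
EXPECTED_MD5 = "c4ca7416a6df6d95075f81d9e3b41ad1"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")  # engine version date verdict

def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA1 hex digests, the two values the post asks you to compare."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}

def hash_file(path: str) -> dict:
    """Digests of a file on disk (read whole; fine for a 400 KB installer)."""
    with open(path, "rb") as f:
        return hash_bytes(f.read())

def md5_matches(digests: dict, expected_md5: str = EXPECTED_MD5) -> bool:
    """True when the computed MD5 equals the published one; a mismatch means a different file."""
    return digests["md5"].lower() == expected_md5.lower()

def parse_report(text: str) -> list:
    """Parse VirusTotal-style lines into dicts; verdict is None when the engine found nothing ('-')."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not an engine row
        engine, version, date, verdict = m.groups()
        rows.append({"engine": engine, "version": version,
                     "date": datetime.strptime(date, "%Y.%m.%d"),
                     "verdict": None if verdict.strip() == "-" else verdict.strip()})
    return rows

def detections(rows: list) -> dict:
    """Engines that flagged the file, mapped to the name they gave it."""
    return {r["engine"]: r["verdict"] for r in rows if r["verdict"]}

def stale_engines(rows: list, max_age_days: int = 3) -> list:
    """Engines whose signature date lags the newest in the report by more than max_age_days."""
    newest = max(r["date"] for r in rows)
    return [r["engine"] for r in rows if (newest - r["date"]).days > max_age_days]
```

Run `hash_file` on the installer and pass the result to `md5_matches`; a mismatch means you are not looking at the same file the other poster scanned, and any verdicts are moot until that is resolved.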

#5 rayandmaura


Posted 05 August 2007 - 05:45 PM

When I use the site you use, it says clean, but when I use Sophos through David Lippman's Multi AV scanner, which connects directly to Sophos, I get this:

Sophos Anti-Virus
Version 4.19.0 [Win32/Intel]
Virus data version 4.19E, July 2007
Includes detection for 257792 viruses, trojans and worms
Copyright © 1989-2007 Sophos Plc, www.sophos.com

System time 16:39:38, System date 05 August 2007
Command line qualifiers are: -di -remove -f -all -mime -mbr -noc -archive -opt=ISCabinet --stop-scan

IDE directory is: c:\AV-CLS\Sophos


Full Scanning

>>> Virus 'Mal/VB-M' found in file C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Removal successful

1 master boot record swept.
1 file swept in 6 seconds.
1 virus was discovered.
1 file out of 1 was infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
Ending Sophos Anti-Virus.


rayandmaura

#6 oldf@rt


Posted 05 August 2007 - 06:11 PM

The Sophos that you are using is not up to date; the latest definitions scanned with at VirusTotal are dated 08-01-2007.
Yours are from July; it looks like a false positive.
