Posted 17 December 2008 - 03:56 AM
I basically downloaded a rar file that had a JPG within it, and I had 'Hide extensions for known file types' activated, so I didn't realise that it was a .exe in disguise; had I de-selected the hide extensions option I would have realised it was a .exe and would have left it alone. But stupidly I clicked on the JPG, schoolboy error I know, and it did nothing, so that then made me suspicious. Then I uploaded the rar file and re-downloaded it to make sure everything worked OK, and inside the rar file was one of these JPGs that is really a .exe.
I first downloaded the initial rar that contained the mysterious JPG/.exe file, clicked on the JPG, and nothing happened, but now it seems to be generating these files every time I compress to rar. When I first compress something the file size increases slightly, which is obviously the opposite of what should happen, and when I unpack it the JPG isn't there. Then, when I upload it and re-download it, the file appears!? I have tried various file hosting sites and it happens on all of them, so it isn't site-specific.
I then tried uploading a small rar I downloaded, a completely new file from here, one that I didn't initially compress. After uploading and re-downloading that, it again seemed to have this mysterious file inside. That really baffled me because I didn't compress it; I just downloaded it, re-upped it, then downloaded it again. So I decided to change the name of the JPG from .exe to .JPG; this then turned the JPG icon into a .exe installer-type icon and AVG popped up and said 'warning hidden file extension .exe'.
I scanned the rar file with the JPG inside and AVG, Malware & Spybot didn't detect anything. I made sure I used ATF Cleaner to clear out temporary files prior to scanning too. Mediafire wouldn't successfully upload the rar file with the JPG inside, it said 'bad archive', but other hosting sites had no problem with it. So I tried to upload it in its JPG form to Kaspersky online search; that wouldn't allow me to upload it, but other sites did. Again, those that did came back with nothing. So I tried to scan my system with Kaspersky and F-Secure online; again they both found nothing!?!
Everything I've scanned it with has the latest definitions, all my Windows updates are current, Java is current with all old instances removed, and I even switched off System Restore to eliminate any files being stored by that. I looked on the AVG website and their info on 'hidden file extension .exe' is very vague and not helpful at all. I tried to locate exactly what this was, looked on loads of forums etc., and the only things that seemed remotely similar were the ZPharaoh virus and the Sasser worm. So I scanned with a Sasser worm tool; that came back negative. The ZPharaoh virus doesn't seem to have a patch, and all the info I found on that said that it would create certain files in the system folder and registry and possibly in root drives; I did thorough searches for said files and again I found nothing. I'm hoping it isn't ZPharaoh because that looks like a right nasty virus, attaching itself to all exe files, which will then corrupt any files you open using that program.
I uninstalled WinRAR, removed every instance of it from my machine, even the registry, and I also ran Registry Mechanic. I then installed a new, different WinRAR, and if I compress a file the file size still increases slightly, but if I then unpack it straight away there is no JPG.exe inside. But, as before, if I upload it somewhere, then download that rar again and unpack it, lo and behold, the JPG appears again?!
Obviously whatever this is, it is still on my machine and is regenerating itself! I haven't opened any programs for a few days, just in case. I have backups, but my external backup drive may possibly be infected too. But I've seen no deterioration in performance and no strange system activity, so it's either a new virus that's set to activate on a specific date, and is currently dormant from an attacking point of view until said date, or it's just some kind of false scare?!
I find it strange that AVG only found it when I renamed the JPG.exe back to JPG, and then it gave no information on exactly what type of virus it was. Maybe that is because they don't have the answers yet, or maybe it's a load of old cobblers?! I'm still not opening any programs until I clear the matter up; whatever it is, it's still there, but nothing detects it and it currently seems like a false positive. Perhaps you could ask your friends at AVG about this, because I'm naturally concerned.
I could wipe my drive, but it may be a mental mission for nothing, and if it is a really nasty one waiting to go off then I will have to delete every file I own. Right now I'm definitely not going to do that unless it's absolutely necessary, because it would take me a lifetime to put everything back to how it was, etc.
If anyone could advise me on this or offer up any information it would be seriously appreciated. Thanks
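Two checks a practitioner would want before deciding anything about the post above: look inside the archive for members whose name hides an executable behind an image extension (the "photo.jpg.exe shown as photo.jpg" trick that 'Hide extensions for known file types' enables), and compare a hash of the archive before upload and after re-download to establish whether the hosting round trip changed the file at all. The script below is an added example, not code from the original post; the archive it inspects is constructed inline, and it uses a .zip rather than .rar only because the Python standard library can build one without an external tool (the same loop works against a RAR through the third-party rarfile module, which needs an unrar tool installed).

```python
"""Added example: flag archive members that disguise an executable as an
image, and check whether an upload/download round trip altered an archive.
Everything here is illustrative; the sample archive is constructed below."""
import hashlib
import io
import zipfile

# Magic numbers used to cross-check what a member's name claims.
PE_MAGIC = b"MZ"              # Windows executables (.exe, .scr, .dll) begin with "MZ"
JPEG_MAGIC = b"\xff\xd8\xff"  # JPEG files begin with FF D8 FF

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def displayed_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is dropped, so 'holiday.jpg.exe' appears as 'holiday.jpg'."""
    base = name.rsplit("/", 1)[-1]
    stem, dot, _ext = base.rpartition(".")
    return stem if dot else base


def suspicious_members(archive_bytes):
    """Return a finding for every member whose name or content is deceptive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + p for p in base.split(".")[1:]]
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                head = fh.read(4)  # only the magic bytes are needed
            reasons = []
            # 1. Double extension: an image extension placed in front of an executable one.
            if last in EXECUTABLE_EXTS and len(exts) >= 2 and exts[-2] in IMAGE_EXTS:
                reasons.append("image extension hides an executable extension")
            # 2. Content is a PE file but the name does not say so.
            if head.startswith(PE_MAGIC) and last not in EXECUTABLE_EXTS:
                reasons.append("PE header (MZ) in a file not named as an executable")
            # 3. Name says JPEG but the bytes do not.
            if last in {".jpg", ".jpeg"} and not head.startswith(JPEG_MAGIC):
                reasons.append("named .jpg but lacks the JPEG magic bytes")
            if reasons:
                findings.append({
                    "name": info.filename,
                    "shown_as": displayed_name(info.filename),
                    "reasons": reasons,
                })
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def archive_changed_in_transit(uploaded, downloaded):
    """True when the re-downloaded archive is not byte-identical to the one uploaded."""
    return sha256_hex(uploaded) != sha256_hex(downloaded)


def build_sample_archive():
    """Constructed sample (not a real archive from the post): one genuine-looking
    JPEG stub and one PE stub carrying the double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photo.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 64)
        zf.writestr("holiday.jpg.exe", PE_MAGIC + b"\x90\x00" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    print("sha256 before upload:", sha256_hex(archive))
    for f in suspicious_members(archive):
        print("%s (shown as %s): %s" % (f["name"], f["shown_as"], "; ".join(f["reasons"])))
```

Hash the archive with `sha256_hex` before uploading and again after downloading: if the two values match, the hosting site returned exactly what was sent and any difference in what the extractor shows has to be explained locally; if they differ, the file itself was changed somewhere on the round trip. Either way, run `suspicious_members` on the downloaded copy before extracting anything from it.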