ClamAV found Win.Trojan.Expiro



#1 The Wren

  • Members
  • 16 posts

Posted 06 February 2013 - 04:50 PM

I have been having difficulties with some of my home computers, so I used an Ubuntu boot disk to scan with ClamTk to see if I could find anything, since prior attempts to scan with MBAM found nothing. After successfully finding some nasties on that computer, I then decided to scan my workhorse PC:

Lenovo W520
Win7 Pro 64
Intel Core i7-2720QM (2.20GHz, 6MB L3)

I have not been having any noticeable issues with my laptop, but Clam found numerous threats of Win.Trojan.Expiro-(119,142,148,186,236,284,289,308,336,362,368), mostly in the Windows folder. It also found Win.Trojan.Pasta-365, Win.Trojan.Chiton-19, and Heuristics.Encrypted.PDF in my temp and program files folders. I deleted all the latter threats, but kept the Expiro ones, because I was afraid it might blow out my Windows installation.

I could really use help to remove the remaining threats from my system.

Thanks,
-- The Wren


#2 Broni

  • BC Advisor
  • 42,663 posts
  • Location:Daly City, CA

Posted 06 February 2013 - 06:18 PM

It'd help if you provided some log so we can see what files were indicated.


#3 The Wren

  • Topic Starter

  • Members
  • 16 posts

Posted 06 February 2013 - 07:00 PM

Here is what I saved from the clam log:

ClamTk, v4.44
Wed Feb 6 20:35:30 2013
ClamAV Signatures: 1762937
Directories Scanned:

...
Found 27 possible threats (276752 files scanned).

/media/Windows7_OS/Users/David/AppData/Local/Temp/072811233046/ZAFFSetup.exe Win.Trojan.Pasta-365
/media/Windows7_OS/Users/David/AppData/Local/Temp/QuickTimeInstaller.exe Win.Trojan.Chiton-19
/media/Windows7_OS/Windows/Installer/c7fc8b9.msp Win.Trojan.Expiro-236
/media/Windows7_OS/Windows/SysWOW64/resmon.exe Win.Trojan.Expiro-289
/media/Windows7_OS/Windows/SysWOW64/colorcpl.exe Win.Trojan.Expiro-119
/media/Windows7_OS/Windows/SysWOW64/DpiScaling.exe Win.Trojan.Expiro-142
/media/Windows7_OS/Windows/SysWOW64/fontview.exe Win.Trojan.Expiro-362
/media/Windows7_OS/Windows/SysWOW64/ssText3d.scr Win.Trojan.Expiro-368
/media/Windows7_OS/Windows/SysWOW64/SystemPropertiesDataExecutionPrevention.exe Win.Trojan.Expiro-284
/media/Windows7_OS/Windows/SysWOW64/winver.exe Win.Trojan.Expiro-336
/media/Windows7_OS/Windows/winsxs/wow64_microsoft-windows-icm-ui_31bf3856ad364e35_6.1.7600.16385_none_a0a25363eee12f40/colorcpl.exe Win.Trojan.Expiro-119
/media/Windows7_OS/Windows/winsxs/wow64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.17514_none_04846decebf43c4c/resmon.exe Win.Trojan.Expiro-289
/media/Windows7_OS/cygwin/download/http%3a%2f%2fmirrors.xmission.com%2fcygwin%2f/release/tetex/tetex-base/tetex-base-3.0.0-3.tar.bz2 Heuristics.Encrypted.PDF
/media/Windows7_OS/Windows/winsxs/x86_microsoft-windows-dpiscaling_31bf3856ad364e35_6.1.7600.16385_none_7a1e2959bc43abd5/DpiScaling.exe Win.Trojan.Expiro-142
/media/Windows7_OS/Windows/winsxs/x86_microsoft-windows-fontview_31bf3856ad364e35_6.1.7600.16385_none_443a636317ca9b75/fontview.exe Win.Trojan.Expiro-362
/media/Windows7_OS/Windows/winsxs/x86_microsoft-windows-s..executionprevention_31bf3856ad364e35_6.1.7600.16385_none_c9b9bfc685ed05d3/SystemPropertiesDataExecutionPrevention.exe Win.Trojan.Expiro-284
/media/Windows7_OS/Windows/winsxs/x86_microsoft-windows-sstext3d_31bf3856ad364e35_6.1.7601.17514_none_06402269bdde4ced/ssText3d.scr Win.Trojan.Expiro-368
/media/Windows7_OS/Windows/winsxs/x86_microsoft-windows-winver_31bf3856ad364e35_6.1.7600.16385_none_b627d45ffdcc6f00/winver.exe Win.Trojan.Expiro-336
/media/Windows7_OS/Windows/winsxs/x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_7f0c7a3c17077fce/iexpress.exe Win.Trojan.Expiro-148
/media/Windows7_OS/Windows/WLXPGSS.SCR Win.Trojan.Expiro-308
/media/Windows7_OS/Install Files/CygwinDownload/download/http%3a%2f%2fmirrors.xmission.com%2fcygwin%2f/release/tetex/tetex-base/tetex-base-3.0.0-3.tar.bz2 Heuristics.Encrypted.PDF
/media/Windows7_OS/Program Files (x86)/Common Files/microsoft shared/Virtualization Handler/CVHSVC.EXE Win.Trojan.Expiro-236
/media/Windows7_OS/Program Files (x86)/Common Files/Windows Live/.cache/183889da1cc471a26/d-PhotoLibrary.msp Win.Trojan.Expiro-308
/media/Windows7_OS/ProgramData/Microsoft/OEMOffice14/OStarter/en-us/click2run.msi Win.Trojan.Expiro-186
/media/Windows7_OS/SWTOOLS/WindowsLive_2011/NEUTRAL/D-PHOTOLIBRARY.CAB Win.Trojan.Expiro-308
/media/Windows7_OS/Windows/Installer/$PatchCache$/Managed/00004109D60090400100000000F01FEC/14.0.4763/CVHSVC.EXE Win.Trojan.Expiro-186
/media/Windows7_OS/Windows/Installer/19621.msp

#4 Broni

  • BC Advisor
  • 42,663 posts
  • Location:Daly City, CA

Posted 06 February 2013 - 10:13 PM

Could be false positives.

Get a cup of coffee and...

Upload those files to http://www.virustotal.com/ for security check.

If the file is listed as already analyzed, click on Reanalyse file now button.


#5 The Wren

  • Topic Starter

  • Members
  • 16 posts

Posted 07 February 2013 - 12:17 AM

Thank you for the incredibly quick and helpful response. I've scanned the files and ClamAV was the only one that came up on any of them -- must be a false positive, as you say.

Here are the results for the files I didn't already delete (in case it's helpful for anyone else in future):

----- /media/Windows7_OS/Users/David/AppData/Local/Temp/072811233046/ZAFFSetup.exe Win.Trojan.Pasta-365
----- /media/Windows7_OS/Users/David/AppData/Local/Temp/QuickTimeInstaller.exe Win.Trojan.Chiton-19
(1/45) /media/Windows7_OS/Windows/Installer/c7fc8b9.msp Win.Trojan.Expiro-236
(1/45) /media/Windows7_OS/Windows/SysWOW64/resmon.exe Win.Trojan.Expiro-289
(1/46) /media/Windows7_OS/Windows/SysWOW64/colorcpl.exe Win.Trojan.Expiro-119
(1/46) /media/Windows7_OS/Windows/SysWOW64/DpiScaling.exe Win.Trojan.Expiro-142
(1/46) /media/Windows7_OS/Windows/SysWOW64/fontview.exe Win.Trojan.Expiro-362
(1/46) /media/Windows7_OS/Windows/SysWOW64/ssText3d.scr Win.Trojan.Expiro-368
(1/46) /media/Windows7_OS/Windows/SysWOW64/SystemPropertiesDataExecutionPrevention.exe Win.Trojan.Expiro-284
(1/46) /media/Windows7_OS/Windows/SysWOW64/winver.exe Win.Trojan.Expiro-336
(1/46) /media/Windows7_OS/Windows/winsxs/wow64_microsoft-windows-icm-ui_31bf3856ad364e35_6.1.7600.16385_none_a0a25363eee12f40/colorcpl.exe Win.Trojan.Expiro-119
(1/46) /media/Windows7_OS/Windows/winsxs/wow64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.17514_none_04846decebf43c4c/resmon.exe Win.Trojan.Expiro-289
----- /media/Windows7_OS/cygwin/download/http%3a%2f%2fmirrors.xmission.com%2fcygwin%2f/release/tetex/tetex-base/tetex-base-3.0.0-3.tar.bz2 Heuristics.Encrypted.PDF
(1/46) /media/Windows7_OS/Windows/winsxs/x86_microsoft-windows-dpiscaling_31bf3856ad364e35_6.1.7600.16385_none_7a1e2959bc43abd5/DpiScaling.exe Win.Trojan.Expiro-142
(1/46) /media/Windows7_OS/Windows/winsxs/x86_microsoft-windows-fontview_31bf3856ad364e35_6.1.7600.16385_none_443a636317ca9b75/fontview.exe Win.Trojan.Expiro-362
(1/46) /media/Windows7_OS/Windows/winsxs/x86_microsoft-windows-s..executionprevention_31bf3856ad364e35_6.1.7600.16385_none_c9b9bfc685ed05d3/SystemPropertiesDataExecutionPrevention.exe Win.Trojan.Expiro-284
(1/46) /media/Windows7_OS/Windows/winsxs/x86_microsoft-windows-sstext3d_31bf3856ad364e35_6.1.7601.17514_none_06402269bdde4ced/ssText3d.scr Win.Trojan.Expiro-368
(1/45) /media/Windows7_OS/Windows/winsxs/x86_microsoft-windows-winver_31bf3856ad364e35_6.1.7600.16385_none_b627d45ffdcc6f00/winver.exe Win.Trojan.Expiro-336
(1/46) /media/Windows7_OS/Windows/winsxs/x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_7f0c7a3c17077fce/iexpress.exe Win.Trojan.Expiro-148
(0/46) /media/Windows7_OS/Windows/WLXPGSS.SCR Win.Trojan.Expiro-308
----- /media/Windows7_OS/Install Files/CygwinDownload/download/http%3a%2f%2fmirrors.xmission.com%2fcygwin%2f/release/tetex/tetex-base/tetex-base-3.0.0-3.tar.bz2 Heuristics.Encrypted.PDF
(1/46) /media/Windows7_OS/Program Files (x86)/Common Files/microsoft shared/Virtualization Handler/CVHSVC.EXE Win.Trojan.Expiro-236
(0/45) /media/Windows7_OS/Program Files (x86)/Common Files/Windows Live/.cache/183889da1cc471a26/d-PhotoLibrary.msp Win.Trojan.Expiro-308
(1/43) /media/Windows7_OS/ProgramData/Microsoft/OEMOffice14/OStarter/en-us/click2run.msi Win.Trojan.Expiro-186
(0/46) /media/Windows7_OS/SWTOOLS/WindowsLive_2011/NEUTRAL/D-PHOTOLIBRARY.CAB Win.Trojan.Expiro-308
(1/46) /media/Windows7_OS/Windows/Installer/$PatchCache$/Managed/00004109D60090400100000000F01FEC/14.0.4763/CVHSVC.EXE Win.Trojan.Expiro-186
----- /media/Windows7_OS/Windows/Installer/19621.msp

Thank you again!
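A small triage script, added here as an example and not something posted in this thread, that parses the two formats above (ClamTk's "<path> <signature>" report lines and the "(hits/engines) <path> <signature>" lines The Wren used for the VirusTotal results) and applies the reasoning Broni gave: a file that only one engine out of 45 or 46 flags is most likely a false positive. It also rolls the verdicts up per signature family, so one genuinely detected file is not lost among many single-engine hits. The sample lines are constructed from the thread's own log, with one made-up line (the "constructed-sample.exe" path and "Win.Trojan.Example-1" name) to exercise the "needs attention" branch; the thresholds SINGLE_ENGINE_MAX and MIN_ENGINES are assumptions, not something the thread states.

```python
"""Triage ClamAV hits against VirusTotal engine counts (added example)."""
import re

# Assumed thresholds (not stated in the thread): at most one engine firing,
# out of a reasonably broad engine set, is treated as a likely false positive.
SINGLE_ENGINE_MAX = 1
MIN_ENGINES = 30

# Constructed sample in ClamTk's report format, copied from the thread's log,
# plus a header line to show that non-path lines are skipped and one made-up
# line (constructed-sample.exe) that is not from the thread.
CLAMTK_REPORT = """\
ClamTk, v4.44
/media/Windows7_OS/Users/David/AppData/Local/Temp/QuickTimeInstaller.exe Win.Trojan.Chiton-19
/media/Windows7_OS/Windows/SysWOW64/resmon.exe Win.Trojan.Expiro-289
/media/Windows7_OS/Windows/WLXPGSS.SCR Win.Trojan.Expiro-308
/media/Windows7_OS/Program Files (x86)/Common Files/microsoft shared/Virtualization Handler/CVHSVC.EXE Win.Trojan.Expiro-236
/media/Windows7_OS/Windows/Installer/19621.msp
/media/Windows7_OS/Users/David/Downloads/constructed-sample.exe Win.Trojan.Example-1
"""

# Constructed VirusTotal summary in the poster's format. "-----" marks a file
# that was already deleted and so never uploaded. The (12/46) line is made up.
VT_RESULTS = """\
----- /media/Windows7_OS/Users/David/AppData/Local/Temp/QuickTimeInstaller.exe Win.Trojan.Chiton-19
(1/45) /media/Windows7_OS/Windows/SysWOW64/resmon.exe Win.Trojan.Expiro-289
(0/46) /media/Windows7_OS/Windows/WLXPGSS.SCR Win.Trojan.Expiro-308
(1/46) /media/Windows7_OS/Program Files (x86)/Common Files/microsoft shared/Virtualization Handler/CVHSVC.EXE Win.Trojan.Expiro-236
----- /media/Windows7_OS/Windows/Installer/19621.msp
(12/46) /media/Windows7_OS/Users/David/Downloads/constructed-sample.exe Win.Trojan.Example-1
"""

VT_LINE = re.compile(r"^\((\d+)/(\d+)\)\s+(.*)$")


def split_path_signature(rest):
    """Split '<path> <signature>' on the last space. Paths may contain
    spaces ('Program Files (x86)'); signature names never contain '/'."""
    rest = rest.strip()
    if " " not in rest:
        return rest, None
    path, last = rest.rsplit(" ", 1)
    if "/" in last:  # the last token is still part of the path: no signature
        return rest, None
    return path, last


def parse_clamtk(text):
    """Return {path: signature_or_None} from ClamTk report lines."""
    hits = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("/"):
            continue  # header and summary lines are not findings
        path, sig = split_path_signature(line)
        hits[path] = sig
    return hits


def parse_vt(text):
    """Return {path: (hits, engines, signature)}; hits/engines are None
    for files marked '-----' (never uploaded)."""
    results = {}
    for line in text.splitlines():
        line = line.strip()
        m = VT_LINE.match(line)
        if m:
            path, sig = split_path_signature(m.group(3))
            results[path] = (int(m.group(1)), int(m.group(2)), sig)
        elif line.startswith("-----"):
            path, sig = split_path_signature(line[5:])
            results[path] = (None, None, sig)
    return results


def verdict(hits, engines):
    """Apply the single-engine rule from the thread (thresholds assumed)."""
    if hits is None:
        return "not checked"
    if engines < MIN_ENGINES:
        return "inconclusive"
    if hits <= SINGLE_ENGINE_MAX:
        return "likely false positive"
    return "needs attention"


def triage(clamtk_text, vt_text):
    """Join ClamTk findings with VirusTotal counts and give each a verdict."""
    vt = parse_vt(vt_text)
    report = {}
    for path, sig in parse_clamtk(clamtk_text).items():
        hits, engines, _ = vt.get(path, (None, None, None))
        report[path] = {"signature": sig, "hits": hits, "engines": engines,
                        "verdict": verdict(hits, engines)}
    return report


def family(signature):
    """'Win.Trojan.Expiro-289' -> 'Win.Trojan.Expiro'."""
    return signature.rsplit("-", 1)[0] if signature else "(none)"


def family_summary(report):
    """Worst verdict per signature family, so one real hit is not hidden."""
    rank = {"likely false positive": 0, "not checked": 1,
            "inconclusive": 2, "needs attention": 3}
    summary = {}
    for rec in report.values():
        fam, v = family(rec["signature"]), rec["verdict"]
        if fam not in summary or rank[v] > rank[summary[fam]]:
            summary[fam] = v
    return summary


if __name__ == "__main__":
    rep = triage(CLAMTK_REPORT, VT_RESULTS)
    for path, rec in rep.items():
        print(f"{rec['verdict']:<22} {rec['signature'] or '-':<26} {path}")
    for fam, v in family_summary(rep).items():
        print(f"family {fam}: {v}")
```

Run it as-is to see the verdict per file and per family; to use it on your own scan, paste the ClamTk report into CLAMTK_REPORT and the VirusTotal summary into VT_RESULTS. A "likely false positive" verdict only says that the scanner evidence is weak, as in this thread; the family roll-up is there so that a real detection in one file of a family is not waved through with the rest.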

#6 Broni

  • BC Advisor
  • 42,663 posts
  • Location:Daly City, CA

Posted 07 February 2013 - 12:19 AM

It definitely looks like false positives.
I'd disregard those findings by Clam.
