
trojan.pws.banker1.7976



#1 mournlight

Posted 03 February 2014 - 08:15 AM

Hi. I downloaded a file and then checked it online on VirusTotal before opening it. It warned that it showed infected with trojan.pws.banker1.7976 on one of the 20 or so scans it does. I run MBAM, and did a scan of just that file, and it didn't find anything. I then did a full scan of my system, and it hasn't found one by this name, although it did find 7 other issues that were fixed. McAfee didn't find anything. I'd like to make sure I don't have this on my machine, though. Any help is appreciated. I think I should also find out how to check files BEFORE I download them, and would appreciate guidance on the right way I should have done this. (Is it possible to check a file before you download it?) I also realize that maybe the site that reported it as containing a virus is actually the danger, and that maybe those 19 checks that found it as clean are right, but I don't know how to tell. Thank you.

 

Here are the two mbam logs:

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.30.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
tc :: COMPUTER [administrator]

Protection: Enabled

2/2/2014 9:03:02 PM
mbam-log-2014-02-02 (21-03-02).txt

Scan type: Custom scan (C:\Users\tc\Downloads\PDF-To-Word.exe|)
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
Objects scanned: 1
Time elapsed: 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)    

 

and then the full scan:

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.30.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
tc :: COMPUTER [administrator]

Protection: Enabled

2/2/2014 9:22:27 PM
mbam-log-2014-02-02 (21-22-27).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 370749
Time elapsed: 1 hour(s), 54 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 9
C:\Users\tc\Desktop\Art & Stories\Downloads\iLividSetupV1.exe (PUP.Optional.Bandoo) -> No action taken.
C:\Users\tc\Documents\invoic4.zip (Trojan.Dofoil) -> Quarantined and deleted successfully.
C:\Users\tc\Documents\invoice.324324.zip (Trojan.Dofoil) -> Quarantined and deleted successfully.
C:\Users\tc\Documents\order.3423423.zip (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Users\tc\Documents\Photo_17.07.2013_ID0586755654.zip (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Users\tc\Documents\invoic4\invoice.324324.exe (Trojan.Dofoil) -> Quarantined and deleted successfully.
C:\Users\tc\Documents\invoice.324324\invoice.324324.exe (Trojan.Dofoil) -> Quarantined and deleted successfully.
C:\Users\tc\Documents\order.3423423\order.3423423.exe (Trojan.Inject) -> Quarantined and deleted successfully.
C:\Users\tc\Documents\Photo_17.07.2013_ID0586755654\Photo _ 17.07.2013_ ID9775002633.jpeg.exe (Trojan.Inject) -> Quarantined and deleted successfully.

(end)

 

(I sent iLivid to the recycle bin.)

#2 Sirawit

Malware Response Team

Posted 03 February 2014 - 10:50 AM

Hi mournlight and welcome to BleepingComputer! :welcome:

 

Can you include the link to virustotal.com scan result for the file please?

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#3 mournlight

Posted 05 February 2014 - 08:52 PM

Okay, here's attempt five to paste the bit of info I have:

 

I didn't save a link from that site - I'm sorry but I didn't know to do that. I did take a screenshot of the report, though. I hope this helps! ..... and, attempt number five fails. I can't find a way to upload or paste a bmp, jpg, or doc. Every way I try gives me an error message. I know this isn't what you are looking for, but here's a retype of the first few lines from the screenshot of that report. Feel free to point me to instructions for pasting or uploading:

 

SHA256:     22e1ea61a59c4b278e168b01f76bc3d60825d2c7fc477760030970d3ee5b0dcb

File name:  PDF-To-Word.exe

Detection ratio:  1/48

Analysis date:  2014-01-19 22:05:21 UTC

Antivirus                 Result                                      Update

DrWeb                    Trojan.PWS.Banker1.7976     20140119

 

AVG,

Ad-Aware,

Agnitum and all the rest - green checkmarks



#4 Sirawit

Posted 05 February 2014 - 10:42 PM

No problem, the SHA256 hash value can be searched on virustotal.com for checking; thanks for your effort in typing this. :)

That file got reported by only one scanner, so there's a big chance it is a False Positive.

Does the file PDF-TO-WORD.exe belong to any program? Where is it located? Is it the program installer? So I can check further.

Thank you.




#5 mournlight

Posted 09 February 2014 - 11:37 AM

Hi -

The only place the file exists is in the recycle bin, unopened. I never opened the file for it to create an uninstaller. I've checked the registry and see nothing with any form of the file name. I've checked for hidden programs from the date/time that I downloaded the file, and find nothing else that happened that was suspicious or unexpected.

Does that answer your question?

And, if you don't mind, would you tell me how I should have posted that info from virustotal?  I still see no way to do that.

Thanks!



#6 Sirawit

Posted 09 February 2014 - 11:56 AM

Follow these steps:

  1. Check the actual place where the file is located by right-click > Properties > Origin.
  2. Restore the file from the recycle bin.
  3. Open virustotal.com
  4. Click "Choose file" and select the file at the location you got from step 1
  5. Click "Scan it!"
  6. Click "Reanalyze"
  7. Wait for it to finish and post the VirusTotal scan URL here.
  8. Delete that file back to the recycle bin. (Don't open it.)

And yes, that answered my question. If you didn't open the file yet, no damage has been done to your computer, and the MBAM scan cleaned up a lot of other "high risk" items. :)

 

Thank you.


Edited by Sirawit, 09 February 2014 - 11:58 AM.

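As an added example (not code from this thread, from BleepingComputer or from VirusTotal), the following Python script does what Sirawit suggests in posts #4 and #6 from the defender's side: hash the downloaded file locally, look up the existing VirusTotal report by hash so nothing has to be uploaded, compare the digest against one a publisher supplies, and turn a detection ratio such as 1/48 into a next step. The report URL layout is assumed from the link posted later in this thread, and the script name in the usage comment is hypothetical.

```python
import hashlib
import hmac
import io

# Report URL in the form the thread links to (assumption: the path layout is
# copied from the link posted in post #7; VirusTotal may change it).
VT_FILE_REPORT = "https://www.virustotal.com/en/file/{sha256}/analysis/"

def sha256_of_stream(fp, chunk_size=1 << 20):
    """SHA-256 of a file-like object, read in 1 MiB chunks so large installers fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fp.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def sha256_of_bytes(data):
    return sha256_of_stream(io.BytesIO(data))

def sha256_of_file(path):
    with open(path, "rb") as fp:
        return sha256_of_stream(fp)

def normalize_hash(hex_digest):
    """Trimmed, lower-cased digest; rejects anything that is not 64 hex characters."""
    digest = hex_digest.strip().lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-256 hex digest: %r" % hex_digest)
    return digest

def vt_report_url(hex_digest):
    """URL of the existing report: a lookup by hash never uploads the file itself."""
    return VT_FILE_REPORT.format(sha256=normalize_hash(hex_digest))

def hash_matches(actual_hex, expected_hex):
    """Constant-time compare of the local digest against a publisher-supplied one."""
    return hmac.compare_digest(normalize_hash(actual_hex), normalize_hash(expected_hex))

def triage(detections, engines):
    """Map a 'Detection ratio' such as 1/48 to the next step the thread recommends."""
    if detections == 0:
        return "clean on current signatures; keep it unopened if unsure and rescan later"
    if detections == 1:
        return "single-engine hit, likely false positive; reanalyze before trusting either verdict"
    return "%d of %d engines flag it; treat as unsafe until the report is reviewed" % (detections, engines)

if __name__ == "__main__":
    import sys  # usage: python check_download.py <downloaded file>
    digest = sha256_of_file(sys.argv[1])
    print(digest, vt_report_url(digest), sep="\n")
```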


#7 mournlight

Posted 11 February 2014 - 03:35 PM

It got a lot more hits this time:

https://www.virustotal.com/en/file/22e1ea61a59c4b278e168b01f76bc3d60825d2c7fc477760030970d3ee5b0dcb/analysis/1392150836/



#8 Sirawit

Posted 11 February 2014 - 11:16 PM

This file is maybe malicious; checking the VirusTotal result you gave me, it looks like a program installer that bundles adware/PUP in it. I will talk with my colleagues for a conclusion, please be patient.

Thank you.



#9 mournlight

Posted 13 February 2014 - 06:25 PM

Thank you.  I will check back every couple of days.



#10 Sirawit

Posted 13 February 2014 - 11:13 PM

OK, after discussing the VirusTotal analysis, that file is a program installer bundled with adware, so please be cautious when installing PDF to Word, and don't forget to uncheck anything offered with it. The file itself is not malicious.

Thank you.
