
System 32 trojan horse detected?


9 replies to this topic

#1 thisisRW

  • Members
  • 9 posts

Posted 01 September 2015 - 08:03 AM

My antivirus, Panda Free Antivirus, detected a trojan horse in system 32. The path is: c:\Windows\system32\oobe\OEM\OOBE.cmd and it's called Deldir.A. The Panda database has this information on it.

What do I do? Is this for real? How dangerous is it?




#2 buddy215

  • BC Advisor
  • 12,605 posts
  • Location:West Tennessee

Posted 01 September 2015 - 09:00 AM

I'm leaning toward that detection as being a false positive. But, since Panda says it isn't, best to scan the file at VirusTotal - Free Online Virus and Malware Scan. It will be scanned by multiple well known security programs.

You can post the results if you like or if other programs say the same as Panda please let us know.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 thisisRW

  • Topic Starter
  • Members
  • 9 posts

Posted 01 September 2015 - 09:12 AM

I turned hidden files on, yet I can't find the file my antivirus references. It's currently in quarantine by my antivirus. Should I restore it?

 

Here's a screenshot: https://photos-5.dropbox.com/t/2/AADdR9JwFNNXcbHdMhyLE62zq7VmRia1QbRFwRIWgyNUlw/12/130731802/png/32x32/1/1441123200/0/2/Screenshot%202015-09-01%2011.11.24.png/CJqeqz4gASACIAMgBCAFIAYgBygBKAc/BOHGsq5fF79KXUYEEyINQQ9XWEkobUfQelM-ENXhXAM?size=1280x960&size_mode=2


Edited by thisisRW, 01 September 2015 - 09:15 AM.


#4 buddy215

  • BC Advisor
  • 12,605 posts
  • Location:West Tennessee

Posted 01 September 2015 - 09:21 AM

I would have no qualms about restoring it as I think it is a false positive.




#5 thisisRW

  • Topic Starter
  • Members
  • 9 posts

Posted 01 September 2015 - 09:26 AM

I can find the folder and the file by using the run command, but I tried dragging it to VirusTotal and it won't accept it and still can't find the folder. What should I do now?



#6 buddy215

  • BC Advisor
  • 12,605 posts
  • Location:West Tennessee

Posted 01 September 2015 - 09:42 AM

Did you move the file out of quarantine? If so, the usual procedure, once VirusTotal is opened, is to select the option to upload a file, then locate the file and double-click it; that allows VirusTotal to upload it to its site.

 

EDIT: I just checked...once you are at Virus Total...click on Choose File...then locate the file and double click on it to upload.


Edited by buddy215, 01 September 2015 - 09:47 AM.



#7 thisisRW

  • Topic Starter
  • Members
  • 9 posts

Posted 01 September 2015 - 10:02 AM

Since I was still having trouble, I copy-pasted the file to my desktop and scanned it from there. Only Panda detects it as a trojan, so it must be a false positive?
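As an added example (not part of this thread and not either poster's advice): the same multi-engine check can be done by hash instead of by upload. VirusTotal serves a report page per file hash at https://www.virustotal.com/gui/file/<sha256>, so hashing the file locally and opening that URL shows whether other engines already know the file, with nothing leaving the machine. Hashing the desktop copy against the original also confirms that the copy that was scanned is byte-for-byte the file Panda quarantined, so the verdict carries over; a changed file gets a different digest. The script below is Python; the OOBE.cmd content it hashes is a constructed placeholder, not the real file from the thread.

```python
import hashlib
import tempfile
from pathlib import Path

# VirusTotal's per-file report page, keyed by SHA-256 (public URL format).
VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def virustotal_lookup_url(path) -> str:
    """URL of the existing VirusTotal report for this file, if one exists."""
    return VT_FILE_URL.format(sha256=sha256_of_file(path))


def same_content(path_a, path_b) -> bool:
    """True when two files are byte-identical (equal SHA-256 digests)."""
    return sha256_of_file(path_a) == sha256_of_file(path_b)


def demo() -> dict:
    """Model the thread: an original file, a copy-pasted desktop copy,
    and (for contrast) a copy that was edited after copying."""
    # Constructed placeholder content; NOT the real OOBE.cmd from the thread.
    sample = b"@echo off\r\nrem constructed placeholder, not the real OOBE.cmd\r\n"
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "OOBE.cmd"
        desktop_copy = Path(tmp) / "OOBE_desktop_copy.cmd"
        modified_copy = Path(tmp) / "OOBE_modified.cmd"
        original.write_bytes(sample)
        desktop_copy.write_bytes(original.read_bytes())   # plain copy-paste
        modified_copy.write_bytes(sample + b"rem extra line\r\n")
        return {
            "sha256": sha256_of_file(original),
            "url": virustotal_lookup_url(original),
            "copy_identical": same_content(original, desktop_copy),
            "modified_identical": same_content(original, modified_copy),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a Windows box without Python, `certutil -hashfile <path> SHA256` prints the same digest; that digest is also the value to quote when reporting a suspected false positive to the vendor, since it identifies the exact file without sending it.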



#8 buddy215

  • BC Advisor
  • 12,605 posts
  • Location:West Tennessee

Posted 01 September 2015 - 10:05 AM

Yep...false positive. You could report that to Panda...though I don't know how much attention you would get as you are using a free version.

If Panda allows it in their settings, tell Panda to ignore that file if it comes up again.


Edited by buddy215, 01 September 2015 - 10:08 AM.



#9 thisisRW

  • Topic Starter
  • Members
  • 9 posts

Posted 01 September 2015 - 10:08 AM

Thank you for the help! :)



#10 buddy215

  • BC Advisor
  • 12,605 posts
  • Location:West Tennessee

Posted 01 September 2015 - 10:09 AM

You're welcome....happy surfin'

