NOD Virus Detected win32/startPage.uu trojan


Piecan
April 12th, 2005, 08:31 AM
Hi there
Amon keeps finding this virus/trojan and each time I delete it another one with a different file ending appears. I've had c:\windows\system32\psdrvcheck.it (win32\startpage.uu trojan) and a few other ones, including one for c:\Program Files\Pinnacle\Shared Files\InstantCDDVD\InstantInfo.KOR

I rang Eset and they said it was being spread by adaware programs. Do I need to do anything else other than delete it and try another adaware program to find the problem? They suggested Counterspy. Thanks Andie

Blackspear
April 12th, 2005, 08:36 AM
Hi Andie, can you post a log from the Nod32 Control Centre > Logs > Virus Log

This may tell us a little more of where the file is located.

Cheers ;D

Piecan
April 12th, 2005, 09:36 AM
Hi Blackspear
Thanks for your help. Hope this is what you wanted..

Blackspear
April 12th, 2005, 09:51 AM
{QUOTE-> Hi Blackspear
Thanks for your help. Hope this is what you wanted.. <-QUOTE}

Can you copy and paste the log, just cross out your personal info. I'd like to see exactly where the file is located.

Cheers ;D

Blackspear
April 12th, 2005, 09:55 AM
Andie, from what I have just read, you have been hit by a CWS variant, and as such you will need to download and run “Hijack This” found here (http://www.wilderssecurity.com/showthread.php?t=12516) and post your log at one of the forums found at A-SAP (http://asap.maddoktor2.com/).

The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com (http://forums.spywareinfo.com/index.php) and CastleCops.com (http://castlecops.com/forums.html). Be sure to read their posting policy in the links at their log review forum sections prior to posting.

Once your system is clean I would suggest that you take a look here: Why did I get infected in the first place (http://www.wilderssecurity.com/showthread.php?t=27971)? Also, for further information on security and how to make your system that much stronger, see here (http://www.wilderssecurity.com/showthread.php?t=62972), as well there are discussions here (http://www.wilderssecurity.com/showthread.php?t=45284&page=1&pp=25) and even more here (http://www.wilderssecurity.com/showthread.php?t=43117).

Hope this helps...

Let us know how you go.

Cheers ;D

Piecan
April 12th, 2005, 10:30 AM
Thanks Blackspear
Nothing funny is going on with my computer, so wondering if it is a false positive. After Amon came up with the message and I deleted the file the NOD scan didn't find anything.

Thanks for the links. That Hijack stuff sounds a bit complicated... does the file unzip itself? Andie

FanJ
April 12th, 2005, 10:46 AM
Hi Craig,

Could this be the same one as posted here:
http://www.wilderssecurity.com/showthread.php?t=75076

It could be a file from Pinnacle InstantCopy.
http://www.greatis.com/appdata/a/_/_sysdir__psdrvcheck.exe.htm

Maybe I'm wrong, I don't have that program.

Maybe a good idea if those with that warning submit it to Eset so they can have a look at it.
In the meantime, a second opinion from some online scanners like Jotti's and/or KAV can also tell something.

Well, I have to leave it up to Eset ;)
Cheers, Jan.

Blackspear
April 12th, 2005, 10:48 AM
{QUOTE-> Hi Craig,

Could this be the same one as posted here:
http://www.wilderssecurity.com/showthread.php?t=75076

It could be a file from Pinnacle InstantCopy.
http://www.greatis.com/appdata/a/_/_sysdir__psdrvcheck.exe.htm

Maybe a good idea if those with that warning submit it to Eset so they can have a look at it. <-QUOTE}

Very nice catch there Jan, I would say so.

Cheers ;D

FanJ
April 12th, 2005, 10:50 AM
Oops oops :-[

I mis-read the original posting; my fault, sorry ! :-[

That file at the Greatis-site is: PSDrvCheck.exe

So sorry :-[ :-[ :-[

FanJ
April 13th, 2005, 06:55 AM
Hi,

May I ask Eset, and the original poster, what the status is at the moment about those files?
Thanks ;)

I knew that a friend of mine has Pinnacle Instant CD/DVD SE on her machine.
Yesterday I asked her to send me some of these files.
I just got them.
Of course I don't know whether they are the same files as those that gave that warning.

Some info about them:

PSDrvCheck.IT
Version 1.0.0.63
MD5: 82d551de0dc65c7dbd8cc85a1a9d1bd4

InstantInfo.KOR
Version 1.1.0.14
MD5: 1bb92c6fc9b768ad2fe2adc9eba61914

Both files scanned at Jotti : clean.

Eset, if you like, I could submit those files to you :)

Cheers, Jan.

Happy Bytes
April 13th, 2005, 07:41 AM
Gorilla (not sure if it's the same poster) got an email reply - it's fixed.

FanJ
April 13th, 2005, 07:48 AM
{QUOTE-> Gorilla (not sure if it's the same poster) got an email reply - it's fixed. <-QUOTE}

OK, thanks Happy Bytes :)

Happy Bytes
April 13th, 2005, 07:57 AM
dudus, you are most welcome ;D

Blackspear
April 13th, 2005, 08:31 AM
{QUOTE-> Gorilla (not sure if it's the same poster) got an email reply - it's fixed. <-QUOTE}

Thanks Happy Bytes.

Cheers ;D

Marcos
April 13th, 2005, 08:45 AM
Yeah, it got fixed about 28 hours ago :-]

Happy Bytes
April 13th, 2005, 08:57 AM
{QUOTE-> Yeah, it got fixed about 28 hours ago :-] <-QUOTE}

That's almost correct, it was fixed 2 days ago assuming that we have now tomorrow. ;D

FanJ
April 13th, 2005, 09:04 AM
Thanks again to Eset ! :D

Please forgive me for asking (without intending to bash or anything like that): could a confirmation be posted that it was an FP and was fixed?
Anyhow, I'm glad we know it now and I am happy that it was fixed so quickly :D

Cheers, Jan.

Happy Bytes
April 13th, 2005, 09:17 AM
Yes, it was a f/p. ;)

If you consider that we have time differences all over the world, and if you consider that when an f/p gets fixed here TODAY there might already be a fixed update available YESTERDAY for some areas, then there wasn't even an f/p that wouldn't probably appear TOMORROW somewhere ;D ;D ;D

webyourbusiness
April 13th, 2005, 09:27 AM
[BLEEP] - just deleted a trial MP3 editor because it had the same DLLs in it and on 04/11 they were found in a full scan .. got to download it again now...

Happy Bytes
April 13th, 2005, 09:29 AM
{QUOTE-> [BLEEP] - just deleted a trial MP3 editor because it had the same DLLs in it and on 04/11 they were found in a full scan .. got to download it again now... <-QUOTE}

Make sure that you have current virus patterns. ;)

FanJ
April 13th, 2005, 09:35 AM
Edited by FanJ:

removed unfriendly posting from me.

:-[

Apologies to all

webyourbusiness
April 13th, 2005, 11:40 AM
{QUOTE-> Make sure that you have current virus patterns. ;) <-QUOTE}


I was current - I was erring on the side of caution - but did think it odd that on the daily scan on the 11th I had 3 positives inside a zip archive, then on the 12th, none - also - I did NOT find the files in quarantine, and the file was still there - obviously ONE of the profiles doesn't have quarantine/delete set properly.... it's getting a little confusing to know which profile I must check though now.. this was a 2.5 beta on my wife's home machine...

webyourbusiness
April 13th, 2005, 11:43 AM
{QUOTE-> Please forgive me for asking (without intention to bashing or something like that): could a confirmation been posted that it was a FP and was fixed?
Anyhow, I'm glad we know it now and I am happy that it was fixed so quickly <-QUOTE}


I too would like to see a list of f/p somewhere so that we can check if something we're about to clean up is worth the cleanup effort, or not... perhaps using the username/password already issued for updates this could be in some kind of user only area?
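FanJ's post above shows the data such a list would hold for each file (name, version, MD5 sum), and this post asks for a way to check a flagged file against it before cleaning up. The script below is an added example, not code from the thread, from Eset or from Pinnacle: it hashes a flagged file and looks it up by hash rather than by file name, with the two MD5 sums FanJ posted as the only list entries; the `hash_bytes`, `hash_file`, `classify` and `triage` names and the list layout are this example's own choices.

```python
import hashlib
from pathlib import Path

# Known false-positive list keyed on MD5. The two entries are the names,
# versions and MD5 sums FanJ posted for the Pinnacle InstantCD/DVD files;
# the dict layout is this example's own choice.
KNOWN_FP = {
    "82d551de0dc65c7dbd8cc85a1a9d1bd4": {"name": "PSDrvCheck.IT", "version": "1.0.0.63"},
    "1bb92c6fc9b768ad2fe2adc9eba61914": {"name": "InstantInfo.KOR", "version": "1.1.0.14"},
}

def hash_bytes(data, algo="md5"):
    """Hex digest of an in-memory blob (same algorithm choices as hash_file)."""
    return hashlib.new(algo, data).hexdigest()

def hash_file(path, algo="md5", chunk=1 << 16):
    """Stream-hash a file so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(digest, file_name):
    """Look a flagged file up by hash, never by name alone: the thread shows
    how PSDrvCheck.exe and PSDrvCheck.IT were confused on the name."""
    entry = KNOWN_FP.get(digest.lower())
    if entry is None:
        return {"status": "unknown", "reason": "hash not on the false-positive list"}
    # Log paths may be Windows-style even when this runs elsewhere, so split on both.
    base = file_name.replace("\\", "/").rsplit("/", 1)[-1]
    note = "" if base.lower() == entry["name"].lower() else " (stored under a different name)"
    return {"status": "known_fp", "name": entry["name"], "version": entry["version"],
            "reason": f"content matches {entry['name']} {entry['version']}{note}"}

def triage(paths, algo="md5"):
    """Hash each flagged path and report which ones are on the list."""
    results = []
    for raw in paths:
        p = Path(raw)
        if not p.is_file():
            results.append({"path": str(p), "status": "missing",
                            "reason": "not found; already deleted or quarantined?"})
            continue
        result = classify(hash_file(p, algo), p.name)
        result["path"] = str(p)
        results.append(result)
    return results
```

MD5 is used only because that is what the thread posted; for a list you maintain yourself, store SHA-256 sums and call `triage(paths, algo="sha256")`. A match says only that the bytes equal a known-clean file; a file with the same name but a different hash stays "unknown" and still deserves a look.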

The Gorilla
April 13th, 2005, 12:15 PM
As the man said, I did get an email stating it was fixed in double quick time.

This truly is a great product with great support. I am so glad I took the plunge and moved away from Nortons.

PS. I only posted my question once; any similar posts are not related to me.

Eset Mod, thanks a lot.