need advice!!! Adware.SpywareStorm

I was doing my weekly ewido scan and i was surprised that something came up as i was scanning my system

Ewido found an Adware.SpywareStorm

C:\WINDOWS\Downloaded Program Files\Install.dll

anyone had anything like this? Could it be false positive? I checked the downloaded files folder and it doesnt seem to be there.

 

The location you refer to, i.e.:- C:\WINDOWS\Downloaded Program Files, is where Active X is normally downloaded to. Adware-SpyStormer is known to D/L install.dll to that location, so if the file exists it is not likely to be a false positive:-

http://vil.nai.com/vil/content/v_137581.htm

When you searched for the file, did you have your 'hidden' files unhidden?:-

http://www.bleepingcomputer.com/forums/index.php?showtutorial=62

I would go into safe mode and scan with ewido, let it quarantine what it finds; you can always restore files from quarantine if a mistake is made.

 

Yeah! i did check if the file is hidden since its a .dll file but its not in the folder. ...Let me email Ewido and ask also them just to make sure.

Thanks Guys!

 

Why don,t u upload the file to virus total or jotti, just to see.

 

Can I inject on this thread? Ewido 3.5 found this on my system also in c:\WINDOWS\Downloaded Program Files\Content.1\Install.dll. last night. Booted to safe mode and Ewido found it again. Turned off System Restore. Saw no such folder/file in this location when I navigated there. Then I let Ewido clean the item "with backup", as recommended on warning screen. I uploaded quarantined file to both Jotti and Virus Total today and all scanners said "not infected". I'm not sure if this means Ewido "cleaned" the quarantined file so the scanners would say this, or that it may be a False Positive. I understand the quarantined files are encrypted, so as I got no read error messages I assume those scan services can read encrypted files OK? Googled and searched MS Help KnowledgeBase and found no install.dll file that is legitimately associated with Windows. Ewido scan today finds nothing so I assume it doesn't recreate itself on reboot. Thus I turned back on my System Restore. So do you think it safe to let Ewido permanently remove the file from my system now?

 

I'm intrigued to know exactly what ewido has found. Is it possible to right click the file and check its properties?

Since the C:\WINDOWS\Downloaded Program Files location is used for downloaded Active X, if you permanently deleted the file the worst that could happen is that you need to D/L some Active X again; which should be no problem. However, as you say, there is no legitimate file called Install.dll. That is why it would be interesting to know what 'properties' the file has.

I would wait and see whether Cscampxp posts back, having contacted ewido, before doing anything permanent, the file is quite safe in quarantine. Perhaps you could submit the file to ewido for analysis?:-

http://www.ewido.net/en/malware/

 

I think it's too late to submit to Ewido, as my Ewido 3.5 has already cleaned with backup last night. The file properties of the .dat file in the quarantine folder shows it was created yesterday at 8:46 pm (precisely when I did the Safe Mode Ewido scan & clean). Properties also show it is 143KB. That webpage says it is for uploading files "not already detected as infected (& I assume they mean "cleaned") by their product".

 

I got an email today from Ewido but its asking me again to upload the file. I thought i already did the first time so i copied and zipped my downloaded files folder. I dont know if they can find anything in there coz like what buttoni did, it's not hidden in the folder.

Ewido's email also said that i can send a hjackthis log file i dont get why but like what i said i sent them my Downloaded files folder.

As soon as they get back to me ill let you guys know. Meanwhile, ima try to scan using Ewido again see if it still comes up.

 

The 016 entries in a HJT log will detail all the downloaded Active X on your system - it would be interesting to know whether the Install.dll shows up. It would also be relevant to know whether you have any auto-starts you should not have, or any other sign of infection.

I wonder if it is possible to navigate to C:\Program Files\ewido\security suite\Quarantine and upload the encrypted file to ewido?

 

Well I even went into my registry with regedit and looked to see if any of the things showing in the above Mcafee vil.nai.com info showed and NONE of those HKLM entries are in my registry, including the entry for the the c:\WINDOWS\DPF\CONFLICT.1\Install.dll item. Either Ewido cleaned it out, or could this alert have been a false positive on a legitimate file for some other software. One reason I'm bewildered is that I suffered (nearly year ago) a driveby download of SpywareStormer that I finally succeeded in interrupting before it fully installed (by closing connection when asked for credit card info). Cleaned it from my system completely, I think. The most popular antispyware scanners could see no traces of it. That very same day I had just scanned pc with SpySweeper, Spybot, Adaware and Avast. Also, this time no lightning bolt desktop icon for SpywareStormer appeared as last time, none of the directories, folders or files I got last time appeared (I saved my documentation and checked!) and have not been experiencing any odd pc behavior prior to ewido's recent detection.

I believe I can account for all 016 entries in my HJT log as being legitimate. Here it is if you'd like to see it:

~~HJT log snipped....Bubba~~

The three shown in red with no info are in order: Trend Micro Housecall, TLIEF Flash Object (Dell Chat Sessions), and Panda Active Scan Installer Class

No Install.dll 016 there.

I have the file in question showing on the ewido quarantine screen & the .dat encrypted file is sitting in the quarantine folder, but don't know how ewido wants a suspect/FP file sent to them (email attachment? what email address?). Is the encrypted .dat file in the ewido quarantine folder what they would want to look at? I thought that was already "cleaned" and thus useless now for analysis.

 

You can also send us your quarantine files. Use this website http://www.ewido.net/en/malware/ to send us the files or send us an email:
submit -at- ewido dot net

 

I just submitted the file to Ewido for analysis. Appears to have gone through successfully. Thanks for your instructions and I look forward to the reply regarding the file. I continue to experience no odd pc behavior and no other programs I have tried to access appear to be malfunctioning for lack of this Install.dll file. Thanks for such an easy to use product, Ewido developers!

 

@ buttoni

Wilders no longer handles HJT log analysis nor does it allow logs to be posted except in those circumstances mentioned here. As per that Announcement I have snipped out the original HJT log. If by chance Ewido Support wishes to see it they do have access to it.

Bubba

 

Sorry, had read about this policy change and forgot. Won't happen again.

 

my granddad has that on his computer

 

I hope u were able to fix it for him.



snowbound

 

Whoa! i think it's the Panda Active scan

buttoni, i also have the Panda Active Scan Installer Class so im assuming this is just a false positive

 

Well, might be. But when ewido found the last false positive for me relating to Panda's Active Scan, it show the file to be in the \Active Scan folder. The time I was infected with SpywareStormer, this is not where it was found. On that occasion, I did a Start,Search on "Spywarestormer" and it found in in 4-5 places, but not at all related to Panda. So I'm not saying you might not be right about it being Panda related FP, but this may not be the case. I'd look a little further. I actually had entire folders with SpywareStormer files in them I had to manually delete. Did you find any on your system?

 

i killed it and a bunch of other spyware