Ewido Scan - Very Strange

Discussion in 'ewido anti-spyware forum' started by Albinoni, Mar 16, 2006.

Thread Status:
Not open for further replies.
  1. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    I just updated and did a full scan of my C drive on my desktop PC with Ewido and have never encountered a problem as strange as this.

    After the scan was over, which took just under 1 hr, it found 164 infected objects.

    Most are Dropper.VB.lu and the rest Tracking Cookie Tacoda and Tracking Cookie Esomniture. Now I know both Tacoda and Esomniture are related or associated with Firefox Mozilla, as I do use Firefox quite often as my web browser, and no matter what, if I delete Tacoda I can guarantee you after a few days it will come back when I reuse Firefox.

    The strange thing is the Dropper.VB.lu. Now listed under the path is a pile of MP3 files (these are my MP3 music files that I save on my HDD) and listed beside the piles of MP3 files are progs that I had never even known about, nor do they exist on my HDD, apart from the songs that I have in my MP3 file folders. These progs listed are just unheard of and I don't know where on earth they came from.

    Also, when I save any prog I download, it goes directly into my Internet Downloads folder, located on the C drive again. Once again I had a load of progs listed which I have never seen or had on my PC.

    Also, under the Status it says "Cleaned with backup". Is this normal?

    Here is an example:

    C:\FOUND.000\FILE0000.CHK -> Dropper.VB.lu : Cleaned with backup
    C:\FOUND.000\FILE0001.CHK -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\xzxzxzxzxzxz.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\WinGlobe 2.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Filemanag v3.01.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Teleport Pro v1.29.2018.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\SpyAnytime PC Spy v2.24.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Set Machine v2.42A.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\ProKon v10.0k.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Flash2X EXE Packager v1.0.1.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Fast Browser Pro v6.4.1.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Portslook V1.4.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Neurosolutions 2.3 Developer.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Trading Solutions 2.1 End Of Day Edition.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Tray Helper v3.9.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Zmei Mail Sender 1.06.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Easy Mail Plus 1.7.93.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\International Clock v5.8.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Text Recordster v1.9.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\FlashFXP v2.2.951 BETA.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Arc DVD Copy v1.1.5.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Smart Undelete v2.6.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Virtual DJ Studio v4.11.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\BlindWrite Suite v5.2.24.161.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Focus Audio Converter v3.1.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\RamSmash v1.3.6.2006.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\MIDI To MP3 Maker v3.0.70.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\The Sims 2 Open for Business.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\FIFA Soccer 06.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\NBA Live 2006.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\MX vs. ATV Unleashed.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Final Fantasy VII.exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Troy (2004).exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\_\Ultimate Avengers (2006).exe -> Dropper.VB.lu : Cleaned with backup
    C:\Internet Downloads\WinRar 3.51\Patch.exe -> Downloader.VB.ts : Cleaned with backup
    C:\MP3 Files\_\xzxzxzxzxzxz.exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\Age of Mythology.exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\Unreal Tournament.exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\Star Wars Jedi Knight II.exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\Family Guy the Movie (2005).exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\Mean Girls (2004).exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\Johnson Family Vacation.exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\Being John Malkovich (1999).exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\White Noise(2005).exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\Collateral (2004).exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\The Transporter 2 (2005).exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\Sky High (2005).exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\Alien vs. Predator (2004).exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\KeyLogger Pro 2.0.1..exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\Ultra Iso Media Edition 7.6.5.1225.exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\Alcohol 120% 1.9.5.3823.exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\Photoplorer v2.03d.exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\DreamSoft AIO.exe -> Dropper.VB.lu : Cleaned with backup
    C:\MP3 Files\_\FTP Synchronizer Enterprise v1.4.1.exe -> Dropper.VB.lu : Cleaned with backup

    Another thing I forgot to mention is that I'm using NOD32 as my antivirus, but why on earth was this allowed to happen? I mean, for Ewido to find 162 threats or logs like what I've listed above is not funny at all.

    Also, I scanned my PC a few days ago in Safe Mode using NOD32 and it came out clean.
     
    Last edited: Mar 16, 2006
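    The scan report quoted above has a regular "path -> detection : status" shape, so the first thing a responder would do with it is parse it and look at what the hits have in common, rather than at the detection names alone. The script below is an added example, not something from this thread or from Ewido: it parses a subset of the report lines quoted in the post, counts hits per detection, folder and status, and flags executables that look like the lures a file-sharing worm scatters through share folders. The three heuristics (an .exe sitting in a music/media folder, a movie-style "(year)" in the file name, and one file name dropped into several folders) are my own assumptions, not Ewido's logic.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Sample input: a subset of the scan-report lines quoted in the post above.
SCAN_REPORT = r"""
C:\FOUND.000\FILE0000.CHK -> Dropper.VB.lu : Cleaned with backup
C:\Internet Downloads\_\xzxzxzxzxzxz.exe -> Dropper.VB.lu : Cleaned with backup
C:\Internet Downloads\_\Teleport Pro v1.29.2018.exe -> Dropper.VB.lu : Cleaned with backup
C:\Internet Downloads\_\Troy (2004).exe -> Dropper.VB.lu : Cleaned with backup
C:\Internet Downloads\WinRar 3.51\Patch.exe -> Downloader.VB.ts : Cleaned with backup
C:\MP3 Files\_\xzxzxzxzxzxz.exe -> Dropper.VB.lu : Cleaned with backup
C:\MP3 Files\_\Mean Girls (2004).exe -> Dropper.VB.lu : Cleaned with backup
C:\MP3 Files\_\KeyLogger Pro 2.0.1..exe -> Dropper.VB.lu : Cleaned with backup
"""

# One report line: "<path> -> <detection name> : <status text>"
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<status>.+)$")
# A "(2004)"-style release year in a file name, typical of movie/game lures (assumption).
YEAR_RE = re.compile(r"\((19|20)\d\d\)")
# Folder-name words that suggest a media folder where no .exe belongs (assumption).
MEDIA_DIR_WORDS = ("mp3", "music", "video", "movie")


def parse_scan_report(text):
    """Turn report text into a list of dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PureWindowsPath(m["path"])
        records.append({
            "path": m["path"],
            "directory": str(p.parent),
            "name": p.name,
            "ext": p.suffix.lower(),
            "detection": m["detection"],
            "status": m["status"],
        })
    return records


def summarize(records):
    """Counts per detection name, per folder and per status (e.g. whether backups were kept)."""
    return {
        "by_detection": Counter(r["detection"] for r in records),
        "by_directory": Counter(r["directory"] for r in records),
        "by_status": Counter(r["status"] for r in records),
    }


def find_lure_executables(records):
    """Map each suspicious .exe path to the list of heuristics it triggered."""
    name_dirs = {}
    for r in records:
        name_dirs.setdefault(r["name"].lower(), set()).add(r["directory"])
    flagged = {}
    for r in records:
        if r["ext"] != ".exe":
            continue
        reasons = []
        if any(w in r["directory"].lower() for w in MEDIA_DIR_WORDS):
            reasons.append("executable stored in a media folder")
        if YEAR_RE.search(r["name"]):
            reasons.append("movie/game-style name with release year")
        copies = len(name_dirs[r["name"].lower()])
        if copies > 1:
            reasons.append("same file name dropped in %d folders" % copies)
        if reasons:
            flagged[r["path"]] = reasons
    return flagged


if __name__ == "__main__":
    recs = parse_scan_report(SCAN_REPORT)
    summary = summarize(recs)
    for key, counter in summary.items():
        print(key)
        for item, n in counter.most_common():
            print("  %3d  %s" % (n, item))
    print("suspicious executables:")
    for path, reasons in find_lure_executables(recs).items():
        print("  %s\n      %s" % (path, "; ".join(reasons)))
```

    Two things the output makes visible that the raw list hides: every hit has status "Cleaned with backup", which means a copy is still in quarantine and can be submitted to the vendor before it is purged, and the same file name appearing in both the Internet Downloads and MP3 Files folders is the pattern of something dropping copies of itself into shared folders rather than of files the user saved there.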
  2. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    I just had a quick look at our sample of this downloader... You should never ever run any of these files!
     
  3. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Ok, unfortunately these are definitely valid detections!
     
  4. steveke

    steveke Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    90
    Albinoni

    As far as the Tacoda cookies, and possibly the others, there may be a way to prevent them from reoccurring. In this thread "Ewido keeps finding the same problems!" at post #20, Ratchet found a way to keep them from coming back.

    http://ww.wilderssecurity.com/showthread.php?t=121147&highlight=tacoda

    It involves going into the folder and opening the cookies so that the "clean and block" feature of Ewido can be used. I believe the "block" is important as Tacoda piggybacks on other cookies.

    Ratchet confirmed by revisiting sites and scanning and finding no more Tacoda.
     
  5. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia

    The very strange thing is that when I tried to go to the source, i.e. C:\MP3 Files or C:\Internet Downloads, none of the files listed above were there, and in my MP3 folders I only had the MP3 files that I placed there myself, which have been there for a while.

    Also, I did a full scan with NOD32 in Safe Mode and yet nothing was found; the PC came out clean.
     
  6. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    Also, how do I set Ewido to clean and block?
     
  7. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    When did you check? Before or after the ewido scan? Does your explorer show hidden files?
     
  8. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Do you have a file sharing application installed?

    Those look like they're the work of a P2P worm.
     
  9. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    As you unfortunately deleted the files from quarantine, I've just uploaded the Dropper.VB.lu sample we have in our database to VirusTotal and here is the result... I've also analysed it and it does indeed create all these files.
     

    Attached Files:

  10. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    And here are the created files...
     

    Attached Files:

  11. steveke

    steveke Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    90

    "Clean and block" is an option only in the Ewido guard.

    That is why Ratchet had to go into the cookie folder for Firefox and open the cookies, to bring up the Ewido guard alarm, so that he could use the "clean and block".
     
  12. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    This all happened after my Ewido scan not before.

    Windows explorer does show all hidden files.
     
  13. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    What "happened"? The files were already there and have been detected and removed by ewido, that's all that happened :)
     
  14. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    Yes, I do use P2P, i.e. Limewire Professional and Shareaza, but I'm not sure if these are file sharing as well, or would you classify them as file sharing?

    I have been using both these progs for a long time and have never ever had issues like this.
     
  15. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Hi, those are file sharing apps, yeah.
    And the worm you have is the P2P worm Alcan. The worm does install and drop a wealth of malware, including spyware and backdoors.
     
  16. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    So how did this worm get through, and why wasn't it stopped?

    What do you suggest I do now ?
     
  17. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    You are not running the ewido guard, are you? NOD definitely missed it, was the Bitdefender guard active?
     
  18. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    709
    Location:
    Perth, Western Australia
    No, my Ewido expired a week ago, so now I'm only using Ewido as an on-demand trojan scanner; it's not running in real time, though I do have Spybot S&D, Ad-Aware SE Professional and also MS AntiSpyware all running in real time.

    Sorry, I run BitDefender on a totally different PC; plus, if I had it on this PC I would not be having two AV progs running in real time, i.e. NOD32 and BD Pro 9.
     
  19. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I'm sure you didn't mean to say you have two AVs running in real time.
     
  20. azumi21

    azumi21 Registered Member

    Joined:
    Aug 16, 2004
    Posts:
    129

    Renew your ewido, guard on, max setting, auto updates.

    Uninstall spybot, adaware, m$ spyware (they are useless and probably just get in the way).

    Get rid of your p2p (you are just begging for infections).
    You should run RootkitRevealer to see if you have more fun hidden items.

    NOD is a great AV, but nothing is perfect. Make sure your IMON/AMON settings are on max.
     
  21. lordpake

    lordpake Registered Member

    Joined:
    Aug 7, 2004
    Posts:
    563
    Location:
    Helsinki ~ European Union
    Actually, the apps themselves (those two listed) are safe. It takes user action to download infected stuff. Just using common sense when downloading, plus a good antivirus etc., should keep you safe.
     