need advice!!! Adware.SpywareStorm

Discussion in 'ewido anti-spyware forum' started by Cscampxp, Apr 29, 2006.

Thread Status:
Not open for further replies.
  1. Cscampxp

    Cscampxp Registered Member

    Joined:
    Oct 25, 2005
    Posts:
    34
    I was doing my weekly Ewido scan and I was surprised that something came up as I was scanning my system.

    Ewido found an Adware.SpywareStorm

    C:\WINDOWS\Downloaded Program Files\Install.dll

    Anyone had anything like this? Could it be a false positive? I checked the downloaded files folder and it doesn't seem to be there.
     
  2. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,303
    Location:
    England
  3. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The location you refer to, i.e. C:\WINDOWS\Downloaded Program Files, is where ActiveX is normally downloaded to. Adware-SpyStormer is known to D/L install.dll to that location, so if the file exists it is not likely to be a false positive:-

    http://vil.nai.com/vil/content/v_137581.htm

    When you searched for the file, did you have your 'hidden' files unhidden?:-

    http://www.bleepingcomputer.com/forums/index.php?showtutorial=62

    I would go into safe mode and scan with ewido, let it quarantine what it finds; you can always restore files from quarantine if a mistake is made.
     
  4. Cscampxp

    Cscampxp Registered Member

    Joined:
    Oct 25, 2005
    Posts:
    34
    Yeah! I did check if the file is hidden, since it's a .dll file, but it's not in the folder. ...Let me email Ewido and also ask them, just to make sure.

    Thanks Guys!
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Why don't you upload the file to VirusTotal or Jotti, just to see?
     
  6. buttoni

    buttoni Registered Member

    Joined:
    Jul 8, 2005
    Posts:
    44
    Location:
    Central Texas
    Can I interject on this thread? Ewido 3.5 found this on my system also, in c:\WINDOWS\Downloaded Program Files\Content.1\Install.dll, last night. Booted to safe mode and Ewido found it again. Turned off System Restore. Saw no such folder/file in this location when I navigated there. Then I let Ewido clean the item "with backup", as recommended on the warning screen. I uploaded the quarantined file to both Jotti and VirusTotal today and all scanners said "not infected". I'm not sure if this means Ewido "cleaned" the quarantined file so the scanners would say this, or that it may be a false positive. I understand the quarantined files are encrypted, so as I got no read error messages I assume those scan services can read encrypted files OK? Googled and searched the MS Help Knowledge Base and found no install.dll file that is legitimately associated with Windows. Ewido scan today finds nothing, so I assume it doesn't recreate itself on reboot. Thus I turned my System Restore back on. So do you think it safe to let Ewido permanently remove the file from my system now?
     
    Last edited: May 3, 2006
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I'm intrigued to know exactly what ewido has found. Is it possible to right click the file and check its properties?

    Since the C:\WINDOWS\Downloaded Program Files location is used for downloaded ActiveX, if you permanently deleted the file the worst that could happen is that you would need to D/L some ActiveX again, which should be no problem. However, as you say, there is no legitimate file called Install.dll. That is why it would be interesting to know what 'properties' the file has.

    I would wait and see whether Cscampxp posts back, having contacted ewido, before doing anything permanent; the file is quite safe in quarantine. Perhaps you could submit the file to ewido for analysis?:-

    http://www.ewido.net/en/malware/
     
  8. buttoni

    buttoni Registered Member

    Joined:
    Jul 8, 2005
    Posts:
    44
    Location:
    Central Texas
    I think it's too late to submit to Ewido, as my Ewido 3.5 has already cleaned it with backup last night. The file properties of the .dat file in the quarantine folder show it was created yesterday at 8:46 pm (precisely when I did the Safe Mode Ewido scan & clean). Properties also show it is 143KB. That webpage says it is for uploading files "not already detected as infected (and I assume they mean 'cleaned') by their product".
     
  9. Cscampxp

    Cscampxp Registered Member

    Joined:
    Oct 25, 2005
    Posts:
    34
    I got an email today from Ewido, but it's asking me again to upload the file. I thought I already did the first time, so I copied and zipped my downloaded files folder. I don't know if they can find anything in there, because, like what buttoni found, it's not hidden in the folder.

    Ewido's email also said that I can send a HijackThis log file. I don't get why o_O but, like I said, I sent them my Downloaded files folder.

    As soon as they get back to me I'll let you guys know. Meanwhile, I'm going to try to scan using Ewido again to see if it still comes up.
     
  10. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The O16 entries in a HJT log will detail all the downloaded ActiveX on your system - it would be interesting to know whether the Install.dll shows up. It would also be relevant to know whether you have any auto-starts you should not have, or any other sign of infection.

    I wonder if it is possible to navigate to C:\Program Files\ewido\security suite\Quarantine and upload the encrypted file to ewido?
     
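    One way to audit the downloaded ActiveX entries TopperID is describing (the same data HijackThis reports as O16 lines) without depending on Explorer's hidden-file setting, as an added example that is not from this thread or from Ewido. It assumes the classic Code Store Database registry layout (Distribution Units keyed by CLSID, a DownloadInformation\CODEBASE value, and a Contains\Files subkey whose value names are the installed file paths) and is run from an elevated prompt on the affected machine.

```powershell
# Enumerate downloaded ActiveX controls ("Distribution Units") recorded in the
# Code Store Database, which is where HijackThis takes its O16 entries from.
# Assumed layout:
#   HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CLSID}
#     DownloadInformation\CODEBASE  -> URL the control was downloaded from
#     Contains\Files                -> value names are the installed file paths
$csdb = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
$dpf  = Join-Path $env:windir 'Downloaded Program Files'

$units = Get-ChildItem -Path $csdb -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid    = $_.PSChildName
    $codebase = (Get-ItemProperty -Path "$($_.PSPath)\DownloadInformation" -ErrorAction SilentlyContinue).CODEBASE
    $filesKey = Get-Item -Path "$($_.PSPath)\Contains\Files" -ErrorAction SilentlyContinue
    $files    = if ($filesKey) { $filesKey.GetValueNames() } else { @() }
    foreach ($f in $files) {
        $exists = Test-Path -LiteralPath $f
        [pscustomobject]@{
            CLSID    = $clsid
            CodeBase = $codebase
            File     = $f
            OnDisk   = $exists
            SHA256   = if ($exists) { (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash } else { $null }
        }
    }
}

# Files actually present under Downloaded Program Files, including hidden and
# system ones, so the result does not depend on the folder-view settings.
$onDisk = Get-ChildItem -LiteralPath $dpf -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            File    = $_.FullName
            Size    = $_.Length
            Created = $_.CreationTime
            Hidden  = $_.Attributes.HasFlag([IO.FileAttributes]::Hidden)
            SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }

# A file under DPF that no Distribution Unit claims (an orphaned Install.dll,
# for instance) deserves a second look; its SHA256 is what you would look up on
# VirusTotal or Jotti rather than uploading an encrypted quarantine .dat.
$claimed = @($units | ForEach-Object { $_.File.ToLowerInvariant() })
$orphans = $onDisk | Where-Object { $claimed -notcontains $_.File.ToLowerInvariant() }

$units   | Format-Table CLSID, File, OnDisk, SHA256 -AutoSize
$orphans | Format-Table File, Size, Created, Hidden, SHA256 -AutoSize
```

    Get-FileHash needs Windows PowerShell 4 or later, so on an older machine like the ones in this thread the hash column would have to come from a separate tool.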
  11. buttoni

    buttoni Registered Member

    Joined:
    Jul 8, 2005
    Posts:
    44
    Location:
    Central Texas
    Well, I even went into my registry with regedit and looked to see if any of the things showing in the above McAfee vil.nai.com info showed, and NONE of those HKLM entries are in my registry, including the entry for the c:\WINDOWS\DPF\CONFLICT.1\Install.dll item. Either Ewido cleaned it out, or could this alert have been a false positive on a legitimate file for some other software? One reason I'm bewildered is that I suffered (nearly a year ago) a drive-by download of SpywareStormer that I finally succeeded in interrupting before it fully installed (by closing the connection when asked for credit card info). Cleaned it from my system completely, I think. The most popular antispyware scanners could see no traces of it. That very same day I had just scanned the PC with SpySweeper, Spybot, Ad-Aware and Avast. Also, this time no lightning bolt desktop icon for SpywareStormer appeared as last time, none of the directories, folders or files I got last time appeared (I saved my documentation and checked!) and I have not been experiencing any odd PC behavior prior to Ewido's recent detection.

    I believe I can account for all O16 entries in my HJT log as being legitimate. Here it is if you'd like to see it:

    ~~HJT log snipped....Bubba~~

    The three shown in red with no info are, in order: Trend Micro HouseCall, TLIEF Flash Object (Dell Chat Sessions), and Panda ActiveScan Installer Class.

    No Install.dll O16 there.

    I have the file in question showing on the Ewido quarantine screen & the .dat encrypted file is sitting in the quarantine folder, but I don't know how Ewido wants a suspect/FP file sent to them (email attachment? what email address?). Is the encrypted .dat file in the Ewido quarantine folder what they would want to look at? I thought that was already "cleaned" and thus useless now for analysis.
     
    Last edited: May 5, 2006
  12. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    You can also send us your quarantine files. Use this website http://www.ewido.net/en/malware/ to send us the files or send us an email:
    submit -at- ewido dot net
     
  13. buttoni

    buttoni Registered Member

    Joined:
    Jul 8, 2005
    Posts:
    44
    Location:
    Central Texas
    I just submitted the file to Ewido for analysis. It appears to have gone through successfully. Thanks for your instructions, and I look forward to the reply regarding the file. I continue to experience no odd PC behavior, and no other programs I have tried to access appear to be malfunctioning for lack of this Install.dll file. Thanks for such an easy-to-use product, Ewido developers!
     
    Last edited: May 5, 2006
  14. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    @ buttoni

    Wilders no longer handles HJT log analysis nor does it allow logs to be posted except in those circumstances mentioned here. As per that Announcement I have snipped out the original HJT log. If by chance Ewido Support wishes to see it they do have access to it.

    Bubba
     
  15. buttoni

    buttoni Registered Member

    Joined:
    Jul 8, 2005
    Posts:
    44
    Location:
    Central Texas
    Sorry, had read about this policy change and forgot. Won't happen again.
     
  16. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    My granddad has that on his computer.
     
  17. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    I hope you were able to fix it for him. ;) :D

    snowbound
     
  18. Cscampxp

    Cscampxp Registered Member

    Joined:
    Oct 25, 2005
    Posts:
    34
    Whoa! I think it's the Panda ActiveScan.

    buttoni, I also have the Panda ActiveScan Installer Class, so I'm assuming this is just a false positive.
     
  19. buttoni

    buttoni Registered Member

    Joined:
    Jul 8, 2005
    Posts:
    44
    Location:
    Central Texas
    Well, it might be. But when Ewido found the last false positive for me relating to Panda's ActiveScan, it showed the file to be in the \Active Scan folder. The time I was infected with SpywareStormer, this is not where it was found. On that occasion, I did a Start, Search on "SpywareStormer" and it found it in 4-5 places, but not at all related to Panda. So I'm not saying you might not be right about it being a Panda-related FP, but this may not be the case. I'd look a little further. I actually had entire folders with SpywareStormer files in them that I had to manually delete. Did you find any on your system?
     
    Last edited: May 13, 2006
  20. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    I killed it and a bunch of other spyware.
     