NOD Virus Detected win32/startPage. uu trojan

Hi there
Amon keeps finding this virus/trojan and each time I delete it another one with a different file ending appears. I've had c:\windows\system32\psdrvcheck.it win32\startpage.uu trojan and a few other ones including one for c:\Programm files\Pinnacle\Shared Files\InstantCDDVD\IntstantInfo.KOR

I rang Eset and they said it was being spread by adaware programs. Do I need to do anything else other than delete it and try another adaware program to find the problem? They suggested Counterspy. Thanks Andie

 

Hi Andie, can you post a log from the Nod32 Control Centre> Logs> Virus Log

This may tell us a little more of where the file is located.

Cheers

 

Hi Blackspear
Thanks for your help. Hope this is what you wanted..

 

Can you copy and paste the log, just cross out your personal info. I'd like to see exactly where the file is located.

Cheers

 

Andie, from what I have just read, you have been hit by a CWS variant, and as such you will need to download and run “Hijack This” found here and post your log at one of the forums found at A-SAP.

The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.

Once your system is clean I would suggest that you take a look here: Why did I get infected in the first place? Also, for further information on security and how to make your system that much stronger, see here, as well there are discussions here and even more here.

Hope this helps...

Let us know how you go.

Cheers

 

Thanks Blackspear
Nothing funny is going on with my computer, so wondering if it is a false positive. After Amon came up with the message and I deleted the file the NOD scan didn't find anything.

Thanks for the links. That Hijack stuff sounds a bit complicated..does the file unzip itself? Andie

 

Hi Craig,

Could this be the same one as posted here:
https://www.wilderssecurity.com/showthread.php?t=75076

It could be a file from Pinnacle InstantCopy.
http://www.greatis.com/appdata/a/_/_sysdir__psdrvcheck.exe.htm

Maybe I'm wrong, I don't have that program.

Maybe a good idea if those with that warning submit it to Eset so they can have a look at it.
In the meanwhile a second opinion from some Online-scanners like Jotti's and/or KAV can also tell something.

Well, I have to leave it up to Eset
Cheers, Jan.

 

Very nice catch there Jan, I would say so.

Cheers

 

Oops oops

I mis-read the original posting; my fault, sorry !

That file at the Greatis-site is: PSDrvCheck.exe

So sorry

 

Hi,

May I ask Eset, and the original poster, what the status is at the moment about those files?
Thanks

I knew that a friend of mine has Pinnacle Instant CD/DVD SE on her machine.
Yesterday I asked her to send me some of these files.
I just got them.
Of course I don't know whether it are the same files as those who gave that warning.

Some info about them:

PSDrvCheck.IT
Version 1.0.0.63
MD5 : 82d551de0dc65c7dbd8cc85a1a9d1bd4

InstantInfo.KOR
Version 1.1.0.14
MD5 : 1bb92c6fc9b768ad2fe2adc9eba61914

Both files scanned at Jotti : clean.

Eset, if you like, I could submit those files to you

Cheers, Jan.

 

Gorilla (not sure if it's the same poster) got a email reply - it's fixed.

 

OK, thanks Happy Bytes

 

dudus, you are most welcome

 

Thanks Happy Bytes.

Cheers

 

Yeah, it got fixed about 28 hours ago :-]

 

That's almost correct, it was fixed 2 days ago assuming that we have now tomorrow.

 

Thanks again to Eset !

Please forgive me for asking (without intention to bashing or something like that): could a confirmation been posted that it was a FP and was fixed?
Anyhow, I'm glad we know it now and I am happy that it was fixed so quickly

Cheers, Jan.

 

Yes, it was a f/p.

If you consider that we have time differences all over the world and if you consider when a f/p gets fixed here TODAY that it might be already a fixed update available YESTERDAY for some areas then there wasn't even a f/p who wouldn't probably appear TOMORROW somewhere

 

[BLEEP] - just deleted a trial MP3 editor because it had the same DLLs in it and on 04/11 they were found in a full scan .. got to download it again now...

 

Make sure that you have current virus patterns.

 

Edited by FanJ:

removed unfriendly posting from me.



Apologies to all

 

I was current - I was erring on the side of caution - but did think it odd that on the daily scan on the 11th I had 3 positives inside a zip archive, then on the 12th, none - also - I did NOT find the files in quarantine, and the file was still there - obviously ONE of the profiles doesn't have quarantine/delete set properly.... it's getting a little confusing to know which profile I must check though now.. this was a 2.5 beta on my wife's home machine...

 

I too would like to see a list of f/p somewhere so that we can check if something we're about to clean up is worth the cleanup effort, or not... perhaps using the username/password already issued for updates this could be in some kind of user only area?

 

As the man said, I did get an email stating it was fixed in double quick time.

This truely is a great product with great support I am so glad I took the plunge and moved away from Nortons.

PS. I only posted my question once any similar posts are not related to me.

Eset Mod Thanks alot.