Probably Modified Trojan VBS/Valg.A

C:\WINDOWS\HELP\TSHOOT00.CHM »CHM »/w0dvd_result.htm nets Probably Modified Trojan VBS/Valg.A
When NOD32 Updated Only Offers "Leave" when run in "Clean", am I now going to rely on Downloading TDS anti-Troj , VX2, etc. per Blackspear's prior directions, and go to HiJack This post site if all fails. Ran SafeMode NOD32 "Clean", Spybot S&D, Stinger; I have to still download the others but want to be sure that's the right plan. Win Me, IE6, FireFox 1.0.1 (Default) all updated - IE6 Temp files/Offline Content Deleted . Many Thanks! P.S. Failed to see yesterday the tiny "1" in the compacted Scan Log column from 2 days ago and Wish NOD32 had a More Obvious "You Have Virus" Alert. Will post in "Futures" section.

 

Can you just try a reboot with a further scan. Failing this, place your system in Safe Mode and run a scan. I think the first method should work.

Let us know how you go...

Cheers

PS: could you please alter the font size of your post.

 

Thanks, Blackspear! In MS Explorer C:\Windows\HELP: TSHOOT00.CHM reads as a 364kb "HTML Compiled Help File" dated 6-8-2000, the same date as 98% of all Help files I see. Have Run "Clean" Twice in Safe Mode and Twice in Regular Mode and still only get "LEAVE" option; All NOD32 configured per YOU, except I'm stand-alone and No MAPI. If this doesn't appear to be a necessary part of (ie) a working car engine, could I just zip it Vs. Delete in case I need it back? With Win Me I could make a Restore Point just in case, even though the supposed Virus would remain? Many Thanks! Any other strategy appreciated.

 

I believe the original TSHOOT00.CHM can be found in the Win_9.cab file on the original WinME installation CD. You may try extracting and comparing it. You may even extract the original file to an MS-DOS boot floppy disk, boot to the floppy, and then copy the clean file over the suspicious one.

http://support.microsoft.com/?kbid=272610
http://support.microsoft.com/kb/129605/EN-US/

 

Thanks, Al. I ran Kapersky & Trend Micro Europe Online checks (Stinger prior) and they say "OK". Submitted to Samples@ Eset for False Positive check, although not sure how they prioritize what to check, if at all. The location of the Problem File is Windows\Help and is seen in Explorer. At Install, the Win_9.cab file with TSHOOT00.CHM in it is deposited in Windows\Options\Install and I can find the Win_9.cab file on C: and on the Re-Installation CD. Trouble is I don't know how to get to the level beyond Win_9.cab to get at TSHOOT00.CHM unless the Extraction command does it where Explorer can't. Will wait to see if any other ideas pop up before attempting what I'm not good at. Thanks again.

 

Yes, the "extract" tool will let you get at the files within the CAB file. I forget the syntax for it, and I do not have WinME handy right now. If you run "extract /?" from the command line, it should tell you the syntax.

If you have Winzip 9, I believe this can open up the CAB file for you.

Another way to get at the file is through Start --> Programs --> Accessories --> System Tools --> System Information, then Tools --> System Configuration Utility (or just go to Start --> Run... --> msconfig). Somewhere in there is an option to "Extract file". This should also be another way to get at this file within the CAB.

http://support.microsoft.com/kb/129605/EN-US/
http://support.microsoft.com/kb/265371/EN-US/

 

Extracted TSHOOT00.chm to My Documents from C:\Windows\Options\Install. It Tested Same Probable Mod'd Trojan Warning I got from the \HELP file. If ESET doesn't declare a False Positive, what are my options? Thanks!

 

Can you send the file to Eset: samples@nod32.com and place a link to this thread. If you do not hear from Eset within 3 days (allows for weekends), please advise us...

Let us know how you go…

Cheers

 

He's already done so :-] I'll look into it tomorrow as soon as I come to the office and will hasten our guys a bit :-]

 

No worries Marcos, I couldn't see where he mentioned doing so.

Cheers

 

• Authentium AV lists (1) variant of VBS/VALG.A. Free Scan of Windows\HELP, Temp Internet Files, and My Documents (where First Warning site & (2) extracted TSHOOT00.chm is) showed 278 Files Scanned/-0- Cleaned/-0- Viruses;

• The Scan Finished with TSHOOT00.CHM sitting in the Scan Window.
  
• A Coincidence it Finished There? Don't know-

 

Hi Cosmo26. I also run windows me. Nod is showing the same exact trojan in my help file. A few years ago, I ran norton antivirus. Everytime I would go to certain pages in the help section...Norton would pop up an alert saying.."Malicious code detected" I had a friend to look at it at the time, and he said it was the way the code was written in the help file.

Norton couldn't clean it or quarantine it either. Hopefully the same thing is going on here. I'll be following this thread closely....Just to be on the safe side.

 

7 days later and still no definite answer from eset about this....is it a false positive or not?

 

Just ran a NOD32 on demand scan on my Windows ME system and I also get C:\WINDOWS\HELP\TSHOOT00.CHM »CHM »/w0dvd_result.htm - probably modified trojan VBS/Valg.A in my scan log. Earlier today I ran Trojan Hunter and PestPatrol on demand scans without any hits. My system is not experiencing any problems so I'm inclined to think this is a false positive.

 

We have a coulpe of windows XP systems that were installed "over" ME, in a different directory (XP in C:\winXP, ME in c:\Windows)

Recently, we have been getting that warning about TSHOOT00.CHM in the inactive ME directory. Since that directory is not used, I simply renamed the file to stop the warnings.

 

NOD32 Signature database update v1.1019 (which I installed this AM) appears to have fixed the problem as I no longer get the false positive when I scan file C:\WINDOWS\HELP\TSHOOT00.CHM with NOD32.

 

My Scan today is Free of Alerts for TSHOOT00.chm. A nice learning experience with Thanks to all who helped me!

 

Same here. I just did an on demand scan. The file is no longer being detected

 

We have a coulpe of windows XP systems that were installed "over" ME, in a different directory (XP in C:\winXP, ME in c:\Windows)

Recently, we have been getting that warning about TSHOOT00.CHM in the inactive ME directory. Since that directory is not used, I simply renamed the file to stop the warnings.
-------------------------------

That makes no sense to me! NOD32 should not just be scanning for file names, so why renaming it would stop the error is beyond me! Is it using a signature or looking for a name?

 

Sorry, I should of said I renamed the extension, from TSHOOT00.CHM to TSHOOT00.CHM' . Since we scan with extension filter, NOD didn't see it.