Probably Modified Trojan VBS/Valg.A

Discussion in 'NOD32 version 2 Forum' started by COSMO26, Feb 27, 2005.

Thread Status:
Not open for further replies.
  1. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
    C:\WINDOWS\HELP\TSHOOT00.CHM »CHM »/w0dvd_result.htm nets Probably Modified Trojan VBS/Valg.A
    When NOD32 Updated Only Offers "Leave" when run in "Clean", am I now going to rely on Downloading TDS anti-Troj , VX2, etc. per Blackspear's prior directions, and go to HiJack This post site if all fails. Ran SafeMode NOD32 "Clean", Spybot S&D, Stinger; I have to still download the others but want to be sure that's the right plan. Win Me, IE6, FireFox 1.0.1 (Default) all updated - IE6 Temp files/Offline Content Deleted . Many Thanks! P.S. Failed to see yesterday the tiny "1" in the compacted Scan Log column from 2 days ago and Wish NOD32 had a More Obvious "You Have Virus" Alert. Will post in "Futures" section.

     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you just try a reboot with a further scan. Failing this, place your system in Safe Mode and run a scan. I think the first method should work.

    Let us know how you go...

    Cheers :D

    PS: could you please alter the font size of your post.
     
  3. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
    Thanks, Blackspear! In MS Explorer C:\Windows\HELP: TSHOOT00.CHM reads as a 364kb "HTML Compiled Help File" dated 6-8-2000, the same date as 98% of all Help files I see. Have Run "Clean" Twice in Safe Mode and Twice in Regular Mode and still only get "LEAVE" option; All NOD32 configured per YOU, except I'm stand-alone and No MAPI. If this doesn't appear to be a necessary part of (ie) a working car engine, could I just zip it Vs. Delete in case I need it back? With Win Me I could make a Restore Point just in case, even though the supposed Virus would remain? Many Thanks! Any other strategy appreciated.
     
    Last edited: Feb 27, 2005
  4. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
  5. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
    Thanks, Al. I ran Kaspersky & Trend Micro Europe Online checks (Stinger prior) and they say "OK". Submitted to Samples@ Eset for False Positive check, although not sure how they prioritize what to check, if at all. The location of the Problem File is Windows\Help and is seen in Explorer. At Install, the Win_9.cab file with TSHOOT00.CHM in it is deposited in Windows\Options\Install and I can find the Win_9.cab file on C: and on the Re-Installation CD. Trouble is I don't know how to get to the level beyond Win_9.cab to get at TSHOOT00.CHM unless the Extraction command does it where Explorer can't. Will wait to see if any other ideas pop up before attempting what I'm not good at. Thanks again.
     
    Last edited: Feb 28, 2005
  6. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Yes, the "extract" tool will let you get at the files within the CAB file. I forget the syntax for it, and I do not have WinME handy right now. If you run "extract /?" from the command line, it should tell you the syntax.

    If you have Winzip 9, I believe this can open up the CAB file for you.

    Another way to get at the file is through Start --> Programs --> Accessories --> System Tools --> System Information, then Tools --> System Configuration Utility (or just go to Start --> Run... --> msconfig). Somewhere in there is an option to "Extract file". This should also be another way to get at this file within the CAB.

    http://support.microsoft.com/kb/129605/EN-US/
    http://support.microsoft.com/kb/265371/EN-US/
     
  7. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
    Extracted TSHOOT00.chm to My Documents from C:\Windows\Options\Install. It Tested Same Probable Mod'd Trojan Warning I got from the \HELP file. If ESET doesn't declare a False Positive, what are my options? Thanks!
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you send the file to Eset: samples@nod32.com and place a link to this thread. If you do not hear from Eset within 3 days (allows for weekends), please advise us...

    Let us know how you go…

    Cheers :D
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    He's already done so :-] I'll look into it tomorrow as soon as I come to the office and will hasten our guys a bit :-]
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    No worries Marcos, I couldn't see where he mentioned doing so.

    Cheers :D
     
  11. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
    • Authentium AV lists (1) variant of VBS/VALG.A. Free Scan of Windows\HELP, Temp Internet Files, and My Documents (where First Warning site & (2) extracted TSHOOT00.chm is) showed 278 Files Scanned/-0- Cleaned/-0- Viruses;
    • The Scan Finished with TSHOOT00.CHM sitting in the Scan Window.
    • A Coincidence it Finished There? Don't know-
     
  12. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Hi Cosmo26. I also run Windows Me. Nod is showing the same exact trojan in my help file. A few years ago, I ran Norton Antivirus. Every time I would go to certain pages in the help section...Norton would pop up an alert saying.."Malicious code detected". I had a friend look at it at the time, and he said it was the way the code was written in the help file.

    Norton couldn't clean it or quarantine it either. Hopefully the same thing is going on here. I'll be following this thread closely....Just to be on the safe side. :)
     
  13. Visiting

    Visiting Guest

    7 days later and still no definite answer from eset about this....is it a false positive or not?
     
  14. me

    me Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    33
    Location:
    New Baden, IL
    Just ran a NOD32 on demand scan on my Windows ME system and I also get C:\WINDOWS\HELP\TSHOOT00.CHM »CHM »/w0dvd_result.htm - probably modified trojan VBS/Valg.A in my scan log. Earlier today I ran Trojan Hunter and PestPatrol on demand scans without any hits. My system is not experiencing any problems so I'm inclined to think this is a false positive.
     
  15. sagarat

    sagarat Guest

    We have a couple of Windows XP systems that were installed "over" ME, in a different directory (XP in C:\winXP, ME in c:\Windows)

    Recently, we have been getting that warning about TSHOOT00.CHM in the inactive ME directory. Since that directory is not used, I simply renamed the file to stop the warnings.
     
  16. me

    me Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    33
    Location:
    New Baden, IL
    NOD32 Signature database update v1.1019 (which I installed this AM) appears to have fixed the problem as I no longer get the false positive when I scan file C:\WINDOWS\HELP\TSHOOT00.CHM with NOD32.
     
  17. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
    My Scan today is Free of Alerts for TSHOOT00.chm. A nice learning experience with Thanks to all who helped me!
     
  18. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Same here. I just did an on demand scan. The file is no longer being detected :)
     
  19. Visiting

    Visiting Guest

    We have a couple of Windows XP systems that were installed "over" ME, in a different directory (XP in C:\winXP, ME in c:\Windows)

    Recently, we have been getting that warning about TSHOOT00.CHM in the inactive ME directory. Since that directory is not used, I simply renamed the file to stop the warnings.
    -------------------------------

    That makes no sense to me! NOD32 should not just be scanning for file names, so why renaming it would stop the error is beyond me! Is it using a signature or looking for a name?
     
  20. sagarat

    sagarat Guest

    Sorry, I should have said I renamed the extension, from TSHOOT00.CHM to TSHOOT00.CHM' . Since we scan with an extension filter, NOD didn't see it.
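The exchange above shows the blind spot of an extension-based scan filter: the renamed file disappears from the scan even though its contents are unchanged. The following is an added illustration, not code from the thread or from Eset, that compares an extension filter with content-based identification using the ITSF header that Compiled HTML Help files start with; the sample tree, its file bodies and the helper names are constructed for the example.

```python
import tempfile
from pathlib import Path

# Compiled HTML Help (.CHM) files begin with the ITSF signature. This is a
# property of the file format itself, not of any antivirus signature.
CHM_MAGIC = b"ITSF"


def is_chm(path: Path) -> bool:
    """Identify a CHM by its leading bytes rather than by its file name."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(CHM_MAGIC)) == CHM_MAGIC
    except OSError:
        return False


def select_by_extension(root: Path, exts: set[str]) -> list[str]:
    """Mimic an extension filter: only files whose suffix is in exts."""
    return sorted(p.name for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in exts)


def select_by_magic(root: Path) -> list[str]:
    """Content-based selection: every file that really is a CHM, any name."""
    return sorted(p.name for p in root.rglob("*")
                  if p.is_file() and is_chm(p))


def build_sample_tree() -> Path:
    """Constructed sample directory: a CHM-like file, the same file with the
    extension altered as in the thread, and an unrelated text file."""
    root = Path(tempfile.mkdtemp())
    body = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60  # fake header only
    (root / "TSHOOT00.CHM").write_bytes(body)
    (root / "TSHOOT00.CHM'").write_bytes(body)  # renamed: suffix is ".CHM'"
    (root / "readme.txt").write_bytes(b"plain text, not a CHM")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print("by extension:", select_by_extension(sample, {".chm"}))
    print("by content:  ", select_by_magic(sample))
```

Run as a script it lists only TSHOOT00.CHM under the extension filter but both copies under the content check, which is why a scan that is meant to cover all files should not rely on extension lists alone.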
     