Worm Infections...

Discussion in 'other anti-virus software' started by sweater, Jun 14, 2006.

Thread Status:
Not open for further replies.
  1. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,674
    Location:
    Philippines, the Political Dynasty Capital of the
    I have the NOD32 trial version on my system, but I think it's not effective in detecting worms. I visited some "dangerous sites" flagged by McAfee SiteAdvisor with their red warning signs...confident that NOD32 is good enough to protect me. Using my limited account, firewall, WinPatrol monitor, Firefox browser, etc., I didn't feel anything unusual when I was surfing. But after surfing I scanned my system with all of the available scanners on my PC and found nothing (only spyware cookies were detected by Ewido). Lastly, I scanned with ClamWin Anti-virus...and to my surprise it found lots of worms on my PC.

    What can you say about this kind of worm? Is it really safe to delete them permanently, since they are now in the ClamWin quarantine folder?


    efault/Cache/_CACHE_003_'
    C:/Documents and Settings/Gemini1/Local Settings/Application Data/Mozilla/Firefox/Profiles/2uzbtxmh.default/Cache/C98D912Bd01: Worm.JS.Redlof.A FOUND
    C:/Documents and Settings/Gemini1/Local Settings/Application Data/Mozilla/Firefox/Profiles/2uzbtxmh.default/Cache/C98D912Bd01: moved to 'C:/Documents and Settings/All Users/.clamwin/quarantine/C98D912Bd01'
    C:/Documents and Settings/Gemini1/Local Settings/Application Data/Mozilla/Firefox/Profiles/2uzbtxmh.default/Cache/3CC995D3d01: Worm.JS.Redlof.A FOUND
    C:/Documents and Settings/Gemini1/Local Settings/Application Data/Mozilla/Firefox/Profiles/2uzbtxmh.default/Cache/3CC995D3d01: moved to 'C:/Documents and Settings/All Users/.clamwin/quarantine/3CC995D3d01'
    C:/Documents and Settings/Gemini1/Local Settings/Application Data/Mozilla/Firefox/Profiles/2uzbtxmh.default/Cache/75545513d01: Worm.JS.Redlof.A FOUND
    C:/Documents and Settings/Gemini1/Local Settings/Application Data/Mozilla/Firefox/Profiles/2uzbtxmh.default/Cache/75545513d01: moved to 'C:/Documents and Settings/All Users/.clamwin/quarantine/75545513d01'
    C:/Documents and Settings/Gemini1/Local Settings/Application Data/Mozilla/Firefox/Profiles/2uzbtxmh.default/Cache/38D6BD0Dd01: Worm.JS.Redlof.A FOUND
    C:/Documents and Settings/Gemini1/Local Settings/Application Data/Mozilla/Firefox/Profiles/2uzbtxmh.default/Cache/38D6BD0Dd01: moved to 'C:/Documents and Settings/All Users/.clamwin/quarantine/38D6BD0Dd01'
    C:/Documents and Settings/Gemini1/Local Settings/Application Data/Mozilla/Firefox/Profiles/2uzbtxmh.default/Cache/75545512d01: Worm.JS.Redlof.A FOUND
    C:/Documents and Settings/Gemini1/Local Settings/Application Data/Mozilla/Firefox/Profiles/2uzbtxmh.default/Cache/75545512d01: moved to 'C:/Documents and Settings/All


    -- summary --
    Known viruses: 56596
    Engine version: 0.88.2
    Scanned directories: 1214
    Scanned files: 26341
    Infected files: 506
    Not moved: 5
    Data scanned: 1821.74 MB
    Time: 878.891 sec (14 m 38 s)
     
  2. ASpace

    ASpace Guest


    Your limited account and Firefox protected you.

    Can you drop ESET a line telling them the site you suspect?
    support(at)eset.us
     
  3. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    I don't know much about ClamWin, but could it be false positives?

    By "But after surfing I scans my system w all of the available scanners in pc and found nothing" do you mean you scanned using other online scanners, KAV, etc.?
     
  4. sweater

    sweater Registered Member

    Joined:
    Jun 24, 2005
    Posts:
    1,674
    Location:
    Philippines, the Political Dynasty Capital of the
    I don't use online scanners because my connection is slow, so I just rely on the installed, updated scanners on my system. Maybe you can try installing the free ClamWin anti-virus on your system and let's see what it will possibly find on your machine.

    One major flaw...its scanner is very slow...but it does find something that others couldn't. But still I doubt whether I can really trust it; that's why I posted here about what it found.
     
  5. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    I trialled Dr.Web once and it found about 10 things that NOD32 didn't detect, but they were all false positives (and yes, they were reported to Dr.Web as such).

    Maybe someone who uses and knows ClamWin better than I do can say whether it is prone to false positives...I know all AVs are, but some seem to find more than others.

    Other than that, I can only suggest restoring the file from quarantine and uploading it to VirusTotal to see if others detect it as anything.
     
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    The best solution is to send an e-mail to sample[at]nod32.com with the website you visited, and additionally include the link to this thread.

    You may also try to send those files in quarantine to the same address. Restore them to your desktop, for example, put them in a password-protected archive and send. ;)
     
  7. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    First of all, those are in your temporary internet files, so run CCleaner Basic first if you don't have that installed already - http://www.ccleaner.com/downloadbuilds.asp - and scan again. For a second opinion, if you don't have it installed, download and run http://www.emsisoft.com/en/software/free/ It is very good with 'Worm' detection & removal. If this program says you're clean, then it's probably a false positive.
     
  8. ASpace

    ASpace Guest


    You mean samples(at)nod32.com or samples(at)eset.com (note the "s").


    ;)
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The file detected by some AVs as Redlof.A that I've briefly analysed is not malicious. We'll see what files you've got and whether they are benign or malicious.
     
  10. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Redlof, which was first spotted in 2002 if I remember right, is a polymorphic VisualBasic-based worm, able to infect scripting/hypertext files.
    Since it's polymorphic, a lot of "wannabe scanners" might produce false positives with this because of extremely short signatures without any fixed offset.
     
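To make the point in the post above concrete, here is an added toy signature scanner (not ClamWin's, ClamAV's or ESET's code; every signature and sample file in it is constructed): a short pattern matched at any offset fires on ordinary cached scripts, while a longer pattern pinned to a fixed offset does not.

```python
# Toy scanner: shows why a short signature with no fixed offset produces
# false positives on benign browser-cache files. Added example, constructed
# signatures and files; nothing here is a real detection rule or real malware.

# "offset" None = pattern may match anywhere; an integer pins it to one position.
SIGNATURES = {
    "Weak.ShortAnywhere":    {"pattern": b"document.", "offset": None},
    "Strong.LongFixedStart": {"pattern": b"<HTML><SCRIPT LANGUAGE=VBSCRIPT>", "offset": 0},
}

# Constructed benign files of the kind found in a Firefox cache directory.
BENIGN_CACHE = {
    "_CACHE_001_": b"function init(){var e=document.getElementById('nav');e.style.display='block';}",
    "AB12CD34d01": b"<html><head><title>News</title></head><body><p>Hello</p></body></html>",
    "9F8E7D6Cd01": b"/* jquery-like */ (function($){$.fn.hide=function(){document.body.focus();};})(jQuery);",
}

# Constructed file carrying the strong signature's full context at offset 0.
# It holds no working script; it only shows the anchored rule firing.
SUSPECT_FILE = b"<HTML><SCRIPT LANGUAGE=VBSCRIPT>' placeholder body, not real code\n</SCRIPT></HTML>"


def scan(data, signatures=SIGNATURES):
    """Return the names of every signature that matches the given bytes."""
    hits = []
    for name, sig in signatures.items():
        pat, off = sig["pattern"], sig["offset"]
        if off is None:
            matched = pat in data                       # anywhere in the file
        else:
            matched = data[off:off + len(pat)] == pat   # only at the fixed offset
        if matched:
            hits.append(name)
    return hits


def false_positives(benign=BENIGN_CACHE, signatures=SIGNATURES):
    """Count how many known-benign files each signature flags."""
    counts = {name: 0 for name in signatures}
    for data in benign.values():
        for name in scan(data, signatures):
            counts[name] += 1
    return counts


if __name__ == "__main__":
    print("benign files flagged per signature:", false_positives())
    print("constructed suspect file:", scan(SUSPECT_FILE))
```

Running it shows the weak rule flagging two of the three harmless cache entries and the anchored rule flagging none of them, which is the behaviour Redlof-style detections are accused of in this thread.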