Author Topic: Avast! Found Two  (Read 5158 times)

drmsucks

    Topic Starter


    Specialist

    Avast! Found Two
    « on: July 25, 2008, 12:18:55 AM »
    Win XP SP3, HP Laptop, Core 2 Duo @ 2.0 GHz, 2 GB DDR2 mem, GeForce Go 7600

    Wife was playing solitaire, Avast! found libcurl.dll from the YPOPS directory, classified it as a Win2132: Trojan - Gen. I quarantined it and ran a scan. Avast! found A0013263.dll in Sys Restore and I quarantined that. I deleted all Restore Points, ran SAS, Mbam and HJT.
    SAS and Mbam came up clean. Logs attached.

    YPOPS is a legit program that she uses to POP Yahoo mail - don't know about libcurl.dll except that I have it in the YPOPS directory on my computer - no complaints from Avast!.

    Her computer seems to run normally.

    Thanks for the help!



    [recovering disk space -- attachment deleted by admin]
    « Last Edit: July 25, 2008, 01:00:38 AM by drmsucks »
    If you don't have time to do it right
                    ...when will you have time to do it over?

    alucard786



      Rookie

      Re: Avast! Found Two
      « Reply #1 on: July 25, 2008, 01:29:16 AM »
      Your log seems to be clean......

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: Avast! Found Two
      « Reply #2 on: July 25, 2008, 02:29:55 AM »
      Looks fine.

      drmsucks


        Re: Avast! Found Two
        « Reply #3 on: July 25, 2008, 09:48:49 AM »
        > Your log seems to be clean......

        Please refrain from commenting in the Computer Virus and Spyware section unless and until you receive the Malware Specialist designation from the CH Forum. Untrained gratuitous comments are potentially very harmful.

        From the Virus and Spyware sticky (http://www.computerhope.com/forum/index.php/topic,46313.0.html):

        "If you receive advice from someone other than the approved Malware Removal Specialists, you do so at your own risk. We are not responsible if you take potentially inaccurate/harmful advice from someone who is not a designated helper. Anyone interested in joining the crew must have a good amount of experience and submit references to CBMatt (Chris) in a PM. References will be checked. Others posting advice without approval are subject to have their posts removed immediately as the wrong advice is too risky."

        drmsucks


          Re: Avast! Found Two
          « Reply #4 on: July 25, 2008, 09:51:58 AM »
          > Looks fine.

          Thanks, Evil. Any idea what the A0013263.dll belongs to?

          I'm guessing that the libcurl.dll is a false positive.

          Thanks for taking a look!

          evilfantasy

          Re: Avast! Found Two
          « Reply #5 on: July 25, 2008, 04:35:21 PM »
          libcurl.dll is related to a keylogger I believe and the other file might be a Windows file that was also part of the libcurl.dll.

          Use the Kaspersky Online Scanner

          In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon and choose Run as Administrator.

          • Click on SCAN NOW
          • Click Accept.
          • The program will then begin downloading the latest definition files.
          • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
          • The scan will take a while, so be patient and let it finish.
          When the scan is done, in the Scan is complete window, any infection is displayed.
          There is no option to clean/disinfect, however, we need to analyze the information on the report.

          To obtain the report:
          Click on: Save Report As
          • Next, in the Save as prompt, Save in area, select: Desktop.
          • In the File name area use KScan, or something similar.
          • In Save as type: click the drop arrow and select: Text file [*.txt]
          • Then, click: Save


          Copy and paste the Kaspersky Online Scanner Report in your next reply.

          drmsucks


            Re: Avast! Found Two
            « Reply #6 on: July 25, 2008, 09:51:23 PM »
            Thanks. Will run Kaspersky tonight and post log tomorrow.

            drmsucks


              Re: Avast! Found Two
              « Reply #7 on: July 26, 2008, 12:01:29 AM »
              Here's Kaspersky.

              [recovering disk space -- attachment deleted by admin]

              evilfantasy

              Re: Avast! Found Two
              « Reply #8 on: July 26, 2008, 12:04:56 AM »
              All clear, looks like Avast! did its job well.

              The libcurl.dll was the malicious file and I'm thinking that A0013263.dll was the libcurl file after Windows renamed it and added it to System Restore.

              drmsucks


                Re: Avast! Found Two
                « Reply #9 on: July 26, 2008, 12:47:17 AM »
                Thanks, Evil. About 20 min ago I did a fast scan with Spyware Terminator on my machine (different machine from this thread) and it also identified YPOPS2/libcurl.dll as a trojan! I submitted it to Virus Total and only 2 of their scanners identified it - and, oddly enough, AVAST! wasn't one of them! ST, of course, isn't on the list.

                I deleted YPOPS, re-scanned and came up clean. I may submit an HJT log tomorrow just to be sure.

                Thanks for your help.

                evilfantasy

                Re: Avast! Found Two
                « Reply #10 on: July 26, 2008, 01:04:56 AM »
                It might not be a bad idea to go to the Avast! viruses and worms forum and ask there. They may want you to zip a copy of the dll so they can take a closer look at it. If it's a false positive then they should know so they can fix it.

                That dll must do something suspicious for Avast! to be picking up on it.

                drmsucks


                  Re: Avast! Found Two
                  « Reply #11 on: July 26, 2008, 10:38:14 AM »
                  > That dll must do something suspicious for Avast! to be picking up on it.

                  Yep - and two scanners at Virus Total thought so too.

                  As for sending it to Avast!, I deleted the file from both machines. Actually, it might be in Avast!'s quarantine on my wife's computer; if so, I'll get it off to Avast!.

                  Thanks for the link.

                  evilfantasy

                  Re: Avast! Found Two
                  « Reply #12 on: July 26, 2008, 10:49:31 AM »
                  For all they're worth in the end an AV only does what it's told to. They can't tell 'good' from 'bad'.