grey22
@telus.net

grey22

Anon

Hijackthis. Win32:Kuang2

I did what I'm supposed to before posting my hijackthis.

Please do not delete.

Avast caught "Win32:Kuang2"

I saved the name to a notepad, and got the error in the jpeg when I tried to open it.

I'm trying not to offend the mods, or anybody. Please don't get hysterical.

Here's my hijackthis.

Logfile of HijackThis v1.99.0
Scan saved at 9:33:13 PM, on 2/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\PREVX\Prevx Home\SAGUI.exe
C:\Program Files\PREVX\Prevx Home\PXAgent.exe
C:\Documents and Settings\Dell PC\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PrevxHome] C:\Program Files\PREVX\Prevx Home\SAGUI.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107687531996
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Prevx Agent - Prevx Ltd. - C:\Program Files\PREVX\Prevx Home\PXAgent.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Marilla9
I Am My Own Arbiter
Premium Member
join:2002-12-06
Belpre, OH

Marilla9

Premium Member

said by grey22:

I did what I'm supposed to before posting my hijackthis.
No; You have not.

grey22
@telus.net

grey22

Anon

No ?

What am I missing ?

graycorgi
Premium Member
join:2004-02-23

graycorgi to grey22

Premium Member

to grey22
Maybe you said Hijackthis instead of HJT Log? I don't think they'd be that nitpicky though.

I guess he is saying either your post isn't in the perfect format [not that it should matter] or that you didn't run all of the tools the top of the link said you should have.
graycorgi

graycorgi

Premium Member

I believe the manual removal instructions from TM will help you with this:

»www.trendmicro.com/vinfo ··· VSect=Sn

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane to grey22

Premium Member

to grey22
Rightclick on your file Positive.txt and from the drop down menu choose *Open with* and then choose *notepad*. Copy and paste the contents back here.

Your HijackThis log doesn't show anything as to why Avast is giving you that alert.

John2g
Qui Tacet Consentit
Premium Member
join:2001-08-10
England

John2g to grey22

Premium Member

to grey22
I am puzzled why you just don't delete it from your desktop.

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane

Premium Member

said by John2g:

I am puzzled why you just don't delete it from your desktop.
Delete what? The text file he saved? I don't think that is what is the problem.

The picture of his desktop shows the Avast log info he created in a text file. That is what he needs to open with Notepad so he can copy the report here. Then we can see what it is Avast is alerting on.

Read what he said:
quote:
Avast caught "Win32:Kuang2"

I saved the name to a notepad, and got the error in the jpeg when I tried to open it.

grey22
@telus.net

grey22

Anon

Avast got rid of it. It's in the chest, I think it's called.

I took a picture of where it was, and yes, I deleted that notepad text of the name of that virus. It was just the name.

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

1 edit

CalamityJane

Premium Member

That looks like a false positive grey22.

The active scan folder is for the Panda online virus scan.

Zip up that file that AVAST found from the chest and send it to them for analysis

grey22
@telus.net

grey22

Anon

imscan.zip
643,678 bytes
I don't know where to submit it. I'm going out now.

Here's the zipped virus. Do Not Open. Just submit it to av companies.

Mods. I hope you let them submit it. I don't know how ?

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane

Premium Member

Ok, submitted the file to Avast for you grey.

None of the other AVs detect it as infected and it certainly looks like it is from Panda Software.

File: imscan.dll
Status:

POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
Packers detected:
None

AntiVir
No viruses found (0.63 seconds taken)

Avast
Win32:Kuang2 (3.03 seconds taken)

AVG Antivirus
No viruses found (2.09 seconds taken)

BitDefender
No viruses found (0.34 seconds taken)

ClamAV
No viruses found (0.50 seconds taken)

Dr.Web
No viruses found (0.50 seconds taken)

F-Prot Antivirus
No viruses found (0.07 seconds taken)

Fortinet
No viruses found (0.43 seconds taken)

Kaspersky Anti-Virus
No viruses found (0.63 seconds taken)

mks_vir
No viruses found (0.23 seconds taken)

NOD32
No viruses found (0.39 seconds taken)

Norman Virus Control
No viruses found (0.17 seconds taken)

Allnew
MVM
join:2003-02-01
Denmark- EU.

1 edit

1 recommendation

Allnew to grey22

MVM

to grey22
It's an FP.
Copy and pasted from this topic at the Avast forums.

NOTE: If you (did) use an AV-product of PANDA, be prepared to get a harmless "false positive" about it from avast, because PANDA don't encrypt their files, so that avast (and lots of other scanners !!) CORRECTLY identify (harmless) pieces/strings of virus code in it
(infamous examples: "KUANG2" & "MATYAS" detected in files like imscan.dll & PAV.sig)
For more details, please read HERE

Link here.
»forum.avast.com/index.ph ··· c=5373.0

And more info here. :)
»www.avast.com/eng/faq_panda.html
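
The mechanism described in the quoted Avast note, as an added example that is not part of the original post or either vendor's code: a naive byte-pattern scanner flags another product's definition file when the patterns are stored verbatim, and stops flagging it when they are stored encoded. The signature names, byte patterns, file layout and XOR key are all constructed for illustration, and XOR stands in for whatever encoding a vendor would actually use.

```python
# Constructed byte patterns standing in for vendor signatures (not real malware bytes).
SIGNATURES = {
    "Sample:PatternA": bytes.fromhex("dec0ad0b5eed11223344"),
    "Sample:PatternB": b"CONSTRUCTED-PATTERN-B\x00\x01",
}
HEADER = b"SIGDB1\x00"   # hypothetical definition-file magic
KEY = b"\x5a\xc3\x17"    # hypothetical obfuscation key

def scan(data, signatures=SIGNATURES):
    """Naive scanner: report every signature whose bytes occur anywhere in data."""
    return sorted(name for name, pat in signatures.items() if pat in data)

def xor(data, key=KEY):
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def pack(signatures, encode=False):
    """Serialize a definition file; encode=True stores the patterns XOR-encoded."""
    out = bytearray(HEADER)
    for name, pat in signatures.items():
        nb = name.encode()
        body = xor(pat) if encode else pat
        out += bytes([len(nb)]) + nb + bytes([len(body)]) + body
    return bytes(out)

def unpack(blob, encoded=False):
    """Recover the pattern table, as the product that owns the file would."""
    if not blob.startswith(HEADER):
        raise ValueError("not a SIGDB1 file")
    pos, table = len(HEADER), {}
    while pos < len(blob):
        n = blob[pos]
        name = blob[pos + 1:pos + 1 + n].decode()
        pos += 1 + n
        m = blob[pos]
        body = blob[pos + 1:pos + 1 + m]
        pos += 1 + m
        table[name] = xor(body) if encoded else body
    return table

if __name__ == "__main__":
    print("plain definition file  :", scan(pack(SIGNATURES)))
    print("encoded definition file:", scan(pack(SIGNATURES, encode=True)))
```
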

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane

Premium Member

Thanks, allnew!

I have to wonder why Avast doesn't just fix it instead of explaining it away like that. 11 other avs in my post above did not scream on the Panda file.

From your link I found their FAQ - a little easier to read
»www.avast.com/eng/faq_panda.html
quote:
We can´t do anything about that, only recommend not to use two or more antiviral programs at the same time, or put that files to the list of exclusions, so they will not be scanned anymore.
But, I still have to wonder why they think most users are going to find that FAQ and read it. Seems it would just be easier to fix the darn thing like the others have.

Allnew
MVM
join:2003-02-01
Denmark- EU.

Allnew

MVM

I think that it's a matter of principle for them.
I recall a topic, I think it was in their own forum, where
an Avast guy said that it was Panda who ought to encrypt the sig files, and not Avast who should fix anything.
Still it would be much easier if they just fixed it, as you said yourself.