backdoor.pclient.B (or is it) and railroad tycoon 3


Guest

Since the security update last week, Norton AV 2005 detects the above named
nasty in a temp file called efipsk.sys and deletes it every time I try to
play RT3. But scans in safe and normal mode find no infection. Symantec
analysts can't seem to help, either. Reinstalling the CD allows the basic
game to play without anything being detected, but when the coast to coast
expansion pack is installed (now tried from two different sources), up pops
the NAV alert. Can't find anything in registry as described by Symantec.
Hijack This logs analysed automatically seem clean. Any ideas???
 

David H. Lipman

From: "toadhall31" <[email protected]>

| Since the security update last week, Norton AV 2005 detects the above named
| nasty in a temp file called efipsk.sys and deletes it every time I try to
| play RT3. But scans in safe and normal mode find no infection. Symantec
| analysts can't seem to help, either. Reinstalling the CD allows the basic
| game to play without anything being detected, but when the coast to coast
| expansion pack is installed (now tried from two different sources), up pops
| the NAV alert. Can't find anything in registry as described by Symantec.
| Hijack This logs analysed automatically seem clean. Any ideas???

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

You called "efipsk.sys" a "temp file". However, files with the extension SYS are rarely, if
ever, temporary files. They are system or hardware drivers.

Is it because it was found such as...
C:\DOCUME~1\<account>\LOCALS~1\Temp\efipsk.sys

If not, where is the file "efipsk.sys" located ?


Please submit a sample of "efipsk.sys" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 

Guest

David H. Lipman said:
From: "toadhall31" <[email protected]>

| Since the security update last week, Norton AV 2005 detects the above named
| nasty in a temp file called efipsk.sys and deletes it every time I try to
| play RT3. But scans in safe and normal mode find no infection. Symantec
| analysts can't seem to help, either. Reinstalling the CD allows the basic
| game to play without anything being detected, but when the coast to coast
| expansion pack is installed (now tried from two different sources), up pops
| the NAV alert. Can't find anything in registry as described by Symantec.
| Hijack This logs analysed automatically seem clean. Any ideas???

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

You called "efipsk.sys" a "temp file". However, files with the extension SYS are rarely, if
ever, temporary files. They are system or hardware drivers.

Is it because it was found such as...
C:\DOCUME~1\<account>\LOCALS~1\Temp\efipsk.sys

If not, where is the file "efipsk.sys" located ?


Please submit a sample of "efipsk.sys" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.




--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Hi Dave: You describe exactly where efipsk was found, which is why I mistakenly described it as a temp file. I'll attempt the submission to Virus Total you suggest, though NAV is deleting the file so I'm not quite sure how that will work out. Thanks
 

Guest

Hello again Dave:

I posted the backup of the file to Virus Total and the scans came back
empty. Here's the log:

STATUS: FINISHED
Complete scanning result of "465162D8.sys", received in
VirusTotal at 10.04.2006, 12:30:49 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.22 10.04.2006 no virus found
Authentium 4.93.8 10.03.2006 no virus found
Avast 4.7.892.0 10.03.2006 no virus found
AVG 386 10.03.2006 no virus found
BitDefender 7.2 10.04.2006 no virus found
CAT-QuickHeal 8.00 10.03.2006 no virus found
ClamAV devel-20060426 10.04.2006 no virus found
DrWeb 4.33 10.04.2006 no virus found
eTrust-InoculateIT 23.73.13 10.04.2006 no virus found
eTrust-Vet 30.3.3114 10.04.2006 no virus found
Ewido 4.0 10.04.2006 no virus found
Fortinet 2.82.0.0 10.04.2006 no virus found
F-Prot 3.16f 10.03.2006 no virus found
F-Prot4 4.2.1.29 10.04.2006 no virus found
Ikarus 0.2.65.0 10.04.2006 no virus found
Kaspersky 4.0.2.24 10.04.2006 no virus found
McAfee 4865 10.03.2006 no virus found
Microsoft 1.1603 10.04.2006 no virus found
NOD32v2 1.1789 10.04.2006 no virus found
Norman 5.90.23 10.04.2006 no virus found
Panda 9.0.0.4 10.03.2006 no virus found
Sophos 4.10.0 10.04.2006 no virus found
Symantec 8.0 10.04.2006 no virus found
TheHacker 6.0.1.091 10.04.2006 no virus found
UNA 1.83 10.03.2006 no virus found
VBA32 3.11.1 10.03.2006 no virus found
VirusBuster 4.3.7:9 10.03.2006 no virus found


Aditional Information
File size: 34401 bytes
MD5: 0bd574fb7c47d215f198f035cb8680c2
SHA1: 1ffe9377bd609986898d04356a16c552379727b0
packers: XORCrypt

VirusTotal is a free service offered by Hispasec Sistemas. There are no
guarantees about the availability and continuity of this service. Although
the detection rate afforded by the use of multiple antivirus engines is far
superior to that offered by just one product, these results DO NOT guarantee
the harmlessness of a file. Currently, there is not any solution that offers
a 100% effectiveness rate for detecting viruses and malware.
 

David H. Lipman

From: "toadhall31" <[email protected]>


| Hello again Dave:
|
| I posted the backup of the file to Virus Total and the scans came back
| empty. Here's the log:
|
| STATUS: FINISHED
| Complete scanning result of "465162D8.sys", received in
| VirusTotal at 10.04.2006, 12:30:49 (CET).
|
| Antivirus Version Update Result
| AntiVir 7.2.0.22 10.04.2006 no virus found
| Authentium 4.93.8 10.03.2006 no virus found
| Avast 4.7.892.0 10.03.2006 no virus found
| AVG 386 10.03.2006 no virus found
| BitDefender 7.2 10.04.2006 no virus found
| CAT-QuickHeal 8.00 10.03.2006 no virus found
| ClamAV devel-20060426 10.04.2006 no virus found
| DrWeb 4.33 10.04.2006 no virus found
| eTrust-InoculateIT 23.73.13 10.04.2006 no virus found
| eTrust-Vet 30.3.3114 10.04.2006 no virus found
| Ewido 4.0 10.04.2006 no virus found
| Fortinet 2.82.0.0 10.04.2006 no virus found
| F-Prot 3.16f 10.03.2006 no virus found
| F-Prot4 4.2.1.29 10.04.2006 no virus found
| Ikarus 0.2.65.0 10.04.2006 no virus found
| Kaspersky 4.0.2.24 10.04.2006 no virus found
| McAfee 4865 10.03.2006 no virus found
| Microsoft 1.1603 10.04.2006 no virus found
| NOD32v2 1.1789 10.04.2006 no virus found
| Norman 5.90.23 10.04.2006 no virus found
| Panda 9.0.0.4 10.03.2006 no virus found
| Sophos 4.10.0 10.04.2006 no virus found
| Symantec 8.0 10.04.2006 no virus found
| TheHacker 6.0.1.091 10.04.2006 no virus found
| UNA 1.83 10.03.2006 no virus found
| VBA32 3.11.1 10.03.2006 no virus found
| VirusBuster 4.3.7:9 10.03.2006 no virus found
|
| Aditional Information
| File size: 34401 bytes
| MD5: 0bd574fb7c47d215f198f035cb8680c2
| SHA1: 1ffe9377bd609986898d04356a16c552379727b0
| packers: XORCrypt
|


Not even Symantec flags this. Make sure your NAV/SAV signatures are up-to-date!

It looks like a False Positive declaration.
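As an added example (not part of this thread), here is a small Python triage script for a report in the plain-text layout pasted above: it parses the per-engine verdict lines, counts how many engines flagged the sample, and checks that the MD5/SHA1 of the local copy match the hashes in the report, so you know the backup you submitted is the same file NAV quarantined. The report excerpt embedded in the script is constructed in the same format, with one engine deliberately made to flag the sample; the hashes are those of the 4-byte content b"test".

```python
import hashlib
import re
from collections import namedtuple

# Constructed excerpt in the same layout as the VirusTotal text report
# pasted in the thread; one line is made to flag the sample so the summary
# shows both outcomes. The hashes are those of the 4-byte content b"test".
SAMPLE_REPORT = """\
Antivirus Version Update Result
AntiVir 7.2.0.22 10.04.2006 no virus found
Symantec 8.0 10.04.2006 no virus found
ExampleAV 1.0 10.04.2006 Backdoor.Generic (constructed)

Aditional Information
File size: 4 bytes
MD5: 098f6bcd4621d373cade4e832627b4f6
SHA1: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
"""

# engine, version, signature date (dd.mm.yyyy), verdict text
RESULT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
HASH_RE = re.compile(r"^(MD5|SHA1):\s*([0-9a-fA-F]+)$")
EngineResult = namedtuple("EngineResult", "engine version updated result")


def parse_report(text):
    """Return (list of EngineResult, {hash name: hex}) from a pasted report."""
    results, hashes = [], {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("| ")  # tolerate '| ' quoting from replies
        m = HASH_RE.match(line)
        if m:
            hashes[m.group(1)] = m.group(2).lower()
        elif (m := RESULT_RE.match(line)):
            results.append(EngineResult(*m.groups()))
    return results, hashes


def detection_summary(results):
    """(flagged count, engine count, {engine: verdict} for the flagged ones)."""
    flagged = {r.engine: r.result for r in results
               if r.result.lower() != "no virus found"}
    return len(flagged), len(results), flagged


def hashes_match(data, reported):
    """True only if every hash the report lists matches the local copy."""
    local = {"MD5": hashlib.md5(data).hexdigest(),
             "SHA1": hashlib.sha1(data).hexdigest()}
    return bool(reported) and all(local[k] == v for k, v in reported.items())
```

A 0-of-N result with matching hashes supports the false-positive reading; a hash mismatch means the file you analysed is not the one the scanner quarantined, and the report says nothing about that file.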
 

Guest

Hello Dave.

A false positive is my suspicion too, after some investigation. Thank you
for your help.

Best regards
 

David H. Lipman

From: "toadhall31" <[email protected]>

|
| Hello Dave.
|
| A false positive is my suspicion too, after some investigation. Thank you
| for your help.
|
| Best regards

YW.
Remember the note on the Virus News Groups for future reference { and I hope you will NOT
need them :) }
 
