Spyware, Viruses, & Security forum

General discussion

Multiple virus warnings in the past week

by Pickums1283 / July 24, 2008 4:48 PM PDT

I don't know what is going on with my computer lately, but since last Friday, I have been having nonstop virus warnings. Background info:

Windows XP under a limited account
Avira free Home Edition is my antivirus program
I use either Firefox (with AdBlock plus and Noscript) or Opera for a browser
I regularly run scans with Superantispyware Free Edition, Spybot Search & Destroy, Blacklight Rootkit Eliminator and online scans with Ewido/AVG antispyware, Kaspersky, and Windows Live One Care. I have Spyware Blaster and Spyware guard installed as well.

The first problem I noticed was I know one day a couple weeks ago, I updated Firefox to 2.0.0.16 and one day last week, I came on and my computer actually downgraded it to 2.0.0.15, but was saying it was updating the software!

A couple days later, I got a virus warning from Avira. And then another (both from Firefox cache). And then a third (from Opera cache). I set heuristics on high so I expect a lot of false positives (FP), but for months now, I have not had any noticeable problem with viruses. All three of these were HEUR/HTML.malware, which I think are known for FP. Then while running an Ewido antispyware scan, 4 warnings came up in a matter of a minute span, all Trojans. The 4 trojans all come from under AOL files, which has been on my computer since 2006 and I have not even used AOL software in months, but I noticed each warning popping up from Avira as those files were being scanned through Ewido's spyware scanner. Two of the warnings were a TR/Agent.1524328, one was a TR/Agent.141672, and the last was a TR/Agent.1489328.

Since then, I have sent all of the files to be analyzed. The 3 HEURs came back false positives, but the 4 Trojans came back as malware. The malware was located in the following:

C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acsrollb.exe
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acslaeu.exe
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acscore.exe
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\EU\acslaeu.exe

It's weird because if you Google the above terms, a thread on Bit Defender's webpage states they are false positives.

The day I received the results of those viruses, I got 2 more warnings from Avira, another HEUR/HTML.malware (which came back as another False Positive) and a warning that a Firefox cache file contained recognition patterns of the SPR/Tool.eBlaster (riskware), which came back as malware. Today I got 4 more warnings- 2 were TR/StartPage.HMH (found in C:\Documents and Settings\User name\ Local Settings\Temp\nsv27.tmp\utility.dll), one was ANOTHER HEUR/HTML.malware (found in Firefox cache), and the fourth was TR/PSW.Lmir.UMK.1 [trojan] (found in Firefox cache). Results are not in yet on whether they are FP or malware.

I ran other scans and the results are:

Superantispyware- clean except for cookies
Spybot- clean except for cookies
Blacklight Rootkit- clean
Ewido- clean except for cookies
Malwarebytes Antimalware- clean
Kaspersky- clean

I try to think I have fairly good internet surfing habits- I only visit the same pages whenever I come (I know- not that they can't be hacked), I never download from unknown sources, I never open emails that I don't know the sender of, I don't go near porn. I have not been on any strange webpages or anything. I don't understand why all of a sudden, I am getting nonstop warnings from Avira. I tried getting help on their forum, but no one has been able to help me. I really don't want to resort to it, but I am about to just reformat the entire computer. The other thing is, I can't find any information on any of these viruses.

Also, is there any way to find out what web page the cache came from?

Unless you'll check the "history"
by Donna Buenaventura / July 25, 2008 12:48 AM PDT
>>>is there anyway to find out what web page the cache came from?

Unless you'll check the "history" using the browser. Since most of the stuff is in the temporary location, I wonder if after you clean-up the temporary files using CCleaner http://www.ccleaner.com ... Antivir antivirus will find anything else?

>>>C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acsrollb.exe
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acslaeu.exe
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\Suite\comps\acscore.exe
C:\Program Files\Common Files\AOL\Backup\ACS\Rollback\EU\acslaeu.exe

Since you are familiar with this software and you actually have had it since 2006, it's a false positive because you have heuristics set to high.
Add it to ignore if the scanner continues to detect it as malware and if they have not 'fixed' the detection after you've reported it to them.
You mention that you are not using it anymore, why not uninstall the AOL software? Not a fix but I thought since you are not using it anymore, might as well remove Happy
But if you prefer to keep, you need to configure Avira to ignore them until Avira fixed the issue?

Have you also tried lowering the heuristics setting (the default setting) to see if the scanner will continue to detect it?
Thanks for replying
by Pickums1283 / July 25, 2008 4:26 AM PDT

I do use CCleaner every few days to clear out all of my temp files, as well as ATF to clean up whatever, for some reason, CCleaner doesn't. After I clean all of the temp files out, usually the only thing Avira finds are the viruses now hiding in the System Restore, which I will just clear it after the detection.

I thought maybe those 4 AOL files were FP, but when I sent the files to Avira, as well as both the suspected trojans and SPR/tool.eBlaster that came out of Firefox cache, to be analysed, the analyses all came back as malware. The files are already in quarantine so I don't know if there is any way I could run them through another antivirus to test them. If something is malicious and put in quarantine, can anything still be detected in it?

I did actually just remove AOL off of my computer yesterday since, like you said and on top of the sudden virus detections, I no longer use it and figured there was no point in having it take up space, so I have been on cleaning up the huge mess it left behind. Wink

Thanks for your help!
Nikki

Nikki...
by Donna Buenaventura / July 25, 2008 5:45 AM PDT
In reply to: Thanks for replying

Yes, good idea to clear the restore point and then create a clean and new restore point.

>>>I thought maybe those 4 AOL files were FP, but when I sent the files to Avira, as well as both the suspected trojans and SPR/tool.eBlaster that came out of Firefox cache, to be analysed, the analyses all came back as malware. The files are already in quarantine so I don't know if there is any way I could run them through another antivirus to test them. If something is malicious and put in quarantine, can anything still be detected in it?
That depends on the other malware scanner:
1. If it's malicious to them
2. If their scanner is programmed to scan also other malware scanner's quarantine area. Example: Ad-aware sometimes will find the quarantine items by Spybot-S&D.

>>>I did actually just remove AOL off of my computer yesterday since, like you said and on top of the sudden virus detections, I no longer use it and figured there was no point in having it take up space, so I have been on cleaning up the huge mess it left behind.
Happy

I also use ATF-Cleaner (in addition to Window Washer by Webroot) and it's another good one to clean the system from temp file.

Also using Karen's Cookie Viewer: http://www.karenware.com/powertools/ptcookie.asp because some cookies are undetectable by other 'cleaners' and Karen's Cookie Viewer is able to find and get rid of them.

I gave
by Pickums1283 / July 25, 2008 11:47 AM PDT
In reply to: Nikki...

Virus Total a try to see if any of their programs would detect any maliciousness, but everything came up clean. I also scanned quarantine with a few of my other programs and everything came up clean as well. I was starting to think of restoring the quarantined files to a floppy disk and scanning them from there, but I am not sure if that would be a smart move.

I ran a scan earlier and I was expecting about 4 warnings considering I haven't cleaned out system restore yet, but only one came up- in system restore of course- and it wasn't even any of the malware that should have been in system restore. It was another trojan, but one with a new and different name.

Is Window Washer like CCleaner and ATF? I'll also take a look at the Cookie Viewer program as well.

Thanks!

Only if you really need those files
by Donna Buenaventura / July 25, 2008 4:53 PM PDT
In reply to: I gave

The items in quarantine should stay there unless you really need those files. If it's unneeded files, even though false positive.. I would not restore it just for curiosity because you'll never know until it's 'in action'.
Also, if the said quarantined items are related to programs that you already remove (e.g. AOL software), it is no use to restore and test for scanning them.

Don't worry about the trojan in the System Restore as long as you will not restore to that restore point. Best is to delete those restore points and start a clean restore point.

Yes, Window Washer is like CCleaner, ATF-Cleaner but it's not freeware: http://www.webroot.com/En_US/consumer-products-windowwasher.html
The reason I like Window Washer is because it has other options that are not available in freeware cleaners (e.g. scheduled clean-up) but the freeware is good enough for users who don't need additional settings Happy

Yes, give Cookie Viewer a try. Let it scan the whole drive for cookies and you'll have the option to view what's on those cookies.

Good point
by Pickums1283 / July 26, 2008 11:42 AM PDT

Since none of the files are important, I'll leave them be. I'm gonna go clear out system restore as soon as I am done here.

I'll give that cookie scanner a try. Thanks for suggesting it and thanks a lot for your help Wink

Nikki

warnings
by erniebautistaii / July 26, 2008 1:35 PM PDT
In reply to: Good point

Good morning, just a new user on this forum. I would just like to ask what to do if several warnings appear as I scan with my Avira AntiVir.

Prior to that the usual WARNING to appear is only 2 warnings.. then now there are 174 warnings. But there is no virus detected. What should I do in order to get rid of those several warnings? Does this affect my comp system?

Thank you.

You're welcome
by Donna Buenaventura / July 26, 2008 1:35 PM PDT
In reply to: Good point

You are 'on it' and that's important Happy

what would I do?
by erniebautistaii / July 26, 2008 2:11 PM PDT

Good morning, just a new user on this forum. I would just like to ask what to do if several warnings appear as I scan with my Avira AntiVir.

Prior to that the usual WARNING to appear is only 2 warnings.. then now there are 174 warnings. But there is no virus detected. What should I do in order to get rid of those several warnings? Does this affect my comp system?

Thank you.

(NT) Please Start Your Own Thread (New Thread Button). :D
by tobeach / July 26, 2008 2:46 PM PDT
In reply to: what would I do?

I can not find the right page to ask a new question
by sham1313 / October 21, 2008 2:09 AM PDT

I have seen the place before where you can start a new question, but can not find it now. Will you help me find the right page?
Thank you, sham1313

Create a NEW thread.........
by Marianna Schmudlach / October 21, 2008 2:50 AM PDT
Thank you
by sham1313 / October 21, 2008 3:51 AM PDT

Next time I have a little free time I can ask my question. sham1313

(NT) Okiedokie :) You Are Very Welcome !
by Marianna Schmudlach / October 21, 2008 4:37 AM PDT
In reply to: Thank you

I am not sure that
by sham1313 / October 21, 2008 9:37 AM PDT

it was the place for my new question, because it says this is the Spyware, Viruses, & Security forum. I did click new thread and ask my question. So we'll see what happens. Thanks, sham1313
