How did I get this?

Discussion in 'Virus Information' started by t.cruise, Feb 23, 2005.

  1. t.cruise Guest

    I have a decent firewall, an antivirus program with updated definitions, and practice very
    safe Internet (Road Runner connection) surfing. I don't use a preview pane in Outlook
    Express, don't accept ActiveX from any site, and don't open email attachments unless
    I've looked at the source code in text first with my text only email monitor. I'd been
    using Ad-Aware SE, but switched to Xoftspy. Yesterday an XoftSpy drive scan found the
    W32.Coflop@mm worm on my system. It was not there two days earlier. When I read the
    details about the worm at SARC, it says that it's delivered by email. I hadn't opened any
    email attachments, or any HTML email with scripts. I am the only person who uses this
    system. My firewall is running fine. Would someone please give me an idea as to how this
    worm might have gotten on my system, and what sort of precautions I can take, other than
    those that I have already, to avoid more infections?
     
    t.cruise, Feb 23, 2005
    #1

  2. We can't tell you how you got it but you should NOT have switched. Ad-Aware is a known and
    well respected non-viral anti-malware application. XoftSpy is not, and it certainly isn't an
    anti-virus application.

    Chances are it is a False Positive.

    http://www.spywarewarrior.com/rogue_anti-spyware.htm#xos_note
    "XoftSpy was listed on this page because of concerns with false positives "

    Now my questions are --
    What file was declared as having the Coflop and was it deleted and what anti virus software
    are you using ?


    --
    Dave




    | I have a decent firewall, an antivirus program with updated definitions, and practice very
    | safe Internet (Road Runner connection) surfing. I don't use a preview pane in Outlook
    | Express, don't accept ActiveX from any site, and don't open email attachments unless
    | I've looked at the source code in text first with my text only email monitor. I'd been
    | using Ad-Aware SE, but switched to Xoftspy. Yesterday an XoftSpy drive scan found the
    | W32.Coflop@mm worm on my system. It was not there two days earlier. When I read the
    | details about the worm at SARC, it says that it's delivered by email. I hadn't opened any
    | email attachments, or any HTML email with scripts. I am the only person who uses this
    | system. My firewall is running fine. Would someone please give me an idea as to how this
    | worm might have gotten on my system, and what sort of precautions I can take, other than
    | those that I have already, to avoid more infections?
    | --
    |
    | T.C.
    | t__cruise@[NoSpam]hotmail.com
    | Remove [NoSpam] to reply
    |
    |
    |
     
    David H. Lipman, Feb 23, 2005
    #2

  3. Bigbruva Guest

    I don't have any experience with XoftSpy but I am curious as to why your
    anti-spyware scanner found a mass-mailing worm but your AV app didn't!

    Did you see any of the behaviors of this worm on your machine or did you
    only see the notification from Xoftspy?
    This could have been a false positive.

    BB
     
    Bigbruva, Feb 23, 2005
    #3
  4. t.cruise Guest

    None of the registry entries which the worm should have caused were there. But I am
    curious as to why the file:

    C:\Windows\ST6UNST.EXE

    has a modified date of 2/19/05. Would a worm/virus have modified that file? If so,
    without doing an sfc/scannow, or a repair install, can I replace that file with the
    original one from the Windows XP CD using the MSCONFIG Expand File utility? If so where
    on the CD is it located?

    BTW, I was also curious as to why my antivirus program didn't catch it. I do know that
    all antivirus programs are not 100 % effective in catching all viruses/worms. On another
    system XoftSpy found 64 viruses/trojans/worms/spyware/malware, which had been missed by
    Norton and Ad-Aware SE. They were NOT false positives. That system was exhibiting
    symptoms, and when it was cleaned with XoftSpy the system ran fine again.

    T.C.


     
    t.cruise, Feb 23, 2005
    #4
  5. Please submit 'ST6UNST.EXE' to VirusTotal --
    http://www.virustotal.com/flash/index_en.html
    The submission will then be tested against several different AV vendors' scanners.

    Another way to submit is to send the suspect file to the following email address
    scan<at>virustotal.com
    { replace <at> with @ } with only the word SCAN as the subject.

    Please post back the EXACT results.


    --
    Dave




    | None of the registry entries which the worm should have caused were there. But I am
    | curious as to why the file:
    |
    | C:\Windows\ST6UNST.EXE
    |
    | has a modified date of 2/19/05. Would a worm/virus have modified that file? If so,
    | without doing an sfc/scannow, or a repair install, can I replace that file with the
    | original one from the Windows XP CD using the MSCONFIG Expand File utility? If so where
    | on the CD is it located?
    |
    | BTW, I was also curious as to why my antivirus program didn't catch it. I do know that
    | all antivirus programs are not 100 % effective in catching all viruses/worms. On another
    | system XoftSpy found 64 viruses/trojans/worms/spyware/malware, which had been missed by
    | Norton and Ad-Aware SE. They were NOT false positives. That system was exhibiting
    | symptoms, and when it was cleaned with XoftSpy the system ran fine again.
    |
    | T.C.
    |
    |
    | > I don't have any experience with XoftSpy but I am curious as to why your
    | > anti-spyware scanner found a mass-mailing worm but your AV app didn't!
    | >
    | > Did you see any of the behaviors of this worm on your machine or did you
    | > only see the notification from Xoftspy?
    | > This could have been a false positive.
    | >
    | > BB
     
    David H. Lipman, Feb 23, 2005
    #5
  6. t.cruise Guest

    I am aware that XoftSpy is NOT an antivirus program. I mentioned that I have an antivirus
    program (AVG), a firewall (Zone Alarm), AND Xoftspy (for spyware/malware/etc.)

    Here's the portion of the XoftSpy log that's pertinent:

    <ScanningRegValuesChanged>
    </ScanningRegValuesChanged>
    <FILE PATH = "W32.Coflop@mm C:\WINDOWS\System32\SOL.EXE"/>
    <FILE PATH = "C:\WINDOWS\System32\SOL.EXE"/>
    </Scanning>

    <Information Message = "Starting to Quarantine 1 Items"/>
    <Quarantines>
    <QTFILE PATH = "C:\Program Files\XoftSpy\Quarantine\Quarantine23-02-2005-00-59-01.xpy" />
    <INFO ACTION = "Added"/>
    <INFO TIME = "23-02-2005-00-59-01"/>
    <QInformation Message = "Quarantining File W32.Coflop@mm - C:\WINDOWS\System32\SOL.EXE"/>
    </Quarantines>
    <QInformation Message = "Quarantining File REG BACKUP -
    C:\DOCUME~1\Tom\LOCALS~1\Temp\regbackup.reg"/>
    <Removal>
    <SW NAME = "W32.Coflop@mm ">
    <FILE NAME = "C:\WINDOWS\System32\SOL.EXE"/>
    <FILE RES = "C:\WINDOWS\System32\SOL.EXE Successfully ReMoved"/>
    </SW>
    </Removal>
    </Session>

    T.C.


     
    t.cruise, Feb 23, 2005
    #6
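    The log fragment above records three separate events for one file: the detection, the quarantine copy and the removal. The script below, an added example that is not part of the thread or of XoftSpy, correlates those records from a log in this shape and flags removals under the Windows directory as needing a second opinion before the verdict is trusted. The XoftSpy fragment is not well-formed XML (unbalanced tags, spaces around `=`), so the extractor uses regular expressions rather than an XML parser. The sample log is a constructed copy of the fragment posted in this thread; the function names and the "Windows directory" heuristic are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample: a copy of the XoftSpy session fragment quoted in the thread.
# It is not well-formed XML, so it is parsed with regular expressions below.
SAMPLE_LOG = r'''
<FILE PATH = "W32.Coflop@mm C:\WINDOWS\System32\SOL.EXE"/>
<FILE PATH = "C:\WINDOWS\System32\SOL.EXE"/>
</Scanning>
<Information Message = "Starting to Quarantine 1 Items"/>
<Quarantines>
<QTFILE PATH = "C:\Program Files\XoftSpy\Quarantine\Quarantine23-02-2005-00-59-01.xpy" />
<QInformation Message = "Quarantining File W32.Coflop@mm - C:\WINDOWS\System32\SOL.EXE"/>
</Quarantines>
<QInformation Message = "Quarantining File REG BACKUP -
C:\DOCUME~1\Tom\LOCALS~1\Temp\regbackup.reg"/>
<Removal>
<SW NAME = "W32.Coflop@mm ">
<FILE NAME = "C:\WINDOWS\System32\SOL.EXE"/>
<FILE RES = "C:\WINDOWS\System32\SOL.EXE Successfully ReMoved"/>
</SW>
</Removal>
'''

# A detection is an <SW NAME = "..."> element followed by the <FILE NAME = "..."/> it refers to.
DETECTION_RE = re.compile(r'<SW NAME = "([^"]+)">\s*<FILE NAME = "([^"]+)"/>')
# Quarantine messages look like 'Quarantining File <detection name> - <path>'.
# The "REG BACKUP -" message has no " - " separator on one line and is therefore skipped.
QUARANTINE_RE = re.compile(r'Quarantining File ([^"]+?) - ([^"]+)"')
# Removal results look like '<path> Successfully ReMoved'.
REMOVED_RE = re.compile(r'<FILE RES = "([^"]+?) Successfully ReMoved"')

# Heuristic (this example's assumption, not a XoftSpy rule): anything removed from under
# the Windows directory deserves a second scanner's opinion, because a false positive
# there deletes an operating-system component.
WINDOWS_DIR_PREFIX = "c:\\windows\\"


def parse_detections(log: str) -> List[Dict[str, object]]:
    """Correlate detection, quarantine and removal records of one session by file path."""
    quarantined = {path.lower() for _name, path in QUARANTINE_RE.findall(log)}
    removed = {path.lower() for path in REMOVED_RE.findall(log)}
    detections = []
    for name, path in DETECTION_RE.findall(log):
        lowered = path.lower()
        detections.append({
            "name": name.strip(),          # the log carries a trailing space in the name
            "path": path,
            "quarantined": lowered in quarantined,
            "removed": lowered in removed,
            "in_windows_dir": lowered.startswith(WINDOWS_DIR_PREFIX),
        })
    return detections


def triage(log: str) -> List[str]:
    """One human-readable line per detection: final state plus a verification note."""
    lines = []
    for d in parse_detections(log):
        if d["removed"]:
            state = "removed"
        elif d["quarantined"]:
            state = "quarantined"
        else:
            state = "reported only"
        note = ""
        if d["in_windows_dir"]:
            note = " -- OS path, verify with a second scanner before trusting the verdict"
        lines.append(f'{d["name"]}: {d["path"]} ({state}){note}')
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

    Run stand-alone, the script reports the single detection, its path under System32, that it was both quarantined and removed, and that the path warrants verification; the quarantine file name recorded in the log is what you would restore from if the second opinion disagrees.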
  7. t.cruise Guest

    Server response

    --------------------------------------------------------------------------------

    Results of a file scan
    This is the report of the scanning done over "ST6UNST.EXE" file that VirusTotal processed
    on 02/23/2005 at 23:46:07 (CET).
    Antivirus Version Update Result
    AntiVir 6.29.0.16 02.23.2005 no virus found
    AVG 718 02.22.2005 no virus found
    BitDefender 7.0 02.23.2005 no virus found
    ClamAV devel-20050130 02.22.2005 no virus found
    DrWeb 4.32b 02.23.2005 no virus found
    eTrust-Iris 7.1.194.0 02.23.2005 no virus found
    eTrust-Vet 11.7.0.0 02.23.2005 no virus found
    Fortinet 2.51 02.23.2005 no virus found
    F-Prot 3.16a 02.23.2005 no virus found
    Ikarus 2.32 02.23.2005 no virus found
    Kaspersky 4.0.2.24 02.23.2005 no virus found
    NOD32v2 1.1007 02.23.2005 no virus found
    Norman 5.70.10 02.22.2005 no virus found
    Panda 8.02.00 02.23.2005 no virus found
    Sybari 7.5.1314 02.23.2005 no virus found
    Symantec 8.0 02.23.2005 no virus found


    It's still strange to me that the file had been modified on the 19th of this month. Thank
    you for the link...

    T.C.
     
    t.cruise, Feb 23, 2005
    #7
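    A multi-engine report like the one above is the standard way to settle a single scanner's verdict, and the file's hashes and modification time are the two facts worth recording before anything is quarantined or replaced. The script below is an added example, not part of the thread or of the VirusTotal service: it parses a report in the plain-text layout posted above into per-engine rows, returns a hit count, and fingerprints a file (MD5, SHA-256, size, modification time in UTC). The first sample is a constructed copy of the report posted in this thread; the second, with an engine that flags the file, is entirely made up to exercise the detection branch. Function names and the row layout assumption are this example's own.

```python
import hashlib
import os
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed copy of the VirusTotal report posted in the thread (layout of the 2005 service).
SAMPLE_REPORT = """\
Antivirus Version Update Result
AntiVir 6.29.0.16 02.23.2005 no virus found
AVG 718 02.22.2005 no virus found
BitDefender 7.0 02.23.2005 no virus found
ClamAV devel-20050130 02.22.2005 no virus found
DrWeb 4.32b 02.23.2005 no virus found
eTrust-Iris 7.1.194.0 02.23.2005 no virus found
eTrust-Vet 11.7.0.0 02.23.2005 no virus found
Fortinet 2.51 02.23.2005 no virus found
F-Prot 3.16a 02.23.2005 no virus found
Ikarus 2.32 02.23.2005 no virus found
Kaspersky 4.0.2.24 02.23.2005 no virus found
NOD32v2 1.1007 02.23.2005 no virus found
Norman 5.70.10 02.22.2005 no virus found
Panda 8.02.00 02.23.2005 no virus found
Sybari 7.5.1314 02.23.2005 no virus found
Symantec 8.0 02.23.2005 no virus found
"""

# Made-up report (engine names and detection name are placeholders, not real results)
# so that the detection branch of verdict() is exercised.
CONSTRUCTED_MIXED_REPORT = """\
Antivirus Version Update Result
EngineA 1.0 02.23.2005 no virus found
EngineB 2.0 02.23.2005 Example.Detection.Name
EngineC 3.0 02.22.2005 no virus found
"""

# One row: engine, version, update date (MM.DD.YYYY), then the free-text result.
# The header line fails the date pattern and is skipped automatically.
ROW_RE = re.compile(r"^(\S+) (\S+) (\d{2}\.\d{2}\.\d{4}) (.+)$")


def parse_report(text: str) -> List[Dict[str, object]]:
    """Turn the plain-text report into one dict per engine."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, blank line or page residue
        engine, version, updated, result = m.groups()
        rows.append({
            "engine": engine,
            "version": version,
            "updated": updated,
            "result": result.strip(),
            "clean": result.strip().lower() == "no virus found",
        })
    return rows


def verdict(text: str) -> Tuple[int, int, List[str]]:
    """Return (engines that flagged the file, engines total, names of flagging engines)."""
    rows = parse_report(text)
    hits = [r["engine"] for r in rows if not r["clean"]]
    return len(hits), len(rows), hits


def fingerprint_bytes(data: bytes) -> Dict[str, str]:
    """Hashes and size of in-memory content; the values you would quote when asking for help."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": str(len(data)),
    }


def fingerprint_file(path: str) -> Dict[str, str]:
    """Hashes plus the modification timestamp, recorded before the file is touched."""
    with open(path, "rb") as fh:
        info = fingerprint_bytes(fh.read())
    mtime = os.path.getmtime(path)
    info["mtime_utc"] = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
    return info


if __name__ == "__main__":
    hits, total, names = verdict(SAMPLE_REPORT)
    print(f"{hits}/{total} engines flagged the file: {names}")
    hits, total, names = verdict(CONSTRUCTED_MIXED_REPORT)
    print(f"{hits}/{total} engines flagged the file: {names}")
```

    A zero-hit result across many up-to-date engines, as in the report above, is the strongest evidence a single-scanner verdict was a false positive; a modification time alone says nothing about maliciousness, which is why the fingerprint pairs it with hashes that can be compared against a known-good copy.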
  8. Stop using IE and OE and use Firefox and Thunderbird instead.
    Install SpywareBlaster, Spybot, Script Sentry, Script Defender to name a
    few. I have more listed on my site.
    -max
     
    What's in a Name?, Feb 23, 2005
    #8
  9. False Positive !

    Dump XoftSpy and get to know the following web site.

    http://www.spywarewarrior.com/rogue_anti-spyware.htm

    --
    Dave




    | Server response
    |
    | --------------------------------------------------------------------------------
    |
    | Results of a file scan
    | This is the report of the scanning done over "ST6UNST.EXE" file that VirusTotal processed
    | on 02/23/2005 at 23:46:07 (CET).
    | Antivirus Version Update Result
    | AntiVir 6.29.0.16 02.23.2005 no virus found
    | AVG 718 02.22.2005 no virus found
    | BitDefender 7.0 02.23.2005 no virus found
    | ClamAV devel-20050130 02.22.2005 no virus found
    | DrWeb 4.32b 02.23.2005 no virus found
    | eTrust-Iris 7.1.194.0 02.23.2005 no virus found
    | eTrust-Vet 11.7.0.0 02.23.2005 no virus found
    | Fortinet 2.51 02.23.2005 no virus found
    | F-Prot 3.16a 02.23.2005 no virus found
    | Ikarus 2.32 02.23.2005 no virus found
    | Kaspersky 4.0.2.24 02.23.2005 no virus found
    | NOD32v2 1.1007 02.23.2005 no virus found
    | Norman 5.70.10 02.22.2005 no virus found
    | Panda 8.02.00 02.23.2005 no virus found
    | Sybari 7.5.1314 02.23.2005 no virus found
    | Symantec 8.0 02.23.2005 no virus found
    |
    |
    | It's still strange to me that the file had been modified on the 19th of this month. Thank
    | you for the link...
    |
    | T.C.
    |
    |
    | --------------------------------------------------------------------------------
    |
    | www.virustotal.com :: @ Hispasec Sistemas 2004 :: e-mail
    | > Please submit 'ST6UNST.EXE' to VirusTotal --
    | > http://www.virustotal.com/flash/index_en.html
    | > The submission will then be tested against several different AV vendors' scanners.
    | >
    | > Another way to submit is to send the suspect file to the following email address
    | > scan<at>virustotal.com
    | > { replace <at> with @ } with only the word SCAN as the subject.
    | >
    | > Please post back the EXACT results.
    | >
    | >
    | > --
    | > Dave
    | >
    | >
    | >
    | >
    | > | None of the registry entries which the worm should have caused were there. But I am
    | > | curious as to why the file:
    | > |
    | > | C:\Windows\ST6UNST.EXE
    | > |
    | > | has a modified date of 2/19/05. Would a worm/virus have modified that file? If so,
    | > | without doing an sfc/scannow, or a repair install, can I replace that file with the
    | > | original one from the Windows XP CD using the MSCONFIG Expand File utility? If so where
    | > | on the CD is it located?
    | > |
    | > | BTW, I was also curious as to why my antivirus program didn't catch it. I do know that
    | > | all antivirus programs are not 100 % effective in catching all viruses/worms. On another
    | > | system XoftSpy found 64 viruses/trojans/worms/spyware/malware, which had been missed by
    | > | Norton and Ad-Aware SE. They were NOT false positives. That system was exhibiting
    | > | symptoms, and when it was cleaned with XoftSpy the system ran fine again.
    | > |
    | > | T.C.
    | > |
    | > |
    | > | > I don't have any experience with XoftSpy but I am curious as to why your
    | > | > anti-spyware scanner found a mass-mailing worm but your AV app didn't!
    | > | >
    | > | > Did you see any of the behaviors of this worm on your machine or did you
    | > | > only see the notification from Xoftspy?
    | > | > This could have been a false positive.
    | > | >
    | > | > BB
    | >
    | >
    |
    |
     
    David H. Lipman, Feb 23, 2005
    #9
  10. Catamount Guest

    Hah... it quarantined Solitaire!

     
    Catamount, Feb 24, 2005
    #10
  11. SG Guest

    T.C.

    Have you uninstalled any apps on or after 2/19/05?
    ST6UNST.EXE is a Visual Basic application removal utility.

    All the best,
     
    SG, Feb 24, 2005
    #11
  12. t.cruise Guest

    When one does not have anything helpful to contribute, one should not respond.

    T.C.


     
    t.cruise, Feb 27, 2005
    #12
  13. | When one does not have anything helpful to contribute, one should not respond.
    |
    | T.C.
    |
    |
    | | Hah... it quarantined Solitaire!
    | |


    Depends on the POV. The post was not unhelpful.
     
    David H. Lipman, Feb 27, 2005
    #13