Tech Support Guy Forums > Security & Malware Removal > General Security
Question about confirming a virus infection
tomdkat (Distinguished Member with 5,571 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
27-Jun-2009, 08:02 PM #1
Question about confirming a virus infection
So, I'm helping a friend deal with a virus infection. Their system was infected with "Personal AntiVirus". During the process of dealing with this, I scanned the system using two different free anti-virus apps, AntiVir 9 and AVG 8.5. I had each installed at different times, so I installed one, scanned, then uninstalled and installed the other.

AntiVir detected an infection in a file called "mailswitch.ocx" that AVG 8.5 didn't detect. So, I uploaded the file to the "Jotti" and "Virus Total" online scanner sites to double check.

Attached are screenshots of the results. Given SO many anti-virus apps found the file to be infected, I didn't think AntiVir had detected a false positive.

So, I sent the file (along with the screenshots) to AVG support for further analysis. They replied that their analysis lab did NOT find an infection of any kind.

How do I determine which is right? According to the Jotti and Virus Total sites, NOD32, Kaspersky, and AVG all agree while AntiVir and several others all agree.

I DO know the online scanner sites are NOT intended to be definitive or 100% accurate.

Be forewarned, the attachments are rather large in size.

Thanks!

Peace...
Attached thumbnails: mailswitch.ocx Jotti malware scan (PNG); VirusTotal result for MD5 eab93bfafdda68eb766478f0787c43cf (Infostealer / Trojan.PSW.Agent.ani)
perfume (Senior Member with 1,609 posts; Join Date: Sep 2008; Location: An Alien, a misfit on Earth; Experience: Intermediate++)
27-Jun-2009, 09:04 PM #2
Dear tomdkat,
I think this is one of the best questions posted since I became a member! Keeping apart the Jotti and VirusTotal, did you find any abnormal behaviour in your friend's comp. to warrant a search for a virus? With due apologies to your experience and seniority, can you kindly go thru' this wiki article? Link: http://wiki.answers.com/Q/How_do_you...computer_virus
__________________
BE VERY CAUTIOUS OF ON-LINE INTERNET FINANCIAL DEALS! EVEN PAYPAL WANTS YOUR CREDIT CARD NUMBER.
Byteman (Moderator with 15,656 posts; Join Date: Jan 2002; Location: NY; Experience: Junkware Jouster)
27-Jun-2009, 09:07 PM #3
Hi,

The file mailswitch.ocx is not part of the Personal Antivirus rogue program.....but it most likely is some type of "badware"

I looked at about 15 posts around the Net about the same file (which of course may have a lot of variants, either benign or bad....)

Seems sometimes it is part of Trueswitch and it can...
Quote:
Creates c:\windows\MailSwitch.ocx
http://www.prevx.com/filenames/66550...Bn%5D.EXE.html

Or, Yahoo mail which uses trueswitch...

Our mainstay malware tool ComboFix detects it and deletes it (the bad version?? or all?? I am not sure...)

So does another terrific antimalware app>>> MalwareBytes Antimalware


So, I would suggest that if you did not use those two programs, to do so.

I'm not on my regular computer and I don't have my TechGuy canned replies handy, so refer to these pages for directions for ComboFix and MalwareBytes. Be sure to follow the directions about disabling the antivirus and other security apps before using CF.

MBAM:
http://www.bleepingcomputer.com/viru...onal-antivirus

_ _ _ _ _ _ _
ComboFix:
http://www.bleepingcomputer.com/comb...e-combofix#use



Let us know if you do run them what was found....just post the results or log here


I understand if you are not able to go and do these on the affected computer.....it's a suggestion and may turn up some things so I advise doing if possible.
__________________
Mung (computer term), the act of making several incremental changes to an item that combine to destroy it
Donate directly to help the site TSG Library
TSG's Welcome Guide- Tips, Rules, How to use TSG and more!
tomdkat (Distinguished Member with 5,571 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
27-Jun-2009, 09:13 PM #4
Quote: Originally Posted by perfume
Keeping apart the Jotti and VirusTotal, did you find any abnormal behaviour in your friend's comp. to warrant a search for a virus? With due apologies to your experience and seniority, can you kindly go thru' this wiki article? Link: http://wiki.answers.com/Q/How_do_you...computer_virus
Other than the "Personal Antivirus" popup which notified them of yet more bogus infections, the system was running just fine other than sluggish performance which I think is due to lack of RAM.

I was simply scanning the system to see what else was lurking, in addition to the "Personal Antivirus" infection.

Peace...
tomdkat (Distinguished Member with 5,571 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
27-Jun-2009, 09:20 PM #5
Quote: Originally Posted by Byteman (post #3 above, quoted in full)
Thanks for the info. I have already used MalwareBytes to remove the "Personal Antivirus" infection. I realize ComboFix is NOT advised to be used unless under supervision so I have NOT run that since I'm not doing this under supervision.

My question wasn't to get info on the mailswitch.ocx file specifically or to seek help with the 'Personal Antivirus' infection, but rather to get info on how to *know* any given virus detection is a legit one.

If you read the threads here requesting help with malware removal, often times the Kaspersky online scanner is mentioned to scan the system in question. I presume, this particular scanner is mentioned because:
  • It's free
  • Kaspersky has a reputation for being reliable
Assuming Kaspersky and NOD32 can be "trusted", based on their reputations, I would think AntiVir detected a false positive and AVG was correct in not detecting anything. This is further supported by my submitting the actual file to AVG's support for their analysis (whatever that entails). However, I'm also wondering if AntiVir has detected something NOD32 and Kaspersky have missed. Or does the analysis done by AVG on this single file support Kaspersky and NOD32 not detecting anything at the Jotti and Virus Total sites?

So, other than using faith, how can we know that any given detection is an actual infection?

Peace...
tomdkat (Distinguished Member with 5,571 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
27-Jun-2009, 09:22 PM #6
Quote: Originally Posted by Byteman (the ComboFix and MalwareBytes suggestion from post #3 above)
Since I'm not really requesting assistance, I don't want to waste your time since it would be better spent helping those in the malware removal forum. However, if you want me to post the MalwareBytes and ComboFix logs anyway, I most certainly can do that.

Peace...
Byteman (Moderator with 15,656 posts; Join Date: Jan 2002; Location: NY; Experience: Junkware Jouster)
27-Jun-2009, 09:46 PM #7
Tom,


Don't worry, I fully comprehend that you were not asking for direct help with removing Personal AV- I have seen and read a lot of your posts so I know your level.....

It was a suggestion, and that is all, and to show you that other tools also detect that file.

We can never and I do not think ever shall be able to rely on just one scan or even a site like Jotti to decide with really great accuracy.....anything.

That is why we often use quite a few tools, we are experienced with some not finding this or that.

In the Google search results of threads at good malware forums..... I saw that in posts from 2008 and earlier this year, some programs that did detect it in your scan did not back a ways...so, it appears either the file was not infected or the detection was added after that time period....

The scanner engines that did find it may be signature based, and are looking for the file name, or heuristic and looking at the file capabilities.....

That is usually the "why" of we see this or that program or scanner finding or not any given malware in a file.

As for how you can "know" a file is malware- it's always chancy so the best way to proceed if given an option is to always "Quarantine" rather than immediately delete. (All tools are not equal---some can be "set" to have "Delete" as the first thing the program does to what it detects- something that is quite wrong to have I think) ComboFix backs up what it finds....even though it says it is Deleted it does save a copy which can be reinstated.

Then- proceed to investigate. The suspects can be left quarantined as long as kids etc don't have access and the owner operator understands what files placed in Quarantine are so they are not let loose....if you want to take your chances Delete the files.

Even the best of the security programs make mistakes....the mistakes happen once in a while as false positives, as you know.

You only need the set of directions I gave you a link to to use ComboFix, but if you prefer not to, then don't.

What we mean by "with supervision" is basically that we see the version of Windows etc and that you have the full correct set of directions, that's all. And, if there is a glitch, we would have the steps to hopefully get any fixed for you....
__________________
Mung (computer term), the act of making several incremental changes to an item that combine to destroy it
Donate directly to help the site TSG Library
TSG's Welcome Guide- Tips, Rules, How to use TSG and more!

Last edited by Byteman : 27-Jun-2009 09:52 PM.
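Byteman's point that engines disagree partly because some match a specific signature while others fire on a heuristic, and tomdkat's question of how to weigh a split verdict, can be turned into a small triage routine. This is an added example and not code from the thread, from Jotti, or from VirusTotal: the per-engine verdicts are constructed sample data modelled on the split the thread describes, the engine names EngineD/EngineE/EngineF are placeholders, and the set of "trusted" engines is an assumption taken from tomdkat's own reasoning rather than a measurement. The digest helper reflects the fact that the online scanners key their results by file hash (the VirusTotal attachment is named by MD5), so the local file's hash should match the uploaded one before a cached result is relied on.

```python
"""Triage a multi-engine scan result: consensus, signature vs heuristic, trusted engines.

Added example (not from the thread or from any scanner site). Sample verdicts
and engine weights are constructed; the TRUSTED set is an assumption.
"""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Tokens that name a detection's category rather than its family; dropped when
# comparing what different engines called the same file.
NOISE = {"tr", "trojan", "win32", "w32", "virus", "mal", "malware", "heur", "generic", "gen"}
# Markers of a heuristic/generic rule rather than a specific signature.
GENERIC = re.compile(r"heur|generic|\bgen\b|suspicious|packed", re.I)
# Engines treated as high-reputation, following the thread's reasoning (assumption).
TRUSTED = {"Kaspersky", "NOD32", "AVG"}


@dataclass
class Verdict:
    engine: str
    detection: Optional[str]  # None means the engine reported the file clean


# Constructed sample mirroring the thread's split; not the real screenshots.
SAMPLE: List[Verdict] = [
    Verdict("AntiVir", "TR/PSW.Agent.ani"),
    Verdict("Kaspersky", None),
    Verdict("NOD32", None),
    Verdict("AVG", None),
    Verdict("EngineD", "Heur.Suspicious.Generic"),  # placeholder engine, heuristic hit
    Verdict("EngineE", "Trojan.PSW.Agent"),         # placeholder engine, specific hit
    Verdict("EngineF", None),                       # placeholder engine, clean
]


def file_digests(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-256 of the file bytes. Online scanners key results by hash,
    so confirm the local file's hash matches the uploaded one."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def family_of(detection: str) -> str:
    """Normalise 'TR/PSW.Agent.ani' and 'Trojan.PSW.Agent' to the same family key."""
    tokens = [t for t in re.split(r"[^a-z0-9]+", detection.lower()) if t]
    core = [t for t in tokens if t not in NOISE]
    return ".".join(core[:2]) if core else "unknown"


def triage(verdicts: List[Verdict]) -> Dict[str, object]:
    """Decide between clean / likely false positive / conflict / likely malicious.

    A conflict (specific signatures from some engines, trusted engines clean) is
    the thread's situation: quarantine rather than delete, and submit to a vendor."""
    flagged = [v for v in verdicts if v.detection]
    specific = [v for v in flagged if not GENERIC.search(v.detection)]
    families = Counter(family_of(v.detection) for v in specific)
    top_family, agreeing = families.most_common(1)[0] if families else ("none", 0)
    trusted_clean = sorted(v.engine for v in verdicts if not v.detection and v.engine in TRUSTED)
    trusted_flagged = sorted(v.engine for v in flagged if v.engine in TRUSTED)

    if not flagged:
        decision = "clean"
    elif not specific:
        decision = "likely_false_positive"   # only heuristic/generic rules fired
    elif trusted_flagged and agreeing >= 2:
        decision = "likely_malicious"        # corroborated family, trusted engine agrees
    elif trusted_clean:
        decision = "conflict"                # specific hits but trusted engines say clean
    else:
        decision = "needs_analysis"          # single uncorroborated specific hit

    return {
        "decision": decision,
        "flagged": len(flagged),
        "specific": len(specific),
        "top_family": top_family,
        "agreeing_engines": agreeing,
        "trusted_clean": trusted_clean,
        "trusted_flagged": trusted_flagged,
        "next_step": "quarantine, do not delete; submit the sample to a vendor lab"
        if decision in ("conflict", "needs_analysis") else "no further action",
    }


if __name__ == "__main__":
    print(file_digests(b"constructed file contents, not mailswitch.ocx"))
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The decision table is deliberately conservative: a heuristic-only hit is treated as weak evidence, and a specific signature that the reputable engines do not corroborate is flagged as a conflict to be quarantined and sent to a vendor, which is exactly the path tomdkat took with AVG's lab.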
tomdkat (Distinguished Member with 5,571 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
27-Jun-2009, 09:49 PM #8
Thanks for the great info!

EDIT: I'll run ComboFix in a bit and will post the log later.

Peace...
Elvandil (Moderator with 40,618 posts; Join Date: Aug 2003; Location: Vermont)
27-Jun-2009, 10:30 PM #9
Some of the results may depend on heuristics. But behavior alone is not a definitive test for an infection. I would certainly take the AVG labs results as accurate, though there is at times also a matter of opinion involved about whether something even qualifies as a threat.

Right now I have over 50 files/programs on my machine that are consistently identified as either viruses or at least threats. Some are things I have used through many operating systems and I know they are not what these things seem to think they are. But they must contain at least some small length of the virus' DNA to make them falsely accused so often. Luckily, Avira (unlike AVG) lets me exempt those from punishment very easily.
__________________
Microsoft MVP
Windows Shell/User
tomdkat (Distinguished Member with 5,571 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
27-Jun-2009, 10:46 PM #10
Quote: Originally Posted by Elvandil
Luckily, Avira (unlike AVG) lets me exempt those from punishment very easily.
Are you saying AVG doesn't support exclusions from scanning? I believe it does.

Peace...
Elvandil (Moderator with 40,618 posts; Join Date: Aug 2003; Location: Vermont)
27-Jun-2009, 11:48 PM #11
Quote: Originally Posted by tomdkat
Are you saying AVG doesn't support exclusions from scanning? I believe it does.
Yes, it does, but it is not easy. It needs to be configured in multiple places and a reboot is required. The Avira has the option on the warning popup (with a further warning not to use it too sparingly) and no reboot is needed.
tomdkat (Distinguished Member with 5,571 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
28-Jun-2009, 11:12 AM #12
Yep, you're right and I wasn't aware of that until you mentioned it. Of all the times I've scanned systems using AVG, I have never had a situation where I wanted to exclude something from being scanned. Strange.

Peace...
RootbeaR (Distinguished Member with 4,606 posts; Join Date: Dec 2006; Location: Ontario, Canada; Experience: Getting it)
28-Jun-2009, 06:20 PM #13
Nixie’s Linux Haxor Quickie: How to Cure a Windows Virus with Linux


One of the more popular Linux anti-virus tools is ClamAV. But to most users (especially new users) ClamAV is a bit challenging to use. That is where KlamAV comes in. KlamAV does an outstanding job of making ClamAV a user-friendly tool.
__________________
"The only stupid question is the one not asked." Me
Empowered by Linux
"Software is like sex; it’s better when it’s free." Linus Torvalds
tomdkat (Distinguished Member with 5,571 posts; Join Date: May 2006; Location: S.F. Bay Area, CA; Experience: Intermediate)
28-Jun-2009, 06:25 PM #14


Peace...
perfume (Senior Member with 1,609 posts; Join Date: Sep 2008; Location: An Alien, a misfit on Earth; Experience: Intermediate++)
28-Jun-2009, 06:32 PM #15
Quote: Originally Posted by tomdkat
Yep, you're right and I wasn't aware of that until you mentioned it. Of all the times I've scanned systems using AVG, I have never had a situation where I wanted to exclude something from being scanned. Strange.
Dear tomdkat,
If you exclude AVG from scanning for a particular virus/Trojan, the same should apply to other A-V engines. So, your original question still remains as to whether your friend's computer is infected or not. This is very important for all others too, because we will one day find ourselves in the same predicament as to whether it's a full virus code (and needs to be dealt with) or as Elvandil pointed out a small tag of a virus code!
__________________
BE VERY CAUTIOUS OF ON-LINE INTERNET FINANCIAL DEALS! EVEN PAYPAL WANTS YOUR CREDIT CARD NUMBER.
techguy.org/838778
Copyright © 1996 - 2010 TechGuy, Inc. All rights reserved.