
Installed Avira AntiVir and it found trojans

Discussion in 'Malware and Virus Removal Archive' started by Ann, 2008/06/17.

  1. Ann (Well-Known Member, Thread Starter), 2008/06/17
    Hi,

    I had been using AOL Active shield but I decided to try Avira Antivir. Boy was I sorry. Got the following reports:

    C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\MC561403.CAB
    [0] Archive type: CAB (Microsoft)
    --> J0234687.GIF
    [DETECTION] Is the Trojan horse TR/BHO.ecl
    [WARNING] The file was ignored!
    virusscan.jotti.org results - AntiVir found TR/BHO.ecl


    C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0234687.GIF
    [DETECTION] Is the Trojan horse TR/BHO.ecl
    [WARNING] The file was ignored!

    Begin scan in 'K:\'
    K:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-K\EnterWW.cab
    [0] Archive type: CAB (Microsoft)
    --> J0234687.GIF
    [DETECTION] Is the Trojan horse TR/BHO.ecl
    [WARNING] The file was ignored!

    K:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0234687.GIF
    [DETECTION] Is the Trojan horse TR/BHO.ecl
    [WARNING] The file was ignored!

    The following is an old hard drive removed from my Windows 98 computer.
    Begin scan in 'W:\' <DISK1PART01>
    W:\CABREST.BAT
    [DETECTION] Contains suspicious code HEUR/Trojan.DIRKiller
    [NOTE] The fund was classified as suspicious.
    [WARNING] The file was ignored!

    There are four entries that are Microsoft Office related which I find strange indeed.

    I have always kept my antivirus program updated and scan weekly or more. Any help will be appreciated.
     
    Ann
  2. noahdfear (Inactive), 2008/06/17
    Hi Ann,

    Sure looks like false positives to me. The Office detections are actually all one file: J0234687.GIF
    I find it difficult to believe also. ;)
    The bat file might be interesting. Care to right-click it and select Edit to see what it contains? :p
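    Added example (not code from this thread, from Avira or from Jotti): a small script that makes the reasoning above checkable. The two Office hits per drive point at one file, J0234687.GIF, once inside an MSOCache .cab and once installed under MEDIA\CAGCAT10. If both copies hash the same, the scanner matched the same bytes twice and one submission of that file answers for both. A well-formed GIF header and trailer do not prove a file harmless, but they do rule out the common trick of an executable renamed to .gif. SAMPLE_GIF is a 1x1 image constructed here, not the thread's file; the paths on the command line are whatever you pass.

```python
"""Check whether copies of a flagged file are the same bytes and whether a
file named .GIF actually starts (and ends) like a GIF.

Added example, not code from the forum post, from Avira or from Jotti.
SAMPLE_GIF is constructed here for the self-test; it is not J0234687.GIF.
"""
import hashlib
import sys

# Constructed 1x1 GIF89a with a 2-entry global colour table (not the thread's file).
SAMPLE_GIF = (b"GIF89a" + b"\x01\x00\x01\x00" + b"\x80\x00\x00"   # header + logical screen
              + b"\x00\x00\x00\xff\xff\xff"                         # global colour table
              + b"\x21\xf9\x04\x01\x00\x00\x00\x00"                 # graphic control extension
              + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"         # image descriptor
              + b"\x02\x02\x44\x01\x00"                             # LZW data
              + b"\x3b")                                            # trailer


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gif_info(data: bytes) -> dict:
    """Parse the GIF header block; raise ValueError if the bytes are not a GIF."""
    if len(data) < 14 or data[:3] != b"GIF" or data[3:6] not in (b"87a", b"89a"):
        raise ValueError("no GIF87a/GIF89a signature")
    if data[-1] != 0x3B:
        raise ValueError("no GIF trailer (0x3B) at end of file")
    packed = data[10]                      # flags byte of the logical screen descriptor
    has_gct = bool(packed & 0x80)
    return {
        "version": data[3:6].decode("ascii"),
        "width": int.from_bytes(data[6:8], "little"),
        "height": int.from_bytes(data[8:10], "little"),
        "global_color_table_entries": 2 ** ((packed & 0x07) + 1) if has_gct else 0,
        "sha256": sha256_hex(data),
    }


def is_gif(data: bytes) -> bool:
    try:
        gif_info(data)
        return True
    except ValueError:
        return False


def looks_like_executable(data: bytes) -> bool:
    """MZ (DOS/PE) or ELF magic at offset 0: a renamed binary, whatever the extension."""
    return data[:2] == b"MZ" or data[:4] == b"\x7fELF"


def same_bytes(a: bytes, b: bytes) -> bool:
    return len(a) == len(b) and sha256_hex(a) == sha256_hex(b)


def compare_copies(paths):
    """Return {path: sha256} for the given files and whether every copy is identical."""
    hashes = {}
    for p in paths:
        with open(p, "rb") as f:
            hashes[p] = sha256_hex(f.read())
    return hashes, len(set(hashes.values())) == 1


if __name__ == "__main__":
    files = sys.argv[1:]
    if not files:
        print("sample:", gif_info(SAMPLE_GIF))
        sys.exit(0)
    hashes, identical = compare_copies(files)
    for p, h in hashes.items():
        with open(p, "rb") as f:
            data = f.read()
        verdict = "GIF" if is_gif(data) else ("EXECUTABLE" if looks_like_executable(data) else "unknown")
        print(f"{h}  {verdict:10s} {p}")
    print("all copies identical:", identical)
```

    To compare the installed copy with the one inside the cabinet on Windows, pull the file out of the .cab first with the built-in expand tool (expand MC561403.CAB -F:J0234687.GIF somedir), then pass both paths to the script. Identical hashes plus a clean GIF structure is what you would expect from the signature match being a false positive on image data rather than two separate infections.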
     


  4. Ann (Well-Known Member, Thread Starter), 2008/06/18
    Hi noahdfear,

    I certainly hope you are correct in assuming they are false positives. :cool:

    This is what the .bat file contains:

    cls
    @echo ***Registry Restore by RLS***
    @echo Revised 7/19/01a
    @echo.
    @echo This program will restore system.dat, user.dat, win.ini and
    @echo system.ini files from the backup CAB file you select.
    @echo It will create a C:\Windows\Temp3 directory and put the
    @echo extracted files there. If this directory already exists,
    @echo it will delete all files in it first.
    @echo.
    @echo ***Ctrl-C will stop the program at any time***
    @echo.
    @echo DO NOT RUN THIS WITH WINDOWS OPEN!
    @echo.
    @echo off
    REM %windir% is only set when running inside Windows; the registry hives
    REM (system.dat, user.dat) are in use there, so refuse and jump to the warning.
    if not "%windir% "==" " goto WINDIR
    choice /c:YQ Continue (Y) or quit (Q) ?...
    if errorlevel 2 goto quit
    smartdrv 8192 8192
    cls
    @echo Here are the files to choose from starting with most recent:
    @echo off
    DIR C:\WINDOWS.000\SYSBCKUP\*.cab /O:-D
    @echo For the "XY" in RB0XY.cab, find the matching letter. (Ctrl-C to quit)
    @echo 00 A 05 F 10 K
    @echo 01 B 06 G 11 L
    @echo 02 C 07 H 12 M
    @echo 03 D 08 I 13 N
    @echo 04 E 09 J 14 O
    choice /c:ABCDEFGHIJKLMNO Enter the letter for the "XY" you want.

    REM "if errorlevel N" is true for any exit code >= N, so these checks must
    REM stay in ascending order: the last one that matches sets num.
    if errorlevel 1 set num=00
    if errorlevel 2 set num=01
    if errorlevel 3 set num=02
    if errorlevel 4 set num=03
    if errorlevel 5 set num=04
    if errorlevel 6 set num=05
    if errorlevel 7 set num=06
    if errorlevel 8 set num=07
    if errorlevel 9 set num=08
    if errorlevel 10 set num=09
    if errorlevel 11 set num=10
    if errorlevel 12 set num=11
    if errorlevel 13 set num=12
    if errorlevel 14 set num=13
    if errorlevel 15 set num=14

    @echo off
    REM Stage the extracted copies in temp3, wiping any previous contents first.
    if not exist c:\windows.000\temp3 mkdir c:\windows.000\temp3
    deltree /y c:\windows.000\temp3\*.*
    extract /L c:\windows.000\temp3\ C:\WINDOWS.000\SYSBCKUP\rb0%num%.cab user.dat
    extract /L c:\windows.000\temp3\ C:\WINDOWS.000\SYSBCKUP\rb0%num%.cab system.dat
    extract /L c:\windows.000\temp3\ C:\WINDOWS.000\SYSBCKUP\rb0%num%.cab win.ini
    extract /L c:\windows.000\temp3\ C:\WINDOWS.000\SYSBCKUP\rb0%num%.cab system.ini
    @echo.
    choice /c:YQ Last chance - restore the extracted files (Y) or quit (Q)?...
    if errorlevel 2 goto quit
    cls
    @echo off
    REM Clear read-only/system/hidden on both the staged and the live hives,
    REM copy the staged ones over the live ones, then put the attributes back.
    attrib c:\windows.000\temp3\user.dat -r -s -h
    attrib c:\windows.000\temp3\system.dat -r -s -h
    attrib c:\windows.000\user.dat -r -s -h
    attrib c:\windows.000\system.dat -r -s -h
    copy c:\windows.000\temp3\user.dat c:\windows.000
    copy c:\windows.000\temp3\system.dat c:\windows.000
    attrib c:\windows.000\user.dat +r +s +h
    attrib c:\windows.000\system.dat +r +s +h
    copy c:\windows.000\temp3\system.ini c:\windows.000
    copy c:\windows.000\temp3\win.ini c:\windows.000

    @echo.
    @echo Files were successfully restored from RB0%num%.cab
    @echo Hit Ctrl-Alt-Delete to reboot.
    @echo.
    goto end
    :WINDIR
    @echo Oops! YOU have Windows open.
    @echo.
    @echo Files were not restored.
    @echo.
    goto end
    :quit
    @echo Files were not restored. Hit Ctrl-Alt-Delete to reboot or
    @echo enter 'cabrest' again to start over.
    @echo.
    :end
     
    Ann
  5. noahdfear (Inactive), 2008/06/18
    Indeed an interesting batch file. It's not malicious though. Won't hurt anything to remove it, and AVG won't howl about it anymore.

    I'd be more than happy to analyze that gif file if you want to upload it to my submission channel. Grab the one located at C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\J0234687.GIF
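    Added example (not code from this thread, from Avira, or from the script's author RLS): a static triage script that does systematically what the reply above suggests, namely open the .bat and read it. Every line that can touch the filesystem or run a program is classified, so a reviewer sees at a glance which commands delete, overwrite or change files and on which paths, and whether the deletions stay inside the script's own temp directory. The command lists and severity rules are this example's own assumptions; the thread does not say what HEUR/Trojan.DIRKiller actually keys on, and the guess that a wildcard deltree is what such a heuristic reacts to is just that, a guess. SAMPLE is an excerpt of the batch file posted above.

```python
"""Static triage of a DOS/Windows 9x batch file: what would it actually do?

Added example, not code from the forum post, from Avira or from the script's
author. Command lists and severity rules are assumptions made for this
example, not Avira's published heuristic logic.
"""
import re
import sys

DESTRUCTIVE = {"deltree", "del", "erase", "format", "fdisk", "rd", "rmdir"}
MODIFYING = {"copy", "xcopy", "move", "ren", "rename", "attrib", "extract"}
# Windows 9x registry hives and boot/config files: overwriting these matters.
SENSITIVE = ("system.dat", "user.dat", "win.ini", "system.ini", "autoexec.bat", "config.sys")
# Commands that only print, branch or set variables and never touch a file.
NOISE = {"", "echo", "rem", "cls", "goto", "pause", "set", "choice"}

# if [not] errorlevel N <cmd> | if [not] exist PATH <cmd> | if [not] "a"=="b" <cmd>
IF_RE = re.compile(
    r'(?i)^if\s+(not\s+)?'
    r'(errorlevel\s+\d+|exist\s+\S+|"[^"]*"=="[^"]*"|\S+==\S+)'
    r'\s+(.*)$')


def command_of(line: str):
    """Strip a leading '@', unwrap 'if [not] <cond> <cmd>' and return (cmd, args)."""
    line = line.strip()
    while line.startswith("@"):
        line = line[1:].lstrip()
    m = IF_RE.match(line)
    if m:                                   # the guarded command is what matters
        line = m.group(3).strip()
    parts = line.split()
    if not parts:
        return "", []
    cmd = parts[0].lower()
    if cmd.startswith("echo"):              # "echo." prints a blank line
        cmd = "echo"
    return cmd, parts[1:]


def triage_batch(text: str):
    """Return (line_no, severity, command, targets) for every line that can
    change the filesystem or run an external program."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        cmd, args = command_of(raw)
        if cmd in NOISE or cmd.startswith(":"):   # labels and message lines
            continue
        targets = [a for a in args if a[0] not in "/-+"]   # drop switches / attrib flags
        sensitive = any(t.lower().endswith(SENSITIVE) for t in targets)
        if cmd in DESTRUCTIVE:
            severity = "high"
        elif cmd in MODIFYING and sensitive:
            severity = "medium"
        else:
            severity = "low"
        findings.append((n, severity, cmd, targets))
    return findings


def delete_targets(findings):
    return [t for _, sev, _, targets in findings if sev == "high" for t in targets]


def deletes_outside(findings, allowed_root: str):
    """Deletion targets that are not under allowed_root (case-insensitive)."""
    root = allowed_root.lower().rstrip("\\") + "\\"
    return [t for t in delete_targets(findings) if not t.lower().startswith(root)]


def summarize(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, sev, _, _ in findings:
        counts[sev] += 1
    return counts


# Excerpt of the CABREST.BAT posted in the thread, used as sample input.
SAMPLE = r"""@echo off
if not "%windir% "==" " goto WINDIR
choice /c:YQ Continue (Y) or quit (Q) ?...
if errorlevel 2 goto quit
smartdrv 8192 8192
DIR C:\WINDOWS.000\SYSBCKUP\*.cab /O:-D
if not exist c:\windows.000\temp3 mkdir c:\windows.000\temp3
deltree /y c:\windows.000\temp3\*.*
extract /L c:\windows.000\temp3\ C:\WINDOWS.000\SYSBCKUP\rb0%num%.cab system.dat
attrib c:\windows.000\system.dat -r -s -h
copy c:\windows.000\temp3\system.dat c:\windows.000
attrib c:\windows.000\system.dat +r +s +h
:WINDIR
@echo Oops! YOU have Windows open.
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="cp437", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE
    found = triage_batch(text)
    for n, sev, cmd, targets in found:
        print(f"{n:3d} {sev:6s} {cmd:8s} {' '.join(targets)}")
    print("deletes outside temp dir:", deletes_outside(found, r"c:\windows.000\temp3"))
```

    On the posted script the only high-severity line is the deltree on c:\windows.000\temp3\*.*, which is the staging directory the script itself creates; everything else is copying backup hives over the live ones, which is exactly what a registry-restore tool is supposed to do. That is the shape of a benign destructive-looking script, and it is also the shape a generic "kills directories" heuristic has no way to distinguish from a bad one.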
     
  6. Ann (Well-Known Member, Thread Starter), 2008/06/18
    That is very good news, indeed. Thank you so much! I was able to delete it.


    I'll try to do that, but I do not know how to link from here to there. The site asks for a link.

    Ann

    File was submitted without having to link anything. Good Luck!
     
    Last edited: 2008/06/18
  7. noahdfear (Inactive), 2008/06/19
    File appears legitimate and uninfected.


    Kaspersky Anti-Virus Results: Nothing Detected

    Antivir Results: Nothing Detected

    Trend Micro Results: Nothing Detected

    Avast Results: Nothing Detected

    VBA32 Results: Nothing Detected

    AVG Results: Nothing Detected

    NOD32 Results: Nothing Detected
     
  8. Ann (Well-Known Member, Thread Starter), 2008/06/19
    THANKS! Could you tell me how your AntiVir came up clean while my AntiVir detects this as a trojan? I would like to know why the discrepancy, if possible. :confused:

    Once again, you have restored my peace of mind. :)

    Ann
     
  9. noahdfear (Inactive), 2008/06/19
    My scan was done with an online scanner that uses various databases, such as the ones listed in my post above. Oftentimes the resident database differs slightly from the online databases.
     
