Question regarding OSS Quarantine Log?

[spc3rd]

Good evening everyone,

For the past couple of days, I've noticed the OPSS Quarantine log has shown the 3 trojans shown in the attached screenshot. From what I can tell, these particular trojans seem...to be connected somehow with the two Star Defender games I have on my computer. (They were purchased and installed as a bundle package deal about 7 months ago, and I have not experienced any problems with either of them, warnings, etc).

The only "oddity" if it can be called that, is back when I still used just OPFW Pro & Avast AV (free) (before recently acquiring OPSS Pro), I would notice in one of the OPFW logs it would always have entries listed as "Keylogger", and the description listed as "Direct Input Technology." Those entries only corresponded with the time period when I would be playing the Star Defender games. At no other time did such entries appear.

My question: After looking at the attached screenshot, can someone tell me if there is a security problem here I need to address? I've searched on-line for trojans with the name given in the attached log, but have come up with absolutely nothing.

Thank you for your time and any help with this matter.

OSS - Quarantine Log.JPG

[Manny Carvalho]

Buzus and Kryptik are real trojans. It's possible that you have an infection and the AV section of OSS caught them. It's also possible that it's a false positive but always assume the worse and check it out.

I suggest that you do take further action by going to VirusTotal and upload those files and see what other scanners have to say about it: https://www.virustotal.com/

If they agree then delete the quarantined files and do a full scan of your machine and see if the infection is gone. It may not be and you'll need help cleaning your machine.

[spc3rd]

I appreciate the info Manny!

I'm sort of lost here though......how do upload the files you referenced to Virustotal? I've never done this sort of thing.

Thanks very much for any enlightenment!

[spc3rd]

Sorry I have to make this unnecessary SECOND post because of that 15 minute edit rule, but here it is.

I also note that the "Kryptic..." trojan is apparently associated with the .scr version of the DDS scanning program I just downloaded the other day from a link on the Bleeping Computer site. (I'd also downloaded the OTL & HJT programs as well. BTW...I've been accepted into the BC Malware Removal Training Program...as a Sophomore right now).

I have also gone ahead and uninstalled the Star Defender games...since I just don't know what to trust anymore!

To re-iterate my original last question...How do I upload those trojan files you referenced to Virustotal (and just where do I find them)?

Thanks very much for any additional help on this one!

[Manny Carvalho]

Bleeping Computer is a real nice site for helping with this and their training program is great. You'll learn a lot.

To upload a file tick the box to the left of the name, the first Buzus for example, to get detailed information. It should tell you where it is. If it doesn't [I'm working from memory here] then you can use the restore button just above the name to return it from quarantine to the original location. Then go to the VirusTotal site and upload the file from that location. Scan that file again via right clicking it to return it to quarantine until you figure out what it is.

As far as trusting programs. It is a little hard at times and mistakes do happen. It's like people; no matter how long you live, one can still be fooled. You get better with time but it's never perfect.

The best way around this is to always have a clean backup image of your machine. That way if anything happens you can within 15 minutes be clean with a restored system. Cleaning an infected system can be a real tedious task and can take days and maybe even weeks at a site like Bleeping Computer. And once cleaned it's often the case that things are broken and then needs fixing which at times leads to a clean install anyway. A backup image just avoids all that if its clean.

[spc3rd]

Thanks for the additional info Manny.

I'm not so sure this is going to work though. The "Buzus..." trojan, for example, was shown as being located in C:\System Volume Information... Yet, I can find nothing on the C drive by that name. The other trojan, "Kryptic..." is shown as being at C:\Documents and Settings\Administrator\My Documents\Downloads|dds.scr| stream| data0006. (This is the EXACT way it is shown in the "detailed description" section in the Quarantine Log.

I'm beginning to think it might be best to go ahead and remove everything from the Quarantine area; do another full malware scan, and go from there, depending upon whether or not any trojans are still showing up.

[spc3rd]

Update for you Manny,

I did go and restore that "Buzus..." trojan back to its original location. Even after doing so, I still could NOT find it in the location it was supposed to be so I could try getting Virustotal to scan it..

Next, I ran another full malware scan with OPSS. In addition to finding those same trojans all over again, I noticed many repeated entries in the log where the system could "not unpack this thing or that thing"; "access this thing or that thing"; etc, etc. Total number of malware found = 2. (The same trojans as before).

I have now removed the malware from the Quarantine area and ran a FULL scan with MBAM. Scan was clean.

I am now going to run another FULL malware scan with OPSS to see if it finds anything. Given the recurrence of the same two trojans and now all those other strange log entries showing up as the scan progressed...I am becoming more than just a "little" concerned here. Will post back with the results of this 2nd full malware scan with OPSS once it's finished.

Regards,

[Manny Carvalho]

The trojan in C:\System Volume Information... means that it's in a System Restore point. It's fine there as it's not a hazard unless you use the restore point. A valid strategy is just to wait until that point gets deleted. Just remember it's possible that you can reinfect yourself if you use System Restore. You can delete all the SR points if you want but there's no need to do so. It's not possible to extract files from SR points so you can't do what I suggested with the Buzus hit. The other one you should be able to do so.

It's good that MBAM didn't find anything but it's not enough and you should try to get further confirmation. MBAM isn't perfect either.

The notices about not being able not open objects are normal. Some compressed but mostly system files in use just can't be opened by AV -any of them - and those are just files that can't be scanned. It's perfectly normal like the scan below on my clean system. There's no reason for concern.

[spc3rd]

Hi again Manny!

I just finished running a "quick" scan with OPSS and no malware was found, nor did I see all those other strange entries I mentioned...and which you just reassured me about.

I ran a scan with SAS which only found a single cookie. You indicated I should try and get some
"additional confirmation." What would you suggest I do at this point in that regard? (I'm out of ideas).

Thanks very much again for all your help!

[Manny Carvalho]

You should run full scans of all your partitions but making sure that the system partition is fully scanned. I mean make sure it's selected for sure These things can hide so they need tracking down. Quick scans at this point may be misleading since they only scan the most susceptible area but infections can be elsewhere.

Make sure you reboot because these things can sometimes regenerate themselves. If you see nothing then it's likely that you were able to get clean. I hope so. There are times when it's that easy.

[spc3rd]

Thanks for the added info Manny!

When you say, "partitions"...do you mean I need to ensure I do a full scan of every drive I have? I only have a single hard drive (the C drive), and I have 3 removable USB flash drives I will use on occasion to back-up personal files/folders to.

Regards again!

[Manny Carvalho]

If you only have a single drive then I mean to fully scan that whole drive. If you think that the USB flash drives were involved in this then it won't hurt to scan them but it might not be necessary. It's up to you.

A partition is a separation in a hard drive that makes it look like there's another drive. For example, you could break up -partition - your hard drive in two and have it appear as if you have a C and D drive. Partitioning is useful for segregating files from one another. Below is what my two hard drives on this machine look like. It show how I like to separate things but I'm sorry for mentioning this as it doesn't pertain to your system.

[spc3rd]

I appreciate the clarification Manny!

I think I have a better understanding now. As for the 3 USB flash drives I have....I think I will go ahead and scan them...just to ensure I "cover all the bases", so-to-speak. Hopefully...I'll be one of the lucky few...as you referenced in post # 10! I'll post back after all the scans have been done (which will likely take a few hours at least).

Thanks very much again!

[spc3rd]

Greetings again!

Repeated full scans with OPSS, MBAM, and SAS have all been clean. I also presented this issue with one of the Site Admins at the BC site...since it appeared there was some connection to downloads I made from there. Being as "technically-uninclined" as I tend to be...I can't really explain things the way the aforementioned Site Admin at BC did. But, it seems that things were o.k. all along (maybe along the lines of that "false positive" reference you made before Manny).

In any case, everything seems to be doing o.k. for now. Many thanks again for all the help on this one!

Best regards!

[Manny Carvalho]

I'm glad to hear that. With all those scan results I would consider myself clean.

There's always a possibility of a false positive so it's best to check it out before actually deleting anything. Sometimes there's not much difference between malware and a normal program. They may exhibit the same behavior but the real difference is in their intent. One is out to do something for you the other against you. It's almost impossible for any anti-malware program to be 100% correct. Even the HIPS [anti-leak] functionality in OSS which is darn good can't always tell if something is evil or not. That's why it issues an alert and basically asks you to investigate further.

Good luck with the BC malware removal training program. Pretty soon you should be responding to questions like this rather than asking them.