Arrow5

MS Works. Another Trojan Found - KIS took care of it, but MS Work shortcut problem

Hello yet again.

Using KIS 2010 Win XP Serv Pack 3 Home Computer

I posted about a week or less ago, that Full scan found a trojan, KIS took care of it. All Green all is well.

Today upon routine Root Scan that goes automatically all fine this morning, but afternoon rootscan found a trojan - took care of it.

But - the file that came up was something to do with My MS works.

Screen shots below.

Computer rebooted, I ran full scan, a couple more pop ups came up with red detections, did recommended action of delete, - full scan finished -- all green.

When I try to use my MS Works - it cannot find the shortcut I guess. Says moved or something....Tries to look for it, but I stopped the search for it (with the flashlight icon that comes up when it tries to search), so I could post my question.

Is there anything I need to do?

Here's the line item I pasted on the detected action. (also a screenshot below)

The active threats is empty - (screenshot below)

3/26/2010 2:06:52 PM Deleted Trojan program Trojan.Win32.Agent.dqbn C:\Program Files\microsoft works\WksWP.exe High
post-132080-1269637470_thumb.png

So question is -- in order to use my MS Works - what do I do.

It's more than just the shortcut I think - When I try to open it - it's like it's not there.

Edited by Arrow5

Settings > Protection > uncheck Select action automatically > ok.

Then, Threats detected > Disinfected files > right click WksWP.exe > select Restore.

Then please send it to the Lab, instructions: http://forum.kaspersky.com/index.php?showtopic=13881

Ok - I'm a bit slow on understanding this, so please hang in there...

If I restore this disinfected file for this - won't my computer be compromised with this trojan?

And by unchecking the select action automatically in settings/protection - isn't "automatically" my default ? What happens with any virus/trojans that may come up, if that's no longer set to automatically.

When you say send this to the lab -- (and I'm kind of slow here on getting these instructions there's a couple of different ways to send it it seems from what I'm reading),

-- what am I sending to the lab? -

-- what do I do in the meantime with my computer? Can I still use it while this is going on?

Ackkkk!!! I'm so confused!

If you think that it may be a false positive, then please follow my instructions. This will accomplish the following: Restoring MS Works, and: Notifying the Lab, so detection can be emended.

After you send a copy of WksWP.exe to the Lab, by following the set of instructions that works best, then wait about 24 hours for the Lab to emend the detection. Then, you can revert to Automatic mode, as is best for most users. During the period that Automatic mode is withdrawn, Kaspersky will prompt you if there are any detections. Post back if that occurs, and if you need assistance with deciding.

I don't even know what a false positive is, let alone how to tell if this was one - ?

KIS detected The trojan win32.Agent.dqbn which appeared on the scan today, and I did the recommended delete.

By my sending it to the lab am I creating a help ticket that they will get back to me on?

Can I still use my computer, go online etc... while this file is restored?

Thanks & sorry for being thick-headed, but all of this unnerves me!

The detection appears to be false, that is, it is not malware, so all is safe. To be sure that it is not malware, please send it to the Lab. You do not need a support ticket. Note "possible false positive, Reply requested" when you send it to the Lab. If it is a false detection, the detection signatures will be emended by the Lab, this can take about 12 to 24 hours.

Ok. I'll do as instructed. How based on your statement above, do you know that the detection "appears" to be false, though.

If KIS detected it and treated it like a trojan. It also is listed in system restore - if you look at the detected threats tab - deleted log I posted.

Just curious.

Thank you again, as always for the fast support in this forum.

Additional question on doing this sorry.

In order to send to lab, do I have to restore it? Can this be done without the restore?

I notice another person with the same problem trojan, and you've mentioned to them to send it to the lab, but didn't mention restore, so I'm trying to figure all of this out.

-- At the moment I don't need MS Works to do things, for a few days anyway --

so does it need to be restored, in order to send it to the lab?

-- Also what about that other ones besides WksWP.exe that were in the detected tab & show deleted. (I've listed those below with the wkswp.exe one):

3/26/2010 2:06:52 PM Deleted Trojan program Trojan.Win32.Agent.dqbn C:\Program Files\microsoft works\WksWP.exe High

3/26/2010 2:28:56 PM Deleted Trojan program Trojan.Win32.Agent.dqbn C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP621\A0065398.exe High

3/26/2010 4:36:31 PM Deleted Trojan program Trojan.Win32.Agent.dqbn D:\I386\Apps\APP11984\src\MSWORKS\PFILES\MSWORKS\WKSWP.EXE High

Thank you!

So do I restore the other 2 or just the wkswp.exe one restore & send to lab?

And if I restore, isn't it going to keep coming up as trojan alert?

The second and third files quarantined are the same file in different locations. The Pfiles directory is an installation source directory for the works suite. The other location is created by Windows System Restore. Every time your computer starts up or a program is added a restore point is created and stored here. The filenames are altered but the A0065398.exe will be a compressed copy of WksWP.exe.

Your system will not be at risk from restoring the file to send it in to the labs as long as you are not running it as part of MS Works. As soon as you have sent it off, reverse this setting in KIS:

Settings > Protection > uncheck Select action automatically > ok.

If anything triggers the file it will be automatically quarantined again.
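
The three report rows posted in this thread share one verdict, and the reply above explains that two of them are stored copies of the same program. The following Python sketch is an added example, not part of the original thread or of any Kaspersky tool: it parses the posted rows and separates the live file from the restore-point and install-source copies. The space-separated row layout, the path rules in `classify`, and the function names are assumptions made for this example.

```python
import ntpath
import re
from collections import defaultdict

# The three report rows as posted in the thread (fields are space-separated).
REPORT = r"""
3/26/2010 2:06:52 PM Deleted Trojan program Trojan.Win32.Agent.dqbn C:\Program Files\microsoft works\WksWP.exe High
3/26/2010 2:28:56 PM Deleted Trojan program Trojan.Win32.Agent.dqbn C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP621\A0065398.exe High
3/26/2010 4:36:31 PM Deleted Trojan program Trojan.Win32.Agent.dqbn D:\I386\Apps\APP11984\src\MSWORKS\PFILES\MSWORKS\WKSWP.EXE High
"""

# timestamp, action, object type, verdict (dotted name), path (may contain spaces), severity
ROW = re.compile(
    r"^(?P<when>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<action>\w+) (?P<kind>.+?) "
    r"(?P<verdict>\w+(?:\.\w+){2,}) (?P<path>[A-Za-z]:\\.+) (?P<severity>\w+)$"
)


def classify(path):
    """Label where a flagged copy lives, following the explanation in the thread."""
    p = path.lower()
    if "\\system volume information\\_restore{" in p:
        return "system-restore copy"   # renamed by Windows, e.g. A0065398.exe
    if "\\i386\\" in p:
        return "install-source copy"   # assumption: I386 tree holds setup sources
    return "live file"


def triage(report):
    """Collapse report rows into one entry per verdict, separating live files from copies."""
    groups = defaultdict(list)
    for line in report.strip().splitlines():
        m = ROW.match(line.strip())
        if m:  # ignore anything that is not a detection row
            groups[m["verdict"]].append((classify(m["path"]), m["path"]))
    summary = {}
    for verdict, hits in groups.items():
        live = [p for where, p in hits if where == "live file"]
        # Restore-point copies are renamed, so only the other paths carry the real name.
        names = {ntpath.basename(p).lower() for where, p in hits
                 if where != "system-restore copy"}
        summary[verdict] = {"live": live, "copies": len(hits) - len(live),
                            "names": sorted(names)}
    return summary


if __name__ == "__main__":
    for verdict, info in triage(REPORT).items():
        print(verdict, "->", info)
```

For the rows in this thread the summary has a single verdict with one live file and two stored copies, which is why only `WksWP.exe` from the Works program folder needs to be restored and submitted.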

antikythera -- Thank you for that. Just needed a clarification, and that helped tremendously, thank you.

Getting ready to do this today.

Once I right click on this to restore, in order to send to lab as a possible false positive - I noticed there is a "send" option in the right click menu - that I assume will be viable once I click restore.

Is this correct?

Thanks!

After doing instructions - in order to send to lab - I've restored it from disinfected, but when I try to find the file name from my list of programs the file to send is not there.

I'm looking in the original destination I thought C:program files/Microsoft Works/ and looking for wkswp.exe - but not there.

Please stay in one topic, or the other, not in both.

When you restored the file, it should have prompted where to save it, it might not have opened in the microsoft works folder, but in another one (best bet is my documents). Try doing a file search for that exe.

Thank you, I started another thread, and I know that's not good, because I was having a separate issue, and wasn't getting anything on the old thread. I do apologize for that I knew better.

No, there was nothing that came up that said where to save it. Or that I saw.

So I will try searching C: drive.

But am I understanding that correctly - that's the file I needed to find and send.

Now that it's probably residing in a different place - do I need to put it back into program files? And how?

I'm having a hard time finding it my searching of C: drive even

Is it WksWP.exe

I think I just sent MSWorks.exe

and that doesn't match it,

?

I just did a file search on files with WksWP and this is what I have listed in C:

Screenshot below:

post-132080-1269886403_thumb.png

In Windows Explorer click on tools. Then click on folder options. Click the view tab. Untick 'Hide extensions for known file types' and 'Hide protected operating system files'. Make sure the option to show hidden files and folders is selected above these entries too by placing the check mark by it.

Click apply and search again.

This is all making me uneasy - just to send this blasted thing to the lab! - thank you though for your patience with me.

--- Once I unticked "hide protected operating system files"

I got a windows warning pop up screenshot below: Do I continue on even with that warning?

post-132080-1269889621_thumb.png

Click yes, you can change it back again later when the search is done. The suspected file is not critical to the operation of your PC anyhow so it is perfectly safe to do so for the moment.

Ok - I've found the file now!!! Thank you! So it was hidden huh?

But ....

Someone before said that when I restored in order to that, that there should've been a place to save the file - but I told them that there wasn't. All I got - when I right-clicked on the file name in Disinfected files it that it just disappeared from the detected tabs list of disinfected files.

So is it residing where it needs to be ? Just was hidden from view from me due to the view that you've had me change to uncover ?

If so - can I now send it to Lab - but I've already sent to the lab was what I initially thought was the file, and it was MSworks.exe. - not the correct one. Now that I've found the correct one - If I send this now (Wkswp.exe - will that cause more confusion?)

And once I send it, I'll be able to change the folder options in View that I've unchecked just now ? correct?

One more thing. Do I need to put the Settings/Protections/select action automatically - ticked off again in order to send it to the lab - or that was just for restore process? At the moment, I've got the protections back to select automatically ticked.

Thank you again.

Thank you again for your patience.

Thank you antikythera,

I've sent the correct file to the lab -- Thank you again for helping me figure out that the file was hidden from my view. I knew I was following directions as stated to me, but just couldn't find that blasted file!

While I was in the process of sending the Lab form for the correct one since found - the initial response from the lab came back on the previous incorrect file I sent, with no detections on that one.

After submitting the correct one, with an explanation that I had sent an incorrect one previously, a response came back on that about 2 minutes after I sent it to them -- saying that there was no malicious code in that file.

So now - is it ok to try and run my MS Works ?

Will it still trigger an Alert from KIS about a trojan?

Will a full scan or Rootkitscan bring this back up again?

How does this happen anyway. Just curious how it got triggered in the first place.

Thank you again!

Ok - I've found the file now!!! Thank you! So it was hidden huh?

But ....

Someone before said that when I restored in order to that, that there should've been a place to save the file - but I told them that there wasn't. All I got - when I right-clicked on the file name in Disinfected files it that it just disappeared from the detected tabs list of disinfected files.

So is it residing where it needs to be ? Yes until you send it in.

If so - can I now send it to Lab - but I've already sent to the lab was what I initially thought was the file, and it was MSworks.exe. - not the correct one. Yes explain this and why.

Now that I've found the correct one - If I send this now (Wkswp.exe - will that cause more confusion?) No

And once I send it, I'll be able to change the folder options in View that I've unchecked just now ? correct? No, quarantine the file first. Then restore the settings I said to change in windows explorer.

One more thing. Do I need to put the Settings/Protections/select action automatically - ticked off again in order to send it to the lab - or that was just for restore process? At the moment, I've got the protections back to select automatically ticked. Leave it as it is.

Thank you again.

Thank you again for your patience.

Edited by antikythera
