PCANDIS5.SYS - Trojan horse Generic10.ASPV

R

RJK

Guest
....whilst in the middle of writing my Aunty an email, Windows Defender

decided to fire up and do a sweep,

and as soon as it started up, up popped AVG 8.0 "Threat Detected,"

....false positive ?

....should I upload C:\Windows\system32\PCANDIS5.SYS to Virus Total ?

AVG 8.0 has never complained about this file before now !

regards, Richard

 
R

RJK

Guest
http://www.virustotal.com/analisis/c9bf961...601d8a7f5c93a64

mmm ?

...what to do ?

"RJK" <nospam@hotmail.com> wrote in message

news:O4rz7zJ2IHA.4920@TK2MSFTNGP05.phx.gbl...<span style="color:blue">

> ...whilst in the middle of writing my Aunty an email, Windows Defender

> decided to fire up and do a sweep,

> and as soon as it started up, up popped AVG 8.0 "Threat Detected,"

>

> ...false positive ?

> ...should I upload C:Windowssystem32PCANDIS5.SYS to Virus Total ?

> AVG 8.0 has never complained about this file before now !

>

> regards, Richard

> </span>

 
R

RJK

Guest
Hi,

...how on earth does one copy and paste from a CMD box ?!

....back to DOS ! ....

IPCONFIG /ALL > c:\ipconfig.txt

Windows IP Configuration

Host Name . . . . . . . . . . . . : presler

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Unknown

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast

Ethernet NIC

Physical Address. . . . . . . . . : 00-13-8F-DE-A1-85

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.55

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.1

Lease Obtained. . . . . . . . . . : 27 June 2008 23:56:08

Lease Expires . . . . . . . . . . : 28 June 2008 23:56:08

....moan.... ....quick rummage in the router :-

WAN IP address : 84.71.149.185

Gateway : 62.25.195.21

Primary DNS server : 195.92.195.94

Secondary DNS server : 195.92.195.95

....anyhooo, I've been googling on the file PCANDIS5.SYS for ages ...and

I've never read such a load of rubbish in my life.

....can't get a grip on what the darned file is for, where it came from

....and if I even need it ? !!!

http://www.file.net/process/pcandis5.sys.html

File name: Pcandis5.sys

Product name: PCAUSA Rawether for Windows

Description: PCAUSA NDIS 5.0 Protocol Driver

Company: Printing Communications Assoc., Inc. (PCAUSA)

.....I don't think I've got anything that came from them. !!!

....AVG 8.0 which has been running a scan has just decided to destroy

another copy of it in a restore point !!

regards, Richard

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message

news:OIFWRsK2IHA.6096@TK2MSFTNGP06.phx.gbl...<span style="color:blue">

> From: "RJK" <nospam@hotmail.com>

>

> | http://www.virustotal.com/analisis/c9bf961...601d8a7f5c93a64

> | mmm ?

> | ..what to do ?

>

> CAT-QuickHeal 9.50 2008.06.26 Trojan.DNSChanger.ewf

>

> Assuming the above...

>

> In a Command Prompt type; IPCONFIG /ALL

>

> Copy and paste your DNS Servers.

>

>

> --

> Dave

> http://www.claymania.com/removal-trojan-adware.html

> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

>

> </span>

 
D

David H. Lipman

Guest
From: "RJK" <nospam@hotmail.com>

| Hi,

| ...how on earth does one copy and paste from a CMD box ?!

| ...back to DOS ! ....

| IPCONFIG /ALL > c:\ipconfig.txt

| Windows IP Configuration

| Host Name . . . . . . . . . . . . : presler

| Primary Dns Suffix . . . . . . . :

| Node Type . . . . . . . . . . . . : Unknown

| IP Routing Enabled. . . . . . . . : No

| WINS Proxy Enabled. . . . . . . . : No

| Ethernet adapter Local Area Connection:

| Connection-specific DNS Suffix . :

| Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast

| Ethernet NIC

| Physical Address. . . . . . . . . : 00-13-8F-DE-A1-85

| Dhcp Enabled. . . . . . . . . . . : Yes

| Autoconfiguration Enabled . . . . : Yes

| IP Address. . . . . . . . . . . . : 192.168.1.55

| Subnet Mask . . . . . . . . . . . : 255.255.255.0

| Default Gateway . . . . . . . . . : 192.168.1.1

| DHCP Server . . . . . . . . . . . : 192.168.1.1

| DNS Servers . . . . . . . . . . . : 192.168.1.1

| Lease Obtained. . . . . . . . . . : 27 June 2008 23:56:08

| Lease Expires . . . . . . . . . . : 28 June 2008 23:56:08

| ...moan.... ....quick rummage in the router :-

| WAN IP address : 84.71.149.185

| Gateway : 62.25.195.21

| Primary DNS server : 195.92.195.94

| Secondary DNS server : 195.92.195.95

| ...anyhooo, I've been googling on the file PCANDIS5.SYS for ages ...and

| I've never read such a load of rubbish in my life.

| ...can't get a grip on what the darned file is for, where it came from

| ...and if I even need it ? !!!

| http://www.file.net/process/pcandis5.sys.html

| File name: Pcandis5.sys

| Product name: PCAUSA Rawether for Windows

| Description: PCAUSA NDIS 5.0 Protocol Driver

| Company: Printing Communications Assoc., Inc. (PCAUSA)

| ....I don't think I've got anything that came from them. !!!

| ...AVG 8.0 which has been running a scan has just decided to destroy

| another copy of it in a restore point !!

| regards, Richard

Based upon your reply, your DNS servers haven't been altered to something like 85.255.x.y

which is a sign of a DNSChanger Trojan. Your Router get the DNS Servers from the ISP and

you get the DNS Service via the Router.

However, %windir%\system32\PCANDIS5.SYS is too legitimate. .SYS files, drivers, belong

in; %windir%\system32\drivers

If you'd like, you can email me a sample and I will have my "peers" check out the file.

In the meantime, search the Registry for; PCANDIS5.SYS and see if it is being loaded and

from where and post back the results.

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

 
R

RJK

Guest
Thanks again,

It's a job to handle PCANDIS5.SYS, AVG keeps grabbing hold of it !

....searching registry:-

....found keys -

HKCU\Software\Microsoft\Wwindows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\ \C:\WINDOWS\system32\PCANDIS5.sys

HKCU\Software\Microsoft\Wwindows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys\C:\WINDOWS\system32\PCANDIS5.sys

..... all seems to be okay ?

Key Name:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\

Class Name: <NO CLASS>

Last Write Time: 6/28/2008 - 1:50 PM

Value 0

Name: a

Type: REG_SZ

Data: C:\WINDOWS\system32\PCANDIS5.sys

etc. ...recently handled files ?

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCANDIS5

Class Name: <NO CLASS>

Last Write Time: 6/28/2008 - 9:57 AM

Value 0

Name: Type

Type: REG_DWORD

Data: 0x1

Value 1

Name: Start

Type: REG_DWORD

Data: 0x3

Value 2

Name: ErrorControl

Type: REG_DWORD

Data: 0x1

Value 3

Name: ImagePath

Type: REG_EXPAND_SZ

Data: \??\C:\WINDOWS\system32\PCANDIS5.SYS

Value 4

Name: DisplayName

Type: REG_SZ

Data: PCANDIS5 NDIS Protocol Driver

Value 5

Name: Group

Type: REG_SZ

Data: PNP_TDI

Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCANDIS5\Security

Class Name: <NO CLASS>

Last Write Time: 5/6/2008 - 11:09 PM

Value 0

Name: Security

Type: REG_BINARY

Data:

00000000 01 00 14 80 90 00 00 00 - 9c 00 00 00 14 00 00 00

.................

00000010 30 00 00 00 02 00 1c 00 - 01 00 00 00 02 80 14 00

0...............

00000020 ff 01 0f 00 01 01 00 00 - 00 00 00 01 00 00 00 00

ÿ...............

00000030 02 00 60 00 04 00 00 00 - 00 00 14 00 fd 01 02 00

...`.........ý...

00000040 01 01 00 00 00 00 00 05 - 12 00 00 00 00 00 18 00

.................

00000050 ff 01 0f 00 01 02 00 00 - 00 00 00 05 20 00 00 00 ÿ...........

....

00000060 20 02 00 00 00 00 14 00 - 8d 01 02 00 01 01 00 00

................

00000070 00 00 00 05 0b 00 00 00 - 00 00 18 00 fd 01 02 00

.............ý...

00000080 01 02 00 00 00 00 00 05 - 20 00 00 00 23 02 00 00 ........

....#...

00000090 01 01 00 00 00 00 00 05 - 12 00 00 00 01 01 00 00

.................

000000a0 00 00 00 05 12 00 00 00 - ........

Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCANDIS5\Enum

Class Name: <NO CLASS>

Last Write Time: 6/28/2008 - 9:57 AM

Value 0

Name: 0

Type: REG_SZ

Data: Root\LEGACY_PCANDIS5\0000

Value 1

Name: Count

Type: REG_DWORD

Data: 0x1

Value 2

Name: NextInstance

Type: REG_DWORD

Data: 0x1

....NEXT :)

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\PCANDIS5

Class Name: <NO CLASS>

Last Write Time: 6/28/2008 - 9:57 AM

Value 0

Name: Type

Type: REG_DWORD

Data: 0x1

Value 1

Name: Start

Type: REG_DWORD

Data: 0x3

Value 2

Name: ErrorControl

Type: REG_DWORD

Data: 0x1

Value 3

Name: ImagePath

Type: REG_EXPAND_SZ

Data: \??\C:\WINDOWS\system32\PCANDIS5.SYS

Value 4

Name: DisplayName

Type: REG_SZ

Data: PCANDIS5 NDIS Protocol Driver

Value 5

Name: Group

Type: REG_SZ

Data: PNP_TDI

Key Name:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\PCANDIS5\Security

Class Name: <NO CLASS>

Last Write Time: 5/6/2008 - 11:09 PM

Value 0

Name: Security

Type: REG_BINARY

Data:

00000000 01 00 14 80 90 00 00 00 - 9c 00 00 00 14 00 00 00

.................

00000010 30 00 00 00 02 00 1c 00 - 01 00 00 00 02 80 14 00

0...............

00000020 ff 01 0f 00 01 01 00 00 - 00 00 00 01 00 00 00 00

ÿ...............

00000030 02 00 60 00 04 00 00 00 - 00 00 14 00 fd 01 02 00

...`.........ý...

00000040 01 01 00 00 00 00 00 05 - 12 00 00 00 00 00 18 00

.................

00000050 ff 01 0f 00 01 02 00 00 - 00 00 00 05 20 00 00 00 ÿ...........

....

00000060 20 02 00 00 00 00 14 00 - 8d 01 02 00 01 01 00 00

................

00000070 00 00 00 05 0b 00 00 00 - 00 00 18 00 fd 01 02 00

.............ý...

00000080 01 02 00 00 00 00 00 05 - 20 00 00 00 23 02 00 00 ........

....#...

00000090 01 01 00 00 00 00 00 05 - 12 00 00 00 01 01 00 00

.................

000000a0 00 00 00 05 12 00 00 00 - ........

....even though I haven't a clue as to what all this lot is, Upnp seems to be

cropping up !

....recently I switched off Upnp, ...perphaps I should switch it back on !

....I think I give up !

regards, Richard

 
D

David H. Lipman

Guest
From: "RJK" <nospam@hotmail.com>

| Thanks again,

| It's a job to handle PCANDIS5.SYS, AVG keeps grabbing hold of it !

| ...searching registry:-

| ...found keys -

| HKCU\Software\Microsoft\Wwindows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\ \C:\

| WINDOWS\system32\PCANDIS5.sys

| HKCU\Software\Microsoft\Wwindows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys\C:\

| WINDOWS\system32\PCANDIS5.sys

| .... all seems to be okay ?

< snip >

| regards, Richard

Have you updated your signatures and rescanned ?

I came across another thread that indicated updated signature scan no longer detected the

Generic Trojan and thus was most likely a FP.

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

 
R

RJK

Guest
Hi,

I think I'll restore boot drive image taken 27/06/08, which I think I took

before AVG got nasty about pcandis5.sys :)

....first I may try to restore just that file from that hd image, will then

rescan ...I think first with heuristics switched off.

It may sound daft but, all the while digging around on this subject, it

feels like a false positive.

....will post outcome.

Thanks for your input

regards, Richard

 
R

RJK

Guest
....just restored pcandis5.ssy from hd image 27/06/08, and rescanned it with

AVG - nothing found. (heuristics on btw)

Jus resubmitted it to VirusTotal:-

http://www.virustotal.com/analisis/4592c73...d7d89ccd10c3c82

....AVG now finds nothing wrong with it !

CAT-QuickHeal still does not like the file !

....seems like I made all that fuss about nothing ! :)

many thanks again for your help,

regards, Richard

"RJK" <nospam@hotmail.com> wrote in message

news:%233Q2FHU2IHA.528@TK2MSFTNGP02.phx.gbl...<span style="color:blue">

> Hi,

>

> I think I'll restore boot drive image taken 27/06/08, which I think I took

> before AVG got nasty about pcandis5.sys :)

> ...first I may try to restore just that file from that hd image, will then

> rescan ...I think first with heuristics switched off.

>

> It may sound daft but, all the while digging around on this subject, it

> feels like a false positive.

> ...will post outcome.

>

> Thanks for your input

>

> regards, Richard

> </span>

 
R

RJK

Guest
....draned keyboard ssy=sys !

regards, Richard

"RJK" <nospam@hotmail.com> wrote in message

news:Or1epNU2IHA.4936@TK2MSFTNGP05.phx.gbl...<span style="color:blue">

> ...just restored pcandis5.ssy from hd image 27/06/08, and rescanned it

> with AVG - nothing found. (heuristics on btw)

> Jus resubmitted it to VirusTotal:-

> http://www.virustotal.com/analisis/4592c73...d7d89ccd10c3c82

> ...AVG now finds nothing wrong with it !

> CAT-QuickHeal still does not like the file !

>

> ...seems like I made all that fuss about nothing ! :)

>

> many thanks again for your help,

>

> regards, Richard

>

>

>

>

>

>

> "RJK" <nospam@hotmail.com> wrote in message

> news:%233Q2FHU2IHA.528@TK2MSFTNGP02.phx.gbl...<span style="color:green">

>> Hi,

>>

>> I think I'll restore boot drive image taken 27/06/08, which I think I

>> took before AVG got nasty about pcandis5.sys :)

>> ...first I may try to restore just that file from that hd image, will

>> then rescan ...I think first with heuristics switched off.

>>

>> It may sound daft but, all the while digging around on this subject, it

>> feels like a false positive.

>> ...will post outcome.

>>

>> Thanks for your input

>>

>> regards, Richard

>></span>

>

> </span>

 
You must log in or register to reply here.
Top Bottom