Guest RJK Posted June 27, 2008

...whilst in the middle of writing my Aunty an email, Windows Defender decided to fire up and do a sweep, and as soon as it started up, up popped AVG 8.0 "Threat Detected,"

...false positive ?
...should I upload C:\Windows\system32\PCANDIS5.SYS to Virus Total ?
AVG 8.0 has never complained about this file before now !

regards, Richard
Guest RJK Posted June 27, 2008

http://www.virustotal.com/analisis/c9bf961...601d8a7f5c93a64

mmm ? ...what to do ?

"RJK" <nospam@hotmail.com> wrote in message news:O4rz7zJ2IHA.4920@TK2MSFTNGP05.phx.gbl...
> ...whilst in the middle of writing my Aunty an email, Windows Defender
> decided to fire up and do a sweep,
> and as soon as it started up, up popped AVG 8.0 "Threat Detected,"
>
> ...false positive ?
> ...should I upload C:\Windows\system32\PCANDIS5.SYS to Virus Total ?
> AVG 8.0 has never complained about this file before now !
>
> regards, Richard
Guest David H. Lipman Posted June 27, 2008

From: "RJK" <nospam@hotmail.com>

| http://www.virustotal.com/analisis/c9bf961...601d8a7f5c93a64
| mmm ?
| ..what to do ?

CAT-QuickHeal 9.50 2008.06.26 Trojan.DNSChanger.ewf

Assuming the above...

In a Command Prompt type; IPCONFIG /ALL

Copy and paste your DNS Servers.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest RJK Posted June 28, 2008

Hi,

...how on earth does one copy and paste from a CMD box ?! ...back to DOS ! ....

IPCONFIG /ALL > c:\ipconfig.txt

Windows IP Configuration

        Host Name . . . . . . . . . . . . : presler
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-13-8F-DE-A1-85
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.55
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
        Lease Obtained. . . . . . . . . . : 27 June 2008 23:56:08
        Lease Expires . . . . . . . . . . : 28 June 2008 23:56:08

...moan.... ...quick rummage in the router :-

WAN IP address : 84.71.149.185
Gateway : 62.25.195.21
Primary DNS server : 195.92.195.94
Secondary DNS server : 195.92.195.95

...anyhooo, I've been googling on the file PCANDIS5.SYS for ages ...and I've never read such a load of rubbish in my life.
...can't get a grip on what the darned file is for, where it came from ...and if I even need it ? !!!

http://www.file.net/process/pcandis5.sys.html

File name: Pcandis5.sys
Product name: PCAUSA Rawether for Windows
Description: PCAUSA NDIS 5.0 Protocol Driver
Company: Printing Communications Assoc., Inc. (PCAUSA)

....I don't think I've got anything that came from them. !!!

...AVG 8.0 which has been running a scan has just decided to destroy another copy of it in a restore point !!

regards, Richard

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:OIFWRsK2IHA.6096@TK2MSFTNGP06.phx.gbl...
> From: "RJK" <nospam@hotmail.com>
>
> | http://www.virustotal.com/analisis/c9bf961...601d8a7f5c93a64
> | mmm ?
> | ..what to do ?
>
> CAT-QuickHeal 9.50 2008.06.26 Trojan.DNSChanger.ewf
>
> Assuming the above...
>
> In a Command Prompt type; IPCONFIG /ALL
>
> Copy and paste your DNS Servers.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest David H. Lipman Posted June 28, 2008

From: "RJK" <nospam@hotmail.com>

| Hi,
| ...how on earth does one copy and paste from a CMD box ?! ...back to DOS ! ....
| IPCONFIG /ALL > c:\ipconfig.txt
| Windows IP Configuration
| Host Name . . . . . . . . . . . . : presler
| Primary Dns Suffix . . . . . . . :
| Node Type . . . . . . . . . . . . : Unknown
| IP Routing Enabled. . . . . . . . : No
| WINS Proxy Enabled. . . . . . . . : No
| Ethernet adapter Local Area Connection:
| Connection-specific DNS Suffix . :
| Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast
| Ethernet NIC
| Physical Address. . . . . . . . . : 00-13-8F-DE-A1-85
| Dhcp Enabled. . . . . . . . . . . : Yes
| Autoconfiguration Enabled . . . . : Yes
| IP Address. . . . . . . . . . . . : 192.168.1.55
| Subnet Mask . . . . . . . . . . . : 255.255.255.0
| Default Gateway . . . . . . . . . : 192.168.1.1
| DHCP Server . . . . . . . . . . . : 192.168.1.1
| DNS Servers . . . . . . . . . . . : 192.168.1.1
| Lease Obtained. . . . . . . . . . : 27 June 2008 23:56:08
| Lease Expires . . . . . . . . . . : 28 June 2008 23:56:08
| ...moan.... ....quick rummage in the router :-
| WAN IP address : 84.71.149.185
| Gateway : 62.25.195.21
| Primary DNS server : 195.92.195.94
| Secondary DNS server : 195.92.195.95
| ...anyhooo, I've been googling on the file PCANDIS5.SYS for ages ...and
| I've never read such a load of rubbish in my life.
| ...can't get a grip on what the darned file is for, where it came from
| ...and if I even need it ? !!!
| http://www.file.net/process/pcandis5.sys.html
| File name: Pcandis5.sys
| Product name: PCAUSA Rawether for Windows
| Description: PCAUSA NDIS 5.0 Protocol Driver
| Company: Printing Communications Assoc., Inc. (PCAUSA)
| ....I don't think I've got anything that came from them. !!!
| ...AVG 8.0 which has been running a scan has just decided to destroy
| another copy of it in a restore point !!
| regards, Richard

Based upon your reply, your DNS servers haven't been altered to something like 85.255.x.y which is a sign of a DNSChanger Trojan. Your Router gets the DNS Servers from the ISP and you get the DNS Service via the Router.

However, %windir%\system32\PCANDIS5.SYS is too legitimate. .SYS files, drivers, belong in; %windir%\system32\drivers

If you'd like, you can email me a sample and I will have my "peers" check out the file.

In the meantime, search the Registry for; PCANDIS5.SYS and see if it is being loaded and from where and post back the results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
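The two checks Dave asks for, as an added example that is not from this thread or from any tool named in it: it parses a regedt32-style text export in the flattened one-value-per-line layout pasted later in the thread, flags kernel drivers (Type 0x1) whose ImagePath is outside %windir%\system32\drivers, and flags any DNS server in `ipconfig /all` output that falls in the 85.255.x.y block he mentions. `C:\WINDOWS` as %windir%, the Tcpip entry and the 85.255.112.1 address are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the regedt32-style layout pasted later in the thread
# (one "Value N Name/Type/Data" record per line). The Tcpip entry is made up.
REG_EXPORT = r"""
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCANDIS5
Value 0 Name: Type Type: REG_DWORD Data: 0x1
Value 1 Name: Start Type: REG_DWORD Data: 0x3
Value 3 Name: ImagePath Type: REG_EXPAND_SZ Data: \??\C:\WINDOWS\system32\PCANDIS5.SYS
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip
Value 0 Name: Type Type: REG_DWORD Data: 0x1
Value 1 Name: Start Type: REG_DWORD Data: 0x1
Value 3 Name: ImagePath Type: REG_EXPAND_SZ Data: system32\DRIVERS\tcpip.sys
"""
# Constructed `ipconfig /all` lines: the router address from the thread plus a
# made-up address inside the 85.255.x.y block Dave names as the DNSChanger sign.
IPCONFIG = """
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.1
"""
VALUE_RE = re.compile(r"Name:\s*(\S+)\s+Type:\s*(REG_\w+)\s+Data:\s*(.*)")
WINDIR = r"C:\WINDOWS"                        # assumed %windir%
DRIVER_DIR = (WINDIR + r"\system32\drivers").lower()
DNSCHANGER_NET = ip_network("85.255.0.0/16")  # only the block named in the thread

def parse_services(export):  # -> {service name: {value name: data}}
    services, current = {}, None
    for line in export.splitlines():
        if line.startswith("Key Name:"):
            current = services.setdefault(line.rsplit("\\", 1)[-1].strip(), {})
        elif current is not None and (m := VALUE_RE.search(line)):
            current[m.group(1)] = m.group(3).strip()
    return services

def normalize_image_path(path):
    # Drop the NT "\??\" prefix; a path without a drive is relative to %SystemRoot%.
    path = path[4:] if path.startswith("\\??\\") else path
    if not re.match(r"^[A-Za-z]:\\", path):
        path = WINDIR + "\\" + path.lstrip("\\")
    return path.lower()

def drivers_outside_drivers_dir(export):
    # Kernel drivers (Type 0x1) whose binary lives anywhere but system32\drivers.
    hits = []
    for name, vals in parse_services(export).items():
        if vals.get("Type") == "0x1" and "ImagePath" in vals:
            image = normalize_image_path(vals["ImagePath"])
            if not image.startswith(DRIVER_DIR + "\\"):
                hits.append((name, image, vals.get("Start")))  # Start 0x3 = on demand
    return hits

def dns_servers_in_range(ipconfig):
    # First DNS server listed for each adapter that falls inside DNSCHANGER_NET.
    ips = re.findall(r"DNS Servers[ .]*:\s*(\d+\.\d+\.\d+\.\d+)", ipconfig)
    return [ip for ip in ips if ip_address(ip) in DNSCHANGER_NET]
```

A driver flagged by the first check is not proof of anything on its own, which is exactly the point of Dave's follow-up about checking the vendor and re-scanning with current signatures before deleting.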
Guest RJK Posted June 28, 2008

Thanks again,

It's a job to handle PCANDIS5.SYS, AVG keeps grabbing hold of it !

...searching registry:-
...found keys -

HKCU\Software\Microsoft\Wwindows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\ \C:\WINDOWS\system32\PCANDIS5.sys
HKCU\Software\Microsoft\Wwindows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys\C:\WINDOWS\system32\PCANDIS5.sys

..... all seems to be okay ?

Key Name: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\
Class Name: <NO CLASS>
Last Write Time: 6/28/2008 - 1:50 PM
Value 0 Name: a Type: REG_SZ Data: C:\WINDOWS\system32\PCANDIS5.sys
etc.

...recently handled files ?

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCANDIS5
Class Name: <NO CLASS>
Last Write Time: 6/28/2008 - 9:57 AM
Value 0 Name: Type Type: REG_DWORD Data: 0x1
Value 1 Name: Start Type: REG_DWORD Data: 0x3
Value 2 Name: ErrorControl Type: REG_DWORD Data: 0x1
Value 3 Name: ImagePath Type: REG_EXPAND_SZ Data: \??\C:\WINDOWS\system32\PCANDIS5.SYS
Value 4 Name: DisplayName Type: REG_SZ Data: PCANDIS5 NDIS Protocol Driver
Value 5 Name: Group Type: REG_SZ Data: PNP_TDI

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCANDIS5\Security
Class Name: <NO CLASS>
Last Write Time: 5/6/2008 - 11:09 PM
Value 0 Name: Security Type: REG_BINARY

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCANDIS5\Enum
Class Name: <NO CLASS>
Last Write Time: 6/28/2008 - 9:57 AM
Value 0 Name: 0 Type: REG_SZ Data: Root\LEGACY_PCANDIS5\0000
Value 1 Name: Count Type: REG_DWORD Data: 0x1
Value 2 Name: NextInstance Type: REG_DWORD Data: 0x1

....NEXT :-)

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\PCANDIS5
Class Name: <NO CLASS>
Last Write Time: 6/28/2008 - 9:57 AM
Value 0 Name: Type Type: REG_DWORD Data: 0x1
Value 1 Name: Start Type: REG_DWORD Data: 0x3
Value 2 Name: ErrorControl Type: REG_DWORD Data: 0x1
Value 3 Name: ImagePath Type: REG_EXPAND_SZ Data: \??\C:\WINDOWS\system32\PCANDIS5.SYS
Value 4 Name: DisplayName Type: REG_SZ Data: PCANDIS5 NDIS Protocol Driver
Value 5 Name: Group Type: REG_SZ Data: PNP_TDI

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\PCANDIS5\Security
Class Name: <NO CLASS>
Last Write Time: 5/6/2008 - 11:09 PM
Value 0 Name: Security Type: REG_BINARY

....even though I haven't a clue as to what all this lot is, Upnp seems to be cropping up !
...recently I switched off Upnp, ...perhaps I should switch it back on !

....I think I give up !

regards, Richard
Guest David H. Lipman Posted June 28, 2008

From: "RJK" <nospam@hotmail.com>

| Thanks again,
| It's a job to handle PCANDIS5.SYS, AVG keeps grabbing hold of it !
| ...searching registry:-
| ...found keys -
| HKCU\Software\Microsoft\Wwindows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\ \C:\
| WINDOWS\system32\PCANDIS5.sys
| HKCU\Software\Microsoft\Wwindows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys\C:\
| WINDOWS\system32\PCANDIS5.sys
| .... all seems to be okay ?

< snip >

| regards, Richard

Have you updated your signatures and rescanned ?

I came across another thread that indicated an updated signature scan no longer detected the Generic Trojan and thus it was most likely a FP.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest RJK Posted June 28, 2008

Hi,

I think I'll restore the boot drive image taken 27/06/08, which I think I took before AVG got nasty about pcandis5.sys :-)
...first I may try to restore just that file from that hd image, will then rescan ...I think first with heuristics switched off.

It may sound daft but, all the while digging around on this subject, it feels like a false positive.
...will post outcome.

Thanks for your input

regards, Richard
Guest RJK Posted June 28, 2008

...just restored pcandis5.ssy from hd image 27/06/08, and rescanned it with AVG - nothing found. (heuristics on btw)
Just resubmitted it to VirusTotal:-
http://www.virustotal.com/analisis/4592c73...d7d89ccd10c3c82
...AVG now finds nothing wrong with it !
CAT-QuickHeal still does not like the file !

...seems like I made all that fuss about nothing ! :-)

many thanks again for your help,

regards, Richard

"RJK" <nospam@hotmail.com> wrote in message news:%233Q2FHU2IHA.528@TK2MSFTNGP02.phx.gbl...
> Hi,
>
> I think I'll restore boot drive image taken 27/06/08, which I think I took
> before AVG got nasty about pcandis5.sys :-)
> ...first I may try to restore just that file from that hd image, will then
> rescan ...I think first with heuristics switched off.
>
> It may sound daft but, all the while digging around on this subject, it
> feels like a false positive.
> ...will post outcome.
>
> Thanks for your input
>
> regards, Richard
Guest RJK Posted June 28, 2008

....darned keyboard, ssy=sys !

regards, Richard

"RJK" <nospam@hotmail.com> wrote in message news:Or1epNU2IHA.4936@TK2MSFTNGP05.phx.gbl...
> ...just restored pcandis5.ssy from hd image 27/06/08, and rescanned it
> with AVG - nothing found. (heuristics on btw)
> Jus resubmitted it to VirusTotal:-
> http://www.virustotal.com/analisis/4592c73...d7d89ccd10c3c82
> ...AVG now finds nothing wrong with it !
> CAT-QuickHeal still does not like the file !
>
> ...seems like I made all that fuss about nothing ! :-)
>
> many thanks again for your help,
>
> regards, Richard
>
> "RJK" <nospam@hotmail.com> wrote in message
> news:%233Q2FHU2IHA.528@TK2MSFTNGP02.phx.gbl...
>> Hi,
>>
>> I think I'll restore boot drive image taken 27/06/08, which I think I
>> took before AVG got nasty about pcandis5.sys :-)
>> ...first I may try to restore just that file from that hd image, will
>> then rescan ...I think first with heuristics switched off.
>>
>> It may sound daft but, all the while digging around on this subject, it
>> feels like a false positive.
>> ...will post outcome.
>>
>> Thanks for your input
>>
>> regards, Richard