False Positive? Win32TrojanPakes dp1.fne file
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive False Postive Issues
Hybrid34
Hi there,
My Ad-Aware Anniversary Edition keeps picking up a suspected Win32TrojanPakes.
It's located in two places:
C:\WINDOWS\system32\C63D80\dp1.fne (this file I cannot locate, as it's not found on the drive; yes, I have viewed all hidden folders as well)
c:\docume~1\ash\locals~1\temp\e_n4\dp1.fne

I've tried deleting these files, but they seem to be coming back straight away after I restart my pc.
Secondly, Ad-Aware picks up a registry entry.
I am not sure what to do now, if it is a false positive that ad-aware hasn't patched up, or if it is an actual legitimate worm/trojan
I have attached these files for you to examine,
Cheers
- Ash

After research on the net, my computer also contains these files:

It then creates a folder in the temp directory and a randomly named folder in the system directory and drops some non-malicious files in them:

• %Temp%\E_4\com.run
• %system%\randomname(folder)\com.run
• %Temp%\E_4\dp1.fne
• %system%\randomname(folder)\dp1.fne
• %Temp%\E_4\eAPI.fne
• %system%\randomname(folder)\eAPI.fne
• %Temp%\E_4\internet.fne
• %system%\randomname(folder)\internet.fne
• %Temp%\E_4\krnln.fnr
• %system%\randomname(folder)\krnln.fnr
• %Temp%\E_4\RegEx.fnr
• %system%\randomname(folder)\RegEx.fnr
• %Temp%\E_4\shell.fne
• %system%\randomname(folder)\shell.fne
• %Temp%\E_4\spec.fne
• %system%\randomname(folder)\spec.fne

It will also add the following registry entry to load itself at system startup:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

This worm infects removable drives. It drops copies of itself as (name of the folder).exe. It then sets the attribute of the original folder to Hidden to trick the user to believe the dropped file as legitimate.

It also drops an AUTORUN.INF file to automatically execute, if the autorun feature is enabled on the target machine. It also drops a file called Recycled.exe
LS Anders
Hello Hybrid34

Thank you for reporting this. We will re-investigate the file and if it is found to be a false positive it will be removed from detection.


Regards
LS Anders
LS Anders
From the files you have listed above, does your machine contain all of them? If that is the case it looks like you have an infection with an autorun worm. To get more help cleaning that please go to the Lavasoft Support Forum: http://www.lavasoftsupport.com/index.php?showforum=61

Also, could you please post the log file from when Ad-Aware is detecting these things.

Regards
LS Anders

Hybrid34
QUOTE(LS Anders @ Jun 9 2009, 04:53 PM) *
From the files you have listed above, does your machine contain all of them? If that is the case it looks like you have an infection with an autorun worm. To get more help cleaning that please go to the Lavasoft Support Forum: http://www.lavasoftsupport.com/index.php?showforum=61

Also, could you please post the log file from when Ad-Aware is detecting these things.

Regards
LS Anders


Thanks for that, Anders. I think I do have an infection: as soon as you insert an external device, the trojan/worm copies itself to the external device, then if you put that device into another PC it copies itself to that PC. Very annoying, as it's hidden as a .exe file and is automatically run in the autorun.ini
I have attached the log for you
Thanks
- Ash
LS Anders
Hello

The registry entry in the log is related to the file (process) detected. The symptoms you describe are typical for an autorun worm. If you open the autorun.inf file in a text editor you will be able to see a link to the file that it loads. If you want to, you can zip (password protect the zip file with the password: infected) the linked file and send it to research@lavasoft.com.


Regards
LS Anders
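The two symptoms this thread circles around, an autorun.inf that names a file to launch and a hidden folder with a same-named .exe beside it, can be checked on a removable drive without executing anything. The script below is an added example for this thread, not code from Lavasoft or the poster: it parses the launch keys of an autorun.inf, lists folder/.exe name collisions (reporting the hidden attribute where the platform exposes it), and notes whether a Recycled.exe is present in the root. The sample drive layout it builds in a temporary directory is constructed for the demonstration; the key names it looks for (open, shellexecute, shell\open\command, shell\explore\command) are the standard autorun.inf launch keys.

```python
import stat
import tempfile
from pathlib import Path

# Keys in the [autorun] section of an autorun.inf that name something to run.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun_inf(text):
    """Return {key: value} for launch-related keys in the [autorun] section.

    A small line parser is used rather than configparser so that sloppy files
    (duplicate keys, backslashes in key names, stray whitespace) still parse.
    """
    targets = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS:
            targets[key] = value
    return targets


def is_hidden(path):
    """True if the Windows hidden attribute is set; None where not applicable."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None                       # non-Windows: no attribute to read
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))


def find_folder_mimics(root):
    """Find 'Name.exe' files sitting beside a folder called 'Name'.

    Returns a sorted list of (folder_name, folder_hidden) tuples.
    """
    root = Path(root)
    hits = []
    for entry in root.iterdir():
        if entry.is_dir() and (root / (entry.name + ".exe")).is_file():
            hits.append((entry.name, is_hidden(entry)))
    return sorted(hits)


def triage_drive(root):
    """Collect the indicators discussed in the thread for one drive root."""
    root = Path(root)
    names = {p.name.lower(): p for p in root.iterdir()}
    report = {"autorun_targets": {}, "folder_mimics": [], "recycled_exe": False}
    inf = names.get("autorun.inf")        # case-insensitive, as on FAT volumes
    if inf is not None and inf.is_file():
        report["autorun_targets"] = parse_autorun_inf(inf.read_text(errors="replace"))
    report["folder_mimics"] = find_folder_mimics(root)
    report["recycled_exe"] = "recycled.exe" in names
    return report


def build_sample_drive(root):
    """Construct a fake drive layout showing the symptoms (constructed data)."""
    root = Path(root)
    (root / "autorun.inf").write_text(
        "; constructed sample, not a real autorun.inf from an infected drive\n"
        "[autorun]\nopen=Recycled.exe\nshellexecute=Recycled.exe\n"
    )
    (root / "Photos").mkdir()             # real folder ...
    (root / "Photos.exe").write_bytes(b"MZ")  # ... with a same-named .exe beside it
    (root / "Docs").mkdir()               # benign folder with no twin
    (root / "Recycled.exe").write_bytes(b"MZ")


def demo():
    """Build the sample drive in a temp dir and triage it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return triage_drive(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real drive with `triage_drive("E:\\")` (or the mount point on another OS). A non-empty `autorun_targets` tells you which file the autorun.inf would launch, which is the file Anders asks for above; `folder_mimics` entries with `folder_hidden` set to True match the hidden-folder trick described in the research section of the first post.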
Hybrid34
Thanks for that Anders, will do that now,
Cheers
- Ash
LS Anders
Hello Ash

Thank you for the file. However, to be able to look further at this file we will also need the recycle.exe file (probably located in the root). Could you please see if you can find that file too, zip and password it and send it to the same mail address.


Regards
LS Anders