Boot sector virus from USB flashdrive?

  • Thread starter Thread starter Scott
  • Start date Start date
S

Scott

XP sp2- Zone Alarm Security Suite said
"not-a-virus:Porn-Dialer.Win32.Agent.aw
found in
Quicken\qw.exe
Quicken\RestartExe.exe "
At the same time I had another virus alert about ".Ardamax." and
"backdoor.blackhole.2004". During the infection the firewall said my
computer was trying to send out ARP requests periodically. It could not be
removed completely and I reformatted the drive, clean XP install and had
similar spyware problems. Installed new harddrive, clean install, scanned
several times before downloading and installing Quicken Basic again.

Now I am running SnoopFree and when I restored my Quicken backup, SnoopFree
says "QW.exe is trying to hook the keyboard" on password prompt and "QW.exe
is trying to capture the screen" which I denied, of course. Quicken works
fine when I disallowed qw.exe to hook the keyboard and capture the screen.

Now I am concerned that possibly this virus problem is now in my Quicken
backup file or the boot sector on my USB flashdrive. Right now there is no
spyware or virus detected on my computer, but SnoopFree log shows that
QW.exe tried to hook the keyboard over 100 times when I logged into Quicken
and tried to capture the screen too. Is this normal for qw.exe to try and
hook the keyboard and capture the screen? I am afraid I may have to reformat
again and build a new Quicken file instead of using the backup. Any help
about this is very much appreciated. Scary stuff. Thank you. PS My backup
file is stored on a USB flashdrive. Before the reinstall, ZoneAlarm gave
errors while trying to scan files in the Boot Sector of my harddrive. Is it
possible with XP for a virus to encrypt its' own files to make it
undetectable? During the infection I booted to DOS only using and EZ OS
Installation program and was unable to view some files and folders that were
encrypted. I also posted to a forum at Quicken and awaiting a reply. Thanks
very much. Scott
 
From: "Scott" <[email protected]>

| XP sp2- Zone Alarm Security Suite said
| "not-a-virus:Porn-Dialer.Win32.Agent.aw
| found in
| Quicken\qw.exe
| Quicken\RestartExe.exe "
| At the same time I had another virus alert about ".Ardamax." and
| "backdoor.blackhole.2004". During the infection the firewall said my
| computer was trying to send out ARP requests periodically. It could not be
| removed completely and I reformatted the drive, clean XP install and had
| similar spyware problems. Installed new harddrive, clean install, scanned
| several times before downloading and installing Quicken Basic again.
|
| Now I am running SnoopFree and when I restored my Quicken backup, SnoopFree
| says "QW.exe is trying to hook the keyboard" on password prompt and "QW.exe
| is trying to capture the screen" which I denied, of course. Quicken works
| fine when I disallowed qw.exe to hook the keyboard and capture the screen.
|
| Now I am concerned that possibly this virus problem is now in my Quicken
| backup file or the boot sector on my USB flashdrive. Right now there is no
| spyware or virus detected on my computer, but SnoopFree log shows that
| QW.exe tried to hook the keyboard over 100 times when I logged into Quicken
| and tried to capture the screen too. Is this normal for qw.exe to try and
| hook the keyboard and capture the screen? I am afraid I may have to reformat
| again and build a new Quicken file instead of using the backup. Any help
| about this is very much appreciated. Scary stuff. Thank you. PS My backup
| file is stored on a USB flashdrive. Before the reinstall, ZoneAlarm gave
| errors while trying to scan files in the Boot Sector of my harddrive. Is it
| possible with XP for a virus to encrypt its' own files to make it
| undetectable? During the infection I booted to DOS only using and EZ OS
| Installation program and was unable to view some files and folders that were
| encrypted. I also posted to a forum at Quicken and awaiting a reply. Thanks
| very much. Scott
|

Whay are you calling what was called "not-a-virus" a virus ?

If Zone Alarm Security Suite said "not-a-virus:Porn-Dialer.Win32.Agent.aw" on Quicken for
Windows it is a False Positive declaration.

You also said...

"At the same time I had another virus alert about ".Ardamax." and "backdoor.blackhole.2004"
"

Sounds like a Trojan and again, NOT a virus.

So you have NO virus. You have no Boot Sector Infector.
Are you using NTFS or FAT32 ?

Let's prove that this is a False Positive...

Please submit a sample of "QW.EXE" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 
David H. Lipman said:
From: "Scott" <[email protected]>

| XP sp2- Zone Alarm Security Suite said
| "not-a-virus:Porn-Dialer.Win32.Agent.aw
| found in
| Quicken\qw.exe
| Quicken\RestartExe.exe "
| At the same time I had another virus alert about ".Ardamax." and
| "backdoor.blackhole.2004". During the infection the firewall said my
| computer was trying to send out ARP requests periodically. It could not
be
| removed completely and I reformatted the drive, clean XP install and had
| similar spyware problems. Installed new harddrive, clean install,
scanned
| several times before downloading and installing Quicken Basic again.
|
| Now I am running SnoopFree and when I restored my Quicken backup,
SnoopFree
| says "QW.exe is trying to hook the keyboard" on password prompt and
"QW.exe
| is trying to capture the screen" which I denied, of course. Quicken
works
| fine when I disallowed qw.exe to hook the keyboard and capture the
screen.
|
| Now I am concerned that possibly this virus problem is now in my Quicken
| backup file or the boot sector on my USB flashdrive. Right now there is
no
| spyware or virus detected on my computer, but SnoopFree log shows that
| QW.exe tried to hook the keyboard over 100 times when I logged into
Quicken
| and tried to capture the screen too. Is this normal for qw.exe to try
and
| hook the keyboard and capture the screen? I am afraid I may have to
reformat
| again and build a new Quicken file instead of using the backup. Any
help
| about this is very much appreciated. Scary stuff. Thank you. PS My
backup
| file is stored on a USB flashdrive. Before the reinstall, ZoneAlarm gave
| errors while trying to scan files in the Boot Sector of my harddrive. Is
it
| possible with XP for a virus to encrypt its' own files to make it
| undetectable? During the infection I booted to DOS only using and EZ OS
| Installation program and was unable to view some files and folders that
were
| encrypted. I also posted to a forum at Quicken and awaiting a reply.
Thanks
| very much. Scott
|

Whay are you calling what was called "not-a-virus" a virus ?

If Zone Alarm Security Suite said "not-a-virus:Porn-Dialer.Win32.Agent.aw"
on Quicken for
Windows it is a False Positive declaration.

You also said...

"At the same time I had another virus alert about ".Ardamax." and
"backdoor.blackhole.2004"
"

Sounds like a Trojan and again, NOT a virus.

So you have NO virus. You have no Boot Sector Infector.
Are you using NTFS or FAT32 ?

Let's prove that this is a False Positive...

Please submit a sample of "QW.EXE" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's
scanners.
That will give you an idea what it is and who recognizes it. In addition,
unless told
otherwise, Virus Total will provide the sample to all participating
vendors.

You can also submit a suspect, one at a time, via the following email
URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
Click to expand...
Thanks Dave. I tend to call everything a virus, ignorance I suppose. Was
FAT32 before reformat, now NTFS. I will submit the file as suggested and
will post the report. I am also going to install Quicken on a separate box
and see if I get the same "hooking and capturing" messages. Thanks again.
Scott
 
David H. Lipman said:
From: "Scott" <[email protected]>

| XP sp2- Zone Alarm Security Suite said
| "not-a-virus:Porn-Dialer.Win32.Agent.aw
| found in
| Quicken\qw.exe
| Quicken\RestartExe.exe "
| At the same time I had another virus alert about ".Ardamax." and
| "backdoor.blackhole.2004". During the infection the firewall said my
| computer was trying to send out ARP requests periodically. It could not
be
| removed completely and I reformatted the drive, clean XP install and had
| similar spyware problems. Installed new harddrive, clean install,
scanned
| several times before downloading and installing Quicken Basic again.
|
| Now I am running SnoopFree and when I restored my Quicken backup,
SnoopFree
| says "QW.exe is trying to hook the keyboard" on password prompt and
"QW.exe
| is trying to capture the screen" which I denied, of course. Quicken
works
| fine when I disallowed qw.exe to hook the keyboard and capture the
screen.
|
| Now I am concerned that possibly this virus problem is now in my Quicken
| backup file or the boot sector on my USB flashdrive. Right now there is
no
| spyware or virus detected on my computer, but SnoopFree log shows that
| QW.exe tried to hook the keyboard over 100 times when I logged into
Quicken
| and tried to capture the screen too. Is this normal for qw.exe to try
and
| hook the keyboard and capture the screen? I am afraid I may have to
reformat
| again and build a new Quicken file instead of using the backup. Any
help
| about this is very much appreciated. Scary stuff. Thank you. PS My
backup
| file is stored on a USB flashdrive. Before the reinstall, ZoneAlarm gave
| errors while trying to scan files in the Boot Sector of my harddrive. Is
it
| possible with XP for a virus to encrypt its' own files to make it
| undetectable? During the infection I booted to DOS only using and EZ OS
| Installation program and was unable to view some files and folders that
were
| encrypted. I also posted to a forum at Quicken and awaiting a reply.
Thanks
| very much. Scott
|

Whay are you calling what was called "not-a-virus" a virus ?

If Zone Alarm Security Suite said "not-a-virus:Porn-Dialer.Win32.Agent.aw"
on Quicken for
Windows it is a False Positive declaration.

You also said...

"At the same time I had another virus alert about ".Ardamax." and
"backdoor.blackhole.2004"
"

Sounds like a Trojan and again, NOT a virus.

So you have NO virus. You have no Boot Sector Infector.
Are you using NTFS or FAT32 ?

Let's prove that this is a False Positive...

Please submit a sample of "QW.EXE" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's
scanners.
That will give you an idea what it is and who recognizes it. In addition,
unless told
otherwise, Virus Total will provide the sample to all participating
vendors.

You can also submit a suspect, one at a time, via the following email
URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
Click to expand...
Looks like I am being ultra-paranoid. Installed Quicken Basic on a separate
box and get the same keyboard hook alerts from SnoopFree but not trying to
capture screen. Apparently this seems to be a normal function for qw.exe ?
Still going to submit the suspect file as suggested. Thanks again, Scott
 
Scott said:
XP sp2- Zone Alarm Security Suite said
"not-a-virus:Porn-Dialer.Win32.Agent.aw
found in
Quicken\qw.exe
Quicken\RestartExe.exe "
At the same time I had another virus alert about ".Ardamax." and
"backdoor.blackhole.2004". During the infection the firewall said my
computer was trying to send out ARP requests periodically. It could not be
removed completely and I reformatted the drive, clean XP install and had
similar spyware problems. Installed new harddrive, clean install, scanned
several times before downloading and installing Quicken Basic again.

Now I am running SnoopFree and when I restored my Quicken backup,
SnoopFree says "QW.exe is trying to hook the keyboard" on password prompt
and "QW.exe is trying to capture the screen" which I denied, of course.
Quicken works fine when I disallowed qw.exe to hook the keyboard and
capture the screen.

Now I am concerned that possibly this virus problem is now in my Quicken
backup file or the boot sector on my USB flashdrive. Right now there is no
spyware or virus detected on my computer, but SnoopFree log shows that
QW.exe tried to hook the keyboard over 100 times when I logged into
Quicken and tried to capture the screen too. Is this normal for qw.exe to
try and hook the keyboard and capture the screen? I am afraid I may have
to reformat again and build a new Quicken file instead of using the
backup. Any help about this is very much appreciated. Scary stuff.
Thank you. PS My backup file is stored on a USB flashdrive. Before the
reinstall, ZoneAlarm gave errors while trying to scan files in the Boot
Sector of my harddrive. Is it possible with XP for a virus to encrypt its'
own files to make it undetectable? During the infection I booted to DOS
only using and EZ OS Installation program and was unable to view some
files and folders that were encrypted. I also posted to a forum at Quicken
and awaiting a reply. Thanks very much. Scott
Click to expand...
After searching this I found this unrelated but similar article regarding
Quicken having a backdoor in it.
http://computerworld.com/action/art...yName=privacy&articleId=9025436&taxonomyId=84
Thanks for your help and information. Scott
 
David H. Lipman said:
From: "Scott" <[email protected]>


| After searching this I found this unrelated but similar article
regarding
| Quicken having a backdoor in it.
|
http://computerworld.com/action/art...yName=privacy&articleId=9025436&taxonomyId=84
| Thanks for your help and information. Scott
|

Well that was an eye opener !

I have been using Quicken for a long time. I still use Quicken 8 for DOS
under WinXP and I
use Quicken 2006.
Click to expand...
Yes, if its true I imagine it will become a target. I read in the Quicken
forum that the porn-dialer was a false-positive. Thanks for your help. I am
saving your message for future reference. Scott
 
Back
Top