Sh37[1].html Quarantined


WacoJohn

Lately, when I open a website (randomly), 3.0 quarantines a file described as sh37[1].html:

 

Detection Name: W32.Trojan.9ab9

File Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1D12CUPQ\sh37[1].html

 

I would not know for certain, but I think it is probably a false positive.

 

1. How can I determine if it is safe?

 

2. If it is safe, how can I stop this from happening?


Guest Orlando

1. How can I determine if it is safe?

 

Inexperienced users can use VirusTotal, but its results cannot be taken as 100% certain, so pay attention.

 

2. If it is safe, how can I stop this from happening?

 

All files in "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\" can be deleted because this path is the temporary files path of IE, so you could delete only these files without problems (if you delete all files you will lose the IE History).

 

Please read this guide to report this FP, thanks,

Orlando

Hi WacoJohn

If you are uncertain whether your file is infected or not, you can have it analyzed. If the file is regarded as clean, the file will not be subject to any scan by Immunet.

-------------------------------------------------------------------

1.) If you need an immediate analysis with result, for example during weekends & holidays:

-------------------------------------------------------------------

1a.) Download & install the freeware VirusTotal (VT) Uploader 2.0 from here: http://virustotal-up...n.softonic.com/. Using this simple freeware you may upload the file to the VT website, where 42 different Antivirus & Antimalware products will immediately analyze the file. After a few seconds you will get a report from VT that lists whether any products regard your file as infected or not. The products that have found your file to be infected will also give their names for the infection. Many products name the infection differently, using their own vocabulary. If only a few of the products report your file to be infected, you may regard the infection to be a "false positive". Note that results from some of the products are more reliable than from others. (Some of the products are known for reporting "false positives"!) Finally, it is up to you to treat the file as clean or infected!

-------------------------------------------------------------------

1b.) If you regard the file to be clean, it can be placed in a sort of "whitelist" in the Immunet software:

Product->Settings->Protection Exclusions-> Add New Exclusion.

Here you must enter the path to the file, and the full path will be added as a new line to the list of exclusions. Note that to the right of the line is an (x)! If you change your mind and want the path to be scanned by Immunet again, it can be deleted by clicking on the (x) sign, and the path (line) will disappear from the list.

-------------------------------------------------------------------

Remember to click on the "Apply" button, otherwise your settings will not be saved!

-------------------------------------------------------------------

2.) If you do not need an immediate analysis, and you can wait until workdays Mon-Fri 9-15, you can have your file handled by the Immunet staff:

-------------------------------------------------------------------

2a.) Submit your suspicious file (false positive) here: http://www.immunet.c...tact/index.html

-------------------------------------------------------------------

2b.) If the analysis by Immunet regards the file as a "false positive", this will be reported to the Immunet database (the Cloud), and all further scans by Immunet will treat the file as clean. Note that the file does not have to be on the Exclusion list any more now! If the Immunet analysis regards the file to be infected, this will be reported to the Immunet database (the Cloud). A scan by Immunet will then place the file in Quarantine. Note that if you personally still regard the file as clean, you must add it to your own exclusion list (see item 1b. above).

-------------------------------------------------------------------

Note that if you have used alternative 1.) above in an emergency, you should still follow the instructions as per alternative 2.) later as well. This is important, so that the whole Immunet community gets proper online info from the common database (the Cloud)!

 

 

Cheers,

sweidre


Thank you for all the advice. Since it is a TEMPORARY file, I cannot seem to upload it for analysis, or anything else. The moment I restore it from quarantine, 3.0 quarantines it again.

 

I suppose if I paused 'protection', I could restore it from quarantine and then (hopefully) get it analyzed .. but I can't find where to pause protection. Sorry if I am missing something obvious.

 

For what it's worth, I have attached a screen shot of the quarantine. You can see where I have restored the quarantined file to the temporary folder, then (very quickly) copied it to my desktop so I can get it analyzed but then it gets quarantined again.

 

I THINK that once I managed to get it zipped before it got quarantined again .. and I think I uploaded the zip .. to the forum or emailed it to Immunet .. not sure .. but have not heard back yet. I am not sure about that .. but I no longer have the zip ... and cannot seem to create another one because it keeps getting quarantined.

 

I guess it would help to know how to pause protection.

 


I am NO expert on all this .. but I am not sure it would be a good idea to whitelist a browser temporary file. Take, for example, one named sh37[1].html

 

An html file can contain anything .. from harmless content to safe content. They do not have exclusive names either. sh37[1].html could come from one website and be harmless ... and a temporary file with the same name could come from another website and be harmful. If the file name were whitelisted .. harm would not be detected if it is whitelisted.

 

No?

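The concern in the post above (a cached file's name says nothing about its content), shown as an added example that is not part of the original thread and is not Immunet's code: two cache entries share the name sh37[1].html, and an exclusion keyed on the name covers both while one keyed on the reviewed file's SHA-256 covers only that file. The function names, the second cache folder name and both file bodies are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file content in chunks; the name plays no part in the result."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def excluded_by_name(path: Path, excluded_names: set) -> bool:
    """Hypothetical name-based exclusion: any file with this name is skipped."""
    return path.name.lower() in excluded_names


def excluded_by_hash(path: Path, reviewed_hashes: set) -> bool:
    """Hypothetical content-based exclusion: only reviewed content is skipped."""
    return sha256_of(path) in reviewed_hashes


def demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        cache = Path(root) / "Content.IE5"
        # Same file name in two cache folders; AB34EXMP is a constructed name.
        reviewed = cache / "1D12CUPQ" / "sh37[1].html"
        other = cache / "AB34EXMP" / "sh37[1].html"
        # Constructed bodies standing in for pages fetched from two sites.
        bodies = {
            reviewed: b"<html><body>page from site A</body></html>",
            other: b"<html><body>page from site B</body></html>",
        }
        for path, body in bodies.items():
            path.parent.mkdir(parents=True)
            path.write_bytes(body)

        names = {"sh37[1].html"}
        hashes = {sha256_of(reviewed)}  # recorded when the file was reviewed
        return {
            "by_name": (excluded_by_name(reviewed, names),
                        excluded_by_name(other, names)),
            "by_hash": (excluded_by_hash(reviewed, hashes),
                        excluded_by_hash(other, hashes)),
        }


if __name__ == "__main__":
    print(demo())
```
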

Hi WacoJohn,

If you want Immunet to ignore your file and not analyze the file at all, put it on the Exclusion List ("whitelist"). Then Immunet will not quarantine it either! Follow these instructions previously given:

--------------------------------------------------

Quote:

1b.) If you regard the file to be clean, it can be placed in a sort of "whitelist" in the Immunet software:

Product->Settings->Protection Exclusions-> Add New Exclusion.

Here you must enter the path to the file, and the full path will be added as a new line to the list of exclusions. Note that to the right of the line is an (x)! If you change your mind and want the path to be scanned by Immunet again, it can be deleted by clicking on the (x) sign, and the path (line) will disappear from the list.

 

 

Remember to click on the "Apply" button, otherwise your settings will not be saved!

 

Unquote

 

--------------------------------------------------

Remember that this is a temporary solution only, so that Immunet cannot quarantine the file! But as Immunet wants to quarantine it, it is a sign that Immunet regards the file to be malicious! So, you should then try to send it to the Immunet Laboratory for analysis! (The link I have already given to you.) Temporary files can do as much harm as permanent files!

 

If you cannot manage it, you must PM Orlando or another Admin!

 

Good Luck,

sweidre

Hi WacoJohn,

The posts are coming in the wrong order now, I see! To be on the safe side, I think it is better that you let the file remain in the quarantine until Orlando or another Admin who is an expert in this can help you. As long as the file is in the quarantine, it cannot do any harm! Maybe we should not let it out of jail!

 

I hope you can wait until an expert in this can help you!

sweidre


Hi again,

Further down in this Forum you can see the category: "Emergencies". This category is for members who urgently need help! I advise you to post your problem there with a reference to this thread!

Cheers & Good Luck!

sweidre


Archived

This topic is now archived and is closed to further replies.
