Expert: Brian Benosky - 3/7/2009

Question
QUESTION: Hi

I have tried several times to download "Vombato online grammar checker", and then to install it. Each time, my Rising Anti-virus signals Trojan and cleans the infected file (which is the .exe file). After that, I can't use Grammar checker of course.

This is the download location:

http://www.vombato.com/grammarchecker.html

Then I checked this site, which reported that only Rising Anti-virus (out of 35 other anti-virus software) signalled Trojan. That is, the other 35 anti-virus software did not signalled anything. Therefore, I wonder if it is false alarm or not? Is it safe or not to download and install Vombato online grammar checker, and ignore Rising's alarm?

http://www.download3000.com/online-grammar-checker-virus-report-20474.html

("We have tested OnLine Grammar Checker on VirusTotal. Bellow you can see the scan report")

Only for Rising Anti-virus (which is what I use on my computer...) signalled Trojan for Online grammar checker.
The 35 other anti-virus did not signal anything.

What does it mean, should I not clean the file when Rising alarms me? Is it totally safe to not clean?

Sincerely,

Fredrik

ANSWER: Hi Fredrik

Yes, the Vombato file is totally safe to run.  I had never heard of the trojan Rising reported on VirusTotal, Trojan.PSW.Win32.Mmosteal.a, so I did some checking.  It is exclusive to Rising, and they do not offer any information on their website about this (or any) virus definition.  I cannot say what it is finding to be suspicious in the file, but I have downloaded it and sent it through several virus checkers.  Panda marks it as a "Suspicious File", and Rising, of course, calls it a trojan.  I believe that because GrammarChecker constantly uploads what you are typing to check it against Google or Yahoo databases, the activity is marked as suspicious.  But since you are aware of this going in, and it is activity that you allow, it is safe to use.  Here's my VirusTotal check:
http://www.virustotal.com/analisis/e8a7037a090426174463a77c3747214c
Hope that helps.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi again, I had to switch off Rising before I could run Grammar checker. But the software didn't work properly. And after a while, my cursor was hijacked, something else moved it. Do you think it was a Trojan after all, or was it because I switched off Rising for a while so that other viruses could enter my system?

Anyway, does the fact that something took control over my cursor have anything to do with a Trojan? Or is cursor-related issues related to other types of viruses?

Sincerely,

Fredrik

ANSWER: Hi Fredrik

Do a malware scan and send me the logs so we can determine what is going on here.   Please follow my instructions below:

Restart the computer in Safe Mode by continuously tapping the F8 key on boot until a black screen with a menu appears.  Choose to Start Windows in Safe Mode with Networking.  Log on as usual.  

Please download Malwarebytes' Anti-Malware to your desktop from here:

http://www.besttechie.net/tools/mbam-setup.exe

Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to
o Update Malwarebytes' Anti-Malware
* then click Finish.
* If an update is found, it will download and install the latest version.
*Run a Full Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.  Save that log and reboot normally.

Download and install HijackThis:

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Make sure you close EVERY open window and ALL browser windows. The only thing that should be open is the HijackThis program.
Double-click on the file you just downloaded.
Click on the "Install" button.
Upon install, HijackThis should open for you.
Should it not open, go to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe
Choose 'Do a system scan and save a log file'.
Copy the text file which opens in Notepad and paste it in your follow-up, along with the Malwarebytes log.
* Do not fix any entries in HijackThis, as they may be harmless.

Brian

---------- FOLLOW-UP ----------

QUESTION: Brian,

I will do as you suggested. Just a few questions before I proceed:

1. I have a 250 GB internal HDD on my laptop, and several external drives, total is about 750 GB. Will I have to go through all of them? How long would it take?
2. After I had reinstalled my Windows by running Ghost, on one or two occasions, the same thing happened again: my cursor moved by itself, even now after the Windows XP was just installed. I suspect that it might have something to do with my download and installing this software:

www.loqu8.com

It is a Chinese cursor translator. After I installed this, I got this problem with cursor moving by itself. Do you think this could be the reason why the cursor moves by itself?

Answer
Hi Fredrik

The scan can take anywhere from a half-hour to over two hours.  I would scan everything just to be certain.  Your drives may total 1 terabyte usable space, but it all depends on your processor speed and the actual amount of data on those drives.
If your problems started after installing Loqu8, than I would say the cursor movement may be directly related to the program.  If you uninstall the program, does the problem go away?  From what I have read, it uses some sort of mouse-over cursor translation, so I'm sure the program is closely associated with the cursor in Windows registry.  
One thing I would suggest you do is try another mouse.  I have found that jumping mice are often caused by a bad connection from the computer to the mouse.  A different mouse often solves the problem.

Brian