BleepingComputer.com: Trojan Horse and of worries worm infection

Ok, so I was running a routine scan with AVG and it picked up a "Trojan Horse Generic3_c.BLNJ" in "D:\i386\apps\app28194\warranty.exe". Also noted that another "Trojan Horse Generic3_c.BLNJ" appeared in a scan yesterday, but it appeared in my system restore files.

I'm a tad surprised that this computer has a trojan on it. I've made sure to be extremely careful with my browsing lately, as well as only ever making exceptions for NoScript on shopping and well known TV Network sites like Amazon, ebay, NBC, HULU, that sort of thing. I guess there's a chance it could be old, but that makes me feel even more dissapointed in Mbam and eset (the two programs I typically use to scan when AVG doesn't work) that they didn't pick it up first. So yeah I've scanned with eset and Mbam and they got nothing.

On a side note I was worried about SYSTEM, a program on my task manager. I feel as though I recognize it as if it's always been there, though it using more CPU than I remember it doing, so I looked it up on your startup list and it came back as mostly bad. I've checked each of my computers and have found it on all of them, but it only takes up CPU on the old XP computers.

Whenever I find something on one of my computers it always makes me nervous that some of it could've been left behind, so any advice would be appreciated. And please reply as quick as you can, I'll be busy on Thursday and possibly the rest of the weekend after that.

• List of common system processes found in Task Manager
  
• Common system processes found in Task Manager
  
• How To Determine what Services are running in Windows XP

System Idle process is used for measuring how much idle time the CPU is having at any particular time (100% minus the sum of all tasks CPU usage). It accounts for processor time when the system is not processing other threads and will display how much CPU resources, as a percentage are 'idle' and available for use. One instance of this process operates per CPU, and runs to occupy the processor when other threads are not running. System Idle process also issues HLT commands which put unused parts of the CPU into a suspend mode, thereby cooling the processor. Normally this process should take up at least 90%+ of processor time on average (this is the value in the CPU column). In non-technical terms, this figure represents how much CPU time has not been requested by anything else on your system.

System is a process in NT "kernel mode" that contains most of the system threads and handles various basic system functions. When Windows loads, the Windows kernel starts and runs in kernel mode to set up paging and virtual memory. It then creates some system processes and allows them to run in "user mode" but restricts their access to critical areas of the operation system. The User mode processes must request use of the kernel by means of a system call in order to perform privileged operations on their behalf. Kernel mode has full access to system resources and controls scheduling, thread prioritization, interrupt handlers, memory management and the interaction with hardware. The system process cannot be terminated. For more detailed information, please refer to:

• User Mode vs Kernel Mode
  
• Architecture of Windows NT
  
• Understanding System Call Execution

Thanks man. I was pretty sure about it, but the infection had me a tad nervous. So just wondering, but any idea what this particular Trojan does?

Also i386 is supposed to a part of Windows XP's backup files or something right?

Edit/Off Topic: I was unaware of the different rules in regards to quoting on these boards. I'll try not to let it happen again.

This post has been edited by VicVegas: 31 March 2011 - 02:53 AM

The C:\i386 folder contains a copy of your Windows installation files so it holds the files used to install, repair, modify, update and rebuild Windows. These files are also located on your Windows installation CD if you have one. Although the folder takes up space, you should not delete anything located there if space is not a factor. There are times when you will be prompted for your CD or I386 folder to search for files. Having them on the hard disk makes it easy to access those files without having to insert the installation CD. The convenience of having that folder readily available if needed outweighs the need to remove it. Malware can hide anywhere, even in this folder.

A Trojan Horse is a destructive stand-alone application that masquerades as a benign program and hides "malicious code" within the original source code in such a way that it can gain control and do its chosen form of damage. This malicious code is a process or function specifically added by the Trojan's programmer that performs an activity the user is unaware of. Trojans are executable programs (.exe, .vbs, .com, .bat, etc) which means that when you open the file, they will perform some action.

• What is a Backdoor Trojan
  
• The Difference Between a Virus, Worm, Trojan Horse and Blended Threats
  
• What is the difference between viruses, worms, and Trojans?
  
• Trojan FAQs: Common Trojans and how they work
  
• Sophos Threatsaurus: the a-z of computer and data security threats

Each security vendor uses their own naming conventions to identify various types of malware. Names with Generic or Patched are a very broad category. See Understanding virus names.

Generic detections are usually a heuristics engine detection of possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop if before doing any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus.

Submitting file samples to the vendor for further analysis allows the lab techs to quickly investigate and confirm if the detection is actually malware. Some security programs have built-in options for submitting a file directly from the quarantined area to the vendor's lab for analysis. Most user guides will explain how to do that. Other anti-virus solutions automatically submit files or provide an alert to do so if you have checked the option to "Submit for analysis in the program's settings. If those options are unavailable, you can also look for documentation on the vendor's web site on how to submit file samples.

This post has been edited by quietman7: 30 March 2011 - 06:49 PM

Hmmn so it's possible it's a false positive? Well I'll let AVG analyze it, though as inept as those doofs are I doubt they'll accomplish anything. Any way I can send it from their quarantine to Virus Total? Or would I have to restore it?

Edit: Ok, ok. They e-mailed me back and said it was a false positive on both accounts.

Quote

AVG also restored those files after the update. I don't even know what they do. I tried searching for them, but those locations don't seem to actually exist or are otherwise inaccessible to users.

BTW I've been thinking about changing my AV. Is a combination of Comodo Firewall Free with Avira Antivirus Free as good as having a single full program? Just asking opinions.

This post has been edited by VicVegas: 31 March 2011 - 02:59 AM

I have been disappointed with AVG ever since they made a decision in April 2010 to partner with LimeWire and promote the use of peer-to-peer (P2P) file sharing, a security risk which can make your system susceptible to a smörgåsbord of malware infections, remote attacks, and exposure of personal information.

NOTE: With the release of AVG 2011, there have been numerous complaints about issues and conflicts with other security tools like Malwarebytes' Anti-Malware. Unlike previous versions, AVG 2011 cannot be effectively disabled to prevent it from interfering with other security tools...after restarting the computer, AVG re-enables all protections. Read these related discussions:

• AVG 2011 Free vs. Malwarebytes
  
• AVG 2011 Resident Shield - File Exclude List Feature Removed
  
• AVG False Positive against Malwarebytes' Anti-Malware

There have been reports of issues with the computer starting properly on 64-bit Windows sytems for which AVG has had to release these fix instructions.

There have also been reported problems with computers after using new features like PC Analyzer and PC Tuneup which purport to fix registry errors in order to make the system more stable and various optimizing tools which can make changes to system settings.

I do not recommend the routine use of registry cleaners/optimizers as they are extremely powerful applications that can damage the Windows registry by using aggressive cleaning routines and cause your computer to become unbootable. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from booting properly. For routine use, the benefits to your computer are negligible while the potential risks are great.

Even MajorGeeks, a popular download hosting site, has issued a Statement on AVG Free 2011 and has removed its Editor's Pick listing.

For these reasons, I no longer recommend AVG as a free alternative.

My personal choice is NOD32 Anti-Virus if choosing a paid for program as it leaves a small foortprint or one of the following if choosing a free alternative.

• avast! Free Antivirus
  
• Microsoft Security Essentials
  
• Avira AntiVir Personal - Free Antivirus

I'm not an advocate of suites. All-in-one tools and suites generally use more system resources than separate programs that do the same task. They tend to have varying degrees of strengths and weaknesses for each feature. In contrast, separate tools are designed, built and maintained with a greater focus in a specific area so they are generally of better quality and more effective at what they are designed to do. This means the program's performance for that particular feature is usually superior than their all-in-one counterpart. Further, all-in-one tools generally do not allow the user as much flexibility in tailoring default settings and usage.

Well right now I'm using the paid version of AVG. So your saying that having separate free tools like (as I said) Comodo's free firewall (the best firewall available from what some have told me) combined with the free version of Avira (an Antivirus you just recommended) would be better than most paid subscription antivirus programs?

Also thanks for the heads up on the P2P thing. Since I learned a while back what they actually are and what they do I know that I should stay away. AVG sucks, I wish I'd known about these other programs before I signed up for another year. Kaspersky I've heard is decent in the past, but I'm using their paid product on another computer and have been seriously ticked off over how much system resource it eats.

I've spent 40-70 dollars every year trying new programs, then this year I dropp nearly a hundred bucks on this junk and now it's sound like I'd be safer to run free programs. Crazy world we live in.

As I said, I no longer recommend AVG for the reasons already cited and I prefer using separate products, not suites for a variety of reasons. With that said, AVG's effectiveness as an anti-virus solution is about the same as the free alternatives so I'm not saying it is not a good product.

Since you have already paid for a license, whether you should continue using AVG is a decision you have to make. I cannot make it for you...but can provide my opinion and recommend alternatives if you want something else.

Once the license ends, or when I get fed up with it, I'll be changing to something else. I hate the thing, I'm only using it because I paid for it. And I only paid for it because I was scattering to figure out what to AV use when my last license ended. The only advantages to even having a suite is the live tech support, and you usually get outsourced to some foreign country where no one knows what they're doing and you can barely comprehend their accent.

I understand, you probably would rather not be held accountable for any choices I make with my Antivirus or something.
Whatever the case I'll make it simple. What program do you use?

I currently use Free Comodo Firewall on two of my other computers and I'm pretty pleased with the "block anything we don't recognize" approach it takes, though I can't really control when it updates itself. Avira Free seems like a good AV that has limited impact, some of it's heuristics guards are almost as good as having a firewall, though I'm not fond of it bugging me to download the full version all the time. And having both of them running at once certainly has less impact on my system than than the AVG suite.

Also is there anything else I should think of apart from firewalls and AVs to keep me computers safe?

Edit: Ok I apologize, I should leave questions like this for elsewhere. The original problem was resolved (in fact, there was no actual problem apparently) so I should stop posting in here.

Sorry again.

This post has been edited by VicVegas: 31 March 2011 - 06:41 PM

No need to apologize.

Quote

See Post #6...My personal choice is NOD32 Anti-Virus.