
Trojan Sheur, Trendmicro, Avg


This topic is locked
5 replies to this topic

#1 abanerji
  • Members
  • 36 posts

Posted 16 September 2007 - 11:22 AM

First, my details :-

Windows version : XP-pro SP2 (patched, confirmed with Secunia site inspector)
AVG version and virus db version : 7.5.487 and 269.13.21/1010
Other antivirus software installed : nil
Other protection software installed : AVG anti-spyware 7.5, ZoneAlarm free 6.5.737.000, ProcessGuard free 3.405

I had bought a Western Digital external harddisc in Feb 2007, and it came with their software WDSync. I don't use the software; instead I backup my data files to this external HD using Explorer copy function. However, before starting to use the external HD, I had copied (not installed) the WDSync.exe file to my internal harddisc as a precaution. At that time, AVG did not find any issue with this WDSync file.

Today, I did an online scan from TrendMicro website, and TrendMicro informed that the only malware in my PC is a generic low-threat trojan, viz., avg75free_432a861.exe (which I had downloaded on 31st december 2006, before installing) ! Although TrendMicro wanted to clean it, I did not allow. I have kept a screenshot of TrendMicro's results page.

However, while TrendMicro was scanning, AVG suddenly popped up and gave the "trojan SHeur.NFD infected file (WDSync)" message. Interestingly, TrendMicro didn't find this file to be infected.

I have not yet been able to submit the file to jotti, since their server is continuously busy. However, I tried to upload at NormanSandbox and their server returned error (file could not be uploaded) ... this makes me even more suspicious.

At present, I have moved the file to vault.

Thanks.


#2 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,606 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 September 2007 - 02:49 PM

Try virustotal.com.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 abanerji
  • Topic Starter
  • Members
  • 36 posts

Posted 17 September 2007 - 05:34 AM

Thank you for the advice. I managed to get the file tested at virustotal (after stopping resident shield) ... the relevant parts are :-

File WDSync.exe received on 09.16.2007 23:22:40 (CET)
Current status: finished
Result: 2/32 (6.25%)

Antivirus Version Last Update Result
AVG 7.5.0.485 2007.09.16 -
Sunbelt 2.2.907.0 2007.09.15 VIPRE.Suspicious
Webwasher-Gateway 6.0.1 2007.09.16 Virus.Win32.FileInfector.gen (suspicious)

Additional information
File size: 4347904 bytes
MD5: d8a1b837f40c4f3e94518ee10509df66
SHA1: abef9d752fffeb2df0c7ebde5a6ac7383af51c32
packers: embedded
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics


I notice from the above results that their test included AVG 7.5.0.485, which gave negative. However, my AVG is a later 7.5.487.

I also tried testing at jotti, but the result was getting stuck at Panda. A-squared to Norman (including AVG) found nothing.

Meanwhile, AVG technical support has said : "Unfortunately, the previous virus database might have detected the mentioned virus on some legitimate applications. We can confirm that it was a false alarm. We have immediately released a new virus update that removes the false positive detection on this file. Please update your AVG and check your files again. This file is not detected by AVG with AVG Virus Database version 269.13.21/1012".
I shall do a complete sys-scan with the latest defs ... hopefully, all will come ok.

Could you please tell me why Sunbelt and Webwasher also suspected a virus - I am curious.
Finally, I shall be grateful if you could take a look at my HJT log ... please inform where to post.

Thanks again

#4 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,606 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 17 September 2007 - 09:25 AM

Could you please tell me why sunbelt and webwasher also suspected virus

Sunbelt said it was suspicious because it used a generic detection for potential threats that are deemed suspicious through heuristics. Webwasher apparently did the same. AVG also uses Heuristics.

Heuristic analysis is the ability of an anti-virus program to detect new viruses before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before it does any harm to your system. The technique involves inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus.

The disadvantage to using heuristics is that there is always a potential risk for a "False Positive" when the heuristic analysis flags a file as suspicious that contains no malware. Reducing the detection sensitivity will minimize the risk but then that increases the possibility for new malware to infect your system.

If you want to post a hijackthis log, please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. If you can't perform a step, then skip and continue with the next. In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Edited by quietman7, 17 September 2007 - 09:27 AM.

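The threshold-based heuristic that quietman7 describes above, as an added illustration that is not part of this thread or of any vendor's engine: a constructed rule set scores byte-level characteristics of a file (high entropy as a sign of packing, a common packer marker, an autorun registry string, missing version-info strings) and flags the file once the weighted total reaches a threshold. The sample "files" are constructed byte strings rather than real binaries, and the feature weights and the 7.0 entropy cut-off are assumptions chosen for the example. Run at several thresholds it shows the trade-off from the post: at a low threshold the legitimately packed utility becomes a false positive (as the packed WDSync did), while at a high one the malware-like sample is missed.

```python
import math
import random
from collections import Counter

# Constructed "virus-like characteristics" and weights; a real engine's rule set
# is proprietary and far larger. These four are illustrative only.
FEATURE_WEIGHTS = {
    "high_entropy": 3,     # compressed/encrypted body, typical of packed code
    "packer_marker": 2,    # "UPX!" section marker left by a common packer
    "autorun_string": 3,   # references a Run key used for persistence
    "no_version_info": 1,  # no VERSIONINFO strings such as "FileVersion"
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extract_features(data: bytes) -> set:
    """Inspect the bytes for each characteristic the rule set knows about."""
    found = set()
    if shannon_entropy(data) > 7.0:  # assumed cut-off for "looks packed"
        found.add("high_entropy")
    if b"UPX!" in data:
        found.add("packer_marker")
    if b"CurrentVersion\\Run" in data:
        found.add("autorun_string")
    if b"FileVersion" not in data:
        found.add("no_version_info")
    return found

def heuristic_score(data: bytes) -> int:
    return sum(FEATURE_WEIGHTS[f] for f in extract_features(data))  # weighted count

def verdict(data: bytes, threshold: int) -> str:
    """Flag the file once the weighted count reaches the threshold."""
    return "suspicious" if heuristic_score(data) >= threshold else "clean"

# Constructed samples, not real files. Seeded pseudo-random bytes stand in for
# a packed code section; the ASCII tails stand in for strings in the binary.
_PACKED = random.Random(1).randbytes(4096)
PLAIN_UTILITY = b"MZ" + b"An ordinary, unpacked program. " * 64 + b"FileVersion 1.0"
LEGIT_PACKED = b"MZ" + _PACKED + b"UPX!" + b"FileVersion 1.0"      # packed vendor tool
MALWARE_LIKE = b"MZ" + _PACKED + b"UPX!" + b"CurrentVersion\\Run"  # packed, persists, anonymous

if __name__ == "__main__":
    for threshold in (5, 6, 10):  # low: false positive on LEGIT_PACKED; high: MALWARE_LIKE missed
        print(threshold, verdict(PLAIN_UTILITY, threshold),
              verdict(LEGIT_PACKED, threshold), verdict(MALWARE_LIKE, threshold))
```

Lowering the threshold is the "increased sensitivity" the post mentions: it catches the malware-like sample sooner but also sweeps in the packed legitimate tool, which is why vendors resolve such reports with a definition update rather than by changing the file.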

#5 abanerji
  • Topic Starter
  • Members
  • 36 posts

Posted 18 September 2007 - 10:54 AM

Thank you for your detailed post. I have got my HJT log checked at another forum, and things seem fine. So, probably this topic may be closed now.

#6 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 50,606 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 September 2007 - 11:04 AM

Thanks for letting us know.

Please note that after posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

To avoid confusion, I am closing this topic. Good luck with your log.



