
Avg Found A Trojan


13 replies to this topic

#1 pbmac
  • Members
  • 25 posts
  • Location:Earth

Posted 22 October 2007 - 05:53 AM

Hi,
While surfing some news articles the other day, AVG came up and said it had detected a TrojanHorse BHO.BPY. It's located at:
c:\documents&settings\Guest\LocalSettings\TempInternetFiles\Content.IE5\P3BRZVNT\CNTE-oiduuyes[1].gif
When this happened, there was something in the background that I did not recognize; it looked like it was ripping through some files and said I needed to do something. That warning was not in an AVG box.
Anyways, AVG asked if I wanted to Heal and I said yes (bad move? should have sent to vault?). It said it did so successfully. Next, I closed the browser (IE7) and started a scan with AVG. It came up again in the location above, and deleted it. I rescanned and it was gone.
Is it really gone? All this has occurred on a non-Admin account, which is where we do all our net-facing activities. I have not switched to the Admin account yet, nor have I rebooted.
Please advise, obviously I'm new at this...
Thanks for your time.


#2 buddy215
  • BC Advisor
  • 12,590 posts
  • Gender:Male
  • Location:West Tennessee

Posted 22 October 2007 - 08:08 AM

Sounds like AVG did its job. If you would like to check further you could use the two free programs below.
It would be a good idea to clean up the computer as well.
Remove temporary files, logs, cookies, etc. by using Ccleaner. Do not use "Advanced Settings" or the "Issues" button. Use only the default settings. http://www.ccleaner.com/

Install Super Antispyware free. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

What you described sounds like a "driveby" attempt to infect your computer. Using Firefox with the NoScript addon is the best protection from "drivebys".

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 pbmac
  • Topic Starter
  • Members
  • 25 posts
  • Location:Earth

Posted 22 October 2007 - 08:39 AM

Thanks. I have Win XP SP2 and I use Ad-aware, Spy-Bot Search and Destroy and the AVG Pro, and ATF Cleaner. I will try your suggestions and I have a few more questions about all of this.
I mentioned I was on a non-Admin account when this happened. In the future, is it safe to log out of the non-Admin account and into the Admin account when I suspect something is wrong? I have most of my important apps on the Admin account, and would need to get there to do malware diagnostic work.
Also, what about System Restore? What I typically do every week is to update the above anti-malware apps, scan with each, then do a System Restore when they all come up clean. This has worked for me. What should I do with this incident? Are any traces of the drive-by still on my system? How can I tell?
Thanks for your help and time!!

#4 buddy215
  • BC Advisor
  • 12,590 posts
  • Gender:Male
  • Location:West Tennessee

Posted 22 October 2007 - 09:45 AM

What are you trying to accomplish by doing "regular system restores"? System restore should be used if there is a problem. You may actually be creating problems as you would be removing updates, program changes, etc. by reverting back to an earlier date.
The reason I suggested using the two programs and cleaning your computer was to make you feel more confident that the malware that AVG found and removed is no longer a threat.
Using a non-administrative account is an excellent way to keep a lot of malware from being able to install or make changes to your computer.
Of course, you do have to use the admin account to install programs in Windows.

Here is more info on using system restore.
http://www.bleepingcomputer.com/tutorials/windows-xp-system-restore-guide/

Edited by buddy215, 22 October 2007 - 09:50 AM.



#5 pbmac
  • Topic Starter
  • Members
  • 25 posts
  • Location:Earth

Posted 22 October 2007 - 11:46 AM

I apologize. What I meant to say was, I create a System Restore Point after all my scans come up clean. Thanks for your help. I will still try an online scan as well as SAS, I see many people use that. I appreciate your patience.

#6 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 50,560 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 October 2007 - 12:11 PM

QUOTE:"AVG asked if I wanted to Heal and I said yes (bad move? should have sent to vault?)..."

Understanding AVG7 Free Virus Vault

Whenever AVG Free Edition detects a virus, we recommend that you try to heal the infected object as the first option. When AVG Free Edition is unable to heal the virus (this may occur for any of many reasons, including the distortion of the original file by the virus), use the next alternative: move it to the AVG Virus Vault. The last option is to delete the infected object (which is often the virus itself)...


The AVG Free Edition Reference Guide explains more detail about the virus vault. The manual is also a good resource for explaining the Control Center, Settings, and other information.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#7 pbmac
  • Topic Starter
  • Members
  • 25 posts
  • Location:Earth

Posted 22 October 2007 - 01:26 PM

Thanks. I have another question pertaining to malware removal.
If I have a known good Restore Point, prior to when I came across this problem trojan, and I restore back to that good point, is there any possibility of any of the malware still being around?

#8 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 50,560 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 October 2007 - 01:49 PM

Yes, if you had a good restore point. Keep in mind that System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points. When you scan your system with anti-virus or anti-malware tools, you may receive an alert or notification that a virus was found in the System Volume Information folder (System Restore points) but the anti-virus software was unable to remove it. Since the System Volume Information folder is a protected directory, your tools cannot access it to delete these files and they sometimes can reinfect your system if you accidentally use an old restore point.

#9 buddy215
  • BC Advisor
  • 12,590 posts
  • Gender:Male
  • Location:West Tennessee

Posted 23 October 2007 - 06:34 AM

QUOTE:"If I have a known good Restore Point, prior to when I came across this problem trojan, if I restore back to that good point, is there any possibilty of any of the malware still being around?"

You can use system restore to remove some types and parts of malware. It depends on how the malware got on the computer and locations. For instance, if it is included in a music file you have downloaded, a system restore will not remove it from that file.
Keep in mind too, a lot of malware stops you from being able to perform a lot of functions including system restore.



#10 pbmac
  • Topic Starter
  • Members
  • 25 posts
  • Location:Earth

Posted 23 October 2007 - 08:06 AM

Thanks.
I logged into the Admin account and ran AVG Pro, which came up clean. Rebooted and ran it again and no trojan. Also ran Spy-bot Search and Destroy and Ad-Aware SE, both of which came up clean. The trojan is presently in the AVG Virus Vault. I'm trying to learn what happened here. My guess (with the help of the people that replied here): a file was downloaded (I did not download it, I only visited a site) and AVG detected it. Since I never clicked on it (is that all it takes?) to activate it, nothing happened, and it is simply a file that AVG now has in the vault? Are there other ways for trojans to be activated? How do I know I didn't do something wrong? I realize my usual scans (up to date) came up with nothing. Should I delete the trojan (and others there as well) from the vault? One other thing that's bugging me. I noticed in the virus vault trojans I had last year. One of them, Downloader.Agent.GJW, showed up on the same day I got the present one, only LAST year! Coincidence? Thanks for helping out here and bearing with me.

#11 buddy215
  • BC Advisor
  • 12,590 posts
  • Gender:Male
  • Location:West Tennessee

Posted 23 October 2007 - 08:50 AM

I suggested in my first post that you may have got infected by a "driveby". All it takes is to visit a bad site or a compromised site. See info in link below.
http://www.usenix.org/events/hotbots07/tec...ovos/provos.pdf

It is very important that you keep all programs and Windows updated to help prevent this.

Yes, permanently delete all of the quarantined items.

Secunia will scan your computer and tell you which programs need updating and help you do that.
http://secunia.com/software_inspector/

By the way, did you ever do a scan with Super Antispyware? If not, I suggest you do that since you have reason to believe that one of the malwares showed up again.

If you are allowed, I would suggest again to install the Firefox browser with the NoScript addon. Use it when visiting sites on the web and it will protect you from drivebys. You don't have to set as your default browser.

Edited by buddy215, 23 October 2007 - 09:03 AM.



#12 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 50,560 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 October 2007 - 08:52 AM

QUOTE:"Should I delete the trojan (and others there as well) from the vault?"

Yes. When a program quarantines a file or moves it into a virus vault (chest), that file is safely held there (and no longer a threat) until you take action to delete it. One reason for doing this is to prevent deletion of an essential file that may have been flagged as a "False Positive". If that is the case, then you can restore the file. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the file in the vault is known to be bad, you can delete it at any time.

You're asking how you got infected, so read "How did I get infected?, With steps so it does not happen again!".

Also read:
"Simple and easy ways to keep your computer safe".
"The Ten Most Dangerous Things Users Do Online".
"The 10 Biggest Security Risks".
"Hardening Windows Security - Part 1" and "Hardening Windows Security - Part 2"

#13 pbmac
  • Topic Starter
  • Members
  • 25 posts
  • Location:Earth

Posted 23 October 2007 - 02:35 PM

Ran SAS in Safe Mode as buddy215 instructed, and it only found a few tracking cookies. Should I continue to use SAS with the other three anti-malware apps I presently use? Since the trojan was only detected, not activated, is there any need to flush the System Restore Points? Thanks again for your time and patience.

#14 quietman7
  • Bleepin' Janitor
  • Global Moderator
  • 50,560 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 October 2007 - 02:44 PM

I recommend you keep SAS and use it as a stand-alone scanner. There's no need to run it at startup unless you're going to upgrade to the paid version. IMO SAS is more effective than Spybot and Ad-aware.

If you have no more malware issues you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recent Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

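The create-then-purge procedure quietman7 describes (new restore point first, then Cleanmgr's "More Options > System Restore > Clean Up" to drop every older one), as an added PowerShell example that is not quietman7's or BleepingComputer's code and not the XP-era Cleanmgr route itself. It assumes Windows Vista or later, where restore points are Volume Shadow Copies exposed through the Win32_ShadowCopy WMI class and the Checkpoint-Computer, Enable-ComputerRestore and Get-ComputerRestorePoint cmdlets exist; it must run elevated. The drive letter, description text and the -PurgeOld switch are my own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): create a fresh restore point,
# log the full list so the good one can be found later, and optionally remove
# every older restore point, mirroring the post's Cleanmgr "Clean Up" step.
# Assumes Windows Vista or later (restore points = Volume Shadow Copies).

param(
    [string]$SystemDrive = "C:\",                            # assumed system drive
    [string]$Description = "Clean state after malware scans", # assumed label
    [switch]$PurgeOld   # without this switch the script only reports what it would remove
)

function ConvertFrom-CimDate([string]$wmiDate) {
    # WMI returns dates as 'yyyyMMddHHmmss.ffffff+zzz'; turn that into a DateTime.
    return [System.Management.ManagementDateTimeConverter]::ToDateTime($wmiDate)
}

# 1. Make sure System Restore is switched on for the system drive.
Enable-ComputerRestore -Drive $SystemDrive

# 2. Create the new restore point. MODIFY_SETTINGS is the generic type.
#    Windows 8 and later allow only one point per 24 hours; a second attempt
#    inside that window is skipped with a warning, not an error.
Checkpoint-Computer -Description $Description -RestorePointType "MODIFY_SETTINGS"

# 3. Log every restore point, newest first. The post recommends keeping a note
#    of the new point's name and timestamp; this prints exactly that.
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber -Descending |
    ForEach-Object {
        "{0,4}  {1:yyyy-MM-dd HH:mm}  {2}" -f $_.SequenceNumber,
            (ConvertFrom-CimDate $_.CreationTime), $_.Description
    }

# 4. Every shadow copy except the newest (which backs the point just created)
#    is a candidate for removal. Note that Win32_ShadowCopy also lists shadow
#    copies made by backup software, and deleting them discards the
#    "Previous Versions" history they hold, so the purge is opt-in.
$older = Get-WmiObject -Class Win32_ShadowCopy |
    Sort-Object { ConvertFrom-CimDate $_.InstallDate } -Descending |
    Select-Object -Skip 1

foreach ($shadow in $older) {
    $stamp = ConvertFrom-CimDate $shadow.InstallDate
    if ($PurgeOld) {
        $shadow.Delete()      # WMI instance method; removes that shadow copy
        "Deleted shadow copy from $stamp"
    } else {
        "Would delete shadow copy from $stamp (re-run with -PurgeOld to do so)"
    }
}
```

Run it once without -PurgeOld to confirm the new point appears at the top of the list and the older entries are the ones you expect to lose; then run it with -PurgeOld. On Windows XP, which this thread is about, there is no PowerShell System Restore cmdlet, so the Start > Run > Cleanmgr steps in the post remain the way to do it there.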



