
Avg Detected Fujacks Virus On My Laptop



#1 peter79

Posted 24 February 2008 - 08:31 AM

hi there,

I noticed my laptop getting extremely sluggish a few days ago and then my AVG Free anti-virus detected the fujacks virus. I have some questions that hopefully you can help me with.

AVG initially found 36 infected files, which were all .htm files hiding in Photoshop folders. AVG was unable to heal these files so I moved them to the AVG Virus Vault. However, only 32 files were moved into the vault.
- Could this mean that 4 infected files hid themselves again immediately after they were found?

Following the instructions on this site, I have now scanned my laptop again with AVG Antivirus, SUPERAntiSpyware, Spybot, Ad-Aware, HouseCall and Stinger, and none of these detect any problem. The only things that show up in the scan are some old infected files that AVG previously found and healed months ago.
- Are the fujacks files in the AVG Virus Vault no longer a problem?

The only firewall I was using at the time was Windows, so I have since installed ZoneAlarm. Also, my wifi network connection does not have any security enabled, and I'm thinking this may have been the initial cause of the problem. I usually use an external hard drive too, but I haven't plugged it in since fujacks was detected.
- Could fujacks have spread to this external HD too?

If it helps, I can post a HijackThis log in the relevant forum as well.

I'd really appreciate it if you could help me out with this! Thanks very much - Peter


#2 quietman7 (Global Moderator)

Posted 24 February 2008 - 08:59 AM

When an anti-virus quarantines a file by moving it into a virus vault (chest), that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "false positive". If that is the case, then you can restore the file and add it to the exclusion or ignore list. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be bad, you can delete it at any time.

"Understanding AVG7 Free Virus Vault"
"AVG FAQ #647: I have some files in the AVG Virus Vault. What next?"

After deletion of the files, perform a full system scan with your anti-virus and SAS in "Safe Mode".
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 peter79 (Topic Starter)

Posted 24 February 2008 - 10:33 PM

Hi quietman7,

Thanks very much for your reply. The links have been very helpful. I feel it will be safe to delete these files from the vault. I have 2 more questions I hope you can assist with:

1. What about the files that AVG first detected but did not move to the vault? These are no longer in the Photoshop folders but are also not in the vault. What could have happened to them?

If it's useful, these filenames are:
C:\Program Files\Adobe\Adobe Photoshop CS2\Presets\Web Photo Gallery\Dotted Border - White on Black\Caption.htm
C:\Program Files\Adobe\Adobe Photoshop CS2\Presets\Web Photo Gallery\Flash - Gallery 1\Caption.htm
C:\Program Files\Adobe\Adobe Photoshop CS2\Presets\Web Photo Gallery\Flash - Gallery 2\Thumbnail.htm
C:\Program Files\Adobe\Adobe Photoshop CS2\Presets\Web Photo Gallery\Gray Thumbnails\Thumbnail.htm
C:\Program Files\Adobe\Adobe Photoshop CS2\Presets\Web Photo Gallery\Horizontal Gray\Caption.htm

I have read that fujacks can make changes to the registry, such as adding the following entries (these have not been added to my registry):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\bleepjacks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svohost
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"ati3evx.exe" = "C:\WINDOWS\ati3evx.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"ati3evx.exe" = "C:\WINDOWS\ati3evx.exe"

2. Are there any other fujacks registry edits I should check for?

3. I scanned the registry with Piriform CCleaner and it detects many issues that can be fixed. Should I allow CCleaner to automatically fix these or should I post a HiJackThis to get more advice?

Thanks very much for your help.

Regards, Peter

#4 quietman7 (Global Moderator)

Posted 24 February 2008 - 11:06 PM

Registry cleaners are extremely powerful applications. There are a number of them available and some are more safe than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.

The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system unbootable.

The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results". Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly can have disastrous effects on your operating system such as preventing it from ever starting again. For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

Those entries you read about are startup entries to load the malware when Windows boots. If you did not find any when you checked, that's good so I would not be concerned.

Did you rescan with AVG to see if it still detects those files it could not remove? AVG uses heuristic detection, which incorporates the ability of an anti-virus program to detect new viruses before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before it does any harm to your system. The technique involves inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus.

The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. With heuristics, there is always a potential risk for a "False Positive" when the heuristic analysis flags a file as suspicious or infected that contains no malware. Reducing the detection sensitivity will minimize the risk but then that increases the possibility for new malware to infect your system.

If they show again in your next scan, follow these instructions.

If you suspect a file to be a false positive, test the file at [virusscan.jotti.org] and if it is a false positive, archive (zip, arc, tar etc.) the file using a password and email a copy to virus@grisoft.com with a brief description as well as the password you used to archive it with.

If it is a false positive, turn off heuristic scanning for the time being. When Grisoft adjusts the virus definitions you can turn it back on. If turning off heuristics still doesn't allow access to the file while testing and emailing... disable the resident shield temporarily.

forum.grisoft: instructions for suspected FP's
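A defender-side check for the items peter79 listed in post #3, added here as an example (not code from the thread, AVG or any of the tools mentioned): it walks the three Run locations and the five Photoshop .htm paths quoted there and flags any autorun value whose name or command matches the ones quoted. It assumes it is run in PowerShell on the affected machine; `bleepjacks`, `svohost`, `ati3evx.exe` and the file paths are taken verbatim from the post, nothing else about the infection is assumed.

```powershell
# Added example, not from the thread. Names and paths below are the ones
# peter79 quoted in post #3; nothing else is assumed about the infection.
$SuspectValueNames = @('bleepjacks', 'svohost', 'ati3evx.exe')
$SuspectCommand    = 'C:\WINDOWS\ati3evx.exe'
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$PresetRoot = 'C:\Program Files\Adobe\Adobe Photoshop CS2\Presets\Web Photo Gallery'
$ListedFiles = @(
    "$PresetRoot\Dotted Border - White on Black\Caption.htm",
    "$PresetRoot\Flash - Gallery 1\Caption.htm",
    "$PresetRoot\Flash - Gallery 2\Thumbnail.htm",
    "$PresetRoot\Gray Thumbnails\Thumbnail.htm",
    "$PresetRoot\Horizontal Gray\Caption.htm"
)

# Walk every value in the autorun keys; mark those matching the quoted names/command.
function Get-AutorunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' }   # drop provider metadata
        foreach ($p in $props) {
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = [string]$p.Value
                Suspect = ($SuspectValueNames -contains $p.Name) -or
                          ([string]$p.Value -like "*$SuspectCommand*")
            }
        }
    }
}

# Report whether each listed .htm file is still present and when it last changed.
function Get-ListedFileState {
    foreach ($f in $ListedFiles) {
        $info = Get-Item -LiteralPath $f -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path          = $f
            Exists        = [bool]$info
            LastWriteTime = $(if ($info) { $info.LastWriteTime })
        }
    }
}

Get-AutorunEntry    | Sort-Object Suspect -Descending | Format-Table -AutoSize
Get-ListedFileState | Format-Table -AutoSize
```

A value that is present but not flagged still deserves a look if its command points somewhere unusual; the Suspect column only covers the names quoted in this thread.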

#5 peter79 (Topic Starter)

Posted 25 February 2008 - 05:47 AM

Hi quietman7,

Thanks again for your informative reply. I really appreciate it.

I'll leave the registry as it is for the time being so. As they say, if it ain't broke don't fix it :thumbsup:

Also, I deselected "Use Heuristic Analysis" in AVG's Resident Shield properties, and I rescanned. I guess this allowed me to scan using signature-based detection, but AVG still didn't pick up those extra files that it found the first time. Since I can't find those files, I can't check if they are false positives. Is it safe to assume that wherever those files are, they are out of harm's way now?

Thanks - Peter
