
Trojan Horse Psw.generic6.abbk


21 replies to this topic

#1 Erishala

Erishala

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:52 PM

Posted 11 September 2008 - 03:47 AM

Hi all,

Tonight I was using my PC when I got bumped out onto a warning window saying that AVG 8.0 (free) had detected this Trojan Horse PSW.Generic6.ABBK in the program folder "PCFriendly".

I moved it into the Virus Vault as AVG suggested straight away and then scanned my computer with AVG and Spybot Search & Destroy.

Spybot came up with 0 warnings, etc.
AVG came up with a handful of "warning/potentially dangerous" cookies but no mention of the Trojan horse again.

I have tried searching all over for information about this trojan/PC Friendly and haven't really found anything of use.

Is it a serious thing I should be worried about or is it just AVG playing up/overreacting? I guess it's important to note this PCFriendly stuff has been on my computer since January 2008.

What is this Trojan eg is it a keylogger type thing? Should I be changing my passwords etc on another system (in particular my WoW password as I don't want to lose my account to a nasty keylogger)?

I'm running Windows XP, Firefox (with NoScript add-on), Spybot Search & Destroy and AVG 8.0

Please help I'm quite worried :thumbsup:

Thanks in advance.

Edit: I should probably mention I wasn't running a scan at the time and AVG brought it up on its own.

Edited by Erishala, 11 September 2008 - 07:11 AM.




#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:52 PM

Posted 11 September 2008 - 06:33 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 Erishala

Erishala
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:52 PM

Posted 11 September 2008 - 05:22 PM

I'm at work right now so can't do any of this until I get home...

However is it something anyone has heard of?

I tried Googling and came up with a very small handful of results.

My boyfriend seems to think it was just AVG being over-zealous and perhaps panicking about something that was just trying to update itself, etc.

I never install anything without scanning it with AVG and Spybot, I never browse websites unless it's through Firefox and NoScript (and I never allow ANYthing through NoScript unless it's something I know is safe - like an official banking site or something). Don't click email links, don't download songs, I never do anything, at all, that's risky. :thumbsup:

And the fact is the program has been on my computer since January. Apparently it's a Microsoft program as well.

My computer didn't behave strangely last night - everything was running fine and I had all my usual programs going (Firefox, World of Warcraft, etc). No crashes and no results came up from either AVG or Spybot - Spybot had the "Congratulations! You are free of warnings!" etc. Even AVG didn't bring it up again :flowers:.

#4 Galadriel

Galadriel

    Bleepin Elf


  • Malware Response Team
  • 2,753 posts
  • OFFLINE
  • Gender:Female
  • Location:Missouri, USA
  • Local time:11:52 AM

Posted 11 September 2008 - 05:33 PM

Not to hijack this topic, but what file was flagged exactly? File name and path if possible.

Based on the name alone, I'd say it's likely a false positive. Gotta love those generic heuristics names..... Without the exact file name and path that AVG flagged, it's hard to tell.
I cemna prestar aen. Han mathon ne nen. Han mathon ne chae. A han noston ne 'wilith. - Galadriel
'The avatar is changed; I can feel it in the water, I can feel it in the earth, I can smell it in the air.'

Phear teh ceiling cat, for he is roofkittehd! - Basement Cat

I'm a Bleeping Folder, are you? - Join BC in the fight against diseases - Click here
Become a BleepingComputer fan: Facebook

#5 Erishala

Erishala
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:52 PM

Posted 11 September 2008 - 05:37 PM

Hi there,

It was PCFriendly... I'm trying to find the exact name of the .exe, but it was something like "inuninist.exe"

So it was just C:\program files\PCFriendly\inuninst.exe

As I said, my boyfriend said it's nothing to worry about, but I just want my clean computer back :thumbsup:. What do you mean by false positive btw?

edit: This would be it here: "PCFriendly --> C:\Program Files\PCFriendly\inuninst.exe"

Edited by Erishala, 11 September 2008 - 05:38 PM.


#6 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:52 PM

Posted 11 September 2008 - 05:40 PM

Psw.generic6.(Insert extension here) seems to be a family of trojans. I did not find the exact match for your infection so I suspect a new variant. Prevx gives light details on PSW.Generic6.EKD, and McAfee describes Generic PWS.y!F6660367.

I still recommend running Malwarebytes, if nothing else for peace of mind.



#7 Galadriel

Galadriel

    Bleepin Elf


  • Malware Response Team
  • 2,753 posts
  • OFFLINE
  • Gender:Female
  • Location:Missouri, USA
  • Local time:11:52 AM

Posted 11 September 2008 - 05:41 PM

Hi there,

It was PCFriendly... I'm trying to find the exact name of the .exe, but it was something like "inuninist.exe"

So it was just C:\program files\PCFriendly\inuninst.exe


Indeed. False Positive it smells, false positive it is.

What do you mean by false positive btw?


False Positive Definition

The term false positive is also used when antivirus software wrongly classifies an innocuous file as a virus. The incorrect detection may be due to heuristics or to an incorrect virus signature in a database. Similar problems can occur with antitrojan or antispyware software.


Edit - Sorry rigel. Didn't mean to hijack the thread... goes back to corner.

Edited by Galadriel, 11 September 2008 - 05:42 PM.


#8 Erishala

Erishala
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:52 PM

Posted 11 September 2008 - 05:45 PM

Psw.generic6.(Insert extension here) seems to be a family of trojans. I did not find the exact match for your infection so I suspect a new variant. Prevx gives light details on PSW.Generic6.EKD, and McAfee describes Generic PWS.y!F6660367.

I still recommend running Malwarebytes, if nothing else for peace of mind.


Okay, so you disagree that it's a "false positive"?

I'll try this Malwarebytes when I get home - I'm just paranoid about .exes even more so now!

Does it seem odd that it just suddenly 'appeared' when it has existed since January?

And you may not know this... But does it have "keylogger" properties?

#9 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:01:52 PM

Posted 11 September 2008 - 05:49 PM

Edit - Sorry rigel. Didn't mean to hijack the thread... goes back to corner.


No... Galadriel, First we are a team here. Second, your experience is far greater than mine. I was responding - just slower - when you responded. All is well :thumbsup:



#10 Erishala

Erishala
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:52 PM

Posted 11 September 2008 - 05:50 PM

Just wanted to say thanks for your help so far and sorry for the (probably very frustrating!) questions. I really know nothing about any of this and at present all I really know is sheer panic :thumbsup:.

#11 Galadriel

Galadriel

    Bleepin Elf


  • Malware Response Team
  • 2,753 posts
  • OFFLINE
  • Gender:Female
  • Location:Missouri, USA
  • Local time:11:52 AM

Posted 11 September 2008 - 06:00 PM

No... Galadriel, First we are a team here. Second, your experience is far greater than mine. I was responding - just slower - when you responded. All is well :thumbsup:


Thank you. And what a team it is. :trumpet:

Just wanted to say thanks for your help so far and sorry for the (probably very frustrating!) questions. I really know nothing about any of this and at present all I really know is sheer panic :flowers:.


We do understand the panic Erishala. It is normal to be concerned with such doomy sounding alerts and you did the right thing to ask. A few scans can't hurt. If the other scans don't show any problems, then it very likely is a false positive. You can also try uploading the file to virustotal or Jotti for another opinion.

That will give you a broader range of opinions on the file. If you're still unsure you can post back here and we'll help you sort it out.

#12 Erishala

Erishala
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:52 PM

Posted 11 September 2008 - 06:18 PM

Thanks for all your replies everyone :thumbsup:.

For the time being I'll assume I'm safe while at work, and when I get home I'll run all the things suggested and post the results here.
One last question I would like to ask... Should I uninstall this PCFriendly altogether? I was told that sometimes uninstalling/deleting files can 'launch' the virus/trojan so to speak and can be dangerous.

I don't use the PCFriendly program. I think it got installed several months ago when I was watching a DVD. Additionally, should I empty my Virus Vault or leave this file in there?

#13 Galadriel

Galadriel

    Bleepin Elf


  • Malware Response Team
  • 2,753 posts
  • OFFLINE
  • Gender:Female
  • Location:Missouri, USA
  • Local time:11:52 AM

Posted 11 September 2008 - 06:32 PM

One last question I would like to ask... Should I uninstall this PCFriendly altogether? I was told that sometimes uninstalling/deleting files can 'launch' the virus/trojan so to speak and can be dangerous.


In this case the program is not necessarily dangerous. Based on the info you provided so far, I highly doubt the detection to be accurate. I still believe you're dealing with a false positive. PCFriendly is a legitimate application and the file flagged seems to be its uninstaller package. Those are often tagged because of the compression/packers they use. It will most likely be fixed with a definition update at a later time.

I don't use the PCFriendly program. I think it got installed several months ago when I was watching a DVD. Additionally, should I empty my Virus Vault or leave this file in there?


By all means, if you don't use it, you can very well uninstall it. Use Add/Remove Programs in the control panel to uninstall. If the uninstaller was moved to the vault and is no longer present, you may get an error. If that is the case, simply restore it from the vault. Then try uninstalling it again.

#14 Erishala

Erishala
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:52 PM

Posted 11 September 2008 - 06:49 PM

Thanks so much again, this has been very helpful and certainly made me worry (a little) less!

Do virus scanners, when they find something like this, do they give it the name? E.g. is "Trojan Horse Psw.generic6.abbk" a name that AVG has assigned this file?

Being clueless about this stuff sucks... I thought I was so safe and careful and then something like this happens and you realise that you know almost nothing helpful :thumbsup:.

Edit: Oh, yeah, and this is what I meant - Googling this Trojan only comes up with this "Computer Savvy" blog a guy has written, and a link to this thread I've posted: http://www.google.com.au/search?q=Trojan+H...lient=firefox-a

Not sure what that signifies...

Edited by Erishala, 11 September 2008 - 06:53 PM.


#15 Galadriel

Galadriel

    Bleepin Elf


  • Malware Response Team
  • 2,753 posts
  • OFFLINE
  • Gender:Female
  • Location:Missouri, USA
  • Local time:11:52 AM

Posted 11 September 2008 - 07:02 PM

Thanks so much again, this has been very helpful and certainly made me worry (a little) less!

Do virus scanners, when they find something like this, do they give it the name? E.g. is "Trojan Horse Psw.generic6.abbk" a name that AVG has assigned this file?

Being clueless about this stuff sucks... I thought I was so safe and careful and then something like this happens and you realise that you know almost nothing helpful :flowers:.


Actually the AV companies have been doing something like this for a long time and it's somewhat of an annoyance to me personally. There is no naming convention, no standard. You can google the names all you like and not find any decent worthwhile info out there. Especially on those heuristics-based detections. More than likely the detection was added for some nasty they weren't quite sure how to target. They use a broader range and tag it with a generic name. Much like swatting flies with a sledgehammer. You're bound to hit it, but you're also bound to hit other things that are in the way. Like bees or butterflies.

So yes, the name was given by AVG. It's not in the file. And another AV might flag it as something else for a totally unrelated detection. If the parameters for the specific broad heuristic-based detection are met by a file, it gets tagged.

Whenever I see generic, or gen in a threat name, I can't help but think false positive now. It's important to double check the files being flagged, especially if nothing else sends up smoke signals and it's not a new file. It doesn't mean they will be false positive always, but taking the results of one AV program at face value is not a good idea either in those cases.

Glad to hear you're a little less worried. :trumpet: We're here if ya need us. :thumbsup:
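The advice in the replies above (hash the file, get a second opinion from several engines, and treat a lone "generic" heuristic hit on an old, compressed installer with suspicion) can be written down as a small triage routine. The following is an added example, not code from this thread or from any of the vendors named in it; the engine names, verdict strings, sample file bytes and the numeric thresholds are all constructed assumptions chosen to illustrate the reasoning, not real scan results.

```python
"""Triage of a single AV detection (added example, not code from this thread).

Turns the thread's advice into checks: hash the quarantined file, measure how
"packed" it looks (installers and uninstallers are often compressed, which is
what broad heuristic signatures tend to trip on), and weigh verdicts from
several engines instead of taking one generic name at face value.
All engine names, verdict strings and thresholds here are constructed
assumptions, not real scan results.
"""
import hashlib
import math
import random
import re
from collections import Counter
from typing import Dict, Optional

# Words that mark a broad heuristic family rather than a specific signature.
GENERIC_MARKERS = re.compile(r"generic|heur|\bgen\b|suspicious", re.IGNORECASE)

# Assumed thresholds: entropy near 8 bits/byte means compressed or encrypted data.
PACKED_ENTROPY = 7.0
LOW_HIT_RATIO = 0.1
HIGH_HIT_RATIO = 0.5
NEW_FILE_DAYS = 30


def file_hashes(data: bytes) -> Dict[str, str]:
    """Hashes to look the file up on a multi-engine service without uploading it."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_generic_name(verdict: str) -> bool:
    """True when the detection name signals a heuristic family, not a specific sample."""
    return bool(GENERIC_MARKERS.search(verdict))


def triage(verdicts: Dict[str, Optional[str]], data: bytes, days_on_disk: int) -> Dict[str, object]:
    """Combine engine verdicts with file properties into a coarse assessment.

    verdicts maps engine name -> detection name, or None when that engine
    reported the file clean.
    """
    flagged = {eng: name for eng, name in verdicts.items() if name}
    ratio = len(flagged) / len(verdicts) if verdicts else 0.0
    generic_only = bool(flagged) and all(is_generic_name(v) for v in flagged.values())
    entropy = shannon_entropy(data)

    if not flagged:
        assessment = "no detections"
    elif ratio >= HIGH_HIT_RATIO:
        assessment = "likely malicious: multiple engines agree"
    elif ratio <= LOW_HIT_RATIO and generic_only and days_on_disk > NEW_FILE_DAYS:
        assessment = "likely false positive: verify with a second opinion"
    else:
        assessment = "inconclusive: submit the sample for analysis"

    return {
        "hashes": file_hashes(data),
        "entropy": round(entropy, 2),
        "packed": entropy >= PACKED_ENTROPY,
        "detection_ratio": f"{len(flagged)}/{len(verdicts)}",
        "generic_only": generic_only,
        "assessment": assessment,
    }


# Constructed stand-in for the quarantined uninstaller: a PE-style magic
# followed by compressed-looking (pseudo-random, fixed seed) bytes.
SAMPLE_PACKED = b"MZ" + random.Random(7).randbytes(4096)
# Constructed plain file: mostly zero padding, nothing compressed.
SAMPLE_PLAIN = b"MZ" + b"\x00" * 2000 + b"This program cannot be run in DOS mode"

# Constructed verdicts: one engine fires a generic name, nine others are clean.
SAMPLE_VERDICTS: Dict[str, Optional[str]] = {"AVG": "Trojan Horse PSW.Generic6.ABBK"}
SAMPLE_VERDICTS.update({f"Engine-{i}": None for i in range(2, 11)})

if __name__ == "__main__":
    for key, value in triage(SAMPLE_VERDICTS, SAMPLE_PACKED, days_on_disk=240).items():
        print(f"{key}: {value}")
```

The hashes are what you would paste into a lookup service rather than uploading the file itself; the entropy figure is a cheap way to see whether a flagged installer is compressed, which is the property Galadriel points at as the usual reason such files get tagged. The assessment is deliberately coarse: a single generic hit on a file that has been on disk for months lands in "verify", never in "clean", which matches the thread's advice to double check rather than dismiss.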



