
TR.Vapsup.uvj Trojan Found


6 replies to this topic

#1 I_am_CanadianEh?

I_am_CanadianEh?

  • Members
  • 489 posts
  • Gender:Male

Posted 06 July 2009 - 12:32 PM

Hello fellow BC folks. :flowers:

I use Avira Antivir Premium and I keep getting an alert that says I have the TR.Vapsup.uvj trojan in the following file:

C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe

I have denied access, but it keeps alerting me. There is no information on this Trojan in the Antivir virus list.

I did a scan of this file with VirusTotal and here are the results.

Antivirus Version Last Update Result

a-squared 4.5.0.18 2009.07.06 -
AhnLab-V3 5.0.0.2 2009.07.06 -
AntiVir 7.9.0.204 2009.07.06 TR/Vapsup.uvj
Antiy-AVL 2.0.3.1 2009.07.06 Virus/Win32.Sality.gen
Authentium 5.1.2.4 2009.07.05 -
Avast 4.8.1335.0 2009.07.05 -
AVG 8.5.0.386 2009.07.05 -
BitDefender 7.2 2009.07.06 -
CAT-QuickHeal 10.00 2009.07.06 -
ClamAV 0.94.1 2009.07.03 -
Comodo 1538 2009.07.02 -
DrWeb 5.0.0.12182 2009.07.06 -
eSafe 7.0.17.0 2009.07.06 -
eTrust-Vet 31.6.6598 2009.07.06 -
F-Prot 4.4.4.56 2009.07.05 -
F-Secure 8.0.14470.0 2009.07.06 -
Fortinet 3.117.0.0 2009.07.03 -
GData 19 2009.07.06 -
Ikarus T3.1.1.64.0 2009.07.06 -
Jiangmin 11.0.706 2009.07.06 -
K7AntiVirus 7.10.783 2009.07.03 -
Kaspersky 7.0.0.125 2009.07.06 -
McAfee 5668 2009.07.06 -
McAfee+Artemis 5667 2009.07.05 -
McAfee-GW-Edition 6.8.5 2009.07.06 Trojan.Vapsup.uvj
Microsoft 1.4803 2009.07.06 -
NOD32 4220 2009.07.06 -
Norman 6.01.09 2009.07.04 -
nProtect 2009.1.8.0 2009.07.06 -
Panda 10.0.0.14 2009.07.06 -
PCTools 4.4.2.0 2009.07.06 -
Prevx 3.0 2009.07.06 -
Rising 21.37.04.00 2009.07.06 -
Sophos 4.43.0 2009.07.06 -
Sunbelt 3.2.1858.2 2009.07.05 -
Symantec 1.4.4.12 2009.07.06 -
TheHacker 6.3.4.3.364 2009.07.06 -
TrendMicro 8.950.0.1094 2009.07.06 -
VBA32 3.12.10.7 2009.07.06 -
ViRobot 2009.7.6.1820 2009.07.06 -
VirusBuster 4.6.5.0 2009.07.05 -

There are no other symptoms on the computer other than this warning. The date stamp of the file is July 3rd, but I installed the Google Toolbar at least 1 week before that and had no alerts.
Finally, I did a scan with ESET's online scanner and it came out clean.

I use Vista Home Premium SP2 fully patched.

Is this a false positive or something more sinister? Please help. :trumpet:

Thanks. :thumbsup:



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • Gender:Male
  • Location:NJ USA

Posted 06 July 2009 - 11:19 PM

Hello, if it gives you the option to repair the detected infections then do that and the problem should be solved. If it still pops up after doing another full scan, then run a scan in safe mode.


Please run part 1 of S!Ri's SmitfraudFix
Note: Vista users, right click on the desktop icon and select "Run as Administrator."

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Kaje

Kaje

  • Members
  • 1 posts

Posted 07 July 2009 - 04:42 AM

I would like to venture a guess that you use Facebook? I'm curious because I too use Avira and this same file was detected on my system. I was sort of an idiot earlier because there was someone in my Facebook friends list who was obviously "hacked" and sent out a fake message to several people. Horrid misspellings and a link to an odd website. Upon clicking the link, I was warned by Facebook that the site has been reported dangerous by other users, so I decided not to follow the link. However, the stupid part was where I typed the URL in the address bar manually... the page was "blank". Even trying to r-click and view source revealed a blank notepad... screwy eh? And then this Trojan appears... lol. So anyways, beware!

Don't follow this link without knowing it is potentially dangerous and could harm your computer. With that being said, here's the actual Facebook message:

Subject: YYour nakeed ddances wwere filmeed!

"LOL
[www.facebook.c/l/;://matt.freehost.pl/funnyvids/"].facebook./l/;h//matt.fre...unnyvids/"[/url]

Don't follow this link without knowing it is potentially dangerous and could harm your computer.
Notice the fake url: [//matt.freehost.pl/funnyvids/]matt.freehost.pl/funnyvids/[/url] ... .pl is a country code top-level domain, or ccTLD for Poland.


{Mod Edit: Broke link...Please do not post Potentially dangerous links in the forum>>someone will just try it,thanks~~boopme}

Edited by boopme, 07 July 2009 - 09:02 AM.


#4 I_am_CanadianEh?

I_am_CanadianEh?
  • Topic Starter

  • Members
  • 489 posts
  • Gender:Male

Posted 07 July 2009 - 07:50 AM

UPDATE

I submitted the above-mentioned files to Avira and upon analysis, they sent me this report.

A listing of files alongside their results can be found below:

File ID Filename Size (Byte) Result
25390829 GoogleToolbarUser.exe 273.61 KB FALSE POSITIVE


Please find a detailed report concerning each individual sample below:

Filename Result
GoogleToolbarUser.exe FALSE POSITIVE

The file 'GoogleToolbarUser.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.1.4.192.


So, I would suggest checking Avira for updates and trying to access the files again to see if you still get the alerts.

Just to be sure, I'll follow Boopme's instructions.

Kaje

Please do not post dangerous links...change the http to hxxp to prevent someone from accidentally (or purposely) clicking on the link and possibly becoming infected. :thumbsup:

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • Gender:Male
  • Location:NJ USA

Posted 07 July 2009 - 09:22 AM

This is a definite false positive. You can double check by submitting a suspicious file to Jotti or VirusTotal.

JOTTI and VT scan

Let's upload this file for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


NOTE:

For submission to a specific anti-virus vendor see Submitting Virus Samples: How to Submit a Virus.

#6 I_am_CanadianEh?

I_am_CanadianEh?
  • Topic Starter

  • Members
  • 489 posts
  • Gender:Male

Posted 07 July 2009 - 11:48 AM

Over 2,600 views on this topic?!! WOW! :trumpet:

After updating Antivir, I am no longer getting the alerts. This was definitely a false alarm.

For good measure, here is my Smitfraud log.

SmitFraudFix v2.423

Scan done at 12:20:02.67, Tue 07/07/2009
Run from C:\Users\tim\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6002] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\NoteBurner\VTBurnerGUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\System32\svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Windows\sttray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe

hosts

hosts file corrupted !

127.0.0.1 m.dell.com
127.0.0.1 microsoft.com.org
127.0.0.1 www.www.microsoft.com.org
127.0.0.1 ads.techguy.org

C:\


C:\Windows


C:\Windows\system


C:\Windows\Web


C:\Windows\system32


C:\Windows\system32\LogFiles


C:\Users\tim


C:\Users\tim\AppData\Local\Temp


C:\Users\tim\Application Data


Start Menu


C:\Users\tim\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




DNS

Description: Intel® PRO/100 VE Network Connection
DNS Server Search Order: 64.71.255.198
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E1B16384-8F15-455D-82CA-5726B6D2D815}: DhcpNameServer=64.71.255.198 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E1B16384-8F15-455D-82CA-5726B6D2D815}: DhcpNameServer=64.71.255.198 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=64.71.255.198 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=64.71.255.198 192.168.0.1


Scanning for wininet.dll infection


End


And here is the result from VirusTotal, AFTER I updated Antivir. As you can see, Antivir no longer flags this as infected.

Antivirus Version Last Update Result

a-squared 4.5.0.18 2009.07.07 -
AhnLab-V3 5.0.0.2 2009.07.07 -
AntiVir 7.9.0.204 2009.07.07 -
Antiy-AVL 2.0.3.1 2009.07.07 Virus/Win32.Sality.gen
Authentium 5.1.2.4 2009.07.07 -
Avast 4.8.1335.0 2009.07.06 -
AVG 8.5.0.386 2009.07.07 -
BitDefender 7.2 2009.07.07 -
CAT-QuickHeal 10.00 2009.07.07 -
ClamAV 0.94.1 2009.07.07 -
Comodo 1538 2009.07.02 -
DrWeb 5.0.0.12182 2009.07.07 -
eSafe 7.0.17.0 2009.07.07 -
eTrust-Vet 31.6.6601 2009.07.07 -
F-Prot 4.4.4.56 2009.07.06 -
F-Secure 8.0.14470.0 2009.07.07 -
Fortinet 3.117.0.0 2009.07.03 -
GData 19 2009.07.07 -
Ikarus T3.1.1.64.0 2009.07.07 -
Jiangmin 11.0.706 2009.07.07 -
K7AntiVirus 7.10.786 2009.07.07 -
Kaspersky 7.0.0.125 2009.07.07 -
McAfee 5669 2009.07.07 -
McAfee+Artemis 5668 2009.07.06 -
McAfee-GW-Edition 6.8.5 2009.07.07 -
Microsoft 1.4803 2009.07.07 -
NOD32 4222 2009.07.07 -
Norman 6.01.09 2009.07.07 -
nProtect 2009.1.8.0 2009.07.07 -
Panda 10.0.0.14 2009.07.07 -
PCTools 4.4.2.0 2009.07.07 -
Prevx 3.0 2009.07.07 -
Rising 21.37.14.00 2009.07.07 -
Sophos 4.43.0 2009.07.07 -
Sunbelt 3.2.1858.2 2009.07.07 -
Symantec 1.4.4.12 2009.07.07 -
TheHacker 6.3.4.3.364 2009.07.06 -
TrendMicro 8.950.0.1094 2009.07.07 -
VBA32 3.12.10.7 2009.07.07 -
ViRobot 2009.7.7.1822 2009.07.07 -
VirusBuster 4.6.5.0 2009.07.06 -

Problem solved!! :flowers: :thumbsup:
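One way to compare the two VirusTotal listings in this thread by machine instead of by eye. This is an example added here, not code from the thread or from VirusTotal; the engine lines embedded below are excerpted from the two scans posted above (6 and 7 July 2009), and the line layout "engine version date result" is an assumption taken from how they appear on this page.

```python
"""Parse flattened VirusTotal-style listings and diff two scans of one file."""
import re
from typing import Dict, NamedTuple, Optional, Set, Tuple

# One line per engine: "<engine> <version> <YYYY.MM.DD> <result>", "-" meaning clean.
_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")


class EngineResult(NamedTuple):
    version: str
    updated: str
    detection: Optional[str]  # None when the engine reported "-"


def parse_listing(text: str) -> Dict[str, EngineResult]:
    """Return {engine: EngineResult}; the header and any non-matching line is skipped."""
    report: Dict[str, EngineResult] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        engine, version, updated, result = m.groups()
        report[engine] = EngineResult(version, updated, None if result == "-" else result)
    return report


def detections(report: Dict[str, EngineResult]) -> Dict[str, str]:
    """Only the engines that named a detection, with the name they gave."""
    return {e: r.detection for e, r in report.items() if r.detection}


def detection_ratio(report: Dict[str, EngineResult]) -> Tuple[int, int]:
    return len(detections(report)), len(report)


def compare(before, after) -> Tuple[Set[str], Set[str], Set[str]]:
    """Split engines into (cleared, new, persistent) detections between two scans."""
    b, a = set(detections(before)), set(detections(after))
    return b - a, a - b, a & b


# Excerpted from the two listings posted in this thread (before/after the Avira VDF update).
BEFORE = """Antivirus Version Last Update Result
AntiVir 7.9.0.204 2009.07.06 TR/Vapsup.uvj
Antiy-AVL 2.0.3.1 2009.07.06 Virus/Win32.Sality.gen
Kaspersky 7.0.0.125 2009.07.06 -
McAfee-GW-Edition 6.8.5 2009.07.06 Trojan.Vapsup.uvj
Microsoft 1.4803 2009.07.06 -"""
AFTER = """AntiVir 7.9.0.204 2009.07.07 -
Antiy-AVL 2.0.3.1 2009.07.07 Virus/Win32.Sality.gen
Kaspersky 7.0.0.125 2009.07.07 -
McAfee-GW-Edition 6.8.5 2009.07.07 -
Microsoft 1.4803 2009.07.07 -"""

if __name__ == "__main__":
    cleared, new, persistent = compare(parse_listing(BEFORE), parse_listing(AFTER))
    print("cleared:", sorted(cleared), "new:", sorted(new), "persistent:", sorted(persistent))
```

A detection that disappears after a definition update while the file itself has not changed is the signature of a false positive; the one engine that persists on a generic name is a separate, lower-confidence signal worth noting rather than acting on.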

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,760 posts
  • Gender:Male
  • Location:NJ USA

Posted 08 July 2009 - 09:03 PM

Hello, all looks good. Have a great day.



