Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: dford3772 on March 29, 2008, 02:27:32 PM

Title: Win32 Trojan found
Post by: dford3772 on March 29, 2008, 02:27:32 PM
I need help once again.  I took my PC to Circuit City two days ago only to have it cleaned.  When the tech inserted their flash drive analyzer both Avast and Comodo went nuts on my machine.  A message notified of a Trojan Horse.  The tech IGNORED all this and forced the analyzer program to run which showed I had a clean machine.

After bringing home my XP fully updated PC (64 athlon 3300 processor), I ran an Avast scan and it found two infected files and identified
them as Win32 Trojan which I moved to the chest.  I scheduled and ran a boot scan and moved files once again to the chest.  Re-scanned and PC is showing as clean. 

What do I do now?  I've already wasted $131 at CC and would not go back there for any reason.  I did see some false positives in this list archive but finding the files seems to make mine very real.  Should I run a boot scan daily for a bit?  Do I need to run other programs?
Please help,
Donna in AR
Title: Re: Win32 Trojan found
Post by: Lisandro on March 29, 2008, 02:53:54 PM
In detail, if a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

1. As posted before, disable System Restore on Windows ME (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887), XP (http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405) or Vista (http://support.microsoft.com/?scid=kb%3Ben-us%3B936212&x=6&y=13). System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3.

2. Clean your temporary files. You can use CleanUp (http://www.stevengould.org/downloads/cleanup/) or the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features for that.

3. Schedule a boot-time scan with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot. Another option is scanning in Safe Mode (http://support.microsoft.com/default.aspx?scid=kb;en-us;315222) (repeatedly press F8 while booting).

4. It would be good to download, install, update and run SUPERantispyware (http://www.superantispyware.com) or Spyware Terminator (http://www.spywareterminator.com/).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
About legit antispyware applications or the bad ones: http://www.spywarewarrior.com/rogue_anti-spyware.htm#sites

5. If you're still detecting any strange behavior, or even if you're sure you're not clean, it may be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp) for XP/Vista. For XP only: Panda (http://research.pandasoftware.com/blogs/research/archive/2007/04/27/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx).

6. Also, if you're still detecting strange behaviors or you want to be sure you're clean, making a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here and, especially, scanning and submitting the RunScanner (http://www.runscanner.net/) log for on-line analysis would help to identify the problem and the solution.

7. After you're clean, use the immunization of SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or, which is better, the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features of spyware/adware cleaning and removal.

8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/) to update insecure applications and avoid reinfection.
Title: Re: Win32 Trojan found
Post by: FreewheelinFrank on March 29, 2008, 03:02:05 PM
It could be a false positive: sometimes 'tools' are detected in this way. Still, not good form to leave files on your computer that are detected as malware.

To check them out, export the files from the chest, temporarily disable avast! (otherwise you won't be able to access the files) and upload the detected files to VirusTotal (http://www.virustotal.com/).

Please post the results here.
Title: Re: Win32 Trojan found
Post by: dford3772 on March 29, 2008, 03:24:36 PM
I extracted the files and sent them to Virus Total uploader.  Somehow I skipped the disable Avast but the files were sent it said.
I returned the copies to Chest because I really didn't know what to do though it said copies were in the uploader.  Having never done this before, I am a bit lost.  Earlier I also e-mailed both files to ALWIL software team by R. clicking.
Donna in AR
Title: Re: Win32 Trojan found
Post by: DavidR on March 29, 2008, 03:58:03 PM
But what were the results given by the VT scan?
Title: Re: Win32 Trojan found
Post by: dford3772 on March 29, 2008, 04:17:33 PM
Hi David,
It's been months but here I am again.  I don't think the VT upload was successful. I've only done this one time before but I did not remember if the results were immediate and how they came.  Nothing so far so I doubt the upload worked.

I have the uploader downloaded and when I sent the infected files to it they appeared in the VT window with all warnings attached and then a note came up at the bottom of the screen saying copies were in the uploader so I R. clicked and sent to VT but there was a long wait message.  I did send the copies back to the chest because it appeared they were loose.  Do I need to re-do it a different way?
The warnings said these files have Win32: Agent TOS.
Thanks,
Donna in AR
Title: Re: Win32 Trojan found
Post by: DavidR on March 29, 2008, 06:04:07 PM
The most common problem is trying to upload from the chest (though you mentioned extracting them) resulting in a 0 byte file size uploaded. The other possibility is avast stopping the upload because it is detected again, even if you select take no action or close the alert window.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

I don't know why you needed to have to do this, "I have the uploader downloaded and when i sent the infected files to it they appeared in the VT window with all warnings attached." You should only need to click the VirusTotal link Frank gave, when the site opens, click the Browse button. Using the pop-up window navigate to the c:\suspect folder and select the file you want to upload.

If you have created the suspect folder (excluded it also) and exported the file from the chest, avast shouldn't get in the way. The site can get busy and there might well be a wait; don't send the file/s back to the chest as that would effectively break the upload. You just have to be patient and allow the upload to complete and the scan to commence.
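The 0-byte upload DavidR describes here (and Frank confirms a few posts down) is easy to catch before you bother VirusTotal: check the exported file's size and take a hash first. The script below is an added illustration for this thread, not avast's or VirusTotal's own code. It assumes the sample has already been exported into an excluded folder such as C:\Suspect; the sample files it creates are constructed placeholders, not malware.

```python
"""Pre-upload sanity check for a suspect file exported from the avast chest.

Added illustration, not avast's or VirusTotal's code. Assumes the file was
exported to an excluded folder (e.g. C:\\Suspect) so the resident shield
does not intercept the read.
"""
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read in 64 KiB pieces so large samples don't need to fit in RAM


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for the file at path.

    A 0-byte file is exactly the symptom described in the thread: the
    export or the read was blocked by the resident scanner. Uploading it
    would only make VirusTotal report "0 bytes", so refuse up front.
    """
    size = os.path.getsize(path)
    if size == 0:
        raise ValueError(f"{path} is 0 bytes; export it to an excluded folder first")
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return size, h.hexdigest()


def ready_to_upload(path):
    """True if the file is non-empty and readable end to end.

    Any OSError (file vanished, access denied) is treated as 'not ready',
    since those are the same blocked-by-scanner cases in practice.
    """
    try:
        fingerprint(path)
    except (ValueError, OSError):
        return False
    return True


def demo():
    """Constructed samples: one real-sized file, one empty 'blocked' export."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "sample.bin")
        blocked = os.path.join(d, "blocked.bin")
        with open(good, "wb") as f:
            f.write(b"constructed placeholder content, not a real sample\n")
        open(blocked, "wb").close()  # 0 bytes, like the failed export
        return ready_to_upload(good), ready_to_upload(blocked)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The hash is worth keeping with the file: it identifies the sample unambiguously when you ask for help, and a non-empty size plus a readable hash is good evidence the exclusion is working before you go near the upload form.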
Title: Re: Win32 Trojan found
Post by: dford3772 on March 29, 2008, 07:18:30 PM
I have decided this is probably real.  I did everything you said except the : and / could not be typed so I just called it C Suspect both places.  I extracted the files and the warning went mad again and I was not allowed to move in any way to the VT upload box.  I tried right clicking and sending to VT--not allowed to move.

I may have inadvertently let the monster loose again.  I tried to copy, cut, paste, move---nothing allowed.  It may be in my memory now for sure.

I finally got both of the files into VT by opening and the reading came back 0 bytes.  This is driving me to panic for I feel like this TH is just racing through my machine.  What should I do with the useless C Suspect file?
Title: Re: Win32 Trojan found
Post by: FreewheelinFrank on March 29, 2008, 07:22:57 PM
Quote
Somehow I skipped the disable Avast but the files were sent it said.

If avast! is running, it will block the upload. VirusTotal will report the file has 0 bytes.
Title: Re: Win32 Trojan found
Post by: dford3772 on March 29, 2008, 07:39:52 PM
Thanks Frank you showed me what to do.  Both came back about the same results.  Here is one of them.

Can't get it to copy in to this file but I am a bit rattled.

I have a .png file of it but can't get it in here.
Donna
Title: Re: Win32 Trojan found
Post by: FreewheelinFrank on March 29, 2008, 07:41:58 PM
You can cut and paste the result or use the 'Additional Options' er.. option to attach a .png file.
Title: Re: Win32 Trojan found
Post by: dford3772 on March 29, 2008, 07:44:55 PM
I think this will do it.  Both files came back different from what Avast said it was.
Title: Re: Win32 Trojan found
Post by: FreewheelinFrank on March 29, 2008, 08:00:34 PM
I think they are false positives associated with the Panda online AV scanner.

Can you look in Start>Control Panel>Add/Remove and see if the Panda scanner is installed?
Title: Re: Win32 Trojan found
Post by: dford3772 on March 29, 2008, 08:13:10 PM
Yes, I have Panda Nano scan in that list and I have no idea where it came from.
What do I do next?
Title: Re: Win32 Trojan found
Post by: FreewheelinFrank on March 29, 2008, 08:31:11 PM
I suspect the techs at Circuit City used it to check your computer for viruses.

You can uninstall it from Add/Remove.
Title: Re: Win32 Trojan found
Post by: dford3772 on March 29, 2008, 08:47:09 PM
OK. I cleaned up the C Suspect file and sent those copies to reside in chest and removed from Avast scanning list.  I will remove Panda and I also have PC Doctor for windows that must have come from a free virus scan also so it needs to go.  My PC is operating fine and I haven't noticed any serious behavior so I lean toward the false positive too.  Do I just leave everything in the chest for a bit and then delete or what?  There are some other .dll files in the chest connected with Win32 but they are not marked as infected and they have been there for months.  Just leave all in the chest and maybe run another scan?
Thanks so much for your help,
Donna in AR
Title: Re: Win32 Trojan found
Post by: DavidR on March 29, 2008, 08:50:19 PM
Quote
I have decided this is probably real.  I did everything you said except the : and / could not be typed so I just called it C Suspect both places.

The folder name should be Suspect; the : and \ are part of the path, as in c:\. c: is the drive, the \ indicates the next bit is a folder, so the full path to the suspect folder is c:\suspect.

Quote
I extracted the files and the warning went mad again and I was not allowed to move in any way to the VT upload box.  I tried right clicking and sending to VT--not allowed to move.

You need to ensure that you exclude the suspect folder and its contents so avast doesn't scan them. Add "c:\suspect\*" (copy and paste the text in quotes but not the quotes) to the avast exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions

This will stop avast going mad as you call it and allow the files to be uploaded.

Quote
I may have inadvertently let the monster loose again.  I tried to copy, cut, paste, move---nothing allowed.  It may be in my memory now for sure.

No you haven't. Infected files in isolation (a different location from where they were found), without a registry key to run them, etc., are inert. That is part of the purpose of having the suspect folder, so you don't have to disable avast to be able to extract from the chest and upload to VT from the suspect folder.

Quote
I finally got both of the files into VT by opening and the reading came back 0 bytes.  This is driving me to panic for I feel like this TH is just racing through my machine.  What should I do with the useless C Suspect file?

You now know why the file size is 0 bytes: avast blocking it, another reason for using the suspect 'folder' (it isn't a file). You can delete the C Suspect file.

Whilst this is all a moot point as you have managed to upload the files, it may be of help in the future.
Title: Re: Win32 Trojan found
Post by: dford3772 on March 29, 2008, 09:37:51 PM
So when a problem is found the folder should be created and files not sent to chest.  Do you agree that the VT results I sent look like a false positive?  As you will see in my post to Frank my machine is working fine and I asked what to do about the files in Chest.  If it is wait-and-see then I am OK.  All scans are negative for anything.
Thanks a bunch,
Donna in AR
Title: Re: Win32 Trojan found
Post by: FreewheelinFrank on March 29, 2008, 09:44:08 PM
There are some system files backed up in the chest, but you should see those in a separate section.
Title: Re: Win32 Trojan found
Post by: DavidR on March 29, 2008, 11:01:03 PM
I have the folder permanently created (and excluded as I mentioned) though I have given mine a different name (it can be anything you like) and anything I don't want avast to scan lives in there (some samples/tools that would otherwise be detected by avast). Also anything suspicious goes in there so it can easily be uploaded to VT.

The only files to be concerned with in the chest are those in the Infected Files section, those that avast detects and you choose to send to the chest. They can do no harm there, so you have done the right thing, 'first do no harm' don't delete, send virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

In a way they are and they aren't false positives. The problem arises because Panda don't encrypt their virus signature files and avast or any other resident scanner is likely to detect them because they are looking for virus signatures. So in this case it looks like you didn't have any 'monster' running round in your system just some unencrypted panda signature files.
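Why an unencrypted signature file trips another vendor's resident scanner, as DavidR explains above, can be shown with a toy scanner. This is an added illustration for the thread, not avast's or Panda's code: the "signatures" are constructed placeholder byte strings, not real detection patterns, and the XOR encoding stands in for whatever a vendor actually does to keep raw patterns from appearing on disk.

```python
"""Toy demonstration: a plain-text signature database matches its own signatures.

Added illustration, not any vendor's code. SIGNATURES are constructed
placeholder patterns; the XOR step is obfuscation, not encryption, and is
only here to show why an encoded database does not trip the scanner.
"""

# Constructed signature database: detection name -> byte pattern looked for.
SIGNATURES = {
    "Toy.Agent.A": b"\x4d\x5a\x90\x00TOY-AGENT-MARKER",
    "Toy.Dropper.B": b"TOY-DROPPER-STUB\x00\x01",
}


def scan(data):
    """Return the names of every signature whose pattern occurs in data.

    This is what a resident scanner does, crudely: it has no idea whether
    the bytes belong to malware or to another vendor's signature file.
    """
    return sorted(name for name, pat in SIGNATURES.items() if pat in data)


def serialize_plain(sigs):
    """Write the database as plain records: name NUL pattern NL.

    The raw patterns land on disk verbatim, so any other scanner that
    reads this file sees them and alerts on it.
    """
    return b"".join(name.encode() + b"\x00" + pat + b"\n" for name, pat in sigs.items())


def serialize_encoded(sigs, key=0x5A):
    """Same records XOR-ed with a one-byte key (toy obfuscation, not encryption).

    Nothing in the output equals a stored pattern, so the file does not
    match even though it carries exactly the same information.
    """
    return bytes(b ^ key for b in serialize_plain(sigs))


def decode(blob, key=0x5A):
    """Reverse serialize_encoded; the owning scanner decodes in memory only."""
    return bytes(b ^ key for b in blob)


def demo():
    plain_db = serialize_plain(SIGNATURES)
    encoded_db = serialize_encoded(SIGNATURES)
    return {
        "plain_db_detections": scan(plain_db),      # both names: the DB itself is "detected"
        "encoded_db_detections": scan(encoded_db),  # nothing
        "benign_file_detections": scan(b"hello world"),
        "round_trip_ok": decode(encoded_db) == plain_db,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the demo is the first two results: the same two "detections" fire on the plain database and vanish on the encoded one, which is exactly the "they are and they aren't false positives" situation in the thread. The file was correctly matched, it just wasn't malware.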
Title: Re: Win32 Trojan found
Post by: dford3772 on March 30, 2008, 05:52:13 PM
My special thanks to David and Frank for your patience and help through the first virus crisis I've experienced with Avast.  Avast saved me even with my inexperienced hand on the throttle and you two pulled me through.  David, as far as the mess with the VirusTotal uploader, I think all that little download does is add a "Send to VT" in the pull-down menu.  Their directions for its use are pretty sketchy and actually it is not necessary.  I've had a great learning experience!

I've created the folder in C and Modified Standard Shield as recommended so I will be ready if there is a next time.  Considering my previous experiences with Norton, I absolutely rave about Avast.  I would just say that new users should develop a game plan for when Avast does find a problem.  Years ago I had a machine completely disabled by a virus (with Norton) and that makes research impossible.
Thanks again for a great product and great help.
Donna in AR
Title: Re: Win32 Trojan found
Post by: DavidR on March 30, 2008, 06:13:26 PM
You're welcome.

VT does get busy at times and there is also the option to send it by email and there is the VTuploader on that same email instruction page http://www.virustotal.com/metodos.html (http://www.virustotal.com/metodos.html). That must have been where you got the bit about vtuploader, which adds an entry to your context menu. Personally, for the amount of times you are likely to use it, it isn't worthwhile.

avast 4.8 has a self-protection module which should make things much more difficult for viruses to disable it.