Author Topic: LOTS of trojans?  (Read 7900 times)

chillmark

  • Guest
LOTS of trojans?
« on: July 13, 2012, 01:44:39 AM »
Good evening -

I have a new PC I just bought and I'm a former Mac user, so this is all very new to me. As a result I have a couple questions I was hoping folks here might be able to help me with.

First of all, since installing Avast I have been getting these red pop-up windows saying a trojan horse has been blocked. Are there really that many trojans or am I not doing something application-wise that I should be?

I was also curious if there is anything else besides Avast that I should be running? This is an antivirus program...should I have a firewall? How about anti-spyware?

Thanks for the help ahead of time. Like I said, this is all new to me, so I apologize if I sound like a newb.

I am.

-Chill

Nesivos

  • Guest
Re: LOTS of trojans?
« Reply #1 on: July 13, 2012, 03:25:52 AM »
First of all it depends which Windows OS you are using.

I will assume that if you are a new Windows user you are using Windows 7

1. With regard to a firewall: I have never used anything but Windows for decades, except I do have one computer running Ubuntu 12.04 and have used Ubuntu before with earlier versions. Ubuntu 12.04 is very nice. I have never used any firewall except Windows and whatever firewall comes with the AV package. I now use avast! AIS, which comes with a firewall, but the firewall does not to my knowledge turn off the Windows firewall but works with it. Others here are a lot more knowledgeable about firewalls than I am.

My point is that I have never used a third party firewall but just the Windows firewall along with avast! AIS at this time. When I used W7 firewall and I left it on its default settings since I don't know enough to tweak them I never had to my knowledge any firewall related problems. I also have not tweaked the W8 Firewall since I started using it firstly with W8-DP and now with W8-RP.

Others here will most likely suggest using a third party firewall which may be superior to the Windows 7 firewall.   They are probably correct, but I would never recommend that someone new to Windows use a third party firewall.    Windows firewall is good enough for newbies.   When you learn about Windows and Windows third party firewalls then you might want to replace the Windows firewall.   

The reason that I am suggesting someone new to Windows, unless they are a "computer geek", not use a 3rd party firewall or tweak the Windows firewall is that if you make a mistake with your firewall settings, which is easy to do if you are not knowledgeable about ports and software internet connections, you can cut a program's and maybe even your Windows OS access to internet. High risk and low reward for a Windows newbie.

2.  As far as other security software to use with avast! I can just tell you what I use on my W8-RP computers.  I have not experienced any conflicts with this combination.  I also once a week or so run 3rd party on demand scans with software like Malwarebytes, Norman, Stinger, etc just to double check and they rarely, maybe once every several months find malware that my combination missed.  Here is the list I use all in real-time.

avast! AIS 7
SuperAntiSpyware (SAS) Pro
Firefox Beta now 14.11? Beta with NoScript and other security related addons.

Most here would substitute Malwarebytes Pro for SAS Pro but SAS works for me so I use it.

I don't know about Apple computers but I know Ubuntu automatically updates the OS and programs that come along with it along with all the software you get from their Repository. Or at least it has a function that tells you that you have updates. While this is true for the Windows OS and other Microsoft programs you are using it may not be true for 3rd party software you are using on a Windows computer. It is critical from a security perspective that you keep all your software up to date. This is especially true of Java and Adobe programs especially Adobe Flash. A good deal of malware can be stopped from infecting and harming your system if you keep current on the updates. FileHippo updater and Secunia are two free programs that will notify you when third party software on your computer has updates available.

Good luck. 

Others might add their insights so you might want to check back over the next few days to read what they have to say.
« Last Edit: July 13, 2012, 03:33:20 AM by Nesivos »

Diddy

  • Guest
Re: LOTS of trojans?
« Reply #2 on: July 13, 2012, 08:19:18 AM »
Hi Chillmark, I would like to tell you that I have Windows Vista and I also use avast antivirus free for my computer. I also use the free version of Malwarebytes free to check for malware but I rarely have malware on my computer but it is always a good idea to be safe than sorry ha. As far as the firewall I just use the firewall that came with Windows Vista it works good for me and I have had no problems with attacks or anything like that.

Good luck Chillmark


Alievitan

  • Guest
Re: LOTS of trojans?
« Reply #3 on: July 13, 2012, 09:05:45 AM »
Are you getting these trojan alerts when you are browsing? What exactly does it say (IE scriptshield? File System?) because knowing what type of warning will tell you a lot. For example, if you are getting scriptshield alerts, that means you are visiting a website with a malicious script and every time you visit that site, you will get repeated warnings.

As a new user, I would stick with the default Windows 7 firewall. Third party firewalls are mostly to control outbound connections, but if you know what I am talking about or don't care, then you won't need a third party firewall for the most part.

Avast should take care of all your "realtime" protection needs including spyware, but there might be some other antivirus programs you can run beside it that won't interfere with each other, but there isn't an official Avast faq to officially acknowledge which one, so I wouldn't do it if I were you. 

However, if you think you are really infected, I wouldn't listen to anybody on the forum including me unless it was one of the experts such as "Essex Boy" who is the visiting malware expert.  You can easily cripple your system running scans or running tools that you aren't familiar with. 

As for my personal setup or advice, there are a lot of things, but if I only could tell you one thing, then it is to keep your software up to date with a sense of urgency. According to this article "According to CSIS, five products are responsible for 99-percent of all malware infections. Many of the targeted applications are vulnerable due to a lack of patching, leaving the user and the network exposed......Java, Adobe Reader / Acrobat, Adobe Flash, Internet Explorer, and QuickTime"

You can run this program http://secunia.com/products/consumer/psi/ that does it all for you.  Or you can disable the plugins that you infrequently use like java, quicktime etc
« Last Edit: July 13, 2012, 09:09:19 AM by Alievitan »

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: LOTS of trojans?
« Reply #4 on: July 13, 2012, 09:20:44 AM »
Quote
but there might be some other antivirus programs you can run beside it that won't interfere with each other
No additional antivirus should be installed on the same system with avast installed, you can add something like Malwarebytes or superantispyware for extra scans.

chillmark

  • Guest
Re: LOTS of trojans?
« Reply #5 on: July 15, 2012, 11:44:30 PM »
thanks for the replies everyone

Yeah I guess I should have let you know: I'm running Windows 7 Home.

the messages say a trojan was found, in C:/windows/??? but it comes and goes so fast, I can't read the full message. Interestingly enough, it hasn't come up since I posted this question. I gave it a few days in hopes that I'd have more info to add, but since I haven't seen it...

I guess we can back burner it for now. Thanks for the suggestions, however.

-Chill

blue_fyre

  • Guest
Re: LOTS of trojans?
« Reply #6 on: July 16, 2012, 07:45:21 AM »
I suggest you make an image of Windows 7 right when you install it, that way if anything bad happens, you can restore Windows to its original state. This means you store all your files on a separate partition/drive.

You have to have a good habit of scanning. You can do that with avast but have multi scan engines at your disposal. Me, I use Malwarebytes, HitmanPro, Gmer. Run them once in a while. But then again, once a computer is infected, you really can't trust it, that's why you do imaging.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: LOTS of trojans?
« Reply #7 on: July 16, 2012, 07:58:49 AM »
Quote
First of all, since installing Avast I have been getting these red pop-up windows saying a trojan horse has been blocked. Are there really that many trojans or am I not doing something application-wise that I should be?
and what do the avast warnings say?
did it block an infected website when surfing?...... or found infection in your comp?

does it happen all the time....even when not surfing?

chillmark

  • Guest
Re: LOTS of trojans?
« Reply #8 on: July 17, 2012, 05:08:05 PM »
Ugh

Well it's doing it again. Here's what I can see: this red window in the lower right corner pops up and says a trojan has been blocked, but it doesn't give me any option to delete it or anything.

It goes away quick, but as far as I can tell it says:

location: C:\windows\installer\...\8000000032.@ and 8000000.@
infection:win32 malware-gen and something else about an installer...it switches too fast for me to see
Action: Moved to chest
Process C:\Windows\system32\services.exe

It only happens when I've got firefox open. At the moment I've only got two other tabs open beside this: the website for my grad school class and gmail.

I'm not sure how to make an image of Windows 7, but I'm assuming I can find it somewhere online. I downloaded and ran Malwarebytes and haven't noticed any difference yet.

Thanks for your continued help on this, I realize it's a bit rudimentary for you all, but I'm such a neophyte at all this I feel totally lost and unprepared, so thank you.

-Chill

chillmark

  • Guest
Re: LOTS of trojans?
« Reply #9 on: July 17, 2012, 05:10:27 PM »
also

Infection: Win32:Downloader-PKU [Trj]


-C

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: LOTS of trojans?
« Reply #10 on: July 17, 2012, 05:24:50 PM »
You are infected

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs
THEN

Download aswMBR.exe ( 4.8mb ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply

chillmark

  • Guest
Re: LOTS of trojans?
« Reply #11 on: July 17, 2012, 06:40:31 PM »
There is apparently a size limit to posts so here is the first...

chillmark

  • Guest
Re: LOTS of trojans?
« Reply #12 on: July 17, 2012, 06:41:31 PM »
second and third

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: LOTS of trojans?
« Reply #13 on: July 17, 2012, 07:57:18 PM »
Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    Quote
    :OTL
    IE - HKU\S-1-5-21-3698899478-1883234703-3080048218-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT3198785
    IE - HKU\S-1-5-21-3698899478-1883234703-3080048218-1001\..\URLSearchHook: {cce665dd-f6dd-4808-968e-eaec971f70ef} - No CLSID value found
    IE - HKU\S-1-5-21-3698899478-1883234703-3080048218-1001\..\SearchScopes,DefaultScope = {172DCDC5-24F1-4687-AE86-D05AF720BD55}
    FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3198785&SearchSource=2&q="
    [2012/07/11 18:19:26 | 000,000,919 | ---- | M] () -- C:\Users\Aaron\AppData\Roaming\Mozilla\Firefox\Profiles\wkwae51r.default\searchplugins\conduit.xml
    O3 - HKU\S-1-5-21-3698899478-1883234703-3080048218-1001\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.

    :Files
    ipconfig /flushdns /c
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Users\Aaron\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdhffggcfjnkigeciffmipblemhphbjl
    C:\Users\Aaron\AppData\Local\Google\Chrome\User Data\Default\Extensions\bdhffggcfjnkigeciffmipblemhphbjl
    C:\Windows\Installer\{6ef2cb95-7de6-eb77-b17c-37f4e459e6db}
    C:\Users\Aaron\AppData\Local\{6ef2cb95-7de6-eb77-b17c-37f4e459e6db}

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
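
The fix in Reply #13 removes a GUID-named folder that appears under both C:\Windows\Installer and the user's AppData\Local, plus Desktop.ini files in the GAC_32/GAC_64 folders, and Reply #8 reports ".@" files under C:\Windows\Installer. As an added example (not part of the original posts and not a feature of OTL or avast!), this Python script flags paths of those shapes in a file listing; the function name, sample paths and GUIDs are constructed for illustration. GUID-named folders under C:\Windows\Installer are normal on their own, so they are only flagged in combination with one of the other signs.

```python
import re
from collections import defaultdict

GUID = r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
INSTALLER = re.compile(r"^[a-z]:\\windows\\installer\\(" + GUID + r")(?:\\.*)?$", re.I)
APPDATA = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\(" + GUID + r")(?:\\.*)?$", re.I)
GAC_INI = re.compile(r"^[a-z]:\\windows\\assembly\\gac_(?:32|64)\\desktop\.ini$", re.I)

def triage(paths):
    """Return {path: [reasons]} for paths matching the shapes seen in the thread."""
    locations = defaultdict(set)   # guid -> {"installer", "appdata"}
    by_guid = defaultdict(list)    # guid -> paths that live under it
    findings = defaultdict(list)
    for raw in paths:
        p = raw.strip().replace("/", "\\")
        for name, rx in (("installer", INSTALLER), ("appdata", APPDATA)):
            m = rx.match(p)
            if m:
                guid = m.group(1).lower()
                locations[guid].add(name)
                by_guid[guid].append(p)
                if p.endswith(".@"):
                    findings[p].append("'.@' file under a GUID directory")
        if GAC_INI.match(p):
            findings[p].append("Desktop.ini directly inside GAC_32/GAC_64")
    # Correlate: the same GUID directory present in both locations.
    for guid, locs in locations.items():
        if locs == {"installer", "appdata"}:
            for p in by_guid[guid]:
                findings[p].append("same GUID directory under Windows\\Installer and AppData\\Local")
    return dict(findings)

# Constructed sample listing (not taken from the user's logs).
SAMPLE = [
    r"C:\Windows\Installer\{11111111-2222-3333-4444-555555555555}\sub\8000000.@",
    r"C:\Users\alice\AppData\Local\{11111111-2222-3333-4444-555555555555}",
    r"C:\Windows\Installer\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}\icon.ico",  # ordinary installer cache
    r"C:\Windows\assembly\GAC_32\Desktop.ini",
    r"C:\Windows\assembly\Desktop.ini",  # not inside GAC_32/GAC_64, so not flagged
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```
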

chillmark

  • Guest
Re: LOTS of trojans?
« Reply #14 on: July 17, 2012, 11:04:25 PM »
Here's the two files...

I'm glad you know what all this stuff means...very confusing stuff.