malware again

[SUSZANNAH]

I seem to be a magnet for malware lately.....although they are cleared. I would like to know why, I was logged off internet last night using Window Washer when siren went off alerting me to Trojan_Agent.Q went to chest no problem, but I had to scan with Avast to find another file the same, how come Avast did not alert me to the fact there was another Trojan present...it seems they are getting through Webshield and all protection I have, just curious that's all......

[kamulko]

Maybe this Trojan is self-reproducing if you didn't deleted it from the tmp files. Have you made a search in the tmp folder? Have you deactivated the system restore before the scan at reboot? Sometimes the panic turn off our mind...

[SUSZANNAH]

System Restore was already disabled, I used Window Washer to clear all temporary files, then did a scan with Avast, did a scan with Trend Micro just to double check all seems clear now, it was, I just thought that Webshield would have alerted me rather than have to do a scan and find it myself, although it picked up the first file, it picked up the second file on the on-demand, scan though...odd

[DavidR]

Come on Suszannah, you know the drill by now

What was the filename, where was it found
  example (C:\windows\system32\infected-filename.xxx)?

I take it you are still using IE probably on an account with admin privileges? How about a switch of browser or run all internet access programs using DropMyRights.

Don't forget you can use the boot-time scan now you are on XP.

Run hijackthis and see if there is anything unusual - useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.

[SUSZANNAH]

lol...I should David I get plenty of practise.....cleaned the virus no problem, done all the fancy bits, just wondered why Avast didn't alert me to the second  file, until I did a manual scan, I thought webshield would have put in an appearance on that one as well..........as a matter of fact I have kept the references to the files which are now long gone......
 original file name......a[1].exe
 virus description  ......Win32:Agent-Q [Trj] in temp files

Original file name....gxxwr.exe
virus  description.....Win32:Agent-Q [Trj] in C:\WINDOWS\system32.

[DavidR]

I too would havethought web shield would have put in an appearence, but I'm not sure how it works if you are using AOHell's browser.

You really should use another browser outside of AOHell, connect to AOHell and open your second browser. Also if you weren't browsing with admin privileges any virus wouldn't have admin privileges also so they shopuldnt be able to put files in the system folders and reap havock with admin privileges.

DropMyRights - Browsing the Web and Reading E-mail Safely as an Administrator

For ease of use I would suggest that you create a folder called DMR (on the C:\ drive) rather than the default location burried in the documents and settings folder. This makes the path in your shortcut much shorter, but this is your choice.
For each program (browser, email program, etc.) that you want to run with restricted rights you need to create an alternative desktop shortcut to launch it via DropMyRights.exe.
The target location in the alternative shortcut would look something like this - C:\DMR\DropMyRights.exe "C:\Program Files\Mozilla Firefox\firefox.exe". What this is doing is calling the DropMyRights.exe, which launches the program with restricted rights.
You will need to change the icon as it will look like a plain old MS DOS icon, rather than the original programs icon.

[SUSZANNAH]

Thanks David...will have to print this one out...just to get my head around it....lol, wish you could find me some easy things to do....

[whocares]

And of course if avast added detections for these AFTER they got on your Harddisk, then of course they will not be detected by any of the shields unless you run or touch them (e.g. with WindowWasher) or you do a full scan; easy, isn't it ?

 

P.S.:
Win32:Agent-Q -> Added may 31st to avast VPS

[DavidR]

Thanks David...will have to print this one out...just to get my head around it....lol, wish you could find me some easy things to do....

The link I gave you for MS DropMyRights has a good set of instructions and images to set it up and well worth printing off to follow.

When you get started it is often easier to make a copy of the current shortcut you use to launch the program and edit that, a little easier than creating a shortcut from scratch.