Author Topic: Win32 Trojan found  (Read 7757 times)

0 Members and 1 Guest are viewing this topic.

dford3772

  • Guest
Win32 Trojan found
« on: March 29, 2008, 02:27:32 PM »
I need help once again.  I took my PC to Circuit City two days ago only to have it cleaned.  When the tech inserted their flash drive
analyzer both Avast and Commodo went nuts on my machine.  A message notified of a Trojan Horse.  The tech IGNORED all this and
forced the analyzer program to run which showed I had a clean machine.

After bringing home my XP fully updated PC (64 athlon 3300 processor), I ran an Avast scan and it found two infected files and identified
them as Win32 Trojan which I moved to the chest.  I scheduled and ran a boot scan and moved files once again to the chest.  Re-scanned and PC is showing as clean. 

What do I do now?  I've already wasted $131 at CC and would not go back there for any reason.  I did see some false positives in this
list archive but finding the files seems to make mine very real.  Should I run a boot scan daily for a bit?  Do I need to run other programs?
Please help,
Donna in AR

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Win32 Trojan found
« Reply #1 on: March 29, 2008, 02:53:54 PM »
In detail, if a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

1. As posted before, disable System Restore on Windows ME, XP or Vista. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3.

2. Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).

4. It will be good if you download, install, update and run SUPERantispyware or Spyware Terminator.
If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
About legit antispyware applications or the bad ones: http://www.spywarewarrior.com/rogue_anti-spyware.htm#sites

5. If you still detecting any strange behavior or even you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster for XP/Vista. For XP only: Panda.

6. Also, if you still detecting strange behaviors or you want to be sure you're clean, maybe making a HijackThis log to post here and, specially, scan and submit to on-line analysis the RunScanner log would help to identify the problem and the solution.

7. After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.

8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
The best things in life are free.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32 Trojan found
« Reply #2 on: March 29, 2008, 03:02:05 PM »
It could be a false positive: sometimes 'tools' are detected in this way. Still, not good form to leave files on your computer that are detected as malware.

To check them out, export the files from the chest, temporarily disable avast! (otherwise you won't be able to access the files) and upload the detected files to VirusTotal.

Please post the results here.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

dford3772

  • Guest
Re: Win32 Trojan found
« Reply #3 on: March 29, 2008, 03:24:36 PM »
I extracted the files and sent them to Virus Total uploader.  Somehow I skipped the disable Avast but the files were sent it said.
I returned the copies to Chest because I really didn't know what to do though it said copies were in the uploader.  Having never done this before, I am a bit lost.  Earlier I also e-mailed both files to ALWIL software team by R. clicking.
Donna in AR

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Win32 Trojan found
« Reply #4 on: March 29, 2008, 03:58:03 PM »
But what were the results given by the VT scan ?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

dford3772

  • Guest
Re: Win32 Trojan found
« Reply #5 on: March 29, 2008, 04:17:33 PM »
Hi David,
It's been months but here I am again.  I don't think the VT upload was successful. I've only done this one time before but I did not
remember if the results were immediate and how they came.  Nothing so far so I doubt the upload worked.

I have the uploader downloaded and when i sent the infected files to it they appeared in the VT window with all warnings attached
and then a note came up at the bottom of the screen saying copies were in the uploader so I R. clicked and sent to VT but there was
a long wait message.  I did send the copies back to the chest because it appeared they were loose.  Do I need to re-do a different way.
The warnings said these files have Win32: Agent TOS.
Thanks,
Donna in AR

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Win32 Trojan found
« Reply #6 on: March 29, 2008, 06:04:07 PM »
The most common problem is trying to upload from the chest (though you mentioned extracting them) resulting in a 0 byte file size uploaded. The other possibility is avast stopping the upload because it is detected again, even if you select take no action or close the alert window.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder upload it to VirusTotal without avast alerting.

I don't know why you needed to have to do this, "I have the uploader downloaded and when i sent the infected files to it they appeared in the VT window with all warnings attached." You should only need to click the VirusTotal link Frank gave, when the site opens, click the Browse button. Using the pop-up window navigate to the c:\suspect folder and select the file you want to upload.

If you have created the suspect folder (excluded it also) and exported file from the chest avast shouldn't get in the way. The site can get busy and there might well be a wait, don't send the file/s back to the chest as that would effectively break the upload. You just have to be patient and allow the upload to complete and the scan to commence.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

dford3772

  • Guest
Re: Win32 Trojan found
« Reply #7 on: March 29, 2008, 07:18:30 PM »
I have decided this is probably real.  I did everything you said except the : and / could not be typed so i just called it C Suspect
both places.  I extracted the files and the warning went mad again and I was not allowed to move in any way to the VT upload box.
I tried right clicking and sending to VT--not allowed to move.

I may have inadvertently let the monster loose again.  I tried to copy, cut paste, move---nothing allowed.  It may be in my memory now for sure.

I finally got both of the files into VT by opening and the reading came back 0 bytes.  This is driving me to panic for i feel like this TH is just racing through my machine.  What should I do with the useless C Suspect file?
« Last Edit: March 29, 2008, 07:25:16 PM by dford3772 »

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32 Trojan found
« Reply #8 on: March 29, 2008, 07:22:57 PM »
Quote
Somehow I skipped the disable Avast but the files were sent it said.

If avast! is running, it will block the upload. VirusTotal will report the file has 0 byte.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

dford3772

  • Guest
Re: Win32 Trojan found
« Reply #9 on: March 29, 2008, 07:39:52 PM »
Thanks Frank you showed me what to do.  Both came back about the same results.  Here is one of them.

Can't get it to copy in to this file but I am a bit rattled.

I have a png. file of it but can't get it in here.
Donna

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32 Trojan found
« Reply #10 on: March 29, 2008, 07:41:58 PM »
You can cut and paste the result or use the 'Additional Options' er.. option to attach a .png file.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

dford3772

  • Guest
Re: Win32 Trojan found
« Reply #11 on: March 29, 2008, 07:44:55 PM »
I think this will do it.  Both files came back different from what Avast said it was.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32 Trojan found
« Reply #12 on: March 29, 2008, 08:00:34 PM »
I think they are false positives associated with the Panda online AV scanner.

Can you look in Start>Control Panel>Add/Remove and see if the Panda scanner is installed?
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

dford3772

  • Guest
Re: Win32 Trojan found
« Reply #13 on: March 29, 2008, 08:13:10 PM »
Yes, I have Panda Nano scan in that list and I have no idea where it came from.
What do I do next?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32 Trojan found
« Reply #14 on: March 29, 2008, 08:31:11 PM »
I suspect the techs at Circuit City used it to check your computer for viruses.

You can uninstall it from Add/Remove.
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog