Counterspy Trojans

Hello All.

I hope someone can help me with this. I’ve been using a PC for about 12 months now, and have used Avast (0609-1, 01/03/2006) and Counterspy from the beginning. I also run Kerio, Adaware, Spywareblaster and Microsoft’s Antispyware beta. I use Windows 2000, SP4, fully updated.

About 3 weeks ago, Avast found a Trojan (Win32:DyfucDldr-AC[Trj]) in the WINNT downloaded installations folder - namely a Sunbelt Counterspy folder. I couldn’t get rid of it, trying normal scans and safe mode scans, with the same results - it couldn’t be moved, deleted or moved to chest. In desperation, I deleted the file concerned, and the Trojan was then immediately found in another C’spy downloaded installations file. Deleted this, and the Trojan was gone. My immediate thought was a false positive, since I can’t believe it’s that easy to completely remove a Trojan.
Counterspy wouldn’t work anymore (!?) and so I uninstalled and then reinstalled, updated, and the Trojan was back, same place. (Again, false positive?)

Having a few days to waste and no wet paint to capture my attention, I decided to format, which I did. Reinstalled everything, updated all, and I now have another intruder (see attached). Again, it can’t be touched. In case I haven’t attached correctly (DOH!), it’s “Win32:Agent-JB[Trj]”.

I’ve read on here about the fact that it’s the whole file that is infected, and therefore has to be removed, but I can’t do this without messing up Counterspy.

Something I’ve been considering myself - when I install after format, I put Avast on, then Adaware, and the original Counterspy. I then update Avast and Adaware. I then go to Windows Update and download Internet Explorer 6. I then install the Counterspy 1.5 update from disc (it needs IE6). I then update C’spy, which includes another software update as well as definitions. Is it possible that if I remove Avast and C’spy completely, and reinstall C’spy FIRST, that Avast might not find these Trojans (assuming that they ARE false findings, which I know I can’t be sure of)?

I’ve contacted Avast Tech Help, and the woman there told me to do a MERIJN scan and send her the results, which I did. She said they seemed okay. I’ve since then done an EWIDO scan, which found nothing. Avast still found the attached.

I felt I needed some extra help, and so I’ve come here. Any advice would be much appreciated. Thanks in advance for anything you can offer.

Have you done a forums search for Win32:DyfucDldr-AC[Trj], as this has been covered a couple of times previously? If it is pointing to the Sunbelt CounterSpy folder it is probably a false positive detection of one of its malware signatures.

Thanks for the reply, David.

Yes, I have been searching the forums, and while there are a number of posts discussing the Win32:DyfucDldr Trojan, they all seem to be with reference to possible false positives when using Outpost, while mine are found in Counterspy files.

While this points me in the direction of coming to the same conclusion with regard to my system, I didn’t feel able to do so without asking for confirmation of this from people with more experience and knowledge than myself.

I could find no reference to the Win32:Agent-JB Trojan at all though, which is why I decided to post my request for assistance.

Any further comments would be appreciated. Graham.

avast will also give you the file name; also try searching for that, and that plus the virus name, in the forums. However, it does sound like avast detecting unencrypted signatures in CounterSpy.

When posting, using a virus name ‘Win32:Agent-JB’ on its own isn’t very helpful without the location and infected file name; this gives us more of an idea of what the problem might be. Example: (C:\windows\system32\infected-filename.xxx)
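The reply above describes the mechanism behind both of Graham's detections: one product's scanner finds, inside another product's signature file, the very byte patterns it uses itself. The toy scanner below is an added illustration and is not code from this thread, from Avast or from Sunbelt; every engine name, pattern, path and folder name in it is constructed for the example. It shows why a plaintext signature database trips a raw byte-pattern scanner while an encoded one does not, and collects the evidence the helpers here ask for (full path, file hash, which engines flag it) before calling a hit a false positive.

```python
"""Toy demonstration (constructed example, not any vendor's code) of why one
antimalware product's scanner can flag another product's signature database,
and of the evidence worth collecting before calling a hit a false positive."""
import hashlib
from pathlib import PureWindowsPath

# Constructed signature sets for three hypothetical engines. Engines A and B
# happen to use the same raw byte pattern for a downloader family; engine C
# keys on a different part of the same family.
SIGS_ENGINE_A = {
    "Example:Dldr-1": b"GET /dl.php?id=\x00\x90\x90",
    "Example:Agent-2": b"\xde\xad\xbe\xefMZpayload",
}
SIGS_ENGINE_B = {
    "Downloader.Example": b"GET /dl.php?id=\x00\x90\x90",
}
SIGS_ENGINE_C = {
    "Example-Dldr": b"\x55\x8b\xecfetch-stage2",
}


def scan_bytes(data: bytes, signatures: dict) -> list:
    """Return the names of every signature whose raw pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def build_plaintext_db(signatures: dict) -> bytes:
    """Signature file that stores the raw patterns verbatim (the problematic layout:
    the file on disk literally contains the bytes other engines look for)."""
    return b"\n".join(name.encode() + b"=" + pattern
                      for name, pattern in signatures.items())


def build_hex_db(signatures: dict) -> bytes:
    """Same content hex-encoded: the raw pattern bytes never appear on disk."""
    return b"\n".join(name.encode() + b"=" + pattern.hex().encode()
                      for name, pattern in signatures.items())


def triage(path: str, data: bytes, engines: dict, product_dirs: tuple) -> dict:
    """Summarise what a forum helper asks for: full path, a hash of the file,
    which engines flag it, and a tentative verdict.

    product_dirs: folder names the user knows belong to an installed security
    product (hypothetical parameter; the caller supplies them)."""
    hits = {engine: scan_bytes(data, sigs) for engine, sigs in engines.items()}
    flagged = sorted(engine for engine, names in hits.items() if names)
    parts = {part.lower() for part in PureWindowsPath(path).parts}
    inside_product_dir = any(d.lower() in parts for d in product_dirs)
    if not flagged:
        verdict = "clean"
    elif len(flagged) == 1 and inside_product_dir:
        # One engine only, and the file lives in another security product's
        # folder: consistent with that engine matching stored signatures.
        verdict = "likely false positive"
    else:
        verdict = "investigate"
    return {
        "path": path,
        "sha256": hashlib.sha256(data).hexdigest(),
        "hits": hits,
        "verdict": verdict,
    }


ENGINES = {"engine-A": SIGS_ENGINE_A, "engine-C": SIGS_ENGINE_C}
PRODUCT_DIRS = ("DownloadedInstallations",)  # constructed folder name

if __name__ == "__main__":
    db_path = r"C:\WINNT\DownloadedInstallations\{EXAMPLE-GUID}\defs.dat"
    for label, blob in (("plaintext", build_plaintext_db(SIGS_ENGINE_B)),
                        ("hex-encoded", build_hex_db(SIGS_ENGINE_B))):
        result = triage(db_path, blob, ENGINES, PRODUCT_DIRS)
        print(label, result["verdict"], result["hits"])
```

Running the block shows engine A flagging vendor B's plaintext database (the shared pattern is present byte-for-byte) while the hex-encoded copy of the same database is clean; a file that two independent engines both flag, or a single hit outside a known product folder, falls through to "investigate". The same habit applies to the thread's advice: the folder path and the independent scanners' verdicts, not the detection name alone, are what separate a genuine downloader from a scanner reading another vendor's definitions.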

Yeah, sorry :-[

File Name: C:\WINNT\DownloadedInstallations\{947CE1EC-E178-4E36-B91A-D173F41B7AE2}

Malware Name: Win32:Agent-JB[Trj]

Malware Type: Trojan Horse

VPS: 0609-1, 01/03/2006

Thanks.

Graham,

I don’t think the order in which these are installed will matter too much. If you’re sure these are false positives you can exclude the folder from being scanned using the Program Settings and Standard Shield settings.

Given the number of scans you’ve mentioned in this thread, and if you scan with BitDefender and ClamWin as suggested by Tech in your other thread, it does seem likely that these are false positives. You could also toss in a scan with Spybot S&D just for good measure.

If you google Win32:Agent-JB Trojan you will find a lot of information. It’s a trojan downloader when not an FP but, if you’re finding it in the same folder as Win32:DyfucDldr-AC[Trj], I personally would not worry too much.

Not to worry Graham, that’s how we learn. Looking at the Path it looks very much the same as the one (not complete) in the image you posted, so if it is I would treat it much the same as the other in the same location.

However, as belt and braces you could do a google search for the virus name and check if any of the reported symptoms, file names, registry entries, etc. exist, but I would think not.

The latest VPS version is 0609-3 as of a short time ago, so I suggest a manual update.

Welcome to the forums.

I’ve downloaded/updated/scanned with BitDefender and ClamWin, and found nothing. It seems like they were FPs after all.

Many thanks for all the help provided, it was very much appreciated.

Best regards to all,

Graham.

Just a quick follow-up on this.

Contacted Avast about this, and the 0610-2 (10/03/06) update has dealt with these false-positives. My scans are now clear!! ;D

Thanks to Petr at Avast, and to everyone here for their advice and support.