Is it a real threat?

Hi- I’m new to the forums and am not sure what info I need to post, but here goes…

A few months ago I had a computer technician remove my Symantec anti-virus, saying it had a bundled firewall that was interfering with me networking a printer. I installed Avast, which I heard is a reasonable alternative to commercial anti-virus. On installation, it found a Trojan. A week ago as I transferred game files to a second hard drive it recognized a second (or the same) trojan, and last night I ran a full scan and it found 2 more. In 5 years I may have found 1 virus with Symantec. Am I unlucky and just picked up something new? Is Avast giving me false alarms? Was Symantec undersensitive?

On a related topic, a few times over the past few weeks when I go into sleep mode, Windows asks me to restart/shut down to install updates. I have autoupdate set to notify me if it downloads Windows updates and I was not aware of new downloads. I did update Windows Media Player to allow my daughter to get movies off of iTunes. Could that do it, or could this be virus behavior? I haven’t seen it for several days - maybe it’s innocent…
Thanks for any help.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

You say the tech removed symantec, which you say had a bundled firewall, if that was also removed, what did you replace it with ?
avast isn’t a firewall (one is being developed, no date for release), though the Network Shield does provide a very limited intrusion check against common worm and virus ports, it isn’t a full firewall.

If you haven’t got a firewall, I’m surprised you only got 3 trojans. Based on what you said, one was on your system undetected by Symantec.

Thanks DavidR for the fast reply!
I’m at work now, so I’ll check the logs and post from home.
I have Windows Firewall (Service Pack 2) on and I have a router in place. I was advised that’s reasonably secure.

No problem, glad I could help.

The Windows XP firewall doesn’t provide any outbound protection.

Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Comodo looks well reviewed, I’ll probably try it. I’ve had trouble with my home wireless network with Zone Alarm. My wife’s laptop connects to my desktop and our printers through a wireless router. Any suggestions on getting outbound protection without getting messed up with my connections?

Also, I was looking through some other posts. Do I need/want a rootkit detector/remover?

Sorry I don’t use a wireless or wired network, so I can’t be much practical help, though I wouldn’t have thought there would be any requirement to configure the firewall.

You don’t really need any rootkit tools unless you suspect you have a rootkit or have a trojan/malware (the same one), that continually comes back. The reason I say this is these tools are constantly updated to cater for new rootkits/variants, so you would have to download the latest before each time you run it, otherwise out of date security software is almost as bad as none.

avast! 4.8, which is in beta testing at the moment, has a rootkit scanning element; that will differ, as I’m assuming any updates can be done through the normal avast auto update process.

Here’s my warning log.
Is Win32:Trojan-gen {Other} a specific trojan or a generic identifier?

2/1/2008 7:18:15 AM SYSTEM 144 Sign of “Win32:Zorro [trj]” has been found in “C:\WINDOWS\DOWNLOADED PROGRAM FILES\CPCSCAN.DLL” file.
2/24/2008 10:31:38 PM SYSTEM 204 Function setifaceUpdateFiles() has failed. Return code is 0x20000011, dwRes is 20000011.
2/24/2008 10:31:38 PM SYSTEM 204 An error has occured while attempting to update. Please
3/8/2008 10:43:58 PM eric 196 Sign of "has been found in “F:\X-Men Legends 2\apache-xml2.exe” file.
3/17/2008 12:03:07 AM eric 3884 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\eric\Desktop\Mods\civmods\xmentrainer\apache-xml2.exe” file.
3/17/2008 12:15:18 AM SYSTEM 220 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\SYSTEM VOLUME INFORMATION_RESTORE{8AD14770-E05C-478B-A385-25802715B52B}\RP932\A0099511.EXE” file.
3/18/2008 12:58:32 AM eric 3884 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information_restore{8AD14770-E05C-478B-A385-25802715B52B}\RP932\A0099511.exe” file.
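As an added illustration (not code from this thread or from avast), a small Python triage helper for Log Viewer lines in the format posted above: it parses each detection, separates hits inside old System Restore points (the `System Volume Information\_restore{GUID}` paths) from live files, flags `-gen` names as generic signatures rather than a specific sample, copes with a line whose signature name was lost, and counts update failures separately. The quote handling and the reading of the `-gen` suffix are assumptions about avast’s output as the forum rendered it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A subset of the avast Log Viewer lines posted above (quotes as the forum rendered them).
LOG = r'''
2/1/2008 7:18:15 AM SYSTEM 144 Sign of “Win32:Zorro [trj]” has been found in “C:\WINDOWS\DOWNLOADED PROGRAM FILES\CPCSCAN.DLL” file.
2/24/2008 10:31:38 PM SYSTEM 204 Function setifaceUpdateFiles() has failed. Return code is 0x20000011, dwRes is 20000011.
3/8/2008 10:43:58 PM eric 196 Sign of "has been found in “F:\X-Men Legends 2\apache-xml2.exe” file.
3/17/2008 12:03:07 AM eric 3884 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\eric\Desktop\Mods\civmods\xmentrainer\apache-xml2.exe” file.
3/17/2008 12:15:18 AM SYSTEM 220 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\SYSTEM VOLUME INFORMATION_RESTORE{8AD14770-E05C-478B-A385-25802715B52B}\RP932\A0099511.EXE” file.
'''

Q = '[“”"]'  # accept curly or straight quotes around the signature name and the path
HEADER = re.compile(r'^(\S+ \S+ [AP]M) (\S+) \d+ (.*)$')
DETECT = re.compile(Q + r'(.+?)' + Q + ' has been found in ' + Q + r'(.+?)' + Q + r' file\.$')
PATH_ONLY = re.compile('has been found in ' + Q + r'(.+?)' + Q + r' file\.$')
# System Restore copies live under "System Volume Information\_restore{GUID}\RPnnn"; the forum
# rendering lost the backslash before _restore, so it is optional here (assumption).
RESTORE = re.compile(r'system volume information\\?_restore\{', re.IGNORECASE)

@dataclass
class Event:
    when: str
    user: str
    kind: str                   # "detection" or "update_error"
    name: Optional[str] = None  # None when the log line lost the signature name
    path: Optional[str] = None
    generic: bool = False       # "-gen" names: generic/heuristic signature, not a specific sample
    restore_copy: bool = False  # hit inside an old System Restore point, not a live file

def parse_line(line: str) -> Optional[Event]:
    if not (m := HEADER.match(line.strip())):
        return None
    when, user, msg = m.groups()
    if 'has failed' in msg or 'attempting to update' in msg:
        return Event(when, user, 'update_error')
    d = DETECT.search(msg)
    p = PATH_ONLY.search(msg)  # fallback for a line where only the path survived
    if not d and not p:
        return None
    name, path = d.groups() if d else (None, p.group(1))
    return Event(when, user, 'detection', name, path,
                 generic=bool(name and '-gen' in name.lower()),
                 restore_copy=bool(RESTORE.search(path)))

def triage(text: str) -> dict:
    out = {'live': [], 'restore_copies': [], 'update_errors': []}
    for ev in filter(None, map(parse_line, text.splitlines())):
        key = 'update_errors' if ev.kind == 'update_error' else ('restore_copies' if ev.restore_copy else 'live')
        out[key].append(ev)
    return out
```

Restore-point copies are the ones to clear by purging old restore points; the live entries are the files worth submitting to a multi-engine scanner, and repeated update errors mean the definitions used for those scans may be stale.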

For the following files, CPCSCAN.DLL (may be a Crucial Technologies file) and apache-xml2.exe (no hits on google which I would say is unusual). For the others found in the System Volume Information folder I wouldn’t worry about those, in fact I would tend to clean out the old system restore points and create a new clean start point, see below.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently over 30 different scanners.

In order to do that you would need to export (not restore) the files from the Infected Files section of the chest, avast will probably alert again, but see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Create Clean Restore Point - Clear old Restore Points.

Now you are clear of infection create a clean System Restore point:

  1. Click Start, All Programs, Accessories, System tools, System Restore.
  2. In the pop-up that appears fill in the radio button to Create a Restore Point
  3. Click NEXT
  4. Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
  5. Click CREATE

You now have a clean restore point, you should clear the old ones:

  1. Click Start, All Programs, Accessories, System tools, Disk Clean Up
  2. Click OK on the C: drive
  3. Click the More Options tab
  4. In the System Restore section click the Clean Up button

Thanks again for the hand holding DavidR.

I extracted the suspect files to "suspect" but couldn’t upload them to Virus Total. Every time I tried it reported they had 0 bytes of data. I tried emailing them as attachments, but same deal, even though they were some 36 kb in the folder (if I remember - I deleted them, choosing the “Delete permanently” option when Avast noticed them moving to recycle). Odd.

Anyway, Apache is a no CD crack I downloaded (I own the game, I don’t pirate) and I guess it was hiding a trojan.

I set a new restore and am waiting on Disk Cleanup as we speak (well, type). Are you familiar with CCleaner? I use it as a cleaner program. Any idea if it’ll remove old restore points?

By the way, do you think the behavior I described in the first post was suspicious? Reading all this virus stuff is making me paranoid!

Maybe you should add these files to an archive (zip) file, temporarily disable the avast Internet Mail provider and send them to VirusTotal by email.

As far as I know, CCleaner does not delete old restore points.

I did something similar. I found the infected files on my backup image and uploaded them. Virustotal recognized them with a few of its scans.

Does avast recognize too?
Right now, is your computer clean?
Do you need further help?

Yes, Avast recognized them, which is how I got to this point.
I think I’m clean now, with a negative scan earlier today! Thanks for the help!