Re: [H] Trojan??
Hi,

Judging from your info, it mostly sounds like a browser hijacking. Nice ;) Currently there is no way to avoid this sh*t when using IE, sorry. Back up your data before doing anything else.

Being in your shoes for a moment, I'd check the assigned IP addy, the assigned Gateway addy, and the assigned DNS addy (both Primary and Secondary DNS). Next, check the browser's network settings for anomalies. safer-networking.org is your friend - if you have the cojones, go to gomer.net.

Please remember, no AV solution is perfect - it sometimes takes up to 'several' weeks before they get their signature files right. In the meantime we're stuck with whatever trash the internet may offer :)

Sam Franc wrote:
This a.m. when I started up, a message came on the screen from AVG. AVG finds you have a trojan. Do you want to remove it forcefully? I clicked yes and the message reappeared. I could not get rid of it. I restarted the computer and the message was gone. Now when I start Firefox I get a message that it is taking too long, no matter what URL I try to get. Is that the trojan working? What should I do now?
Re: [H] Trojan??
Sorry Ali,

Cannot forward it to you. Drive crashed and all is lost. Windows was trashed and could not be repaired. Am on a new HD. Don't know if it was the Trojan or the removal by AVG that did it. Will not try the AVG removal in the future except as a last resort.

Sam

Mesdaq, Ali wrote:
Hmm, that's odd. How big is the file? Can you zip up the files and upload them somewhere for me to get? I can run it through our systems and tell you what I find out about the files.

Thanks,
--
Ali Mesdaq (CISSP, GIAC-GREM)
Sr. Security Researcher
Websense Security Labs
http://www.WebsenseSecurityLabs.com

--
Sam Franc
On the Oregon Coast
I must be willing to give up what I am in order to become what I will be. -Einstein

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.173 / Virus Database: 270.8.0/1723 - Release Date: 10/13/2008 6:42 PM

Protected by Websense Hosted Email Security -- www.websense.com
[H] Trojan??
This a.m. when I started up, a message came on the screen from AVG. AVG finds you have a trojan. Do you want to remove it forcefully? I clicked yes and the message reappeared. I could not get rid of it. I restarted the computer and the message was gone. Now when I start Firefox I get a message that it is taking too long, no matter what URL I try to get. Is that the trojan working? What should I do now?

--
Sam Franc
On the Oregon Coast
I must be willing to give up what I am in order to become what I will be. -Einstein
Re: [H] Trojan??
Wait - it found a Trojan in the Zone Alarm setup files? That to me sounds like a false positive - most likely those files contain a heuristic pattern to help ZA discover Trojans and AVG is picking that up as an actual Trojan. That's been known to happen. But hey, it could also be some really clever Trojan writer who decided to hide their malware among known false positives.

Try running Windows Defender and see what that gives you. Also, you might want to boot from one of the various Linux Live CDs and run a scan of your system as well. If you have a rootkit infection that might be the only way to detect it.

--
Brian

On Tue, Oct 14, 2008 at 2:12 PM, Sam Franc [EMAIL PROTECTED] wrote:
Brian, I have been running an AVG scan and it has found several places for the Trojan Horse Agent_r.CX in Zone Alarm setup files on my desktop: Zls setup_70_484_000, 70_337_000, 70_483_000, 70_462_000. If I put those files in the recycle bin and empty it, will that get rid of them?

Sam
Re: [H] Trojan??
That very well may be the Trojan redirecting all your DNS requests to its own DNS server, but the server might not be up, or it might be redirecting you to an IP of its own and that IP could be down. Trojans messing with DNS are especially dangerous because even if you type www.wellsfargo.com you could be going to a phishing site. Here is a recent blog we wrote about a scam that happened to a friend of one of our researchers: http://securitylabs.websense.com/content/Blogs/3184.aspx

Thanks,
--
Ali Mesdaq (CISSP, GIAC-GREM)
Sr. Security Researcher
Websense Security Labs
http://www.WebsenseSecurityLabs.com

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Sam Franc
Sent: Tuesday, October 14, 2008 9:04 AM
To: hardware@hardwaregroup.com
Subject: [H] Trojan??

This a.m. when I started up, a message came on the screen from AVG. AVG finds you have a trojan. Do you want to remove it forcefully? I clicked yes and the message reappeared. I could not get rid of it. I restarted the computer and the message was gone. Now when I start Firefox I get a message that it is taking too long, no matter what URL I try to get. Is that the trojan working? What should I do now?
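Combining the first reply's advice to check the assigned IP, gateway and DNS addresses with Ali's point above about trojans redirecting DNS, here is an added example (not from the thread or from any of the posters) that parses the text of `ipconfig /all` and flags a gateway or DNS server that does not fit the local network. The sample `ipconfig` output and the known-good resolver set are constructed assumptions.

```python
"""Flag DNS/gateway settings that look like a DNS-redirecting trojan's work.
Added example for this thread, not code from any poster. The ipconfig text
below is constructed and KNOWN_GOOD_DNS is an assumption for the reader to fill in."""
import ipaddress
import re

# Constructed sample of `ipconfig /all` output from a machine whose
# DNS servers have been swapped for addresses outside the local network.
SAMPLE_IPCONFIG = """
Windows IP Configuration
   Host Name . . . . . . . . . . . . : SAMS-PC

Ethernet adapter Local Area Connection:
   IP Address. . . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.77
                                       203.0.113.78
"""

# Resolvers the owner expects to see (assumption: a home router forwarding DNS).
KNOWN_GOOD_DNS = {"192.168.1.1"}

FIELD_RE = re.compile(r"^\s*(IP Address|Subnet Mask|Default Gateway|DNS Servers)[ .]*: (\S+)")
CONT_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\s*$")  # extra DNS servers on continuation lines
KEYS = {"IP Address": "ip", "Subnet Mask": "mask", "Default Gateway": "gateway"}


def parse_ipconfig(text):
    """Return a dict with ip, mask, gateway and the list of configured DNS servers."""
    cfg = {"dns": []}
    in_dns = False
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == "DNS Servers":
                cfg["dns"].append(value)
                in_dns = True
            else:
                cfg[KEYS[key]] = value
                in_dns = False
            continue
        c = CONT_RE.match(line)
        if c and in_dns:
            cfg["dns"].append(c.group(1))
    return cfg


def find_anomalies(cfg, known_good=KNOWN_GOOD_DNS):
    """Report a gateway outside the local subnet and any DNS server that is
    neither on the local subnet nor in the known-good set."""
    net = ipaddress.ip_network(f"{cfg['ip']}/{cfg['mask']}", strict=False)
    findings = []
    gateway = ipaddress.ip_address(cfg["gateway"])
    if gateway not in net:
        findings.append(f"gateway {gateway} is not on local subnet {net}")
    for server in cfg["dns"]:
        if ipaddress.ip_address(server) not in net and server not in known_good:
            findings.append(f"DNS server {server} is outside {net} and not a known resolver")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_ipconfig(SAMPLE_IPCONFIG)):
        print("ANOMALY:", finding)
```

Run it against the real output of `ipconfig /all` redirected to a file, and put your ISP's or router's resolver addresses in KNOWN_GOOD_DNS so legitimate off-subnet resolvers are not flagged.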
Re: [H] Trojan??
Try scanning those online at www.virustotal.com. Scanning against all those AVs gives what I call decent detection.

Thanks,
--
Ali Mesdaq (CISSP, GIAC-GREM)
Sr. Security Researcher
Websense Security Labs
http://www.WebsenseSecurityLabs.com

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Sam Franc
Sent: Tuesday, October 14, 2008 11:13 AM
To: hardware@hardwaregroup.com
Subject: Re: [H] Trojan??

Brian, I have been running an AVG scan and it has found several places for the Trojan Horse Agent_r.CX in Zone Alarm setup files on my desktop: Zls setup_70_484_000, 70_337_000, 70_483_000, 70_462_000. If I put those files in the recycle bin and empty it, will that get rid of them?

Sam
Re: [H] Trojan??
Could be a few different things going on. Might have been a false positive and you might have killed something necessary for your internet connection to work. But it might have also been a real trojan. Sometimes they insert themselves pretty deeply in system processes and removing them breaks the links that allow things like the network stack to work. Try rebooting, see if that helps. Also try safe mode. But don't get your hopes up.

---
Brian Weeden
Technical Consultant
Secure World Foundation
http://www.secureworldfoundtion.org
+1 (514) 466-2756 Canada
+1 (202) 683-8534 US

On Tue, Oct 14, 2008 at 12:04 PM, Sam Franc [EMAIL PROTECTED] wrote:
This a.m. when I started up, a message came on the screen from AVG. AVG finds you have a trojan. Do you want to remove it forcefully? I clicked yes and the message reappeared. I could not get rid of it. I restarted the computer and the message was gone. Now when I start Firefox I get a message that it is taking too long, no matter what URL I try to get. Is that the trojan working? What should I do now?
Re: [H] Trojan??
Brian,

I have been running an AVG scan and it has found several places for the Trojan Horse Agent_r.CX in Zone Alarm setup files on my desktop:

Zls setup_70_484_000
70_337_000
70_483_000
70_462_000

If I put those files in the recycle bin and empty it, will that get rid of them?

Sam

Brian Weeden wrote:
Could be a few different things going on. Might have been a false positive and you might have killed something necessary for your internet connection to work. But it might have also been a real trojan. Sometimes they insert themselves pretty deeply in system processes and removing them breaks the links that allow things like the network stack to work. Try rebooting, see if that helps. Also try safe mode. But don't get your hopes up.
Re: [H] Trojan??
I started sending my file to your site about an hour ago and it still has not been sent completely. It says do not stop until it is complete. How long does it take?

Sam

Mesdaq, Ali wrote:
Try scanning those online at www.virustotal.com. Scanning against all those AVs gives what I call decent detection.
Re: [H] Trojan??
Brian,

AVG cleared all the files except 3. I get a message "Bigger than archive size limit" for those 3. How does one change the archive file limit?

Sam

Brian Weeden wrote:
Wait - it found a Trojan in the Zone Alarm setup files? That to me sounds like a false positive - most likely those files contain a heuristic pattern to help ZA discover Trojans and AVG is picking that up as an actual Trojan. That's been known to happen. But hey, it could also be some really clever Trojan writer who decided to hide their malware among known false positives. Try running Windows Defender and see what that gives you. Also, you might want to boot from one of the various Linux Live CDs and run a scan of your system as well. If you have a rootkit infection that might be the only way to detect it.
Re: [H] Trojan??
Hmm, that's odd. How big is the file? Can you zip up the files and upload them somewhere for me to get? I can run it through our systems and tell you what I find out about the files.

Thanks,
--
Ali Mesdaq (CISSP, GIAC-GREM)
Sr. Security Researcher
Websense Security Labs
http://www.WebsenseSecurityLabs.com

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Sam Franc
Sent: Tuesday, October 14, 2008 5:40 PM
To: hardware@hardwaregroup.com
Subject: Re: [H] Trojan??

I started sending my file to your site about an hour ago and it still has not been sent completely. It says do not stop until it is complete. How long does it take?

Sam