UBCD4Win Forums: Trojan horse infection - UBCD4Win Forums


Trojan horse infection: Advice please

#1 grapher (Newbie; Group: Members; Posts: 2; Joined: 15-December 05)

    Posted 15 December 2005 - 07:30 AM

    I have a SOHO, licensed AVG anti-virus program which runs a full scan every 24 hours. Yesterday my PC was clean. This morning's scan revealed "Trojan horse Dropper Agent.ABR" within the UBCD for Windows XP installation file identified as UBCD4WinV255.exe. It was described as "embedded object". Equally, AVG identified the same trojan horse within the installed program at: pebuilder313\plugin\cisco\files\discon.exe AND AGAIN at: pebuilder313\plugin\cisco\files\cisco.exe

    AVG stated that these last two files had been deleted as they "could not be healed".

    I believe that my machine is now clean once again; however, does this instance indicate that pebuilder and thus UBCD is vulnerable to Trojan horses? My knowledge of these issues is minimal. I realise that pebuilder is not a UBCD program but it is necessary if UBCD CDs are to be created.

    My PC has AVG, Agnitum Outpost as well as Microsoft anti-spyware beta, so my next query is "How on earth does a trojan horse get past that security curtain?" Subsequent scans by these agents tell me that my machine is now clean. My ADSL router also claims to have hard-wired firewall protection too!

    Will someone educate this novice on the issue please?

    #2 SteelTrepid (Administrator; Group: Admin; Posts: 6,191; Joined: 27-April 04; Gender: Male; Location: Ohio)

      Posted 15 December 2005 - 08:43 AM

      Ultimately it's the end user's responsibility to verify the MD5 hash of their download. This helps confirm that you didn't get a corrupt download or one that could be modified with bad intentions. Every time that this type of issue is brought up it has always been a "false positive." I really need to make a pinned post somewhere and/or add a FAQ about this.

      This is what I suggest:
      1. Always verify the MD5 hash for your download.
      2. Scan the UBCD4Win file with several free online scanners if your system AV software reports viruses.
      3. If none of the online scanners find a virus, submit the files to your AV software company. They will test the files and confirm that it is a virus or it is a false positive. Most virus companies work pretty quickly with this. Their next def. update for their software will probably eliminate the false positive.

      I don't think anyone has ever reported those files as viruses, so this is a new one. They are AutoIt scripts so there is probably something that your AV software doesn't like about them.

      AV companies work very hard to keep us protected so I don't blame them for these issues. It does kinda suck because maybe other people have seen these false positives but didn't want to take the time to ask about it like you. So because of the AV companies being overprotective and making mistakes sometimes, we could lose users?? I just figure and hope most people will ask questions and allow us to explain.

      How long have you had UBCD4Win on your system?? If you've had it for a while and are now getting this, then I'm sure it's just a false positive in their latest definition update.
      "I play Russian roulette everyday, a man's sport, with a bullet called life"

      "My cause is noble, my power is pure"
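Step 1 above (verify the published hash before trusting a download) is the one part of this advice that can be scripted, so here is an added example; it is not code from the UBCD4Win project or from any poster. It assumes the publisher posts the hash either as a bare hex string or as an md5sum/sha256sum-style sidecar file ("<hex>  <filename>"); the installer, its content and the sidecar are constructed in a temp directory so the script runs offline. The file is streamed in chunks because, as noted later in the thread, the real installer is over 80 MB. Two caveats a practitioner should keep in mind: a matching hash proves the file is the one the publisher hashed, not that the publisher's copy is clean, and MD5 collisions are practical, so prefer SHA-256 whenever the site offers one.

```python
"""Verify a downloaded installer against its published checksum before trusting it.

Added example for this thread, not code from the UBCD4Win project. The sample
"installer" and sidecar below are constructed stand-ins written to a temp dir.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB pieces: an 80 MB installer should not be slurped into RAM


def file_digest(path, algo="md5"):
    """Hex digest of a file, streamed. 'algo' is any name hashlib knows (md5, sha256, ...)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_sidecar(text):
    """Parse 'hex  filename' lines as written by md5sum/sha256sum.

    GNU tools emit two spaces, or ' *' in binary mode; both are accepted.
    Blank lines and '#' comments are skipped. Returns {filename: hex}.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if name:
            expected[name] = digest.lower()
    return expected


def verify_download(path, expected_hex, algo="md5"):
    """True only if the file's digest equals the published one (case-insensitive).

    The published hash is public, so this is an integrity check, not a secret
    comparison; plain equality is appropriate here.
    """
    return file_digest(path, algo) == expected_hex.strip().lower()


def verify_against_sidecar(path, sidecar_path, algo="md5"):
    """Look the file up by basename in the sidecar and verify it. No entry -> False."""
    with open(sidecar_path, "r", encoding="utf-8") as f:
        expected = parse_sidecar(f.read())
    hex_digest = expected.get(os.path.basename(path))
    if hex_digest is None:
        return False
    return verify_download(path, hex_digest, algo)


def demo():
    """Constructed scenario: a good copy and a tampered copy checked against one sidecar."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "UBCD4WinV255.exe")  # name from the thread; content is fake
        with open(good, "wb") as f:
            f.write(b"hello")  # constructed stand-in for the installer bytes
        md5 = file_digest(good, "md5")
        sidecar = os.path.join(d, "UBCD4WinV255.exe.md5")
        with open(sidecar, "w", encoding="utf-8") as f:
            f.write(f"{md5}  UBCD4WinV255.exe\n")  # md5sum-style sidecar

        # Same filename, one extra byte: what a modified mirror copy would look like.
        os.mkdir(os.path.join(d, "mirror"))
        tampered = os.path.join(d, "mirror", "UBCD4WinV255.exe")
        with open(tampered, "wb") as f:
            f.write(b"hello!")

        return {
            "md5": md5,
            "sha256": file_digest(good, "sha256"),
            "good_ok": verify_against_sidecar(good, sidecar, "md5"),
            "tampered_ok": verify_against_sidecar(tampered, sidecar, "md5"),
            "bare_hex_ok": verify_download(good, md5.upper()),  # case differences tolerated
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it with `python verify_download.py`; to check a real download, call `verify_against_sidecar("UBCD4WinV255.exe", "UBCD4WinV255.exe.md5", "md5")` and refuse to run the installer unless it returns True.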

      #3 rdsok (Group: Admin; Posts: 6,037; Joined: 02-October 05; Gender: Male; Location: Norman, Ok. USA)

        Posted 15 December 2005 - 11:12 AM

        This isn't a trojan infection as AVG is claiming... its a false positive that was introduced in the latest AVG virus definition update.

        If you suspect a file to be a false positive, test the file at http://virusscan.jotti.org/ and, if it is a false positive, archive (zip, arc, tar etc.) the file using a password and email a copy to [email protected] with a brief description as well as the password you used to archive it with. In this case, I would suggest sending a link to the file instead of the actual file since it's over 80 MB in size.

        If it is a false positive, turn off heuristic scanning for the time being. When Grisoft adjusts the virus definitions you can turn it back on. (This won't work in all cases but will in most of them.)
        Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....

        #4 rdsok (Group: Admin; Posts: 6,037; Joined: 02-October 05; Gender: Male; Location: Norman, Ok. USA)

          Posted 15 December 2005 - 12:16 PM

          I reported this to Grisoft already... they have updated their virus definitions already to resolve this. Update your AVG. You will find they are very quick to resolve issues of this nature if you report them.
          Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....

          #5 pcuser (Project Programmer; Group: Moderator & Development; Posts: 3,889; Joined: 20-November 04; Gender: Male; Location: Kneebrasskee)

            Posted 15 December 2005 - 12:30 PM

            WOW, that was fast!

            SteelTrepid said: "I really need to make a pinned post somewhere and/or add a FAQ about this"

            I agree.

            Tom
            If you're afraid of taking any chances then the chances are great that you will never learn anything

            Multiboot Plugins - UBUSB (Ultimate Boot USB) - EzPcFix - RootKitty - Network Configuration Utility - UnIsoFS - A Small Linux Distro - SELogger - HashME - WSock - My Paypal

            #6 webmedic (Ultimate Member; Group: 911Cd Forum Guru; Posts: 579; Joined: 24-October 04)

              Posted 15 December 2005 - 12:39 PM

              Speaking of this, while beta testing Kaspersky 2006 it picked up, of all things, aida32 and deleted it off my system. So at least it's not so bad if they at least ask you first before deleting things.

              #7 thomasjk (Advanced Member; Group: Members; Posts: 373; Joined: 09-November 05)

                Posted 16 December 2005 - 09:37 AM

                rdsok, on Dec 15 2005, 12:16 PM, said:

                I reported this to Grisoft already... they have updated their virus definitions already to resolve this. Update your AVG. You will find they are very quick to resolve issues of this nature if you report them.


                I can confirm that the updated definitions eliminate this issue with AVG Free. During a scan last night AVG Free found false positives in UBCDWIN255.exe on my desktop machine. I rescanned this morning with updated definitions and nothing was found. :) The AVG Free corrected definition file is 267.14.1.204.

                Thanks, Randy.
                Tom K.

                #8 LittlBUGer (Main Mirror/Here Since Beginning; Group: Members; Posts: 4,698; Joined: 27-May 04; Location: MT, USA; Interests: Computers and stuff... :-))

                  Posted 16 December 2005 - 10:24 AM

                  Wait, your name is Randy?! Man, I thought I was unique here. ;)



                  "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - Albert Einstein
                  "Computers are really strange - first everything works fine, then something goes terribly wrong and nothing works, and then - like a thunderbolt from a clear sky, everything is back to normal again. It's like nothing ever happened. Like the computer were female." - Unknown
                  "Some people say that I must be a terrible person, but it's not true. I have the heart of a young boy. In a jar on my desk." - Stephen King
                  "If there is anything the nonconformist hates worse than a conformist, it's another nonconformist who doesn't conform to the prevailing standard of nonconformity." - Bill Vaughan
                  "Microsoft Windows [n.]: A thirty-two bit extension and GUI shell to a sixteen bit patch to an eight bit operating system originally coded for a four bit microprocessor and sold by a two-bit company that can't stand one bit of competition." - Unknown
                  "When a newly married couple smiles, everyone knows why. When a ten-year married couple smiles, everyone wonders why." - Unknown

                  #9 rdsok (Group: Admin; Posts: 6,037; Joined: 02-October 05; Gender: Male; Location: Norman, Ok. USA)

                    Posted 16 December 2005 - 11:21 AM

                    LittlBUGer, on Dec 16 2005, 09:24 AM, said:

                    Wait, your name is Randy?! Man, I thought I was unique here. ;)


                    I guess you're not unique in the name area now...

                    (but look at all your other qualities... there must be something... :D)
                    Plan A is always more effective when the device you are working on understands that Plan B involves either a large hammer or screwdriver....

                    #10 grapher (Newbie; Group: Members; Posts: 2; Joined: 15-December 05)

                      Posted 17 December 2005 - 01:37 PM

                      I'd like to say thanks to all those of you who replied to this post, and with so much good stuff to read. The early hunch of a false positive proved to be right, of course. I had had UBCD on my machine for a few months and used it three times, each time with no trouble whatsoever. It will be a real boon when and if I need to work on my installation. ;)

                      Sorry I didn't reply earlier but have been out of touch for a day or two.