AVG Found a Trojan

From: "Lou" <louisr.RemoveThis@toast.net>

| My anti virus program, AVG, automatically scans my computer every morning at
| 9 AM.
| Yesterday it reported that it changed the following files: kernel32.dll;
| user32.dll; shell32.dll; ntoskrnl.dll; and hosts, and found the following:
| Trojan horse Downloader.VB.AXO and file A0032564.exe. It then deleted this
| file.

The file changes were due to a recently installed patch.


| This morning it again reported that it changed the same five files, but did
| not find a Trojan.
| However my System Restore has been made useless. It will not make a restore
| point and it will not restore my computer to a previously made restore
| point.
| I went to Start|My Computer|Properties and the "Turn off System Restore" box
| was unchecked.
| How can I be assured this Trojan is no longer on my computer?
| How can I recover "System Restore"?


Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/ds/28400/28470/Multi_AV.exe

http://www.pctipp.ch/downloads/dl/35905.asp

English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with...ltiple-

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 >> Stay informed about: AVG Found a Trojan 

From: "VanguardLH" <V RemoveThis @nguard.LH>

< snip >

|
>> hosts
|
| Don't know why it cares about the hosts file. That lists IP addresses
| for unresolved hostnames (and is looked up before a DNS query so it
| can be used to mask out "bad" sites). There is obviously no malware
| in a hosts file, just a list of hostname-to-IPaddress lookups.
|

< snip >

It is prudent to monitor the etc/hosts file for alterations. Many forms of malware will
insert line to misdirect legitimate sites to illegitimate/malicious sites.

For example.
You go to your browser and and type; http://www.google.com
Instead of going to Google, the browser goes to a porn site because of entries in the
etc/hosts putting in the static IP address of the porn site.

Another example.
A Trojan places an entry in the etc/hosts file that redirects www.mcafee.com to the
diagnostic responder address [ 127.0.0.1 ]. This way McAfee can not resolve to a web site
and it will fail to get signature updates allowing the Trojan to reamin on the PC because
there are no signatures to find it and McAfee can no longer obtain updates.

Conversely, the etc/hosts file can be used to block access to known malicious sites.
Most well know is the MVP Hosts file
http://www.mvps.org/winhelp2002/hosts.htm

This is because of the default methodology that the OS uses to perform a name to IP address
lookup.

First the OS checks the hosts file. If there is a line item in this table then the OS uses
the IP address found in the table referenced to the host name.
Second is if there is no entry in the hosts table. Then the OS will make a query to a DNS
server to resolve the host name to an IP address.

BTW: I believe there is a registry entry to change the order of how the OS performs name
resolution.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
 >> Stay informed about: AVG Found a Trojan