Trojans are crazy!
coldplay
April 9th, 2007, 10:58 PM
VGADown, GHook, mppds
I just found out that these 3 trojans, or types of trojans, or one of these 3, penetrated my system without me installing anything, while protected by Antivir PP + Prevx1.
I don't even know how they did that. They were not there a couple of days ago and I have not installed anything. I only go to reputable sites. I survived the .ANI threat. And both Antivir PP and Prevx1 advise that they can detect trojans. Well, they failed me on this one.
Any suggestion about what I should do? Change software or add a dedicated anti-trojan? Or continue relying on Antivir PP and Prevx1 and start praying.
PS. Just did a search; the file was "upxdnd.dll".
see post #9
Perman
April 9th, 2007, 11:11 PM
Hi, folks: One silly question: How did you find out their presence? None of your trusted apps has done so???
coldplay
April 9th, 2007, 11:19 PM
-{ Quote: "Hi, folks: One silly question: How did you find out their presence? None of your trusted apps has done so???" }-
I found out those during a routine check by using another on-demand scanner which was not SAS ( >_< ).
Perman
April 9th, 2007, 11:43 PM
Hi, Coldplay: Trojans can stay dormant for a long time w/o executing their code. When it is inactive, only an on-demand scanner can detect it. When it commences execution, a realtime guard, such as Prevx1's, can instantly pick it up. BTW, have you done a complete file scan w/ Prevx1? If not, why not try it; it may be a surprise to you.
innerpeace
April 9th, 2007, 11:59 PM
I found these. Prevx has it listed as unknown.
http://fileinfo.prevx.com/adware/qqffcc73404945-UPXD34010477/UPXDND.DLL.html
http://www.sophos.com/security/analyses/trojjda.html
I hope this helps.
Perman
April 10th, 2007, 12:12 AM
Hi, folks: Thank you for the informative inputs. Now I know that trojans can sneak into my box even w/ web browsing (see Sophos's note), not necessarily by installation. This theory will definitely cement my firm belief in the true value of sandbox/virtualization apps. I do my routine web surfing in frozen mode of DeepFreeze. When the task is done, reboot, and no more worries. I think I have made a wise investment on this one. Truly. :thumb:
innerpeace
April 10th, 2007, 12:40 AM
I took interest in this thread because I am considering installing Prevx1. I'm wondering if you were notified that this was an unknown/caution file and allowed it? I'm not accusing, I'm just wondering. I'm still trying to wrap my head around how Prevx works. I know it checks your database of files and, if not known, then the community database. Also, do you run as a limited user or admin?
I agree with the infection from visiting sites being scary. I guess they are called drive by downloads. I trust myself to not install something bad (at least 90% of the time ;D ). But for something to sneak up and bite ya from behind is just nasty. I really need to get a backup system going and some sort of sandboxing or vm program running.
Perman
April 10th, 2007, 12:50 AM
Hi, folks: I now have my full faith in Prevx1, although it is not 100% airtight. That is why I use DeepFreeze to back it up. What I have done w/ Prevx1 is this. First I installed it for free until the first incident, then x days of trial kicked in. After that period, I subscribed for 3 months. Then I got lucky receiving a key as a gift from one member of this forum. I would give it a very serious consideration. Good luck.
coldplay
April 10th, 2007, 12:50 AM
I am pretty sure those files, or that file, were newly resident in my system. I have done complete scans once every week with Antivir PP, Prevx1 and SAS.
innerpeace
April 10th, 2007, 02:02 AM
Let me get this right. Was SAS the one that detected the file with an on-demand scan? Have you removed and or cleaned your system of the malware?
EASTER.2010
April 10th, 2007, 02:08 AM
Please hear me out. Even the best AS/AT scanners will never be enough; you have got to employ a HIPS of one name or another. That way you get alerted IMMEDIATELY, regardless of any blacklist database that can't keep up with everything as fast as they would like.
I use System Safety Monitor (beta tester/fully licensed) and I have trialed Cyberhawk, Spyware Terminator, and others with resounding success. I was given a URL to a "known" drive-by site; my "resident guard" anti-spyware program was totally blind that a fierce dropper had made entry, but SSM was johnny-on-the-spot and instantly SUSPENDED the file and afforded me time to make a decision to DENY it, and that was all she wrote. No problem, no issue.
You have to get that web shielding in place along with your scanners & resident AS's, because they can't identify everything; HIPS does, and stops anything which exhibits itself as a process, to hand over full control to you, the user, so you know what the heck is going on.
My 2-cents worth if it matters.
innerpeace
April 10th, 2007, 02:27 AM
Easter.2010, Isn't Prevx1 'an easy to use HIPS' type of program? That's why I was asking if the OP had perhaps allowed an unknown/caution file to run. I'm just learning, but I do see the importance and power that my right finger on the mouse has as to allowing or denying a file. I guess somewhere between the alert and click I need to insert a few brain cells. You bring up that point also because SSM alerted you and you could either allow or deny the malware.
FWIW, I would run SSM free in a heartbeat if I had a little more knowledge. Also, your 2 cents matters to at least 1 person.
coldplay
April 10th, 2007, 02:49 AM
-{ Quote: "Let me get this right. Was SAS the one that detected the file with an on-demand scan? Have you removed and or cleaned your system of the malware?" }-
It wasn't SAS; post #3 stated it. I have removed the file or registry already.
-------------
@EASTER
Isn't Prevx1 HIPS software?
---------
@ innerpeace
Prevx1 has not warned about anything. I checked the link you gave; they helped, thx.
innerpeace
April 10th, 2007, 03:46 AM
Hi coldplay, good to hear you removed the malware. I just did a quick search for the file you mentioned, upxdnd.dll. There were many other hits too when searching Google. You might check those out too. Being that it's a trojan, you might try other free scanners too, just to be sure that everything is gone. I wish you luck and I'm off to bed. Take care.
Perman
April 10th, 2007, 08:10 AM
Hi, folks: As I stated earlier, if a trojan stays dormant, not active, none of the mighty HIPS CAN sense its presence (correct me, if you will). Only the moment it starts to make a move, bingo, some of your defense mechanisms will sound off the alarm. To get rid of those sleeper-cell types of malware, on-demand scanners or the sandbox model, IMO, are still the better solution. A trojan will not harm you until it EXECUTES. Among your firewall, O/S firewall, AV's behavior control, AS's shield, AT's guard and of course HIPS, one ought to function accordingly. Otherwise, you'd better realign your defense team! Have a nice one.
JerryM
April 10th, 2007, 10:11 AM
-{ Quote: "It wasn't SAS; post #3 stated it. I have removed the file or registry already.
-------------
@EASTER
Isn't Prevx1 HIPS software?
---------
@ innerpeace
Prevx1 has not warned about anything. I checked the link you gave; they helped, thx." }-
Is there some reason you don't want to name the other scanner that found the trojans?
Best,
Jerry
trjam
April 10th, 2007, 11:35 AM
Panda. 8)
coldplay
April 10th, 2007, 12:11 PM
-{ Quote: "Is there some reason you don't want to name the other scanner that found the trojans?
Best,
Jerry" }-
It's a Chinese anti-malware scanner; I don't think many ppl here are willing to give it a try. Also, I said some good things about this scanner before, and some guy called me an adviser. The software is called "ArSwp" and it doesn't have an English site, but the software itself has an English interface though. www.arswp.com
Perman
April 10th, 2007, 12:30 PM
Hi, Coldplay: I read Chinese and I have gone to the site, d/l, inst the app (green copy); it has an English version. During the scan, it requests internet access. Is this safe to allow? I did not go any further w/o investigating its purpose of connecting to the internet, to its server (database)? Can you help me w/ this issue. Seems a good product. I am very interested in it. Thanks.
coldplay
April 10th, 2007, 12:33 PM
-{ Quote: "Hi, Coldplay: I read Chinese and I have gone to the site, d/l, inst the app (green copy); it has an English version. During the scan, it requests internet access. Is this safe to allow? I did not go any further w/o investigating its purpose of connecting to the internet, to its server (database)? Can you help me w/ this issue. Seems a good product. I am very interested in it. Thanks." }-
I allowed it; you can't trust any anti-virus/malware software if it doesn't need an Internet connection. It updates signatures at startup. What I like about this software is it doesn't ask you to install, which makes it a perfect on-demand scanner along with Dr.Web CureIt. Also it has found some nasty stuff other programs were not able to find for me.
JerryM
April 10th, 2007, 12:44 PM
-{ Quote: "It's a Chinese anti-malware scanner; I don't think many ppl here are willing to give it a try. Also, I said some good things about this scanner before, and some guy called me an adviser. The software is called "ArSwp" and it doesn't have an English site, but the software itself has an English interface though. www.arswp.com" }-
Thanks for the reply, Coldplay.
Regards,
Jerry
Perman
April 10th, 2007, 01:12 PM
Hi, Coldplay: I did a scan, and it found two nasties in memory, to my surprise. Because I just did a complete scan w/ SAS and AVG AS, and none were found. The app's black/white lists are not in English and its scan results are not either. My PC can not read those scripts. I think I need to seek help from a friend for modification. Thanks anyway.
coldplay
April 10th, 2007, 01:14 PM
-{ Quote: "Hi, Coldplay: I did a scan, and it found two nasties in memory, to my surprise. Because I just did a complete scan w/ SAS and AVG AS, and none were found. The app's black/white lists are not in English and its scan results are not either. My PC can not read those scripts. I think I need to seek help from a friend for modification. Thanks anyway." }-
Download the Chinese language package from Microsoft; sorry, I don't know the link, but I believe Google will bring it up as the first link.
Mrkvonic
April 11th, 2007, 01:32 PM
Hello,
I'm still wondering how you contracted the disease.
What browser are you using?
Mrk
coldplay
April 11th, 2007, 01:36 PM
-{ Quote: "Hello,
I'm still wondering how you contracted the disease.
What browser are you using?
Mrk" }-
So am I.
IE 7
EASTER.2010
April 12th, 2007, 12:07 AM
-{ Quote: "@EASTER
Isn't Prevx1 HIPS software?" }-
Some might, but I can't in all honesty, mostly because I have zero experience/results with it aside from trying it out for a few days. The fact it requires an internet connection to its website DB doesn't par with me for confidence, but that's my own preference; others seem to prefer the opposite, and hey, if it works, fantastic. I would much rather choose to keep a local database of detectionables, like most anti-spyware apps, that can be updated from the server just long enough to build on the list and then stop.
Rmus
April 12th, 2007, 05:57 AM
-{ Quote: "I only go to reputable sites." }-
Last evening the Bell South support page - a reputable site by all accounts - was hacked (first reported on DSLR), and a trojan attempted to download by remote code execution.
-{ Quote: "Hi, folks: As I stated earlier, if a trojan stays dormant, not active, none of the mighty HIPS CAN sense its presence (correct me, if you will)." }-
I don't know about the "mighty HIPS" - I'm not even sure what qualifies a program to be HIPS - but the lowly old Process Guard would have snagged this exploit. Or any program that has execution protection. See the other on-going threads about zero-day protection.
-{ Quote: "Any suggestion about what I should do? Change software or add a dedicated anti-trojan? I survived the .ANI threat. And both Antivir PP and Prevx1 advise that they can detect trojans. Well, they failed me on this one." }-
Whether or not an AV or AT program flags a particular file depends on the current status of the database (Black List).
But if your security setup includes White List protection, this will catch *any* malware executable that attempts to sneak in by remote code execution.
What to choose? There are so many that one needs to evaluate them to see how they fit in with your current setup.
Here is an analysis of the Bell South exploit, and you can see that all of the obfuscation and trickery boils down to one simple task/goal: install a trojan.
Bell South Exploit (http://urs2.net/rsj/computing/tests/bellsouth/)
regards,
-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread...
Or Cool Assessments, Common Sense And Practical Planning..."
--Bruce Schneier
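The Black List versus White List distinction Rmus draws above, as an added example that is not part of the original thread or of any product mentioned in it: a small Python model of both policies applied to a constructed set of "executables". The file names, contents and hashes are all constructed for the example; the point is that a signature blacklist can only stop what has already been catalogued, while an execution allowlist blocks anything unknown, including a dropped file and a tampered copy of an approved program.

```python
import hashlib

# Constructed sample "executables": name -> bytes. On a real machine these would
# be files on disk; they are inline here so the example runs offline.
SAMPLE_FILES = {
    "notepad.exe": b"MZ\x90\x00 known-good editor binary (constructed)",
    "calc.exe": b"MZ\x90\x00 known-good calculator binary (constructed)",
    "oldworm.exe": b"MZ\x90\x00 previously catalogued malware (constructed)",
    "upxdnd.dll": b"MZ\x90\x00 freshly dropped, never seen before (constructed)",
}
# A tampered copy of an approved program: one trailing byte appended.
SAMPLE_FILES["notepad_patched.exe"] = SAMPLE_FILES["notepad.exe"] + b"\x01"


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of an executable in both lists."""
    return hashlib.sha256(data).hexdigest()


# Black List: hashes of malware the vendor has already catalogued (constructed).
# Only "oldworm.exe" has made it into the database; the fresh drop has not.
KNOWN_BAD = {sha256_hex(SAMPLE_FILES["oldworm.exe"])}

# White List: hashes of executables the administrator has approved (constructed).
KNOWN_GOOD = {
    sha256_hex(SAMPLE_FILES["notepad.exe"]),
    sha256_hex(SAMPLE_FILES["calc.exe"]),
}


def blacklist_decision(data: bytes) -> str:
    """Signature-style check: block only if the hash is catalogued as bad."""
    return "block" if sha256_hex(data) in KNOWN_BAD else "allow"


def whitelist_decision(data: bytes) -> str:
    """Execution-protection check: allow only if the hash is approved."""
    return "allow" if sha256_hex(data) in KNOWN_GOOD else "block"


def compare_policies(files: dict) -> dict:
    """Return {name: (blacklist_decision, whitelist_decision)} for every file."""
    return {name: (blacklist_decision(d), whitelist_decision(d))
            for name, d in files.items()}


def missed_by_blacklist(files: dict) -> list:
    """Names the blacklist would let run but the whitelist would stop.

    These are exactly the not-yet-catalogued files a drive-by drop relies on,
    plus any approved program whose bytes have been altered.
    """
    return sorted(name for name, (bl, wl) in compare_policies(files).items()
                  if bl == "allow" and wl == "block")


if __name__ == "__main__":
    for name, (bl, wl) in compare_policies(SAMPLE_FILES).items():
        print(f"{name:20s} blacklist={bl:5s} whitelist={wl}")
    print("Missed by blacklist:", missed_by_blacklist(SAMPLE_FILES))
```

The trade-off the thread keeps circling is visible in the output: the allowlist stops the unknown drop and the tampered copy without needing a signature update, but it also blocks every legitimate program that has not been approved yet, so it only works on a machine where someone is prepared to answer the prompts.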
ErikAlbert
April 12th, 2007, 06:44 AM
No matter how good these trojans are in installing themselves, they have to change my harddisk and my frozen snapshot removes any change after reboot. Case closed. Next malware please. :)
EASTER.2010
April 14th, 2007, 02:37 AM
-{ Quote: "No matter how good these trojans are in installing themselves, they have to change my harddisk and my frozen snapshot removes any change after reboot. Case closed. Next malware please. :)" }-
Well, if they even come close to my system it's like they've crossed an invisible but detectable radiation screen, so their presence is going to be picked up at once. Also I would have to be the one to infect my system, and many times I do :gack: , but now I also run FD-ISR; I can use Power Shadow to cover over my snapshots, and if they're so cleverly crafted as to refuse to leave even then after being invited, I can always dump the snapshot entirely, and simply re-create a new one (via stored archives), with all programs completely intact and simply start afresh again. A win, win situation!
ErikAlbert
April 14th, 2007, 03:38 AM
-{ Quote: "if they're so cleverly crafted as to refuse to leave even then after being invited, I can always dump the snapshot entirely, and simply re-create a new one (via stored archives), with all programs completely intact and simply start afresh again. A win, win situation!" }-
Indeed a win, win situation. That's why I spend so much time on RECOVERY.
My philosophy is based on "I wear a clean shirt every day, why not give my computer a clean shirt every day (=reboot)".
I'm still polishing my recovery, but it's getting better and better.
The bad guys can't do anything to me, if I start with a clean snapshot after each reboot.
Now I'm looking for the right security software for my frozen snapshot.
mercurie
April 14th, 2007, 01:41 PM
While I have not had a chance to read all the posts to this thread, I have always viewed the Trojan type of malware as the most damaging of all. They can not only mess up your machine but the deeds they do can mess up your life.
Note: While I know what root kits are they are still new to me and I have not gotten a real handle on those yet. :-\
EDIT: Still looking carefully at all the behavior security apps before picking one. I am still leaning heavily toward Cyberhawk for the Family Machine, as SSM would cause family members to deal with too many questions.
Copyright ©2002 - 2012, Wilders Security Forums