Trojans are crazy!

Discussion in 'other anti-trojan software' started by coldplay, Apr 9, 2007.

Thread Status:
Not open for further replies.
  1. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    VGADown, GHook, mppds

    I just found out that these 3 trojans, or types of trojans, or one of these 3, penetrated my system without me installing anything, while it was protected by antivir PP + Prevx1.

    I don't even know how they did that. They were not there a couple of days ago and I have not installed anything. I only go to reputable sites. I survived the .ANI threat. And both antivir PP and Prevx1 advise that they can detect trojans. Well, they failed me on this one.

    Any suggestion about what I should do? Change software, or add a dedicated anti-trojan? Or continue relying on antivir PP and Prevx1 and start praying.

    PS. Just did a search, the file was "upxdnd.dll".
    See post #9.
     
    Last edited: Apr 10, 2007
  2. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: One silly question: How did you find out about their presence? None of your trusted apps has done so. o_O
     
  3. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    I found those during a routine check using another on-demand scanner, which was not SAS ( >_< ).
     
  4. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, Coldplay: Trojans can stay dormant for a long time w/o executing their code. When one is inactive, only an on-demand scanner can detect it. When it commences execution, a realtime guard, such as Prevx1's, can instantly pick it up. BTW, have you done a complete file scan w/ Prevx1? If not, why not try it; it may be a surprise to you.
     
  5. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
  6. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: Thank you for the informative inputs. Now I know that trojans can sneak into my box even w/ web browsing (see Sophos' note), not necessarily by installation. This theory will definitely cement my firm belief in the true value of sandbox/virtualization apps. I do my routine web surfing in the frozen mode of DeepFreeze. When the task is done, reboot, and no more worries. I think I have made a wise investment on this one. Truly. :thumb:
     
  7. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    I took interest in this thread because I am considering installing Prevx1. I'm wondering if you were notified that this was an unknown/caution file and allowed it? I'm not accusing, I'm just wondering. I'm still trying to wrap my head around how Prevx works. I know it checks your database of files and, if not known, then the community database. Also, do you run as a limited user or admin?

    I agree with the infection from visiting sites being scary. I guess they are called drive-by downloads. I trust myself to not install something bad (at least 90% of the time :D ). But for something to sneak up and bite ya from behind is just nasty. I really need to get a backup system going and some sort of sandboxing or VM program running.
     
  8. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: I now have my full faith in Prevx1, although it is not 100% airtight. That is why I use DeepFreeze to back it up. What I have done w/ Prevx1 is this. First I installed it for free until the first incident, then x days of trial kicked in. After that period, I subscribed for 3 months. Then I got lucky receiving a key as a gift from one member of this forum. I would give it very serious consideration. Good luck.
     
  9. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    I am pretty sure those files, or that file, were newly resident in my system. I have done complete scans once every week with antivir PP, Prevx1 and SAS.
     
  10. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Let me get this right. Was SAS the one that detected the file with an on-demand scan? Have you removed and/or cleaned your system of the malware?
     
  11. EASTER.2010

    EASTER.2010 Guest

    Please hear me out. Even the best AS/AT scanners will never be enough; you have got to employ a HIPS of one name or another. That way you get alerted IMMEDIATELY, regardless of any blacklist database that can't keep up with everything as fast as they would like.

    I use System Safety Monitor (beta tester/fully licensed) and I have trialed Cyberhawk, Spyware Terminator, and others with resounding success. I was given a URL to a "known" drive-by site; my "resident guard" anti-spyware program was totally blind to the fact that a fierce dropper had made entry, but SSM was johnny-on-the-spot and instantly SUSPENDED the file and afforded me time to make a decision to DENY it, and that was all she wrote. No problem, no issue.

    You have to get that web shielding in place along with your scanners & resident AS's, because they can't identify everything. HIPS does! It stops anything which exhibits itself as a process and hands over full control to you, the user, so you know what the heck is going on.

    My 2-cents worth if it matters.
     
  12. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Easter.2010, isn't Prevx1 an 'easy to use HIPS' type of program? That's why I was asking if the OP had perhaps allowed an unknown/caution file to run. I'm just learning, but I do see the importance and power that my right finger on the mouse has as to allowing or denying a file. I guess somewhere between the alert and the click I need to insert a few brain cells. You bring up that point also, because SSM alerted you and you could either allow or deny the malware.

    FWIW, I would run SSM free in a heartbeat if I had a little more knowledge. Also, your 2 cents matters to at least 1 person.
     
  13. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    It wasn't SAS; post #3 stated that. I have removed the file or registry entry already.

    -------------

    @EASTER

    Isn't Prevx1 HIPS software?

    ---------

    @ innerpeace

    Prevx1 has not warned about anything. I checked the link you gave; it helped, thx.
     
    Last edited: Apr 10, 2007
  14. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Hi coldplay, good to hear you removed the malware. I just did a quick search for the file you mentioned, upxdnd.dll. There were many other hits too when searching Google. You might check those out too. Being that it's a trojan, you might try other free scanners too, just to be sure that everything is gone. I wish you luck and I'm off to bed. Take care.
     
  15. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: As I stated earlier, if a trojan stays dormant, not active, none of the mighty HIPS CAN sense its presence (correct me, if you will). Only the moment it starts to make a move, bingo, some of your defense mechanisms will sound the alarm. To get rid of those sleeper-cell type of malware, an on-demand scanner or sandbox model, IMO, is still the better solution. A trojan will not harm you until it EXECUTES. Among your firewall's O/S firewall, AV's behavior control, AS's shield, AT's guard and of course HIPS, one ought to function accordingly. Otherwise, you had better realign your defense team! Have a nice one.
     
  16. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Is there some reason you don't want to name the other scanner that found the trojans?
    Best,
    Jerry
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Panda.:cool:
     
  18. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    It's a Chinese anti-malware scanner; I don't think many ppl here are willing to give it a try. Also, I said some good things about this scanner before, and some guy called me an adviser. The software is called "ArSwp" and it doesn't have an English site, but the software itself has an English interface though. www.arswp.com
     
  19. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, Coldplay: I read Chinese and I have gone to the site, d/l and inst the app (green copy); it has an English version. During the scan, it requests internet access. Is this safe to allow? I did not go any further w/o investigating its purpose in connecting to the internet, to its server (database)? Can you hlp me w/ this issue? Seems a good product. I am very interested in it. Thanks.
     
  20. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    I allowed it; you can't trust any anti-virus/malware software if it doesn't need an Internet connection. It updates signatures at startup. What I like about this software is it doesn't ask you to install, which makes it a perfect on-demand scanner alongside Dr.Web CureIt. Also it has found some nasty stuff other programs were not able to find for me.
     
  21. JerryM

    JerryM Registered Member

    Joined:
    Aug 31, 2003
    Posts:
    4,306
    Thanks for the reply, Coldplay.

    Regards,
    Jerry
     
  22. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, Coldplay: I did a scan, and it found two nasties in memory, to my surprise, because I had just done a complete scan w/ SAS and AVG AS and none were found. The app's black/white lists are not in English and its scan results are not either. My PC cannot read those scripts. I think I need to seek help from a friend for modification. Thanks anyway.
     
  23. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    Download the Chinese language package from Microsoft; sorry, I don't know the link, but I believe Google will bring it up as the first link.
     
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,
    I'm still wondering how you contracted the disease.
    What browser are you using?
    Mrk
     
  25. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    So am I.

    IE 7
     