
3 trojans?

What are the chances of NIS missing 3 trojans on my computer?

I recently installed Kaspersky on my laptop (Windows XP) after using NIS (uninstalled completely). The new Kaspersky found 3 trojans in "volume information" (restore?) and deleted them etc. but I was wondering if they were false positives. Not sure I want to use the Kas. if it's going to be giving false positives as I'm computer challenged and don't know how to deal with these things. I'm thinking I'll just keep the NIS on the other 2 computers, but not if it misses 3 (!) trojans.

Any opinions on NIS missing 3 trojans?

Replies


Re: 3 trojans?

What are these trojans?
"All that we are is the result of what we have thought"

Re: 3 trojans?

Hello,

I didn't copy the names, something about a "backdoor" on the first one, I don't remember the others. They were deleted so don't have the names. I got a little panicky and followed the directions to get them off the laptop. The funny thing is that this laptop is hardly ever online, as I seldom use it so I wasn't expecting problems.

Thanks


Re: 3 trojans?

Ok

Good thing they were deleted then. Some trojans are better detected by some than others.

But it would have been handy to have the samples so Symantec could have written the signatures for these trojans you mentioned.

"All that we are is the result of what we have thought"

Re: 3 trojans?

I'm not familiar with Kaspersky's programs, but if you open it you should have an option to look at the quarantined files or at the logbook. There you should be able to find the names of the files it identified as trojans and the names of the threats. With that information we have a better chance of telling you if it was a false positive or not.

I will actually have a look at a computer tonight that I know found a few trojans in the system restore with a freshly installed antivirus program that I believe was Kaspersky. I will try and find what that was.

Message Edited by jAW on 05-21-2008 07:20 AM

Re: 3 trojans?

Thank you both for the help.

I checked the log and found the information (told you Kaspersky is new to me).

1. Trojan program Backdoor.Win32.Agobot.afk
File: C:\System Volume Information\_restore{DC0F6FA1-168A-4B6E-951C-3ADB109AF7F0}\RP123\A0013439.exe//CryptFF//PE_Patch//UPack

2. Trojan program Rootkit.Win32.Agent.p
File: C:\System Volume Information\_restore{DC0F6FA1-168A-4B6E-951C-3ADB109AF7F0}\RP123\A0013440.sys//CryptFF

3. Trojan program Backdoor.Win32.Agobot.afk
File: C:\System Volume Information\_restore{DC0F6FA1-168A-4B6E-951C-3ADB109AF7F0}\RP123\A0013441.exe//CryptFF//PE_Patch//UPack

Hope that's not too much information. If it is, tell me and I'll try and remove/delete.

thanks!


Re: 3 trojans?

How did you scan your system with Norton Internet Security? Which types of scans did you perform: Full Scan, or just Quick Scans? The threats you've identified should be detected by Norton software:

http://www.symantec.com/security_response/writeup.jsp?docid=2003-053013-5943-99

http://www.symantec.com/security_response/writeup.jsp?docid=2005-060715-2135-99

Any additional information you can provide is appreciated. We want to understand why these threats were not found for you. Thanks!

Tony Weiss | Norton Forums Global Community Manager | Symantec Corporation

Re: 3 trojans?

I did a full scan when NIS updated to 2008 a few months ago. Then it was probably the quick scans that come up when one clicks on the scan button. I don't use the computer very often like I said and it's packed away most of the time. When I go to use it I update NIS first thing, because I know it's been a while and updates are needed.

OK, so I guess they weren't false positives.

thanks


Re: 3 trojans?

The answer to why the trojans never got detected by Norton is quite simple actually. The \system volume information\ is in the exclusions list by default. So if the trojans never actually were "live" in the system during the time you had Norton, or in other words, if they were already in that folder before Norton got installed, they would not be detected during a scan.
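
An added example, not part of any poster's message: a small Python triage script that takes the log entries posted earlier in the thread and separates copies archived under System Restore from files found anywhere else. It assumes the `//` suffixes in the scanner's path are layers the scanner unpacked inside the file; entry 4 and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Entries 1-3 are the log lines quoted earlier in the thread; entry 4 is a
# constructed contrast case (placeholder threat name and path).
SAMPLE_LOG = r"""
1. Trojan program Backdoor.Win32.Agobot.afk
File: C:\System Volume Information\_restore{DC0F6FA1-168A-4B6E-951C-3ADB109AF7F0}\RP123\A0013439.exe//CryptFF//PE_Patch//UPack
2.Trojan program Rootkit.Win32.Agent.p
File: C:\System Volume Information\_restore{DC0F6FA1-168A-4B6E-951C-3ADB109AF7F0}\RP123\A0013440.sys//CryptFF
3.Trojan program Backdoor.Win32.Agobot.afk
File: C:\System Volume Information\_restore{DC0F6FA1-168A-4B6E-951C-3ADB109AF7F0}\RP123\A0013441.exe//CryptFF//PE_Patch//UPack
4. Trojan program Example.Placeholder.Name
File: C:\WINDOWS\system32\example-constructed.exe
"""

ENTRY = re.compile(r"^\s*\d+\.\s*Trojan program\s+(\S+)\s+File:\s*(.+?)\s*$", re.M)
RESTORE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-F-]{36}\}\\RP(\d+)\\(A\d+\.\w+)$", re.I)

def parse_detections(log_text):
    """Split each entry into threat name, on-disk file and unpacked layers."""
    found = []
    for threat, raw in ENTRY.findall(log_text):
        disk_path, *layers = raw.split("//")  # assumption: '//' marks nested layers
        m = RESTORE.search(disk_path)
        found.append({"threat": threat, "disk_path": disk_path, "layers": layers,
                      "restore_point": int(m.group(1)) if m else None,
                      "archived_as": m.group(2) if m else None})
    return found

def triage(detections):
    """Group archived copies by restore point; list everything else as live."""
    archived, live = defaultdict(list), []
    for d in detections:
        if d["restore_point"] is None:
            live.append(d["disk_path"])
        else:
            archived[d["restore_point"]].append((d["archived_as"], d["threat"]))
    return dict(archived), live

if __name__ == "__main__":
    by_rp, live = triage(parse_detections(SAMPLE_LOG))
    for rp, items in sorted(by_rp.items()):
        print(f"RP{rp}: {len(items)} archived copies (System Restore)")
    print("Files outside System Restore needing cleanup:", live)
```

All three detections from the thread fall in the same restore point (RP123), so none of them was a file in its original location at scan time.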


Re: 3 trojans?

Below is a quotation from the Symantec writeup on why you should disable system restore during cleanup.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

This might be a remnant from the old days that simply stayed in the program, as antivirus programs obviously can access the system restore these days (edit: You need user rights to the folder). I don't know about Norton's ability to do so if you were to remove it from the exclusion list though.

Message Edited by jAW on 05-22-2008 06:29 AM

Re: 3 trojans?

That's very similar to the issue. Quick Scan will scan files with Startup entries or with System-Start INI or batch entries - the typical areas where infections are found. It appears that Katierose has only run Quick Scans for the past few months, which is most likely why the infections were found in an area where Quick Scan doesn't scan. A Full Scan would catch these trojans, which is why we recommend scheduling a Full System Scan regularly. Thanks!
Tony Weiss | Norton Forums Global Community Manager | Symantec Corporation
