AVG / HP Trojan
OS: XP w/ SP 3.
For the last two weeks AVG has reported a trojan in the HP printer software package as part of the daily scan. Every day it's removed and subsequently it is back again. Googling the trojan number shows a lot of folk started getting this warning recently, always affecting people with HP Photosmart printers, so I suspect it's a bug in a recent AVG update. However: I ran Malwarebytes this afternoon, which found six trojans, none of them the one that AVG was reporting, and eliminated them. No help needed: just reporting it for other PPRuNe members. |
If it's electronic and it's got some form of logic (firmware/software or otherwise) then it is vulnerable to attack.
It used to be quite trendy for virus writers to target printers. Perhaps this trend is coming back to the scene. :cool: |
Did you try running Malwarebytes in Safe Mode with Command Prompt? (You need to be able to invoke mbam.exe using DOS commands.) This is the safest way of starting Malwarebytes, which won't start any other viruses as well (so far).
|
Many folk regard HP software as little better than a virus.
The printers are usually good but the supplied software is best left in the box. |
"However: I ran malwarebytes this afternoon, which found six trojans, none of them the one that AVG was reporting, and eliminated them."
I now use Avast! Free which I believe is as good as any, does not slow the machine and is, of course, free. |
I'll second M M's vote for Avast. Better than Mike B's idea (which is fine) is to run Avast in boot scan mode - that way you virus check before ANY Windows functions are loaded, which reduces the risks of anything 'cloaking' itself even in Safe Mode. I believe Avira, another free AV product, has a suite of tools including downloadable CDs.
|
Different security applications usually (or often) have different naming protocols for malware found.
One of the important things in researching scan results is the original file name and full path of the detection/s. Each file can be uploaded to VirusTotal - Free Online Virus, Malware and URL Scanner for multiple second (about 41) opinions. In the case of a well known malicious file, or a well known false detection, the chances are high that the file has already been analysed.
If it's a false positive, the file should be submitted to AVG for further analysis. (I have no idea how diligent Grisoft are in dealing with these. I know that Avast deals with them very promptly.)
MBAM, like all the others, sometimes produces a false detection. For it to have detected 6 malware files is highly suspicious. I would take these detections seriously. MBAM is best run in normal mode.
As an aside, I've had to format and re-install Windows once since I've had it in 5 years. The reason? I foolishly re-installed my HP printer software ('coz it was borked) and that over-wrote some more recent Windows updates, borking the .net framework and Windows update status. |
Avast in boot scan mode
Avast in boot scan mode - how would you set that up?
|
"Avast in boot scan mode - how would you set that up?"
I would do this only if there is malware detected by Avast, that investigation indicates is the real deal (rather than a FP), and normal removal doesn't work. There is little point in doing it if Avast doesn't detect it. If it is run, and it turns out it is a false positive, too late. The file will have been quarantined. Worst case scenario, it's an important system file. This is a worst case scenario, possible but not very likely. |
The end of my story (maybe) - ran malwarebytes and removed threats yesterday, ran malwarebytes again this morning, no threats found, ran AVG at lunchtime, no threats found.
I know I know, just because you can't see them.......however I'm going to take malwarebytes and AVG's results on faith. |
There are some good on-line scanners if you ever want a 'third opinion':)
|
malwarebytes seems to come out at/near the top in every test I have seen.
TD: I had a look at my BIL's laptop at Christmas - he "can't be bothered with antivirus" but "suddenly it's not working". (I know, multiple rolling of eyes and headshakes). MWB (run in safe mode) found 133 different threats, trojans, etc. Probably not a record, but it surprised me. I cleaned his laptop up and put a free antivirus on it, but since he "can't be bothered with such things" it will probably fail again very soon. PEBSAK ! |
Originally Posted by OFSO
(Post 6193788)
MWB (run in safe mode) found 133 different threats, trojans, etc. Probably not a record, but it surprised me.
|
979 is my record for a customer PC |
Originally Posted by mixture
(Post 6193946)
Please tell me you did the right thing and reformatted the infested thing rather than sitting there racking up billable hours. :cool:
Unfortunately for me too, I was on a fixed contract. Luckily though, those 979 infections were only from 17 viruses :ugh: |
The first inkling of a trojan in my PC was when AVG reported one in a HP (printer) file.
Just occurred to me - the HP software installs to default keeping a com port open to report problems, pick up software updates etc. Could this be why the trojan installed to the HP printer files? I've just gone to the HP settings and turned off everything associated with automatic up and down linking of info., just wondering whether this will be enough. |
Without knowing what the file was, and what the AV company subsequently analysed it to actually be (real or false), it's impossible to say with certainty. However, the indications deducible from the info provided so far are that the file AVG detected as a trojan probably was not a trojan, and the files that MBAM detected (which bore no relationship to the AVG detection) probably were malicious.
So, if you see my logic, here, the above surmise is invalid. It is unlikely that malicious files would install themselves via a printer update, and a firewall would (should) prevent anything but printer software from connecting in the fashion you mention. |
Thanks. Yes, firewall was (and is) up and running. So what was in the printer software was or maybe was not, a real/false, but the infections MWB discovered were real - that's my thinking.
BTW, machine is clear of problems today (as for the past few days). |