wenbo
Joined: Sep 15, 2003 Posts: 367
Location: Ontario, Canada
Posted: Fri Jul 10, 2009 1:13 pm Post subject: Trojan horse in Slimbrowser
Hi Gnomies,
Today on boot up I had the following warning come up from AVG.
"Infection";"Trojan horse SHeur2.APWL";"C:\Program Files\SlimBrowser\sbrowser.exe";"";"7/10/2009, 10:26:09 AM"
There were two warnings but I was only able to move one to the vault. It said the files couldn't be found for the second one.
When I googled it only one post came up and that was a Slimbrowser forum. He had the same message yesterday and AVG told him it was a virus. He uninstalled it and reinstalled and hasn't had the warning again. I do have it installed but never use it. I uninstalled it as well since I don't use it.
My question is, how could I possibly get a virus in a browser that I don't even use? And has the uninstall removed the problem?
Thanks All

zlim
Joined: Mar 11, 2005 Posts: 2635
Posted: Fri Jul 10, 2009 8:02 pm
Download Malwarebytes and scan with that too.
Don't depend on a scan with just one program.
If it were me, I'd go to http://virusscan.jotti.org/en and have the site scan the suspicious file and find out if it is a virus or a false positive. That site scans with 21 different products. Of course, they will not agree, but if quite a few report something, then it isn't a false positive. If only AVG is finding something, then it is a false positive.

goretsky
Joined: Dec 07, 2002 Posts: 9041
Location: Southern California
Posted: Sat Jul 11, 2009 3:58 am
Hello,
Given the name of the reported infestation, Trojan horse SHeur2.APWL, this could be a false positive alarm, e.g. a report of a Trojan horse when none is actually present. The reason I think this is because of the word Heur in the name. This likely indicates the use of heuristic (rule-based) detection algorithm, as opposed to specific identification using traditional signature-based methods.
I would strongly suggest contacting AVG's support department to check on this; if this is a false positive alarm, then by reporting it you can help them fix it.
Regards,
Aryeh Goretsky

wenbo
Joined: Sep 15, 2003 Posts: 367
Location: Ontario, Canada
Posted: Sat Jul 11, 2009 4:34 pm
zlim wrote:
Download Malwarebytes and scan with that too.
Don't depend on a scan with just one program.
If it were me, I'd go to http://virusscan.jotti.org/en and have the site scan the suspicious file and find out if it is a virus or a false positive. That site scans with 21 different products. Of course, they will not agree, but if quite a few report something, then it isn't a false positive. If only AVG is finding something, then it is a false positive.
I did the Malwarebytes scan and it found nothing. The virusscan.jotti.org/en confused me since I could only scan one file at a time and had no clue where to start. LOL.
I did do an AVG virus scan last night and it found 2 "Trojan horse SHeur2.APWL" in "C:\RECYCLER"
and moved them both to the vault. I tried to click through to AVG yesterday to report the possible false positive but it got bounced back. Strange also cuz it came back to all 5 of my different email addresses and when I checked the IP address it was a RIPE #. Don't get that one???
Anyway, it seems to be cleared up, at least for now. Still don't know how it (they) even got on my computer since I'm very careful and am very well protected.
Thanks so much for the help.

drwho07
Joined: Nov 29, 2007 Posts: 1546
Location: Central FL, USA
Posted: Sun Jul 12, 2009 9:30 am
Just for information purposes:
If a virus somehow gets into your PC it will infect many executable files, even ones you don't normally use.
But a good rule of thumb would be: if you don't use it... lose it!
You certainly don't need to clutter up your HD with programs you don't use!
When I first started using AVG, many years ago now, it found a virus on a picture sent to me by a person in Canada. That pic had been sitting in my PC for several years and my previous AV program had never found it.
I didn't really need to keep the picture so I just deleted it. Problem solved!
Good Luck,
Doc

wenbo
Joined: Sep 15, 2003 Posts: 367
Location: Ontario, Canada
Posted: Mon Jul 20, 2009 1:03 pm
Okay, I ran my usual Sunday night scan and this is what it found.
"Object name";"C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP410\A0039900.exe"
"Detection name";"Trojan horse SHeur2.APWL"
"Object type";"file"
"SDK Type";"Core"
"Object name";"C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP410\A0039900.exe:\$JF\sbrowser.exe"
"Detection name";"Trojan horse SHeur2.APWL"
"Object type";"file"
"SDK Type";"Core"
These are the 2 from the week before.
"C:\RECYCLER\S-1-5-21-1882146560-869516872-448844140-1003\Dc11416.exe";"Trojan horse SHeur2.APWL";"Moved to Virus Vault"
"C:\RECYCLER\S-1-5-21-1882146560-869516872-448844140-1003\Dc11416.exe:\$JF\sbrowser.exe";"Trojan horse SHeur2.APWL";"Moved to Virus Vault"
I have uninstalled the Slimbrowser since I don't use it but it seems there is still a trojan there. These are the same 2 trojans that it found last time just in a different location I think.
Can I remove these infections? Do I just leave them in the vault? Why are these things still there and how are they getting in my computer?
I am well protected so I don't know how they are getting in in the first place.
Can someone help me out?
Thanks
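An added example, not code from the thread or from AVG: a small Python triage script for detection records in the semicolon-delimited, double-quoted style AVG produced in the reports quoted above. It buckets each hit by where the object lives (restore point, Recycle Bin, installed program) and flags "Heur" names as heuristic verdicts worth a false-positive report; it assumes the `:\$JF\...` suffix names a component inside a scanned container, and uses the paths quoted in this thread as its constructed sample input.

```python
import re
# Constructed sample input in the semicolon-delimited, double-quoted record style
# of the AVG reports quoted in this thread (paths taken from the posts above).
SAMPLE_LOG = r'''"Infection";"Trojan horse SHeur2.APWL";"C:\Program Files\SlimBrowser\sbrowser.exe";"";"7/10/2009, 10:26:09 AM"
"C:\RECYCLER\S-1-5-21-1882146560-869516872-448844140-1003\Dc11416.exe:\$JF\sbrowser.exe";"Trojan horse SHeur2.APWL";"Moved to Virus Vault"
"C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP410\A0039900.exe";"Trojan horse SHeur2.APWL";"Moved to Virus Vault"'''

FIELD_RE = re.compile(r'"([^"]*)"')        # one double-quoted field
PATH_RE = re.compile(r'^[A-Za-z]:\\')        # field is a drive-letter path
NAME_RE = re.compile(r'\w+\.[A-Za-z]+$')     # detection name ends in Family.Variant
# Assumption: "outer.exe:\member" names a component scanned inside a container.
CONTAINER_RE = re.compile(r'^(?P<outer>[A-Za-z]:\\[^:]*):\\(?P<inner>.+)$')

# Where the flagged object lives decides what a defender does next.
BUCKETS = (("\\system volume information\\_restore", "restore-point"),
           ("\\recycler\\", "recycle-bin"),
           ("\\program files\\", "installed-program"))
ADVICE = {
    "restore-point": "stale copy in a restore point; purge old restore points and rescan",
    "recycle-bin": "already-deleted file; empty the Recycle Bin and rescan",
    "installed-program": "live executable; quarantine it and confirm with a multi-engine scan",
}

def parse_record(line):
    # Pick the object path and the detection name out of one quoted record.
    fields = FIELD_RE.findall(line)
    path = next(f for f in fields if PATH_RE.match(f))
    name = next(f for f in fields if not PATH_RE.match(f) and NAME_RE.search(f))
    return {"path": path, "name": name}

def classify(path):
    # Split off any container member, then bucket the outer path by location.
    m = CONTAINER_RE.match(path)
    outer = m.group("outer") if m else path
    location = next((label for key, label in BUCKETS if key in outer.lower()), "other")
    return {"location": location, "inner": m.group("inner") if m else ""}

def triage(log):
    # Annotate every record with its location and the defender's next step.
    out = []
    for line in log.strip().splitlines():
        rec = parse_record(line)
        rec.update(classify(rec["path"]))
        rec["heuristic"] = "heur" in rec["name"].lower()
        rec["advice"] = ADVICE.get(rec["location"], "quarantine and confirm with a multi-engine scan")
        if rec["heuristic"]:  # rule-based verdict, so worth a false-positive report to the vendor
            rec["advice"] += "; 'Heur' in the name marks a heuristic verdict: submit it as a possible false positive"
        out.append(rec)
    return out
```

Running `triage(SAMPLE_LOG)` yields one annotated record per line; the same record in a restore point and in the Recycle Bin is the same file seen twice, which is why the thread's advice to clear old restore points and the vault makes the warnings stop.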

zlim
Joined: Mar 11, 2005 Posts: 2635
Posted: Mon Jul 20, 2009 7:17 pm
Note how it says RESTORE. Infections hide in your restore points.
In XP to remove all but the last restore point, Start>Programs>Accessories>System Tools> Disk Cleanup then More options.
Once in more options click on System Restore and Clean up.
OR a bit safer way so you can delete some but not all the restore points, open CCleaner and click on Tools then System Restore. You can then pick and choose what you want removed.
Remove some older restore points and do a scan again until you no longer see the trojans listed in restore. After that, clear the virus vault and do one last scan and no trojans should appear anywhere.

wenbo
Joined: Sep 15, 2003 Posts: 367
Location: Ontario, Canada
Posted: Tue Jul 21, 2009 12:17 pm
zlim wrote:
Note how it says RESTORE. Infections hide in your restore points.
In XP to remove all but the last restore point, Start>Programs>Accessories>System Tools> Disk Cleanup then More options.
Once in more options click on System Restore and Clean up.
OR a bit safer way so you can delete some but not all the restore points, open CCleaner and click on Tools then System Restore. You can then pick and choose what you want removed.
Remove some older restore points and do a scan again until you no longer see the trojans listed in restore. After that, clear the virus vault and do one last scan and no trojans should appear anywhere.
There are no System Restore points listed in CCleaner. I have never set a restore point. I have an external drive that I do a clone to every couple of months or so. Now what do I do? I do thank you for your help.

zlim
Joined: Mar 11, 2005 Posts: 2635
Posted: Tue Jul 21, 2009 1:55 pm
Sorry I don't know.

drwho07
Joined: Nov 29, 2007 Posts: 1546
Location: Central FL, USA
Posted: Sun Jul 26, 2009 9:21 am
For the casual user to remove ALL restore points, the process is easy enough.
Go into System Restore and turn it off for the C: drive.
Then reboot your computer.
During that process, ALL restore points for C: will be deleted.
Then, after the reboot, again go into System Restore and turn it back on for C:.
A new restore point will be created.
System Restore in XP is the first version that's actually worked as it should.
It's invaluable to someone like me who tests a lot of new programs.
I have to rely on System Restore at least once a week to fix some problem caused by a poorly written piece of software.
But yes, you can remove a virus or trojan from a program on your HD and still have a copy of it in an old restore point. It would only hurt you if you ever restored that old Restore Point, making that information active again.
Cheers !
The Doctor

zlim
Joined: Mar 11, 2005 Posts: 2635
Posted: Sun Jul 26, 2009 7:41 pm
But wenbo doesn't have any restore points. Why is AVG pointing to infections in Restore when there aren't any? That's what I can't answer.
I'm going through something similar on my husband's XP computer, except his has restore points. I've been going into CCleaner and removing the restore points because AVG keeps popping up warnings and every time it does, I move the files to the vault then delete them.

wenbo
Joined: Sep 15, 2003 Posts: 367
Location: Ontario, Canada
Posted: Tue Jul 28, 2009 12:48 pm
Since I had no restore points visible in CCleaner I did what zlim suggested
"In XP to remove all but the last restore point, Start>Programs>Accessories>System Tools> Disk Cleanup then More options.
Once in more options click on System Restore and Clean up. "
When I ran a virus scan last night (Sunday's messed up) I was free of viruses, just the usual warnings for cookies. So I appear to be clean now.
I really don't know how I got infected in the first place as I'm very well protected and don't download anything from an unknown source etc.
Oh well, all seems to be well now. Thank you all for your help and input.

zlim
Joined: Mar 11, 2005 Posts: 2635
Posted: Tue Jul 28, 2009 3:57 pm
Well, I can pinpoint what "infected" me at least according to AVG. I downloaded and installed a free program that uncovers all the passwords on an XP computer.
I got an XP computer from a friend. It died, he bought a new one and I told him not to throw the old one away. I brought it home, cleaned it up (it was filthy inside), installed a new power supply because it wouldn't do a thing. Once I got it up and running, I bought more RAM so it could run instead of limp! I cleaned out all his files (I had moved the files from this hd to his new computer by removing the hd and attaching it by USB to his new computer before I brought the dead computer home).
I decided to see if there were any passwords lurking that I needed to erase. After that, AVG started popping up about a trojan dialer. Since the computer is not attached by modem or cable, I wasn't worried but I want everything gone that causes popups. My husband will be using this computer and I don't want him bothered by popups.
I thought I cleaned it up and I did remove that password finder but I'm still getting the AVG warnings. I move everything to the vault then empty the vault. I've removed pretty many restore points but I may either need to remove all but the last or restore from an image I made before I installed that program. I've marked the program - possible trojan - so I do not use it again.

drwho07
Joined: Nov 29, 2007 Posts: 1546
Location: Central FL, USA
Posted: Wed Jul 29, 2009 8:00 am
AVG will flag almost any program that directly accesses the registry.
Any Keygen or password detector program is fair game for any good AV program.
Instead of harboring those programs on your HD, it's a good move to just put them on removable media, like a flash drive, memory card or CD, and get them OFF of the HD altogether.
Works for me!
Doc