How could a virus get on my computer?

Hello,

today Comodo Firewall (v3, beta) notified me about an outgoing connection from C:\Program Files\MSTpscre\Tpscrex.exe. It was identified as a Trojan-Downloader.Win32.Agent.bue by ClamAV and Kaspersky. I killed the process and deleted the file. So far I don’t see any problems.

Anyway, I’m wondering how an unknown file can get into my “Program Files” folder and run itself. I always use an up-to-date Firefox browser, and my WinXP is automatically updated too (it was just today). I didn’t look at any suspicious web sites. Since this morning I installed the following programs: ffdshow, CDBurnerXP, Miranda IM, and I unpacked and tried ViPlay4 beta. These are just new versions of applications I have already been using for a long time.

So I have no idea how the file could get on my computer. Obviously it must have been today, just before CPF alerted me. Any ideas?

P.S. I don’t have any antivirus, because Comodo AV causes me some problems. In fact I have gone without an antivirus for over 2 years without ever being infected. Until today…

You should make it a priority to get an anti-virus, even if it’s a free one like Avast, which runs fine on XP and with Comodo Firewall. Malware is increasing every day and you need all the protection you can get.

You can get malware from many sources (have a read through the following). I would suggest you install some of the anti-malware programmes listed, as you cannot just rely on a firewall for all your security needs.

http://www.castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html

Should have also mentioned this article which might be of use to you.

http://www.castlecops.com/t116539-Guide_Make_your_own_System_Security_Suite_for_Free.html

(:KWL)

Tpscrex.exe isn’t a virus. It’s an IBM Thinkpad zoom utility, details here

With both ClamAV and Kaspersky tagging it, a false positive doesn’t seem likely. So the question: is this an IBM (or Lenovo, these days) machine? Is there any reason for a Thinkpad utility to be present? Malware will misrepresent itself in the hope of being ignored, but that opens the possibility of deleting something needed.

Yes, you should investigate; the least you can do is send it to other experts: I think the best option would be www.virustotal.com

Anyway my two cents about your generic question, not the particular one about this particular positive…

You should get an antivirus; it’s a must-have no matter what some say. CAVS is beta, so it’s normal that you experienced problems; get Avira AntiVir or Avast or AVG Free or something, and stay tuned for the final release of CAVS if you want. Even if you understand that the antivirus should always have a prevention layer on top of it, it’s still a must even for power users.

That said, it’s always possible to get malware no matter your precautions. Anyway, this is a nice example of a good firewall working as the last line of defence; again, so much for the people who also say that a personal software firewall is worthless.
(S)

To answer you further, one reason why the malware was able to write itself to your Program Files folder, or anywhere outside your Documents or the Shared Documents folders for that matter, is that you were running Windows as Administrator; most people do this, but it’s not really advisable. True, even if malware is forbidden from everything outside your documents folders, I can’t see why it couldn’t still install itself there and do its stuff, but maybe if it’s not permitted to install in its favoured location the attack might fail completely because it doesn’t even try to install in your documents; plus there it would be easy for you to find it even by accident. But anyway, the important thing is that if you run Windows as a limited user you’re not only denying malware permission to install outside your documents, you’re also preventing it from changing or deleting any files there: program files, Windows files, core ones, etcetera.

Creating a limited user is a piece of cake in Windows from the Control Panel, although you’ll need to run as admin sometimes to install most software or to run some programs such as defraggers, registry cleaners, etcetera; but you can run a program within the admin account without logging on to it very easily, thanks to a certain Windows service (right-clicking on the program or shortcut and choosing the second option “Run as…”, or editing the properties to make it the default option for those programs which also need that access). Still, some people prefer to run as admins and castrate the admin permissions just for some programs such as the browser, email client etc. (I can’t see the advantage of this compared to the straight option myself); there are programs that do that, such as DropMyRights.

Also, I can’t really tell you how you might have got infected; I guess there are hundreds of ways and I don’t know 99 per cent of them. Anything you download from shady sources (and P2P is always the shadiest), by all means you should scan it before opening it. If you had a resident antivirus, and again I recommend you get one, I think it would be no good scanning with it on demand since it will scan on access (not sure); but you should get at least another scanner, one that covers spyware and trojans, for example AVG AntiSpyware.
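The limited-account setup described in the post above, as an added example that is not code from this thread or from Comodo: a PowerShell script that checks whether the current session is administrative, creates a limited account, starts a program under it (the scripted form of “Run as…”, which relies on the same Secondary Logon service), and probes whether the session can drop a file into Program Files, where the file in this thread lived. It assumes PowerShell 3 or later; the account name and program path are placeholders.

```powershell
# Added example, not code from the thread or from Comodo: the "limited user plus Run as"
# setup from the post above, done from PowerShell instead of the Control Panel.
# Assumes PowerShell 3 or later; the account name and program path below are placeholders.

# Is this session running with administrative rights? (the thread's "running Windows as Administrator")
function Test-IsAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Create a limited account for everyday use. "net user <name> *" prompts for the password,
# so it never ends up in the command history. Run this once from an admin prompt.
function New-LimitedUser([string]$name) {
    net user $name * /add
    net localgroup Users $name /add
    # Verify the new account is NOT in the Administrators group.
    $admins = net localgroup Administrators
    if ($admins -match ('^' + [regex]::Escape($name) + '\s*$')) {
        Write-Warning "$name is in Administrators; remove it with: net localgroup Administrators $name /delete"
    } else {
        "$name created as a limited user"
    }
}

# Start an Internet-facing program under the limited account without logging out of the
# admin session. This is the PowerShell form of right-click > "Run as...".
function Start-AsLimited([string]$user, [string]$exe) {
    $cred = Get-Credential -UserName "$env:COMPUTERNAME\$user" -Message "Password for limited account $user"
    Start-Process -FilePath $exe -Credential $cred
}

# Probe from inside a session: can it drop a file into Program Files, where the thread's
# Tpscrex.exe lived? A limited session should return $false.
function Test-ProgramFilesWritable {
    $probe = Join-Path $env:ProgramFiles ('write-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        # Access denied (UnauthorizedAccessException) is the expected outcome for a limited user.
        return $false
    }
}

if (Test-IsAdmin) {
    "Administrative session: anything you run here can write to $env:ProgramFiles and the Run key."
} else {
    "Limited session; Program Files writable: $(Test-ProgramFilesWritable)"
}

# Typical use, once, from an admin prompt (placeholder account name and path):
#   New-LimitedUser 'web'
#   Start-AsLimited 'web' 'C:\Program Files\Mozilla Firefox\firefox.exe'
```

Run the probe twice, once from the admin session and once after logging on as the limited account: the first should report Program Files as writable and the second should not, which is exactly the difference the post describes.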

Well, there’s a simple way to test this. Vlada, assuming you’ve got an IBM laptop, open a window and then hit Fn+Space. If the system doesn’t zoom in, it’s because you’ve deleted the Thinkpad Tpscrex.exe file. :wink:

I still think it’s a false positive though, based on the fact that out of 34,400 searches on Google, not one points to that file as being malware.

vlada, any news?

I’m not convinced that everyone needs an AV, it still depends. If you have extremely strict habits and routines, you may be fine. You said it yourself, two years without infection. Of course you can’t be sure, but if you haven’t encountered any problems, it could be true.

The AV question is however not a topic for this board, it should be continued in this section.

/LA

I have a PC (not a notebook/laptop) and it’s not IBM. I built it myself (:KWL)

So I really do believe it was malware. I was using Avast for a long time (Avast is a Czech program and I’m from the Czech Republic), but it was causing problems with Firefox automatic updates. Then I tried Comodo AV, but again it was conflicting with some SW I use (Apache2 server and SMPlayer).

Now I think it might have got onto my PC through the Apache server I’m running. I tried to block it from outside connections (only allow localhost), but maybe I set it up incorrectly.

I use Spybot and AdAware to check my PC from time to time. It was always clear.

Japo
I need to run Windows as an Administrator. I’m not an average user. I’m installing some applications, developing something or experimenting with the system almost every day. Unfortunately it’s not so easy to use Windows with a User account. I know it from my work ; 88)

But I’m very aware of the things I do install. I’m not downloading any programs from unknown sources. I use almost entirely open-source applications which are well known and tested by many users.

But I’m really considering getting a real-time antivirus. I hope the Comodo AVS v3 will be released soon.

Sounds like you build machines the same way I do. You know exactly what is supposed to be there, and what isn’t.

I’d suggest running “Deckard’s System Scanner”, available at http://www.techsupportforum.com/sectools/Deckard/dss.exe

DSS is a more comprehensive malware scanner than HijackThis, and will also do an HJT scan as a matter of routine. You’re looking for things out of the ordinary, particularly file timestamp changes that might match the Tpscrex.exe timestamps, if you can remember them.

If you do find signs of malware, then this topic is probably best in the Malware Removal Forum. But before moving this topic to that forum, let’s see what there might be to be concerned about.

Except for this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tpscrex"="C:\Program Files\MSTpscre\Tpscrex.exe" []

there is nothing suspicious.

I just checked my PC with Spybot S&D, but except for some tracking cookies there was nothing found.

So I do believe my PC is clean again. I was just wondering what I did wrong so I won’t repeat the same mistake. It was probably just bad luck…

But it was good luck that I had Comodo Firewall :BNC

Good to know the scan was clean. So CFP did its job in catching an outbound problem. Reading back to your first post, it becomes a bit more obvious that a zoom tool shouldn’t have any cause to try to go out to the Internet. So it does look more and more like this was a malware instance.

While your machine is clean, the question of how this got in remains unanswered. Whether a web page, email, or something else, there is some opening that was used to come on to your machine, and that opening is still there.

Standard practice says to make sure all the software is updated, be it Windows, Firefox, Adobe Reader, Flash, or whatever.

And Japo’s suggestion about limited user is a good one, as you don’t have to run limited for everything. Just enough to reduce the chances for things to get in. Like email. Or general web browsing. I run admin when I have to test things, but on going out to the Internet for something, I will switch over to a limited user account. My usual machine has one admin, and 5 limited role accounts.

For virus checking, have you tried AVG Free from grisoft.com, or AntiVir Personal from free-av.com?

If you haven’t already, I’d suggest removing that registry entry.
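The Run key entry posted earlier in the thread, and the suggestion here to remove it, are the kind of thing a quick autostart triage should surface. The following PowerShell script is an added example, not code from the thread, from Comodo or from DSS: it walks the HKLM and HKCU Run keys, resolves each value to its executable and reports whether the file exists, its Authenticode signature status, its creation time (to compare against the timestamps the DSS suggestion mentions) and whether limited users can write to it. The entry name Tpscrex and its path come from the thread; the checks themselves are this example's assumptions.

```powershell
# Added example, not code from the thread, Comodo or DSS: triage the autostart "Run" keys.
# For every value under HKLM and HKCU ...\CurrentVersion\Run it resolves the executable and
# reports existence, Authenticode status, creation time and whether limited users can write it.
# Assumes PowerShell 3 or later on a current Windows.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Pull the executable path out of a Run value such as
#   "C:\Program Files\MSTpscre\Tpscrex.exe"   or   C:\Program Files\Foo\foo.exe /silent
function Get-ExePath([string]$command) {
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }      # quoted path
    if ($command -match '^\s*(.+?\.exe)\b') { return $Matches[1] }   # bare path up to the first .exe
    return $command.Trim()
}

# Can Everyone / Users / Authenticated Users write to this file? If so, any limited-user
# process could have replaced it, which defeats the point of it living under Program Files.
function Test-UserWritable([string]$path) {
    $untrusted = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $write = [System.Security.AccessControl.FileSystemRights]::WriteData
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $untrusted -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $write) -ne 0)) {
            return $true
        }
    }
    return $false
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Get-ItemProperty adds PS* bookkeeping properties; everything else is a Run value.
    $values = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') -notcontains $_.Name }
    foreach ($value in $values) {
        $exe    = Get-ExePath ([string]$value.Value)
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $sig     = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'missing' }
        $created = if ($exists) { (Get-Item -LiteralPath $exe).CreationTime } else { $null }
        $writable = if ($exists) { Test-UserWritable $exe } else { $null }
        [pscustomobject]@{
            Key          = $key.Split(':')[0]
            Name         = $value.Name
            Executable   = $exe
            Exists       = $exists
            Signature    = $sig
            Created      = $created
            UserWritable = $writable
        }
    }
}

# Suspicious first: missing on disk, not validly signed, or writable by limited users.
$report |
    Sort-Object { $_.Exists -and $_.Signature -eq 'Valid' -and -not $_.UserWritable } |
    Format-Table Key, Name, Exists, Signature, UserWritable, Created, Executable -AutoSize
```

An unsigned binary is not proof of anything on its own (plenty of legitimate older utilities are unsigned), but an autostart whose file is unsigned, recently created and sitting in a folder nobody remembers installing is the combination the thread is describing, and it is the one to check against VirusTotal before deleting both the file and the Run value.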

Well, the jury’s still out over at Spywaredata.com as to whether the 7th variant of “Tpscrex.exe” listed on that site is a rogue program or not.

But you mentioned that the firewall popped up an alert when the file tried to connect to the Internet. So could you post the destination IP it wanted to go to? It will be recorded in your log files.

Hm, your variant looks quite fishy, its owner hasn’t even been identified… And both Kaspersky and ClamAV flagged it…

Anyway, my personal conclusion is that you can always get malware even if you’re someone who knows what he’s doing, and that’s what an antivirus is for. All computers should have an AV, and yet the AV should remain idle for 99.99 per cent of the time. It’s just a safeguarding measure. CAVS is currently beta, and the new version will also be. Talking about free AVs, I recommend Avira AntiVir, it’s an impressive piece of software, and if you’ve got something against it and Avast gave you trouble, AVG is also quite good.

Hello there, sorry to bump this old thread, but I just got rid of the same problem as he had. Where it came from? Who knows. Mine was caught by NOD32 Anti Virus; it had 1800 AMON infections and 898 IMON infections before I deleted it manually. I just deleted the folder it had created in Program Files.
Well, the reason I am here is because I see you lack the destination for the outgoing or ingoing yadayada. :wink:

Time Module Object Name Threat Action Information
24-03-2008 23:39:28 IMON file Ismys.com is for sale | HugeDomains a variant of Win32/TrojanClicker.Agent.NCG trojan

That’s the only evidence I have left on my PC; I deleted the rest to be sure it was gone ;)
Except, of course, for the quarantine. Hope this can be of some help to you experts. :slight_smile:
PS. I use my PC for all kinds of dirty work, so no wonder if I get a virus/malware once in a while. :wink: