Trojan Horse Agent2 ANXO

Rank: 1

Julian

Newbie

posts: 0

Registered: 2005-6-3

Message 1 of 17

14-04-2010 10:38 am
Has anybody had a problem with Trojan Horse ANXO? I can only run Ver 13.40; later versions refuse to run or install. The file corrupted is the VX Setup.exe file; no other files on the system are infected, just the VX file. I have the same problem with the other PC on the LAN, but I can install all my versions on a laptop that has never been part of the network. I run a bought version of AVG; they have not been much help, so if anyone has experience of this problem and got over it, please get in touch.

Rank: 1

cutter

Newbie

posts: 55

Registered: 2011-11-23

Message 2 of 17

14-04-2010 11:12 am
One day with my Space navigator parts just started creeping across the screen and nothing I did would fix it so I just quit using it. A couple of days later I ran an update and scan from "Spybot Search and Destroy". It indicated a trojan but could not remove it. When I googled the trojan it led me to a couple of solutions. The one that worked without problems was Malwarebytes anti malware program. When the trojan was gone my spacemouse went back to normal.

Every good source of info I have read says to have more than one program, although to limit the antivirus to just one. Microsoft security essentials for antivirus, Malwarebytes, Superantispyware, Spybot Search and Destroy and Spywareblaster are the ones I use with very few problems. The one that got me with the mouse was one that basically no one knew about for a while and so no protections were written for it.

A google search with the identified trojan or virus will take you to the answer to solve your immediate problem and the above programs I use will generally keep it from happening again and are free.

Finally, the only truly safe PC is the one that never goes on line. If you don't want eventual trouble don't go online with it and run minimal software on it only related to your work and everything scanned before it is allowed on there. If you are like me for instance you do go online and tinker with new programs and the price one pays is occasional headaches. That is why you back up regularly with good archives.

Rank: 1

Julian

Newbie

posts: 0

Registered: 2005-6-3

Message 3 of 17

14-04-2010 11:44 am
Many thanks, I run Spyware doctor and Ad-Aware, they have failed to even show a problem, I googled the trojan but it seems to be new as there was no reference to it. Strange that it only attacks VX and then only versions after 13.40. I have just found your post about maintenance cost, see my reply, we are on the same planet!
I will give Malwarebytes a go.

Rank: 1

Mike

Newbie

posts: 0

Registered: 2002-8-28

Message 4 of 17

14-04-2010 01:14 pm
You could try the latest version of VX V13. 13.75 is on our support site for download. Or better yet 14.31. Hint, Hint, Hint!!

Rank: 1

OldForumPost

Newbie

posts: 0

Registered: 2012-1-14

Message 5 of 17

14-04-2010 02:34 pm
The best tool I have found for getting rid of viruses and malware is AVAST.

It is free and it allows you to do a boot scan, so it can scan your system before windows fully loads.

AVAST also plays well with other Anti-virus programs. In most cases you cannot load two Anti-virus programs at the same time, but programs like Trend Micro, Zone Alarm and Bit Defender don't seem to mind that AVAST is loaded.

Good Luck,

Jarrod Schmidt

jarrods@vx.com
SKYPE: jarrodschmidt


Rank: 7

Paul

Moderator

posts: 262

Registered: 2011-9-17

Message 6 of 17

14-04-2010 03:18 pm
Hi Scotty,
I installed V14.31 and paid for the upgrade for V14. However, when I went to open V13.75 whilst V14 was running it came up with a weird Microsoft message and wouldn't run. Seems AVAST was quarantining the vx.exe every time. This was a coincidental occurrence so I thought it was a VX problem.
However I deleted the infected (Trojan win-32) file and reinstalled fresh from the current V13.75 install and it is all fine.

It is the first time I have had an infection for years.

Jarrod, doesn't Windows Defender make Zone Alarm redundant? And why would you run two AV programs side by side? I am always trying to have as few programs as possible running. They all suck up resources.

Back to VX versions. Why wouldn't you use V13.75? It is the best V13 version by far. And V14 is a substantial improvement on V13. I agonized over the upgrade cost for a year. I ended up with a model that was right on the limit of the old Sketcher solving capability. If I added or changed anything it stalled. Yet in V14 it flies. IMO the V14 sketcher is A VAST improvement. Being able to add tangency constraint to splines is a BIG step forward.
Cheers

Rank: 1

OldForumPost

Newbie

posts: 0

Registered: 2012-1-14

Message 7 of 17

14-04-2010 03:46 pm

____________________

Jarrod, doesn't Windows Defender make Zone Alarm redundant? And why would you run two AV programs side by side? I am always trying to have as few programs as possible running. They all suck up resources.

____________________

Windows Defender might make Zone Alarm Redundant. I was only listing some AV programs that would allow you to install AVAST at the same time.

I agree with you that you would typically only want to run one AV Program, but if you think you have a virus and you cannot get to it with your AV program, you can load AVAST without being required to uninstall your current AV program. I would only run two AV programs side by side if one is AVAST, so that I could do a boot scan with AVAST. I have seen people load McAfee and Norton at the same time, only to have both not work. AVAST seems special in that it can be installed - you can do your boot scan - then uninstall AVAST.

Hope this clarifies things.

Jarrod.

Rank: 1

ChrisWard2k2

Newbie

posts: 2

Registered: 2011-11-22

Message 8 of 17

14-04-2010 05:05 pm
It could be a false positive from AVG, in other words it "thinks" the VX Setup.exe is something that it is not. Have you tried adding Setup.exe to the Anti-virus white list? Or simply disconnect from the internet and try running setup with AVG switched off.

Rank: 7

Paul

Moderator

posts: 262

Registered: 2011-9-17

Message 9 of 17

14-04-2010 05:37 pm
Hi Chris,
me thinks 'false positive' is a false negative/positive. (can't figure which is correct and I am English as first language bloke)
If it says it's infected, it is.

Rank: 1

Mike

Newbie

posts: 0

Registered: 2002-8-28

Message 10 of 17

15-04-2010 11:11 am
I won't weigh in on which Anti-virus to run. That is not my area of expertise but I can tell you that we currently run Microsoft Security Essentials on our zip files. So anything you download from VX is squeaky clean when it leaves Florida. 13.40 was released in November 2007. There was nothing wrong with the file at that time.

Rank: 1

ChrisWard2k2

Newbie

posts: 2

Registered: 2011-11-22

Message 11 of 17

15-04-2010 11:35 am
Hi Mudcrab, I'm surprised you are so sure about that because it's a fact that all AV apps make these "mistakes" (not just with VX files of course). If they were perfect, they wouldn't need to offer the get-out-jail-card that is the "white list"..........

Rank: 1

Julian

Newbie

posts: 0

Registered: 2005-6-3

Message 12 of 17

16-04-2010 06:22 am
Cracked it, AVG was seeing the VX Setup.exe file as a false positive(!), AVG had just done one of its auto upgrades, stupid I should have spotted it, anyway all is now well. I have uninstalled AVG and the whole system is running much faster, I have a feeling AVG was responsible for one or two other problems. Thanks for all the help.

Rank: 7

Paul

Moderator

posts: 262

Registered: 2011-9-17

Message 13 of 17

16-04-2010 03:22 pm
Hi Chris,
the difficulty with 'false positives' is How do you know the file is NOT infected? And why do you take the chance - after all you have the AV to do things you cannot see or do from outside of the PC.
OK you can install a clean file and see what happens. Then you have a clue as to what might be going on.

In Scotty's case it could still be infected - just not being detected. If he is using other AV software and it is not seeing it then it may be false positive or the AV software is not on the ball. My understanding is that US-based AV companies are obligated to share signatures/fixes amongst themselves within a very short time frame. Hence all AV software is roughly at the same knowledge level regards new diseases.

Hence my willingness to trust the AV software. My initial response to the infection here was 'no way' and I submitted a false positive report to AVAST - but removal and reinstalling solved the problem. IMO this is a more prudent response than turning off the AV. Have not heard back from Avast however.
Anyway that's my defense. Cheers

Rank: 1

ChrisWard2k2

Newbie

posts: 2

Registered: 2011-11-22

Message 14 of 17

16-04-2010 05:17 pm
The point of switching off the AV is to see if the problem is caused by the AV itself, not a virus. It's a simple test and the results are conclusive, that is how you know.

If the system is actually infected with a virus, the test of switching the AV off is not going to make any difference to the system, given that the virus is already "in". Trojan horses are designed to allow a hacker or spy-bot access to your system. That can't happen if you are disconnected from the internet.

During the detection process, the AV has various methods to determine if a file is dangerous. The most sure-fire method is pattern matching, a known finger-print if you will. However, for the earliest outbreaks of a new virus or variant, there isn't an exact pattern to match, so other, less accurate methods are deployed, and that's where the false-positives come from.

In this case, we knew it was highly unlikely to be a virus because the file is from a trusted source (VX Corp). If you read my other posts on this subject, I explain that one of the AV tests is for suspicious file behavior. VX falls into that category simply because it can run as more than one process and has more than one exe file. AV apps are largely designed for the general-use software and file types that most PCs use. Huge apps like CAD-CAM are outside of that definition and the consequence is what Scotty has experienced.
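
Added example, not part of any post in this thread and not any AV vendor's code: a toy Python scanner contrasting the exact pattern match with the looser behavioural scoring described in message 14, using a launcher that starts a second exe and then exits as the false-positive case. The signature bytes, trait names, weights and threshold are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed byte pattern standing in for a known-malware fingerprint.
SIGNATURES = {"Constructed.TestSig.A": b"\xde\xad\xbe\xef-constructed-marker"}
# Constructed behaviour weights and threshold (assumptions for illustration).
WEIGHTS = {"launches_second_exe_then_exits": 40, "ships_multiple_exes": 20,
           "unknown_to_scanner": 30}
THRESHOLD = 60

@dataclass(frozen=True)
class Sample:
    name: str
    data: bytes
    traits: frozenset = frozenset()

def digest(sample):
    return hashlib.sha256(sample.data).hexdigest()

def signature_scan(sample):
    """Exact pattern match: return the signature name, or None."""
    for sig_name, pattern in SIGNATURES.items():
        if pattern in sample.data:
            return sig_name
    return None

def heuristic_score(sample, allowlist):
    """Sum the weights of observed traits; files not allowlisted score extra."""
    traits = set(sample.traits)
    if digest(sample) not in allowlist:
        traits.add("unknown_to_scanner")
    return sum(WEIGHTS.get(t, 0) for t in traits)

def verdict(sample, allowlist=frozenset()):
    hit = signature_scan(sample)
    if hit:  # a signature hit is never overridden by the allowlist
        return "infected:" + hit
    if digest(sample) in allowlist:
        return "clean:allowlisted"
    if heuristic_score(sample, allowlist) >= THRESHOLD:
        return "suspicious:heuristic"
    return "clean"

# Constructed samples: a benign launcher, a plain file, a signature carrier.
LAUNCHER = Sample("launcher.exe", b"MZ constructed benign launcher",
                  frozenset({"launches_second_exe_then_exits", "ships_multiple_exes"}))
PLAIN = Sample("plain.exe", b"MZ constructed plain file")
CARRIER = Sample("carrier.bin", b"MZ" + SIGNATURES["Constructed.TestSig.A"])
```

The benign launcher is flagged only by the behavioural score and clears once its hash is allowlisted, while the signature carrier stays flagged even when allowlisted.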

Rank: 7

Paul

Moderator

posts: 262

Registered: 2011-9-17

Message 15 of 17

16-04-2010 08:53 pm
Hi Chris,
about two weeks before Scotty I did have a Trojan attach to vx.exe V13.
Avast would quarantine the file when it tried to run with the consequence I couldn't run V13.

Turning off the AV would allow the exe to run as it would not be quarantined.

When I deleted and reinstalled the problem was solved. In other words Avast was not recognising the behaviour and quarantining the exe as before.

So another test scenario and a different outcome eh! Cheers

Rank: 1

ChrisWard2k2

Newbie

posts: 2

Registered: 2011-11-22

Message 16 of 17

16-04-2010 10:13 pm
Hi Mudcrab

It is extremely unlikely that vx.exe actually had a Trojan attached to it. That isn't how Trojans would usually get onto your system or hide away, although of course it is not impossible. Trojans will normally arrive hidden within a file already - typical hiding places are Windows system files and common image files, including those that your web browser stores for faster access to your most-visited sites, like the Google logo image etc, so it's a good idea to clear that cache. Did you verify the suspect file with any other tools or did you just trust Avast?

AV Quarantine is one reason why the AV's action would stop VX working, another is the AV's file test itself - The AV app is accessing an exe file that Windows is trying to run - this can cause a failure whether or not the file is good or bad. Now, if Avast (or other AV) does not "know" vx.exe, it may well intercept the execution of the file because it could be deemed suspicious for two reasons. Firstly, vx.exe immediately launches another exe file (vxmain.exe), then closes. Secondly, the name "VX" is unfortunately associated with a toxic nerve gas, so it's just the sort of name that a Trojan creator might like to use. In the past I have seen Trend Micro quarantine VX and Windows itself do so (Microsoft Data Execution Prevention - WinXP/Win7). However, this does not happen with all AV apps, nor does it happen on all PCs - one of the reasons being that the execution of vx.exe is so fast it simply is not detected every time! Some of the popular AV apps do know about VX and I would hope Avast is one of them - perhaps that is why it no longer interferes with VX on your PC.

However, if you really did have a Trojan that attaches itself to other apps and files, it would definitely be catching many of them, especially commonly known exe files such as those that arrive with the Windows install plus Adobe Reader, Outlook etc etc - those would most likely be attacked before VX since it is also unlikely that the Trojan creator knows of VX - if a search and attack parsing list was created VX would be near the end of that list, i.e. one of the last to be attacked. To be on the safe side, I'd run Avast in boot-up mode. You might also like to try Vipre Rescue, which performs a very deep scan and can dig-out root kits. http://live.sunbeltsoftware.com/

Rank: 1

ChrisWard2k2

Newbie

posts: 2

Registered: 2011-11-22

Message 17 of 17

22-04-2010 12:06 am
McAfee has the mother of all false-positives in its latest update which will stop your PC from re-booting:

McAfee Update Issue