trojan in memory (teatimer) found by avast 5 internet security

kdd53
2011-02-04, 07:43
i have found a trojan, didn't write it down-sorry, in memory on my machine and my son's machine. win 7 starter and win 7 x64 home premium respectively. downloaded from safer-networking #1 mirror and two different sites.

don't know if this is a sb feature that is picked up as a trojan by avast-is or not. anyone else found this pest?

spybotsandra
2011-02-04, 10:47
Hello,

As Spybot-S&D has no spyware integrated, this must be a false alarm.

The reason for such a false alarm is simple: Spybot-S&D saves backups of the problems you have fixed, to make it possible to recover them in case something stops working after the fix.

If the file found is in the Recovery directory inside the Spybot-S&D directory, it is such a backup. It is no longer of any harm there, as the file won't be found and loaded from there. But once you are sure you don't need the backup, go to the Recovery section inside Spybot-S&D and purge those files.

Current versions compress the recovery files into password-protected zip archives, thus avoiding that other spyware applications give false alarms. Some programs might notify you that they cannot access these zip archives - this can easily be ignored. As the recovery files are named after the threat, some programs might also naively detect the backups as threats just because of the file name. This can also be ignored.

In recent weeks there was a noticeably high number of cases where other anti-virus and anti-spyware programs wrongly detected parts of Spybot-S&D, which probably has to be traced back to insufficient testing at these companies (see articles in the News section on our homepage).

Best regards
Sandra
Team Spybot

kdd53
2011-02-04, 11:59
thanks for your reply. i am aware of the archive reading in anti-virus programs. i am not aware if sb scans system memory as well as the c drive.

if avast finds a sb archive it lists it in the avast scan log. sb runs after avast in my schedule. sb always shows clean. again, avast shows the trojan in memory in the teatimer block. it has shown in the sb memory block also.

if this happens again i will make a note and reply to this thread with particulars. i run a custom scan with avast-is scanning a full rootkit scan and memory.

Gopher John
2011-02-04, 18:07
I'm running Avast 5.1.889 and the latest SpyBot Search & Destroy, both of which have the latest updates to their definitions/signatures. I've not had the problems you report.

One reason may be that I don't use TeaTimer, but I can do a full scan including memory with Avast right after running a scan with SpyBot Search & Destroy. Perhaps Sandra can confirm whether SpyBot Search & Destroy puts or leaves unencrypted signatures in memory, but I don't think so.

By default, Avast doesn't scan .ZIP files. If you've set that in a custom scan, Avast would still not be able to scan a password protected .ZIP file and would report that it couldn't in the log, as Sandra stated.
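The behaviour Sandra and Gopher John describe for password-protected recovery archives, shown as an added example that is not part of the original thread and is not Spybot or Avast code: in a password-protected zip the entry names stay readable while the content does not, which is why a scanner can both report "cannot access" and still react to a file name. The entry name `ExampleThreat.reg` and the archive are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED = 0x1  # zip general-purpose flag bit 0: entry content is encrypted


def make_sample_archive(encrypted: bool) -> bytes:
    """Build a constructed one-entry zip in memory.

    The standard library cannot write encrypted zips, so the encrypted
    sample gets its flag set by hand in the central directory. That is
    sufficient for a listing, which is all this example performs.
    """
    buf = io.BytesIO()
    entry = zipfile.ZipInfo("ExampleThreat.reg", date_time=(2011, 2, 4, 0, 0, 0))
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry, "constructed placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        pos = data.find(b"PK\x01\x02")  # central directory file header
        (flags,) = struct.unpack_from("<H", data, pos + 8)
        struct.pack_into("<H", data, pos + 8, flags | ENCRYPTED)
    return bytes(data)


def scannable_entries(archive: bytes) -> dict:
    """Split entries into those a scanner can read and those it cannot.

    Names come from the central directory, which ordinary zip password
    protection leaves in clear text; only the file data is encrypted.
    """
    result = {"readable": [], "encrypted": []}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            key = "encrypted" if info.flag_bits & ENCRYPTED else "readable"
            result[key].append(info.filename)
    return result


if __name__ == "__main__":
    for protected in (False, True):
        print(protected, scannable_entries(make_sample_archive(protected)))
```
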

Root Canal
2011-02-05, 22:32
Uh...turn off that "good for nothing" tea timer and resident shields. They cause a conflict with avast.

drragostea
2011-02-06, 20:10
Root Canal, is complaining the only thing you can do?
Rather than whining and attempting to discredit Spybot-Search&Destroy by claiming things here and there and saying Spybot should do this and that is embarrassing. Just because one side of the story may say that TeaTimer may possibly cause conflicts, does not mean it is a divine fact.

You have been told before in a post that if you think Spybot's TeaTimer causes conflicts, then do not use it.

It is simple, people should be able to choose what they do and what they want on their machine.

I doubt you even have a hairline of an understanding of what goes on behind the forums. Spybot is freeware and modestly relies on the donations from generous people to keep the site and software running; you don't see SaferNetworking selling licenses that cost $29.99 USD a piece for real time protection and extra scanning features.

Have you researched the specific conflicts; where the events are conflicting at? Instead of recycling the term "TeaTimer is good for nothing", "TeaTimer causes conflicts", "SAS, Norton is superior", "Spybot should go on a diet?" in every post that pertains to Spybot, have you seen conflicts for yourself besides user reviews?

I think people who do their research instead of following a bandwagon would have a more concise and accurate insight on alleged "conflicts", true or not.

If you do not like Spybot, then don't use it; no one is forcing this product on your machine or anybody else. There is no "diet" on Spybot to go on because there is no "bloat" Spybot (if you call it TeaTimer, then don't use it). Spybot does not urge you to sign up for diagnostic reports like SAS or ask for your email. There are no ads in there taking up half of your computer screen nagging you to upgrade.

kdd53
2011-02-06, 22:46
sorry if i sound like i am complaining and whining about spybot. that was not my intention. i was, however, under the impression that this was a forum for support not criticism.

long time ago, i believe i read something on this forum or another forum about this js trojan and how it hides itself in the system memory in either the spybot.exe or teatimer.exe block.

i understand that this is a troublesome pest and is difficult to rid. thought someone else might have run across what i am talking about and had a cure. guess not.

i will not take your advice on not using the product. i have used spybot for many years successfully. it has found stuff that even the virus scanner misses.

however, i think i will search elsewhere for the time being. i will return soon and post a .jpg of the avast scan showing what i am speaking of.

love the product, but as for all security products, none of them are 100%, unless the programmers are working hand in hand with the "virus" writers. and i have heard that remark before in the "wild".

just hope to find some good info on how to get rid of this pest.

kdd53
2011-02-06, 23:46
here's the image. any thoughts?

Gopher John
2011-02-07, 00:32
I just scanned TeaTimer.exe in my installed SpyBot Search & Destroy 1.6.2.46 with Avast 5.1.889 and the current VPS 6.2.2011 - 110206-1. It scanned clean, no infection.

What version of Avast and its VPS are you using?

You can upload your TeaTimer.exe to VirusTotal (http://www.virustotal.com/) where it will be scanned by 43 virus scanners. Post the VirusTotal results link back here.

drragostea
2011-02-07, 01:02
kdd53, sorry if you mistook the criticism towards you, it was not.

I was responding to Root Canal.