AVG Resident Shield + Trojan Horse Generic6


Dilbert
21-08-2007, 21:15
Evening'

Running AVG Free Edition (updated daily, run every two days), and this evening it came up with a couple of 'Threat Detected'.

Details were:

Threat detected while opening file: C:\System Volume Information\_restore......\A0235584.exe

Threat detected while opening file: C:\System Volume Information\_restore......\A02335583.dll

All sorted now, but don't know why. Are these in System Restore files? Do I need to worry?

Any help appreciated!

Thanks. :)

anonymous
21-08-2007, 23:56
Hi AVG resident,

Wow, not just me. I've been running the AVG Free Edition since March, update daily and run daily. I've never received any warnings until today and this evening I too received the threat of Trojan Horse Generic6 !
It's in my C:\Program files\InstallShield Installation Information\..etc
times 4 and in my C:\Users\(Me)\AppData\Local\Temp\..etc.
times 2.
They're all setup files with extensions like ISSetup.dll and setup.exe.
How strange that we both got this for the first time on the same day?
Before I found your post I was reading another site (sorry, skipped about so much but I think it was on Cnet) where a user was discussing the same thing but it was generic5, older post. That person said that they did a new update, rescanned and then it was gone. However my scan just finished and stated that all 6 infections were healed. It wants me to re-start now.
Based on where mine were, I'd say it has nothing in particular to do with your system restore files. But I'm going to stay worried and I think you should too until we find out why/where this came from all of a sudden.
Let's see how many others get this today. Scary....

anonymous
22-08-2007, 00:30
Just wanted to let you know that I also was infected with the Generic6 today. I ran two scans and both showed the trojan, some with .ums and also with .umu. A friend in casual conversation mentioned that he had a trojan show up today on his computer...didn't say what it was but may be the same Generic6. Nothing had shown up until today.

anonymous
22-08-2007, 00:53
Wow, the same thing just happened to me too.

As soon as I started up my computer today, my AVG-free did an autoscan--as it does everyday--and it picked up 2 Trojan Horse Generic6.UMS and 2 Trojan Horse Generic6.UMU. There was one of each .UMS and .UMU in my Local Settings/Temp and the other two were in InstallShield Installation Information--AND they were all ISSetup.dll and setup.exe. Very strange we all have this problem within hours of each other. Hopefully it's just a mistake with the most recent AVG update.

These are the first files my AVG-free has ever found so I'm pretty inexperienced with dealing with virus-cleanup. They are quarantined now, so is there really anything else I should be worrying about?

Oh and sorry I'm not any help answering the question.

Message was edited by: Dufusdor

anonymous
22-08-2007, 01:07
Hi guys, I have the same report.

Same 2 files as everyone else, will have to look into this more.

Message was edited by: OZSlayer

anonymous
22-08-2007, 01:15
I too have been infected by the same virus, and on the same day. Where has this damn thing come from?
I have a brand new laptop, and stupidly connected to the 'Net for about 30 minutes during an OS install with no anti-virus running. I do have an excellent firewall though, and so if the infection has come that way I find it surprising, I must say.
I have though done a couple of system restores and also used the 'settings and transfer wizard' on Windows Vista.
Perhaps more interestingly I've had huge problems with my keyboard suffering from 'lag' and frequently 'dropping' characters I type. This is a brand new laptop and I was about to return it as having a faulty keyboard, but I'm convinced that some sort of 'key logging' might be going on - since the trojan was put 'in the vault' it's behaved correctly.
But the virus keeps reoccurring, so I'm going for a fresh install after scanning everything I'm about to load on to the machine.
Perhaps the keyboard thing isn't 'logging' as such, just the virus creating a 'time lag', but something funny's going on ... mind you, I am using Vista, might explain a lot!
S

anonymous
22-08-2007, 01:23
O.o

Just last night I typed my name and nothing was showing up, then a few seconds later my name showed up with some of the letters typed about 4 or 5 times. I was in the process of starting a dedicated server on my computer, so that could have caused some lag. However I have no idea what kind of effects a keylogging program has on my computer because I have never experienced that before. Could just be a coincidence--I'm probably just overreacting because this is something new to me lol.

anonymous
22-08-2007, 01:37
Hey I found something that might calm everyone's nerves:

http://forum.grisoft.cz/freeforum/read.php?4,106389,backpage=,sv=

Someone just posted in the AVG forums about the same problem when they downloaded a game from the internet. According to them it's a problem with the update and it has happened before to World of Warcraft and now also to the newly released Bio-Shock Demo... Anyone recently download Bio-Shock Demo?

anonymous
22-08-2007, 02:22
Wow, I'm getting the same threats. I am scanning at the moment and have 8 threats so far, but I have searched for the files and they aren't even on my computer.
I have 2 _is1.exe, 2 setup.exe and 4 ISSetup.dll, all trojanhorse generic6.UMS and UMU. Being somewhat computer illiterate, though I know a little bit, I'm unsure what to do with these. Do I leave them or get rid of them? Any assistance would be appreciated, this is a work computer and I don't want to bugger it up.

anonymous
22-08-2007, 02:26
Me, too, with having the Trojan horse Generic6.UMU & .UMS appearing suddenly. I've had the AVG Free Edition for awhile, update daily and usually run every 2-3 days. I've received this warning of 2 threats from Trojan horse Generic6.UMU &....UMS today, August 21, 2007, about 5:30 pm, PDT. First time for getting threat warnings also.

The Trojan horse Generic6.UMU was in my C:\Program Files\TurboTax\Basic 2006\Dllnst\ISSetup.dll , and
Trojan horse Generic6.UMS was in my C:\Program Files\TurboTax\Basic 2006\Dllnst\Setup.exe .

It is strange that so many are getting these within hours of each other.

When my scan finished, it stated 2 infections were healed. No restart was asked for --

Anyone know if AVG staff have heard of these trojan horses being circulated ??

anonymous
22-08-2007, 02:53
Seems AVG fixed it, hopefully that is the last we will see of it.

anonymous
22-08-2007, 03:02
Weird!! - I also got them today. The first time I started my computer up today........

Have run AVG for a while now, and never anything...

Why do you say AVG fixed it?

anonymous
22-08-2007, 03:13
At the end of the scan it came up that AVG had healed all 8 files. I've just completed another scan and nothing came up, so all looks good for now :)

anonymous
22-08-2007, 03:42
I ran into the same thing; run AVG every day and it came up with a grand total of 44 files infected---almost all InstallShield files, on closer inspection. A bunch went into the Virus Vault, and AVG claimed the others were healed, but when I ran AVG a second time, they still showed up as having Trojan Generic6, plus four cropped up in my Temp files. Since I didn't really need the files that were still showing up, I deleted them, and the ones in the Temp file. Running AVG a third time to see if that got them all. We'll see.

Interestingly enough, of the files that are in the Virus Vault, the ones listed as Generic6.UMU are all 539.27 KB in size; all of those listed as Generic6.UMS are 444.92KB in size. There are a bunch of different files, but some of them I know should not be anywhere near that big. So I don't think this is a false positive---I think it's something real that's latching onto InstallShield somehow.

anonymous
22-08-2007, 03:44
Add me to the list of people who got the Generic6.UMU and the Generic6.UMS Trojan Horses. It happened earlier today during an automatic scan of the Desktop when my mom was online. I have had no problem in the past.

Anyone know what this is about?

anonymous
22-08-2007, 03:46
Well I've been looking around on the internet and other people who have had problems like this in the past were able to quarantine the files, unfortunately AVG would find more within the next few days... I'm hoping that's not my case.

And when it says that AVG "healed all files" doesn't it mean that the files are now quarantined and unusable by the computer (unless restored)? Hopefully AVG has made some sort of mistake and we don't have any viruses at all. Or am I wrong-- are files still usable while quarantined?

anonymous
22-08-2007, 03:50
No, when AVG says it healed the files, it thinks that it removed the Trojan; the file is still there and usable because AVG thinks it's OK at the moment---but if my experience is any guide, it'll think it's not next time you scan it. It's quarantined only if it goes to the Virus Vault (where I presently have 40+ Generic6 things using 20 MB of my hard drive now).

anonymous
22-08-2007, 03:55
Ok, thanks for clearing things up for me, gardibolt. Sounds like you got it pretty bad :(

anonymous
22-08-2007, 04:03
Oh wow, 44 files :o I thought I had it bad. I have deleted all temp files and deleted all cookies, which I do regularly anyway, but it appeared that all of the viruses were attached to files in temp files. I'm now doing a 3rd scan to triple check, which appears clear so far. Hopefully it is just a Grisoft error and they can fix it soon.

anonymous
22-08-2007, 04:09
Considering the size of the infected files (nearly half a meg each---and all either 539.27 or 444.92 KB) in my Virus Vault, I don't think this is a false positive. I think it's real.

But so far the third scan is coming up clean... here's hoping I got it all.

anonymous
22-08-2007, 04:09
Sorry-- Noob question --but what exactly are temp files for? Is it ok to just delete the ones that are infected? I'm assuming it's ok to delete the other files of mine that were infected- "InstallShield Installation Information"

anonymous
22-08-2007, 04:11
That's a good question. I suspect you may not be able to use InstallShield to uninstall a program that you've lost the information to either due to the Trojan, or because you deleted it, but someone who knows more about IS than I do may need to answer. But deleting infected Temp files shouldn't cause you any trouble.

Message was edited by: gardibolt

anonymous
22-08-2007, 04:18
Yeah, I have a feeling it could be real rather than an error, I have just checked all of the files in the virus vault and they're the same size as you mentioned, 3rd scan is close to finished and all seems good so far. Fingers crossed we have got rid of them.

anonymous
22-08-2007, 04:21
OK, if you're coming up with files the exact same size I am then I'm virtually certain it's real. Still nothing found on 3rd scan, but a ways to go yet. Fingers still crossed.

Maybe this was something that's been in our systems a while, but AVG just added it to today's updated definitions? That'd explain why it's suddenly appearing out of nowhere.

anonymous
22-08-2007, 04:30
That was my guess, but I didn't like that idea and I preferred to make myself think that it was a false positive.

Anyway I just checked and I have the same .UMU file size, but my .UMS is different (445.59--not that different lol). But it's the same case in that my .UMU's are the same to each other and .UMS's are same to each other.
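The size comparison in the last few posts (identical sizes across the vaulted .UMU files, and again across the .UMS files) is a useful triage step, and it can be made exact: files of the same size and the same hash in different locations are copies of one file, so a signature that fires on all of them is one detection repeated, not many separate ones. The Python below is an added example, not code from this thread or from AVG, that groups a set of files by size and SHA-256 and picks one representative per group. The directory tree, file names and contents are constructed stand-ins (the paths only mirror the locations posters mention); on a real machine you would pass the paths AVG reported instead.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed sample tree: made-up byte strings standing in for the
# reported files. Three ISSetup.dll copies and two setup.exe copies are
# byte-identical on purpose; app.exe is unique.
SAMPLE_FILES = {
    "Program Files/InstallShield Installation Information/{A}/ISSetup.dll": b"ISSETUP-STUB-A" * 40,
    "Program Files/InstallShield Installation Information/{B}/ISSetup.dll": b"ISSETUP-STUB-A" * 40,
    "Users/me/AppData/Local/Temp/ISSetup.dll": b"ISSETUP-STUB-A" * 40,
    "Program Files/InstallShield Installation Information/{A}/setup.exe": b"SETUP-STUB-B" * 50,
    "Program Files/InstallShield Installation Information/{B}/setup.exe": b"SETUP-STUB-B" * 50,
    "Program Files/SomeApp/app.exe": b"UNIQUE-PROGRAM" * 30,
}


def build_sample_tree():
    """Write the constructed files into a temp directory; return (root, paths)."""
    root = tempfile.mkdtemp(prefix="vault_triage_")
    paths = []
    for rel, data in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        paths.append(full)
    return root, paths


def sha256_of(path):
    """Stream the file so large installer stubs do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def group_by_size_and_hash(paths):
    """Map (size, sha256) -> sorted list of paths with exactly that content."""
    groups = defaultdict(list)
    for path in paths:
        groups[(os.path.getsize(path), sha256_of(path))].append(path)
    return {key: sorted(members) for key, members in groups.items()}


def triage_lines(groups, root=""):
    """Human-readable report, largest duplicate groups first."""
    lines = []
    ordered = sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    for (size, digest), members in ordered:
        label = "duplicate" if len(members) > 1 else "unique"
        lines.append(f"{label}: {len(members)} copies, {size} bytes, sha256 {digest[:16]}...")
        for member in members:
            shown = os.path.relpath(member, root) if root else member
            lines.append("    " + shown)
    return lines


def representatives(groups):
    """One path per distinct content: the minimal set to submit for a second opinion."""
    return [members[0] for members in groups.values()]


if __name__ == "__main__":
    sample_root, sample_paths = build_sample_tree()
    found = group_by_size_and_hash(sample_paths)
    print("\n".join(triage_lines(found, sample_root)))
    print("distinct samples to scan elsewhere:", len(representatives(found)), "of", len(sample_paths))
```

With the constructed tree the six reported files collapse to three distinct samples, which is what you would actually upload to a multi-engine scanner or hand to the vendor's false-positive process; equal sizes alone, as the posts note, only suggest this, while equal hashes confirm it.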

anonymous
22-08-2007, 04:31
I recently had trouble with my hard drive. It was not totally trashed but it would not survive a disk check without stopping. A diagnostics showed bad blocks. This drive is currently attached as a second drive. I abandoned Norton Internet Security because it caused headaches with accessing the network. I downloaded and ran AVG. It found the generic6.UMU and generic6.UMS on the old drive in two places. Both are ISSetup.dll and setup.exe files. One of the programs was downloaded over a year ago. I am not sure about the other. After reading all the posts to this thread it occurs to me that perhaps AVG's latest virus definition update is suspect or misreading something. This is something that we all would have in common. It is too coincidental that all these show up at the same time. If it was a new virus it would not be in my old file.

anonymous
22-08-2007, 04:34
That's reassuring... I think :). At least that proves that this all has something to do with the latest update.

Message was edited by: Dufusdor

anonymous
22-08-2007, 04:38
Maybe that could be why, it would explain why so many people are suddenly affected, if it is something to do with the new updates. I read elsewhere that a lot of people who have downloaded a certain game (Bioshock Demo) have also been affected, but as far as I know the only game I have downloaded previously isn't anything like what others are having issues with. I have also been getting a lot of the latest virus e-card and photo emails, that I delete without opening, surely they wouldn't have anything to do with it. It is all too confusing for me lol, this is the first time I have had virus issues with this computer.

anonymous
22-08-2007, 04:54
Well I just finished another virus scan and it didn't find anything. Anyway, I have to go to bed-- Good luck to all of you. I'll probably be back tomorrow to see what else has been discovered lol.

anonymous
22-08-2007, 04:57
Mine is almost finished as well and all is clear, yay. Night dufusdor, even if it is midday here lol.

anonymous
22-08-2007, 05:02
My son recently downloaded something called knight_online_setup_121306.exe, and this is the file that AVG detected with the Generic6.UMS. It didn't come up on AVG until my daily complete scan was run on 8/21. What is this thing? AVG says that it is not healable, and it is now in my virus vault.

On the website www.forums.toonzone.net, a lot of people are reporting finding this trojan as well, related to the BIOSHOCK demo.
I am currently looking at the AVG forum threads for further information.

Thanks for the link.

anonymous
22-08-2007, 05:06
Damnation....a bunch more have cropped up in a different place. I'm not happy about this.

Oh....wait. It found the things in the Recycle Bin. Emptying the bin and will try again.

Message was edited by: gardibolt

anonymous
22-08-2007, 05:19
I was trying to install Civilization IV and each time I clicked "install" AVG warned me about the Generic6.ums. Anyone else have that happening?

anonymous
22-08-2007, 05:35
I have the same trojans but as far as I know they are being deleted. I will restart the computer and run AVG again. Does anyone know if it is affecting their computers at all?

anonymous
22-08-2007, 05:37
I have civilization IV but installing it worked fine

anonymous
22-08-2007, 05:48
It doesn't seem to have affected my computer. I think I found the source of mine, I downloaded a couple of games a while back, which I have now deleted completely from my system.

anonymous
22-08-2007, 06:01
Oh ok. As far as I know they have gone.

anonymous
22-08-2007, 06:14
Hi Everyone,
Turned on my pc this morning and AVG popped up saying it found the exact same file, generic6.
I did a full scan and found another 9 files, all of which I quarantined and then deleted. They were either in 'TEMP' or in the 'InstallShield Installation Information' folders. I have done another scan and it was clear, so I'm hopeful it's gone. I probably should have left them quarantined but I had my last pc die around a year ago thanks to a bug and didn't want it happening again.
It's strange so many people have had the same problem, I wonder what's happened?

SirJD

anonymous
22-08-2007, 06:21
hey, i haf da same infection as well, and an extra one called Obfustat.IYB, dunno how it appeared.. its on my soldier front installer and game guard.. its really weird.. never had this problem b4, my comp has been clean of virus' and trojans until very recently..

anonymous
22-08-2007, 06:25
Maybe it's AVG thinking it's a virus when it isn't?
I've read on a few other forums and it seems 99% of people have had the problem with games, mainly the bioshock demo but a few others when trying to install legitimate games they have downloaded from the internet.

Then that leaves me with another Q: if it isn't a virus, will my PC be ok now that I deleted them all? :P
SirJD

anonymous
22-08-2007, 06:37
yea mebbe it isnt.. but i juz deleted da files with da generic6 virus thing.. and now i juz did a full virus scan and received another two.. generic6 files??? now its ISsetup.dll and setup.exe...

anonymous
22-08-2007, 06:40
They are the exact same files I got as well, and I deleted all of them.

SirJD

anonymous
22-08-2007, 06:46
owhh it is.. ok then.. thx.. i guess i will juz get rid of them..

anonymous
22-08-2007, 06:48
Good Evening All,

I too would like to report that I have also been infected by the Trojan Horse Generic6.UMU and Generic6.UMS with filenames of ISSetup.dll and setup.exe.

The suspected virus tried to attach to the following locations:

\autorun\drivers\vista\80211,
\autorun\drivers\vista\LaunMgr,
\autorun\drivers\vista\Webcam, and
\program files\installshield installation information.

and other similar locations, with a total of 14 infected files found.

The Trojan Horses were found by AVG when I started the computer and right after the regular daily AVG updates were completed.

It's interesting that most of the people's computers were affected today. I recommend rescanning your computer with a different software program to see if it finds anything else.

My question that I have to you all is: are you guys running a Free AVG Edition program or a commercial version? If some of you guys are running a commercial version, my guess is that you should have the same problem.

Please let me know. Thanks!!

anonymous
22-08-2007, 06:49
OK, fourth time through seems to be the charm. Finally got rid of them all. Now to try rebooting and scan again just to make sure....

See y'all in the morning.

anonymous
22-08-2007, 07:01
My slave drive won't let me access it after about 30 seconds - sound like the same thing is happening to me - and yes I have the generic virus also. Let me know what you found that will work on getting the drive running again. I have tried a few programs to recover data and it's not working :(

anonymous
22-08-2007, 07:03
must....keep...scanning

anonymous
22-08-2007, 07:55
I also got these warnings today when the autoscan occurred.. i then ran another scan, and it's found 2 more =/
trojan generic 6.ums
trojan generic 6.umu

_is.exe is one file
and
ISSetup.dll

I haven't downloaded any new games.. the only thing I've been doing lately is browsing the internet.. Never got a virus before from just browsing?

anonymous
22-08-2007, 08:04
I received 4 threats today with the same trojan generic6.umu. I really feel it has something to do with AVG Anti-virus updates. I'm running full scans with two other antivirus programs and will let you guys know the outcome. Try turning off the restore points so the viruses won't hide in those system areas. Also if you downloaded any games such as Final Fantasy XI themes for Windows XP and Bioshock demo, UNINSTALL THEM RIGHT AWAY! I've tried running the open source anti-virus utility Clamwin but for all files that Clamwin tries to scan, permission is denied according to the Clamwin log. I believe I obtained the theme via " Microsoft.com's get more themes link" in the XP display panel. Another strange thing was a game called Air Hockey Demo appears to have installed itself with no user intervention. I was curious and attempted to play the game; the game was unplayable and I uninstalled it. I was in the middle of installing a trial version of Adobe Flash CS3 when the trojan generic6 took over and wouldn't allow the install to continue. I hope this info is helpful and can be of use.

anonymous
22-08-2007, 09:12
I too have the problem

But I really suspect a false positive because:

it was first found in an HP software/driver package dedicated to a machine and taken directly from the HP website. And yesterday everything looked fine...????

Then it looks infected (well, avg free says...) in an ISSetup.dll and a setup.exe in Install Shield Installation Information...

Strange, eh?

(machine is new, I'm just installing it from scratch with XP Pro (must remove Vista for our company needs...) and have downloaded HP driver packages only...)

Hope it helps.

anonymous
22-08-2007, 09:32
Another one here who's picked this up today.....

I've had my laptop since August 6th 2007

First thing I did was download AVG (free edition), AVG Anti-Spyware (free version) and Zone Alarm, followed by Firefox to replace Internet Explorer (personal preference).

I have also downloaded drivers for my printer and another piece of kit I attach up (couldn't use disk for either as I needed Vista drivers) - both from trusted manufacturer sites, and both as soon as I got my laptop.

I also installed a couple of pieces of software from disk (Office 2007 and PSP X).

AVG updates and scans on the laptop when I turn on every morning. Has been fine until now, but this morning I'm also getting Generic6.UMU and Generic6.UMS in ISSetup.dll and setup.exe respectively (as per previous posters).

I have never downloaded a game onto this laptop -- and no-one else has had use of it since I picked it up.

I haven't opened pictures attached to emails. In fact since getting the laptop I've done all my emailing via webmail so that I can access everything from both my laptop and my desktop.

So I really don't know where I've got these from, but am also totally confused (even having read this thread) about how to get rid of them!!

Off to read back through the thread whilst the scan finishes.......

anonymous
22-08-2007, 10:04
Wouldn't happen to be an Acer Aspire, would it?

anonymous
22-08-2007, 10:11
I have also just found a Generic6 virus on one of our machines at work. Oddly, we all use AVG Free edition, all been updated this morning, but only one out of 10 machines has the virus.

Surely this means that it is not an AVG problem, but a virus in itself?

No games have been downloaded on the infected machine either.

anonymous
22-08-2007, 10:24
mmmm I too have the 'virus', however mine was found in a game file, Caesar 3, so it would appear to be genuine, if it is located randomly on different systems that is?

anonymous
22-08-2007, 10:26
Advent 7211

anonymous
22-08-2007, 10:43
Another one as well! I'm using AVG 7.5 anti malware and it picked up the same trojan in an Arcsoft Photo Impression file I've had since December. This is the main programme executable (PhotoImpression6.5_Gold_engfull.exe) from the Arcsoft website for their Gold 6.5 product which I bought online. (PhotoImpression is actually uninstalled but I retained the main file.) So I'm not sure how that has suddenly become infected - if indeed it has. I tried to heal it but it failed and moved the file to the vault.
I'll email AVG support with the details and post back if anything useful comes up. A further full scan on my desktop and laptop - both with yesterday's updates on hasn't revealed any more - so maybe they are genuine?

anonymous
22-08-2007, 10:45
Hi. I'm having the same problem - yesterday, no viruses, started the AVG Virus Programme after it updated itself, and then when I came back after my breakfast I had 14 Viruses, all of which couldn't be healed, moved to the vault.
Some are in .dll files, some are in .exe files, and the rest are in Installshield files. Am I safe to just delete these files or not?

anonymous
22-08-2007, 10:56
I am trying to add these files to a ZIP. But I keep getting errors about the files being temporary, and permission errors.

How is a file characterised as 'temporary' in Vista? And how do I un-temporary-ize it?!

anonymous
22-08-2007, 10:58
This has got to be a false positive, surely. AVG Free Edition detected the same two "viruses", but with EasyNote software that came via my brother on a memory stick - two months ago. It's been on my machine for this length of time and yet it is only today that the alert came up.

Interestingly, AVG Free Edition went through the detection and yet at the end did nothing, simply completed the routine.

Probably won't even see this with the next update of AVG. Methinks.

GrahamG

anonymous
22-08-2007, 11:27
My first run said it had 'healed' the files, but that I needed to reboot to complete the 'heal'.

I opted NOT to reboot immediately, as I was in the middle of something - but have since rebooted as I was away from my laptop for a short while.

Then re-ran AVG, and it told me about the same things but no mention of healing or request to reboot.

Just finishing off another run of AVG, having done nothing since the last (apart from check out a few of my 'normal' web sites), and it's been running over 30 mins without finding anything yet.......

anonymous
22-08-2007, 11:32
I've been up all night trying to figure this trojan out and how to stop it. Here's what I've determined so far. The trojan seems to be self-mutating with multiple payloads that are randomized as to selection of payload (a,b,c,d.....). Example: payload a = game file infection, payload b = file permission changes/tampering, payload c = spontaneous reboot, payload d = setup.exe and ISSetup.dll and so forth. Multiple antivirus scans with Trend Micro Housecall and AVG result in no infection found. Scans with ClamWin Anti virus result in permission to scan all files denied on a file by file basis. There is a possibility of rootkit, but I have not fully tested as of yet, with results of rootkit detectors being sometimes cryptic and too informative. Has anyone seen this behavior before August 21, 2007, which appears to be when the first initial reports started appearing in this form and my system was compromised? AVG engineers need to address this issue regardless of what edition of AVG Antivirus is being used. The commonality of all these reports appears to be the use of, reliance on, and trust in AVG Antivirus Free Edition. Free antivirus software is pointless if it can't protect a system and introduces more questions and doubts than answers. Since Grisoft (Software Developer of AVG) does not offer any technical support to us, I am appealing to the technical community, both novice and advanced, in solving this dangerous situation. The trojan that was indicated by AVG was Trojan Horse Generic6.UMU

Grizz of CTGNY

anonymous
22-08-2007, 11:38
I have the exact same problem..

I'm not really good with viruses and stuff like that so I ask you what to do with those viruses. Are they dangerous?

anonymous
22-08-2007, 11:47
I've just downloaded this morning's AVG update for the Anti-Malware product and it no longer detects the Trojan (see my earlier post.) I moved the "infected" file out of the Vault and back to its original location, re-scanned and all ok. Thoughts?

anonymous
22-08-2007, 12:17
AVG said that it healed them, so I had to reboot. After that I did another scan, the scan still found the trojans, so I did today's update and another scan and for some reason there were no trojans detected anymore.

anonymous
22-08-2007, 12:20
I did today's AVG update and it's still showing the infected files in the Virus Vault as infected. Still showing no signs of problems outside the Vault so I think I have it contained on my PC, finally. After putting what I could into the Vault, I deleted everything else that showed as infected (even if AVG said it had been healed), deleted all Temp files and emptied the Recycle Bin. That seemed to do the trick.

anonymous
22-08-2007, 12:31
Hi everybody.

I had this problem (Trojan Horse Generic6) during a Windows update (using Vista). I'm 99% sure that the problem is connected with this event because when AVG free notified it to me I wasn't doing anything else on the Internet and I haven't set up any auto-update for the programs I use on my laptop.

Now in the virus vault there are 4 files .UMS and they are all:

C:\Program Files\InstallShield InstallationInformation......SETUP.exe

To me it's a false positive, I had the same problem a few times before with a BackDoor that ONLY AVG free was finding during the scan...

Message was edited by: luchino_san

anonymous
22-08-2007, 12:35
At this time I would not advise taking a file that was supposedly "healed" by AVG out of quarantine and placing it back in use. It's better to err on the side of caution. However I do strongly suggest scanning the specific file(s) in question with other anti-virus engines (no vendor bias here). Trend Micro, Symantec/Norton, Kaspersky, Avast and other respected anti-virus utility developers have free versions of their products and also offer free online scans of a specific file or an entire system. I advise this only because at this time all "infection(s)?" appear to be associated with AVG and there is no certainty that AVG Free Edition is not itself compromised, faulty (false positives?), infected (the program itself or the automatic and manual update process) or just ineffective. Also Grisoft (developers of AVG Free Edition) have not made any statements, technical or otherwise, nor addressed the growing problems as indicated by the growing posts in this forum as of yet. As I stated in an earlier post, since Grisoft does not offer technical support on their free products it will probably be up to the IT and technical community to determine what is happening, solve the problem and develop a fix or remedy.

grizz of CTGNY

anonymous
22-08-2007, 13:58
For what it's worth, a while back I did have the AVG commercial version. Looked at the free version and couldn't see any difference between the two. OK, no technical support - but hey, you trust the AV software you are using?

I honestly think the professional / commercial version would have come up with exactly the same messages. The fact that Grisoft have stayed schtum on this over the last 24 hours makes me a little nervous. If this is a false positive then they'll want to get rid of that with a new update, without too much smoke. If it is a failure in their software then they'll be sorting out the commercial version first.

I'll take grizz's advice and test my machine with another AV program. I kinda liked AVG, but this has dulled the shine on that package a bit.

anonymous
22-08-2007, 14:36
Dear All,

Interestingly, just decided to refresh AVG and lo and behold there were two priority updates for the virus database. These have obviously been released during the day, but they weren't available this morning when my free AVG did its scheduled update.

I'll see what this test throws up.

anonymous
22-08-2007, 14:53
Yes, mine is an ACER Aspire 5100 running Vista Home Premium. Just yesterday, my AVG showed these in my c:\DRV folders. These are OEM drivers. Never had a problem before. This PC is only used for a GPS in my truck, normally!

anonymous
22-08-2007, 15:00
All I know is that there was a Windows Update a few hours before the scheduled check. This has only happened to me once before, pertaining to World of Warcraft's downloader program. I'm of the mind that there's no virus, and this is just something AVG needs to update... but as has been said before, I'd rather be safe than sorry, so for now, the files will stay in the vault.

anonymous
22-08-2007, 15:01
Good Morning, I also had Trojan horse Generic6.UMU show up on a scan done last night at around 9:00 PM. Been running AVG for 2 months now and scan daily - this is the first occasion of threats found. 4 instances were listed: ISSetup.dll, setup.exe, ISSetup.dll, setup.exe. All are InstallShield in program files. I don't play games on this computer and no one has downloaded any or played any via internet. AVG report says these are NOT HEALABLE! They are listed as back up files, but I am unable to locate them in my computer, even by tracing the path. I'm running a new laptop with Vista. After reading that scary bold post on page 5 of this forum, I am VERY CONCERNED. I've got the threats in the Virus Vault, but AVG help files are no help. Are they really safe there? If I clear them from the Vault, where do they actually go? I recently downloaded a beta version of Palm Desktop for Vista from the Palm site - it's the only way I can sync my Palm with Vista, so I hesitate to get rid of it, but I think I'll try that & then do another scan & see what happens...

anonymous
22-08-2007, 15:14
bluespruce

If you clear the vault, the files are wiped from existence... but don't do that just yet. I had an "infected" HDD (the generic6 type, 41 of them), pulled the drive, went to a spare PC, downloaded the newest update for AVG Free, slaved in and tested the drive, and it shows clean, even the vault. I restored the files, and tested. Shows OK. Put it back in the original PC and scanned. ALL OK. Must be a false positive!

Dilbert
22-08-2007, 15:17
AVG Forum advice on virus removal is here:

http://forum.grisoft.cz/freeforum/read.php?4,104929,backpage=,sv=

AVG Forum advice on false positives is here:

http://forum.grisoft.cz/freeforum/read.php?4,104930,backpage=,sv=

Is it just me or does there seem to be a lot of new posters here?

anonymous
22-08-2007, 15:18
Yes. I think the reason is Google finds very few references to "trojan horse generic6".

anonymous
22-08-2007, 15:24
I just ran a few of my "infected" files through http://virusscan.jotti.org/ and they showed up clear.

anonymous
22-08-2007, 15:36
Well, it's official:
http://forum.grisoft.cz/freeforum/read.php?4,106381,page=1,backpage=,sv=

anonymous
22-08-2007, 15:41
OK, I've read the thread but just got more & more confused by PC talk...
Had the same problem, scanned with AVG, "healed" both files, updated AVG, scanning again to see if it shows up clean.
1: if the results are clean - can that be a false positive?
2: any chance my PC is still infected because I "healed" the files instead of vaulting them?
3: what does this trojan do exactly? (simplest terms possible, not too PC savvy...)

anonymous
22-08-2007, 16:29
Most of the time, a trojan horse is a file that is written to be stand-alone, and to do just what the name implies. AVG cannot and will not (from what I've seen) "heal" a trojan horse virus, because the virus is the file itself, and was written to serve this purpose. It simply deletes the file, or moves a copy to the vault. It will report them as healed, even if it deletes or moves them to the vault.

See http://en.wikipedia.org/wiki/Trojan_horse_%28computing%29

Message was edited by: jittechnologies

anonymous
22-08-2007, 17:48
I am also having the same message popping up on AVG Free Edition. Could it be that this is not just some coincidence and we all got infected at the same time? Rather, isn't it more likely that Grisoft might have updated a signature and AVG detected it? (Possibly something that might have been latent on all of our PCs?)

anonymous
22-08-2007, 18:32
Read the previous posts. Even AVG says it's a FALSE +.

anonymous
22-08-2007, 18:44
No, I do not believe it's possible for it to have been a latent or dormant security hole or problem on our PCs. The computer running AVG Free Edition that was infected (?) had a brand new retail, not OEM, hard drive with an XP Pro CLEAN install (no disk cloning or disk image transfer) performed 48 hours ago, which was about 24 hours before the AVG outbreak (?) or AVG continuing problem. The post from the MODERATOR in response to this incident lacks clarity and appears not to take the threat seriously or address the current situation. Yes, we know there is no tech support for the free edition, but the free edition is marketing for the paid version of AVG Anti-Virus and their growing catalog of other security (???) products. If AVG Free fails and is defective, Grisoft should realize that this is a brand and will affect the sales or success of anything associated with the company. Grisoft!!, this is a time for a responsible software company, which we believed you to be, to make a statement on your homepage explaining clearly in technical and lay-person's terms (plain English) what is happening, why, and how to fix the problem, and prevent it from happening again. Do we need to send mass e-mails pleading for help to CERT, CSIRT, and any other national or international Computer Security Incident Response Teams and/or agencies?

Grizz CTGNY

anonymous
22-08-2007, 19:03
This is a false positive. I ran the latest updates from AVG. Copied the files from the virus vault to the desktop. Ran a scan on them and nothing.

I restored the files to their original location, and ran a complete scan. Nothing.

I emptied the virus vault and ran an online scan via symantec's online site. Nothing.

Whatever it was has been fixed by AVG it seems.

dave.m
22-08-2007, 19:20
Never ever seen anything like this before.
One thread about AVG Resident Shield possibly coming up with false positives.
Started with the first post at 2115 yesterday and 22 hours later there have been 83 posts about it.
BUT what is unusual is that all the posts have been by newcomers to the forums. All 37 of them.
Not a single post by any of the regular contributors.
http://forums.vnunet.com/thread.jspa?threadID=118966&start=0&tstart=0
Posters include all these with, mostly, only one or two posts to their tally.


AVGuser
squeaker
Dufusdor
OZSlayer
SDG
Kyles
StormyWeather
MIKE
garibolt
CardinalsFan29
9cswrs
lu0509
Orvalizard
Dan1737
Steenbok
SirJD
4b1dd3n
Alert
starCarlton
oscarian
rg133
olive674132
cw18
Markusdragon
WozUK
eltel
6rdfar90
marcosscriven
Grahamg
rulger
luchino_san
jittechnologies
Kunami
bluespruce
f3k
nickandale
Willia451
*
Welcome one and all to the forums. Please feel free to contribute where you can in other threads, or, if stuck post a problem.
dave

anonymous
22-08-2007, 19:37
Quick question: So, it seems that this was a false-positive. But, I still have 6 files in my AVG Virus Vault. They are described as:

"Backup Copy
Infected"

"Healable: No"

I've run a few AVG scans, since the detections, and they've come up clean.

I've also updated and run a few Trend Micro scans - also clean.

What should I do with the 6 files in the Virus Vault? Just leave them alone? Delete them? Something else?

Any advice would be greatly appreciated.

Should I "restore objects" (the files) in the Virus Vault, then do another AVG scan and IF that comes up clean ... "wipe objects" (which will presumably take them out of the Virus Vault)?


Message was edited by: Harry Hirsute

anonymous
22-08-2007, 19:39
I don't know about the others but after the scan was done I googled the name of the trojan and the thread popped up.
this is pretty much the first scare like this I had so I figured I'd register.

anonymous
22-08-2007, 19:40
new here also and ran into some of these same problems starting yesterday evening... 8/21 7:30 or so...


I ran into both the


Generic6.UMS (setup.exe, f.s.= 444.92kb) and
Generic6.UMU (ISSetup.dll, f.s. = 539.27)
those were in installshield installation information folders


I also got a Generic6.UMS for an Intel Matrix Storage Manager installer, which I needed because of my hard drives.. and RAID. 5.13mb iata62_enu.exe, which I really the whole time have felt is a false positive...


I also got two more different ones in my System Volume Information
they are
Generic6.UMS AOO16136.exe 444.92kb and
Generic6.UMU A0016137.dll 539.27kb


They all healed when prompted to make a decision... After reading this thread since yesterday, and the update this morning, I decided to restore the one I felt most comfortable with, the Intel Matrix iata62_enu.exe, so I restored it and scanned it individually with AVG and nothing...


edit- a google search brought me to this thread

Message was edited by: Castle

anonymous
22-08-2007, 19:45
I found this site by Googling the virus name as well. I registered in order to ask questions and hopefully answer some as well.

anonymous
22-08-2007, 21:15
What I did was use the "save as" function in the virus vault to save the files to my desktop. Then I copied the files back to their original location (the virus vault tells you where they were originally).

Then I just cleaned out the virus vault.

Hope this helps.

anonymous
22-08-2007, 21:16
Hi, I'm new to this technology lark, started using AVG instead of Norton recently, running a new laptop with VISTA. This morning 4 threats appeared, all Trojan horse Generic6.umu/.usm. File sizes and locations match other people's posts. The only internet access I've had was to download the AVG update yesterday. I've downloaded today's AVG update, emptied my virus vault and done another scan, everything is coming up clear. This forum came up when I googled the virus so I thought I'd join in. I'm not sure if I've done the right thing or what a trojan horse is or does, and is a false positive a common thing?

anonymous
22-08-2007, 21:18
Hi, just doing a search for the same trojan - was just in the middle of setting up a new Epson printer when halfway through the installation it came up with

D:/Common/easyprintmodule/euro/setup.exe Trojan Horse Generic6.ums - coincidentally I also have AVG, which seems to be the common factor here.

I tried to send it to the virus vault and it refused, I tried to heal and it refused, so now I don't know what to do. I am currently doing a full scan, have scanned with XoftSpy and Ad-Aware, both showed up stuff but then they both do; the trojan didn't seem to appear in either but then they don't always show up trojans.

I have been scanning with AVG, which is a commercial copy, and hmmm it is taking forever.

I have never had a virus before on the PC and am not sure what to do about it. Have read the first few pages of posts so will go back to read some more and then if I can't get rid of this thing I will contact AVG.

Just thought I'd add this as so many other people are having the same issue - it strikes me that as it is all related to AVG that it is possibly an AVG fault?

Sorry, can't answer any questions elsewhere on the forum, I am useless with PCs, was just replying to someone asking earlier on if anyone else had had this same problem. It is good that you have this forum though, otherwise many many people today would be worrying about the horse galloping through their PC. Thank you!

Anne

Message was edited by: Summer Naturals

anonymous
22-08-2007, 21:47
Hmmm the AVG scan showed up nothing - then I did a selected areas scan and scanned D, this showed no threats but one error, but I can't find out what the error is or how to repair it.

Will keep on scanning and report back if anything is found.

I so do not like computers!

anne

anonymous
22-08-2007, 22:15
Thanks for your reply. I don't seem to have a "save as" function in my Virus Vault. Perhaps that's because I'm using the free-version of AVG.

I wonder if "restoring" the files and then "deleting" them in the VV would be the way to go?

Would there be any harm to just leaving the files in the VV - provided that the AVG scans keep coming back clear?

Message was edited by: Harry Hirsute

anonymous
22-08-2007, 23:35
Oh wow, there are so many more people affected by this now. I did 5 scans yesterday (just to be safe lol) and they have all shown up clear, I am now doing my regular morning scan and so far so good, but at this stage in the scan yesterday I had files detected, so hopefully this is the end of it :D

anonymous
23-08-2007, 03:06
I just wanted to update you guys in case it's of interest/help.

I re-read this thread and decided to "restore" the files that were in my Virus Vault (based on the reasoning that this was a "false-positive" issue).

After I restored the files, I updated and ran an AVG scan. It was clear.

I also ran an updated Trend-Micro virus-scan and that was also clear.

My computer (a Dell lap-top) appears to be functioning just fine.

Thanks to you all for your help and your time. I appreciate it and hope this update will help someone else as well.

anonymous
23-08-2007, 03:16
I'm new to this forum too. Just FYI, I am 100% positive this is a false positive because:

1. AVG confirmed it when I emailed them;
2. Scanned the files again and they are clean after the new updates;
3. Looking at AVG's forums I was shown this site, http://virusscan.jotti.org/. Guess what? EVERY SINGLE VIRUS SCANNER FOUND NOTHING except AVG.
4. Too many legitimate files used by Windowsupdate.com and such reference to these "Installshield" files.
5. The "true" Generic6 virus is EXACTLY the same size as these files are--to the byte--and yet it never uses file names of setup.exe or ls.dll--it uses wlomroek.dll and wvuusrr.dll, usually in a C:\avenger folder.
6. This is a trojan that is over two years old and has not had any detections reported for a better half of a year.

So, I guess I'm really 110% sure that these were all false positives. In fact, double check me and then restore the files in your virus vault and re-scan with AVG to see if they come up again.

This happened in July with cncgenerals.exe showing up as some trojan as well (another false positive--I emailed them that as well. This file belongs to the game Command and Conquer: Generals by the way.).

I have used AVG Free Edition since version 5.0 on Windows 95 computers, and these are the first encounters I've had with false positives. I must admit this is giving me serious doubts about AVG's dependability. Maybe I'll check out Avast and Nod32 if this happens again...

Oh, and vnunet.com better start thanking google.com for making your forums the top result when searching for Trojan Generic6--am I the only one who found this on google? :D


Message was edited by: bourgeoisdude

anonymous
23-08-2007, 03:47
Thanks for that info bourgeoisdude, I have restored the files and scanned again, and surprise, surprise, nothing was detected. I have used AVG for 5 yrs after ditching Norton's, and never had an issue. I will most certainly be looking for a new A/V program now.

beebs
23-08-2007, 04:20
You'd all be better off if you had a record of the processes running in your PC. Use HiJackThis to create a log and post it on a site like the Bleepingcomputer site, as they specialise in HiJackThis logs.

If you have not got the program, get it here to download it and install.
http://www.majorgeeks.com/download3155.html

Go here for posting your log, bleepingcomputer site
http://www.bleepingcomputer.com/forums/forum22.html

There is also captain spyware's site too, see here,
http://virusvault.co.uk/fusionbb/

Beebs B-)

anonymous
23-08-2007, 04:48
Thanks for that, but I have just finished clearing up with mine and it's fine, turned out nothing in there. False positives, and I suspect the last update for kicking that off. I posted my HJT log on tweakxp and learnt a lot from reading the info in the link.

Before posting, please read and follow these instructions:
http://forum.tweakxp.com/forum/Topic4303-29-1.aspx

warren

anonymous
23-08-2007, 04:52
I was one of the first newbies on the site yesterday, sure was surprised with all the feedback when I checked this site today, I appreciate all the info given. thanks Google search :)
Since yesterday's message... I updated AVG Free on my son's computer earlier tonight and then ran a scan; nothing showed up on the Generic6 on that machine. I then checked for an update from AVG on my machine and Grisoft had new updates already.... maybe they heard us loud and clear and this is the fix that we shouldn't have needed in the first place.

anonymous
23-08-2007, 05:27
Interesting....I tried restoring one of the files and yes, it shows up as clean. So it may be a false positive. I find it curious though about the file sizes all being uniform. That strikes me as....unusual to say the least. I had over 40 occurrences of this yesterday, and all of them were one of two file sizes, exactly the same.

Most of them were crap I didn't need any more anyway, but some of the InstallShield data that's now in the Virus Vault might be useful for future uninstallations, I'd guess. Maybe I'll restore all of those and scan again and see if all looks clear.

And yes, I'm one of the folks who got here through Google too. Google is your friend.
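An added triage helper for the observation above that every detection had one of two exact file sizes (this is example code written for this thread, not AVG's or the forum's own): it hashes the quarantined or restored files and groups them by size and SHA-256, so dozens of byte-identical copies of one InstallShield component show up as a single entry, while a same-size file with different contents is kept separate for closer inspection. The file names, paths and contents below are constructed placeholders.

```python
"""Group files an AV engine flagged by size and SHA-256 so identical copies of
one vendor component stand out from a same-size file with different contents.
Added example for this thread, not AVG's or the forum's code; sample files
are constructed inline with made-up contents."""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path, chunk=65536):
    """Stream-hash a file so large installers are not read in one go."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def group_by_size_and_hash(paths):
    """Return {size_bytes: {sha256: [paths]}} for the given files."""
    groups = defaultdict(lambda: defaultdict(list))
    for p in paths:
        groups[os.path.getsize(p)][sha256_of(p)].append(p)
    return {size: dict(by_hash) for size, by_hash in groups.items()}


def triage(paths):
    """One row per (size, sha256): many detections sharing one size AND one
    hash are the same bytes, e.g. the same InstallShield setup.exe copied into
    every 'InstallShield Installation Information' folder, which is what a
    signature misfiring on a common vendor binary looks like. A same-size file
    with a different hash gets its own row and deserves a separate look."""
    report = []
    for size, by_hash in sorted(group_by_size_and_hash(paths).items()):
        for digest, members in by_hash.items():
            report.append({"size": size, "sha256": digest,
                           "copies": len(members), "paths": sorted(members)})
    return report


def build_sample_quarantine(root):
    """Constructed sample: three identical 'setup.exe' copies, two identical
    'ISSetup.dll' copies, and one file the same size as setup.exe but with
    different contents (placeholder bytes, not real binaries)."""
    setup_bytes = b"MZ" + b"\x00" * 98   # 100 bytes
    dll_bytes = b"MZ" + b"\x01" * 198    # 200 bytes
    odd_bytes = b"MZ" + b"\xff" * 98     # 100 bytes, differs from setup_bytes
    layout = {
        "app1/setup.exe": setup_bytes,
        "app2/setup.exe": setup_bytes,
        "app3/setup.exe": setup_bytes,
        "app1/ISSetup.dll": dll_bytes,
        "app2/ISSetup.dll": dll_bytes,
        "temp/setup.exe": odd_bytes,
    }
    paths = []
    for rel, data in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
        paths.append(p)
    return paths


def demo():
    """Build the sample set in a temp dir and return the triage report."""
    with tempfile.TemporaryDirectory() as root:
        return triage(build_sample_quarantine(root))


if __name__ == "__main__":
    for row in demo():
        print(f"{row['size']:>6} B  {row['copies']} copies  {row['sha256'][:16]}...")
```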

anonymous
23-08-2007, 09:36
Under "Action" in the virus vault you should have a "restore files as" function.

That's what I meant.

Sorry for the confusion.

beebs
23-08-2007, 12:39
> Thanks for that but I have just finished clearing up
> with mine and its fine, turned out nothing in there.
> False positives and I suspect the last update for
> kicking that off. I posted my HJT log on tweakxp and
> learnt a lot from reading the info in the link.
>
> Before posting, please read and follow these
> instructions:
> http://forum.tweakxp.com/forum/Topic4303-29-1.aspx
>
> warren

Hi, Warren

Glad you're on top of it as it's a communal blip from the look of things and at least there's a choice of site to bookmark when you're in need of an expert to read a HJT log. I shall also add your suggested site to my own favourites as there is some good stuff in there for recommendations and links to sites we could all do with.

Beebs B-)

anonymous
23-08-2007, 17:09
I'm pretty positive that the virus isn't coming from AVG (though I'm not an expert at all when it comes to computers) but I've had AVG since March and yesterday AVG found 8 files with the trojan horse generic 6 threat. I've been trying to find out what it is. I do know that my computer started acting funny 2 days ago after downloading AIM and yesterday AVG found the trojan. And I haven't updated my AVG. I didn't see exactly what files have it but I do know that one said something about setup and one about exe. I haven't done anything with it yet and ain't having a problem with my comp. (right now anyway). So if someone could help I would appreciate it.

beebs
23-08-2007, 18:10
> anti-spyware, (or other AVs') programs flag up false
> positives regularly, (report a threat that's not
> there). Usually, when bits are left behind in the
> registry and continue to prompt antivirus software
> like AVG. It will always react, offering a name of a
> threat, reporting its spread. Removing all traces in
> most cases will fix it, as will further updates. If it's
> not removed and AVG is not updated the same threat
> warning message will likely show again. As there is no
> real threat, the system is still clean.

This explains a fair amount, as many users have dumped other AVs for AVG and still have leftover bits still in the registry to create havoc down the line.

Beebs B-)

anonymous
23-08-2007, 18:49
My computer just did 2 scans, one I did manually and the other was the scheduled test. Neither one found anything. I checked all the info in my virus vault and it said that it was the backup file. So I checked the help screen and found out what the icons meant, and one of the icons next to the columns was an exclamation mark in a blue box. What I gather from what it said was that it created a backup file with the virus before it cleaned the original.

I just went and updated my AVG and the only updates were 2 "priority updates" concerning virus associated updates...


Message was edited by: kitkat0405

anonymous
25-08-2007, 16:50
Hi.. I received a letter yesterday from my bank stating that they had closed my internet banking account as they feared that I had some kind of keylogger on my computer and thought that some 3rd party had tried to enter my acc.

I did an AVG scan.. and I also came up with generic6... however mine was Generic6.UFB.

I cannot see that any of you have mentioned this version.. it appears that AVG has got rid of it.. done a scan for a 3rd time now just to be sure..

Has anyone had the .UFB one? And can maybe give me clues as to where the hell this came from?.. and/or if it's linked to the issue I'm having with my bank?

Obviously.. this whole thing is kinda scary

jack hackett
25-08-2007, 17:15
>Is it just me or does there seem to be a lot of new posters here?
Something fishy is going on
>BUT what is unusual is that all the posts have been by newcomers to the forums. All 37 of them.
And all of them registered on the same day or the day they made their post!
In all likelihood all are down to just ONE troll (the grammar, content, technical details etc. of the posts is pretty much the same too, which suggests the work of one person), although the troll has raised a valid point about the recent FPs thrown up by AVG; didn't think that was in a troll's nature though

anonymous
25-08-2007, 17:22
I'm not a troll :(..

Well.. just on WoW

jack hackett
25-08-2007, 17:37
AVG AV has been throwing up what appear to be a few false positives lately.
If you have a suspect file and want to check it out to ascertain if it is indeed a false positive on AVG's part, then upload the file(s) to http://virusscan.jotti.org/ for scanning.
YOU SUSPECT A FILE TO BE A FALSE POSITIVE: http://forum.grisoft.cz/freeforum/read.php?4,104930,backpage=,sv=

anonymous
27-08-2007, 12:42
Huh, how could we all possibly be the work of 1 troll :s I'm sure if admin suspected a troll they could compare IPs and verify this!
I found the site via Google after I found the alerts after my morning scan, hence why I posted here, as there were several other people querying it as well.

anonymous
30-08-2007, 01:38
>Is it just me or does there seem to be a lot of new posters here>>>>

Well gee!!! guess what!!! They may have all done what I did and looked up generic 6 on Google and found this forum that way, seeking an answer from the net gurus. Don't get paranoid about it,

obviously something is going on with AVG or a Trojan maker out there and it all happened just now. Not a real big mystery is it, Sherlock.

This problem is real as it is affecting a lot of people right around the globe it would seem, and affecting different programs. I don't have any games on my machine apart from the standard Windows ones. My trojan happened when I ran an update on a spyware program and it attached itself to the setup.exe file and its related dll. 2 different files resulted, namely a umu 539.27 kb and a ums file 444.92 kb. I am using AVG Free (updated daily) on a Vista Home Premium laptop and on an XP Pro desktop and the same problems are happening on both machines.

anonymous
23-09-2007, 15:23
Holy Moly!!!! I was just thinking about this little problem and wondered about clearing out my AVG vault (I was the second poster to this topic). I remembered that I'd found this forum and saved the site in my bookmarks; thought I'd check back.
I'm absolutely floored that so many people had the same thing happen at the same time!!! Crazy!
Well, it sounds like good news in the end. Hope we don't hear from it again!

I think I will come back to this site often. Clearly a lot of impassioned people! Too bad about my user name though! Oh well, it was a panicked moment!
Until next time!

anonymous
30-09-2007, 19:12
Hi,
I have exactly the same problem. Every day, AVG decides more and more of my files have the generic Trojan. It'll heal some and move them to the vault and others it'll say it can't heal and leaves it to me to delete them. That seemed all well and good, except that instead of saying that now my computer is clean, it'll find more of the Trojan in files the next day when I scan again. Today it said that one of my important files is infected, and I just couldn't bear to delete it - it's an exe for a slideshow program that I often use. I really don't want to delete that exe, in case I have to reinstall someday. Everything seemed so strange that it occurred to me that AVG was giving me false positives. I googled and found this forum.
Reading through this thread, I'm a little confused as to what should be done. Should I just delete everything AVG says is infected with the generic Trojan? Or is AVG defective?

anonymous
01-10-2007, 03:11
You'd be better off if you had a record of the processes running in your PC using HiJackThis, in the form of a log, and then post it on a site like the
Bleepingcomputer site, as they specialise in HiJackThis logs.

If you have not got the program, get it here:
http://www.majorgeeks.com/download3155.html

Go here for posting your log, the Bleepingcomputer site:
http://www.bleepingcomputer.com/forums/forum22.html

There is also Tom Coyote or Captain Spyware's site too, see here:
http://virusvault.co.uk/fusionbb/

dave

vanashworth
02-10-2007, 12:46
I did an AVG scan yesterday, 1.10.07, and it found two Trojan Horse Generic 7: one ended with .SU1 and the second one .WSP. AVG deleted it but put it into the virus vault; I have since emptied the virus vault. I hope this was the right thing to do?

anonymous
02-10-2007, 13:25
>>I have since emptied the virus vault. I hope this was the right thing to do?

I always do the same and have never had a problem.

dave

vanashworth
28-10-2007, 14:53
Sorry I am late in responding, but thank you very much for your help.

Regards.
Van

anonymous
30-11-2007, 09:08
Hi, I am a noob to this site. Whilst my AVG was running its normal daily scan it came up with generic6.wkv. I have not seen this one mentioned on this thread (the WKV bit); it said it was in my Google Base connector. There seems to be very little information about this other than this thread. Being a bit of a PC dunce, does 'false positive' mean that there really isn't anything there?

Cheers Sara