There are a growing number of reports that this is a false positive within AVG.
I’ll update you with more soon, but for now check out this excellent post on the topic (translated to English here). Complete with screen shots and search engine analysis.
Please leave a comment if you have any information to share. Unlike the AVG Forum, stupid questions will not be deleted nor the questioners abused. We were all stupid at some point so, chill-out folks.
Update: I have found AVG to find this with multiple PCs in separate locations. It’s definitely a false positive (misreading from the AVG software). (A note to AVG users: don’t let this bother you. I’ve been using AVG for years and I think this is only the 2nd time it’s found a false positive.)
Another Update: AVG will not quarantine Quickbooks files, but it will quarantine Quicken files automatically (in many cases). If you get a message that says the files were deleted you can get them out of AVG’s Virus Vault.
Update #3: I see that the folks at Quickbooks are aware of the issue and are working with AVG to repair it.
July 14th, 2007 at 9:20 pm
thanks for noticing this. i received an alert yesterday with avg… it’s still showing up on the scans. not sure what to do about it, but i’m a little less concerned.
July 15th, 2007 at 11:59 am
You are welcome, Polly. I see that the folks at Quickbooks are aware of the issue and are working with AVG to repair it.
July 24th, 2007 at 9:28 pm
AVG caught SHeur.CKV just now embedded in AdobeRdr707_DLM_en_us.exe
Can a false positive move from Quickbooks to Adobe?
July 25th, 2007 at 11:01 am
I am getting sheur.cqu in splitcam.exe …using avg.. i assume is also a false positive
July 27th, 2007 at 11:17 am
Thanks for this post! Found this page while doing a search for the Quickbooks/AVG problem.
August 5th, 2007 at 4:22 am
This is getting silly lol, my AVG is scanning now, so far it has found 10 different trojan horses and the scan hasn’t finished yet, i think i’m going to try for a world record lol, i’m pretty sure i don’t even have 1 real virus, why is it doing this?
September 25th, 2007 at 11:52 am
I’m getting Sheur.NFH with AVG, it started when I installed bitTorrent (avg initially said DNA.exe was the problem). I’ve uninstalled bitTorrent but now it’s reporting SHeur.NFH in system restore files.
October 10th, 2007 at 4:10 pm
Got a different version of this today, caught by AVG - SHeur.QSN
October 18th, 2007 at 6:12 pm
Still different here SHeur.THQ, maybe just another variant, infected file is c:\windows\system32\sptawl.exe or three[1].exe in Temporary Internet folder. Keeps coming back.
November 5th, 2007 at 8:48 pm
I’ve been getting SHeur.QZY detected in C:\windows\xpudate.exe and c:\system volume information\_restore{…..too long to type}\RP505\A0073680.exe file. I’m thinking that it isn’t a false positive. Symantec’s library doesn’t have any info on it either. If it is “real” does anybody have any idea of its payload?
November 25th, 2007 at 4:25 pm
Comment from Ian, (new to virus problems), 25 November 2007, using Windows XP Home.
I already had BITTORRENT installed, (with a view to downloading films if I can ever find out how it works), but had not got around to using it yet.
Then today I downloaded some widgets into iGoogle, (which I am using as homepage), and got Trojan warning on Avira antivirus which I thought Avira had deleted on reboot.
As it was coming to end of period I uninstalled this and downloaded and installed AVG Anti-Virus Free Edition and ran their scan. It found two objects which I assume were from one source since they were named the same, which was
Trojan Horse SHeur.QSN found in 2 places:-
C:\Downloads\BITTORRENT\dna-1.0-alpha-1637.exe
and
C:\Program Files\BitTorrent_DNA\dna.exe
AVG automatically “cured” both by moving them to “virus vault” which I presume means protects computer from damage by isolating the infected files.
After that I am a bit out of my depth, so I would like to hear from someone who knows how to complete the process referred to by AVG as
“use the Virus Vault to heal files at a later date and restore them to their original locations on your disk.”
How do I do this ?
Your responses would be appreciated. Thanks - Ian
November 28th, 2007 at 7:58 am
Ian, you are asking for a virus downloading movies via bittorrent. There are great and legal ways to download content and movies via bittorrent. Just be careful.
December 25th, 2007 at 2:35 pm
I’m a little relieved at finding this, as AVG just found “SHeur.AIZM” in Sensors View Pro, which is definitely professional and shouldn’t include random viruses…
January 18th, 2008 at 9:06 am
Well, today’s version is SHeur.ALQL and is in my Temporary Internet Files. Anyone got a lead on who exactly is doing this? What do they want (other than passwords)??
February 11th, 2008 at 12:33 am
AVG scan turned up SHeur.AMTI in my windows system… I’m wondering if it is safe to delete the file… cos I heard some stories about people whose PCs went crazy after deleting the “false positive” files that turned out to be non-virus…
February 11th, 2008 at 10:15 am
Bev, you should be able to quarantine your files and restore them if they break anything. what file specifically is infected?
February 21st, 2008 at 9:05 am
On mine it’s not a false positive. I received a virus over MSN messenger. If anybody messages you with a weird saying and sends a file REJECT THE FILE
February 29th, 2008 at 8:33 am
I came home to find out that the new Pirates of the Caribbean online game was a trojan virus.avrj…. through avg free anti-virus… nothing to be worried about I believe..
April 25th, 2008 at 10:17 pm
Our pirates of the Caribbean game after running smoothly for a long time popped up with it tonight. It said it had a trojan horse SHeur.BHDX in the launcher. We uninstalled the launcher after quarantining the files to AVG and then tried to install the launcher again from the website but got the same message.
May 3rd, 2008 at 3:49 pm
Just found one SHeur.BILB in ToontownLauncher.exe does anyone know exactly what is going on here???
May 10th, 2008 at 2:19 pm
Just found this on searching and would like to second the problem with the Pirates Online game. I’d guess the Toontown one might be related as it’s also a Disney game?
July 16th, 2008 at 10:23 am
AVG just picked up a SHeur.BWOH within the btdna.exe. It also noted that 5 of my system32 files have been changed..
These files are:
kernel32
wsock32
user32
shell32
ntoskrnl32
Anyone know what’s going on here? i don’t really have an anti-virus software yet. Not sure which to get. My bro got the Kaspersky, or whatever, software, and it still won’t clean one of the viruses off of his computer. It won’t heal..
July 16th, 2008 at 11:21 am
Kusko, I’m a little confused. You wrote “AVG picked up..” then wrote, “i don’t really have an anti-virus software yet. Not sure which to get.”
If you have AVG installed, then you do have anti-virus now. If you don’t, AVG is excellent (and free for home use):
http://free.avg.com/ww.download-avg-anti-virus-free-edition
Another great Anti-Virus product is: Avast (also free for home users)
http://www.avast.com/eng/download-avast-home.html
Both will quarantine your infected files without requiring you get a paid solution.
July 31st, 2008 at 1:44 pm
Hi, I have a western digital memory with a synchronization programme that I run everyday on my computer to have access to my pc from work. Today while opening this program AVG told me that a Sheur.BZPU was detected on ‘F:WDSync_v6_3.130.exe’; and I am really hoping it is a false positive as I haven’t found anything about it yet.
What do you think guys? Can I restore the file and forget about it or not?
Let me know
THANKS
Gaby
July 31st, 2008 at 2:04 pm
Sounds like a false-positive. But I can’t tell from here, obviously. Turn off AVG’s Heuristic Analysis and scan it again. If it still finds it, then I’d be concerned.
I don’t recommend leaving Heuristic Analysis turned off. But it will let you know if this is a library match or if AVG just “thinks” it’s a virus.
July 31st, 2008 at 3:34 pm
How do you turn off the Heuristic Analysis?
July 31st, 2008 at 4:26 pm
Here ya go. Full screen mode should help and make it a little easier to read.
But click on Tools > Advanced Settings > Click Scans > Scan whole computer > Un-check “Use Heuristics” > Click Ok and re-scan.
August 1st, 2008 at 1:51 pm
I just sent in a ticket to Western Digital about the Trojan horse SHeur.BZPU. When it shows you related questions, it appears they have had a false positive before, so more than likely this new detection is also a false positive.
August 3rd, 2008 at 1:51 pm
Checkout microsoft security site, SHeur.bzpu is a backdoor trojan
http://www.microsoft.com/security/portal/SearchResults.aspx?query=SHeur.bzpu
Backdoor:Win32/Nuwar.gen!D
Aliases: SHeur.BCFX (AVG)
Description: Backdoor:Win32/Nuwar.gen!D is a generic detection for a backdoor trojan that allows unauthorized access to an infected computer. The trojan receives commands indirectly from a remote attacker via its connection to a malicious peer-to-peer network. This trojan also contains advanced stealth…
Published Date: 06/16/2008
Severity Rating: Medium
August 4th, 2008 at 10:36 am
Thanks Martyn! Way to Help!
August 4th, 2008 at 10:39 am
[...] thought it might be an AVG false positive, but thanks to a helpful link from Martyn here. We know that’s not the [...]
August 4th, 2008 at 2:54 pm
I put those files in the vault then deleted them. Am I safe now from that trojan or should I perform other stuff?
Thanks Martin and thanks to Ron for the help. Sorry I didn’t reply before but I was away.
Let me know
THANKS!
August 4th, 2008 at 4:49 pm
http://wdc.custhelp.com/cgi-bin/wdc.cfg/php/enduser/popup_adp.php?p_faqid=2528&p_created=1212692974
The following link describes this issue occurring with Western Digital previously and it was a false positive. I still have not yet heard back from Western Digital.
August 4th, 2008 at 5:12 pm
Btw for Gabriela who was using the western digital sync program. They have updated the program. If you register your drive on their website you can download the new version 7.0.328 is the newest version.
August 5th, 2008 at 1:18 pm
I just received word from Western Digital and YES AVG stating that the WD sync file is a trojan is a false positive.
“Thank you for contacting Western Digital Customer Service and Support.
Yes this is normal. What you need to do is configure your AVG anti virus, go to exceptions, and add the .exe file extension to be excluded.”
August 5th, 2008 at 2:12 pm
Evanita, that’s horrible advice from Western Digital’s CS. It may really be a false positive (if so, AVG should correct it). However for them to say ignore all exe’s is just plain stupid on their part.
August 6th, 2008 at 3:06 pm
That is not what they meant. They were referring to the WDsync file which you need in order to access the WDPassport sync program. AVG has accidentally identified this WDsync file as a virus previously and had corrected it. It happens from time to time. I just installed the new version of WDsync and it’s fine.
August 6th, 2008 at 6:21 pm
Ah Good to hear, Evanita. Thanks for taking the time to clarify.
September 19th, 2008 at 11:14 am
Can we get a condensed summary for us that don’t understand all the pc lingo?
My AVG picked up 3 of the Sheur trojans so far today. Is it a virus or not? Is AVG’s heal/virus vault going to handle it or do I need to do something else? I can’t follow what has been posted thus far…seems contradictory. And other sites the same.
Thanks in advance.
September 19th, 2008 at 11:22 am
I should add…
The 3 it’s detected thus far were found in
It’s deductible7
Quick Books 04
TurboTax03
None of these programs have been used recently. Quick Books probably the most recent but last time was in Jan of this year.
Why would this start happening now?