Jul 14

There are a growing number of reports that this is a false positive within AVG.

I’ll update you with more soon, but for now check out this excellent post on the topic (translated to English here). Complete with screen shots and search engine analysis.

Please leave a comment if you have any information to share. Unlike the AVG Forum, stupid questions will not be deleted nor the questioners abused. We were all stupid at some point, so chill out, folks.

Update: I have found AVG to find this on multiple PCs in separate locations. It’s definitely a false positive (misreading from the AVG software). (A note to AVG users: don’t let this bother you. I’ve been using AVG for years and I think this is only the 2nd time it’s found a false positive.)

Another Update: AVG will not quarantine Quickbooks files, but it will quarantine Quicken files automatically (in many cases). If you get a message that says the files were deleted you can get them out of AVG’s Virus Vault.

Update #3: I see that the folks at Quickbooks are aware of the issue and are working with AVG to repair it.

40 Responses to “Trojan Horse SHeur.AFJ (false positive within Quickbooks/Quicken)”

  1. polly Says:

    thanks for noticing this. i received an alert yesterday with avg… it’s still showing up on the scans. not sure what to do about it, but i’m a little less concerned.

  2. Ron Shank Says:

    You are welcome, Polly. I see that the folks at Quickbooks are aware of the issue and are working with AVG to repair it.

  3. helen Says:

    AVG caught SHeur.CKV just now embedded in AdobeRdr707_DLM_en_us.exe

    Can a false positive move from Quickbooks to Adobe?

  4. mreman1 Says:

    I am getting sheur.cqu in splitcam.exe …using avg.. i assume is also a false positive

  5. Patricia Says:

    Thanks for this post! Found this page while doing a search for the Quickbooks/AVG problem.

  6. claire Says:

    This is getting silly lol, my AVG is scanning now, so far it has found 10 different trojan horses and the scan hasn’t finished yet, i think im going to try for a world record lol, i’m pretty sure i don’t even have 1 real virus, why is it doing this?

  7. Alan Says:

    I’m getting Sheur.NFH with AVG, it started when I installed bitTorrent (avg initially said DNA.exe was the problem). I’ve uninstalled bitTorrent but now it’s reporting SHeur.NFH in system restore files.

  8. Cindy Says:

    Got a different version of this today, caught by AVG - SHeur.QSN

  9. Bill Says:

    Still different here SHeur.THQ, maybe just another variant, infected file is c:\windows\system32\sptawl.exe or three[1].exe in Temporary Internet folder. Keeps coming back.

  10. Charmaine Says:

    I’ve been getting SHeur.QZY detected in C:\windows\xpudate.exe and c:\system volume information\_restore{…..too long to type}\RP505\A0073680.exe file. I’m thinking that it isn’t a false positive. Symantec’s library doesn’t have any info on it either. If it is “real” does anybody have any idea of its payload?

  11. Ian Hutcheson Says:

    Comment from Ian, (new to virus problems), 25 November 2007, using Windows XP Home.

    I already had BITTORRENT installed, (with a view to downloading films if I can ever find out how it works), but had not got around to using it yet.
    Then today I downloaded some widgets into iGoogle, (which I am using as homepage), and got Trojan warning on Avira antivirus which I thought Avira had deleted on reboot.
    As it was coming to end of period I uninstalled this and downloaded and installed AVG Anti-Virus Free Edition and ran their scan. It found two objects which I assume were from one source since they were named the same, which was

    Trojan Horse SHeur.QSN found in 2 places:-
    C:\Downloads\BITTORRENT\dna-1.0-alpha-1637.exe
    and
    C:\Program Fiules\BitTorrent_DNA\dna.exe

    AVG automatically “cured” both by moving them to “virus vault” which I presume means protects computer from damage by isolating the infected files.
    After that I am a bit out of my depth, so I would like to hear from someone who knows how to complete the process referred to by AVG as
    “use the Virus Vault to heal files at a later date and restore them to their original locations on your disk.”
    How do I do this ?
    Your responses would be appreciated. Thanks - Ian

  12. Ron Shank Says:

    Ian, you are asking for a virus downloading movies via bittorent. There are great and legal ways to download content and movies via bittorrent. Just be careful.

  13. Tor Says:

    I’m a little relieved at finding this, as AVG just found “SHeur.AIZM” in Sensors View Pro, which is definitely professional and shouldn’t include random viruses…

  14. Stephen Says:

    Well, today’s version is SHeur.ALQL and is in my Temporary Internet Files. Anyone got a lead on who exactly is doing this? What do they want (other than passwords)??

  15. Bev Says:

    AVG scan turned up SHeur.AMTI in my windows system… I’m wondering if it is safe to delete the file… cos I heard some stories about people whose PCs went crazy after deleting the “false positive” files that turned out to be non-virus…

  16. Ron Shank Says:

    Bev, you should be able to quarantine your files and restore them if they break anything. what file specifically is infected?

  17. Kayota Says:

    On mine it’s not a false positive. I received a virus over MSN messenger. If anybody messages you with a weird saying and sends a file REJECT THE FILE

  18. David Says:

    I came home to find out that the new Pirates of the Caribbean online game was a trojan virus.avrj…. through avg free anti-virus… nothing to be worried about I believe..

  19. Felis Says:

    Our pirates of the Caribbean game after running smoothly for a long time popped up with it tonight. It said it had a trojan horse SHeur.BHDX in the launcher. We uninstalled the launcher after quarantining the files to AVG and then tried to install the launcher again from the website but got the same message.

  20. Knaptihuved Says:

    Just found one SHeur.BILB in ToontownLauncher.exe does anyone know exactly what is going on here???

  21. senoritafish Says:

    Just found this on searching and would like to second the problem with the Pirates Online game. I’d guess the Toontown one might be related as it’s also a Disney game?

  22. Kusko Says:

    AVG just picked up a SHeur.BWOH within the btdna.exe. It also noted that 5 of my system32 files have been changed..

    These files are:
    kernel32
    wsock32
    user32
    shell32
    ntoskrnl32

    Anyone know what’s going on here? i don’t really have an anti-virus software yet. Not sure which to get. My bro got the Kaspersky, or whatever, software, and it still won’t clean one of the viruses off of his computer. It won’t heal..

  23. Ron Shank Says:

    Kusko, I’m a little confused. You wrote “AVG picked up..” then wrote, “i don’t really have an anti-virus software yet. Not sure which to get.”

    If you have AVG installed, then you do have anti-virus now. If you don’t AVG is excellent (and free for home use):
    http://free.avg.com/ww.download-avg-anti-virus-free-edition

    Another great Anti-Virus product is: Avast (also free for home users)
    http://www.avast.com/eng/download-avast-home.html

    Both will quarantine your infected files without requiring you get a paid solution.

  24. Gabriela Says:

    Hi, I have a western digital memory with a synchronization programme that I run everyday on my computer to have access to my pc from work. Today while opening this program AVG told me that a Sheur.BZPU was detected on ‘F:WDSync_v6_3.130.exe’; and I am really hoping it is a false positive as I haven’t found anything about it yet.
    What do you think guys? Can I restore the file and forget about it or not?
    Let me know
    THANKS
    Gaby

  25. Ron Shank Says:

    Sounds like a false-positive. But I can’t tell from here, obviously. Turn off AVG’s Heuristic Analysis and scan it again. If it still finds it, then I’d be concerned.

    I don’t recommend leaving Heuristic Analysis turned off. But it will let you know if this is a library match or if AVG just “thinks” it’s a virus.

  26. Gabriela Says:

    How do you turn off the Heuristic Analysis?

  27. Ron Shank Says:

    Here ya go. Full screen mode should help and make it a little easier to read.

    But click on Tools > Advanced Settings > Click Scans > Scan whole computer > Un-check “Use Heuristics” > Click Ok and re-scan.

  28. Evanita Says:

    I just sent in a ticket to Western Digital about the Trojan horse SHeur.BZPU when it shows you related question it appears they have had a false positive before so more than likely this new detection is also a false positive. :)

  29. martyn Says:

    Checkout microsoft security site, SHeur.bzpu is a backdoor trojan

    http://www.microsoft.com/security/portal/SearchResults.aspx?query=SHeur.bzpu

    Backdoor:Win32/Nuwar.gen!D

    Aliases: SHeur.BCFX (AVG)
    Description: Backdoor:Win32/Nuwar.gen!D is a generic detection for a backdoor trojan that allows unauthorized access to an infected computer. The trojan receives commands indirectly from a remote attacker via its connection to a malicious peer-to-peer network. This trojan also contains advanced stealth…
    Published Date: 06/16/2008
    Severity Rating: Medium

  30. Ron Shank Says:

    Thanks Martyn! Way to Help!

  31. Trojan Horse SHeur.bzpu is a backdoor trojan Says:

    [...] thought it might be an AVG false positive, but thanks to a helpful link from Martyn here.  We know that’s not the [...]

  32. Gabriela Says:

    I put those files in the vault then deleted them. Am I safe now from that trojan or should I perform other stuff?
    Thanks Martin and thanks to Ron for the help. Sorry I didn’t reply before but I was away.
    Let me know
    THANKS!

  33. Evanita Says:

    http://wdc.custhelp.com/cgi-bin/wdc.cfg/php/enduser/popup_adp.php?p_faqid=2528&p_created=1212692974

    The following link describes this issue occurring with Western Digital previously and it was a false positive. I still have not yet heard back from Western Digital.

  34. Evanita Says:

    Btw for Gabriela who was using the western digital sync program. They have updated the program. If you register your drive on their website you can download the new version 7.0.328 is the newest version.

  35. Evanita Says:

    I just received word from Western Digital and YES AVG stating that the WD sync file is a trojan is a false positive.

    “Thank you for contacting Western Digital Customer Service and Support.

    Yes this is normal. What you need to do is configure your AVG anti virus, go to exceptions, and add the .exe file extension to be excluded.”

  36. Ron Shank Says:

    Evanita, that’s horrible advice from Western Digital’s CS. It may really be a false positive (if so, AVG should correct it). However for them to say ignore all exe’s is just plain stupid on their part.

  37. Evanita Says:

    That is not what they meant. They were referring to the WDsync file which you need in order to access the WDPassport sync program. AVG has accidentally identified this WDsync file as a virus previously and had corrected it. It happens from time to time. I just installed the new version of WDsync and it’s fine.

  38. Ron Shank Says:

    Ah Good to hear, Evanita. Thanks for taking the time to clarify.
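
The two readings of Western Digital's advice in comments 35 to 37 (exclude the `.exe` extension versus exclude only the WDSync file), modelled as an added example that is not part of the original thread and is not AVG's own exception format. `Exclusion`, `skips` and `unscanned` are hypothetical names; the sample paths are modelled on ones named in the comments and the file bytes are constructed.

```python
import fnmatch
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Exclusion:
    """Hypothetical scanner exclusion rule (not AVG's real configuration)."""
    pattern: str                  # glob matched against the full Windows path
    sha256: Optional[str] = None  # if set, the file content must match as well

    def skips(self, path: str, content: bytes) -> bool:
        """Return True if a scanner honouring this rule would not scan the file."""
        # Windows paths are case-insensitive, so normalise both sides first.
        if not fnmatch.fnmatchcase(ntpath.normcase(path),
                                   ntpath.normcase(self.pattern)):
            return False
        if self.sha256 is None:
            return True  # path-only rule: anything matching the glob is exempt
        return hashlib.sha256(content).hexdigest() == self.sha256


# Constructed samples: (path, file bytes). Bytes are placeholders, not real binaries.
VENDOR_TOOL = (r"F:\WDSync_v6_3.130.exe", b"constructed vendor build")
TAMPERED_TOOL = (r"F:\WDSync_v6_3.130.exe", b"constructed modified build")
UNRELATED = (r"C:\Temporary Internet Files\three[1].exe", b"constructed unknown exe")
SAMPLES = [VENDOR_TOOL, TAMPERED_TOOL, UNRELATED]

# Reading 1: "add the .exe file extension to be excluded".
BROAD = Exclusion("*.exe")
# Reading 2: exclude the one vendor file, pinned to the build that was verified.
PINNED = Exclusion(VENDOR_TOOL[0], hashlib.sha256(VENDOR_TOOL[1]).hexdigest())


def unscanned(rule: Exclusion, samples=SAMPLES) -> list:
    """Indexes of the samples that the rule would exempt from scanning."""
    return [i for i, (path, content) in enumerate(samples)
            if rule.skips(path, content)]


if __name__ == "__main__":
    print("extension-wide rule skips:", unscanned(BROAD))
    print("pinned single-file rule skips:", unscanned(PINNED))
```

The extension-wide rule exempts every sample, including the unrelated executable and a modified copy of the vendor tool, while the pinned rule exempts only the verified build and stops applying if that file's content changes.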

  39. Kat Says:

    Can we get a condensed summary for us that don’t understand all the pc lingo?

    My AVG picked up 3 of the Sheur trojans so far today. Is it a virus or not? Is AVGs heal/virus vault going to handle it or do I need to do something else? I can’t follow what has been posted thus far…seems contradictory. And other sites the same.

    Thanks in advance.

  40. Kat Says:

    I should add…

    The 3 it’s detected thus far were found in

    It’s deductible7
    Quick Books 04
    TurboTax03

    None of these programs have been used recently. Quick Books probably the most recent but last time was in Jan of this year.

    Why would this start happening now?
