When I opened Internet Explorer, a message popped up from my
anti-virus program (AVG Free) advising that Trojan Horse
PSW.Lineage.BKG was detected in a .dll file of a bin file of the Ask
Toolbar in Program Files. Two options were offered: “heal” or “move to
virus vault.” Unclear on what the difference is, I chose “heal” and the
Ask file along with a restore point were moved to the AVG virus vault.
Several follow-up scans in safe and regular mode as well as an online
Kaspersky scan showed no malware.
Research yielded no info about PSW.Lineage.BKG, even on the AVG
site, but other PSW.Lineage Trojans are mentioned online. It seems that
this Trojan attempts to steal passwords, and BKG “may” be an
abbreviation for “banking”. I do not do online banking but do use my
credit card on the Internet. I use Windows firewall and an Actiontek
Is it necessary now to change all my online passwords, or can I feel
reasonably sure that this has been taken care of?
The short answer is probably not … but.
The problem is that we don’t actually know exactly what happened,
and the not knowing means that there’s some risk.
When your anti-malware software detects and removes an infection, it can happen at either of two times:
Before the malware had a chance to actually execute and infect your machine
After the malware had been executed and had infected your machine
The problem is that, based on your question, I can’t honestly tell which it was. In fact, it’s even likely that, depending on exactly what your anti-malware software reported, you might not be able to tell which it was either.
The difference, of course, is that if the malware is caught before infection, you’re likely quite safe. If caught after infection … well, it may be too late.
Now, the reason I waffle at all is that most real-time scanners will fall into the former category, catching things as they arrive (in “real time”), and blocking them from ever infecting your machine. Since you indicate that this message popped up in Internet Explorer, that’s typically the result of a real-time scanner.
On the other hand, you indicate that it was “detected in a .dll file of a bin file of the Ask Toolbar in Program Files.” That typically means that the infection is already in place, since the infected file appears to have been installed into its working location.
Thus we’re left not really knowing exactly what happened. And as a result, we don’t know exactly what risks you’ve been exposed to.
I think you can guess where I’m headed with this.
In the words of Dirty Harry: “… you’ve got to ask yourself one question: Do I feel lucky?”
In your shoes … I’d change my passwords. It’s an inconvenience, perhaps, but better safe than sorry.