Helping people with computers... one answer at a time.

When your anti-virus program tells you that it caught something, your next steps depend on what, when and how it was caught. And it depends on prudence.

When I opened Internet Explorer, a message popped up from my anti-virus program (AVG Free) advising that Trojan Horse PSW.Lineage.BKG was detected in a .dll file of a bin file of the Ask Toolbar in Program Files. Two options were offered: "heal" or "move to virus vault." Unclear of what the difference is, I chose "heal" and the Ask file along with a restore point were moved to the AVG virus vault. Several follow up scans in safe and regular mode as well as an online Kaspersky scan showed no malware.

Research yielded no info about PSW.Lineage.BKG, even on the AVG site, but other PSW.Lineage Trojans are mentioned online. It seems that this Trojan attempts to steal passwords, and BKG "may" be an abbreviation for "banking". I do not do online banking but do use my credit card on the Internet. I use Windows firewall and an Actiontek modem/router.

Is it necessary now to change all my online passwords, or can I feel reasonably sure that this has been taken care of?

The short answer is probably not ... but.

The problem is that we don't actually know exactly what happened, and the not knowing means that there's some risk.

When your anti-malware software detects and removes an infection, it can happen at either of two times:

  • Before the malware had a chance to actually execute and infect your machine

  • After the malware had been executed and had infected your machine

The problem is that based on your question, I can't honestly tell which it was. In fact, it's even likely that depending on exactly what your anti-malware software reported, you might not be able to tell which it was either.

"If caught after infection ... well, it may be too late."

The difference, of course, is that if the malware is caught before infection, you're likely quite safe. If caught after infection ... well, it may be too late.

Now, the reason I waffle at all is that most real-time scanners will fall into the former category, catching things as they arrive (in "real time"), and blocking them from ever infecting your machine. Since you indicate that this message has popped up in Internet Explorer, that's typically the result of a real time scanner.

On the other hand, you indicate that it was "detected in a .dll file of a bin file of the Ask Toolbar in Program Files." That typically means that the infection is already in place, since the infected file appears to have been installed into its working location.

Thus we're left not really knowing exactly what happened. And as a result we don't know exactly what the risks are that you've been exposed to.

I think you can guess where I'm headed with this.

In the words of Dirty Harry: "... you've got to ask yourself one question: Do I feel lucky?"

In your shoes ... I'd change my passwords. It's an inconvenience, perhaps, but better safe than sorry.

Article C3627 - January 28, 2009 « »

Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?


Michael Burasco
January 28, 2009 1:02 PM

I agree. Changing you passwords is a lot less of a hassle than having your identity stolen. I change all of mine every 6 months. I keep them in a spreadsheet which I store on a flash drive in an encryoted file (TrueCrypt) in a safe place. I update my spreadsheet on a computer that is not connected to the internet and that file is never on a harddrive of any computer that is connected. Call me paranoid but I have two friends that have had their identity stolen in the last six months.

February 4, 2009 9:07 AM

Leo, It could have been a false positive. In which case the danger is that AVG deleted something harmless, or possibly deleted an essential file. All antivirus programs "detect" a certain number of non-existent viruses, particularly if 'heuristic search' is enabled.

Carl R. Goodwin
February 4, 2009 9:38 AM

I noticed in the question that they stated that they have an "Actiontek" modem/router. MY Actiontek modem is JUST a modem - NOT a router! BEWARE!

Depends on the model. I once had an ActionTek that WAS a router.
- Leo

Nigel Broder
February 4, 2009 4:49 PM

I also have an Actiontex model M1424WR amd it IS a router so check before you panic.

February 8, 2009 6:19 PM

Leo, thank you for the article.

In a situation like this, would it have been possible for a "two-way" firewall, such as Zone Alarm for example, to keep the Trojan from stealing the passwords in the first place?

Best you can say is "maybe". The problem is that once you're infected there's no way to know that the firewall is in fact blocking it.
- Leo

January 17, 2013 7:14 AM

Leo, based on what you stated above about when a malware executes, is it correct to say that if my anti-malware software detects a malware during a manual (on-demand) or scheduled scan when I am NOT connected to the internet, then the malware has already executed and have already infected my PC? Thanks…

All it means is that the virus is present on your machine in some form. It might be in an executable file that you've downloaded but not yet run, meaning your machine is not yet infected, or it's present in your system in some infected form.

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.