Annoying problems...

[Sopp_Slayer]

"A Trojan Horse Was Found".

I got the avast! Home 4.7 version, which I've used since late winter 2005, and I am very happy with it.
But lately I've had some problems with my PC. When I get online, avast! notices an incomming trojan horse,
but it "stops the malware", as it says, so I get the chance to Abort Connection. But after aborting,
the Trj. comes back, with the following description:

File name: http://208.66.194.234/s_112_167772164?m=3&a=1&hdd=344257313833484120202020202020202020202003&fs=1&gen=0&os=940000000500000001000000280a00000200000053657276696365205061636b2031
Malware name: Win32:Small-EPJ [trj]
Malware type: Trojan Horse
VPS version: 071109-0, 09.11.2007

This happens all the time!
I've scanned my drives several times, and I cant find any threats on my PC.
Is there anyone who could give me a helping hand?

- Tom

[FreewheelinFrank]

Hi Sopp_Slayer,

Looks like there's a nasty undetected by avast! on your computer which is trying to download this malware.

As no AV will detect 100% of malware all the time, try some other free scanners.

Here follows canned advice:

Look for and remove rootkits (hidden malware):



Panda Antirootkit

Blacklight

AVG Anti-Rootkit



Try a boot time scan with avast! Right click the scanner screen, select 'schedule a boot time scan' and reboot when requested.



Try a scan with DrWeb CureIT!



Try the usual free adware/spyware scanners.



AVG Anti-Spyware Free (Requires Win2k/XP)

Ad-Aware Free

Spybot Search & Destroy

SUPERAntiSpyware Free

a-Squared Free



Download, install and update the programs. Disconnect from the internet (pull the plug) before running scans in Safe Mode if possible.



Always select the option to quarantine any malware found rather than delete it, then you will be able to restore files or registry entries wrongly identified as malware- a rare but not unknown event for any malware scanner.



Try some online scans. (Disable avast! while scanning.)



F-Secure

BitDefender

Panda

Trend Micro Housecall



If still having problems, post a HijackThis! log.

[Lisandro]

I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use AVG Antispyware; SUPERantispyware and/or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

[Sopp_Slayer]

Thank you for the advices.  I hope this will fix the problems.. 

- Tom

[oldman]

Good advice given here. You may have a downloader. Make sure you update any of the antispyware programs before you scan and do a complete scan rather than a qick scan. My choice to start with is SAS, but it up to you.

Luck!

[oldman]

One more thing that may help. If you are using a firewall besides windows firewall, you may want ot check the logs and see if anything suspicious/unusual is accessing the internet.

[Sopp_Slayer]

I only have the Windows Firewall running..
By the way.. just before starting the Panda Anti-Rootkit, I found a suspicious file, named "loader.exe".
I deleted it, then scanned with the P A-R, but found nothing.. so now I will try the NanoScan to see if there
may be more viruses/spyware etc. etc.

[Sopp_Slayer]

After running the first task at NanoScan, I found two viruses. One MSN-Worm and a Trojan Horse.. so now I think I've found the source..

Thank you for all help!

[DavidR]

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 

Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

The reason I ask is that Panda's on-line scanner has a habit of dumping its signatures on the system and they aren't encrypted, so avast might be detecting those.