Author Topic: trojan Win 32:small-caa  (Read 6646 times)


dickshar

  • Guest
trojan Win 32:small-caa
« on: October 08, 2006, 06:20:09 PM »
A recent scan resulted in discovery of 2 of these same trojans. As suggested by the program I "moved to chest". Is there anything further I need to do? Can I delete them? What is the best way to prevent from getting them? I had 3 trojans last June and they were difficult to delete.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89062
  • No support PMs thanks
Re: trojan Win 32:small-caa
« Reply #1 on: October 08, 2006, 06:23:14 PM »
You have done the right thing, 'first do no harm' don't delete, send virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a week or two. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: trojan Win 32:small-caa
« Reply #2 on: October 08, 2006, 09:47:26 PM »
Quote: What is the best way to prevent from getting them?
Use a well configured and protected computer, updated.
Surf safely  ;)
The best things in life are free.

Offline DavidR

Re: trojan Win 32:small-caa
« Reply #3 on: October 08, 2006, 10:30:17 PM »
You haven't yet mentioned the file names or location they were found and I suspect they are probably in system folders, a common tactic. I'm guessing that you have XP (you didn't say) and if so you need permission to place files in the system folders. So following on from Tech's advice to protect yourself, take pre-emptive measures.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
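
The point made in Reply #3, as an added example that is not part of the original thread: a PowerShell script (2.0 or later assumed) that reports whether the current account has administrator rights and whether it can write to the system folder or to a machine-wide registry key. The function names are made up for this example.

```powershell
# Added example (not from the thread). Needs PowerShell 2.0 or later.
# Function names are hypothetical, chosen for this example.

function Test-IsAdministrator {
    # True only when the current token really carries administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-DirectoryWritable([string]$Path) {
    # Create and immediately remove an empty, uniquely named probe file.
    $probe = Join-Path $Path ('probe_{0}.tmp' -f [Guid]::NewGuid().ToString('N'))
    try {
        [IO.File]::Create($probe).Close()
        Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
        $true
    } catch {
        $false   # access denied: where a limited account ends up
    }
}

function Test-MachineKeyWritable([string]$SubKey) {
    # Ask for write access to a key under HKEY_LOCAL_MACHINE; nothing is written.
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return $false }
        $key.Close()
        $true
    } catch {
        $false   # SecurityException: no write permission on the key
    }
}

$system32 = Join-Path $env:SystemRoot 'System32'
$runKey   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Whatever this account can do, a program started by this account can do too.
$report = New-Object PSObject -Property @{
    User             = [Environment]::UserName
    IsAdministrator  = (Test-IsAdministrator)
    CanWriteSystem32 = (Test-DirectoryWritable $system32)
    CanWriteRunKey   = (Test-MachineKeyWritable $runKey)
}
$report | Format-List
```

On an administrator account the three checks typically come back True; on a limited account they come back False, which is the reduction in possible damage the post describes.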

dickshar

  • Guest
Re: trojan Win 32:small-caa
« Reply #4 on: October 09, 2006, 06:32:04 PM »
I am sorry that I could not get back on line sooner. I do have Windows XP. Have been using Firefox browser. The virus chest information says Name: aoo944493 - Original location: c:systemvolume info/restore. The 2nd item: Name: csinject.exe, Original location: c:programfiles,norton systemworks/cleansweep

Offline DavidR

Re: trojan Win 32:small-caa
« Reply #5 on: October 09, 2006, 08:32:15 PM »
The c:\System Volume Information folder is a part of the system restore function and as such is protected by Windows; the only way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and if clear enable system restore.

Win XP-ME - How to disable System Restore

The csinject.exe will have to be treated as outlined above: check against the multi engine scanners.

However, a forum search for csinject.exe returns two other hits. This may be a false positive, which is why we suggest confirmation against other scanners: http://forum.avast.com/index.php?topic=24077.0.

The other one is a 2004 post but is unrelated to your problem.


dickshar

  • Guest
Re: trojan Win 32:small-caa
« Reply #6 on: October 09, 2006, 10:11:55 PM »
I have removed the system restore points as suggested. I have tried several other virus scanners but they found nothing. I'm not sure I have the technical ability to do the suggestion about the administrator. Thanks for your help.

Offline DavidR

Re: trojan Win 32:small-caa
« Reply #7 on: October 09, 2006, 11:32:09 PM »
This, as is pointed out in the other topic, looks like it could be a false positive detection.

It isn't too complicated if you take it a step at a time. Print off the instructions on the DropMyRights link so you can follow them step by step whilst off-line. There is also a link to the Microsoft page about DropMyRights; this has many images to illustrate what to do (my little bit tries to simplify setting up the shortcuts), so it would be advisable to print that also.

If you still feel it is beyond you, don't worry unduly, you have survived this far; just make sure that your OS, anti-virus, anti-spyware and firewall are up to date. If you have a friend who knows a little about computers, perhaps they might help.

Offline Lisandro

Re: trojan Win 32:small-caa
« Reply #8 on: October 10, 2006, 01:26:10 AM »
Quote: I have removed the system restore points as suggested. I have tried several other virus scanners but they found nothing. I'm not sure I have the technical ability to do the suggestion about the administrator. Thanks for your help.
To know if a file is a false positive, please submit it to JOTTI or VirusTotal and let us know the result. If it is indeed a false positive, send it in a password protected zip to virus@avast.com
Please, mention in the body of the message why you think it is a false positive and the password used.

dickshar

  • Guest
Re: trojan Win 32:small-caa
« Reply #9 on: October 10, 2006, 04:55:02 PM »
I am sorry, but do not understand how to submit the file for review. When I hit "browse" on the site it brings up some of my files but don't know what and how to submit it. What am I supposed to put in the box, and how do I get it there?

Offline Lisandro

Re: trojan Win 32:small-caa
« Reply #10 on: October 10, 2006, 05:22:36 PM »
Quote: As suggested by the program I "moved to chest". Is there anything further I need to do?
Sorry, it was not your fault but mine.
If the file is in Chest, right click it and send it from there to Alwil for further analysis.
If you use email communication (smtp) you need to fill the SMTP avast tab of settings before sending it to Alwil FROM Chest.

dickshar

  • Guest
Re: trojan Win 32:small-caa
« Reply #11 on: October 10, 2006, 06:30:03 PM »
I still don't know what I am doing. I used Outlook Express to send it to Alwil, and it sent it there. I don't know who or what Alwil is and how I can contact them or what they will do with the file.

Offline DavidR

Re: trojan Win 32:small-caa
« Reply #12 on: October 10, 2006, 06:55:40 PM »
Alwil are the company that created avast!

If you have sent the sample zipped and password protected to virus@avast.com (as Tech outlined above) the job is done. The avast team will only contact you if they need any more information.