A Trojan Horse Was Found...?

Hello,

Every time I use/open any program (Notepad.exe) or the FTP program to upload or download files, I see this message: the "A Trojan Horse Was Found!" window pops up. Also, I get this message when I use the “MS-Remote Desktop Connection” program. I tried to delete it and “Move to chest”, but AVAST cannot delete it. Can you tell me how to delete it? Is it a virus? Is it safe to delete it?

avast! Warning – Pop-up Window


A Trojan Horse Was Found?
File name: C:\Winnt\OFKKST.ITF
Malware name: Win32:Daonol-P [trj]
Malware type: Trojan Horse
VPS version: 090519-0, 05/19/2009


Thanks.

USWebCity.com

Keep it in the Chest and wait for an evangelist.

AVAST cannot move it to the Chest.

With no google results, the file seems suspicious.

Upload the file to VirusTotal and post the results.

You said earlier you couldn't delete it. You should always first move it to the chest; otherwise, if you have another clean computer you can use, disconnect the infected computer from the internet unless it is important. This way the virus can't report anything or download anything. Try doing a boot scan and post the log.

I second the virustotal’s results. Again, as John2009 has stated, keeping it in the chest can do no harm. If you find out that the file(s) are needed, you can always restore them from the chest.

What error message is displayed?

Can you try a boot time scan?

Right click avast icon–>Start Avast Antivirus–>Right click Avast user interface–>Click ‘schedule boot time scan’

This may help you to move the virus to the chest.

Hope this helps,

-Scott-

I can delete it from Windows Explorer. Should I do that? Then I will scan it with “schedule boot time scan”. Thanks.

Why have you not sent the file to VirusTotal? Go to the website, choose browse, navigate to the file, and send. The file will be examined, and the results shown. You can then copy/paste the results here.
http://www.virustotal.com/

Hi avast9002

Read about this nasty info stealer here: http://www.fissionit.co.uk/forum/showthread.php?p=9906

And here: http://miekiemoes.blogspot.com/2009/01/ix-web-hosting-reliable.html

polonus

Did some googling and found out about it. Avast! is right but it looks like an FP. This might be due to it being new.

Your website might have the following code if you had the virus on it (see picture one), and when I tried to save it as testingtesting123.html, it alerted a virus (see picture 2).

They say IX Web Hosting was hijacked to add the code to all the sites. I suggest you contact them to tell them they were hacked.

Virus Total Results: http://www.virustotal.com/analisis/6b2a089a806276efa3b4077693320cc4

Sources:
http://forum.cmsmadesimple.org/index.php?topic=27818.0
http://miekiemoes.blogspot.com/2009/01/ix-web-hosting-reliable.html

Just because there are very few hits on virustotal means very little in this case as very few AVs even check this and of those that do avast is on top of its game.

I also don’t see how your example bears any resemblance to the original poster's (OP) alert.

The file name and location is his hard disk, your example is the web.
The malware name is Win32:Daonol-P [trj], yours is JS:Redirector-D [trj]

So what are you on about, it has nothing to do with what the OP has posted.

The example is a website that downloads the virus by using a redirector. ;D

After I scanned my PC and deleted the file by using the AVAST BART CD, my PC works fine now. Thank you for your help.

Hi avast9002,

You tackled that one right, well done. Others might benefit from the info here.

Well here is explained why so many users were infected with Win32:Daonol lately:
http://ixwebhostwarning.wordpress.com/2008/12/24/ix-web-hosting-and-the-yahoo-counter-script-injection/
http://ixwebhostwarning.wordpress.com/2009/01/11/is-your-site-infected-by-the-yahoo-counter-or-htaccess/

This info from Miekiemoes, a Belgian lady malware fighter, who now works for the makers of MBAM as a malware analytic,

pol

And you know that this is how he got infected, rubbish. You can’t possibly know that from the information posted, it is pure speculation and that doesn’t help the original poster.

That is why we point people to virustotal to first confirm or deny the detection.

Hi DavidR,

Have to agree with you there. The first thing we will have to do is know beyond any shred of a doubt with what malware we are dealing here, and that can only be established from the actual infection on the victim’s machine. We have to start from the information the victim provides us with: a virustotal or jotti scan result, an infectious hyperlink (made non-clickable), a hjt log and/or various other ways to establish the source of infection. Furthermore malware is ever evolving, the malcoders even can have random infection code, so every infection vector should be treated as an individual case. Speculation will lead the victim and the malware helper away from the goal that is removal of the malware at hand,

polonus

Either way, Avast! detected the script, so shouldn’t the virus be blocked and none of this would have ever happened? ???

It may not have been a script at all that was the cause, there is nothing that confirms this in this topic at all.

If you don’t understand that concept then perhaps you should watch and learn rather than give advice that is based on speculation.

When you suggest that something might be an FP (which you did earlier and why I responded), you have to back that up with clear proof or your advice could potentially harm another user's computer.