Avast 4.6 & win32:Trojano-1941

I have tried a multitude of suggested avast recommendations, “Move to Chest”.
I tried to Delete it!
It is repeatedly catching this Trojan horse. But it is so repetitious it is now annoying. Every 15 to 30 seconds the avast! Warning pops up. I did the move to chest and delete. Not sure how I should move or rename it.

How do I stop or block or remove this. I’m up to date.

Information about current update:
Total time: 4 s

  • Program: Already up to date
    (current version 4.6.731)
  • Vps: Already up to date
    (current version 0548-0)

Server: download21.avast.com (70.86.87.234)
Downloaded files: 3 (0.03 KB)

I’m now not sure whether microsoft went into the block mode.

Just not comfortable with what’s taken place. It is not happening now. Microsoft Antispyware had a pop-up about a toolbar modification. I chose to block it. Now it has stopped.

Should I have taken or done something different?

It seems this win32:Trojano-1941 is active only when the internet is on.

Offline I’m fine.

Any suggestions?

Are you using Windows XP?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning
Select for scanning archives.
Boot.

Other option is scanning in SafeMode (repeatedly press F8 while booting): http://support.microsoft.com/default.aspx?scid=kb;en-us;315222

Can you post the name and the path of the infected files?

Yes Windows XP.
I think I’m currently doing that.
I have 1 infected notice.
It was the same as the repeated problems.

Location, can I get that from the Chest?
It is in two locations

My documents and local disk.
I’m gonna wait till it has finished the current scan.

This is a generic Trojan definition, so really we need the exact filename and location.

However, there is mention on the net of this warning being associated with a _disk.dll malware. This is a symptom of a Trojan downloader, which tries to download malware while you are online; this seems to fit your symptoms.

It may be the result of a CoolWebSearch infection, so running CWShredder would be a good idea:

http://www.intermute.com/spysubtract/cwshredder_download.html

The infection probably starts from Winlogon Notify and will not be removed by avast! even in a boot scan. Try Ewido, which can remove process-injecting Trojans:

http://www.ewido.net/en/

Ewido is installed and ready to run.
Here’s transaction or notices which I’ve gotten

Microsoft Antispyware: Microsoft Antispyware has blocked st2.dll

Trend Micro CWShredder: CoolWebSearch was not found on this system

Unknown: Runtime Error 5 at00ce45D3

Avast: Cannot process "C:\WINDOWS\system32\st3.dll: file

Avast: C:\windows\system32\st3.dll

Sure seems to dodge the scans.

Anyhow I ran Ewido 2 times.
During the first scan Avast popped up that it found the threat again.

Scan results of Ewido


ewido security suite - Scan report

  • Created on: 7:13:28 AM, 11/30/05

  • Report-Checksum: 6D7BF213

  • Scan result:

    HKU\S-1-5-21-955470624-1491259652-3236984647-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} → Spyware.PopularScreensavers : Cleaned with backup
    [592] C:\WINDOWS\q6772648.dll → TrojanDownloader.Delf.zu : Cleaned with backup
    [1508] C:\WINDOWS\system32\st3.dll → TrojanDownloader.Delf.h : Error during cleaning
    C:\Documents and Settings\Mark\Cookies\mark@msnportal.112.2o7[1].txt → Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Mark\Cookies\mark@questionmarket[1].txt → Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\AA2EC03E-F4F6-4B5A-8938-082CBA\626F21A2-1DB6-4A84-B22E-B69E9A → Dialer.Generic : Cleaned with backup
    C:\Program Files\Spybot - Search & Destroy\Includes\Hosts.sbs → Trojan.Qhost.ew : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll → Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
    C:\WINDOWS\q6772648.dll → TrojanDownloader.Delf.zu : Cleaned with backup
    C:\WINDOWS\Temp\trz17F.tmp → TrojanDownloader.Delf.h : Cleaned with backup

::Report End

I ran the scan a second time.

Again it ran into the trojan st3.dll. First scan, I see, has cleaned with errors!

2nd scan

ewido security suite - Scan report

  • Created on: 7:44:40 AM, 11/30/05

  • Report-Checksum: 580EDCC4

  • Scan result:

    [592] C:\WINDOWS\q6772648.dll → TrojanDownloader.Delf.zu : Error during cleaning
    [1508] C:\WINDOWS\system32\st3.dll → TrojanDownloader.Delf.h : Error during cleaning
    C:\WINDOWS\Temp__delete_on_reboot__trz17F.tmp → TrojanDownloader.Delf.h : Cleaned with backup
    C:\WINDOWS__delete_on_reboot__q6772648.dll → TrojanDownloader.Delf.zu : Cleaned with backup

::Report End

Running Microsoft spyware deep scan currently.

Then I’ll reboot and see what takes place Again with AVAST!
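Added example (not part of the original posts and not Ewido's own tooling): a small parser that compares the two scan reports above and shows which detections survive from one scan to the next. The sample lines are copied from the thread and trimmed; reading the bracketed number as the ID of the process that has the module loaded is an assumption, and the function names are hypothetical.

```python
import re

# File entries copied from the two Ewido reports in this thread (trimmed).
SCAN_1 = r"""
[592] C:\WINDOWS\q6772648.dll → TrojanDownloader.Delf.zu : Cleaned with backup
[1508] C:\WINDOWS\system32\st3.dll → TrojanDownloader.Delf.h : Error during cleaning
C:\WINDOWS\Temp\trz17F.tmp → TrojanDownloader.Delf.h : Cleaned with backup
"""
SCAN_2 = r"""
[592] C:\WINDOWS\q6772648.dll → TrojanDownloader.Delf.zu : Error during cleaning
[1508] C:\WINDOWS\system32\st3.dll → TrojanDownloader.Delf.h : Error during cleaning
"""

# "[pid] path -> detection : status"; the [pid] prefix is optional.
ENTRY = re.compile(
    r"^\s*(?:\[(?P<pid>\d+)\]\s+)?(?P<path>.+?)\s+(?:→|->)\s+"
    r"(?P<name>\S+)\s+:\s+(?P<status>.+?)\s*$"
)

def parse_report(text):
    """Return one dict per report line that matches the entry format."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entry = m.groupdict()
            # Assumption: the bracketed number is the owning process ID.
            entry["pid"] = int(entry["pid"]) if entry["pid"] else None
            entry["path"] = entry["path"].lower()  # Windows paths ignore case
            entries.append(entry)
    return entries

def persistent_detections(reports):
    """Map each path detected in every scan to its status history."""
    parsed = [parse_report(r) for r in reports]
    common = set.intersection(*({e["path"] for e in p} for p in parsed))
    result = {}
    for path in sorted(common):
        rows = [next(e for e in p if e["path"] == path) for p in parsed]
        statuses = [e["status"] for e in rows]
        result[path] = {
            "pid": rows[-1]["pid"],
            "statuses": statuses,
            # Never removed in any scan: likely locked by a running process.
            "never_cleaned": all(s.startswith("Error") for s in statuses),
        }
    return result

if __name__ == "__main__":
    for path, info in persistent_detections([SCAN_1, SCAN_2]).items():
        print(path, info)
```

Entries that fail cleaning in every scan while loaded in a process are the ones a normal-mode scanner cannot delete; they are the candidates for a boot-time or Safe Mode scan.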

Thanks “Tech”. It appears that Avast has stopped its repetitious catching of this file and we’re now back online.

You’re welcome. Glad you finally got rid of that infection.
Again, welcome to forums and, if you can, please, login and help the others 8)