how can I remove Win32:Trojano-3295 [Trj]?!

I’m having the same problem with this virus as another poster. I am using win xp. I have done the following:

Removed system restore
Deleted temp internet files
scheduled boot scan

The boot scan did delete the file, but when I reboot it shows back up again.
When I try to delete from avast I get the “file being used by another app” message.

Again, I can delete it by doing the boot scan, but it reappears on every restart or reboot.

How do I get rid of this thing?

Hi charliewb,

See this thread over in viruses and worms:

http://forum.avast.com/index.php?topic=18804.0

Thank you for the response. I’ve tried the steps outlined in the post mentioned. The boot scan does find and delete the file, but when the system boots avast again flags the same file and gives the trojan warning. I have double checked and I have system restore checked off. I have done those steps three different times but I cannot boot the computer without getting the virus warning.

I’ve submitted a ticket to avast but hoping someone has another suggestion?

I have one other thought about this. My computer is an HP Pavilion 3400+ and they come standard with an HP recovery system. Could this be where the virus is being restored from?

thanks

In order to help fully we need more information…

  • What avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)
  • What was the virus name, what was the filename, where was it found
    example (C:\windows\system32\infected-filename.xxx)?
  • Do you have a firewall, if so what?

Download and run this program, Ewido Security Suite; it specializes in trojan removal and may well be able to kill this.

If you haven’t already got this software (freeware), download, install, update and run it.

  1. Ad-Aware
  2. Spybot Search and Destroy
  3. Spywareblaster (don’t install this until you are clean).

Here is the info requested:

Avast version 4.6 Home edition
VPS file version 0604-1 compilation date 01/24/2006

File location: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NSQYPXYD\gdnUS1391[1].exe[Yoda]

Note that the location remains the same up to \Content.IE5. The next folder name will change, then the rest stays the same.

Malware name: Win32:Trojano-3295 [Trj]

Malware type: Trojan Horse

I use ZoneAlarm version 5.1.011.000 with truevector

I’ve run Ad-aware. Spybot has been giving me problems (crashes). Will uninstall and reinstall.

Also, since my last post I have run a thorough scan with archive checked from windows safe mode. Took 3 1/2 hours. Avast found and deleted 8 infected files. When it booted on completion of the scan, the avast again found the virus.

I’ve downloaded the suggested program and will install and run it. Will let you know results.

It sounds like there is something else restoring the file, which can happen with multi-part malware. Ewido may well have more success.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.

I also suggest that you update your firewall; ZA free is on 6.1.?? I think, with better outbound protection.
Since your firewall is well out of date, it makes me ask: is your OS up to date (SP2 plus latest security updates)? If this virus is taking advantage of an exploit (it could continue to come back) that has since been patched, you should update.

Thanks for all the advice. Running ewido caught 72 infected items for quarantine. When I rebooted and ran the avast boot scan it did again catch the trojan virus and deleted it.

And this time it did not reappear. So ewido must have caught whatever else was restoring the virus.

I am still at SP1 (I know, I know). So I will update to SP2 as well as get Zonealarm up to date.

Again, I really appreciate the help!
thanks,
charlie


Welcome to the forums, charliewb!

Also, you should consider updating IE5 to IE6, which is more secure.


Glad we could help, welcome to the forums and avast!

I had the same problem

Use Webroot Spy Sweeper.
Reboot into safe mode.
Log in as a user other than root administrator (the user can have admin rights).
Start a scan with Spy Sweeper and it will detect then remove it.

I’ve had no issue with this trojan or download.ruin after sweeping in safe mode.