Avast tonight found my first ever Trojan. I was so panicked by it that I deleted it straight away but it was in Microsoft Works and apparently the file had something to do with clipart (I googled it but can’t remember what it was called now).

The other night WinWord tried to access the internet but I blocked it with ZoneAlarm. I hadn’t asked Word to open but it did and that concerned me. I did a scan 2 nights ago and nothing, found this file but said it couldn’t scan it as it was corrupt. Then I tried the same last night and nothing. Avast updated itself last night so I tried again today and voila, one Trojan Horse.

Having deleted the file am I now safe? I’ve never had a Trojan before so a little scared.

Also I used one of those Sony cd’s the other day that had their dodgy XCP software on but I searched my computer for the file it was meant to put in system32 and it wasn’t there and I checked the barcode number with the one that was meant to be affected and my barcode didn’t match so I assumed I must have had a later or earlier model CD without the file on it. Am I right in thinking though that most AV’s updated their software ages ago to detect this file and do something about it (I seem to remember reading something about that on Sony’s site)?

No need to panic… better is send the infected file to Chest (Quarentine) than to delete it immediatly. It could be a false detection of avast.

Did you click in a hyperlink?

To be sure:

1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
2. Clean your temporary files.
3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
4. Use a-squared, ewido or Spyware Terminator (trojan removers).

Sorry, but this rootkit need a special attention and it’s not ‘detected’ by antivirus.
Better will be googling for rootikit analisers and cleaners…

That’s really useful, cheers mate. Is the latest Sony rootkit scanner okay now? I know the first one created a bigger problem than the rootkit itself.

I’ll follow those instructions later as well.

Thanks for your help!

I’m just downloading that file you suggested (Trojan Killer) just one quick question, why is there a need to disable auto recovery in XP before doing a boot-up scan?

Hi kentmonkey,

Why, we do not want to remove the trojan, and then after boot-up have Windows neatly restoring the malware back on.
That is why we have this special routine to deal with trojans, so they do not stay there
when they are restarted from the system or the registry. This a very elimentary truth of trojans, and when you recognize this mechanism, you have beaten the prototype.

polonus

System restore will make a restore point for files deleted/moved from the system folders. Many trojans, etc. try to be located in the system folders so you think they are important system files and leave them there. Having decided to move or delete the file the last thing you want is if in the future you use system restore it restores the infected file. So we disable system restore to prevent the file being saved by system restore.

Avast has just found another file on my computer it can’t scan, it was in windows/softwaredownloads/…

apparently the “CAB Archive is corrupt” This was the same message I got a few times before it decided that the file in the Works folder the other night was indeed a Trojan Virus.

I’ve moved the file to the Chest just in case, it could just be that as I’m on dial-up the Windows update hadn’t downloaded fully before I disconnected (in fact they hardly ever do) but anybody have that from time to time, CAB Archives being reported as being corrupt?

There may be many legitimate reasons that a file can’t be scanned.
What was the reason given and what was the file name and location ?

Files that can’t be scanned are just that, not an indication they are suspicious/infected, just unable to be scanned. You have to decide if the reason is legitimate and for the most part it will be.

By examining 1) the reason given by avast! for not being able to scan the files, 2) the location of the files, you can get an idea of what program they relate to. You may need to expand the column headings to see all the text.

Many programs (usually security based ones) password protect their files for legitimate reasons such as AdAware and Spybot Search & Destroy, there are others (and avast doesn’t know the password or have any way of using it even if it did know it). File corruption is another, system file in use, etc.

I won’t worry that much… some packing structure that cannot be unpacked by avast scanner.
So, it there is something wrong, the Standard Shield will pick it up latter.

Are you sure this CAB belongs to Windows Update?
I think it’s not the most common case.
If you right click the file into the Chest and scan it, what do you get?

The exact location of the file was:
WINDOWS\SoftwareDistribution\Download\S-1-5-18\9c32b8bdc8cfb34dfe1531aa3f509cb9\BIT14.tmp
However, I’ve right clicked and scanned it and Avast doesn’t find a virus so hopefully all is okay.

Seems a temporary file. You can open avast Chest and add it there.
Then you can delete the file.
Did you run avast at boot time?