Hi Everyone,

Avast! 4 Professional says that I have a Trojan (see below). I’ve read some of the posts on what to do, but for some reason, “boot time scan” is greyed out (not an option) in the menu for me.

Does anyone have some advice?

Thank you very much,
Paul
Arizona, USA

C:\Windows\WINDOWS\svhost.sys
Win32:Nuclear-AP [trj]
Trojan Horse
000780-2, 10/11/2007

What is your OS ?
The boot-time scan isn’t available in win9x or winME.

You shouldn’t have to schedule a boot-time scan if avast detects and is able to deal with the infection. You have a number of options, Move to chest (best), Repair (not always available), Delete (not a good first choice, see below), etc. what did you choose ?

Deletion isn’t really a good first option (you have none left), ‘first do no harm’ don’t delete, send virus to the chest and investigate.

Thank you for the quick reply!

I’m running Vista 64.

I think it maybe resolved, but I’m not sure. The reason why I say that is…

I ran the free scan from TrendMicro and it found a different Trojan (or maybe it was the same one but a different name?) and I deleted it via TrendMicro.
However, I rebooted and got an error about the “svchost.exe” (sorry, I don’t remember the error). But I’ve rebooted a couple of times since and no errors.

Maybe the next step is to run Avast again? I’m up for any ideas.

Thank you again,
Paul

Unfortunately there is no boot-time option in the 64bit version of Vista.

It is possible that the trend detection was on the same file as there is no standardisation or naming convention for new malware names.

The message may have been because there is a run command in the registry and since the file is gone, you get an error about a missing file. However, if the error is gone that probably isn’t the case, I would just maintain a watching brief if it does come back try to get as much info as possible.

The svchost.exe is a legit system file, depending on its location. Hence I’m sure you can now see why location is important.

You can check for the presence of the svhost.sys, which should be gone and another avast scan won’t hurt.

That explains why the boot scan is greyed out - thanks for that.

I’ll take your advice and again, thank you for your help.

Paul

No problem, welcome to the forums.

Thanks for having me on the forums

Unfortunately, Avast! Is finding the Trojan everytime I boot up.
I have moved it to the Chest everytime.

Any thoughts? Sorry for being novice at this.

Thank you again,
Paul

If it is continually finding it on boot, there would appear to be other elements undetected or hidden for this, so it is either being restored/regenerated or downloaded again (though that if it is very soon after boot is unlikely). What is your firewall ?

I take it that it is the same file name and location

Since you are running vista 64, I would say you will be limited on the tools that can be used to try and find the other elements.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.

1. If using winXP AVG anti-spyware (formerly Ewido) Resident scanner during trial On-Demand after trial ends. Or SUPERantispyware On-Demand only in free version. Or Spyware Terminator Resident scanner.

The above are XP and probably vista compatible, but whether they are vista 64 compatible I don’t know, nor do I know if there is the same safe mode function in Vista 64.

The same is true of the HiJackThis Program - Useful as a diagnostic tool - FileHippo Download - HiJackThis - HJT Information HiJackThis Tutorial 1

Hopefully someone else can pick this up as I’m about to turn it, it is just after 3 a.m. here.

Some other On-line Virus Scanners and other useful Links Security-Ops.eu.tt New on-line scanner http://www.eset.com/onlinescan/

Hi Nailzaz :

Best to use a antiSPYWARE/antiTROJAN program to deal with a trojan;
the 2 that many experienced, trained, certified, Volunteer Malware-
fighting Experts recommend are : 1) FREE version of SUPERAntiSpyware
from www.superantispyware.com ; 2) "Trial" ver of AVG AntiSpyware,
 most easily downloaded from www.ewido.net ; not sure IF this program
is compatible with your Vista 64 bit Operating System !?

Good resources, I’m downloading SuperAntiSpyware right now.

I did try something called, Trojan Remover (www.simplysup.com/tremover ) and it did find trojan(s) and seems to have removed them, but again I’m going to run TrendMicro & Avast as well as at least SuperAntiSpyware to see what they find.

Have you guys heard of that Trojan Remover program?

Thank you again,
Paul

Your welcome.

I hadn’t heard of Trojan Remover before, there really are so many different tools out there and we tend to stick with those we know. The problem in your case is a 64 bit OS which limits the software that can run on it so your more limited to on-line scanners than most 32bit OS users.

Your link brings up a 404 error, probably because you have to get there via another page trying other url combos, to downloads, etc brings up 403 error (access denied permissions, etc. So there may e something wrong with their site. I found a link for majorgeeks.com but that link didn’t work either.

The site’s down for me now too.

I believe the Trojan is gone now. Probably from using various applications.

Two things:

1. Why couldn’t or didn’t Avast Pro remove it effectively?
2. For system performance, I keep Avast running all the time, but I run SpyBot & Destroy & Windows Defender daily to remove ad/malware. Is this a good way to do things? I didn’t want a bunch of apps running.
3. As for Firewalls, I disabled Windows Firewall because a) I heard it isn’t very effective b) I have Avast running and c) I would think my router would prevent most issues. Again, is this a good way to run things?

As always, I value your feedback.

Sincerely,
Paul

1. probably because as I said there was another element (undetected or hidden) restoring the malware which kept being detected. So avast couldn’t dealt with it as you say because it didn’t recognise it, some trojan downloaders aren’t malicious in their own right but what they download is. The indication of this is repeat detections of the same malware and file name. What you don’t detect you can’t remove.

This is why when looking for the undetected element we need to be making notes on what was found by other specialist tools so that samples can be sent to avast to be analysed. I didn’t make that very clear and when you are up to your a** in alligators the last thing on your mind is draining the swamp.

2. To be able to run Vista64 I doubt your system is any slouch, but you should run avast as a resident application as it was designed. Spybot S&D is fine as an on-demand backup and Windows Defender I would suggest you let that run as resident and see if there is any performance impact, if not leave it as resident also.

3. This problem was most likely as a result of an undetected trojan downloader and your router wouldn’t have any impact at all. Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Now the vista firewall has outbound protection disabled by default and even if enabled is by all accounts a pain to configure. Vista Firewall Control, check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0. Again I don’t know if this is Vista64 compatible.

Either that or another compatible firewall that provides outbound protection and by now you probably realise Vista64 doesn’t have a huge software base.

A direct quote from Trojan Remover home page …

“Trojan Remover is designed to work on Windows 98/ME/2000/XP/Vista. The program is not, at present, compatible with any 64bit version of Windows.”

… indicates that the software is not compatible with Vista 64.