New Trojan???

Running Avast! in the background and a Virus warning message has suddenly popped up.

Name: Win32: Trojano-090 (Trj), File name: C:\windows\System32\iassam.exe
VPS version: 0419-1, 06/05/2004

So… apparently, I’ve got this virus in my system, but I can’t find any information on it.

I don’t know if it is simply resident or if it has launched and if it has, I don’t know how to get rid of it.

What do I do???

Update…

I’ve attempted ‘repair’ and got the following error message: “Cannot process”

Now what???

Hi,

just boot your PC to safe mode (F8-Boot) and then move it to chest with avast, or delete it…

if that doesn’t help :

what WIN do you have ? Are all ServicePacks and Windowsupdates applied ?

test the file with OnlineScanners e.g. from Trend, RAV & KAV (see below) to get a more specific name
(you need to temporarily pause AV-Resident Shield/Monitor/Guard to be able to scan the file online)

(If they all don’t show it as infected, please send it in a password-protected zip-file to
virus (at) asw (dot) cz
Include the Zip-password and a link to this posting in the mailtext)

spybot, ad-aware and cwshredder might also help
see www.lurkhere.com ->nicefiles and www.lavasoft.de

-remove the Virus/Malware and its system modifications according to VirusInfos
from Avast, VGREP, TrendMicro, Kaspersky;
you might also try searching for the virus name or filename with google

general removal procedure:

  • disable system restore on Win ME/XP
  • kill respective Backdoor/Trojan process with task manager
  • search for the file/process names in the registry; remove the malware’s startup entries in the registry
  • disinfect or (if disinfection is not possible) delete the file; this may be possible only after a reboot

if you still can’t remove it, you could post a logfile of Hijackthis here

-Secure your system:
change passwords, secure shares, install patches/updates for WIN&IE;
disable ActiveX and Scripting in IE except for known secure sites - and better use a secure browser like Opera or Mozilla

  • scan your whole system with updated avast and maybe a 2nd scanner, e.g. TrendMicro/RAV to check whether your PC is clean :wink:
  • If needed, reenable system restore on Win ME/XP

Further Details and Links via the board search above :wink:
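The checks in the removal procedure above (startup entries, running process, the file itself) can be gathered without changing anything, as in this added example, which is not part of the original post. The list of autostart keys is a starting set chosen for the example, and the default path is the one from the Avast warning in this thread.

```powershell
# Added example: read-only triage of a flagged file. Nothing is deleted or changed.
param(
    # Path taken from the Avast warning quoted in this thread.
    [string]$FlaggedPath = 'C:\windows\System32\iassam.exe'
)

$leaf = [System.IO.Path]::GetFileName($FlaggedPath)
$stem = [System.IO.Path]::GetFileNameWithoutExtension($FlaggedPath)

# Common autostart keys; a starting set chosen for this example, not exhaustive.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Startup values whose command line mentions the flagged file name.
$startup = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        if ($command.IndexOf($leaf, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            [pscustomobject]@{ Key = $key; ValueName = $name; Command = $command }
        }
    }
}

# Running processes with the same image name, and where they were loaded from.
$running = Get-Process -Name $stem -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path

# Hash and signature state, to compare against a second scanner or a vendor reply.
$file = $null
if (Test-Path -LiteralPath $FlaggedPath) {
    $sig = Get-AuthenticodeSignature -LiteralPath $FlaggedPath
    $file = [pscustomobject]@{
        Path      = $FlaggedPath
        SHA256    = (Get-FileHash -LiteralPath $FlaggedPath -Algorithm SHA256).Hash
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

[pscustomobject]@{ File = $file; StartupEntries = @($startup); Processes = @($running) } |
    Format-List
```

An empty StartupEntries list together with no matching process means the file is present but not set to launch from these keys; other autostart locations are not covered here.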

I moved it to chest immediately, no sense taking unnecessary chances.

I’m currently running a full system scan just in case.

Sorry for the lack of info…

I’m running WinXP and as far as I know, all updates and patches are applied. The PC is firewalled and nothing is downloaded; not even email. So I don’t have any idea how this sucker got in if it’s a virus.

I’ve searched google for both the virus and the filename and come up with nothing.

What I did come up with though is IAS which appears to have something to do with my wireless network. Related???

I find it hard to believe that I’m the first person on the net to discover a new virus… not on this pc anyway.

Any help is useful.

Thanks.

Hi,

obviously it’s not a new virus, if avast detects it…

to get more info on it, scan it with the onlinescanners mentioned above… :wink:

Are you suggesting that Avast never registers false positives?

I’ll keep ya posted.

just like any other AV program Avast has false positives.
best way to tell for sure whenever you think avast has falsely detected a virus is to scan with housecall.

I have the same problem.

Hi Cassie,

then the same solutions/advice/questions apply to you :wink:

:smiley: Ok, Smarty Pants - I can read, ya’l know. ;D ;D

On a more serious note, when I go into Safe Mode, the Trojan does NOT show up. Avast! is the only scanner that shows the Trojano-090 message/warning, I cannot find anything on it anywhere on the web, and I did use every other scanner in the world and none of them have detected the trojan.

I’m dazed, confused, and feeling a bit vaporish so I will go have a nice lay down.

!!!

Just in case I searched my registry (XP home) for iassam.exe

Though it might not help, I put an extract of my search here.


in HKEY_CLASSES_ROOT\CLSID\{6BC09896-0CE6-11D1-BAAE-00C04FC2E20D}:

\InproServer32
(default) REG_SZ C:\W.\S.32\iassam.dll
ThreadingModel REG_SZ Free

\ProgID
(default) REG_SZ IAS.NTSamAuthentication

\TypLib
(default) REG_SZ {6BC09890-0CE6-11D1-BAAE-00C04FC2E20D}

\Version
(default) REG_SZ 1.0

and that is almost repeated in some next keys


Oooops … W.= Windows and S.32= System32 :slight_smile:

Then please send the file in to avast (see above) and tell us what they say about it :wink:

I sent the file in last week and have received nothing; not even a “we’ve received your email” notice.

Cassie. Are you running anything wireless?? I’m seriously wondering if we’re getting a false positive based on something that Avast isn’t used to seeing; wireless networking.

T.

Nope. Nothing wireless at all. And that $&!@# notice keeps popping up.

Hi Cassie,

WHICH other / Onlinescanners did you use ? results ?
you know that you can exclude files from scanning in both the mainscanner and the resident shield ?
:wink:

If it helps, I’ve removed the file, since the computer that it’s on doesn’t need the wireless and I’ve experienced no difficulties since. I’ve received a clean scan from Avast now that it’s gone, but I’m still none the wiser as to what was wrong with the file.

Kinda makes you wonder what you’re laying money out for. But then, what do I know… I’m just a Llama. :wink:

Those recommended on this forum as well as Norton (yes, hog but I was desperate) as well as a couple others. The results were always the same - clean system. Thus my confusion and frustration were born ::argh!!::

Seriously, I’m ready to dump Avast - this is getting way too muddy. You mention excluding files but what files do I exclude? Each time the ****** popup appears it has a different file listed as “infected” but I can’t find the source of the infection, my 'puter works great and my cats are ready to put me away for growling.

??
Cassie

Hi Cassie,

  1. Including KAV ? Please list them all …

  2. This imho doesn’t really point to a false alarm:
    but on each occurrence, NOTE exactly the full path/location/filename & move them to the chest, or better to a new separate folder and send them in again
    to virus@avast.com or virus@asw.cz with info on file location and a link to this topic.
    pack the file into an encrypted Zip (i.e. with password) and include password in the mailtext

P.S.: always different names ? I thought, it was “iassam.exe” ?
and the fact that nothing can be found on google about the above filename, also points against a false alarm

:wink:

you could also send it in to
newvirus@kaspersky.com
or
virus@rokop-security.de

to have it analyzed for free

→ State that you suspect either a new trojan, or a false alarm
:wink: