overcautious newbie

I had a trojan horse on my computer today which was “successfully moved to chest” when I did a scan. I did another scan and included the archive files and I got another warning about a trojan horse. Again, this was moved to chest as recommended. Since then I have completed 3 standard scans and one thorough scan with no infections (although I did not scan the archives again). Am I worrying unnecessarily? Sorry, I don’t know the type of trojan horse. Obviously my Windows firewall has holes in it.

Thanks

Erm … Well, having a few Trojans in your system after consecutive scans is generally not good. So, your worrying is justifiable.

My guess, do a boot scan of your system. Delete/quarantine/repair any files.

Have you been doing anything that may introduce malware into your system lately? It may be that a recent download (which, when initiated and approved by you, will get past a firewall no matter what) introduced some malware.

Still worried after scans? Get a dedicated anti-trojan like A-Squared (or others) and do a scan.

Or, get HiJackThis and post a logfile for experts to analyze.

Good luck and remember to post back :slight_smile: !!

so you are saying that despite the fact that my last 4 scans (3 standard and 1 thorough) show no infections, I should still do a “boot scan of my system”?

Nothing wrong in being cautious or overcautious.

I doubt a boot-time scan would find anything different as it is using the same signatures, unless there was a problem in dealing with what was found and this clearly isn’t the case.
If something is coming back it would be what put it there you would be trying to find and that was undetected in windows.

What is the malware name, the infected file name, where was it found e.g. (malware name, C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.

The windows firewall doesn’t have holes in it, it is an open door as it has no outbound protection.

You don’t mention what your OS is ?

Whilst the Windows XP (or Vista) firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection (Vista does but it is off by default and none too friendly) and you should consider a third party firewall.

Don’t forget that I’m a newbie at this…

Can you answer this question in very simple terms…

If 3 standard scans and 1 thorough scan show no infections, is there still a possibility that I am infected?

thanks

There is always the possibility, if the infection isn’t one that avast detects; no AV can provide 100%. You have done as much as you can with avast.

This possibility of still being infected would be identified by strange symptoms on your system, things that didn’t happen in the past, browser opening sites you didn’t initiate, email being sent that you didn’t initiate, etc.

So do you have any suspicions ?

Notice in the signatures of other members on this topic you will see some of the additional software that backs up avast, like anti-spyware tools. But you can take these additional measures too far, the more tools you have the more sharpening of those tools is required (signature and program updates).

Your use of your computer shouldn’t be one of constant updating of security applications (or it becomes the master and you the slave and why bother having a computer), but practising safe Hex. Don’t open attachments or click links in unsolicited emails, even if they supposedly come from friends, etc.

Thanks David,

So far, my system is working fine. I also ran a thorough scan using Ad-Aware and that was okay. Here is the info that I found in my avast! log viewer under “warnings” (the problem started July 2):

4/08/08 3:18:49 PM 1672 Sign of “Win32:Vapsup-BX [Adw]” has been found in “C:\Program Files\Simply Accounting 2008\upgrade.exe” file.

5/09/08 3:44:50 PM 3176 Sign of “Win32:Vapsup-BX [Adw]” has been found in “C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP665\A0046104.exe” file.

7/02/08 11:09:58 AM SYSTEM 1620 Sign of “JS:Agent-AE [trj]” has been found in “http://58.65.232.33/counter.php?b=3” file.

7/02/08 11:10:26 AM SYSTEM 1620 Sign of “JS:Agent-AE [trj]” has been found in “http://58.65.232.33/counter.php?b=3” file.

7/02/08 11:10:28 AM SYSTEM 1620 Sign of “Other:Malware-gen” has been found in “http://58.65.232.33/01/01/java.php\Baaaaa.class” file.

7/02/08 11:29:37 AM 1636 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll” file.

7/02/08 11:49:02 AM 1636 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP706\A0050705.dll” file.

7/02/08 12:15:54 PM 1636 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\ \Local Settings\Temp\NIS8\Setup\SymLT.MSI\Binary.SymLCSVC.9E3C0E2F_0873_4AD9_995B_D9DAAF9B9E76[Embedded#XINSTALLDLL]” file.

7/02/08 12:16:37 PM 1636 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\ \Local Settings\Temp\SymLCSVC.EXE[Embedded#XINSTALLDLL]” file.

Is there anything I should be particularly concerned about? thanks

Well, of the ones on the 2nd July, the first three are intercepts by the Web Shield and you should have had only one option given, Abort Connection, that drops the download connection for (only) that file. So it shouldn’t get on to your system.

Interestingly, the 4th is a remnant of Symantec; what Symantec applications do you or did you have?

The one in the C:\System Volume Information\_restore point, there is little to do with this if it has been dealt with.

The last two are also Symantec related and Norton Internet Security in particular, so you appear to have remnants of Symantec applications, so you need to answer the above question on exactly what you did have.

So my only concern would be the removal of the Symantec remnants.
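The reading of the log given in the reply above (web downloads intercepted in transit, copies held in System Restore points, and files actually on disk), as an added example that is not part of the original thread. The line shape is assumed from the log lines quoted in this thread; the function names, the placeholder host and the sample paths are constructed for illustration.

```python
import re
from collections import Counter

# Assumed shape: date time AM/PM [user] pid Sign of "NAME" has been found in "TARGET" file.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{2}/\d{2}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?:(?P<user>\S+) )?(?P<pid>\d+) '
    r'Sign of ["“](?P<name>[^"”]+)["”] has been found in '
    r'["“](?P<target>.+)["”] file\.$'
)

def classify(target):
    """Bucket a detection target the way the reply above reads the log."""
    lowered = target.lower()
    if lowered.startswith(("http://", "https://")):
        return "web-intercept"   # URL target: caught during download
    if "\\system volume information" in lowered:
        return "restore-point"   # copy held inside a System Restore point
    return "file-on-disk"        # real file: check which product owns the folder

def triage(lines):
    """Parse log lines; return (records, per-bucket counts, unparsed lines)."""
    records, unparsed = [], []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)   # keep what the parser could not read
            continue
        rec = m.groupdict()
        rec["bucket"] = classify(rec["target"])
        records.append(rec)
    return records, Counter(r["bucket"] for r in records), unparsed

# Constructed sample lines (placeholder host and paths, not from a real log).
SAMPLE = r'''
7/02/08 11:09:58 AM SYSTEM 1620 Sign of "JS:Agent-AE [trj]" has been found in "http://192.0.2.10/counter.php?b=3" file.
7/02/08 11:29:37 AM 1636 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\Common Files\Example Shared\sample.dll" file.
7/02/08 11:49:02 AM 1636 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.dll" file.
this line is not a detection record
'''.splitlines()

if __name__ == "__main__":
    records, counts, unparsed = triage(SAMPLE)
    for r in records:
        print(f'{r["date"]} {r["bucket"]:<14} {r["name"]:<26} {r["target"]}')
    print(dict(counts), "unparsed:", len(unparsed))
```

Only the file-on-disk bucket points at something still sitting in a normal folder, which is why the reply concentrates on the Symantec remnants.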

I have tried repeatedly to remove Norton antivirus components. I even used an uninstall program that was recommended by someone from this forum because it caused problems when I tried to install Avast instead. The uninstall helped my immediate problem at the time but I don’t know why I still have remnants of it lingering. One thing is for certain - I will NEVER use Norton again.

thanks David

You can check those folder locations and see if they still exist and delete the folders; any sub folders and files would also be removed. Exercise care that you only delete the folders in bold text.

C:\Documents and Settings\ \Local Settings\Temp\[b]NIS8[/b]
C:\Program Files\Common Files\[b]Symantec Shared[/b]

And this file if it still exists.
C:\Documents and Settings\ \Local Settings\Temp\[b]SymLCSVC.EXE[/b]

David, I deleted the “Symantec Shared” file but couldn’t find the other two. When I try to find the files, I don’t see “local settings” (the path should be “C:\Documents and Settings\‘my name’\local settings\temp\NIS8”). I can’t find “local settings”. Is this unusual?

Thanks

I’m not sure you’ve used Norton Removal Tool for Windows 2000/XP/Vista.

Actually I did. At the time the Norton and Avast were conflicting on my system and I had problems finding the download and, when I did find it, I couldn’t click on it. I think it was DavidR that helped me by providing a link through this forum. I downloaded and ran the Norton removal tool and it corrected my problem at the time.

So, I suggest an avast installation from scratch:

  1. Uninstall avast from Control Panel first.
  2. Boot.
  3. Download the latest version of Avast Uninstall and use it for complete uninstallation.
  4. Boot.
  5. Install again the latest avast! version.
  6. Boot.
  7. Check and post the results.

I remember doing that at the time as well so I don’t think there’s a need to do it again. David advised that I delete selected files (see back) but I can’t find the “local settings” and hence, I can’t find the two files to be deleted. Is this unusual?

Maybe you need to disable ‘Hide protected operating system files’ and enable ‘View hidden files and folders’ to manage the file(s).

thanks Tech. I deleted them with the exception of the last one which I couldn’t find.

@ Tech,

There isn’t currently a problem with Student’s installation of avast; these came up in scans, indicating that there are some remnants even though he has used the uninstall tool. That tool is also reported to be far from perfect and I think this Symantec Shared folder is commonly left behind.

@ Student,

I don’t know when you ran the Symantec uninstall tool; if it was after 2/7/08 it may have removed the folder, but for sure there should be a Local Settings (and Temp for that matter) folder, even if there is no NIS8 sub folder. So I’m a little surprised by that.

The Local Settings shouldn’t have been a hidden folder.

In the presence of Norton, avast installation could be damaged, for sure.


You should find the 2 files inside the 2 locations shown below. Open the files shown in the pictures below on your computer. These are, of course, inside the “Documents and Settings” folder.