Problem deleting Trojan

Recently I changed Norton Antivirus for Avast Home.

I liked it very much, faster, less memory for the resident protection.

But I had one problem that made me nervous.

Two days ago, Avast stopped working and I had to fix the installation so it could start again. It was the same problem many people already had and it is discussed in other topics, so I’ll not comment here.

But yesterday Avast found some Trojans in my temporary internet folder. The resident protection didn’t block them (as Norton always did) and, worse, even after choosing to delete the files, they’re not gone. Avast entered a kind of loop, and after some time clicking to delete, a message that the file cannot be found (or something like that) starts appearing. But the warning keeps coming over and over.

So I downloaded ewido and Spybot and scanned my system. Ewido found some Trojans and apparently cleaned them. Spybot found some adware and stuff and cleaned it too. Now the problem seems to be solved, but I want to know if it is normal.

What is on my mind now is: either Norton was leaking many Trojans and I never knew, or Avast didn’t protect my system as it should. It’s important to say that these Trojans weren’t on my system on the first system scan I did when I installed Avast (and updated the database) before the crash.

Please do not understand this as a complaint, I’m just trying to understand what happened and, if possible, continue to use Avast.

Thank you very much!

You may have some remnants of NAV, it can be harder to get rid of than a virus, and this could affect how avast works.

A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT
You can also download SymNRT, a Norton uninstall tool that uninstalls all Norton 2004/2005/2006 products.

Plus no single program is going to catch everything, so a multi-application approach is best, and ewido works well with avast.

🙂 Hi DJ:

"Trojans" are BEST dealt with by using antiSPYWARE and/or antiTROJAN program(s), not an antiVIRUS program. I feel the Best such FREE programs are Ewido, which you used, and/or "SUPERantispyware" (the FREE ver) from www.superantispyware.com.

Ok, thanks for the tips.

I don’t know too much about viruses and Trojans; for me, everything that harms a computer is some “kind of virus”, and an antivirus is the solution! =P

I am worried because Norton had protection against viruses and worms, so I thought that every antivirus had it too…

Thanks!

An AV should detect viruses, worms and especially Trojans, which, according to a recent Symantec report, are the most common form of malware now.

No AV has 100% detection, as DavidR mentioned. As Ewido’s nabbed the Trojans now, it’s hard to know whether Norton had missed the Trojans, or if avast! let them through.

I wonder why they are in your browser temp files? Is your OS/browser up to date? If not, vulnerabilities may let Trojans get onto your computer. Have you been visiting crack/warez sites? If so, no AV is going to protect you from eventually getting burned. :-\

Frank, I’m at work now, when I come home, I’ll check the correct folder and the name of the trojan. Maybe this can help…

Thanks

Obs. I’m using Internet Explorer, never updated it, only if it was with Windows automatic updates…

I suggest you update IE as a matter of urgency as there are many vulnerabilities that are being exploited. You should also consider an alternative browser, one that isn’t based on the IE core, as these are less susceptible to adware and spyware.

Even then you should take proactive action to limit the effect of any infection that does manage to get on to your system. Whilst browsing or collecting email (any program that has access to the internet that specifically doesn’t require administrative privileges), if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

Frank, this is a part of the avast log file saved:

Sign of “Win32:Horst-BF [Trj]” has been found in “C:\DOCUME~1\ATLETI~1\CONFIG~1\Temp\77exhdd.9.exe[UPX]” file.
Sign of “Win32:Horst-BE [Trj]” has been found in “C:\DOCUME~1\ATLETI~1\CONFIG~1\Temp\9exssd32.6.exe[UPX]” file.
Sign of “Win32:Agent-VM [Trj]” has been found in “C:\DOCUME~1\ATLETI~1\CONFIG~1\Temp\93exmodul32d.5.exe[UPX]” file.
Sign of “Win32:Agent-VM [Trj]” has been found in “C:\Documents and Settings\Atletico 1\Configurações locais\Temp\93exmodul32d.5.exe[UPX]” file.

David

You mean use a logon that doesn’t have administrator privileges in Windows?
What do you think about using Firefox for browsing?

Thank you all!

Temp files containing the exmodul32 string are a symptom of Horst.AX:

Yes, you have Trojan-Proxy.Win32.Horst.ax on your computer. The virus creates files **exmodul32.exe in the temp folder. This program’s activity looks like a spambot.

(This thread refers back to the avast! forum where similar problems have been posted.)

http://forum.kaspersky.com/index.php?act=Print&client=printer&f=19&t=13019

Horst.AX was added to the avast! definitions on 25 September 2006, which would explain why avast! started detecting it recently.

http://www.avast.com/eng/vps_history.html

I’m curious as to why the file is identified as Agent-VM, because this was added in May this year.

http://www.avast.com/eng/vps-content-2006.html

???

And the ewido report:

C:\Arquivos de programas\DAEMON Tools\SetupDTSB.exe → Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Atletico 1\Configurações locais\Temp\9exssd32.6.exe → Proxy.Horst.jc : Cleaned with backup (quarantined).
C:\WINDOWS\system\smss.exe → Proxy.Horst.jq : Cleaned with backup (quarantined).
[2336] VM_00400000 → Proxy.Horst.jq : Error during cleaning.
C:\WINDOWS\system32\hldrrr.exe → Proxy.Mitglieder.ei : Cleaned with backup (quarantined).
C:\Documents and Settings\Atletico 1\Configurações locais\Temp\tmp1.tmp → Trojan.Agent.xu : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nvsvcd.exe → Trojan.Agent.xu : Cleaned with backup (quarantined).
D:\Downloads\sun.exe → Trojan.LdPinch.att : Cleaned with backup (quarantined).

I’m worried about this error:
[2336] VM_00400000 → Proxy.Horst.jq : Error during cleaning.

But when I scanned again, it did not find any problems…
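An added example, not part of any post in this thread: a short Python script that parses the avast! log lines and part of the ewido report quoted above, keys each detection on the file name so the 8.3 short path and the long path of the same file collapse into one entry, and reports which files both scanners flagged and which entries ewido failed to clean. The function names and the match-by-basename rule are assumptions of this example.

```python
import ntpath
import re
from collections import defaultdict

# Report lines copied from the posts in this thread (ewido report abridged).
AVAST_LOG = r"""Sign of “Win32:Horst-BF [Trj]” has been found in “C:\DOCUME~1\ATLETI~1\CONFIG~1\Temp\77exhdd.9.exe[UPX]” file.
Sign of “Win32:Horst-BE [Trj]” has been found in “C:\DOCUME~1\ATLETI~1\CONFIG~1\Temp\9exssd32.6.exe[UPX]” file.
Sign of “Win32:Agent-VM [Trj]” has been found in “C:\DOCUME~1\ATLETI~1\CONFIG~1\Temp\93exmodul32d.5.exe[UPX]” file.
Sign of “Win32:Agent-VM [Trj]” has been found in “C:\Documents and Settings\Atletico 1\Configurações locais\Temp\93exmodul32d.5.exe[UPX]” file.
"""
EWIDO_LOG = r"""C:\Documents and Settings\Atletico 1\Configurações locais\Temp\9exssd32.6.exe → Proxy.Horst.jc : Cleaned with backup (quarantined).
C:\WINDOWS\system\smss.exe → Proxy.Horst.jq : Cleaned with backup (quarantined).
[2336] VM_00400000 → Proxy.Horst.jq : Error during cleaning.
C:\Documents and Settings\Atletico 1\Configurações locais\Temp\tmp1.tmp → Trojan.Agent.xu : Cleaned with backup (quarantined).
"""

AVAST_RE = re.compile(r'Sign of [“"](?P<name>.+?)[”"] has been found in [“"](?P<path>.+?)[”"] file')
EWIDO_RE = re.compile(r'^(?P<path>.+?) → (?P<name>\S+) : (?P<status>.+)$')

def file_key(path):
    """Lower-cased Windows basename without a trailing unpacker tag such as [UPX]."""
    return re.sub(r'\[[^\]]+\]$', '', ntpath.basename(path)).lower()

def correlate(avast_log, ewido_log):
    """Map file key -> detection names per scanner, plus a failed-cleaning flag."""
    seen = defaultdict(lambda: {"avast": set(), "ewido": set(), "uncleaned": False})
    for line in avast_log.splitlines():
        m = AVAST_RE.search(line)
        if m:
            seen[file_key(m["path"])]["avast"].add(m["name"])
    for line in ewido_log.splitlines():
        m = EWIDO_RE.match(line.strip())
        if m:
            entry = seen[file_key(m["path"])]
            entry["ewido"].add(m["name"])
            # Anything not reported as "Cleaned ..." needs a follow-up scan.
            entry["uncleaned"] |= not m["status"].startswith("Cleaned")
    return dict(seen)

def flagged_by_both(report):
    return sorted(k for k, v in report.items() if v["avast"] and v["ewido"])

def uncleaned(report):
    return sorted(k for k, v in report.items() if v["uncleaned"])

if __name__ == "__main__":
    report = correlate(AVAST_LOG, EWIDO_LOG)
    print("flagged by both scanners:", flagged_by_both(report))
    print("not cleaned, re-scan needed:", uncleaned(report))
```

The uncleaned entry is the in-memory region of process 2336 rather than a file on disk, which is why it is keyed on the whole `[2336] VM_00400000` string.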

🙂 Hi DJ:

The most extensive thread Avast has had about "exmodul" is at:

http://forum.avast.com/index.php?topic=20027.msg173564;topicseen#msg173564
(especially the last post by "stuzoo")

It appears this is something that should be checked out by volunteer Experts on an antiSPYWARE forum; if you know of none, I recommend www.landzdown.com.