Unmovable Trojan ?

Please can anyone help.

Avast detected a malware trojan in my system yesterday.

The Trojan is identified as Win32:Qqpass-CL

The location was given as F/Windows/System32/jbhook.dll/[NSpack]/[ASpack]

Avast was unable to do anything with it (remove to chest, delete, rename) as it was reported that the trojan was in a folder that was being used.

However, when I ran the system scan the trojan was again identified - but this time I was allowed (via the menu listing) to remove the trojan to the ‘Chest’.

On starting up my system and logging on the internet this evening - the same virus alert appeared on my screen. Again - I was unable to do anything with the trojan.
When I went into the Alwil folder and checked the contents of the chest - the trojan was in there !!

I am using version 4.7

Can anyone help me out here?

Thanks in Anticipation.

Michael

Run a boot time scan with avast and have it deleted.

Just tried it Eddy - as before I deleted the virus from the boot time scan menu.
Immediately after windows XP came up I got a virus warning from Avast - identifying the very same trojan !
Why is it that Avast cannot delete this little pest ?

Michael

Hi Dicky Button,

Try a couple of rootkit scanners:

http://www.freewarefiles.com/downloads_counter.php?programid=22524

http://www.f-secure.com/blacklight/

If they come up with anything, Google the results just to check it’s something nasty and not a legitimate application, or post the results here for advice before deleting.

Then please download any of the following you don’t already have, install, update and run a scan:

AVG Anti-Spyware: (Requires Win2000/XP)

http://www.ewido.net/en/

Spybot Search & Destroy:

http://www.safer-networking.org/

a-Squared:

http://www.emsisoft.com/en/software/free/

Ad-Aware:

http://www.download.com/3000-2144-10045910.html

Please post a HijackThis! log if none of these works:

http://www.bleepingcomputer.com/tutorials/tutorial42.html

Good luck!

Frank

Ran AVG rootkit - nothing detected.
Ran Spybot search and destroy - 29 files detected - I removed all of them.
Ran Avast boot up search and the little f****r is still there. So I deleted it again.
I have looked at the properties of the file (in the Chest) and it seems each time I remove or delete - it moves to a new location !

BTW - what is a Hijack This log ?

Regards

Michael

The bleepingcomputer.com link explains with some screenshots to help you.

:) Hi Dicky:

IF a program is able to get rid of the "malware trojan", it would be best to use the AVG antispyware program recommended by Frank AND/OR the FREE version of "SUPERantispyware" from www.superantispyware.com .

A HijackThis program log is used by volunteer Experts, usually found on antiSPYWARE Support Forums, to help people get rid of malware that can NOT be "quarantined" by "normal" programs. For HijackThis log analysis, I recommend the EXPERIENCED volunteer Experts at www.landzdown.com .

Thanks guys - I have posted the Hijackthis log on the Bleeping Computer forums.
I have also run the Ad aware SE - and this has quarantined 29 files - but still not removed the trojan !
Here's hoping :)

Dicky

Seems you have a Trojan identified on 29 November by Sophos:

http://www.us.sophos.com/security/analyses/trojdloadraqp.html

You need to kill these processes. (Download Process Explorer if Task Manager is not working):

F:\WINDOWS\System32\SVCH0ST.EXE (Note the difference between 0 & O)

F:\WINDOWS\System32\systen32.exe

Then fix this entry with HijackThis!, reboot into safe mode and delete the file:

O4 - HKLM..\Run: [systen32.exe] F:\WINDOWS\System32\systen32.exe

You also need to pay a visit to MS Update when you have cleaned up this Trojan because your IE is not up to date.

Consider an alternative browser if you can’t update IE - you’ll be much more secure.
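
The reply above picks out two file names that imitate Windows names (`SVCH0ST.EXE` with a zero, and `systen32.exe`). As an added example that is not part of any post in this thread, the following sketch applies that same check to HijackThis O4 lines: it folds digit lookalikes and measures edit distance against a short reference list. The reference list, the function names and the second sample line are assumptions made for illustration.

```python
import ntpath
import re

# Assumed reference list (not from the thread): names malware commonly imitates.
KNOWN = {"svchost", "lsass", "csrss", "winlogon", "services",
         "explorer", "smss", "system32"}
FOLD = str.maketrans({"0": "o", "1": "l"})  # digit/letter lookalikes
O4 = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# First line is quoted from the thread; the second is constructed.
SAMPLE_LOG = [
    r"O4 - HKLM..\Run: [systen32.exe] F:\WINDOWS\System32\systen32.exe",
    r"O4 - HKCU..\Run: [ExampleApp] C:\Program Files\Example\example.exe",
]

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(path):
    """Return (imitated name, reason) if the file name mimics a known one, else None."""
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    if stem in KNOWN:
        return None  # exact name; its location still has to be checked separately
    folded = stem.translate(FOLD)
    for name in sorted(KNOWN):
        if folded == name.translate(FOLD):
            return (name, "homoglyph")
    for name in sorted(KNOWN):
        if edit_distance(folded, name.translate(FOLD)) == 1:
            return (name, "one edit")
    return None

def flag_autoruns(lines):
    """Return (value name, command, imitated name, reason) for suspicious O4 entries."""
    hits = []
    for line in lines:
        m = O4.match(line.strip())
        if m and (verdict := lookalike_of(m["cmd"])):
            hits.append((m["name"], m["cmd"], *verdict))
    return hits
```

A hit is a prompt to inspect the file, not a verdict: a legitimate program can sit one edit away from a name on the list, and an exact name match still says nothing about whether the file is in its expected directory.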

Just downloaded and ran Superantispyware.
56 tracker cookies detected (left these alone)
and two further files which were deleted.

Initiated avast whilst NOT connected to the internet - nothing reported.
Connected to the internet and initiated avast - Trojan detected !!!

Is this purely coincidence ?

Probably not. I notice you have SP1. Windows firewall is not turned on in SP1, which means you may well be open to attack from the internet.

I’d recommend you download a good third-party firewall like Zone Alarm and then disconnect from the internet and run all your scans again.

When you have finished, install the firewall and reconnect, being very careful about what you allow to connect to the internet.

Have a look at this guide first so you know how to set up the firewall:

http://www.zonelabs.com/store/content/support/zasc/gettingStarted.jsp?anchor=alerts&lid=zasupp_u

http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=GB&lang=en&lid=nav_za

Thanks for the excellent advice Frank.

I carried out your instructions and I’ve nailed the pest !
I now also have Zone Alarm firewall installed.

Best regards

Michael