Win32:trojano-CL[trj]

I apologise if this has already been covered, but I did try a search first and nothing’s come up.

Over the last 48hrs I’ve been infected by the Trojan Horse Win32:trojano-CL[trj] and although avast! 4.7 Home Edition is picking it up, it doesn’t seem to be doing anything about getting rid of it.

Whenever it brings up the pop up on my screen I’m selecting either delete, or Move To Chest.

Neither is stopping it from happening again, and I’ve just managed to do a full thorough scan and it said there were no infected files, despite the pop-ups telling me there are.

I’ve scanned with Ad-aware and Spybot, both of which found and (I assume) removed suspicious files, but this Trojan Horse thing is still on my computer and driving me nuts.

Can someone advise me as to what to do, please?

Thanks for your help

Spike.

Hi Spike1972,

Have you tried a scan with an anti-Trojan program? Here are two good ones:

Ewido (XP/Win2000 only) http://www.ewido.net/en/

and/or a-Squared http://www.emsisoft.com/en/

Have you tried a scan with the F-Secure BlackLight rootkit detector? You may have some sort of hidden malware.

http://www.f-secure.com/blacklight/

Do you have any sort of pop-ups, notifications, desktop messages or browser redirects warning about spyware? If so, what is the wording?

Do you have a firewall running?

Please run the scans above (preferably in Safe Mode: tap F8 while rebooting) and if you are still experiencing problems, can you post a HijackThis! log, please?

http://www.bleepingcomputer.com/tutorials/tutorial42.html

Thanks for replying.

I’ve copied and pasted everything that I’ve done so far into a Word doc. Is it OK to attach that to a reply, or is it better to copy and paste it all into a reply?

Spike.

I think there’s a character limit on individual postings, but you can always split the posting, or link to a text file as you say.

Thank you.

OK, I was gonna attach it, but as it’s a .rtf file it wouldn’t allow it, so I’ll just copy and paste; it’s easier…

This is one of the pop-ups I get (and it gets my attention by a flashing yellow triangle in the bottom right of my screen - system tray? - which will NOT go away till I click it):
"
4 Errors Found:
-Your computer has slowed down
-Your Internet connection speed has decreased
-You get popups and annoying ads when you’re online or sometimes even offline
-Your default home page has been changed to the one you didn’t ask for
These are true signs that you may have spyware or other unwanted software installed on your computer.

Click “OK” to download spyware scan and protect your computer from spyware.

OK Cancel"

Selecting OK takes me to http://malwarewipe.com/?rid=248

I also get pop-ups for a casino (I think) and various adult dating places.

This is the homepage it’s kindly given me

http://www.securityuptodate.com/

Another pop-up I get is:

Search:
Security Help Center

• Anti-Spyware • Anti-Adware • Antivirus • Popup Blocker

• Privacy • Free PC Scan • Registry Clean Up • Antivirus Check

Tired of annoying toolbars in Internet Explorer? Click here to uninstall them.
See if your system is protected against unauthorized access - scan you PC for open ports online.
Getting lots of advertising popup windows? Block them with popup blocker software.
Infected with virus, trojan or internet worms? click here to check you PC for viruses online.
Receiving to much spam emails? Download last Anti Spam software to block all unwanted emails.

All Right Reserved 2004-2006 Security Help Center

The avast! pop-up I get is:

avast! Warning

A Trojan Horse Was Found!

File name C:\WINDOWS\system32\1024\ldE087.tmp[UPX]

Malware name Win32:Trojano-CL [Trj]

Malware type Trojan Horse

VPS Version 0619-0, 08/05/8006

Available actions
Move/Rename… Delete Move to chest

Processing
No action Note: if you press the “No action” button, the malware will NOT be activated.

Schedule boot-time scan…

http://www.avast.com Fill in our virus report to help us improve avast!..

I’ve done several Spybot and Ad-Aware scans. Spybot is finally coming back clean, but Ad-aware is still finding something. I’m scanning again now so I’ll try and record what it finds this time.

Also, I haven’t been rebooting after each scan. Is that a bad thing? Is that why it keeps finding something, and why Avast keeps giving me the same pop-up notice, but ignoring me when I ask it to delete the file or move it to chest?

ETA

This is what Ad-aware found

Value: HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\policies\explorer\run àkernell32.dll

And then in the next column it said:

Trace.RegistryZlob

Oopsy, I forgot to ask.

Do you want me to carry on with the suggestions you made in your original post, or would you rather I waited till you’ve read the stuff I just posted?
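The Ad-Aware hit above is an autostart entry under the Policies\Explorer\Run key, with a value name that starts with a non-ASCII character and mimics kernel32.dll, and the avast! alert names a dropped file under C:\WINDOWS\system32\1024. As an added example, not part of this thread and not an avast!, Ad-Aware or SmitFraudFix routine, the following PowerShell script lists the common Run and Policies\Explorer\Run autostart keys and flags the kinds of entries seen in this thread; the heuristics (non-ASCII value names, .tmp executables, the kernell32 look-alike spelling) and the hypothetical function name are my own choices. It only reads the registry and directory listing; it changes nothing.

```powershell
# Added example (not from the thread): report autostart registry entries and flag
# patterns matching the rogue antispyware infection discussed above.
function Get-SuspiciousAutoruns {
    # Autostart locations to inspect, including the policies\explorer\run key
    # that Ad-Aware flagged in the thread (both machine-wide and per-user hives).
    $autorunKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )

    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc.; those are not registry values.
            if ($p.Name -like 'PS*') { continue }
            $value = [string]$p.Value
            $flags = @()
            # Value names with characters outside printable ASCII (the "àkernell32.dll" entry).
            if ($p.Name -match '[^\x20-\x7E]') { $flags += 'non-ASCII value name' }
            # A command launching a .tmp file, as in the avast! alert's ldE087.tmp.
            if ($value -match '\.tmp(\s|"|$)') { $flags += 'runs a .tmp file' }
            # Misspelled look-alike of the legitimate kernel32.dll.
            if (($p.Name + $value) -match 'kernell32') { $flags += 'kernel32.dll look-alike' }
            [pscustomobject]@{
                Key   = $key
                Name  = $p.Name
                Value = $value
                Flags = ($flags -join ', ')
            }
        }
    }

    # The avast! alert named a file under %SystemRoot%\system32\1024; report whether
    # that folder still exists and list its contents without opening or running anything.
    $dropDir = Join-Path -Path $env:SystemRoot -ChildPath 'system32\1024'
    if (Test-Path -Path $dropDir) {
        Get-ChildItem -Path $dropDir -Force |
            Select-Object FullName, Length, LastWriteTime
    }
}

# Usage: run from an elevated prompt so HKLM keys are readable; pipe to Format-Table.
Get-SuspiciousAutoruns | Format-Table -AutoSize
```

Entries with a non-empty Flags column are the ones to compare against the Ad-Aware and avast! findings; the script deliberately reports rather than deletes, so that the cleanup itself is left to SmitFraudFix and the scanners the helpers in this thread recommend.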

Hi Spike1972,

I’m pretty sure you have a variant of SmitFraud. This tool has proved very effective recently. Please follow the instructions on the page.

http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

I would follow this with a scan with Ewido if it works on your OS, again in safe mode.

Edit: A check with BlackLight would be good, too.

Yep, looks like another Spy(fill in anything here) rogue antispy that does a drive-by download. These things are becoming a real pain.

Right, sorry guys, I’m a bit behind on replies, but I’ve downloaded Ewido anti-malware and done a scan.

It’s found 17 infected objects, and 16 Cleaned Infections.

There’s a pop-up now which I THINK is to do with Ewido, but I wanted to ask your advice either way.

“The file “C:\Program Files\RSSoft.zip\RSSoft\RSEDNClient.exe” cannot be removed because it is embedded in the archive “C:\Program Files\RSSoft.zip”. Dou you want to remove the whole archive?”

And the “Dou” is as it appears there.

Seems to be something called RedSwoosh:

http://www.auditmypc.com/process/rsednclient.asp

http://www.bleepingcomputer.com/startups/RSEDNClient.exe-4430.html

As opinions vary, you will have to read the information and decide if it’s something you want to keep.

Running SmitFraudFix should be your priority!

Ok, I can do the smitfraud when I’ve dealt with this ewido scan - unless you want me to cancel it and do it again later? - but what about this archive question please?

"Seems to be something called RedSwoosh:

http://www.auditmypc.com/process/rsednclient.asp

http://www.bleepingcomputer.com/startups/RSEDNClient.exe-4430.html

As opinions vary, you will have to read the information and decide if it’s something you want to keep.

Running SmitFraudFix should be your priority!"

From my reading of this, it would be advisable to delete it unless you really want your video downloads, going by the EULA.

Other notes of interest in their EULA state that the software can be automatically updated without your consent, the software may download other published content that it feels may interest you without your knowledge, and non-personally identifiable information may be shared with third parties.
Deleting the archive will delete the lot.

Sorry, I didn’t make the connection; you were referring to the archive question… sorry, bit stressed…

I’ll delete it, and see what else the ewido thing gives me.

Thanks for your time, everyone.

OK, we’re getting there.

Remember you have signs of a rogue anti-spyware infection and that you need to run SmitFraudFix as instructed in the link. After that, you should be feeling a lot less stressed.

OK guys, I think I’ve done it ;D

Getting into Safe Mode was a bit of a pain but I got there on the 3rd or 4th attempt I think.

I’d thankfully printed off the destructions for SmitFraudFix, so I was able to follow them easily enough (I’m not used to doing technical stuff at the best of times, let alone in Safe Mode :o )

I followed the destructions fine until it got to the third bit, where it says about wininet.dll - that option never came up, and neither did any other options to be honest, so I just hit Q, yes, for Quit and hoped for the best.

I’ve rebooted and everything seems to be ok again (at least so far I’ve got my own Homepage back and no more pop-ups), though things do seem a bit slow.

And when I try to start ewido to do a scan, it appears along the bottom of the screen - taskbar? - next to the rest of my windows, but it’s not actually popping up properly onto the screen ???

You could post a HijackThis! log for us to look at. (Link in previous post.)

With Ewido, you could try uninstalling then reinstalling.

A scan with the free trial of TuneUp Utilities registry cleaner might help:

http://www.tune-up.com/

With regard to hijackthis, how do I make sure I’ve got the most up-to-date version? I do have it installed but as I’ve not known anyone who has the ability to use it for some time, I’ve not used it in ages so suspect it’s an older version.

I just started it up, but there doesn’t seem to be any kind of update button, which seems a bit odd.

Yer tis http://www.tomcoyote.org/hjt/hjt199//HijackThis.exe

Thanks.

Apologies (again) for being dull, but should I un-install the previous version first?

"Yer tis http://www.tomcoyote.org/hjt/hjt199//HijackThis.exe "

Yep