Small trojan healed?

Discussion in 'Malware Help (A Specialist Will Reply)' started by BrankoZ, Jan 26, 2007.

  1. BrankoZ

    BrankoZ Private E-2

    My free version of AVG found a trojan called Trojan.Downloader.Small.57.V. It gave me the option to heal it, and gave me a dialog box that the trojan was healed, but I got it a few more times after that. I did a Google search for Trojan.57.V but there were no results, though I did find many other variations of the Small trojan. Each time, I was given the option to heal, and a box that said that it was healed.

    I followed all the instructions in the "Malicious Software Removal" thread, except that I did not download CounterSpy nor AVG Anti-Spyware; since everything else was negative, I preferred to save these time-sensitive trial versions in case I really need them.

    The newest version of BitDefender didn't have an option to “Click-on the Detected Problems tab, then select Click here to export the scan report” as directed in the thread, nor was there a “bdscan.txt” file on my computer. The closest match I found in the BitDefender folder was “vscan.log”, which I attached. I've also attached a screenprint showing that there were no infected files.

    Likewise, Panda did not have an option to “click on See Report, then click Save Report”, so I've attached a screenprint showing no errors.
     

    Attached Files:

  2. BrankoZ

    BrankoZ Private E-2

    Followup: Here are the "vscan.log" file as well as the jpg screenshots of the BitDefender and Panda online scans. Thanks in advance!
     

    Attached Files:

  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you attach the logs from the Panda and Bit Defender scans?
     
  4. BrankoZ

    BrankoZ Private E-2

    No, because as per my original post, which is still visible below, "...The newest version of BitDefender didn't have an option to “Click-on the Detected Problems tab, then select Click here to export the scan report” as directed in the thread, nor was there a “bdscan.txt” file on my computer... likewise, Panda did not have an option to “click on See Report, then click Save Report”, so I've attached a screenprint showing no errors".
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay, just attach a fresh HJT log and we will go from there.
     
  6. BrankoZ

    BrankoZ Private E-2

    Attached, thank you.
     

    Attached Files:

  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add/Remove Programs for the following and uninstall them if found:

    Screensavers.com

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O2 - BHO: IEByteRange - {1A7793DE-2598-4FA8-9EC5-9442CDE5E1CC} - C:\Program Files\Screensavers.com\SSSInst\bin\SSSInst.dll

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - E:\PartyCasino\RunCasino.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - E:\PartyCasino\RunCasino.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

    O23 - Service: Privacyware network service (PFNet) - Unknown owner - E:\pfsvc.exe (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    After you complete the above, REBOOT and proceed with the rest of this fix...

    Next Reset Web Settings & Default Security Settings

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    Note for IE 7 users:
    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

    Finally, I would like you to flush your System Restore points. Please follow the instructions below:

    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

    After you complete the above, reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
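The fix list above is a hand triage of a HijackThis log: a BHO living in the folder of a program that is being uninstalled, O9 buttons and an O23 service whose files are already gone, and an O6 entry showing an Internet Explorer policy restriction is in place. The following script is an added example, not something from the thread or from the HijackThis project: it parses those same entry lines and flags them with the reasons a helper would give. The four rules and the `uninstalled_dirs` parameter are this example's own assumptions; the two O4 startup items bjgarrick also listed are deliberately not caught by them, which shows that rule-based triage is a first pass and not a replacement for reading the log.

```python
import re

# HijackThis entries copied from the fix list in the thread above.
HJT_LINES = [
    r'O2 - BHO: IEByteRange - {1A7793DE-2598-4FA8-9EC5-9442CDE5E1CC} - C:\Program Files\Screensavers.com\SSSInst\bin\SSSInst.dll',
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present',
    r'O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - E:\PartyCasino\RunCasino.exe (file missing)',
    r"O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - E:\PartyCasino\RunCasino.exe (file missing)",
    r'O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)',
    r"O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)",
    r'O23 - Service: Privacyware network service (PFNet) - Unknown owner - E:\pfsvc.exe (file missing)',
]

# "O2 - <body>" : section code, then the rest of the entry.
ENTRY_RE = re.compile(r'^(O\d+) - (.*)$')
# A Windows path: drive letter or an %ENV% variable followed by a backslash.
PATH_RE = re.compile(r'^(?:[A-Za-z]:\\|%\w+%\\)')


def parse_entry(line):
    """Split one HJT line into (section, body); None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def extract_path(body):
    """Return the file path named by an entry body, or None if it names none."""
    quoted = re.search(r'"([^"]+)"', body)          # O4 entries quote the exe
    if quoted:
        return quoted.group(1)
    # Otherwise the path is the last " - " separated field, minus the HJT marker.
    last = body.rsplit(' - ', 1)[-1].replace('(file missing)', '').strip()
    return last if PATH_RE.match(last) else None


def triage(lines, uninstalled_dirs=()):
    """Return [(line, [reasons])] for entries a helper would look at first.

    uninstalled_dirs: folder names (assumed parameter) of programs that were, or
    are about to be, removed via Add/Remove Programs; anything still pointing
    into them is leftover.
    """
    flagged = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        path = extract_path(body)
        reasons = []
        if '(file missing)' in body:
            reasons.append('referenced file is missing: orphaned entry')
        if path and any(d.lower() in path.lower() for d in uninstalled_dirs):
            reasons.append('points into the folder of an uninstalled program')
        if section == 'O6':
            reasons.append('Internet Explorer policy restriction is present')
        if section == 'O23' and 'Unknown owner' in body:
            reasons.append('service with unknown owner')
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == '__main__':
    for line, reasons in triage(HJT_LINES, uninstalled_dirs=('Screensavers.com',)):
        print(line)
        for r in reasons:
            print('    ->', r)
```

Run as-is it prints seven of the nine entries with their reasons; the two O4 startup items pass every rule, exactly the kind of entry that still needs a human decision.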
  8. BrankoZ

    BrankoZ Private E-2

    Thanks for your help. I didn't have any problems that I know of following the instructions you provided, but some things weren't exactly what or where you described, so I'm going to list them just in case it makes a difference:

    1. The item in Add/Remove programs was ScreenSaver Installer, not screensavers.com;

    2. The BHO said "no file found" where you had "screensavers.com" etc. listed, presumably because I'd just removed it;

    3. There was no button anywhere in the Internet Options dialog box called "Reset Web Settings". I went to the Advanced tab, and there was a box to "Reset Internet Explorer Settings";

    4. After I changed the home page, I had to click a "Delete" button under Browsing History. There were buttons for Delete Files and Delete Cookies, but none for "Delete all Offline Content". There was a button to "Delete All", which I did;

    5. When I went to the Security tab, the "Default Level" button was greyed out (not available).

    Here is the HJT log.
     

    Attached Files:

  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Looks good, can you check in AVG about the detection you initially mentioned and give me the location of the infection?

    Also, how are things running?
     
  10. BrankoZ

    BrankoZ Private E-2

    I can't look in the vault, because I emptied it per the instructions in the Malware Removal thread. I seem to remember that it was in a Temporary Internet Subfolder, but I can't swear to it. Things seem to be running OK, but they seemed to be running OK after AVG healed the trojan too, before I started all this. Assuming everything is safe, am I OK to go back to using msconfig to block processes like messenger etc., and can I change my explorer settings back?
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert
