View Full Version : How did AntiVir find this?
delerious
October 22nd, 2006, 04:32 AM
I did a scan with AntiVir on my laptop tonight, and it popped up an alert for C:\WINDOWS\system32:hvaa.dll. Before I told it to quarantine it, I did a search in C:\WINDOWS for hvaa.dll, and couldn't find anything. Another strange thing is the colon between "system32" and "hvaa.dll". Directory names and filenames in Windows cannot have colons in them, so I'm wondering what exactly did AntiVir find?
AntiVir also says that it is the Trojan horse TR/Dldr.Small.ats. I can't find any information on that... any idea on what it may have done to my system?
disinter1
October 22nd, 2006, 04:43 AM
It might be a false positive, but for now just quarantine it as you said already.
pilotart
October 22nd, 2006, 04:50 AM
You can quickly submit it to AVIRA from your Quarantine by highlighting and clicking the send icon,
next to the wastebasket icon (must have entered Email info on Configuration 'expert' page).
For a detailed response of findings, use:
http://www.avira.com/en/support/submit_suspicious_files.html
enter Email, comment and browse to file location.
FRug
October 22nd, 2006, 05:04 AM
The : indicates an NTFS stream, IMHO this is even more a hint at a real infection, not a false positive. Normally there shouldn't be any DLLs in those streams, especially not associated with the system32 directory.
http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams
trjam
October 22nd, 2006, 07:17 AM
"How did AntiVir find this?"
'Cause it's the best. ::)
Stefan Kurtzhals
October 22nd, 2006, 08:49 AM
Every serious antivirus program scans ADS (NTFS data streams) these days, it's getting quite common that malware hides in there. As demonstrated here, the normal user cannot easily find these files.
That said, this is most likely not a false positive: a DLL attached to the SYSTEM32 directory... Very suspicious!
I usually use FAR or 4NT to play around with NTFS streams.
DaveD
October 22nd, 2006, 11:12 AM
Not much info on "hvaa.dll" in Google. But searching Google for "fvaa.dll" brings up a similar Trojan Downloader. This must be quite new.
delerious
October 22nd, 2006, 03:00 PM
Wow, I'm glad I started this thread. I had never heard of "alternate data streams" before.
TopperID
October 22nd, 2006, 03:07 PM
There is a tool available to download here called ADS Spy:-
http://www.spywareinfoforum.com/~merijn/programs.php
Run it to find and delete unwanted ADSs.
ellison64
October 22nd, 2006, 03:10 PM
I don't want to hijack your thread, delerious, but can someone explain whether the NTFS data stream scanning is relevant on 98 machines? I'm thinking of the FAT32 file system on my 98 and NTFS on XP. Is this the same NTFS that we are talking about or something completely different?
TIA
ellison
delerious
October 22nd, 2006, 03:17 PM
ellison64: Win98 does not support NTFS, so it does not have the Alternate Data Stream problem.
ellison64
October 22nd, 2006, 03:21 PM
Thanks... I wasn't sure whether it was the same thing.
ellison
aigle
October 22nd, 2006, 04:14 PM
-{ Quote: "I did a scan with AntiVir on my laptop tonight, and it popped up an alert for C:\WINDOWS\system32:hvaa.dll. Before I told it to quarantine it, I did a search in C:\WINDOWS for hvaa.dll, and couldn't find anything. Another strange thing is the colon between "system32" and "hvaa.dll". Directory names and filenames in Windows cannot have colons in them, so I'm wondering what exactly did AntiVir find?
AntiVir also says that it is the Trojan horse TR/Dldr.Small.ats. I can't find any information on that... any idea on what it may have done to my system?" }-
Why don't you upload the file to VirusTotal / Jotti and post the results here?
It will be interesting to see.
delerious
October 23rd, 2006, 12:46 AM
A couple questions about these NTFS streams:
- if I download a file, can it have streams attached to it?
- if I unzip a file from an archive, can it have streams attached to it?
Stefan Kurtzhals
October 23rd, 2006, 02:10 AM
Downloads cannot contain NTFS streams (it is specific to the NTFS file system); archives can contain streams (at least RAR supports them).
TopperID
October 23rd, 2006, 12:11 PM
All files downloaded from the internet will have a 'Zone Identifier' ADS tagged on, because the system puts them there; but the ADS is added upon download.
The old versions of ADS Spy used to find these Zone Identifiers, but the recent version seems to be configured to ignore them.
It is the ZI ADSs that cause Windows to pop up a warning box when you attempt to open such a file for the first time.
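The two points made in this thread, that a stream can hang off a directory entry such as system32 (which is why a file search for hvaa.dll finds nothing) and that every download carries a benign Zone.Identifier stream, can be checked with a small script. The following is an added example written for this page; it is not code from the forum, from Avira, or from ADS Spy. It assumes the Win32 FindFirstStreamW API, which exists from Vista onward (the XP-era machines in the thread would need FAR, 4NT or ADS Spy as mentioned above), and the list of "suspicious" stream-name suffixes is an analyst's heuristic, not an Avira detection rule. The stream enumerator and tree walk only work on Windows/NTFS; the path and Zone.Identifier parsers are plain Python.

```python
"""Find NTFS alternate data streams (ADS) such as the 'system32:hvaa.dll'
AntiVir reported.  Added example for this thread; not code from the forum,
from Avira, or from ADS Spy.  Stream enumeration uses the Win32
FindFirstStreamW API (Vista and later) and so only runs on Windows; the
path and Zone.Identifier parsers are plain Python and run anywhere."""
import ctypes
import os
import sys

# Assumption: an analyst's heuristic for stream names worth a second look,
# not an Avira detection rule.
SUSPICIOUS_SUFFIXES = (".dll", ".exe", ".scr", ".sys", ".com")
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def split_ads_path(path):
    r"""'C:\WINDOWS\system32:hvaa.dll' -> ('C:\WINDOWS\system32', 'hvaa.dll', '$DATA').

    The host may be a directory: the stream hangs off the directory entry
    itself, which is why searching for a *file* called hvaa.dll finds nothing.
    """
    drive, rest = "", path
    if len(path) >= 2 and path[1] == ":" and path[0].isalpha():
        drive, rest = path[:2], path[2:]      # the drive colon is not a stream separator
    host, _, tail = rest.partition(":")
    stream, _, stype = tail.partition(":")
    return drive + host, stream, stype or "$DATA"


def parse_zone_identifier(text):
    """Decode the INI-style content of a downloaded file's Zone.Identifier stream."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.startswith("["):
            fields[key.strip()] = value.strip()
    zone_id = int(fields["ZoneId"]) if fields.get("ZoneId", "").isdigit() else None
    return {"zone_id": zone_id, "zone": ZONE_NAMES.get(zone_id, "unknown"), "fields": fields}


def classify_streams(stream_names):
    """Sort FindFirstStreamW names (':name:$DATA') into (benign, suspicious).

    '::$DATA' is the ordinary file content and is skipped; Zone.Identifier is
    the mark Windows itself adds; executable-looking names are flagged.
    """
    benign, suspicious = [], []
    for name in stream_names:
        parts = name.split(":")
        short = parts[1] if len(parts) > 1 else name
        if not short:
            continue
        if short.lower() != "zone.identifier" and short.lower().endswith(SUSPICIOUS_SUFFIXES):
            suspicious.append(short)
        else:
            benign.append(short)
    return benign, suspicious


def list_streams(path):
    """Return the stream names of a file or directory (Windows only).

    For a directory only *named* streams come back, so an empty list means
    nothing is attached to it.
    """
    if sys.platform != "win32":
        raise OSError("FindFirstStreamW is a Win32 API; run this on Windows/NTFS")

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]   # MAX_PATH + 36

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]
    INVALID_HANDLE_VALUE, ERROR_HANDLE_EOF = ctypes.c_void_p(-1).value, 38

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)   # 0 = FindStreamInfoStandard
    if handle == INVALID_HANDLE_VALUE:
        if ctypes.get_last_error() == ERROR_HANDLE_EOF:
            return []                                  # directory with no named streams
        raise ctypes.WinError(ctypes.get_last_error())
    names = []
    try:
        while True:
            names.append(data.cStreamName)
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                if ctypes.get_last_error() != ERROR_HANDLE_EOF:
                    raise ctypes.WinError(ctypes.get_last_error())
                break
    finally:
        k32.FindClose(handle)
    return names


def scan_tree(root):
    """Walk a tree and report every suspicious ADS on files *and* directories."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                _, bad = classify_streams(list_streams(entry))
            except OSError:
                continue                              # access denied, non-NTFS, etc.
            findings.extend(entry + ":" + s for s in bad)
    return findings


if __name__ == "__main__":
    print(split_ads_path(r"C:\WINDOWS\system32:hvaa.dll"))
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\system32"):
        print("suspicious ADS:", hit)
```

Run it as `python ads_scan.py C:\WINDOWS` on a Windows box; a hit of the form `C:\WINDOWS\system32:hvaa.dll` is the same object AntiVir named. On later Windows versions the built-in `dir /R` (cmd, Vista+) and PowerShell's `Get-Item -Path <path> -Stream *` (3.0+) show the same named streams; a stream can be read like a file by opening `<host>:<stream>`, which is how one would check whether it starts with an `MZ` header before submitting it to Avira.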
Copyright ©2002 - 2012, Wilders Security Forums