Post by: patach on May 12, 2005, 02:42:23 PM
I have a trojan on my computer. Avast detects it as "trojano-1175" or "trojano-1218", and when I schedule a scan at boot, it detects all (?) infected files and erases them, but the trojan still remains on my computer and launches when I start explorer or iexplorer. I've tried other software like the anti-spyware from Microsoft or a-squared, but the problem is the same.
After 2 days of trying to clean up my computer, I don't know what to do. Can anyone help me?

Post by: DavidR on May 12, 2005, 02:50:36 PM
In order to help fully we need more information....
- What OS are you using? Is it up to date?
- What avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)?
- What was the filename, and where was it found,
  for example (C:\windows\system32\infected-filename.xxx)?

How did you discover it, e.g. whilst browsing the web, after a download, routine scan?

Have you cleared your temporary internet files/cache and temp files?

Post by: patach on May 12, 2005, 03:43:12 PM
OK, here is the information you requested:
- I'm using Windows 2000 Pro, up to date with the latest critical patches.
  I also have a personal firewall (Kerio) and Spybot (with TeaTimer activated) installed on my computer.

- The version of avast is 4.6 Home Edition (downloaded yesterday), and the virus database number is 0519-1.
  At the time of writing, a new version has been downloaded (0519-2) but no new scan has been made.

- Many files were detected, mostly in c:\winnt\system32 with strange names (with .exe extension), and in
  the last scan it detected corrupted files with something like ":$data" at the end of the file's name (I think
  it's an ADS stream in the file, but correct me if I'm wrong).

- I discovered it whilst browsing the web, because Kerio and Spybot launched together to warn me that suspect programs tried to execute themselves and/or change the default start page in Internet Explorer.

- By default, Internet Explorer is set to clean up temporary internet files when I close it, and there are only
  a few files in the temp folder that I can't erase.

- When I try to start explorer or iexplorer, the memory grows fast and I have to kill the process.
  (Maybe because of Kerio or Spybot or MS anti-spyware, I don't know exactly.)

If you want more information, feel free to ask me.

Post by: DavidR on May 12, 2005, 07:31:12 PM
OK, with W2K you can use the scheduled boot-time scan in avast's menu (or try the 'Schedule Boot-Time Scan' using RejZoR's AEC avast! External Control Tool (http://www.excessive-software.tk/)).

I'm not sure if that may be an ADS stream issue; I haven't come across it as I still have my HDD formatted as FAT32, not NTFS.

HijackThis should be able to show you what is running on your system.

Download HijackThis.zip (http://www.spywareinfo.com/~merijn/files/hijackthis.zip) - HijackThis Tutorial (http://www.tomcoyote.org/hjt/#introduction)
For an on-line scan of your HijackThis log file, try here: http://hijackthis.de/index.php
Ignore any 023 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast). If you need any help with any of the analysis, let us know.