trojano-1175

[patach]

Hi,
I've on my computer a trojan. Avast detect it as "trojano-1175" or "trojano-1218", and when i planify a scan at boot, it detect all (?) files infected and erase them, but the trojan still remain on my computer and launch when i start explorer or iexplorer. I've tried others soft like anti-spyware from microsoft or
a-squared but the problem is the same.
After 2 days on trying cleaning up my computer, i don't know what to do. Can anyone help me ?


Thanks.

[DavidR]

In order to help fully we need more information....
- What OS are you using? is it up to date?
- What avast! version and VPS file (virus database) number, e.g. 0436-4 (see about avast!)
- What was the filename, where was it found
  example (C:\windows\system32\infected-filename.xxx)?

How did you discover it, e.g. whilst browsing the web, after a download, routine scan?

Have you cleared your temporary internet files/cache and temp files?

[patach]

ok, here are informations you resquested :
- i'm using windows 2000 pro up to date with the last critical patches.
  i've also a personnal firewall (kerio) and spybot (with teatimer actived) installed on my computer.

- the version of avast is 4.6 home edition (downloaded yesterday), the virus database number is 0519-1.
  at the time i write, a new version has been downloaded (0519-2) but no new scan has be made.

- many files were detected, mostly in c:\winnt\system32 with strange names (with .exe extension), and in
  the last scan it detected corrupted files with something like ":$data" at the end of file's name (i think
  it's ADS stream in file, but correct me if i'm wrong).

- i discovered it whilst browsing the web, because kerio and spybot launched together to warn me that suspects programs tried to execute themselves and/or change the default start page in internet explorer.

- by default, internet explorer is set to clean up temporary internet files when i close it, and there are only
  few files in temp folder that i can't erase.

- when i try to start explorer or iexplorer, the memory grow up fast and i've to kill process.
  (maybe because of kerio or spybot or ms anti-spyware, i don't know exactly)

If you want more informations, fell free to ask me.

Patrice.

[DavidR]

Ok with w2k you can use the, schedule boot-time scan in avast's menu (or try the 'Schedule Boot-Time Scan' using RejZoR's AEC avast! External Control Tool

I'm not sure if that may be an ADS stream issue, I haven't come across it as I still have my HDD formatted as fat32 not NTFS.

Hijackthis should be able to show you what is running on your system.

Download HijackThis.zip - HiJackThis Tutorial
For an on-line scan of your Hijackthis log file try here http://hijackthis.de/index.php
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.