Win32:Trojano-180 and others - HELP !

[riad]

Hi,

I am keeping having this virus, this started today morning, and I cannot get rid of it.
When I run avast (all latest updates), it finds some infected files, through scanner or resident detector, deletes them. But after some time, a get new files infected with this virus.

I also got plenty of Win32:Trojano-gen and Win32.Parite and Agobot and SdBot, all at the same time.

During 6 years my PC was connected full time, I was never infected with Win2000 basic (no SP). Once I moved to SP4, my problems started there.

Anyway, I do not seem to completly clean my machine, viruses keep coming back. What should I do ?

[riad]

By the way, does Trojano-180 have another name ?

[zehavi]

I have the same problem Avast keep notifying me of this virus while no other tool finds it. I beleive it exists because my PC is not behaving correctly.
However, Avast was not able to repair the files it keeps telling me "An erroc has occured while accessing file ...
Any help on how to repair the files?

[DavidR]

A good point to start would be General Advice&Tools for virus/trojan/malware removal

Then, please Help us to Help you - User's FAQ - we need more information to be able to help fully. A visit to the - thread will give you a lot of useful advice and an idea of the information needed to Help you fully.

HTH David

[Eddy]

I have noticed that Avast and some other anti-virus applications falsly detect viruses/trojans in the windows temp/restore folder. Since you didn't mentioned what files where detected and what their locations where, it is kinda hard to give specific help. But I think this may be the case here also. Disable system restore, reboot and see if it still happens. Perhaps you can gives us some more information. In the mean time you also may have a look at the following page:

http://members.home.nl/edeijl/acred/cleaning.htm

[riad]

I checked these links before by browsing the forum.
However, this does not solve the Trojano-180 problem.
May be NT2000 has a big security hole that is being exploited by this stuff from outside ? I applied all recommended MS security fixes though.

I backed up one of the trojano-180 files that avast could not clean because it was being used by something else.  In case you want it.

Anyway, I copy you here the list of viruses cleaned by avast (but trojano-gen and trojano-180 keep coming back:

23/06/2004 19:20:25   ZARKON\Administrator   1328   Sign of "Win32:Trojan-gen. {Other}" has been found in "c:\program files\submit\submithook.dll" file.  
23/06/2004 19:29:16   ZARKON\Administrator   1328   Sign of "Win32:Trojan-gen. {Other}" has been found in "c:\program files\submit\submithook.dll" file.  
23/06/2004 20:09:42   ZARKON\Administrator   2416   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\Submit\submithook.dll" file.  
23/06/2004 21:00:02   ZARKON\Administrator   2416   ASWSIMPLE Application error. Error details: 5 = Access is denied.  
23/06/2004 21:13:54   ZARKON\Administrator   2416   Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\Submit\submithook.dll" file.  
26/06/2004 00:07:09   NT AUTHORITY\SYSTEM   656   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\atljp32.exe" file.  
26/06/2004 00:09:10   NT AUTHORITY\SYSTEM   656   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\system32\nttq32.exe" file.  
26/06/2004 00:10:48   NT AUTHORITY\SYSTEM   656   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\system32\apitm32.exe" file.  
26/06/2004 00:11:29   ZARKON\Administrator   1556   Sign of "Win32:Trojan-gen. {Other}" has been found in "c:\program files\submit\submithook.dll" file.  
26/06/2004 00:12:35   NT AUTHORITY\SYSTEM   656   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\system32\crtj32.exe" file.  
26/06/2004 02:12:16   NT AUTHORITY\SYSTEM   688   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\winkd32.exe" file.  
26/06/2004 02:16:19   NT AUTHORITY\SYSTEM   688   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\atluw32.exe" file.  
26/06/2004 10:15:19   NT AUTHORITY\SYSTEM   688   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\system32\nttg.exe" file.  
26/06/2004 10:19:27   NT AUTHORITY\SYSTEM   688   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\nettk.exe" file.  
26/06/2004 11:09:54   ZARKON\Administrator   244   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\temp\windows\trz3.tmp" file.  
26/06/2004 11:10:11   ZARKON\Administrator   244   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\temp\windows\trz4.tmp" file.  
26/06/2004 11:10:17   ZARKON\Administrator   244   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\temp\windows\trz5.tmp" file.  
26/06/2004 11:20:38   ZARKON\Administrator   244   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\system32\atlpo32.exe" file.  
26/06/2004 11:25:35   ZARKON\Administrator   244   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\system32\mfcya.exe" file.  
26/06/2004 11:38:30   ZARKON\Administrator   244   Sign of "Win32:Trojan-gen. {Other}" has been found in "Z:\Program Files\Alwil Software\Avast4\DATA\moved\submithook.dll" file.  
26/06/2004 20:24:11   NT AUTHORITY\SYSTEM   700   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\atlkl32.exe" file.  
26/06/2004 20:28:37   NT AUTHORITY\SYSTEM   700   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\system32\apiax.exe" file.  
26/06/2004 20:38:55   NT AUTHORITY\SYSTEM   700   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\d3uv32.exe" file.  
26/06/2004 20:44:17   NT AUTHORITY\SYSTEM   700   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\system32\sdkbw.exe" file.  
26/06/2004 20:44:45   ZARKON\Administrator   1080   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\temp\windows\trz2.tmp" file.  
26/06/2004 20:47:58   ZARKON\Administrator   1080   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\d3uv32.exe" file.  
26/06/2004 20:56:14   ZARKON\Administrator   1080   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\system32\apiax.exe" file.  
26/06/2004 21:05:25   ZARKON\Administrator   1080   Sign of "Win32:Trojano-180 [Trj]" has been found in "D:\WIN2000\system32\sdkbw.exe" file.  

It seems as a real virus, torjan or whatever, because it changes names and makes the machine bahave strange.

Thanks
riad

[ran102]

Hello.  I also have the trojano-180.  Here is the thread that I started yesterday - http://forum.avast.com/index.php?board=2;action=display;threadid=5538;start=new.
I have had no luck at all getting rid of this.  thanks.