Avast reports two trojan horses, small blf and helatin. I’ve moved to chest, scanned all local drives and rebooted, but the viruses are found again. I’ve made sure to close all apps and not to launch other apps while the scan is in progress. The scan finds the two bad files and they are moved to chest, but after reboot they are back. I’ve also tried running the scan in Safe Mode - it does not find any problem files, but when I reboot in normal mode, the system infected icon (red circle, white cross) shows in the system tray…
I am running Win 2000k Professional, Zonealarm firewall. My Avast stuff is all up to date.
I have new problems with IE 6 - don’t know if they are related. IE6 will not show images (Action cancelled message), will not load a page if I click on its link, and will not go into google.com or yahoo.com. Firefox works fine.
On booting up, when the Windows Logon prompt screen shows there is now a substantial delay before I can enter Password - this is new.
What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)? Check the avast! Log Viewer (right click the avast icon), Warning section; this contains information on all avast detections.
Were they recreated in the same location and with the same file name?
If so you may have other elements to this infection restoring the malware.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.
Besides using the programs recommended by David, I suggest:
Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again.
Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (repeatedly press F8 while booting).
Thanks for your help. I think I’ve got rid of the problem now. It may be helpful to others what succeeded. First the log showing the problem. I have deleted the times, but these were spread over two days between several reboots/bootscans.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\WINDOWS\system32\dlh9jkd1q1.exe” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\WINDOWS\system32\dlh9jkd1q5.exe” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\WINDOWS\system32\dlh9jkd1q1.exe” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\WINDOWS\system32\dlh9jkd1q5.exe” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\Documents and Settings\administrator\Local Settings\Temp\1.dllb” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\Documents and Settings\administrator\Local Settings\Temp\5.dllb” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\WINDOWS\system32\dlh9jkd1q1.exe” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\WINDOWS\system32\dlh9jkd1q5.exe” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\Documents and Settings\administrator\Local Settings\Temp\1.dllb” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\Documents and Settings\administrator\Local Settings\Temp\5.dllb” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\WINDOWS\system32\dlh9jkd1q1.exe” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\WINDOWS\system32\dlh9jkd1q5.exe” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\WINDOWS\system32\dlh9jkd1q1.exe” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\WINDOWS\system32\dlh9jkd1q5.exe” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\WINDOWS\system32\dlh9jkd1q5.exe” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\WINDOWS\system32\dlh9jkd1q1.exe” file.
Closed all apps and ran Ccleaner.exe
Ran Avast full scan
Downloaded and ran a-squared full scan
Downloaded and Reinstalled IE6
Downloaded and Reinstalled IE6 updates/patch
Scheduled Avast boot scan - this again found problem files - selected Move to Chest
Was surprised to find winsock32.dll and kernel.dll in chest.
Have now been running for hours without problem. Fingers crossed.
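The check asked for earlier in the thread (was the file recreated in the same location under the same name?), applied to the warning log in the post above. This is an added example, not part of the original thread: the function names are hypothetical, the sample is the first eight log lines from the post, and it assumes each detection was followed by Move to Chest, so a repeat hit on the same path means the file was recreated.

```python
import ntpath
import re
from collections import Counter

# First eight lines of the warning log quoted in the post above
# (the poster had already removed the timestamps).
SAMPLE_LOG = r"""
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\WINDOWS\system32\dlh9jkd1q1.exe” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\WINDOWS\system32\dlh9jkd1q5.exe” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\WINDOWS\system32\dlh9jkd1q1.exe” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\WINDOWS\system32\dlh9jkd1q5.exe” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\Documents and Settings\administrator\Local Settings\Temp\1.dllb” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\Documents and Settings\administrator\Local Settings\Temp\5.dllb” file.
Sign of “Win32:Small-BLF [Trj]” has been found in “C:\WINDOWS\system32\dlh9jkd1q1.exe” file.
Sign of “Win32:Zhelatin-ML [Wrm]” has been found in “C:\WINDOWS\system32\dlh9jkd1q5.exe” file.
"""

# Accept both typographic and straight quotes, since forum software rewrites them.
DETECTION = re.compile(
    r'Sign of [“"](?P<sig>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file'
)


def parse_detections(log_text):
    """Return (signature, normalised path) per detection line; other lines are skipped."""
    found = []
    for line in log_text.splitlines():
        m = DETECTION.search(line)
        if m:
            # Windows paths are case-insensitive, so compare them lower-cased.
            found.append((m["sig"], ntpath.normcase(m["path"])))
    return found


def redetected(log_text, min_hits=2):
    """Map path -> (signature, hits) for files flagged at least min_hits times."""
    hits = Counter(parse_detections(log_text))
    return {path: (sig, n) for (sig, path), n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for path, (sig, n) in sorted(redetected(SAMPLE_LOG).items()):
        print(f"{n}x {sig}  {path}")
```

On this sample the two system32 executables are each flagged three times, while the Temp files appear once each.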
Hi you are infected with malware that will keep returning till it is cleaned totally. I suggest you start a new thread in the Virus section referencing this thread
1. Save HJTsetup.exe to your desktop.
2. Doubleclick on the HJTsetup.exe icon on your desktop.
3. By default it will install to C:\Program Files\Hijack This.
4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
5. Put a check by Create a desktop icon then click Next again.
6. Continue to follow the rest of the prompts from there.
7. At the final dialogue box click Finish and it will launch Hijack This.
8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
9. Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
10. Come back here to this thread and Paste the log in your next reply.
11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Logfile of HijackThis v1.99.1
Scan saved at 23:41:48, on 20/04/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Gozilla is likely spyware and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of gozilla.exe may cause serious harm to your system and will likely cause a number of problems, such as slow performance, loss of data or leaking private information.
Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
Tells that Gozilla (C:\Program Files\Go!Zilla) should be removed.
I’ve deleted entries and files referenced above (regscan.exe and gozilla files were not on the system).
I’ve also installed and run AVG which picked up more problems.
The new log is
Logfile of HijackThis v1.99.1
Scan saved at 14:25:41, on 21/04/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
If these files are in the user files section of the chest, they belong there. Avast made a backup copy of these files and placed them there for safe keeping.
First of all I’d like to thank everybody who has replied to this post. I really appreciate all your input.
I’ve tried all the suggestions and it would appear now as if my system is clean (i.e. if I run Avast or AVG no problems are found). But… my computer is now running so slow it’s unbelievable … what have I introduced to cause this? I now have two antivirus progs running (Avast and AVG) and also A-Squared and Zone Alarm as my firewall … what should I do?
But.... my computer is now running so slow it’s unbelievable ... what have I introduced to cause this.
Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
This could cause conflict as they both fight for control over what AV locks a file prior to scanning it, this could cause the slowing you mention.
Unless you are talking about AVG Anti-Spyware, which isn’t an anti-virus but an anti-spyware program. avast should have detected AVG and may disable elements to try and avoid conflict.
What should you do? Uninstall the second AV, AVG anti-virus.
Just repartition/reformat dude. If you do this you will be 100% sure that no viruses are in your system. For example, if the trojan installed a rootkit, avast will tell you that you are clean, when in fact you are not clean.
Sorry, the nuclear option used for a limited war is an overkill scenario. Reinstalling Windows and all its security patches is no light matter, not to mention you could well be very vulnerable to exploits whilst on-line getting these security updates. Then there are all your programs and the settings you have tweaked to make it work how you want it: email account set-up, etc. Not a matter to be taken lightly.
If you were to continually reformat and install windows because your AV doesn’t detect anything you would have a lot of down-time. If you suspect a rootkit then you use rootkit tools, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm.
Before pressing the nuclear ‘final’ option you should try the tools which may do the job without the collateral damage.
AVG Anti-Spyware will revert to the free version with no resident protection after the 40 day trial. In the meantime you can disable the resident shield from the Status section of AVG Anti-Spyware.
(Of course if you decide to purchase either product, having an anti-Spyware program with resident protection running alongside your AV will be fine as long as your system does not take a performance hit- but as yours is an older OS, I’d suggest just keeping the free versions with on-demand scanning which won’t take up system resources.)
If your system is still slow, you could try swapping ZA for Kerio (now Sunbelt) firewall.