Hello friends.
We need little help.
Last night we formated our hdd, than we instaled mozzila firefox everything was fine. Until we spent 1hour on net and than we disconected. We still use dial up connection :(. Problem is, when we conect we dont open any site or we dont start any download, our connection than start to send/recive some files(two monitors who show connection status work non stop). But we cant see what our computer or connection try to send or what try to recive.
We instaled AVAST and he found next files:

2/14/2006 8:40:54 PM djordje 5504 Sign of “Win32:Trojano-2873 [Trj]” has been found in “C:\System Volume Information_restore{F381E0EA-33A5-4636-8D1B-99FCDFF45C26}\RP6\A0003509.exe” file.
2/14/2006 9:13:48 PM djordje 5504 Sign of “Win32:Istbar-AU [Trj]” has been found in “E:\System Volume Information_restore{F381E0EA-33A5-4636-8D1B-99FCDFF45C26}\RP6\A0003510.exe[UPX]” file.
2/14/2006 9:14:02 PM djordje 5504 Sign of “Win32:SpyBot-A3352 [Trj]” has been found in “E:\System Volume Information_restore{F381E0EA-33A5-4636-8D1B-99FCDFF45C26}\RP6\A0003511.exe” file.
2/14/2006 9:14:02 PM djordje 5504 Sign of “Win32:SpyBot-A3352 [Trj]” has been found in “E:\System Volume Information_restore{F381E0EA-33A5-4636-8D1B-99FCDFF45C26}\RP6\A0003512.exe” file.
2/15/2006 12:34:59 AM djordje 1356 Sign of “Win32:SdBot-gen18 [Trj]” has been found in “C:\rr.exe[MEW]” file.
2/15/2006 12:35:31 AM djordje 3800 Sign of “Win32:SdBot-gen18 [Trj]” has been found in “e:\windows\system32\ati2vxx.exe[MEW]” file.
2/15/2006 12:48:30 AM djordje 1128 Sign of “Win32:Trojano-2873 [Trj]” has been found in “E:\Documents and Settings\djordje\Local Settings\Temporary Internet Files\Content.IE5\8TAFOXMZ\MTE3NDI6ODoxNg[1].exe” file.
2/15/2006 12:48:46 AM djordje 1128 Sign of “Win32:Trojano-2873 [Trj]” has been found in “C:\MTE3NDI6ODoxNg.exe” file.
2/15/2006 12:56:01 AM djordje 1128 Sign of “Win32:Adware-gen. [Adw]” has been found in “E:\Documents and Settings\djordje\Local Settings\Temporary Internet Files\Content.IE5\TBWAQDJB\Installer[1].exe” file.
2/15/2006 12:56:06 AM djordje 1128 Sign of “Win32:Adware-gen. [Adw]” has been found in “C:\Installer.exe” file.

We of course deleted these files, but we still cant find “cure” , can you help us please?!?! Our connection still sending and reciving something.
Thx in advance!

PS> is there any solution beside format C: ?

Welcome Branko,

Download and install the free version of Ewido from

http://www.ewido.net/en/

Also download and install Spybot Search & Destroy from

http://www.safer-networking.org/

After the installs are finished turn off your system restore, delete temporary internet files, and reboot. Scan with Ewido and let it quarantine anything it finds. Then scan with Spybot S&D and let it quarantine what it finds. Post again with your results.

Also, if you don’t have a third part firewall this would be a good time to get one. Zone Alarm works well for me and is easily configured. Others recommend Kerio. In either event block unrecognized inbound and outbound connections.

The time for an unprotected system to infection is counted in minutes now not hours. So you need to ensure your system has a firewall as mentioned (not windows XP’s firewall, a poor excuse for a firewall), this will stop unauthorised internet access from malware on your system

Ensure that you OS is fully up to date XP SP2 with latest security updates, this will close a number of security vulnerabilities. It will also allow you to update IE6 to the latest IE6 SP2 version, further improving security.

The viruses found in "C:\System Volume Information_restore points can only be removed by disabling system restore and rebooting. This will clear ALL restore points, only enable system restore once your system is clean.

You don’t say what action you have taken after the viruses were detected. You can schedule a boot-time scan from within avast.

Clear your

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR - Post your hijackthis-Log here for a diagnosis: tomcoyote.org/hjt