Hello everyone!
I have Windows XP on my laptop... last night I got a note from my avast (4.7.1096 home edition) On-Access scanner, a warning that I have a trojan virus in my system32. I tried to delete it via my avast antivirus program.
(I had that problem (trojan) before, a year and a half ago, when I used the Kaspersky antivirus program. Then somehow I couldn't open any of my files and programs on my laptop, because it said that an .exe file was missing from my laptop. I asked for my friend's help to repair that mess: I deleted Kaspersky antivirus, restored my Windows and I could say that everything went well, except 2 things: 1. since then, every time I turn on my laptop, before starting up, I get a note from system32 and some Japanese letters are written... after clicking OK, everything works fine except the 2nd thing: every time I turn on the laptop I have to go to Control Panel to place the volume icon on the taskbar, although every time I check it and apply it.)???
Now I'm returning to last night's problem no. 2...
2 hours (or so) after receiving a note that the laptop was infected with a Trojan, I got the same note for Win32:Zhelatin-ALB [Wrm], never heard of it before. I have Spybot Search&Destroy, so I used it 2 times, but I didn't restart the laptop in Safe Mode. And avast couldn't repair that worm.
What to do?
Please help me
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.
Deletion isn’t really a good first option (you have none left), ‘first do no harm’ don’t delete, send virus to the chest and investigate.
1. since then, every time I'm turning on my laptop, before starting up, I have a note from system32 and some Japanese letters are written... after clicking OK, everything's working fine
What is your language version ?
How do you know it is from system32 ?
Is there anyway you can translate the Japanese characters, using http://babelfish.altavista.com/ and paste the translation here ?
Clicking OK may have been what got you infected.
Hi Darlin :
Trojan(s)/Worm(s) are best dealt with by using anti-trojan/anti-spyware program(s), and since Spybot is no longer a top antispyware program, I recommend you use the FREE version of "SUPERAntiSpyware" from www.superantispyware.com .
Yes, you should still download SUPERAntiSpyware.
Download SUPERAntiSpyware
First update SAS. Then
Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.
Under Scanner Options make sure the following are checked
- CHECK ALL BOXES
Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.(and other fixed drives)
Under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan.
When the scan is done, quarantine everything found. Reboot if asked. You can post the log in your next reply if you wish.
Thank U spiritsong & oldman for a wise suggestion... I've downloaded that SUPERAntiSpyware (it's really good).
There were some cookies infected, but the main thing follows…
During the complete scanning process via SUPERAntiSpyware, I received the alarm notification from avast for a number of viruses, which I moved to the chest.
This is the result of it:
2.12.2007 21:03:14 SYSTEM 1456 Sign of "Win32:Zhelatin-ASX [Wrm]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP422\A0440351.EXE" file.
2.12.2007 21:09:02 SYSTEM 1456 Sign of "Win32:Zhelatin-ALB [Wrm]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP480\A0445627.EXE" file.
2.12.2007 21:19:32 SYSTEM 1456 Sign of "Win32:Zhelatin-ALB [Wrm]" has been found in "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\1NZE2XVE\SEV[1].EXE" file.
2.12.2007 21:19:40 SYSTEM 1456 Sign of "Win32:Tibs-BBG [trj]" has been found in "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\H82NZPKF\SEV[1].EXE" file.
2.12.2007 21:19:49 SYSTEM 1456 Sign of "Win32:Tibs-BBG [trj]" has been found in "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\H82NZPKF\SEV[2].EXE" file.
2.12.2007 21:19:52 SYSTEM 1456 Sign of "Win32:LdPinch-AAY [trj]" has been found in "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\ZU99EPGZ\PI[1].EXE" file.
2.12.2007 21:30:31 SYSTEM 1456 Sign of "Win32:Zhelatin-ASX [Wrm]" has been found in "C:\WINDOWS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\CTIBSDE7\GMC[1].EXE" file.
2.12.2007 21:30:42 SYSTEM 1456 Sign of "Win32:Zhelatin-ALB [Wrm]" has been found in "C:\WINDOWS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\SD2F0LA7\ALT[1].EXE" file.
So, as you can see there are lots of viruses found in it.
What happens now, should I do something with it?
I'm a beginner in these kinds of things (informatics).
DavidR, I hope that now You know what to do next.
Thank U all for your precious time
And this is the result after the scanning process on my external hard disc, also viruses found:
Trojan.AdobeR/RavAV
F:\SYSTEM VOLUME INFORMATION\_RESTORE{17A4E34B-B0F7-41F0-9E0F-14EE907186CC}\RP44\A0004114.EXE
F:\SYSTEM VOLUME INFORMATION\_RESTORE{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP480\A0445570.EXE
F:\SYSTEM VOLUME INFORMATION\_RESTORE{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP480\A0445594.EXE
After rebooting laptop, I still have problems with that start up window and placing manually volume control on taskbar.
I think it had some connection with that non-Unicode programs.
Now everything is in the chest & in quarantine.
What’s next?
I suggest:
- Disable System Restore and reenable it after step 3.
- Clean your temporary files.
- Schedule a boot time scanning with avast with archive scanning turned on.
- Use AVG Antispyware, SUPERAntiSpyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
- Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
- Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
- Immunize your system with SpywareBlaster or Windows Advanced Care.
- Check if you have insecure applications with Secunia Software Inspector.
You are so kind... thank U, but I'm a real beginner, so all of this that You've written is like the Chinese language to a non-Chinese speaker (to me)... so I have to download at least 5 new programs for what?
I know that my words seem to you like a child's, but I would be very grateful if you could 'say' it in a simple way (vocabulary)
so I have to download at least 5 new programs for what?
You will download them if necessary, after doing the first steps and being clean by avast.
As no program is perfect, something could be missed by avast and the others could catch (detect) it.
I’ll post the same with more info:
If a virus is replicating (coming back again and again), you could follow the general cleaning procedure:
- Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3.
- Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.
- Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).
- It will be good if you download, install, update and run AVG Antispyware. Some users recommend SUPERAntiSpyware, Spyware Terminator and/or a-squared (take care about false positives). If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
- If you're still detecting any strange behavior, or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster (for XP/Vista). For XP: Panda.
- Also, if you're still detecting strange behaviors or you want to be sure you're clean, maybe making a HijackThis log to post here and, especially, scanning and submitting the RunScanner log to on-line analysis would help to identify the problem and the solution.
- After you're clean, use the immunization of SpywareBlaster or, which is better, the Windows Advanced Care features of spyware/adware cleaning and removal.
- Finally, when you're clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.
What Tech was getting at was some of your detections were in your System Restore. Which is why he suggested that you turn it off and reboot. That will clear all restore points.
These are restore points:
F:\SYSTEM VOLUME INFORMATION\_RESTORE{17A4E34B-B0F7-41F0-9E0F-14EE907186CC}\RP44\A0004114.EXE
F:\SYSTEM VOLUME INFORMATION\_RESTORE{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP480\A0445570.EXE
F:\SYSTEM VOLUME INFORMATION\_RESTORE{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP480\A0445594.EXE
2.12.2007 21:03:14 SYSTEM 1456 Sign of "Win32:Zhelatin-ASX [Wrm]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP422\A0440351.EXE" file.
2.12.2007 21:09:02 SYSTEM 1456 Sign of "Win32:Zhelatin-ALB [Wrm]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP480\A0445627.EXE" file.
The other detections are in temporary files. So if you clean out all temp files, turn off your System Restore, then schedule a boot-time scan, you will be able to better determine if you have to do any further steps.
This program is very good for cleaning up things like temp files. The first time it’s run, it’s a demo mode to show what it is going to remove. When you restart it it will do the cleanup.
I suggest you download the above program, use it to clean up your computer then turn off system and reboot.
After you reboot, you should physically disconnect from the internet (unplug the modem), pause avast by right clicking the "a" icon and selecting pause provider, standard shield. Then rerun SAS with the same settings as before.
Then turn System Restore back on.
You may not need to do anything else. ;D
Steps to turn off System Restore
- Click Start, right-click My Computer, and then click Properties.
- In the System Properties dialog box, click the System Restore tab.
- Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
- Click OK.
- When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.
Steps to turn on System Restore
- Click Start, right-click My Computer, and then click Properties.
- In the System Properties dialog box, click the System Restore tab.
- Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
- Click OK.
After a few moments, the System Properties dialog box closes.
hopefully that is all you will have to do.
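The triage oldman does by eye above (restore-point hits are wiped by turning System Restore off, cache hits by cleaning temp files, anything else needs a closer look) can be automated over the avast Log Viewer lines. The script below is an added example and is not from the thread or from avast; it assumes the 4.x "Sign of ... has been found in ... file." warning format exactly as pasted in this thread, and the sample lines are copied from the posts above (with the backslash before _RESTORE that the forum software ate put back).

```python
import re
from collections import defaultdict

# Constructed sample input: the avast 4.x Log Viewer "Warning" lines from this thread.
SAMPLE_LOG = r'''
2.12.2007 21:03:14 SYSTEM 1456 Sign of "Win32:Zhelatin-ASX [Wrm]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP422\A0440351.EXE" file.
2.12.2007 21:09:02 SYSTEM 1456 Sign of "Win32:Zhelatin-ALB [Wrm]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{C49BD92C-9C3F-4BDD-866F-EAF535330B6C}\RP480\A0445627.EXE" file.
2.12.2007 21:19:32 SYSTEM 1456 Sign of "Win32:Zhelatin-ALB [Wrm]" has been found in "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\1NZE2XVE\SEV[1].EXE" file.
2.12.2007 21:19:40 SYSTEM 1456 Sign of "Win32:Tibs-BBG [trj]" has been found in "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\H82NZPKF\SEV[1].EXE" file.
2.12.2007 21:19:49 SYSTEM 1456 Sign of "Win32:Tibs-BBG [trj]" has been found in "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\H82NZPKF\SEV[2].EXE" file.
2.12.2007 21:19:52 SYSTEM 1456 Sign of "Win32:LdPinch-AAY [trj]" has been found in "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\ZU99EPGZ\PI[1].EXE" file.
2.12.2007 21:30:31 SYSTEM 1456 Sign of "Win32:Zhelatin-ASX [Wrm]" has been found in "C:\WINDOWS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\CTIBSDE7\GMC[1].EXE" file.
2.12.2007 21:30:42 SYSTEM 1456 Sign of "Win32:Zhelatin-ALB [Wrm]" has been found in "C:\WINDOWS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\SD2F0LA7\ALT[1].EXE" file.
'''

# One warning line: <d.m.yyyy> <hh:mm:ss> <account> <pid> Sign of "<sig>" has been found in "<path>" file.
# (format assumed from the lines pasted in the thread, not from avast documentation)
WARNING_RE = re.compile(
    r'^(?P<date>\d{1,2}\.\d{1,2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<account>\S+) (?P<pid>\d+) Sign of "(?P<sig>[^"]+)" '
    r'has been found in "(?P<path>[^"]+)" file\.$'
)

# XP restore point: \System Volume Information\_restore{GUID}\RPnnn\ (backslash before
# _restore optional, because forum pastes tend to lose it)
RESTORE_RE = re.compile(
    r'\\system volume information\\?_restore\{[0-9a-f-]+\}\\(rp\d+)\\', re.I
)

# What the thread recommends for each location
NEXT_STEP = {
    "restore-point": "cleared by turning System Restore off and rebooting (deletes all restore points)",
    "windows-temp": "removed by cleaning temporary files, then confirm with a boot-time scan",
    "ie-cache": "removed by cleaning temporary files, then confirm with a boot-time scan",
    "other": "possibly active: leave in the chest and investigate (boot-time scan, anti-spyware)",
}


def parse_warning(line):
    """Return the fields of one Log Viewer warning line, or None if it is not one."""
    m = WARNING_RE.match(line.strip())
    return m.groupdict() if m else None


def restore_point_id(path):
    """Return e.g. 'RP422' when the path lies inside a System Restore point, else None."""
    m = RESTORE_RE.search(path)
    return m.group(1).upper() if m else None


def classify(path):
    """Bucket a detected file by where it sits on disk (order matters: check the
    restore area first, then %windir%\\Temp, then any IE cache folder)."""
    p = path.lower()
    if RESTORE_RE.search(p):
        return "restore-point"
    if "\\windows\\temp\\" in p:
        return "windows-temp"
    if "\\content.ie5\\" in p:
        return "ie-cache"
    return "other"


def triage(log_text):
    """Group every parsable warning by location category; other lines are skipped."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_warning(line)
        if rec:
            groups[classify(rec["path"])].append(rec)
    return groups


def report(groups):
    """Plain-text summary: per category, the count, the recommended step and each hit."""
    out = []
    for cat in ("restore-point", "windows-temp", "ie-cache", "other"):
        recs = groups.get(cat, [])
        out.append(f"{cat}: {len(recs)} detection(s); {NEXT_STEP[cat]}")
        for r in recs:
            tag = restore_point_id(r["path"]) or "-"
            out.append(f"  {r['time']} {r['sig']:<26} {tag:<6} {r['path']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it on the eight lines above and every hit lands in the restore-point or temp buckets with nothing left in "other", which is exactly why the advice in the thread is "clean temp, drop restore points, boot-time scan" rather than a deeper hunt. A detection outside those folders (anywhere under system32 proper, Program Files, a user profile) would show up under "other" and is the case worth posting a log about.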
Thank U Tech for your time, I’m sure I’ll ask again for a help.
I don't know if You have read all my posts about this issue before, because I have problems with start up and volume control.
I have some questions:
- considering that I discovered these viruses a few hours ago, do I need to start cleaning them from my laptop today, or should I wait until (if) they start to appear again?
- Do you think that after removing those viruses (if I succeed), I won't have any problems with my start up problems (hieroglyphics) and putting volume control on the taskbar?
- Do you think this problem with starting up is related to non-Unicode programs, which is turned on in my Control Panel settings; should I uncheck it... and finally what is this non-Unicode programs function at all??
- considering that I discovered these viruses a few hours ago, do I need to start cleaning them from my laptop today, or should I wait until (if) they start to appear again?
If you have time. Start it as soon as you can.
- Do you think that after removing those viruses (if I succeed), I won't have any problems with my start up problems (hieroglyphics) and putting volume control on the taskbar?
I'm not sure. Let's see what you get and let us help you troubleshoot the other problems later.
- Do you think this problem with starting up is related to non-Unicode programs
I’m not an expert on this… which programs are you talking about?
What Tech was getting at was some of your detections were in your System Restore. Which is why he suggested that you turn it off and reboot. That will clear all restore points.
After a few moments, the System Properties dialog box closes.
hopefully that is all you will have to do.
Thank You Oldman, You’re very kind…I’ll try, but first I want to know what you people think about those questions I’ve asked for. 'cos having avast and having that SUPERAntiSpyware made me calm, I don’t have notifications about viruses anymore…but I still have those basic problems-volume control&sign up…
we’ll see :
I've tried to do what Oldman wrote to me... I've done everything except one thing I couldn't find in avast, and that's Schedule a boot-time scanning. I cannot find it in the way Tech wrote.
So do I have to do everything from the start (turn System Restore off before or after using CleanUp)??
I've also scanned via avast the whole F & C discs, and there was no infected file found.
I cannot find it in the way Tech wrote.
Click on the Menu button.
Choose Schedule Boot Time Scan.
Doing so displays a dialog allowing you to schedule virus scanning.
Check Archives, if you want to scan all the archives.
Specify whether all the disks or just a specific folder should be scanned.
Select Advanced options for scheduling details.
Select how to automatically process infected files.
Choose how to automatically process infected system files.
Click the Schedule button to confirm the settings.
So do I have to do everything from the start (turn System Restore off before or after using CleanUp)??
You can disable then enable System Restore. This will delete any infected restore points, if any exist.
If you have XP, Vista 32-bit or Win2k, you could enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...'
So, for now I haven't got any notifications about viruses in the system.
I've done almost everything except RunScanner & Windows Advanced Care.
Should I delete from my laptop the programs I have like Search & Destroy, TuneUp Utilities, Ad-Aware, now that I've downloaded SUPERAntiSpyware, CleanUp & Panda?
And should I wait for some time to delete infected files from the chest & quarantine (although I don't know how to do it)?
Spybot S&D and AdAware essentially do the same thing, but they are lightweight (IMHO) when compared to SAS so I would say you could get rid of one (adaware) or both.
Tune Up Utilities is a different functionality so I would say keep it.
Panda, I assume you are talking about the anti-rootkit, if so then the tool is constantly updated and before using it you really should download the latest version as the old version may not detect new rootkits. So I would suggest bookmarking the location to download the latest version.
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.