Trojan trouble
Alright, I figure I will ask here though I also plan to ask my computer college professor.
A person who I do regular maintance for on his computer brought it back again. He runs WinXP Home.
Last time it was infected with more viruses trojans then I could count. So I set him and his family up on a limited user account. For about a week or so it worked just fine. Then BAM, he calls up one night to tell me the limited user account can't log in anymore. That puzzeled me, so I told him to bring it up next time we see each other, and in the mean time they can use the admin account to do whatever needs done.
So I gave him the admin password(no big deal.. pretty wimpy password), and he runs a scan and comes up with a trojan that from his description is the same one I dealt with when he last brought it to me. I had thought a-squared had killed it(took it more then a week to resurface which made me think that they had done something to reinstate it). I had him run a-squared on it amoung many other scanners. None of them can catch this little bugger. A-squared doesn't even seem to nail it anymore. Which is odd since it killed(or at least sent it to hiding) the last time.
Anyways the closest thing to an identification that we go on it is AVG calls it Trojan AHD. I think the full name AVG identified was Trojan.Dropper.agent.AHD or some such. I will have to wait till I get access to his comp to check the exact name. I have searched AVG's virus database to no avail and have checked a few others for a virus that sounds like what this does.
AVG does detect it but it can not remove it due to it existing in files and folders that don't exist. Last time I looked and looked to see where its hiding hole was and couldn't find the little bugger. I can't recall all the 'fake' files that avg says is infected but I do recall(and he also said it is popping up this time) a file named "wtf.exe". When searching the file I don't get a whole lot of aid(though I also haven't run in this vain for very long). But I haven't found anything on a virus/trojan that has AVG detect non-existant folders and non-exsistant files and that apparently blocks limited user accounts. Though I did find some interesting tidbits that I may try on his computer just in case.
My plan so far is to try and go through DOS after it. Perhaps a DOS based scanner can nullify it. It is getting to him. Because as I said last time it looked like it was the same stuff(though it fried the whole comp last time, so far the computer still 'works'), and it sure didn't take long for it to go back after the computer.
And I can say that it is bugging me. I can't kill it if I can't find it and neither can the different virus scanners.
Reply With Quote
It might be a rootkit that's causing the files to be hidden (extremely bad, worse than trojans), or the viruses/trojans are using a feature called Alternate Data Streams (ADSs) on the NTFS partitions - most virus and spyware scanners cannot scan ADSs, and of thos that can, they cannot clean them. The version of AVG I currently use can scan but not clean ADSs, I don't know if that's been changed more recently 
AVG finding stuff inside an ADS might also be why you think it's a non-existant file - ADSs are invisible even to Explorer 
