Author Topic: Trojan in temp  (Read 6115 times)


frj1001

  • Guest
Trojan in temp
« on: June 26, 2010, 03:18:51 PM »
Hi
I am using Avast ver 5.0 free antivirus. Recently I have been receiving win32:Trojan-Gen virus threat pop-ups from Avast every time I log in, shut down my computer, or do almost any activity, like opening programs, browsers etc. This is the infected file:
C:\Documents and Settings\Administrator\Local Settings\temp\ssm.dat
I have already deleted all the files in the temp folder and turned System Restore off, but this ssm.dat file keeps coming back. I have also deleted it after the Avast scan through Avast and also tried to repair it, but to no avail. Please, can someone help me get rid of this virus for good?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89012
  • No support PMs thanks
Re: Trojan in temp
« Reply #1 on: June 26, 2010, 03:56:48 PM »
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. See http://en.wikipedia.org/wiki/HTTP_cookie.
A portable version of SAS is also available, http://www.superantispyware.com/portablescanner.html, no installation required.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

frj1001

  • Guest
Re: Trojan in temp
« Reply #2 on: June 27, 2010, 09:32:08 AM »
Hi
I have tried both Malwarebytes and SAS but neither has detected the threat. What should I do now?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37526
  • Not a avast user
Re: Trojan in temp
« Reply #3 on: June 27, 2010, 10:30:15 AM »
Try this

Dr.Web CureIt http://www.freedrweb.com/cureit/?lng=en
How Do I Use Dr.Web CureIt!? http://www.freedrweb.com/cureit/how_it_works/
Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en

No install, just save to desktop and run from there.
When they have done the work you can just drag and drop them into the recycle bin.

If this does not work, then Essexboy is next.....

frj1001

  • Guest
Re: Trojan in temp
« Reply #4 on: June 29, 2010, 08:20:38 AM »
No luck again. The malware software deletes the file temporarily, but the trojan keeps coming back. I think the registry is infected. Can someone help me with this?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37526
  • Not a avast user
Re: Trojan in temp
« Reply #5 on: June 29, 2010, 09:00:34 AM »
Follow this guide from Essexboy and post the logs in your next reply here as attachments:
http://forum.avast.com/index.php?topic=53253.0

Lower left corner > Additional Options > Attach (OTL.Txt / Extras.Txt / MBAM log)

frj1001

  • Guest
Re: Trojan in temp
« Reply #6 on: June 30, 2010, 09:00:28 AM »
MBAM doesn't detect any infection. Here are the log files.

frj1001

  • Guest
Re: Trojan in temp
« Reply #7 on: June 30, 2010, 09:08:53 AM »
I'm not able to upload the log files.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89012
  • No support PMs thanks
Re: Trojan in temp
« Reply #8 on: June 30, 2010, 03:53:33 PM »
What files and why, e.g. what errors are you getting?

frj1001

  • Guest
Re: Trojan in temp
« Reply #9 on: June 30, 2010, 07:07:32 PM »
Guys, I think I did it, but I need your help on this one. I've deleted the temp folder that contained the infected file through the command prompt, and the pop-ups are not appearing anymore. I've scanned the folder and it doesn't show any infection now. Has the trojan really gone, or is there still a threat? Is it okay to delete the files from the Avast chest now?

CharleyO

  • Guest
Re: Trojan in temp
« Reply #10 on: June 30, 2010, 07:20:44 PM »
***

Where was this temp folder located?


***

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89012
  • No support PMs thanks
Re: Trojan in temp
« Reply #11 on: June 30, 2010, 08:09:53 PM »
You need help but we need answers to the questions we ask so that we can offer better advice.

frj1001

  • Guest
Re: Trojan in temp
« Reply #12 on: July 01, 2010, 04:38:20 PM »
This is the location of temp:
C:\Documents and Settings\Administrator\Local Settings\temp

frj1001

  • Guest
Re: Trojan in temp
« Reply #13 on: July 01, 2010, 04:42:27 PM »
Here are the log files again. Earlier I was having some connection issues.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Trojan in temp
« Reply #14 on: July 01, 2010, 08:51:52 PM »
It looks like you have an infected USB drive.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code:
:OTL
O33 - MountPoints2\{ed0f3480-7f52-11df-9f41-080046c09b71}\Shell\Autoplay\COmmanD - "" = vkoesa.cmd
O33 - MountPoints2\{ed0f3480-7f52-11df-9f41-080046c09b71}\Shell\AutoRun\command - "" = vkoesa.cmd
O33 - MountPoints2\{ed0f3480-7f52-11df-9f41-080046c09b71}\Shell\ExPlOre\CoMManD - "" = vkoesa.cmd
O33 - MountPoints2\{ed0f3480-7f52-11df-9f41-080046c09b71}\Shell\OPen\COMmand - "" = vkoesa.cmd

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
1 - Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.
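
A triage sketch for the O33 entries in the fix above, added here as an example (it is not part of essexboy's post and not OTL's own code): it parses OTL `O33 - MountPoints2` log lines and reports, per volume, why the shell verbs look hijacked. The two heuristics (irregular key casing, a handler bound to the open/explore verbs), the function names and the last sample line are assumptions of this example.

```python
import re
from collections import defaultdict

# The four O33 lines quoted in the fix above, plus one constructed benign entry.
SAMPLE_LOG = r'''
O33 - MountPoints2\{ed0f3480-7f52-11df-9f41-080046c09b71}\Shell\Autoplay\COmmanD - "" = vkoesa.cmd
O33 - MountPoints2\{ed0f3480-7f52-11df-9f41-080046c09b71}\Shell\AutoRun\command - "" = vkoesa.cmd
O33 - MountPoints2\{ed0f3480-7f52-11df-9f41-080046c09b71}\Shell\ExPlOre\CoMManD - "" = vkoesa.cmd
O33 - MountPoints2\{ed0f3480-7f52-11df-9f41-080046c09b71}\Shell\OPen\COMmand - "" = vkoesa.cmd
O33 - MountPoints2\{00000000-0000-0000-0000-000000000001}\Shell\AutoRun\command - "" = D:\setup.exe
'''

# Registry key names are case-insensitive, so the match must be too.
O33 = re.compile(
    r'^O33 - MountPoints2\\(?P<mount>[^\\]+)\\Shell\\(?P<verb>[^\\]+)'
    r'\\(?P<leaf>command) - "[^"]*" = (?P<handler>.+)$',
    re.IGNORECASE,
)

def regular_case(name):
    """lower, UPPER, Capitalised and the usual CamelCase verbs count as normal."""
    return name in (name.lower(), name.upper(), name.capitalize()) \
        or name in ("AutoRun", "AutoPlay")

def analyze(log_text):
    """Return {mount point: [reasons]}; an empty list means nothing was flagged."""
    entries = defaultdict(list)
    for line in log_text.splitlines():
        m = O33.match(line.strip())
        if m:
            entries[m["mount"].lower()].append(m)
    report = {}
    for mount, hits in entries.items():
        reasons = []
        odd = sorted({part for m in hits for part in (m["verb"], m["leaf"])
                      if not regular_case(part)})
        if odd:  # heuristic: scrambled casing suggests evasion of string matching
            reasons.append("irregular key casing: " + ", ".join(odd))
        verbs_by_handler = defaultdict(set)
        for m in hits:
            verbs_by_handler[m["handler"].strip().lower()].add(m["verb"].lower())
        for handler, verbs in verbs_by_handler.items():
            if verbs & {"open", "explore"}:  # verbs used when the drive is opened
                reasons.append(f"{handler} runs when the drive is opened "
                               f"({', '.join(sorted(verbs))})")
        report[mount] = reasons
    return report

if __name__ == "__main__":
    for mount, reasons in analyze(SAMPLE_LOG).items():
        print(mount, "->", reasons or "nothing flagged")
```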