Author Topic: HELP: win32:Trojano-1165 & popups  (Read 4347 times)


sxyangel7731

  • Guest
HELP: win32:Trojano-1165 & popups
« on: November 24, 2006, 04:31:43 PM »
I keep running avast, about 5 or 6 times a day, and at least one of those times I get the same virus, win32:Trojano-1165. I have also run Ad-aware and I still get pop-ups on every other screen. I just got one now from cheaptickes... Every time I get one I go to tools, internet options, click on security and mark the pop-up site as restricted. At least I'm not getting the same one over and over; however, the pop-ups are endless. I have a Dell Inspiron 2200 with Windows XP. Aahhh, just had another pop-up. Please help, I can't get any work done, major term paper due Monday!!!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89280
  • No support PMs thanks
Re: HELP: win32:Trojano-1165 & popups
« Reply #1 on: November 24, 2006, 04:59:44 PM »
Why do you keep running avast 5-6 times a day?

avast is a resident scanner, active at all times, so you shouldn't need to run on-demand scans with this frequency. I run one weekly, a standard scan without archives.

- What avast! version and VPS file (virus database) number, e.g. 0630-2 (see about avast!)?
- What is the infected file name and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
- What actions have you taken to try and resolve the problem?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

sxyangel7731

  • Guest
Re: HELP: win32:Trojano-1165 & popups
« Reply #2 on: November 24, 2006, 05:54:57 PM »
First, thank you for responding today (be it that it is a holiday)!!
Apparently I have version 4 home / resident and VPS 0639-1 (there was no about; I had to go into my comp... prog files..avast and managed to find a file that had the information).
I ran Ad-aware 5 minutes ago and I'm getting pop-ups like crazy, it's like someone has taken over.
Avast hasn't picked up on it today. All I know is the information that it has consistently given is: win32:Trojano-1165[Trj]. Another one it gave me several times a couple of days back, but that hasn't been found again, was Trojan SPM/LX.
My failed attempts at resolving it have been running avast and Ad-aware at least 2x a day.

Offline DavidR

Re: HELP: win32:Trojano-1165 & popups
« Reply #3 on: November 24, 2006, 06:07:35 PM »
Sorry but the infected file name and location are more help than just a virus name in isolation.

Are you running adaware when standard shield is also running?
This would slow the overall scan as avast would be scanning files that adaware tries to open to scan. It could also spring false detections if adaware signatures happen to get scanned. So I hope you can see why the file name and location are important (and pause standard shield when doing any other security based scan).

Check the avast Log Viewer (right click the avast icon), warning section and the full details of the detections are there.

When I asked what actions you took, I meant which of the various options avast gave (move/rename, repair (unlikely to be available for this), move to chest, delete) did you choose?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
1. Ewido, a.k.a. avg anti-spyware or a-Squared free.

sxyangel7731

  • Guest
Re: HELP: win32:Trojano-1165 & popups
« Reply #4 on: November 24, 2006, 06:22:48 PM »
It only said warning, virus detected, and the only option was OK, apparently only a notification. I don't know how to run in safe mode. I have turned off system restore, and no, I don't run programs at the same time. I had Norton and Ad-aware, which apparently were not compatible, so I always ran them separately.
Only avast is running (I had to stop it to get info) and the current version of the virus database is: 0650-2
The following is the information in the warning log:
11/24/2006 6:21:21 AM   Marlene Cruz   288   Sign of "Win32:Trojano-1165 [Trj]" has been found in "C:\DOCUME~1\MARLEN~1\LOCALS~1\Temp\gmsjlhbu.dll" file. 
11/23/2006 11:33:18 AM   SYSTEM   368   Sign of "Win32:Trojano-1165 [Trj]" has been found in "C:\DOCUME~1\MARLEN~1\LOCALS~1\Temp\gcxftbeq.dll" file. 
11/22/2006 11:31:26 AM   Marlene Cruz   320   Sign of "Win32:Trojano-1165 [Trj]" has been found in "C:\DOCUME~1\MARLEN~1\LOCALS~1\Temp\imnbmlyy.dll" file. 
11/20/2006 7:19:36 PM   SYSTEM   228   An error has occured while attempting to update. Please check the logs. 
11/20/2006 7:19:33 PM   SYSTEM   228   Function setifaceUpdatePackages() has failed. Return code is 0x20000004, dwRes is 20000004. 
11/20/2006 1:03:28 PM   Marlene Cruz   280   Sign of "Win32:Trojano-1165 [Trj]" has been found in "C:\DOCUME~1\MARLEN~1\LOCALS~1\Temp\hprprhxs.dll" file. 
11/19/2006 12:15:38 PM   Marlene Cruz   284   Sign of "Win32:Trojano-1165 [Trj]" has been found in "C:\DOCUME~1\MARLEN~1\LOCALS~1\Temp\ucfbagbf.dll" file. 
11/18/2006 12:14:35 PM   Marlene Cruz   284   Sign of "Win32:Trojano-1165 [Trj]" has been found in "C:\DOCUME~1\MARLEN~1\LOCALS~1\Temp\ufjxfufp.dll" file. 
11/17/2006 12:41:41 PM   Marlene Cruz   3576   Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7. 
11/16/2006 11:53:02 PM   SYSTEM   1344   Sign of "Win32:Trojano-1165 [Trj]" has been found in "C:\DOCUME~1\MARLEN~1\LOCALS~1\Temp\kobqrjgh.dll" file. 
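
Added example (not part of any post in this thread): a short Python script that pulls the infected file name and location out of warning-log lines like the ones posted above and groups them by signature and folder. The column layout is inferred from the posted lines, and the function names and the `min_files` threshold are assumptions made for this example.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime

# Five lines copied from the warning log in reply #4 (four detections, one update error).
SAMPLE_LOG = r'''
11/24/2006 6:21:21 AM   Marlene Cruz   288   Sign of "Win32:Trojano-1165 [Trj]" has been found in "C:\DOCUME~1\MARLEN~1\LOCALS~1\Temp\gmsjlhbu.dll" file.
11/23/2006 11:33:18 AM   SYSTEM   368   Sign of "Win32:Trojano-1165 [Trj]" has been found in "C:\DOCUME~1\MARLEN~1\LOCALS~1\Temp\gcxftbeq.dll" file.
11/22/2006 11:31:26 AM   Marlene Cruz   320   Sign of "Win32:Trojano-1165 [Trj]" has been found in "C:\DOCUME~1\MARLEN~1\LOCALS~1\Temp\imnbmlyy.dll" file.
11/20/2006 7:19:36 PM   SYSTEM   228   An error has occured while attempting to update. Please check the logs.
11/20/2006 1:03:28 PM   Marlene Cruz   280   Sign of "Win32:Trojano-1165 [Trj]" has been found in "C:\DOCUME~1\MARLEN~1\LOCALS~1\Temp\hprprhxs.dll" file.
'''

# Column layout inferred from the posted lines: timestamp, user, a number
# (its meaning is not stated in the thread), message.
DETECTION = re.compile(
    r'^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s{2,}'
    r'(?P<user>.+?)\s{2,}\d+\s{2,}'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.'
)

def parse_detections(text):
    """Return one dict per detection line; other log lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            d = m.groupdict()
            d["when"] = datetime.strptime(d["when"], "%m/%d/%Y %I:%M:%S %p")
            d["dir"], d["file"] = ntpath.split(d["path"])  # Windows path rules on any OS
            found.append(d)
    return found

def recurring_detections(detections, min_files=3):
    """Group by (signature, folder) and keep the groups where the same
    signature was found in min_files or more differently named files."""
    groups = defaultdict(lambda: {"files": set(), "days": set()})
    for d in detections:
        g = groups[(d["sig"], d["dir"])]
        g["files"].add(d["file"].lower())
        g["days"].add(d["when"].date())
    return {k: g for k, g in groups.items() if len(g["files"]) >= min_files}

if __name__ == "__main__":
    for (sig, folder), g in recurring_detections(parse_detections(SAMPLE_LOG)).items():
        print(f"{sig}: {len(g['files'])} different files on {len(g['days'])} days in {folder}")
```

On the posted lines this reports one group: the same signature on four differently named DLLs in the same Temp folder on four separate days, so each detection is a new file rather than one leftover file being found again.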

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: HELP: win32:Trojano-1165 & popups
« Reply #5 on: November 24, 2006, 06:37:39 PM »
Hi sxyangel7731,

From previous experience, I think you might find this page useful:

http://wiki.castlecops.com/Vundo_Rootkit_Detection_and_Removal_Procedure

If you don't find signs of a rootkit in steps 1 & 2, deploy the removal tool in step 8.

(Credit to Polonus who originally suggested Trojano-1165 was Vundo.)

http://forum.avast.com/index.php?topic=23390.0
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

sxyangel7731

  • Guest
Re: HELP: win32:Trojano-1165 & popups
« Reply #6 on: November 24, 2006, 06:51:18 PM »
Thanks to both of you... Hopefully I'll be back with good news

I'll post results
Again! Thank you so much!!

sxyangel7731

  • Guest
Re: HELP: win32:Trojano-1165 & popups
« Reply #7 on: November 24, 2006, 08:30:21 PM »
Well, it looks good so far... I did steps 1 & 2. I think I would recommend people skip to step 8, it seemed wasteful... However, that program VundoFix.exe deleted approx. 6 files and I have no pop-ups yet.
Thanks FreewheelinFrank!!!
DavidR thank you for your time and attentions as well, Happy Holidays!
angel ;)

Offline FreewheelinFrank

Re: HELP: win32:Trojano-1165 & popups
« Reply #8 on: November 24, 2006, 08:39:10 PM »
The removal tool has in fact been updated to remove the rootkit variant, making steps 1 & 2 redundant:

Quote
Note: - After these instructions were written, the VundoFix by Attribune was updated to remove the rootkit variant, so you need only complete Step 8 of these instructions for complete removal of Vundo and its rootkit.


Offline DavidR

Re: HELP: win32:Trojano-1165 & popups
« Reply #9 on: November 24, 2006, 10:56:51 PM »
Glad that the problem is sorted, welcome to the forums.

You might also consider proactive protection: in order to place files in the system folders and create registry entries, you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

