Avast WEBforum
Other => Viruses and worms => Topic started by: Chiprocks1 on August 13, 2009, 05:53:34 AM
-
My pc is infected with this Trojan Horse.
Literally the entire day, I have been trying to get rid of it. When the avast warning box pops up, its recommended action is to move to chest, which I do, but then I get another pop up box saying that I can't move it because it's being used by another program.
I've also run Malwarebytes to detect and delete the infected files. Upon completion it says I need to reboot the computer to finish the deleting process, which I do.
And then as soon as I'm back to the desktop from the reboot, the same problem starts all over again.
Need help please. At wits end here.
-
Hi Chiprocks1,
What was the file in which the infection was found? Can you upload that to virustotal.com, because this has also been found to be a so-called false positive.
polonus
-
Thanks for the reply.
This is my first time coming here to post anything about viruses. So there's a lot I don't know about posting stuff and whatnot. You may have to walk me through this so I don't leave any info out.
As for the infected file, if I remember correctly, it was popping up from the Temporary Internet Files.
-
I also forgot to mention, every few times, I get a popup box telling me I have to enter my OS disc to get back lost files, but the first time I did this, I got a message saying that the operating system currently running is newer than the one on the disc (duh).
Not sure what to do with this.
-
Can you post (copy/paste) your last MBAM log?
-
http://i74.photobucket.com/albums/i266/Chiprocks1/Misc/MalwareWarning001.jpg
http://i74.photobucket.com/albums/i266/Chiprocks1/Misc/SuspiciousFilesFound001.jpg
http://i74.photobucket.com/albums/i266/Chiprocks1/Misc/WindowsFileProtection001.jpg
This is what came up after latest Reboot.
And where do I get MBAM log from? What is MBAM?
Thanks
-
MBAM is Malwarebytes. Open the program, click on Logs, double click on the log that found the infection. This will open in txt; copy/paste that txt log.
-
Malwarebytes' Anti-Malware 1.40
Database version: 2615
Windows 5.1.2600 Service Pack 3
8/13/2009 8:16:51 AM
mbam-log-2009-08-13 (08-16-51).txt
Scan type: Quick Scan
Objects scanned: 152651
Time elapsed: 1 hour(s), 45 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\user\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\figaro.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv391250047226.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\wpv481250008288.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv931248190332.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
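Added here as an example, not something posted in this thread: a small Python parser for the MBAM log format shown above. It pulls the scan header, the summary counts and each detection line (path, detection name, action) out of the text, then answers the two questions a helper usually asks when an infection keeps coming back after a reboot: which items were left as "Delete on reboot" (removal was never completed while the program was running) and which registry entries sit under an autostart Run key (the usual relaunch point). The embedded log is constructed from the lines in the post above; the function names and the mismatch check (summary count versus items actually listed) are my own additions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the MBAM log from the post above, abridged to the
# header lines and the sections that carry detections.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2615
Windows 5.1.2600 Service Pack 3
8/13/2009 8:16:51 AM
mbam-log-2009-08-13 (08-16-51).txt

Scan type: Quick Scan
Objects scanned: 152651

Registry Values Infected: 1
Folders Infected: 0
Files Infected: 8

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\user\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\figaro.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv391250047226.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\wpv481250008288.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv931248190332.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
"""

# "Files Infected: 8"  -> summary count for a section
COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Files Infected:"    -> start of the detail listing for that section
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<path> (<detection name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass(frozen=True)
class Detection:
    section: str  # e.g. "Files Infected"
    path: str     # file path or registry path as printed by MBAM
    name: str     # MBAM detection name, e.g. "Trojan.Agent"
    action: str   # what MBAM did, e.g. "Delete on reboot"


@dataclass
class MbamReport:
    header: Dict[str, str]   # "Database version" -> "2615", ...
    counts: Dict[str, int]   # section -> summary count
    items: List[Detection]


def parse_mbam_log(text: str) -> MbamReport:
    header: Dict[str, str] = {}
    counts: Dict[str, int] = {}
    items: List[Detection] = []
    section = None  # current detail section, None while still in the header
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append(Detection(section, m.group("path"), m.group("name"), m.group("action")))
            continue
        if section is None and ": " in line:  # "Key: value" header lines
            key, _, value = line.partition(": ")
            header[key] = value
    return MbamReport(header, counts, items)


def pending_reboot(report: MbamReport) -> List[Detection]:
    """Items MBAM could not remove while running; they depend on the reboot step finishing."""
    return [d for d in report.items if d.action.lower().startswith("delete on reboot")]


def autostart_entries(report: MbamReport) -> List[Detection]:
    """Registry values under ...\\CurrentVersion\\Run*, i.e. things that relaunch at logon."""
    return [d for d in report.items
            if d.section.startswith("Registry") and r"\currentversion\run" in d.path.lower()]


def count_mismatches(report: MbamReport) -> Dict[str, Tuple[int, int]]:
    """Sections whose summary count disagrees with the items listed (truncated or edited log)."""
    listed = Counter(d.section for d in report.items)
    return {s: (n, listed.get(s, 0)) for s, n in report.counts.items() if listed.get(s, 0) != n}


def detections_by_name(report: MbamReport) -> Dict[str, int]:
    return dict(Counter(d.name for d in report.items))


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("Database version:", rep.header.get("Database version"))
    for d in pending_reboot(rep):
        print("still pending reboot:", d.path)
    for d in autostart_entries(rep):
        print("autostart entry:", d.path, "->", d.name)
    print("count mismatches:", count_mismatches(rep))
    print("by detection name:", detections_by_name(rep))
```

Run against a pasted log, the "pending reboot" list is the first thing to compare with the next scan: if the same path shows up again, the reboot-time deletion is not taking effect, which fits the pattern described in this thread where each reboot brings the infection back.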
-
As soon as I'm back from the reboot, I run Malwarebytes to see if it's clean, and I seem to get even more infected files each time I do this.
-
Try running this rescue disc; read the instructions. The program is automatically burnt to CD, then insert the CD into the infected machine and reboot. Please report any findings/problems.
http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130
-
This is the only computer I have. Is it safe to go ahead and burn the CD on this infected one and run the program? Or is it all moot?
-
I keep getting a message that a rootkit has been found every time I reboot. What is it and can I get rid of it?
-
Did you try the disc?
-
Did you try the disc?
I never heard back if it was safe to burn and then run the disc, as this is the only computer I have (which is infected).
-
I never heard back if it was safe to burn and then run the disc,
I don't think it's a matter of 'safe', but whether the malware would interfere with/block the download. So it's well worth a try. I think this rootkit has replaced one of your system files (beep.sys), so you will probably need to replace this with a clean copy, if you can remove the rootkit: http://www.symantec.com/security_response/writeup.jsp?docid=2008-050916-1055-99&tabid=2
So I would try the disc.
You can also post a log from RootRepeal (I am new to this program, but it's worth posting a log):
http://rootrepeal.googlepages.com/
Open the program, click on 'Report', then select Scan, tick all the boxes, OK, select the drive, then Scan. Post the log here.