Virus I can't get rid of

[dutoit]

Hi
Please help!

PLease excuse I'm new at this
.
-My Avast detects 2 files in the background scanner every time I connect to the internet.
-I can't delete, or repair the files and if I move or rename them they just come back.
-the files are named:  d1al.exe and  LoL_1_.jpg
-They are in temporary internet files folder
-It began yesterday and I have no clue as to how it got onto my system
-Avast gives me the following message: Win32:Trojan-gen {Other}

It disconnects me from the internet every time I connect to my wireless internet

Please help if you can

[nmb]

can you some how upload the files(one at time) to virustotal.com and post the link.

[dutoit]

Sure, Thanks
This is for the file: d1al.exe

http://www.virustotal.com/analisis/4798df508c6510237642b433a7a2c4852e47ec4983d7955e474d87ba2327ba2d-1253033446

[dutoit]

This is for the other one:
LoL_1_.jpg

http://www.virustotal.com/analisis/4798df508c6510237642b433a7a2c4852e47ec4983d7955e474d87ba2327ba2d-1253033373

[nmb]

did you try avast! boot time scan?, no? : http://www.digitalred.com/avast-boot-time.php (move all the files infected to chest, when asked what to do)

post back.

[dutoit]

I didn't try the boot time scan will do so now

Every time I move it to the chest it reappears again and I'm prompted again, I did this a few times and it still comes back

[prashant_sharma1984]

Hello,


1. Try cleaning up the Temporary files folder.
2. Boot your PC In safe mode and networking .
3. Step 2 done then try downloading one of the following :
    a) Malware antibytes
    b) Super anti spyware
Update the database and do a full system scan..

Let me know if this was helpfull.

Regards,
Prashant Sharma


 

[nmb]

move to chest in the sense during boot time scan it asks what to do with the infected file. select move to chest.

edit : remove the temporary files after the boot time scan.

[dutoit]

Okay did the boot time scan and moved the files to the chest when propmted.
The result now produced more 3 more infected files in the system volume information folder with the names A0031464.exe, A00331496.exe, and A0031745.exe

I cleaned out the temporary internet files folder after the scan and rebooted

The problem persists,
will try and download the other 2 programs now

[nmb]

yup, now you can try other two programs. do not worry about the adware cookies reported by superantispyware. let it deal it self.

get mbam here : malwarebytes.org update and perform full scan. post log here, please.

[dutoit]

I got the log and found 6 files infected

Should I remove them?

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67kln5j0-4opm-01we-aax2-5657qca554112} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ravav (Worm.RJump) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://www.iesearch.com/) Good: (http://www.Google.com/) -> No action taken.

Folders Infected:
C:\VIDI\UNUK (Backdoor.Bot) -> No action taken.

Files Infected:
C:\VIDI\UNUK\DRG.exe (Backdoor.Bot) -> No action taken.
C:\VIDI\UNUK\DesKTop.ini (Backdoor.Bot) -> No action taken.

[nmb]

exit all the browsers you are using, remove the infections. and reboot if asked to do so.

was it a quick scan or full scan?.

come back.

[dutoit]

Hey,
It was a full scan.

 looks like it worked! All files were removed after the reboot and I haven't had a detection as yet

Thanks for everything you were really helpful!   

[nmb]

great that everything is fine now. consider this, please:

secunia psi : http://secunia.com/vulnerability_scanning/personal/

welcome to the forums.

[dutoit]

I will have a look,
thanks again