Author Topic: Ok, I think I found a virus that Avast cannot kill (Read 4039 times)

sunnyyen · « **on:** December 24, 2005, 03:30:42 AM »

Recently, everytime when my system starts, Avast will report a "Win32: Trojano-3111" found in C:\drsmartload1.exe, also some file with the same virus under "temorary internet file" directory, and I just let Avast delete it, and do a boot scan. The boot scan found nothing, but same thing happens again when system starts, and the warning will popup periodically -- without doing much damage. When I look at my ADSL router's log, I can see that my computer is sending out requests to contact addresses like "192.168.*.*" more than 20 times in every minute. I found a process "MG.exe" running in the system, and after I kill this process, the warning doesn't happen anymore. I located the file "MG.exe" under C:\windows\temp and deleted it, hoping that I've resolved the problem. But after reboot, same thing happens again, and I cannot find where "MG.exe" is. All that I can do now is to kill the process "MG.exe" after every system startup to prevent any damages.

In Google search of "drsmartload1.exe", I found that it's been widely talked about on non-English sites, but haven't yet found a simple solution.

Dwarden · « **Reply #1 on:** December 24, 2005, 04:07:11 AM »

please try upload suspicious files here (if bigger than 1MB then i suggest zip/rar it)
Kaspersky got quite huge database and good naming scheme ...

http://www.kaspersky.com/scanforvirus

sunnyyen · « **Reply #2 on:** December 24, 2005, 04:25:31 AM »

Problem solved by looking more carefully:

I found another unfamiliar process "msbitsec.exe" which claims itself a system process from Microsoft Corporation, but the file created date is 2005.12.13, after which I had all the problems. It restarts immediately everytime after I kill the process. So I have to delete the file under "safe mode". After this file's deleted, no problems anymore.

Rick F · « **Reply #3 on:** December 24, 2005, 05:29:25 AM »

That sounds like "W32/Sdbot-AJS" according to Sophos. See this link and then click on 'Advanced' tab.

http://www.sophos.com/virusinfo/analyses/w32sdbotajs.html

(just in case you need to edit your windows registry)

Barr_y · « **Reply #4 on:** December 26, 2005, 12:03:04 PM »

Hi did you ever try turning off your system restore before trying to delete the file? This is necessary for it not to reform again. Don't forget to turn it back on again though after deleting.

Lisandro · « **Reply #5 on:** December 26, 2005, 02:17:04 PM »

Quote from: sunnyyen on December 24, 2005, 03:30:42 AM

I located the file "MG.exe" under C:\windows\temp and deleted it

For future cases, better is add this file to Chest before cleaning.
Run avast, open Chest and then add the file there. From there you can send the file to Alwil for analysis.

Quote from: sunnyyen on December 24, 2005, 03:30:42 AM

But after reboot, same thing happens again, and I cannot find where "MG.exe" is. All that I can do now is to kill the process "MG.exe" after every system startup to prevent any damages.

For the future, you can use Process Explorer (www.sysinternals.com, freeware) that will show the full path of any running process.

Author Topic: Ok, I think I found a virus that Avast cannot kill (Read 4039 times)

sunnyyen

Ok, I think I found a virus that Avast cannot kill

Dwarden

Re: Ok, I think I found a virus that Avast cannot kill

sunnyyen

Re: Ok, I think I found a virus that Avast cannot kill

Rick F

Re: Ok, I think I found a virus that Avast cannot kill

Barr_y

Re: Ok, I think I found a virus that Avast cannot kill

Lisandro

Re: Ok, I think I found a virus that Avast cannot kill