Author Topic: Got infected with known Trojan while running Home 4.8 (4.8.1201) VPS 7-7-2008  (Read 5057 times)


camer0n
A file I downloaded was infected. Avast spat up some data after execution (in what looked like a command-line window from the tray area), something about denied additions to the registry.
The computer crashed (blue screen) and quickly rebooted.

After rebooting - I found the following suspect files running in memory:

flex006.exe, wintems.exe, hldrrr.exe

More info: http://www.viruslist.com/en/viruses/encyclopedia?virusid=21780028

Computer was running slow, and ZoneAlarm didn't load.
I suspected a virus, so I scheduled a boot-time scan with avast and rebooted.
None of the files above were detected as problem files.

Did a bit of searching online, and RegRun was recommended for rootkits/trojans etc.
Installed the trial version and quickly found and removed the files above and their associated files. The infection is gone now, it seems.

So, all things considered, shouldn't Avast-Home have at least detected this Virus/Worm/Trojan at boot-time?

Thanks.

wyrmrider
Glad you caught it.
I too am hoping for a response from Avast.
However, no one program can possibly remove all nasties.
I'd do a double check,
maybe an on-demand online scan with Kaspersky, which is good at trojans, and BitDefender.
You seem to know to Google any hits
and to quarantine, not just remove.
Maybe an antispyware scan
(hope you are on high-speed internet :) ):
CounterSpy
or Spyware Doctor, Trojan Hunter
or
SUPERAntiSpyware, Spybot Search and Destroy, A-Squared.
Watch for false positives.
If NT-based system, check all users.

camer0n
Thanks.
Yeah, what concerns me is that this virus is over 6 months old.

Spiritsongs
:) Hi:

It appears you had/have trojan(s), NOT a virus. This type of malware is best dealt with by antispyware/antitrojan programs, such as the free version of SUPERAntiSpyware from www.superantispyware.com and/or the free version of Malwarebytes' Anti-Malware from www.malwarebytes.org/mbam.php; do you have these types of programs on your computer?

essexboy

Quote:
hldrrr.exe

Symptomatic of Bagle/Beagle.

Lisandro

Quote:
hldrrr.exe
Symptomatic of Bagle/Beagle.

Take a lot of care handling this infection. It can corrupt the avast installation.
Consider running a full computer online scan:
Kaspersky (very good detection rates)
ESET NOD32
Trend Micro HouseCall
F-Secure
BitDefender (free removal of the malware)
The best things in life are free.

Dwarden

I wonder if you sent these files in a password-protected archive to Alwil...
If not, they can't take a look at whether this was a 'new', 'modified' or abnormally 'packed' trojan.

camer0n

Quote:
Take a lot of care handling this infection. It can corrupt the avast installation.

Indeed, Avast is slowing down my computer to the point where the mouse won't move sometimes and everything freezes.
I tried upgrading to the new beta, but it didn't help.

Any suggestions? Should I just uninstall and re-install Avast? Or can I install over the top somehow?

Thanks

Lisandro

Quote:
Any suggestions? Should I just uninstall and re-install Avast? Or can I install over the top somehow?

I suggest an installation from scratch:

1. Uninstall avast from Control Panel first.
2. Reboot.
3. Download the latest version of the Avast Uninstall utility and use it for a complete uninstallation.
4. Reboot.
5. Install the latest avast! version again.
6. Reboot.
7. Check and post the results.

camer0n
That fixed it ! Thank you!

A word of advice for anyone using SUPERAntiSpyware and its "BootSafe" program.

The malware above had destroyed the safe-mode registry entries of Windows XP, and hence when I used BootSafe I got a blue screen of death at startup. BootSafe modifies boot.ini so that there is only one option, safe mode (which was corrupted).
The only way I was able to fix the issue (and get Windows back) was to boot from an Ubuntu LiveCD, edit boot.ini and boot normally.
Then I used a registry patch that I downloaded to restore the safe-mode registry entries.

What a learning curve. ;-)
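The failure mode in the post above (a safe-mode-only boot.ini on a machine whose SafeBoot registry keys are gone) can be caught before the reboot rather than after the blue screen. The script below is an added example, not part of the original post and not SUPERAntiSpyware's BootSafe or any other vendor's code. It parses the boot.ini format NTLDR reads, reports when no normal (non-/safeboot) entry is left or when default= points at a safe-mode entry, and produces the repaired file the poster wrote by hand from the LiveCD. The two boot.ini samples are constructed; SAFE_ONLY_SWITCHES is an assumption about which switches a safe-mode-only rewrite adds, and the fallback title "Microsoft Windows XP" is a placeholder.

```python
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Tuple

# Assumed: switches a safe-mode-only tool adds to an entry (/safeboot is the decisive one).
SAFE_ONLY_SWITCHES = ("/safeboot", "/sos", "/bootlog", "/noguiboot")
# ARC path, quoted menu title, then zero or more NTLDR switches.
_ENTRY_RE = re.compile(r'^(?P<path>[^=]+?)\s*=\s*"(?P<title>[^"]*)"(?P<switches>.*)$')
BootIni = namedtuple("BootIni", "default entries")


@dataclass
class BootEntry:
    arc_path: str
    title: str
    switches: Tuple[str, ...]

    @property
    def is_safe_mode(self) -> bool:
        return any(s.lower().startswith("/safeboot") for s in self.switches)


def parse_boot_ini(text: str) -> BootIni:
    """Parse default= and the [operating systems] list; duplicate ARC paths are kept."""
    section, default, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot loader" and line.lower().startswith("default="):
            default = line.partition("=")[2].strip()
        elif section == "operating systems":
            m = _ENTRY_RE.match(line)
            if m is None:
                raise ValueError(f"unparseable [operating systems] line: {raw!r}")
            entries.append(BootEntry(m.group("path").strip(), m.group("title"),
                                     tuple(m.group("switches").split())))
    return BootIni(default, entries)


def check_boot_ini(text: str) -> List[str]:
    """Problems that leave no way to boot normally; [] means a normal entry is the default."""
    cfg = parse_boot_ini(text)
    if not cfg.entries:
        return ["no entries under [operating systems]"]
    problems = []
    if all(e.is_safe_mode for e in cfg.entries):
        problems.append("every entry carries /safeboot: no normal boot path is left")
    # NTLDR matches default= against the ARC path; the first matching entry wins here.
    chosen = next((e for e in cfg.entries
                   if cfg.default and e.arc_path.lower() == cfg.default.lower()), None)
    if chosen is None:
        problems.append("default= is missing or matches no [operating systems] entry")
    elif chosen.is_safe_mode:
        problems.append("default= selects a safe-mode entry")
    return problems


def restore_normal_entry(text: str) -> str:
    """Return boot.ini text with a normal-boot entry added first and made the default
    (the edit the poster made by hand from the LiveCD). Unchanged if one already exists."""
    cfg = parse_boot_ini(text)
    if not cfg.entries:
        raise ValueError("nothing to repair: boot.ini has no entries")
    if any(not e.is_safe_mode for e in cfg.entries):
        return text
    safe = cfg.entries[0]
    switches = [s for s in safe.switches if not s.lower().startswith(SAFE_ONLY_SWITCHES)]
    title = re.sub(r"\s*\(safe mode\)\s*$", "", safe.title, flags=re.IGNORECASE)
    title = title or "Microsoft Windows XP"   # placeholder title, assumption
    entry = f'{safe.arc_path}="{title}"' + "".join(" " + s for s in switches)
    out = []
    for raw in text.splitlines():
        key = raw.strip().lower()
        if key.startswith("default="):
            raw = f"default={safe.arc_path}"
        out.append(raw)
        if key == "[operating systems]":
            out.append(entry)        # normal entry goes first, so NTLDR picks it
    return "\n".join(out) + "\n"


# Constructed samples: a stock XP layout, and what a safe-mode-only rewrite leaves behind.
HEALTHY_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (Safe Mode)" /fastdetect /safeboot:minimal /sos /bootlog
"""
SAFE_ONLY_BOOT_INI = r"""[boot loader]
timeout=0
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional (Safe Mode)" /fastdetect /safeboot:minimal /sos /bootlog /noguiboot
"""
```

Run `check_boot_ini` on the file before letting any tool reboot into safe mode; on a live XP system boot.ini carries the hidden, system and read-only attributes, so write it back from the LiveCD (or after clearing those attributes) and keep CRLF line endings if the original had them. The script covers only the boot.ini side of the problem: whether the SafeBoot keys under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot still exist has to be checked in the registry itself, which is what the registry patch in the post restored.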
Lisandro
You should use ERUNT to backup your registry regularly (or even automatically, daily).
http://www.larshederer.homepage.t-online.de/erunt/