Author Topic: trojano-3238 and zapchast-m  (Read 7128 times)


warmy

  • Guest
trojano-3238 and zapchast-m
« on: October 25, 2008, 07:03:10 AM »
Avast detected these 2 viruses from my Warcraft CD. I ignored it because of my addiction to Warcraft. Now it slowed down my PC and adjusted my PC's time every now and then. I did a startup scan and a full scan in safe mode. My avast is up to date. How do I delete it?! Please help!

Jtaylor83

  • Guest
Re: trojano-3238 and zapchast-m
« Reply #1 on: October 25, 2008, 07:16:38 AM »
What are the filenames and location of the infections?

I need to see the avast! warning log.

C:/Program Files/Alwil Software/Avast4/DATA/log/warning.txt

It's best to send the infections to the Virus Chest rather than delete them.

I suggest:

SuperAntiSpyware Free
Spybot - Search and Destroy
Spyware Terminator (Exclude Crawler Toolbar, add on, and the ClamAV module)
Malwarebytes' Anti-Malware
« Last Edit: October 25, 2008, 07:24:42 AM by Jtaylor83 »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: trojano-3238 and zapchast-m
« Reply #2 on: October 25, 2008, 07:08:20 PM »
I suggest:

1. Clean your temporary files.
2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

warmy

  • Guest
Re: trojano-3238 and zapchast-m
« Reply #3 on: October 27, 2008, 03:08:22 PM »
To Jtaylor83, here are the two logs:
-Sign of "Win32:Trojano-3238 [trj]" has been found in "E:\Crack\dev-ft-keygen.exe" file.
-Sign of "Win32:Zapchast-M [trj]" has been found in "E:\Crack\Crack\revolt.dll" file.
I have Malwarebytes' Anti-Malware, Spyware Terminator and Ad-Aware. Already tested my PC with those but found nothing.

To Tech:
Already cleaned my temp files
Already used boot-time scanning with avast with archive scanning turned on
Immunized my system with SpywareBlaster
I haven't yet tried the other methods and I don't know how to use System Restore.

To sum it up: I had avast, Ad-Aware, Malwarebytes and Spyware Terminator before I even got the virus (or installed the CD). They're all up to date (but free :p). Scanned my PC in safe mode.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: trojano-3238 and zapchast-m
« Reply #4 on: October 27, 2008, 03:21:55 PM »
I have malwarebyte's anti-malware, spyware terminator and ad-aware. Already tested my pc with those but found nothing.
And avast? Does it still detect those files?

i dont know how to use system restore.
After you're clean, disable System Restore on Windows ME, XP or Vista. System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After disabling you can enable it again. To use System Restoration it's necessary to disable avast! self-protection: avast! settings > Troubleshooting > Disable avast! self-defence module then start a System Restore.

warmy

  • Guest
Re: trojano-3238 and zapchast-m
« Reply #5 on: October 27, 2008, 03:41:02 PM »
I also have avast. I already scanned my PC with avast in normal mode, on boot-scan and in safe mode, all with archive scanning turned on. Avast only detected files that are already infected (mp3 files). I deleted those, but still my PC is slow and always has the wrong time. It cannot detect the virus itself.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: trojano-3238 and zapchast-m
« Reply #6 on: October 27, 2008, 03:46:36 PM »
Maybe you should try full computer on-line scanning:
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender (free removal of the malware)

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: trojano-3238 and zapchast-m
« Reply #7 on: October 27, 2008, 03:47:31 PM »
Well by your location of the previously detected infections, your practice of using cracks and keygens is a high risk strategy not to mention any legal or moral issues. So it is entirely possible that there is something hidden on your system.

Did you run MBAM and SAS from safe mode, where they are likely to be more effective?

Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- Trend Micro RootkitBuster - http://www.trendmicro.com/download/rbuster.asp
- F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

warmy

  • Guest
Re: trojano-3238 and zapchast-m
« Reply #8 on: November 09, 2008, 01:42:37 PM »
I boot-time scanned my PC again; it detected something like -"File C:\Documents and SettingsTemporary Internet Files\Content.IE5\D57NWEL8\BIN_STDATA2[1].cab\BIN_STDATA2.SPT Error 42127 {CAB archive is corrupted.}

-"File C:\Documents and SettingsTemporary Internet Files\Content.IE5\GBJEUBTF\BIN_STDATA2[1].cab\BIN_STDATA2.SPT Error 42127 {CAB archive is corrupted.}

-"File C:\Documents and SettingsTemporary Internet Files\Content.IE5\GBJEUBTF\BIN_STDATA2[2].cab\BIN_STDATA2.SPT Error 42127 {CAB archive is corrupted.}

-"File C:\Documents and SettingsTemporary Internet Files\Content.IE5\NY003614\BIN_STDATA2[1].cab\BIN_STDATA2.SPT Error 42127 {CAB archive is corrupted.}

I already scanned in safe mode using Panda Anti-Rootkit, SUPERAntiSpyware, the online scanners...
I'm losing hope here... help me, guys... or should I reformat my PC?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: trojano-3238 and zapchast-m
« Reply #9 on: November 09, 2008, 03:38:52 PM »
There is nothing wrong with the items reported; they are not infected, it is just that avast can't scan them because the cab file is corrupt.

That can be for a couple of reasons: a) the file is corrupt as stated (in which case there is nothing you or avast can do) or b) avast can't open the file completely, and that might just be because the type of archive is unsupported (again, nothing to do).

Also based on the location these are in the Temporary Internet Files and as such are temporary files which aren't important, you should periodically clear your browser temporary internet files.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
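
The distinction drawn in the reply above, between a signature hit and a file avast simply could not open, can be applied mechanically when reading a long scan log. This is an added example, not part of the thread and not avast's own code; the two line shapes are taken from the lines quoted in this thread rather than from a documented log format, and the function names are hypothetical.

```python
import re
from collections import Counter

# Line shapes as quoted in this thread (an assumption, not an official avast log spec).
DETECTION = re.compile(r'Sign of "(?P<name>[^"]+)" has been found in "(?P<path>[^"]+)" file')
SCAN_ERROR = re.compile(r'File (?P<path>.+?) Error (?P<code>\d+) \{(?P<reason>[^}]*)\}')

# Sample input assembled from lines quoted in the thread; paths kept exactly as posted.
SAMPLE = r'''
Sign of "Win32:Trojano-3238 [trj]" has been found in "E:\Crack\dev-ft-keygen.exe" file.
Sign of "Win32:Zapchast-M [trj]" has been found in "E:\Crack\Crack\revolt.dll" file.
File C:\Documents and SettingsTemporary Internet Files\Content.IE5\D57NWEL8\BIN_STDATA2[1].cab\BIN_STDATA2.SPT Error 42127 {CAB archive is corrupted.}
File C:\Documents and SettingsTemporary Internet Files\Content.IE5\GBJEUBTF\BIN_STDATA2[2].cab\BIN_STDATA2.SPT Error 42127 {CAB archive is corrupted.}
'''

def triage(log_text):
    """Split scanner output into detections, unscannable files and unparsed lines."""
    detections, unscanned, unknown = [], [], []
    for raw in log_text.splitlines():
        line = raw.strip().lstrip('-"')  # forum posts prefix lines with - or -"
        if not line:
            continue
        m = DETECTION.search(line)
        if m:
            detections.append((m["name"], m["path"]))
            continue
        m = SCAN_ERROR.search(line)
        if m:
            # Browser cache files are disposable; an unscannable file elsewhere deserves a look.
            cache = "temporary internet files" in m["path"].lower()
            unscanned.append({"path": m["path"], "code": int(m["code"]),
                              "reason": m["reason"], "browser_cache": cache})
            continue
        unknown.append(line)
    return detections, unscanned, unknown

def summarize(log_text):
    """Counts a reader needs first: real hits vs. files that were merely skipped."""
    detections, unscanned, unknown = triage(log_text)
    return {
        "detections": len(detections),
        "unscanned": len(unscanned),
        "unscanned_outside_cache": [u["path"] for u in unscanned if not u["browser_cache"]],
        "error_codes": dict(Counter(u["code"] for u in unscanned)),
        "unparsed": len(unknown),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
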

CharleyO

  • Guest
Re: trojano-3238 and zapchast-m
« Reply #10 on: November 10, 2008, 06:06:35 AM »
 ***

By the way, IE can be set to delete temporary internet files once a day, every 2 days, every 3 days, etc.


***

warmy

  • Guest
Re: trojano-3238 and zapchast-m
« Reply #11 on: November 13, 2008, 05:28:12 AM »
But I'm using Firefox and I just emptied my temp internet files folder. Anyway, I just want to know if it has something to do with my PC's slow performance and changing dates and time every now and then? I'll try to use AVG Free and Avira... hope it works!

warmy

  • Guest
Re: trojano-3238 and zapchast-m
« Reply #12 on: November 16, 2008, 03:06:43 PM »
Hi all... I just reformatted my PC... sad part is, the date and time still change... I don't know what to do now... please, please, please help me...!!

warmy

  • Guest
Re: trojano-3238 and zapchast-m
« Reply #13 on: November 16, 2008, 03:55:00 PM »
I hope this will help. I also just downloaded a program to correct my daylight saving time...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:56 PM, on 11/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 2160 bytes