Author Topic: Win32:BHO-WF Trojan  (Read 9587 times)


Confused1971

  • Guest
Re: Win32:BHO-WF Trojan
« Reply #15 on: April 26, 2009, 11:36:57 PM »
Hi Confused1971,

Let me explain why DavidR mentions this. First, before you do anything to cure an infection, you have to follow some steps in a particular sequence, step by step.
1. Establish whether you are infected or not. Is this a real, genuine infection or a false positive? There is a sticky in this forum where we explain how best to go about this.
2. See what the infection is all about, with all the evidence, so run HijackThis or other scanners, but do nothing with these yet.
3. Once we have established what we have at hand and where it resides, then move to the chest; the last option is to delete, but it is better to fix. It could well be that a hidden infection-vector process will re-install the infection on reboot, or some system files were not taken out, or something in the registry could revive the malware circus anew.
So when advice is given, follow these instructions meticulously, because the helpers have your best interests at heart and will take care to harm neither your precious OS nor your data.

polonus

Running each file through jotti gave me these results:
1) kernel32.dll in C:\WINDOWS\System32 - Moonlight_Engine_1236.4.0.99.rar (MD5: 97431a2966xw386214d666f754c9142c) picked up by:
CPsecure: Malware name: Troj.W32.Obfuscated.gen
Dr.Web: Malware name: Win32.HLLW.Viking.34
Ikarus: Malware name: Backdoor.Bifrose
Quick Heal: Malware name: Trojan.agent.ATV
Sophos Antivirus: Nal/Inet-Fam

2) wnsock.dll in C:\WINDOWS\System32 - setup_galil.exe (MD5: 940afcccd771dd9963acb51c8279114)
A-Squared: Malware name: Trojan-Downloader.win32.Banload!IK
AntiVir: Malware name: DR/Delphi.Gen
BitDefender: Malware name: Gen:Trojan.Heur.9083C6969
F-Prot Antivirus: Malware name: W32/Trojan-juke-based!Maximus
Ikarus: Malware name: Trojan-Downloader.Win32.Banload
Sophos Antivirus: Malware name: Mal/Behav-103
VirusBuster: Malware name: Trojan.Crypt.Gen

3) wsock32.dll in C:\WINDOWS\System32 - Project1.exe (MD5: 3e91f2b68b94e7cbbec82c8c64b2d6cc)
A-Squared: Malware name: Trojan.Banker.VB!IK
Ikarus: Malware name: Trojan.Banker.VB

Does this help?
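An added example, not code from the thread or from jotti: a small Python triage helper for step 1 and step 2 above. It parses a pasted multi-engine result block in the shape posted, counts how many engines flag the file, pulls out the family name the vendors actually agree on (ignoring generic "Trojan/Gen/Heur" words), and checks that the hash is well-formed. The sample is the second result as posted, whose MD5 is one character short as typed, which the check flags; the generic-word list and the three-engine threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape of the results posted above (labels as
# posted; the MD5 is copied as typed there, and is one character short).
SAMPLE = """\
2) wnsock.dll in C:\\WINDOWS\\System32 setup_galil.exe (MD5: 940afcccd771dd9963acb51c8279114)
A-Squared: Malware name: Trojan-Downloader.win32.Banload!IK
AntiVir: Malware name: DR/Delphi.Gen
BitDefender: Malware name: Gen:Trojan.Heur.9083C6969
F-Prot Antivirus: Malware name: W32/Trojan-juke-based!Maximus
Ikarus: Malware name: Trojan-Downloader.Win32.Banload
Sophos Antivirus: Malware name: Mal/Behav-103
VirusBuster: Malware name: Trojan.Crypt.Gen
"""

# Label tokens that name a class or heuristic, not a family (assumed list).
GENERIC = {"trojan", "win32", "w32", "gen", "generic", "heur", "mal", "dr",
           "downloader", "crypt", "behav", "based", "ik"}
HASH_RE = re.compile(r"MD5:\s*([0-9A-Fa-f]+)")
DET_RE = re.compile(r"^(?P<vendor>[^:]+):\s*(?:Malware name:\s*)?(?P<label>\S.*?)\s*$")

def parse_report(text):
    """Return (md5, {vendor: label}) from a pasted multi-engine result block."""
    md5, detections = None, {}
    for line in text.splitlines():
        if m := HASH_RE.search(line):
            md5 = m.group(1).lower()
        elif m := DET_RE.match(line):
            detections[m.group("vendor").strip()] = m.group("label")
    return md5, detections

def families(labels):
    """Count family-like tokens across labels, one vote per vendor."""
    counts = Counter()
    for label in labels:
        toks = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", label)}
        counts.update(t for t in toks
                      if t and t not in GENERIC and not any(c.isdigit() for c in t))
    return counts

def triage(text):
    """Heuristic summary: engine count, agreed family, hash sanity, verdict."""
    md5, det = parse_report(text)
    consensus = [f for f, n in families(det.values()).most_common() if n >= 2]
    # Assumed threshold: three or more engines naming the file is rarely a false positive.
    verdict = "likely genuine" if len(det) >= 3 else "inconclusive: rescan the file"
    return {"md5": md5, "md5_well_formed": md5 is not None and len(md5) == 32,
            "engines": len(det), "families": consensus, "verdict": verdict}
```

A malformed hash means the posted value cannot be looked up anywhere, so re-hash the file from the chest rather than trusting the transcription.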

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Win32:BHO-WF Trojan
« Reply #16 on: April 27, 2009, 12:21:16 AM »
I really do wish Alwil would get rid of this All Chest Files collation of the three sections:
  • The only area you should be interested in is the Infected Files section, this is where the files detected by avast and selected by you to move to the chest are placed.
  • The User Files section is where the user can add files they suspect of being malware but not detected by avast.
  • The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).
  • The All Chest Files is a collation of the three sections.

So were these in the System Files section of the chest?
« Last Edit: April 27, 2009, 12:22:52 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Confused1971

  • Guest
Re: Win32:BHO-WF Trojan
« Reply #17 on: April 27, 2009, 12:28:22 AM »
I really do wish Alwil would get rid of this All Chest Files collation of the three sections:
  • The only area you should be interested in is the Infected Files section, this is where the files detected by avast and selected by you to move to the chest are placed.
  • The User Files section is where the user can add files they suspect of being malware but not detected by avast.
  • The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).
  • The All Chest Files is a collation of the three sections.

So were these in the System Files section of the chest?

Yes. After I moved the original virus to the chest, these three came up. I can delete the Win32:BHO-WF virus in the avast boot-time scan, but when I open Windows, avast is still detecting the exact same virus in the exact same location. When I run another boot-time scan afterwards, I am getting both the original virus and a second infection, Win32:Agent-PSI [Rtk], in the file C:\WINDOWS\System32\drivers\skpfexuu.sys.
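The pattern above (a file removed by the boot-time scan is back after reboot, plus a new driver) is the "hidden infection vector re-installs on reboot" case polonus described. An added example, not from the thread: a Python snapshot-and-diff helper that hashes every file under a directory so a snapshot taken right after the boot-time scan can be compared with one taken after reboot, listing exactly what came back or appeared. The simulation uses a temp directory with constructed file contents standing in for System32; in real use you would snapshot the real directory between the two boots.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_snapshots(before, after):
    """Files that appeared, vanished or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }

def simulate_reinfection_cycle():
    """Constructed stand-in for the cycle in the post: the boot-time scan removed
    the flagged file, but after the "reboot" it is back and a driver has appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "System32"
        (sys32 / "drivers").mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"constructed stand-in for a clean system DLL")
        baseline = snapshot(sys32)   # taken right after the boot-time scan, before rebooting
        # "Reboot": a surviving loader re-drops the DLL and installs a driver.
        (sys32 / "wnsock.dll").write_bytes(b"constructed stand-in for the re-dropped file")
        (sys32 / "drivers" / "skpfexuu.sys").write_bytes(b"constructed stand-in for the driver")
        return diff_snapshots(baseline, snapshot(sys32))

if __name__ == "__main__":
    for kind, paths in simulate_reinfection_cycle().items():
        print(kind, paths)
```

Anything in the "added" list after a reboot with no user activity is the thing to hunt for (its dropper, service or driver entry), not just the file that keeps getting re-detected.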

Confused1971

  • Guest
Re: Win32:BHO-WF Trojan
« Reply #18 on: April 27, 2009, 12:47:54 AM »
I really do wish Alwil would get rid of this All Chest Files collation of the three sections:
  • The only area you should be interested in is the Infected Files section, this is where the files detected by avast and selected by you to move to the chest are placed.
  • The User Files section is where the user can add files they suspect of being malware but not detected by avast.
  • The System Files section is where avast keeps back-up copies of important system files in case the original becomes infected (leave them alone).
  • The All Chest Files is a collation of the three sections.

So were these in the System Files section of the chest?

I admit defeat. I am just going to erase the hard drive and reinstall Windows XP. Thanks for your help.