1.exe , 2.exe, 3.exe ... avast warning on each startup (WinXP)

[MG01]

Hi to all,
two days ago i started to get warnings from avast on each windows start for files from \"usersdocuments"\temp!
Every time two warnings for files named "number".exe ! Until now max number is 9!
Always delete files, than get some warning to click OK and that is it!

I have scan comp with avast on boot, adaware full scan, spybot SD full scane, and nothing is found!
How to get rid of this thing without of reinstall windows?

Thanks in forward and best regards,   

[Pondus]

Have you tried MBAM ?

http://filehippo.com/download_malwarebytes_anti_malware/

[Lisandro]

I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spywares and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or this analysis site. Or even submit the RunScanner log to to on-line analysis.
6. Clean your Hosts file (replacing it) with HostsMan tool.
7. Disable System Restore and then reenable it again.
8. Immunize your system with SpywareBlaster.
9. Check if you have insecure applications with Secunia Software Inspector.

[manio]

Yesterday I had the same problem. And "Mozillla firefox" didn´t go to virustotal.com, when I told it to, but to some random infected website.

I have manually identified and solved the problem (Seeked and deleted the virus "manually" without antivirus).

I used "Sysinternals Process Monitor" to find the malware that was creating those files. It was
C:\Documents and Settings\usuario\Configuración local\Temp\0.9435061735453691.exe

I deleted the file (and saved a copy for later inspection). The file is detected as virus/trojan by several antivirus in virustotal and  virusscan.jotti.org

I rebooted the system, and the problem persisted.
Again with Process monitor, I found the program that was recreating "0.9435061735453691.exe" which in turn created 1.exe, 4.exe ...
The root of the problem was
c:\windows\system32\qtplugin.exe

I needed the utility tool "unlocker" to delete it ("on next boot"), as it couldn´t be deleted by windows explorer.
THIS IS NOT DETECTED AS VIRUS by virusscan.jotti.org, Only one (prevx) of the 41 antivirus in virustotal detects it. But it IS a virus for sure.

Both 0.9435061735453691.exe and qtplugin.exe where in several keys in windows register that I have manually removed.

I have a copy of the new virus qtplugin.exe and of the other one "0.9435061735453691.exe", just in case someone in avast! wants it. I just don´t know where to report it.

Regards

[Pondus]

@manio i have sendt you a PM

[manio]

Pondus: I have done as you told me in the PM.
Tell me if anything went wrong.

(Sorry about posting this here, but I´m not allowed to send PMs in this forum)

[Pondus]

It is OK, samples sendt avast / Malwarebytes

[Tarq57]

Nice work, manio.
Welcome to the forum.

[Pondus]

VirusTotal -  0.9435061735453691.virus - 26/41
http://www.virustotal.com/analisis/4b12acbaf3a2237bc5990bda4d289d993c4dac5a778a46a307286eb7d82c9915-1278090047

Malwarebytes: 0.9435061735453691.virus (Trojan.Oficla) -> Quarantined and deleted successfully

VirusTotal - qtplugin.exe.virus - 9/41
http://www.virustotal.com/analisis/e907694ed9dd79b0c352bb834d0465ca80404c6dce51786541447173f933dc94-1278089985

Malwarebytes: qtplugin.exe.virus - No detection ......maybe tomorrow 

[Pondus]

Malwarebytes got it now.........

qtplugin.exe.virus (Trojan.Meredrop) -> Quarantined and deleted successfully.

It is not everyone that is this quick to update.......