Hi to all,
Two days ago I started to get warnings from avast on each Windows start for files from "usersdocuments"\temp!
Every time there are two warnings for files named “number”.exe! Until now the max number is 9!
I always delete the files, then get some warning to click OK and that is it!
I have scanned the comp with avast on boot, adaware full scan, spybot SD full scan, and nothing is found!
How do I get rid of this thing without reinstalling Windows?
Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
Yesterday I had the same problem. And “Mozilla Firefox” didn't go to virustotal.com when I told it to, but to some random infected website.
I have manually identified and solved the problem (sought out and deleted the virus “manually”, without antivirus).
I used “Sysinternals Process Monitor” to find the malware that was creating those files. It was
C:\Documents and Settings\usuario\Configuración local\Temp\0.9435061735453691.exe
I deleted the file (and saved a copy for later inspection). The file is detected as virus/trojan by several antivirus in virustotal and virusscan.jotti.org
I rebooted the system, and the problem persisted.
Again with Process monitor, I found the program that was recreating “0.9435061735453691.exe” which in turn created 1.exe, 4.exe …
The root of the problem was c:\windows\system32\qtplugin.exe
I needed the utility tool “unlocker” to delete it (“on next boot”), as it couldn't be deleted by Windows Explorer. THIS IS NOT DETECTED AS VIRUS by virusscan.jotti.org; only one (prevx) of the 41 antivirus in virustotal detects it. But it IS a virus for sure.
Both 0.9435061735453691.exe and qtplugin.exe were in several keys in the Windows registry, which I have manually removed.
I have a copy of the new virus qtplugin.exe and of the other one “0.9435061735453691.exe”, just in case someone in avast! wants it. I just don't know where to report it.
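
The tracing step described in the post above (following each numeric-named .exe in Temp back to the process that wrote it) can be automated over a Process Monitor CSV export. This is an added example, not part of any post in the thread; the sample rows are constructed, the column layout is assumed to be Process Monitor's default export, and the function names are hypothetical.

```python
import csv
import io
import ntpath
import re

# Constructed sample rows. Assumed columns (Process Monitor default CSV export):
# Time of Day, Process Name, PID, Operation, Path, Result, Detail.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:00:01.1","qtplugin.exe","812","WriteFile","C:\Documents and Settings\user\Local Settings\Temp\0.9435061735453691.exe","SUCCESS","Offset: 0, Length: 4,096"
"09:00:02.4","0.9435061735453691.exe","1440","WriteFile","C:\Documents and Settings\user\Local Settings\Temp\1.exe","SUCCESS","Offset: 0, Length: 4,096"
"09:00:02.9","0.9435061735453691.exe","1440","WriteFile","C:\Documents and Settings\user\Local Settings\Temp\4.exe","SUCCESS","Offset: 0, Length: 4,096"
"09:00:03.2","firefox.exe","2004","WriteFile","C:\Documents and Settings\user\Local Settings\Temp\setup.tmp","SUCCESS","Offset: 0, Length: 512"
"09:00:03.5","explorer.exe","1500","WriteFile","C:\Documents and Settings\user\Local Settings\Temp\7.exe","ACCESS DENIED",""
'''

# File names made only of digits (optionally with a decimal part), e.g. 4.exe
NUMERIC_EXE = re.compile(r"^\d+(\.\d+)?\.exe$", re.IGNORECASE)

def find_writers(csv_text):
    """Map each numeric-named .exe written into a Temp folder to its writer."""
    writers = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = ntpath.basename(row["Path"]).lower()
        folder = ntpath.basename(ntpath.dirname(row["Path"])).lower()
        if (row["Operation"] == "WriteFile" and row["Result"] == "SUCCESS"
                and folder == "temp" and NUMERIC_EXE.match(name)):
            # Keep the first writer seen; matching is by image name only,
            # which is an approximation (two processes can share a name).
            writers.setdefault(name, row["Process Name"].lower())
    return writers

def trace_root(writers, dropped):
    """Walk writer -> writer until reaching a process that was not itself dropped."""
    seen, current = set(), dropped.lower()
    while current in writers and current not in seen:  # 'seen' guards against loops
        seen.add(current)
        current = writers[current]
    return current

if __name__ == "__main__":
    found = find_writers(SAMPLE_CSV)
    for dropped in sorted(found):
        print(f"{dropped} <- {found[dropped]} (root: {trace_root(found, dropped)})")
```
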