Avast free & MBAM cannot remove trojan dropper?

Greetings! I’m not sure if this matter has been addressed already somewhere in this forum but my search for w32:bamital-T & w32:delfcrypt-f doesnt yield any results. These 2 trojan droppers infected my laptop through usb. Riding processes like svchost.exe, sometimes explorer.exe.

First instance of detection on normal windows, I booted windows on safe mode then ran Avast, these 2 droppers were detected (about8-9 of them) and were moved to chest. If asked to reboot, I did BUT I never booted on normal windows, instead went straight to safe mode again. Then ran MBAM, there came results also of what were seemed to be remnants of files overseen by Avast (thats why they best work together) and were also deleted after detection results. Then when asked to restart again, this time I booted on normal windows. But alas, Avast detected the same virus again and windows automatically shuts down/rebooted and unable to run windows normally to run any other diagnostics.

Did this whole process about 4-5 times already, but it is still there everytime I boot to normal windows. Malicious files of .exe & .sys on temp folders riding on processes i mentioned above. I already cleaned my temp folder & my System Restore is totally disabled on all drives.

Now what puzzles me lately is that after the last normal windows boot (virus was there of course), I booted on safe mode and ran MBAM, but both did not detect any virus or trojan! Did they mutate already? Im on Windows XP SP3, all virus & malware definitions are up to date. No other AV is installed other than the 2 I trust as they have worked effectively for me. I can say I am somewhat an advanced user on windows & drivers as well as virus handling but this is the first time I have encountered a stubborn trojan. Any ideas out there. TIA!

Although you have already done some of the steps, I suggest:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use MBAM (or SUPERantispyware or even Spyware Terminator) to scan for spywares and trojans. If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or this analysis site. Or even submit the RunScanner log to to on-line analysis.
  6. Clean your Hosts file (replacing it) with HostsMan tool.
  7. Disable System Restore and then reenable it again.
  8. Immunize your system with SpywareBlaster.
  9. Check if you have insecure applications with Secunia Software Inspector.

Some more information would help us to help you:

  • What avast! version and VPS file (virus database) number, e.g. 4.8.1368/5.0.545 and 100626-0, etc. (see about avast!) ?

Since you are using XP, I would suggest that you schedule a boot-time scan.

  • What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
  • You could post the contents of the MBAM log that had the detections in it ?

You could also try SUPERantispyware (SAS). On-Demand only in free version.
Don’t worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.
Also available a portable version of SAS, http://www.superantispyware.com/portablescanner.html, no installation required.

Tech & DavidR,

Guys thank you! the SuperAntispyware did well, its now clean of virus. It is really a necessity to have at least 2 similar tools of different products. I thought the MBAM & Avast can solely protect all throughout even with the latest updates. Now I have 2 on-demand programs as a back-up.

Best of all, its these forums like these that makes the computing world a better learning place.

mahler, you’re welcome. Feel free to come back any time you need help or just to change experiences 8)

No problem, glad I could help.

Welcome to the forums.