First, a virus infection, then Avast found malware after MS update...HELP!!

The first time I ran a scan of my computer after installing AVAST, it detected the WIN32:BHO-LA[trj] virus in 2 different files. During the scan, I sent both files to the virus chest instead of deleting them on the spot, as I wasn’t sure if the files were important to the operation of my computer or not. One was found in C:\Documents and Settings\All Users\ApplicationData\Symantec\SRTSP\Quarantine. We had already uninstalled our Symantec Norton Antivirus a week ago and installed AVEST because we were infected WHILE being “protected” by Norton. We wound up deleting that infected file, as we no longer use Symantec’s program. The other infected file was found in C:\SystemVolumeInformation_restore{B06C75F0-9FCC-4D32-A4A4-58CDE7C44A50}\RP8. I have no idea how to get rid of it.

Meanwhile, every time we go online, we eventually get the following Win32 error message and get bumped offline, even though our internet connection icon says we’re still connected and the disconnect feature doesn’t work. We have to reboot to do ANYTHING with the computer and get back online. Error Message:
Win32: Generic host process for Win32 services has encountered a problem and needs to close. Send Error report.
The link attached says the following:

Malicious software attack: install security update immediately
Malicious software attack: install security update immediately
This problem was caused by malicious software attempting to gain control of your computer. Windows shut down automatically to prevent the attack from continuing.
A solution is available that will solve this problem.
Solution :
To protect your computer from further attacks, go online to Microsoft Update and install all high-priority updates.
Get the update from the Microsoft Update website
Note: To use Microsoft Update, you need the latest Microsoft Update software. If you have not installed the latest Microsoft Update software, you will be asked to upgrade and restart your computer before you can use the website. After restarting, go to the Microsoft Update website. Click Get high-priority updates (recommended), and then install all high-priority updates.

Today, I downloaded all of the MS updates that were available for me to make sure I was up to date. I got the same error in the middle of the update download.

I spoke with MS virus tech support today about getting rid of the virus. They scanned me and couldn’t find it. Then, they had me download and run Rogue Remover, which also found nothing. Then, they had me download and run SUPERAntispyware, which found 3 things which I deleted. This was after I had run Spybot and it found nothing. I got the same Win32 error in the middle of the SUPERAnti scan. I wound up rerunning Avest’s thorough scan and, after all of that, it found 3 more malware infected files:
ybqqvrbb.dat.vir
C\QooBox\Quarantine\C\Windows\system32\drivers
Virus: Win32:Agent-PSI[Rtk]
Malware Type: Root kit
ybqqvrbb.dat
C\QooBox\Quarantine\catchme2008-02-16_130503.73.zip
Virus: Win32:Agent-PSI[Rtk]
Malware Type: Root kit
ybqqvrbb.dat.1
C\QooBox\Quarantine\catchme2008-02-16_130503.73.zip
Virus: Win32:Agent-PSI[Rtk]
Malware Type: Root kit
What the heck are those??
ALSO, after this Avest scan, the Trojan virus I originally had and had put in the virus chest, NOW says “No virus” under the Virus column of the chest. Does that mean that virus is now off my computer???
AND, after the MS updates, I now get a warning that my MS firewall in not on and should be. How do I turn the firewall on so it is compatible with Avest?

We have AVAST version 4.7 home edition and are running windows XP. We have a dial up connection to the internet.

HELP!!!


QooBox is a part of Combofix and these seem to be quarantined malware files.

Have you used Combofix in the past?


CharleyO,
No, I have never used Combofix before. That was one of the programs the Microsoft Virus Tech had me download and run. He was going through the scans so fast that I forgot we did that one. How do I get it completely off my machine? I see no icons for it.

:slight_smile: Hi :

One of the 1st things we ask former Norton users is did they use the “Norton
Removal Tool”, available at several Sites, in addition to “uninstalling” Norton !?

As to “removing” ComboFix, should click “Run”, type “ComboFix /u” ( without
the quotes AND Note the blank space after the “x” ) and go from there .

C\QooBox\Quarantine\C\Windows\system32\drivers Virus: Win32:Agent-PSI[Rtk] Malware Type: Root kit ybqqvrbb.dat C\QooBox\Quarantine\catchme2008-02-16_130503.73.zip Virus: Win32:Agent-PSI[Rtk] Malware Type: Root kit ybqqvrbb.dat.1 C\QooBox\Quarantine\catchme2008-02-16_130503.73.zip Virus: Win32:Agent-PSI[Rtk] Malware Type: Root kit

Good catch CharleyO, those sure look like combofix quarantine. Combofix dosen’t encrypt it’s quarantine, so av’s will find them. By the time stamp it was FEB 16 08

AHA!!!
CharleyO,
Apparently, Avast found the files that Combofix quarantined. I called MS virus tech back and they told me to just delete the QooBox file. My question is this:
Why didn’t Avast find the original infections and get rid of them itself? I had to run Spybot, RogueRemover, SuperAntispyware and Combofix, one after the other to find everything. Avast never found anything but the files found and quarantined by those programs first. It doesn’t seem very useful at this point.

Also, I have Windows XP, which has a firewall feature in it’s security center and it is not on. Would you happen to know how to set it up so it’s compatible with Avest?

And, I used the Symantec removal tool 3 times and still have 3 hidden files named Symantec in:
C:\Documents and Settings\AllUsers\ApplicationData
C:\Documents and Settings\DefaultUser\ApplicationData
C:\WINDOWS\System32\config\systemprofile\ApplicationData
When I open the first file, there is another file inside called SRTSP. Inside that file is a file called Quarantine. I can not delete that Symantec file. When I try, I get the following message:
“Cannot delete Quarantine: Access is denied
Make sure the disc is not full or write protected and that the file is not currently in use.”
The other 2 Symantec files are identical when opened. They contain other files named Identities, Microsoft, Real, Sample View, Sun & Symantec. I haven’t tried to delete those 2 as the Microsoft files inside look like they contain MS program files. Do you know if I can delete those? Is it possible those 3 Symantec files are keeping Avest from finding and stopping all the spyware and virus’ that the other programs have had to find?

Thanks for all your help so far. Am I boring you yet?

If you had downloaded combofix to your desktop, the command Spiritsongs gave you should remove all of combofix.

My question is this: Why didn't Avast find the original infections and get rid of them itself?

Avast probably detected the double extention. combofix adds a .vir

For you norton, check their forum on how to remove it from the command prompt. If it’s the backups I’m thinking of, a part of norton had to be disabled before uninstalling.