Saturday Avast began notifying me that a virus had been found. The virus was identified as JunkPoly and I had alerts from Avast all day long. The alerts continue despite the fact that I opted to send the virus to the chest. SuperAnti-Spyware has located the virus and quarantined it, yet it keeps coming back. Please advise.
Here is info on this nasty: http://www.precisesecurity.com/blogs/2009/03/22/win32_junkpoly/ and manual instructions to get rid of it: http://forums.spybot.info/showthread.php?t=38963 Here is where you can get Spybot: http://www.safer-networking.org/en/index.html
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).
- MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File As (depending on your browser), save it to a location where you can find it easily later.
My firewall is Windows Defender. I have run Malwarebytes:
Malwarebytes’ Anti-Malware 1.37
Database version: 2193
Windows 6.0.6001 Service Pack 1
2/5/2010 12:58:23 AM
mbam-log-2010-02-05 (00-58-09).txt
Scan type: Full Scan (C:|D:|)
Objects scanned: 270997
Time elapsed: 2 hour(s), 23 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe (Security.Hijack) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\livesrv.exe (Security.Hijack) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdwizreg.exe (Security.Hijack) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\seccenter.exe (Security.Hijack) → No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\hosts (Trojan.Agent) → No action taken.
C:\Windows\System32\hosts (Trojan.Agent) → No action taken.
Your version of Malwarebytes is old. The latest is 1.44 with database 3693. You may want to update and rescan, but it looks like you have some things already found that should be cleaned.
bdagent.exe
livesrv.exe
vsserv.exe
bdwizreg.exe
seccenter.exe
These are LEGIT BitDefender files.
Have you uninstalled it properly using their uninstall tool?
@ moorman20
Windows Defender isn’t a firewall.
Vista is on service pack 2, so you are out of date there and could leave your system more vulnerable to attack - I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.
Is this version of BitDefender antivirus resident (seems so)?
Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
Sorry, could not get computer to operate as infection keeps shutting me down. I still need assistance though login may be sporadic. I am updating Malwarebytes and removing bdagent.exe
livesrv.exe
vsserv.exe
bdwizreg.exe
seccenter.exe
thanks
Those files are from a previous BitDefender installation and your JunkPoly alert may be a simple false positive. Unless you've used a “non-orthodox” BD kit.
To remove all traces of BitDefender do like here and download the tool linked in the description → http://www.bitdefender.com/KB333-en--How-to-uninstall-BitDefender.html