I went to www.dwelle.org and avast alerted me that some trojans were trying to install themselves… I clicked abort connection, and instantly my floppy drive started to run… and it repeated that every few seconds…
I knew instantly that that autorun worm was back again…
So I've checked the following:
Did it create this:
C:\Program Files\Microsoft Common\svchost.exe YES it did!
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger = "C:\Program Files\Microsoft Common\svchost.exe" YES it did!
Bummer!
Then I turned on MBAM and it instantly found something suspicious in that file. But the recommendation was to ignore it.
A few minutes after that I got a message from avast! that there was a virus in my memory, that it is dangerous to work with a virus in memory, and that I should schedule a boot scan and restart. I clicked No. (There was no description of what kind of problem it was, just that there was "something" in my memory.)
I restarted the computer manually. After the restart the floppy was still grinding and avast did not report anything!
I deleted that registry string and renamed the file. After doing that the floppy stopped its activity.
Tried to scan it on VirusTotal, and only Panda and one other (unknown to me) scanner flagged it, and only as a suspicious file. No major AV software found it suspicious.
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
Use Task Manager to terminate the virus process.
Delete the original virus file (the location will depend on how the program originally penetrated the victim machine).
Delete the following parameters from the system registry (Make a backup of the registry then edit the registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
DisableTaskMgr = 1
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
NoFolderOptions = 1
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Worms" = "%System%\logon.bat"
Delete the following files:
%System%\config\csrss.exe
%WinDir%\media\arona.exe
%System%\logon.bat
%System%\config\autorun.inf
h:\autorun.inf
f:\autorun.inf
i:\autorun.inf
g:\autorun.inf
k:\autorun.inf
l:\autorun.inf
o:\autorun.inf
j:\autorun.inf
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) → Bad: (Explorer.exe logon.exe) Good: (Explorer.exe) → Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\856FODAJ\ftp[1].exe (Trojan.Agent) → Quarantined and deleted successfully.
G:\Software\Learn to Draw\LearnToDraw\CRACK_Learn to Draw for Beginners 1.0\Keygen.exe (Malware.NSPack) → Quarantined and deleted successfully.
C:\WINDOWS\system32\logon.exe (Trojan.Agent) → Delete on reboot.
I hope this will solve the problem.
What happened with avast? Why did it fail to stop the threat?
My avast version is 4.8-1335. A green window is popping up now and then informing me that a new version is available… should I install it?
When MBAM detected it I was asked what I wanted to do.
There were 2 options: Delete (or something like that) and Ignore.
And the recommendation by MBAM was to ignore it.
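The thread names several persistence points for this worm: the Image File Execution Options "Debugger" value on explorer.exe, the Winlogon Shell value that MBAM found changed to "Explorer.exe logon.exe", the DisableTaskMgr / NoFolderOptions policy values, the RunOnce "Worms" entry, the dropped files under system32 and %WinDir%\media, and autorun.inf in the root of every drive. The following PowerShell audit script is an added example, not code from the forum post or from any AV vendor; it reads all of those locations and reports what it finds without deleting anything, so it can be run before the manual cleanup the removal instructions describe and again afterwards to confirm the machine is clean. It assumes an elevated PowerShell 5.1 or later session on the suspect machine; %System% and %WinDir% are resolved from the environment rather than hard-coded.

```powershell
# Added audit script (not from the forum post). Read-only: reports the
# persistence points named in the thread and changes nothing.
# Assumption: run as Administrator in PowerShell 5.1+ on the suspect machine.

$findings = @()

function Add-Finding {
    param([string]$Where, [string]$Detail)
    $script:findings += [pscustomobject]@{ Where = $Where; Detail = $Detail }
}

# 1. IFEO "Debugger" on explorer.exe: Windows launches that program instead of
#    explorer.exe, which is how the file under "Microsoft Common" got control.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
$dbg = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($dbg) { Add-Finding $ifeo "Debugger = $dbg" }

# 2. Winlogon Shell must be exactly "explorer.exe"; anything appended runs at logon.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') { Add-Finding "$wl\Shell" $shell }

# 3. Policy values the worm sets to keep the user from seeing or killing it.
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
)
foreach ($p in $policies) {
    $v = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($v -eq 1) { Add-Finding "$($p.Path)\$($p.Name)" "= $v" }
}

# 4. Run/RunOnce entries that launch a .bat or anything under system32\config
#    (that folder holds registry hives; it should never contain executables).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($run in $runKeys) {
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $val = [string]$prop.Value
        if ($val -match '\.bat|\\config\\') { Add-Finding "$run\$($prop.Name)" $val }
    }
}

# 5. Dropped files named in the thread, resolved from the real system folders.
$sys = [Environment]::GetFolderPath('System')
$win = [Environment]::GetFolderPath('Windows')
$suspectFiles = @(
    "$sys\config\csrss.exe", "$sys\logon.bat", "$sys\config\autorun.inf", "$sys\logon.exe",
    "$win\media\arona.exe",
    "${env:ProgramFiles}\Microsoft Common\svchost.exe"
)
foreach ($f in $suspectFiles) {
    if (Test-Path -LiteralPath $f -ErrorAction SilentlyContinue) { Add-Finding 'file' $f }
}

# 6. autorun.inf in the root of every mounted drive (floppy and USB included):
#    the worm's spreading mechanism. Only the launch lines are shown.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $d.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
        $launch = Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
                  Where-Object { $_ -match '^(open|shellexecute)=' }
        Add-Finding 'autorun.inf' ("{0} -> {1}" -f $inf, ($launch -join '; '))
    }
}

if ($findings.Count -eq 0) { 'No indicators from the thread were found.' }
else { $findings | Format-Table -AutoSize }
```

Because the script only reads, it is safe to run while the infection is live; a clean result after the manual cleanup is the confirmation the thread was missing, since both avast and MBAM gave conflicting advice. The Run keys are checked as well as RunOnce because a worm that survives one reboot has usually copied itself to the persistent key too. Keep the registry backup the removal instructions call for before deleting anything the script reports.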