[Resolved] Need Help, please. Win32-gen present in my system

I downloaded Malwarebytes, cleaned up anything it requested. Did a boot scan with Avast. Upon system load, it had warned that a threat was detected (Win32-gen). I selected delete all, and it kept popping up over and over and over again. About 428 times before I hit escape. When it loaded, it had told me that Malwarebytes had been blocked and I needed permission to run it… I didn’t attempt to run it, because I hadn’t had permission to delete a particular file that turned out to be this worm.

Any help would be great, if there is any.

Hello dubblel and welcome to the forum.

How is your machine acting and what prompted you to do the scans?

What is your OS, 32 or 64-bit?
What version of Avast did you install? 5.0.677 is the current version.
What product of Avast did you install? Free, Pro, AIS?

When you ran MBAM, did you update it first, then put the infections into quarantine? Or did you delete the infections? You should have put them into quarantine where they are safe (like the Avast Virus Chest). Can you please cut and paste your last MBAM log and post into your next post?

When you did the Avast boot-scan and deleted the infections, in the future, the best option is to put the infections into the Virus Chest where they are safe. Should they be false positives or something vital that your machine needs to work, malware removal can be done and things can be restored from the Virus Chest at a later date in some cases. If you have anything in the Virus Chest, please post exactly what it says or do a screen shot if possible.

Please open the Avast GUI > Settings > Virus Chest > Maximum Size of Chest > change the size to zero > click “OK.”

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions for obtaining the OTL logs. Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).

Once your MBAM and OTL logs are posted, I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily. I will continue to provide assistance in the meantime, then remain in the background while he works with you.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine if possible unless Essexboy instructs you to do so for malware removal; use a different machine if possible to check email, sync your phone, etc.

Please do not make any further changes to your machine after you have provided the logs.

Let me know if you have any questions. Thank you.

Hi,

Thanks again so much for helping.

It’s acting OK, except the internet is being a little slow. This worm showed up after I downloaded a torrent, unfortunately. I tried downloading AVG at first, and when I couldn’t get it to install, I downloaded AVAST Free 2011… pretty much a few mins after installation it was letting me know with continuous alarms that I had an infected file… when I tried deleting the location of the folder it was in, it would show up again.

I am running Vista Home Edition, not sure if it is 32 or 64 bit.

When I ran MBAM, it did update first, automatically. I did not quarantine them at first and I deleted it. However, when I went back to retrieve your log it says there are 8 files that are in quarantine.

Here is the log from the first MBAM scan:

=================================================================================================================

Malwarebytes’ Anti-Malware 1.50
www.malwarebytes.org

Database version: 5235

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

02/12/2010 6:57:37 PM
mbam-log-2010-12-02 (18-57-37).txt

Scan type: Quick scan
Objects scanned: 172092
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{6FD31ED6-7C94-4BBC-8E95-F927F4D3A949} (Adware.180Solutions) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID (Malware.Trace) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} (Adware.Zango) → Value: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} (Adware.Zango) → Value: {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) → Value: bak_Application → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application (Hijacker.Application) → Bad: (http://www.helpmeopen.com/?n=app&ext=%s) Good: (http://shell.windows.com/fileassoc/x/xml/redir.asp?Ext=%s) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\User\AppData\Roaming\data.dat (Stolen.Data) → Quarantined and deleted successfully.

I will post the OTL Log once it is complete.

Here are the attached logs that you requested…

Again, thanks again for all your help.

Look forward to your reply.

Hi, you will need to remove all traces of AVG to enable ComboFix to run. Download the removal tool from here: http://www.avg.com/us-en/download-tools

About 428 times before I hit escape
This sounds like a file infector.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-2841862182-2716321017-428646426-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-2841862182-2716321017-428646426-1000\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKU\S-1-5-21-2841862182-2716321017-428646426-1000..\Run: [BS02NAV11] C:\Users\User\AppData\Roaming\BS02NAV11KG.exe File not found
O4 - Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Advanced Registry Optimizer.lnk = C:\Program Files\Advanced Registry Optimizer\ARO.exe File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered, and reboot the PC when it is done.
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

NEXT

Download Dr Web from here: http://www.freedrweb.com/?lng=en (link on the top right of the page), tick the EULA and then download.

It will download as an 8-digit file; save it to your desktop.

Restart in safe mode and run it.
Accept the enhanced version.
Then run the quick scan.
About halfway through you will be prompted to buy - just X the box closed.
Once finished it will generate a log; please attach that.

Hi, thanks for your help.

Here is the Quick Scan log you requested…

It is attached.

I will post the DrWeb Log as soon as it is completed…

Dependent on what Dr Web reports, we will then determine the next move.

OK, I tried running a complete scan with Dr Web, but then in the middle of the scan the screen turned blue and notified me that Windows encountered a technical error and was forced to shut down…

Should I restart in safe mode again and attempt to run the program once more?

Also, at first I ran an Express Scan and it did not find anything. Also, I couldn’t find where the log for the Dr Web scan was when it completed. Is it just the summary at the bottom that details what it finds? Or does it produce an actual log?

Anyway, that’s when I ran the complete scan, and it found at least two or three trojans before the ‘technical error’ forced a restart…

Yes please, but run a full scan this time - it may take a while.

Unfortunately, I am unable to post a Dr. Web log. I have tried several times to run a complete scan, and a ‘technical error’ always happens, prompting the message on the screen with a blue background.

It does an express scan no problem. But in Complete Scan, it will find 1 or 2 trojans, then sometime after that, it shuts down.

Do you have a copy of the files that Dr Web stalls on?

What are your current problems?

There are really no problems with the system, but I know there is something in there as I saw it when I first did a Boot Scan… and the spot seems to vary each time where it shuts down. One time it shut down after scanning 150,000 files… the next time it shut down at 250,000… I got as far as 430,000 before it shut down again…

I don’t know the files that it stalled on each time… though if you want I could run another scan and try to catch it… (the scan does take a while).

Hmm, if it was a file infector it should catch more than one on the express scan - so let’s deviate a bit now.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
[*]Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Ok, here is the requested ComboFix log…

======================================================================================================

Well, ComboFix only found two items and the rest looks OK.

What are your current problems?

Hmm…well…

Lol. Sorry. Maybe I should do a Boot Scan again and see if it’s still there? Wonder why the Dr. Web complete scan couldn’t finish?

Yes? No?


Until Essexboy returns, it will not hurt to do another boot scan.