Some problems for a woman...

I have my avast! for 2 months, but yesterday I had received some viruses- trojans…
their names:
tmp1.tmp
tmp2.tmp
tmp2.tmp
tmp2.tmp
tmp2.tmp
tmp28.tmp
winsyst32.exe
winsyst32.exe
I can’t find it anywhere, what to do with this…
Every time when I start my computer, I have a window, it says: new virus has been detected.
It’s still the same one, but it multiplies.
Can you help me? You know, I am a woman, it says, that I am not good at computer technology…

It sounds like rogue spyware. Download Rogue Remover from here and run it: http://www.majorgeeks.com/downloadget.php?id=5360&file=10&evp=2e0d43eb67e1e71c0b31e62c003599c0

A log will be produced at the end. Post it here and let us know how your system is running. If by some chance that doesn’t work, then we will look a bit deeper :-*

Investigation shows W32.HLLW.Morb@mm, so it may need SUPERAntiSpyware Free to remove it. That is available here: http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE but a scan will take at least 30 minutes. Instructions for SAS:

On the first page select SCAN YOUR COMPUTER
On the next page select COMPLETE SCAN and tick ALL your drives
The next stage will take a while as your entire drive(s), memory and registry are scanned
When it has completed click NEXT
The next screen shows the problems found; click OK
On the next screen place a tick against all items and select NEXT

Now to get the log, go to the PREFERENCES button on the right bottom
Select the STATISTICS/LOG tab
Highlight the scan just completed and click VIEW LOG
This will open a Notepad text file; copy and paste this to your next reply

essexboy: I had downloaded… Spyware… and it detected a Trojan, but it said: file is deleted. Ok, so I downloaded another one, Avast! something, which should help me to delete these files, and it hasn’t detected anything. But in Avast! quarantine I’ve still got 8 files (7 trj) and 1 Adw.
Your hints should help.
Now I can’t do this, in the evening I should tell you something.

And how to scan my computer? What do you recommend?

Please, help me!

PS. Sorry for my poor English, but I am Polish…

I assume you are talking about the avast! virus cleaner?
If so, this is a specific tool designed to clean up after certain virus infections and not a general anti-virus. It is only looking for specific virus infections; the names are listed on the page where you downloaded the avast virus cleaner.

The avast! virus cleaner is a part of the avast anti-virus and if those specific viruses are found the tool would be used to clean infected files.

You have done the right thing: ‘first do no harm’. Don’t delete; send the virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

Yes, I mean Avast! cleaner.
But why have I still got the same window, that a virus has been found? It multiplies!

Because it is likely you have an undetected trojan downloading more malicious content, which is being detected by avast.

The superantispyware that was mentioned by essexboy is more of a specialist trojan hunter. Did you run that scan?
It may find the trojan responsible.

Is this window an avast alert or this rogue program?
Can you post a screenshot of the window?

Where are these infections found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

ok, here is the picture from the chest

if you mean picture of warning window, I can’t do that now, but tomorrow I can send it to you, is it ok?

If I have found these viruses and I had something like this Docume1\Katarz\Ustawi\Temp\tmpA.tmp
I think, it is in Temporary Internet Files. Can I delete all the files from this folder?

OK, all the locations were detected on your hard disk and are now safely tucked up in the avast chest (quarantine), where they can do no harm.

However, how did they get there, as they should be detected by the web shield if they came from a web site? The temporary internet files are usually in a slightly different location, but you may have changed that?
You can delete the temporary internet files, but you may get a file in use warning. Some temp folder cleaners, ClearProg - Temp File Cleaner or CCleaner - Temp File Cleaner, etc.

You didn’t say if you did the scan for the superantispyware link?

No problem, whenever you can get the image of the warning.

Whenever I turn on my computer, the information from Avast! is the same:
win32:small-gen2 [Trj]

I have downloaded SUPER Anti Spyware, it gave me the detection on the window as follows:

Thank you for your links to help, I’m looking forward to hearing from you. Thanks a million, I hope you know the answer.

We appreciate the images and keeping the size down but we (well I) can’t read them, so a little larger would be great.

sorry ;D

here they are:
<new, today’s scan>

Every time when I scan my computer I have different number of my viruses… 5 mins ago I had 21…
but it is still about 20, I think

Hi Kayla,

The Rustock registry entries and the detection of winsyst32.exe suggest you have a Rustock infection which uses rootkit technology to hide itself.

The real infection is hidden: that’s why you can’t remove it.

Try scanning for rootkits.

I’d recommend F-Secure BlackLight, the Panda scanner, the BitDefender Scanner and maybe the Sophos scanner listed here:

http://www.antirootkit.com/software/index.htm

Legitimate applications can sometimes have hidden processes, so check here if you find anything suspicious.

If you find and remove a rootkit, run a scan with avast! immediately afterwards.

There’s also a removal tool you could try here:

http://www.greatis.com/security/Rustock(lzx32.sys)_free_removal_tool.htm

Direct link:

http://greatis.com/reanimator.zip

Also instructions here using RkUnhooker:

http://forum.sysinternals.com/forum_posts.asp?TID=9471&PN=1&TPN=3

Seems Panda may be onto the problem so their scanner might work, although there is a warning:

The problem is that the system could be left unstable after deleting/renaming the hidden objects, maybe not even being able to boot correctly. In that case we're thinking about a boot control, so that if the system is unable to boot correctly after cleanup, during the second boot we would restore the system to the previous (infected) state for manual removal.