Suspicious File found - Avast warning

Hi,

I’m using AVAST 4.8 Home edition. Since yesterday I’m getting a pop-up (picture attached). Even if it is deleted, it comes back after a restart of the PC. Somebody please help me.

Earlier I got the same message, but that time the file name was a.bat.

Thanks in advance

Shaju

Hi…

To help clarify if this is an actual infection or a false positive, please download and run the following tools…

F-Secure’s Blacklight…

http://www.f-secure.com/security_center/

(scroll down to “downloads.”)

Trend Micro Rootkit-Buster…

http://www.trendmicro.com/download/rbuster.asp

Also, you might want to have your system scanned by an online virus scanner such as this one…

http://housecall.trendmicro.com/housecall/

I would also recommend downloading and running a scan with MalwareBytes and SAS…

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

http://www.superantispyware.com/

What operating system are you running?

Please post back with the results. :slight_smile:

May God Bless you!

.

I suggest:

  1. Clean your temporary files.
  2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then reenable it again.
  7. Immunize your system with SpywareBlaster.
  8. Check if you have insecure applications with Secunia Software Inspector.

Hi…

I don’t understand what you mean. ???

Best Regards…

ardvark, maybe the user needed to edit his post… the message body can’t be left blank.

Hi Tech…

Perhaps, but the post was left that way. It might mean “I’ll get back with you on this.” :slight_smile:

Best Regards…

Sorry, it was a mistake from me to do that blank posting.

Let me come back to the business.

I have tried as ardvark suggested:

F-Secure’s Blacklight…

http://www.f-secure.com/security_center/

(scroll down to “downloads.”)

Trend Micro Rootkit-Buster…

http://www.trendmicro.com/download/rbuster.asp

Both give me sccfg.sys in the root folder. Then I deleted it in safe mode after changing the attributes of this file.

When I checked thoroughly I got one exe, vamsoft.exe. I suppose this is creating the problem for me.

It is creating yb12j.cmd in the root folder and it is creating commands in autorun.inf in the root folder. It also creates ciuytr1.dll in the c:\windows\system32 folder.

I deleted

c:\windows\system32\vamsoft.exe
c:\yb12j.cmd
c:\autorun.inf
c:\windows\system32\ciuytr1.dll

in safe mode (all files deleted after changing the attributes with attrib -h -r -s).

But after restarting, all except autorun.inf are coming back again. Autorun.inf is not there now.

I am running Windows XP SP3.

If anybody can help me to solve this issue, it will be very helpful.

Thanks in advance

Hi…

It appears avast was on to something. :frowning:

Prevx has a page on this particular item and their information (and free software) may help you to get rid of it…

http://www.prevx.com/filenames/X1811314716733461838-0/VAMSOFT2EEXE.html

Hope this helps. :slight_smile:

Best Regards…

Wow…

With the latest update of the Avast database (06/01/09), all these files were deleted. Thanks a lot.

Thanks avast
Thanks ardvark
Thanks Tech

Hi…

You’re welcome, I’m glad the updated database was able to get rid of the infection. :slight_smile:

Best Regards…