Hi!
It seems my comp has been infected by “win32:Trojano-1165[trj]” as my last boot-time scan indicated. A search in google hasn’t returned much at all. I ran avast and during the memory test, warnings pop up one after another telling me that “memory has been infected”. The files infected are many, and I’m not sure what to do right now.
I think this might have to do with my internet explorer somehow. I switched to firefox quite a while ago, but I do use ie once in a while. Today when I opened ie an avast warning popped up saying my C:\WINDOWS\registration\doc.dll is infected.
The other stuff my last boot-time scan picked up were trojan-gen{VB}, win32:swizzor-gen[trj], etc.
Any help is much appreciated! Thank you in advance!
When avast finds a virus in the memory it usually offers the option to run a boot-time scan; this is the best option. I don't have a doc.dll file in the registration folder, Windows XP Pro SP2 fully up to date.
A google search for the file name usually returns more information than the virus name as there is no naming convention/standards and AV companies often use different names. A search for doc.dll gives many hits relating to ghostscript but not in the windows\registration folder.
What action did you take when avast detected the virus on the boot-time scan, and what were the file names and locations, if you remember?
A forum search for win32:swizzor-gen returns many hits, this being one http://forum.avast.com/index.php?topic=20552.0
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode. Ewido Security Suite
I did run the boot-time scan when the popup says that it’s dangerous to have virus in the operating system and that a boot-time scan is advised.
During the boot-time scan I deleted right off the files that were infected with trojano-1165, because I couldn’t repair them. I didn’t take any action towards the files that are in the “Windows” files because they cautioned against it; so I chose “ignore” for most of them.
The boot-time scan picked up a total of 31 infected files and many of them are in the WINDOWS file. I’m not sure if I should touch them. And as for the ones that I did delete from the WINDOWS folder, I’m starting to worry that maybe they’re vital and irreplaceable and shouldn’t have been deleted. What should I do now?
*Some of the infected file names/locations I remember are:
C:\WINDOWS\system32\usmt\runplay.dll
C:\WINDOWS\Help\wap.dll
C:\WINDOWS\msagent\msdll.dll
(the above are picked up by ewido and quarantined)
C:\WINDOWS\System32\kernet32.dll
C:\WINDOWS\System32\winsock.dll
C:\WINDOWS\System32\wsock32.dll
C:\WINDOWS\msagent\sinet.dll
(the above are in the virus chest in avast)
Run another boot time scan and select the option ‘move to chest’ to put the malware in quarantine: this way you can restore any legitimate files in the unlikely event that they are mistaken for malware.
You should also run a scan with Ewido, as David suggests. Do this in safe mode for best results. (Tap F8 while rebooting.)
I would also recommend scans in safe mode with Ad-Aware and Spybot Search & Destroy, if you don't use them already.
As Frank mentions, malware loves to hide in the system folders because people believe it is an important file. Should you find a file detected by avast or any other security-based program, don't delete it (never a good first option) as you have no way of recovery; send it to the avast chest or quarantine, etc. and investigate like you are doing here.
Do a google search on the file name detected as infected and this will often show it isn’t a system file at all but malware. There will be occasions where there are no references found and that in its own right is suspicious (but not confirmation) that it could be malware.
Placing files in the system folders (XP) requires administrator permission.
Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.
Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
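As an added illustration of the triage advice in this thread (look the detected name up rather than deleting it, and treat a "system" name that is almost right as a disguise), here is a small Python script. It is not code from any poster, from avast or from Ewido. It takes the file paths quoted above as constructed sample input and compares each file name against a deliberately small, hand-typed reference set of genuine Windows XP system DLL names (an assumption; real triage would use a complete vendor file list or a hash database). A name that is on the list is flagged as possibly legitimate (quarantine, never delete); a name that is merely close to one on the list, such as kernet32.dll next to kernel32.dll, is flagged as a look-alike; everything else is marked unknown for research.

```python
import difflib
import ntpath
import re

# Constructed sample input: the detection paths quoted in the thread above.
DETECTED = [
    r"C:\WINDOWS\registration\doc.dll",
    r"C:\WINDOWS\system32\usmt\runplay.dll",
    r"C:\WINDOWS\Help\wap.dll",
    r"C:\WINDOWS\msagent\msdll.dll",
    r"C:\WINDOWS\System32\kernet32.dll",
    r"C:\WINDOWS\System32\winsock.dll",
    r"C:\WINDOWS\System32\wsock32.dll",
    r"C:\WINDOWS\msagent\sinet.dll",
]

# Assumption: a deliberately small reference set of genuine Windows XP system
# DLL names. A real triage would compare against a complete, vendor-supplied
# file list or a hash database, not a hand-typed set like this one.
KNOWN_SYSTEM_DLLS = {
    "kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
    "shell32.dll", "ws2_32.dll", "wsock32.dll", "winsock.dll",
}

# Anything under <drive>:\WINDOWS\ counts as "the system folders" of the thread.
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)


def in_windows_folder(path):
    """True if the path lies anywhere under the WINDOWS folder."""
    return bool(WINDOWS_DIR.match(path.replace("/", "\\")))


def triage(path, known=KNOWN_SYSTEM_DLLS, cutoff=0.85):
    """Classify a detected file name against the reference list.

    Returns (verdict, closest_known_name, similarity):
      'known-system-name' - the name is on the list: a genuine file may have
                            been replaced or falsely detected, so quarantine it
                            (move to chest) and never delete it outright
      'lookalike'         - close to a known name but not equal (kernet32.dll
                            next to kernel32.dll): a classic disguise
      'unknown'           - no resemblance: research the name before acting
    """
    name = ntpath.basename(path).lower()
    if name in known:
        return ("known-system-name", name, 1.0)
    best, score = None, 0.0
    for candidate in known:
        # Ratio of matching characters; 1.0 means identical strings.
        ratio = difflib.SequenceMatcher(None, name, candidate).ratio()
        if ratio > score:
            best, score = candidate, ratio
    if score >= cutoff:
        return ("lookalike", best, round(score, 3))
    return ("unknown", None, round(score, 3))


def report(paths):
    """Triage every path: {path: (verdict, closest, similarity, under_windows)}."""
    return {p: triage(p) + (in_windows_folder(p),) for p in paths}


if __name__ == "__main__":
    for path, (verdict, closest, score, sysdir) in report(DETECTED).items():
        hint = f" (resembles {closest})" if verdict == "lookalike" else ""
        where = "under WINDOWS" if sysdir else "elsewhere"
        print(f"{verdict:18} {path}  {where}{hint}")
    print("\nIn every case: move to chest/quarantine first, delete only after investigation.")
```

Run it as-is and the kernet32.dll entry is reported as a look-alike of kernel32.dll, while winsock.dll and wsock32.dll (real XP files that may simply have been infected or misdetected) come out as known system names, which is exactly the case where "move to chest" rather than "delete" keeps a recovery option open. The similarity cutoff is an assumption tuned for these samples; lower it and more names will be called look-alikes.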