Virus Creating Itself!!

Hey, sorry for asking for help on my first post, but I’ve come home from uni to find my parents have completely messed up his computer. I installed Avast and I came across a bunch of trojans I can’t delete, so I ran Avast on startup and managed to delete the files… then I realised they were there again!
So I went into safe mode and deleted files that were believed to be viruses… then I started my computer up normally again to find that the same files were back on my computer!!!

I know there’s some sort of file that keeps creating these files every time I start up and I have no idea what file it is.

I just sent a few files to the chest, but some viruses still remain… some of them change names whenever they’re re-created… here’s a screenshot of what my C drive usually looks like…

http://img95.imageshack.us/img95/957/virusyv4.jpg

I usually have more files on there but I sent some to my chest; goto.exe and winstall.exe are usually on my C drive too.

There would appear to be more elements to the infection that restores or downloads the malware again.

  • What operating system are you using? Is it up to date?
  • What avast! version and VPS file (virus database) number, e.g. 0630-2 (see about avast!)?
  • Can you give some examples of the infected file name/s and where they were found, e.g. (C:\windows\system32\infected-file-name.xxx)?

Winstall.exe is usually associated with SpySheriff, a rogue anti-spyware application that uses fake alerts and false positives: http://www.bleepingcomputer.com/forums/topic22402.html

This one has a combined Smitfraud (removes a number of different rogue programs) removal tool with instructions,
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php Smitfraud is mentioned in the first link.

It won’t hurt, on the contrary, if you:

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
  4. Download, install, update and run other trojan remover tools: a-squared, Free AVG Antispyware, SUPERantispyware or Spyware Terminator.

Don’t neglect to have a quick check for rootkits too. This is malware which hides itself, although not always 100%; files which keep appearing like this are sometimes the symptom of other malware hidden by a rootkit.

http://www.f-secure.com/blacklight/

I’m using MS XP Home SP2. As far as I know it’s up to date, apart from IE7… as it keeps rebooting whenever I try to install it. My avast version is 4.7-892, I think.

I’ve just sent a load of C:\Documents and Settings\Comet (no idea why it’s called that, not my PC). I also have a lot of infected files within Temporary Internet Files, which all re-appear after deleting!

Thanks, I’ll try that link you gave me.

I suspect that you only have the windows XP firewall (?), which won’t stop unauthorised outbound internet access, which can make it difficult to clean your system.

Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

The other tools Tech mentioned in Step 4 above detect whatever it is that is responsible for them returning, so don’t ignore that advice or Frank’s.