Win 32: Trojano-3099

I have been experiencing problems with the above virus. Avast detects and asks for its removal, which has been done, but the problem seems to be in the operating system and keeps re-propagating. I have turned off the system restore function and scheduled a boot-scan, but even this does not seem to eradicate the problem. What other methods can I employ to ensure I remove this once and for all? I keep getting pop-ups that my machine is infected and to “click here” to find out how to remove the infection.

Any tips greatly appreciated.

What is the file name that is infected and where is it located, for example (C:\windows\system32\infected-filename.xxx)?

Hi nodrog:

Download this scanner here: http://www.mwti.net/products/mwav/mwav.asp
Go to secure mode and start the scanner with MVAVSCAN.COm or mvav.exe. Put ticks in all the boxes and check "All files, Memory, Start-up folders, Registry, System Folders, Services, Drive (all local drives), Folder [C:\Windows], Include SubDirectory", then click Scan. After use, you can remove the scanner from your system.

See picture below:

polonus

Try Ewido Trojan remover, which can remove process injecting Trojans, which avast! seems to have a problem with.

It could also be a rootkit causing problems. Hopefully Ewido will find it and give it a more meaningful name if it is a rootkit.

As David said, knowing the filename would allow us to determine this.

http://www.ewido.net/en/

Thanks to all that have taken the time to respond.

Will be heading home in a few hours and will try the suggestions made and get the filename for further analysis if they fail. Will keep you all posted how it goes.

Nodrog

Hello,
I have the exact same problem. Infected file: c/docume~1/laura’s/locals~/temp/5.tmp

I have deleted it several times. It jumps around in 5 similar files.

The address you gave said the free version could find it but not destroy it.

thanks for any help

Try Ewido (link in post above) and a-Squared (link below): the free versions of each will remove malware.

http://www.emsisoft.com/en/

Also worth trying are some online scanners which remove malware: Trend Micro Housecall, Panda, F-Secure:

http://www.geocities.com/dontsurfinthenude/antivir2.htm

Disable avast! before scanning or you’ll get some false positives; see the note on the page.

Trend Micro Sysclean is also very good if you can’t get Housecall to run; the link is on the same page.

Thank you for the response.

There are versions 1, 2, and 3 on said site and I downloaded #1.

Should that be good enough?

I didn’t disable avast. Will try that next. Thanks :)

I have this exact same virus. It says it’s in doc & settings\dan\local etc… I tried a-squared, deleting temp files, running avast in boot mode, Microsoft’s anti-spyware; avast wouldn’t open the chest in safe mode. Avast did isolate ‘Trojan Hoaxalarm’ just before this all started on Dec. 28th. I’ll keep in touch here. Hope we come up with something soon! It seems to be getting worse. :-\

Here’s some generic advice about how to manually remove malware. The first line of attack is to run a boot time scan with avast!, and scans with Ewido and a-Squared.

Then run HijackThis! and look for suspicious entries:

http://www.bleepingcomputer.com/forums/tutorial42.html

Save a log file and analyse it here:

http://hijackthis.de/

You can submit unknown files to a multi-engine online scanner while viewing the results.

Unknown entries can be checked by Googling the file name.

Entries highlighted as nasty may not be; do some research before removing anything. Some ISP entries are classed as nasty. Do not assume that you can remove any such entries. Google the result first.

Fixing malware entries, rebooting into safe mode and deleting the file will sometimes remove the malware. Some malware is not removed so easily.

For malware in temp files:

Run Process Explorer and look for files starting from a temp file. (Click on each process to view details in the lower screen.)

http://www.sysinternals.com/Utilities/ProcessExplorer.html

Legitimate files do not normally start from temp files, but Google any processes found running from temp files. Malware files often have randomly generated names and will not come up on Google. It’s a pretty safe bet these are malware files.

If the process seems to have a random name, or is definitely identified as malware on Google, use Process Explorer to kill the process.

Use HijackThis! to identify the startup entry for the process and fix it. Reboot into safe mode and delete the file if you can find it. Alternatively, run CCleaner.

http://www.ccleaner.com/

CCleaner will stall if malware processes are running from temp files. If CCleaner completes its cleanup after you fix malware entries, it means the removal was successful.

Unsophisticated Trojans can often be removed in this way. Sometimes malware has two processes running so that one can protect the other, or uses other methods to protect itself.

If more than one malware process is found, Winpatrol has an option to kill multiple processes and delete malware files on reboot.

http://www.winpatrol.com/

If these methods don’t work, try to give us as much information as possible so we can suggest other ways of tackling the malware.

Give us the process name and the full location it is starting from.

Try to submit the malware file to Jotti’s multi-engine online scanner to identify the malware that is at the root of the problem. You can submit files directly to Jotti from the HijackThis analysis, or here:

http://virusscan.jotti.org/

Good luck!
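The "look for processes running from temp files with random-looking names" step above, as an added triage script that is not part of this thread or of any of the tools it names. It runs over a constructed process list modelled on the paths mentioned in the thread; `collect_live()` uses the third-party `psutil` module if it is installed (an assumption), otherwise the sample is used.

```python
import re

# Constructed sample of running processes as (pid, image name, full path),
# modelled on the Temp-folder paths mentioned in this thread. Made-up values.
SAMPLE_PROCESSES = [
    (1204, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
    (1388, "ashServ.exe", r"C:\Program Files\Alwil Software\Avast4\ashServ.exe"),
    (2016, "5.tmp", r"C:\Documents and Settings\laura's\Local Settings\Temp\5.tmp"),
    (2040, "xkqzvp.exe", r"C:\DOCUME~1\dan\LOCALS~1\Temp\xkqzvp.exe"),
    (2100, "setup.exe", r"C:\Documents and Settings\dan\Local Settings\Temp\setup.exe"),
]

# A path component named Temp or Tmp anywhere in the path; this covers the
# 8.3 short form (LOCALS~1\Temp) as well as the long form.
TEMP_DIR = re.compile(r"[\\/](temp|tmp)[\\/]", re.IGNORECASE)


def looks_random(image_name):
    """Heuristic for machine-generated names: all digits (5.tmp), or five or
    more letters with no vowels at all. Pronounceable names pass."""
    stem = image_name.rsplit(".", 1)[0]
    if stem.isdigit():
        return True
    return len(stem) >= 5 and stem.isalpha() and not re.search(r"[aeiou]", stem, re.I)


def triage(processes):
    """Return (pid, name, path, reasons) for every process worth a closer look,
    in input order. Reasons are plain strings for the human reviewing the list;
    a hit still needs research (Google, Jotti) before anything is killed."""
    findings = []
    for pid, name, path in processes:
        reasons = []
        if TEMP_DIR.search(path):
            reasons.append("runs from a Temp folder")
        if looks_random(name):
            reasons.append("random-looking image name")
        if reasons:
            findings.append((pid, name, path, reasons))
    return findings


def collect_live():
    """Enumerate real processes with psutil (third-party module, assumed
    installed); returns [] when it is missing so the sample data is used."""
    try:
        import psutil
    except ImportError:
        return []
    return [(p.info["pid"], p.info["name"], p.info["exe"])
            for p in psutil.process_iter(["pid", "name", "exe"]) if p.info["exe"]]


if __name__ == "__main__":
    for pid, name, path, reasons in triage(collect_live() or SAMPLE_PROCESSES):
        print(f"PID {pid:>5}  {name:<14} {path}\n           -> {', '.join(reasons)}")
```

On the sample data the script flags the three Temp-folder processes and marks two of them as having random-looking names; setup.exe is reported only because of its location.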

The Ewido anti-malware seemed to take care of the problem. Thank you for all your suggestions.

Welcome to the forums and a Happy New Year.