Please can anyone give me some details on how to remove this virus
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe - Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log
Report the contents of the two logs that are generated by MBAM and SAS.
(I'm not the first user who started this thread, but since I found the same issue I'll reply.)
I've just come home today and found a lot (something like 12) of dialogs saying something like:
read error 9
Just remember this 9; it looked to me like a VB error.
I've noticed they had a very unique icon… and a strange name.
http://www.freeimagehosting.net/uploads/th.e49793e1f7.png
After a scan with avast I got this:
(Yes, I plugged in my USB to check if the malware came from there; guess not.)
23/05/2009 11:30:18 PM vaca 3208 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\k7y5e9f1l9t6.exe" file.
23/05/2009 11:32:49 PM vaca 4684 Sign of "Win32:Agent-AFFV [trj]" has been found in "C:\Documents and Settings\vaca\f3k7i64f5.exe" file.
23/05/2009 11:39:26 PM vaca 4320 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\k7y5e9f1l9t6.exe" file.
24/05/2009 12:00:07 AM vaca 5024 Sign of "Win32:Alexabar [trj]" has been found in "C:\WINDOWS\system32\AlxRes.dll" file.
24/05/2009 12:00:14 AM vaca 5024 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\system32\AlxTB1.dll" file.
24/05/2009 12:01:07 AM vaca 3332 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\k7y5e9f1l9t6.exe" file.
24/05/2009 12:03:22 AM vaca 6076 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\k7y5e9f1l9t6.exe" file.
24/05/2009 12:11:15 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\k7y5e9f1l9t6.exe" file.
24/05/2009 12:11:29 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\Local Settings\Temporary Internet Files\Content.IE5\WGH4UDE7\EXmay[1].jpg" file.
24/05/2009 12:11:47 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\Local Settings\Temporary Internet Files\Content.IE5\U1AUT2DN\EXmay[1].jpg" file.
24/05/2009 12:11:57 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\k7y5e9f1l9t6.exe" file.
24/05/2009 12:13:14 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\Local Settings\Temporary Internet Files\Content.IE5\WGH4UDE7\EXmay[1].jpg" file.
24/05/2009 12:13:20 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\k7y5e9f1l9t6.exe" file.
24/05/2009 12:14:53 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\Local Settings\Temporary Internet Files\Content.IE5\U1AUT2DN\EXmay[1].jpg" file.
24/05/2009 12:15:19 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\k7y5e9f1l9t6.exe" file.
24/05/2009 12:15:26 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "F:\ROOT\SYSTEM\MaY.exe" file.
24/05/2009 12:15:42 AM SYSTEM 1628 Sign of "BV:AutoRun-R [Wrm]" has been found in "F:\autorun.inf" file.
24/05/2009 12:15:46 AM SYSTEM 1628 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\sys.exe" file.
24/05/2009 12:15:58 AM SYSTEM 1628 Sign of "BV:AutoRun-R [Wrm]" has been found in "F:\autorun.inf" file.
24/05/2009 12:16:06 AM SYSTEM 1628 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\sys.exe" file.
24/05/2009 12:16:16 AM SYSTEM 1628 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\sys.exe" file.
24/05/2009 12:16:20 AM SYSTEM 1628 Sign of "BV:AutoRun-R [Wrm]" has been found in "F:\autorun.inf" file.
24/05/2009 12:16:36 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\Local Settings\Temporary Internet Files\Content.IE5\WGH4UDE7\EXmay[1].jpg" file.
24/05/2009 12:16:47 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\k7y5e9f1l9t6.exe" file.
24/05/2009 12:16:50 AM SYSTEM 1628 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\sys.exe" file.
24/05/2009 12:16:56 AM SYSTEM 1628 Sign of "BV:AutoRun-R [Wrm]" has been found in "F:\autorun.inf" file.
24/05/2009 12:17:14 AM SYSTEM 1628 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\sys.exe" file.
24/05/2009 12:17:18 AM SYSTEM 1628 Sign of "BV:AutoRun-R [Wrm]" has been found in "F:\autorun.inf" file.
24/05/2009 12:17:37 AM SYSTEM 1628 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\sys.exe" file.
24/05/2009 12:17:42 AM SYSTEM 1628 Sign of "BV:AutoRun-R [Wrm]" has been found in "F:\autorun.inf" file.
24/05/2009 12:17:55 AM SYSTEM 1628 Sign of "BV:AutoRun-R [Wrm]" has been found in "F:\autorun.inf" file.
24/05/2009 12:19:28 AM SYSTEM 1628 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\sys.exe" file.
24/05/2009 12:19:33 AM SYSTEM 1628 Sign of "BV:AutoRun-R [Wrm]" has been found in "F:\autorun.inf" file.
24/05/2009 12:19:48 AM SYSTEM 1628 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\sys.exe" file.
24/05/2009 12:19:59 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\Local Settings\Temporary Internet Files\Content.IE5\U1AUT2DN\EXmay[1].jpg" file.
24/05/2009 12:20:07 AM SYSTEM 1628 Sign of "BV:AutoRun-R [Wrm]" has been found in "F:\autorun.inf" file.
24/05/2009 12:20:14 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\Local Settings\Temporary Internet Files\Content.IE5\WGH4UDE7\EXmay[1].jpg" file.
24/05/2009 12:20:25 AM SYSTEM 1628 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\sys.exe" file.
24/05/2009 12:20:34 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\k7y5e9f1l9t6.exe" file.
24/05/2009 12:20:42 AM SYSTEM 1628 Sign of "BV:AutoRun-R [Wrm]" has been found in "F:\autorun.inf" file.
24/05/2009 12:21:38 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\Local Settings\Temporary Internet Files\Content.IE5\U1AUT2DN\EXmay[1].jpg" file.
24/05/2009 12:21:44 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\k7y5e9f1l9t6.exe" file.
24/05/2009 1:08:19 AM vaca 4324 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\k7y5e9f1l9t6.exe" file.
Even after I or avast delete the file, it pops up again there, and I noticed it first starts at 140 kb with no icon; 2 seconds later it becomes this 500 kb file with an anime icon.
However, the dialog error doesn't show anymore.
I'll leave SUPERAntiSpyware scanning during the night.
I must say that avast on-access protection was off when the dialogs popped up (mostly because of false positives on 64k demo-intros).
Ah, another piece of information I've just found: that strange infected jpg file says it was accessed from members.lycos.co.uk/redem1234/EXmay.jpg
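The avast Warning.log excerpt quoted above is long enough that the pattern is easy to miss by eye: one dropper file is detected again and again under different process ids, and a second cluster of hits sits on the F: drive. Here is an added Python triage script (not part of this thread, not avast's own tooling) that parses that log format and reports exactly those two things. The six sample lines are copied from the log above, plus one deliberately malformed line; the regex is written from the two line shapes visible in the thread (the 12-hour form and the boot-time form with an extra epoch field) and is an assumption about the format, not avast documentation.

```python
"""Triage helper for avast 4 Warning.log lines, in the shape quoted in the
post above. Groups detections by signature and by file, so the reader can see
which file keeps being re-dropped and which hits live on a removable drive."""
import re
from collections import Counter, defaultdict

# One regex covers both line shapes seen in the thread: the 12-hour form
# ("24/05/2009 12:15:42 AM SYSTEM 1628 ...") and the boot-time form that
# carries an extra epoch field ("24/5/2009 11:55:44 1243176944 SYSTEM 1728 ...").
# Assumed from the quoted lines, not taken from avast documentation.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) '
    r'(?P<time>\d{1,2}:\d{2}:\d{2}(?: [AP]M)?)'
    r'(?: (?P<epoch>\d{9,10}))? '
    r'(?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)

# Sample input: six lines copied from the log in the post above plus one
# deliberately malformed line, so the "unparsed" bucket is exercised.
SAMPLE_LINES = [
    r'23/05/2009 11:32:49 PM vaca 4684 Sign of "Win32:Agent-AFFV [trj]" has been found in "C:\Documents and Settings\vaca\f3k7i64f5.exe" file.',
    r'24/05/2009 12:11:15 AM SYSTEM 1628 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\k7y5e9f1l9t6.exe" file.',
    r'24/05/2009 12:15:42 AM SYSTEM 1628 Sign of "BV:AutoRun-R [Wrm]" has been found in "F:\autorun.inf" file.',
    r'24/05/2009 12:15:46 AM SYSTEM 1628 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\sys.exe" file.',
    r'24/05/2009 1:08:19 AM vaca 4324 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\k7y5e9f1l9t6.exe" file.',
    r'24/5/2009 11:55:44 1243176944 SYSTEM 1728 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\sys.exe" file.',
    'this line is not a Warning.log entry',
]


def parse_line(line):
    """Return a dict (date, time, epoch, user, pid, sig, path) or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def summarize(lines, system_drive="C:"):
    """Aggregate Warning.log lines into a triage summary.

    by_signature   : hits per signature name
    by_path        : hits per (lower-cased) file path
    recurring      : paths hit more than once, i.e. the file is being re-created
                     after deletion, which points at a dropper still running
    removable      : paths on any drive other than system_drive
    autorun        : paths whose file name is autorun.inf
    detecting_pids : which scanner process ids reported each path
    unparsed       : lines the regex rejected, kept so nothing is silently lost
    """
    by_signature = Counter()
    by_path = Counter()
    pids_per_path = defaultdict(set)
    unparsed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed.append(line)
            continue
        path = rec["path"].lower()
        by_signature[rec["sig"]] += 1
        by_path[path] += 1
        pids_per_path[path].add(rec["pid"])
    drive = system_drive.lower()
    return {
        "by_signature": by_signature,
        "by_path": by_path,
        "recurring": sorted(p for p, n in by_path.items() if n > 1),
        "removable": sorted(p for p in by_path if not p.startswith(drive)),
        "autorun": sorted(p for p in by_path if p.rsplit("\\", 1)[-1] == "autorun.inf"),
        "detecting_pids": {p: sorted(s) for p, s in pids_per_path.items()},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for sig, n in report["by_signature"].most_common():
        print(f"{n:3d}  {sig}")
    print("re-dropped files:", report["recurring"])
    print("on removable media:", report["removable"])
    print("unparsed lines:", len(report["unparsed"]))
```

Run against the full Warning.log (pass `open(path).read().splitlines()` to `summarize`), the `recurring` list names the files that keep coming back after deletion, which is the symptom described in the post, and `removable` separates the USB-stick hits from the ones on the system drive so the two can be cleaned in the right order.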
Oh yes it did.
24/05/2009 12:15:58 AM SYSTEM 1628 Sign of "BV:AutoRun-R [Wrm]" has been found in "F:\autorun.inf" file.
24/05/2009 12:16:06 AM SYSTEM 1628 Sign of "Win32:Trojan-gen {Other}" has been found in "F:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\sys.exe" file.
Download http://download.cnet.com/Autorun-Eater/3000-2239_4-10752777.html and start the program; let it scan for bad autorun files, then insert your flash drive. Remove the autorun.inf files.
Then run a boot-time scan with avast.
Install, update and run MBAM and SAS, then HJT (choose scan and save a log file).
Post the logs from Avast, SAS, MBAM, and HJT.
http://www.digitalred.com/avast-boot-time.php
http://www.filehippo.com/download_malwarebytes_anti_malware/
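Before deleting an autorun.inf from a flash drive it is worth knowing what it actually points at, because the file is just an INI-style text file and the only lines Windows treats as "run this" are `open=`, `shellexecute=` and `shell\<verb>\command=` under the `[autorun]` section. The following is an added Python inspector (not part of this thread and not Autorun Eater's code) that parses such a file tolerantly, lists the launch targets, and gives a keep/remove verdict for a removable drive. Both sample files are constructed for this example; the thread does not show the real contents of the F:\autorun.inf it mentions, and the key names are the standard ones documented for autorun.inf.

```python
"""Inspect an autorun.inf before removing it. Windows executes whatever the
open=, shellexecute= and shell\<verb>\command= keys in [autorun] name; label=,
icon= and the like are cosmetic. A flash drive normally has no reason to
carry any launch key at all, which is what the advice above acts on."""

# Keys whose value is executed directly. shell\<verb>\command= is matched
# separately because the verb in the middle is free text.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample 1: an autorun.inf with launch keys, a duplicated section
# and a junk line. Not the real file from the thread, whose contents are not
# shown there; the sys.exe name only echoes the detection path quoted above.
SUSPECT_INF = r"""[autorun]
open=SYSTEM\sys.exe
shell\open\Command=SYSTEM\sys.exe
shell\explore\command=SYSTEM\sys.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
hgfdjhsdfj
[AutoRun]
UseAutoPlay=1
"""

# Constructed sample 2: the harmless kind, label and icon only.
BENIGN_INF = r"""[autorun]
label=Photos 2009
icon=photos.ico
"""


def parse_autorun(text):
    """Tolerant line parser. Returns (entries, junk_count) where entries is a
    list of (key, value) taken only from [autorun] / [autorun.<arch>] sections.
    Comments (';'), blank lines and repeated section headers are accepted;
    lines that are neither a header nor key=value are counted as junk rather
    than aborting the parse, since a strict INI parser would simply fail on
    padded files and tell you nothing."""
    entries, junk, in_autorun = [], 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            in_autorun = section == "autorun" or section.startswith("autorun.")
            continue
        if "=" not in line:
            junk += 1
            continue
        key, value = line.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if in_autorun and key:
            entries.append((key, value))
    return entries, junk


def launch_targets(text):
    """(key, value) pairs that would make Windows execute something."""
    entries, _ = parse_autorun(text)
    return [
        (k, v) for k, v in entries
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))
    ]


def verdict(text):
    """For a removable drive: 'remove' if the file can launch anything,
    otherwise 'keep' (label/icon-only files are harmless)."""
    return "remove" if launch_targets(text) else "keep"


if __name__ == "__main__":
    for name, inf in (("suspect", SUSPECT_INF), ("benign", BENIGN_INF)):
        entries, junk = parse_autorun(inf)
        print(f"{name}: {len(entries)} keys, {junk} junk line(s), verdict={verdict(inf)}")
        for key, value in launch_targets(inf):
            print(f"  launches via {key} -> {value}")
```

To use it on a real stick, read the file with `open(r"F:\autorun.inf", encoding="latin-1").read()` and pass the text to `verdict`; anything the `launch_targets` list names is the executable the autorun worm was counting on, and that file should go together with the autorun.inf.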
-= Was it an Akatsuki from Naruto…?
SUPERAntiSpyware logs:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/24/2009 at 01:06 AM
Application Version : 4.26.1002
Core Rules Database Version : 3908
Trace Rules Database Version: 1853

Scan type : Quick Scan
Total Scan Time : 00:32:55

Memory items scanned : 504
Memory threats detected : 0
Registry items scanned : 492
Registry threats detected : 26
File items scanned : 2249
File threats detected : 1

Adware.Alexa
HKU\S-1-5-21-789336058-1450960922-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333}
HKCR\CLSID\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333}
HKCR\CLSID\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333}
HKCR\CLSID\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333}\InprocServer32
HKCR\CLSID\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333}\InprocServer32#ThreadingModel
HKCR\CLSID\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333}\ProgID
HKCR\CLSID\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333}\Programmable
HKCR\CLSID\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333}\TypeLib
HKCR\CLSID\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333}\VersionIndependentProgID
HKCR\AlxTB.BHO.1
HKCR\AlxTB.BHO.1\CLSID
HKCR\AlxTB.BHO
HKCR\AlxTB.BHO\CLSID
HKCR\AlxTB.BHO\CurVer
HKCR\TypeLib\{547AB549-4DD8-4ea0-B070-F6EA062148FF}
HKCR\TypeLib\{547AB549-4DD8-4ea0-B070-F6EA062148FF}\1.0
HKCR\TypeLib\{547AB549-4DD8-4ea0-B070-F6EA062148FF}\1.0\0
HKCR\TypeLib\{547AB549-4DD8-4ea0-B070-F6EA062148FF}\1.0\0\win32
HKCR\TypeLib\{547AB549-4DD8-4ea0-B070-F6EA062148FF}\1.0\FLAGS
HKCR\TypeLib\{547AB549-4DD8-4ea0-B070-F6EA062148FF}\1.0\HELPDIR
C:\WINDOWS\SYSTEM32\ALXTB1.DLL

Adware.TrustInCash
HKU\S-1-5-21-789336058-1450960922-839522115-1003\Software\TrustIn
HKCR\InetLoader.WeeklyExecuter
HKCR\InetLoader.WeeklyExecuter\CLSID
HKCR\InetLoader.WeeklyExecuter\CurVer
HKCR\InetLoader.WeeklyExecuter.1
HKCR\InetLoader.WeeklyExecuter.1\CLSID
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/24/2009 at 04:10 AM
Application Version : 4.26.1002
Core Rules Database Version : 3908
Trace Rules Database Version: 1853

Scan type : Complete Scan
Total Scan Time : 02:12:23

Memory items scanned : 472
Memory threats detected : 0
Registry items scanned : 6576
Registry threats detected : 0
File items scanned : 45213
File threats detected : 201

Adware.Tracking Cookie
C:\Documents and Settings\Administrador\Cookies\administrador@atdmt[2].txt
C:\Documents and Settings\Administrador\Cookies\administrador@mediaplex[1].txt
C:\Documents and Settings\Administrador\Cookies\administrador@2o7[2].txt
.yadro.ru [ C:\Documents and Settings\Administrator.R2Z\Application Data\Mozilla\Firefox\Profiles\xcan2bc2.default\cookies.txt ]
.hotlog.ru [ C:\Documents and Settings\Administrator.R2Z\Application Data\Mozilla\Firefox\Profiles\xcan2bc2.default\cookies.txt ]
.cs.sexcounter.com [ C:\Documents and Settings\zed\Dados de aplicativos\Mozilla\Firefox\Profiles\xubm1bz7.default\cookies.txt ]
.cs.sexcounter.com [ C:\Documents and Settings\zed\Dados de aplicativos\Mozilla\Firefox\Profiles\xubm1bz7.default\cookies.txt ]
statse.webtrendslive.com [ C:\Documents and Settings\zed\Dados de aplicativos\Mozilla\Firefox\Profiles\xubm1bz7.default\cookies.txt ]
.ehg-techtarget.hitbox.com [ C:\Documents and Settings\zed\Dados de aplicativos\Mozilla\Firefox\Profiles\xubm1bz7.default\cookies.txt ]
.ehg-techtarget.hitbox.com [ C:\Documents and Settings\zed\Dados de aplicativos\Mozilla\Firefox\Profiles\xubm1bz7.default\cookies.txt ]
C:\temp\Cookies\vaca@atdmt[2].txt

Trojan.VXGame-Variant/D
C:\R2\CRACKTROS\REFLEXIVE.ARCADE.GAMES.UNIVERSAL.KEYGEN-TSRH.EXE

Trojan.Agent/Gen-FSG
C:\R2\CRACKTROS\THE SIMS 2 KEYGENERATOR\KEYGEN.EXE
These last two in green I'm almost 100% sure are false positives…
Avast did scan before booting, but I couldn't find that log.
What I got was the log right before rebooting:
24/5/2009 11:55:44 1243176944 SYSTEM 1728 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\SYSTEM\S-1-5-21-1482476501-1644491937-682003330-1013\sys.exe" file.
24/5/2009 11:55:44 1243176944 SYSTEM 1728 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\ROOT\SYSTEM\MaY.exe" file.
24/5/2009 11:57:08 1243177028 SYSTEM 1728 Sign of "Win32:VB-LQT [Drp]" has been found in "C:\Documents and Settings\vaca\l4d7i9k1s5s7.exe" file.
24/05/2009 12:06:14 PM 1243177574 vaca 4008 Sign of "Win32:VB-LQT [Drp]" has been found in "c:\root\system\may.exe" file.
24/05/2009 12:06:23 PM 1243177583 vaca 4008 Sign of "Win32:Trojan-gen {Other}" has been found in "c:\system\s-1-5-21-1482476501-1644491937-682003330-1013\sys.exe" file.
Of course they are ;D
You download cracks, then ask for help when you get infected.
Those are cracktros, crack intros, and demo animations, available for free. Most of which can't crack anything.
I never had any problem with them; they must have been on my HDD for over a year…
If these files have anything to do directly with the infections I reported first, please let me know. If not, then …
I'm not only asking for help, since ATM I'm clean according to avast and SUPERAntiSpyware, but my posting is also meant to report and guide other users who might have a similar infection.
Hi R2-D2,
Trojan.Agent/Gen-FSG is a generic detection for malicious files intended to be a freeware program but which upon execution will download a threat hosted at a remote location. Trojan.Agent/Gen-FSG infections include excessive popup advertisements and installation of potentially unwanted programs.
Furthermore look here: http://www.bleepingcomputer.com/forums/lofiversion/index.php/t137124.html
polonus
Thanks polonus. I've found out someone installed the Alexa toolbar on my IE7; I never use IE so I hadn't seen this before.
Also a game called Zuma might have been the source of all this.
Anyway, i’m clean now.
Thanks one more time polonus.
I’m glad you think so ;D