After several attempts to get rid of the worm and trojan in my Win XP “restore” folder I’m getting nowhere! Need your help! Tried to “delete” the files and “move to chest”, but nothing. Also followed the instructions on how to disable system restore, incl. a reboot, but that’s not helping either. Also got Ad-Aware Pro, but it’s not helping either against the Trojan…
The files are:
Win32:IRCBot-BTC [Wrm]
Win32:Trojan-Gen {Other}
A third file now popped up. It is in the same folder as the previous ones, but for this file (Resource1.zip) Avast says “unable to scan: The file is a decompression bomb”. I have no idea what that means… doesn’t sound good.
Disable System Restore and reenable it after step 3.
Clean your temporary files.
Schedule a boot time scanning with avast with archive scanning turned on.
Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
A decompression bomb is a file that may be rather small, but decompresses to an enormous amount of data (when processed as a packed archive). Such files are not malicious per se, but they may block an antivirus program when it tries to scan them.
This kind of file is rather hard to detect (and avoid) precisely - so, it is possible that there are some false alarms. It’s not a big problem in this case, however - the “decompression bomb” announcement actually means something like “The file has a very high, maybe even suspicious, compression ratio and the AV is not going to scan the archive content”.
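The ratio check described in the reply above, as an added example that is not part of the original thread and is not Avast's own logic: it reads only the ZIP directory to decide whether to scan inside, then caps the bytes actually decompressed because declared sizes can be wrong. The thresholds, function names and sample archives are assumptions constructed for this sketch.

```python
import io
import zipfile

MAX_RATIO = 100                      # assumed threshold: uncompressed/compressed per member
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # assumed cap on declared uncompressed size

def assess_zip(data: bytes) -> dict:
    """Read only the ZIP directory (nothing is extracted) and decide whether to scan inside."""
    reasons, total = [], 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                reasons.append(f"{info.filename}: ratio {ratio:.0f}:1")
    if total > MAX_TOTAL_BYTES:
        reasons.append(f"declared total {total} bytes exceeds cap")
    return {"scan": not reasons, "reasons": reasons}

def bounded_read(data: bytes, name: str, cap: int) -> bytes:
    """Header sizes can be wrong, so also cap the bytes actually decompressed."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while chunk := fh.read(64 * 1024):
            out += chunk
            if len(out) > cap:
                raise ValueError(f"{name}: output exceeds {cap} bytes, aborting")
    return bytes(out)

def make_zip(name: str, payload: bytes) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

# Constructed samples: 5 MB of zero bytes versus a short ordinary text.
SUSPICIOUS = make_zip("zeros.bin", b"\x00" * (5 * 1024 * 1024))
ORDINARY = make_zip("note.txt", b"Quarterly report draft, nothing unusual here.\n")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("ordinary", ORDINARY)):
        print(label, len(blob), "bytes on disk ->", assess_zip(blob))
```

A skipped archive is reported as unscanned, not as infected, which matches the false-alarm caveat in the reply.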
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:42:15, on 2008-05-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Superantispyware, avast! antirootkit or any other program don’t find any flaws in the system, just the normal avast! virus program still finds the 2 corrupt files and the 3rd one. I’ve quarantined the 2 files that are corrupt during the boot time scanning, but the files still show as bad during the virus scans. Is my computer now fixed, or is there anything else I can do? I have followed your tips all the way from 1-8.
Ok, have fixed the entries with HijackThis now. But the same files: “Win32:IRCBot-BTC [Wrm] and Win32:Trojan-Gen {Other}” are still being found when scanning with avast! How do I get rid of these?