A couple of days ago, I plugged in my sister’s friend’s USB to transfer some files over, but was alerted by the presence of an autorun virus (according to CIS, Worm.Win32.Autorun.dvw@9541971). I clicked Remove, and was informed by CIS that it had been removed successfully. After that, I ran complete virus scans on my whole computer, with CIS, Avast! Antivirus, Microsoft Security Essentials. To be extra safe, I also ran scans using Spybot - Search & Destroy, as well as Malwarebytes’ Anti-Malware.
Only CIS picked up something, which was Trojware.Win32.TrojanDropper.Binder.~J@1836329. Strangely, the file was located in C:\Users\[my Username]\AppData\Local\Temp\_avast4_\unp67833835.tmp.
After that, CIS alerted me to the presence of Trojware.Win32.Magania.~AAF@25568607, which first appeared in C:\Windows\Temp\_avast4_\unp60440522.tmp, and then once more in the previously stated AppData\Local\Temp\_avast4_ folder.
On a subsequent scan, it picked up Trojware.Win32.Vapsup.JBO@89285037 in the AppData\Local\Temp\_avast4_ folder, upon which I clicked Remove and CIS reported having successfully removed it. However, I noticed that the alert for this particular Trojware kept appearing after every time I ran CCleaner. I kept “removing” it again and again, but to no avail. My other Anti-Viruses didn’t pick up on it at all, so I’m not sure if it’s a False Positive or if it’s something really serious.
I haven’t got HijackThis yet, but I will soon, if the log will be of any assistance to solving this problem. I would most certainly like to remove this, and any help is greatly appreciated. Thank you very much.
Thank you for replying. I’ve disabled Autorun for USB devices, as per the link given.
With respect to running virus scans in Safe Mode, I’m only able to run Avast! Antivirus, Malwarebytes’ Anti-Malware, Spybot Search & Destroy, as well as Microsoft Security Essentials, which all picked up nothing. Upon trying to run the anti-virus that comes with CIS, it gives an error that goes along the lines of it not being supported (Sorry, I will update this with the error code if it helps, later).
Being skeptical of my laptop having been cleaned, I downloaded bootable AVs from BitDefender and Avira Antivirus. The former detected nothing, and while the latter detected that there was 1 infected file, there doesn’t seem to be a way to be sure that the file had been removed, beyond picking the option under “Configuration”.
In addition, I’m not sure if this issue is related to the virus or not, but it did not appear prior to the infection: I have not been able to start up my laptop in normal mode. There’s a brief flicker of blue screen (which was too fast for me to read anything) when it tries to start up, before it restarts automatically and asks if I want to boot into Safe Mode, etc.
I'm only able to run Avast! Antivirus, Malwarebytes' Anti-Malware, Spybot Search & Destroy, as well as Microsoft Security Essentials, which all picked up nothing.
Let’s start with this
Avast runs in real-time <-- keep this
Malware-bytes is a great backup with no real-time <-- keep this
Spy-bot is kind of out-dated and causes occasional problems (from my experience from working on other people’s computers) <-- remove Spybot
Microsoft Security Essential isn’t bad, but it also runs in real-time. Some people CAN have problems running more than 1 real-time antivirus program <-- remove Microsoft Security Essential. You have Avast for real-time antivirus anyway
If you have a Windows Vista installation disc, you need to restart (boot) your computer using the installation disc. If you do not restart your computer from the disc, the option to repair your computer will not appear.
If you have a Windows installation disc:
Insert the installation disc.
Restart your computer.
Click the Start button, click the arrow next to the Lock button, and then click Restart.
If prompted, press any key to start Windows from the installation disc.
Note: If your computer is not configured to start from a CD or DVD, check the information that came with your computer. You may need to change your computer's BIOS settings. For more information, see BIOS: frequently asked questions.
Choose your language settings, and then click Next.
Click Repair your computer.
Select the operating system you want to repair, and then click Next.
On the System Recovery Options menu, click a tool to open it.
If your computer has preinstalled recovery options:
Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
Click the Start button, click the arrow next to the Lock button, and then click Restart.
Do one of the following:
* If your computer has a single operating system installed, press and hold the F8 key as your computer restarts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you will need to try again by waiting until the Windows logon prompt appears, and then shutting down and restarting your computer.
* If your computer has more than one operating system, use the arrow keys to highlight the operating system you want to repair, and then press and hold F8.
On the Advanced Boot Options screen, use the arrow keys to highlight Repair your computer, and then press ENTER. (If Repair your computer is not listed as an option, then your computer does not include the System Recovery Options menu as a preinstalled recovery option.)
Select a keyboard layout, and then click Next.
Select a user name and enter the password, and then click OK.
On the System Recovery Options menu, click a tool to open it.
My apologies - so many replies and I didn’t list what my OS was. My laptop’s running Windows Vista Home Premium, 32-bit. I followed the steps listed and was able to repair my startup. Many thanks for that.
Thereafter, I downloaded and installed A-Square Free, and it is now scanning. Also, something rather… strange that I observed. Prior to running a scan on A-Square Free, I did a scan of Critical Areas using CIS’ Virus Scan, with 0 detections of malicious software. After that, I set Avast to scan C:\ and in the midst of the scan, an alert from CIS regarding the TrojWare popped up, in the same old directory. Avast itself did not pick up anything amiss.
I’m wondering if I should uninstall Avast, or if the problem somehow lies in Avast.
Also, worst thing that happens is that I reformat my computer (which I hope removes the virus). With regards to that, would it be safe to plug in a USB external hard drive to back up my current data before reformat, or is there a chance of the virus jumping over to the external hard drive?
I will update with more after the scans finish. Thank you for the help so far.
I believe that this may be caused by the method by which CIS scans in real time. It scans the computer’s memory. Therefore, when Avast unpacked a file, it was scanned and detected by Comodo.
I may be wrong here, but that is how I believe it works.
If that is the case, then is there really a virus or is it just the way CIS scans? Or perhaps it’s hidden in, I don’t know, Avast’s folders? Sorry, I know little to nothing about these kinds of things. x_o
I did a few more scans overnight, and all of them picked up nothing by the end of the scan (including CIS), but during Avast’s scan, CIS did detect the TrojWare again. It seems like it’s only detected when Avast is running a scan, or when a utility is run to clean Temp files (eg. CCleaner).
So what should I do? Is it safe for me to plug my own USB external hard drive in to back up files, or is there still the possibility of the virus spreading?
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 11:50:33 PM, on 5/1/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal
Would you be able to upload afom.exe to http://www.virustotal.com/?
It’ll be scanned by a bunch of anti-virus companies around the world and they’ll tell you if it’s clean or not. It’ll only take a few minutes.
Just in case this one looks weird to you (see below)
Thank you for the clarification re: my DNS servers.
Any word on the status of Trojware.Win32.Vapsup.JBO[at]89285037 though, and whether I should be able to plug in a USB device to back up my data? I don’t get any alerts nowadays about the Virus, except when I’m running a scan on Avast (I think Chiron494 could be right about the way Avast unpacking files somehow triggers CIS).
I’ve submitted the quarantined .tmp to CIS but I’m not sure how I’m supposed to get a reply from the people who analyse it.
whether I should be able to plug in a USB device to back up my data?
If you scan it with the anti-virus and it comes up clean, then by all means plug it back in
Trojware.Win32.Vapsup.JBO[at]89285037
There are times when someone doesn't get a response back. It happens sometimes :( I know they've been busy lately upgrading the anti-virus servers.
If you really like, you can upload the file in question that gets the Trojware.Win32.Vapsup.JBO[at]89285037 alert to “www.megaupload.com”
then PM me the link, I’ll check it out. Remember I don’t work for Comodo. I just volunteer here for fun.
I’ll analyze it and tell you if it’s clean with a brief detail of it (I’ll copy and paste it in a text file).
Mmm well the weird thing is that the .tmp file doesn’t usually exist until I run an Avast scan. Oo And when I try to open the Quarantined folder in COMODO, it says that I can’t open it (makes sense, though). So I’m not sure how else I can get the .tmp file.
Thanks for the offer, though. I’ll try to get the file, if possible.