Reappearing Virus

A couple of days ago, I plugged in my sister’s friend’s USB to transfer some files over, but was alerted by the presence of an autorun virus (according to CIS, Worm.Win32.Autorun.dvw@9541971). I clicked Remove, and was informed by CIS that it had been removed successfully. After that, I ran complete virus scans on my whole computer with CIS, Avast! Antivirus and Microsoft Security Essentials. To be extra safe, I also ran scans using Spybot - Search & Destroy, as well as Malwarebytes’ Anti-Malware.

Only CIS picked up something, which was Trojware.Win32.TrojanDropper.Binder.~J@1836329. Strangely, the file was located in C:\Users\[my Username]\AppData\Local\Temp\_avast4_\unp67833835.tmp.

After that, CIS alerted me to the presence of Trojware.Win32.Magania.~AAF@25568607, which first appeared in C:\Windows\Temp\_avast4_\unp60440522.tmp, and then once more in the previously stated AppData\Local\Temp\_avast4_ folder.

On a subsequent scan, it picked up Trojware.Win32.Vapsup.JBO@89285037 in the AppData\Local\Temp\_avast4_ folder, upon which I clicked Remove and CIS reported having successfully removed it. However, I noticed that the alert for this particular Trojware kept appearing after every time I ran CCleaner. I kept “removing” it again and again, but to no avail. My other anti-viruses didn’t pick up on it at all, so I’m not sure if it’s a false positive or if it’s something really serious.

I haven’t got HijackThis yet, but I will soon, if the log will be of any assistance to solving this problem. I would most certainly like to remove this, and any help is greatly appreciated. Thank you very much.

Two things that need to be done

1) Disable “autorun” for USB connections.

  To do this with XP:
  Download Tweak UI 2.1 for Windows - Filehippo.com
  find autorun and disable it

  To do this with Vista:
  http://www.howtogeek.com/geekers/DisableAutoPlay.zip
  * DisableAutoPlay.reg will disable autoplay entirely.
  * DisableAutoPlayRemovable.reg will disable autoplay on removable devices.

2) Now for the other thing (stopping the infection from coming back)

  1. Restart the computer; the second it restarts, immediately keep hitting the “F8” key until a new screen comes up
  2. Click on “run windows in safe mode”
  3. Run the anti-virus program(s) and clean what it finds. (SCAN AND CLEAN THE HARD DRIVE AND MEMORY STICK)
  4. After cleaning, feel free to run it again, just to double check that it’s gone. (90% sure it’ll be gone)
  5. Now restart the computer

P.S. Scanning and cleaning in Windows safe mode prevents the infection from coming back. Unless you reinfect yourself.

P.P.S. Whoever you got the “memory stick” from, tell this person to do the same instructions as here
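What the two .reg files in the Vista step do is set the NoDriveTypeAutoRun policy bitmask. The script below is an added example, not the thread's own text and not the contents of the howtogeek files: it composes that mask from drive-type names, decodes a value read back from the registry so you can confirm removable drives are actually covered, and renders a .reg import. Which value each howtogeek file writes is an assumption here; 0xFF is the documented "disable on every drive type" value and 0x91 is the Vista default. One caveat a practitioner would want: on XP and Vista the mask only reliably covers USB drives once update KB967715 is installed, so the generated file also sets the IniFileMapping entry that makes Explorer ignore autorun.inf outright.

```python
"""Compose, decode and emit the NoDriveTypeAutoRun policy that disables AutoRun.

Added example; not code from the thread or from the linked .reg files.
Bit values are the Win32 DRIVE_* type numbers the policy is keyed on;
0xFF disables AutoRun everywhere and 0x91 is the Windows Vista default.
"""
DRIVE_TYPES = {         # bit set in NoDriveTypeAutoRun => AutoRun disabled for it
    "unknown": 0x01,    # DRIVE_UNKNOWN
    "no_root": 0x02,    # DRIVE_NO_ROOT_DIR
    "removable": 0x04,  # DRIVE_REMOVABLE: USB sticks, floppies
    "fixed": 0x08,      # DRIVE_FIXED
    "remote": 0x10,     # DRIVE_REMOTE: network shares
    "cdrom": 0x20,      # DRIVE_CDROM
    "ramdisk": 0x40,    # DRIVE_RAMDISK
    "reserved": 0x80,   # unused type; set as part of the 0xFF "everything" value
}
ALL_DRIVES = 0xFF
VISTA_DEFAULT = 0x91    # unknown | remote | reserved

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
INIMAP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"


def autorun_mask(*drive_types: str) -> int:
    """Return the mask disabling AutoRun for the named drive types ("all" = 0xFF)."""
    if drive_types == ("all",):
        return ALL_DRIVES
    mask = 0
    for name in drive_types:
        mask |= DRIVE_TYPES[name]   # a typo raises KeyError rather than silently passing
    return mask


def disabled_types(mask: int) -> list[str]:
    """Decode a mask read back from the registry into the drive types it covers."""
    return [name for name, bit in DRIVE_TYPES.items() if mask & bit]


def removable_blocked(mask: int) -> bool:
    """The check that matters for a USB-borne worm: is DRIVE_REMOVABLE covered?"""
    return bool(mask & DRIVE_TYPES["removable"])


def reg_file(mask: int, block_autorun_inf: bool = True) -> str:
    """Render a .reg import that sets the policy and, optionally, the IniFileMapping
    entry that makes Explorer ignore autorun.inf on every drive regardless of the
    mask (the reliable block on systems without KB967715)."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{POLICY_KEY}]",
        f'"NoDriveTypeAutoRun"=dword:{mask:08x}',
        "",
    ]
    if block_autorun_inf:
        lines += [f"[{INIMAP_KEY}]", '@="@SYS:DoesNotExist"', ""]
    return "\r\n".join(lines)   # regedit expects CRLF line endings


if __name__ == "__main__":
    current = VISTA_DEFAULT    # stand-in for the value you would read with `reg query`
    print("default covers:", disabled_types(current),
          "| removable blocked:", removable_blocked(current))
    print(reg_file(autorun_mask("all")))
```

Import the output with regedit or `reg import` from an elevated prompt, then read the value back with `reg query` and feed it to `removable_blocked()`; the Vista default of 0x91 fails that check, which is exactly why a worm on a USB stick could run in the first place.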

Thank you for replying. I’ve disabled Autorun for USB devices, as per the link given.

With respect to running virus scans in Safe Mode, I’m only able to run Avast! Antivirus, Malwarebytes’ Anti-Malware, Spybot Search & Destroy, as well as Microsoft Security Essentials, which all picked up nothing. Upon trying to run the anti-virus that comes with CIS, it gives an error that goes along the lines of it not being supported (Sorry, I will update this with the error code if it helps, later).

Being skeptical of my laptop having been cleaned, I downloaded bootable AVs from BitDefender and Avira Antivirus. The former detected nothing, and while the latter detected that there was 1 infected file, there doesn’t seem to be a way to be sure that the file had been removed, beyond picking the option under “Configuration”.

In addition, I’m not sure if this issue is related to the virus or not, but it did not appear prior to the infection: I have not been able to start up my laptop in normal mode. There’s a brief flicker of blue screen (which was too fast for me to read anything) when it tries to start up, before it restarts automatically and asks if I want to boot into Safe Mode, etc.

I'm only able to run Avast! Antivirus, Malwarebytes' Anti-Malware, Spybot Search & Destroy, as well as Microsoft Security Essentials, which all picked up nothing.

Let’s start with this

  1. Avast runs in real-time <— Keep this

  2. Malwarebytes is a great backup with no real-time <— keep this

  3. Spybot is kind of outdated and causes occasional problems (from my experience from working on other people's computers) <— remove Spybot

  4. Microsoft Security Essentials isn’t bad, but it also runs in real-time. Some people CAN have problems running more than one real-time antivirus program <— remove Microsoft Security Essentials. You have Avast for real-time antivirus anyway

  5. Get A-Squared Free from Download Spybot Search and Destroy 2.9.82.0 for Windows - Filehippo.com
    Update it, then run it in Windows safe mode <— A-squared is a great anti-virus backup

To hopefully repair Windows, do this:
Go here and read the step-by-step for repairing Windows XP <— these are easy and simple steps :slight_smile:

For Vista (one of two methods below):

If you have a Windows Vista installation disc, you need to restart (boot) your computer using the installation disc. If you do not restart your computer from the disc, the option to repair your computer will not appear.

If you have a Windows installation disc:

  1. Insert the installation disc.
  2. Restart your computer: click the Start button, click the arrow next to the Lock button, and then click Restart.
  3. If prompted, press any key to start Windows from the installation disc.
     Note: If your computer is not configured to start from a CD or DVD, check the information that came with your computer. You may need to change your computer's BIOS settings. For more information, see BIOS: frequently asked questions.
  4. Choose your language settings, and then click Next.
  5. Click Repair your computer.
  6. Select the operating system you want to repair, and then click Next.
  7. On the System Recovery Options menu, click a tool to open it.

If your computer has preinstalled recovery options:

  1. Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer: click the Start button, click the arrow next to the Lock button, and then click Restart.
  2. Do one of the following:
     * If your computer has a single operating system installed, press and hold the F8 key as your computer restarts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you will need to try again by waiting until the Windows logon prompt appears, and then shutting down and restarting your computer.
     * If your computer has more than one operating system, use the arrow keys to highlight the operating system you want to repair, and then press and hold F8.
  3. On the Advanced Boot Options screen, use the arrow keys to highlight Repair your computer, and then press ENTER. (If Repair your computer is not listed as an option, then your computer does not include the System Recovery Options menu as a preinstalled recovery option.)
  4. Select a keyboard layout, and then click Next.
  5. Select a user name and enter the password, and then click OK.
  6. On the System Recovery Options menu, click a tool to open it.

My apologies - so many replies and I didn’t list what my OS was. My laptop’s running Windows Vista Home Premium, 32-bit. I followed the steps listed and was able to repair my startup. Many thanks for that.

Thereafter, I downloaded and installed A-Square Free, and it is now scanning. Also, something rather… strange that I observed. Prior to running a scan on A-Square Free, I did a scan of Critical Areas using CIS’ Virus Scan, with 0 detections of malicious software. After that, I set Avast to scan C:\ and in the midst of the scan, an alert from CIS regarding the TrojWare popped up, in the same old directory. Avast itself did not pick up anything amiss.

I’m wondering if I should uninstall Avast, or if the problem somehow lies in Avast.

Also, worst thing that happens is that I reformat my computer (which I hope removes the virus). With regards to that, would it be safe to plug in a USB external hard drive to back up my current data before reformat, or is there a chance of the virus jumping over to the external hard drive?

I will update with more after the scans finish. Thank you for the help so far. :slight_smile:

I believe that this may be caused by the method by which CIS scans in real time. It scans the computer’s memory. Therefore, when Avast unpacked a file, it was scanned and detected by Comodo.

I may be wrong here, but that is how I believe it works.

If that is the case, then is there really a virus or is it just the way CIS scans? Or perhaps it’s hidden in, I don’t know, Avast’s folders? Sorry, I know little to nothing about these kinds of things. x_o

I did a few more scans overnight, and all of them picked up nothing by the end of the scan (including CIS), but during Avast’s scan, CIS did detect the TrojWare again. It seems like it’s only detected when Avast is running a scan, or when a utility is run to clean Temp files (eg. CCleaner).

So what should I do? Is it safe for me to plug my own USB external hard drive in to back up files, or is there still the possibility of the virus spreading? :confused:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 11:50:33 PM, on 5/1/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Users\Irrylath\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Combined Community Codec Pack\MPC\mpc-hc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Irrylath\AppData\Roaming\Mozilla\Firefox\Profiles\eeoypbxh.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [HControlUser] C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
O4 - HKLM\..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATKOSD2] C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - Startup: Dropbox.lnk = C:\Users\Irrylath\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/JuniperSetupClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{54FDA53A-976C-4D02-89B0-4BD1B9BE66EF}: NameServer = 165.21.83.88,202.166.127.238,202.65.244.31,8.8.4.4,8.8.8.8
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ASUS\ATK Hotkey\ASLDRSrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe
O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe


End of file - 7307 bytes

==================================

Any advice on whether I should plug a USB device into my laptop to back up my data?

Your HijackThis log seems fine to me. While I have seen a lot of HijackThis logs, there's only one file I don't seem to recall: “afom.exe” <— it's probably fine

C:\Users\Irrylath\AppData\Roaming\Mozilla\Firefox\Profiles\eeoypbxh.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe

Would you be able to upload afom.exe to

It’ll be scanned by a bunch of anti-virus companies around the world and they’ll tell you if it’s clean or not. It’ll only take a few minutes.

just in case this one looks weird to you (see below)

O17 - HKLM\System\CCS\Services\Tcpip\..\{54FDA53A-976C-4D02-89B0-4BD1B9BE66EF}: NameServer = 165.21.83.88,202.166.127.238,202.65.244.31,8.8.4.4,8.8.8.8

this should be “google dns”
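The read of the log given above comes down to a few mechanical questions: where do the autostart entries, services and running processes live, are the DNS servers ones you recognise, and is anything being injected through AppInit_DLLs. The script below applies those rules to a HijackThis log. It is an added example, not part of the thread and not HijackThis's own logic. The sample log is a constructed excerpt of the entries above with the backslashes the forum software dropped restored, and the DNS allowlist of Google Public DNS addresses is an assumption, since the thread never says which resolvers the laptop should be using: the first three NameServer addresses are flagged only because they are not on that list, which is a prompt to check them against the ISP's published resolvers, not a verdict.

```python
"""Triage a HijackThis log for the entries worth a second look.

Added example; not the thread's or the tool's own logic. Each rule is a
question, not a verdict: a hit means "verify this", nothing more.
"""
import re
from dataclasses import dataclass

DNS_ALLOWLIST = {"8.8.8.8", "8.8.4.4"}   # assumption: the resolvers the reader expects

# Locations an ordinary user can write to; persistence from here deserves a look.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Temp\\|\\ProgramData\\", re.I)

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>[A-Za-z]:\\.*)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\\S.*$")      # bare path in "Running processes"
EXE_EXT = re.compile(r"\.(exe|dll|scr|cmd|bat)$", re.I)

# Constructed sample: entries copied in shape from the log above, not a new capture.
SAMPLE_LOG = r"""
Running processes:
C:\Windows\system32\Dwm.exe
C:\Users\Irrylath\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Users\Irrylath\AppData\Roaming\Mozilla\Firefox\Profiles\eeoypbxh.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - Startup: Dropbox.lnk = C:\Users\Irrylath\AppData\Roaming\Dropbox\bin\Dropbox.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{54FDA53A-976C-4D02-89B0-4BD1B9BE66EF}: NameServer = 165.21.83.88,202.166.127.238,202.65.244.31,8.8.4.4,8.8.8.8
O20 - AppInit_DLLs: C:\Windows\system32\guard32.dll
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ASUS\ATK Hotkey\ASLDRSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str     # O4, O17, O20, O23 or "process"
    item: str     # the path, DLL or server the rule fired on
    reason: str


def extract_path(command: str) -> str:
    """Pull the executable out of an O4 command (quoted, rundll32, or an unquoted
    path containing spaces). For 'x.lnk = path' the shortcut target is what runs."""
    command = command.split(" = ", 1)[-1].strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    tokens = command.split()
    if tokens and tokens[0].upper().startswith("RUNDLL32"):
        return tokens[1].split(",", 1)[0]        # the DLL rundll32 loads is the payload
    kept = []
    for tok in tokens:                           # keep joining until the extension ends
        kept.append(tok)
        if EXE_EXT.search(tok):
            break
    return " ".join(kept)


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := O4_RE.match(line):
            path = extract_path(m["cmd"])
            if USER_WRITABLE.search(path):
                findings.append(Finding("O4", path, "autostart from user-writable path"))
        elif m := O17_RE.match(line):
            for server in m["servers"].split(","):
                if (server := server.strip()) not in DNS_ALLOWLIST:
                    findings.append(Finding("O17", server, "NameServer not in allowlist"))
        elif m := O20_RE.match(line):
            for dll in m["dlls"].split(","):
                findings.append(Finding("O20", dll.strip(),
                                        "AppInit_DLLs loads into every GUI process; verify publisher"))
        elif m := O23_RE.match(line):
            if m["vendor"].strip().lower() == "unknown owner":
                findings.append(Finding("O23", m["path"], "service binary has no vendor string"))
            if USER_WRITABLE.search(m["path"]):
                findings.append(Finding("O23", m["path"], "service from user-writable path"))
        elif PROCESS_RE.match(line) and USER_WRITABLE.search(line):
            findings.append(Finding("process", line, "running from user-writable path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.reason}: {f.item}")
```

On the sample this flags afom.exe and Dropbox.exe (both run from under AppData), the three non-Google resolvers, guard32.dll (anything in AppInit_DLLs gets a publisher check regardless of filename; confirm it from the file's signature, not its name) and the ASUS service with no vendor string, while the Avast, MSSE and NVIDIA entries pass. That is the same shortlist a human reviewer produced above; the script just makes the rules explicit so they can be applied to the next log the same way.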

I’ve uploaded afom.exe to VirusTotal, with the analysis available here:
https://www.virustotal.com/analisis/6359741f87d9eb20ea7dcae944cb16e4fd6cde0c708a860b58c1fb44d7a6d04b-1262622864

As a side note, I’m aware of what afom.exe is (at least I think I am), as it only appeared after I installed the add-on Memory Fox (https://addons.mozilla.org/en-US/firefox/addon/53880).

Thank you for the clarification re: my DNS servers. :slight_smile:

Any word on the status of Trojware.Win32.Vapsup.JBO@89285037 though, and whether I should be able to plug in a USB device to back up my data? I don’t get any alerts nowadays about the virus, except when I’m running a scan on Avast (I think Chiron494 could be right about the way Avast unpacking files somehow triggers CIS).

I’ve submitted the quarantined .tmp to CIS but I’m not sure how I’m supposed to get a reply from the people who analyse it.

whether I should be able to plug in a USB device to back up my data?
If you scan it with the anti-virus and it comes up clean, then by all means plug it back in.
Trojware.Win32.Vapsup.JBO@89285037
There are times when someone doesn't get a response back. It happens sometimes :( I know they've been busy lately upgrading the anti-virus servers.

If you really like, you can upload the file in question that gets the Trojware.Win32.Vapsup.JBO@89285037 alert to www.megaupload.com

then PM me the link and I’ll check it out. Remember I don’t work for Comodo; I just volunteer here for fun.
I’ll analyze it and tell you if it's clean, with a brief detail of it (I’ll copy and paste it in a text file).

Thanks for the advice. :slight_smile:

Mmm well the weird thing is that the .tmp file doesn’t usually exist until I run an Avast scan. Oo And when I try to open the Quarantined folder in COMODO, it says that I can’t open it (makes sense, though). So I’m not sure how else I can get the .tmp file.

Thanks for the offer, though. I’ll try to get the file, if possible. :slight_smile: