So yesterday, Avira started going crazy on me, popping tons of runtime blocks. On top of that, every time I boot into Windows, Avira pops with an exe in my temp directory identified as tr/downloader.gen. I've tried running an Avira full scan in safe mode, but it doesn't catch anything; it only trips active protection while in a regular boot of Windows. I'm becoming increasingly concerned. Can anyone help me out with this?
-
Tinderbox (UK) BAKED BEAN KING
Best advice: copy off everything you need and reformat/reinstall, or use recovery, as you never get rid of all the viruses/spyware once they get in.
Also give Avast 5 free a go next time. -
Actually ... before you run off and reinstall the OS like a fly without a head ...
(no insult intended to you, Tinderbox), I suggest you download, install and update Malwarebytes (free), then run a quick scan with it.
If a quick scan doesn't find it, run a full scan.
And as an extra precaution download, install and update Super antispyware (free) ... then scan the system with that as well.
Generally, Malwarebytes should be enough, however, running Super antispyware just as a precaution after Malwarebytes would be good.
Please report after that.
I think you can run the scans in standard mode of operation, though if it doesn't work, then switch to Safe Mode. -
Does a secondary scan, with for instance Malwarebytes and/or Hitman Pro, come up with the same 'hit' on that file in the temp directory?
Are you able to upload that file to VirusTotal.com, to exclude the possibility of a false positive or to see if other AV's also flag it as malicious?
The Avira description here shows its detection characteristics have recently been updated.
While it is possible that a harmless file shows the same characteristics as a trojan, I'd be wary of this one.
Like Tinderbox wrote, be prepared for "the worst" by at least having a copy of important data.
It's not an absolute certainty that you need to reformat but if you have accidentally downloaded this trojan, it's probably trying to communicate outside in order to install other stuff. -
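As an added example, not part of the thread and not something the posters wrote: the PowerShell below (PowerShell 4 or later, for Get-FileHash) hashes recently modified executables under the current user's temp directory, the location Avira flagged, and prints a VirusTotal search URL per SHA-256. Searching by hash shows whether other engines already know the file without uploading it first, which is what the post above suggests doing. The seven-day window and the extension list are assumptions; the function name is mine.

```powershell
# Added example, not from the thread. Requires PowerShell 4+ (Get-FileHash).
# Hashes recently changed executables in %TEMP% and prints a VirusTotal URL for each.
$tempDir = $env:TEMP                               # the directory Avira flagged in the post
$cutoff  = (Get-Date).AddDays(-7)                  # assumption: only look at the last week
$exts    = @('*.exe', '*.dll', '*.scr', '*.tmp')   # assumption: what counts as executable-ish

function Get-TempExecutableReport {
    param([string]$Path = $tempDir, [datetime]$Since = $cutoff)

    Get-ChildItem -Path $Path -Recurse -File -Include $exts -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $Since } |
        ForEach-Object {
            try {
                # SHA-256 is what VirusTotal indexes on; a file that is currently
                # running may refuse to open, so treat that as a finding, not a crash
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
            } catch {
                $hash = $null
            }
            [PSCustomObject]@{
                Modified = $_.LastWriteTime
                SizeKB   = [math]::Round($_.Length / 1KB, 1)
                Path     = $_.FullName
                SHA256   = $hash
                # Looking a hash up shows existing verdicts without uploading the file
                Lookup   = $(if ($hash) { "https://www.virustotal.com/gui/file/$hash" } else { '(unreadable: in use?)' })
            }
        } | Sort-Object Modified -Descending
}

Get-TempExecutableReport | Format-Table -AutoSize -Wrap
```

A file that cannot be read because it is locked by a running process is worth more attention than one that hashes cleanly: a legitimate installer leftover in %TEMP% is normally not still executing at boot.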
To echo what others have said, back up any important documents and files asap and prepare for the worst case.
Malwarebytes is a great program and may fix your problem.
However, IMO, I am no longer comfortable with a system once it has been hit by a virus. Even if I get "rid" of it, I just won't feel the same about it and will always end up doing a clean install.
This is just me.
-
Well, that was fun... Malwarebytes found 16 or so things, including a rootkit and a hijacker. I cleaned them and rebooted, but Avira popped on downloader.gen after reboot again. This isn't looking good... I can't even imagine where I got a virus from; I go to the same 2 dozen or so websites pretty much exclusively, and have never had any issues.
-
I completely agree with this.
-
Damnit... SAS has already detected 10 threats related to this thing. It's only been scanning for 2.5 minutes.
-
Reading about all the nasties found so far, it's time to save time.
At this point you can deep scan for hours and hours without having the certainty that 'Matt is Pro' referred to.
Copy all important data and prepare for a full format+reinstall.
While you are at it, take 30 minutes to learn using imaging software.
That way you can make an image backup when you've installed OS+updates+most regular programs and use that image to do any future re-installs in 15-30 minutes.
A separate OS partition is needed though for such re-installs. -
Tinderbox (UK) BAKED BEAN KING
Wipe it and be done; it will only take an hour or so if you know what you are doing. Once system files get infected, it takes far too long to find and replace all of them, and you don't know what virus/spyware has been missed and is passing all your passwords and personal details to whoever.
-
I have to dig out my recovery disks... I don't even know where they are. I guess I could just restore from the IBM image...ugh, what a pain. *expletive deleted* viruses.
-
I hate to see people saying reinstall for a simple virus. It may be necessary in some rare cases, but the frequency with which it is suggested around here frightens me.
The first thing one should ALWAYS do is run system restore. ALWAYS. ALWAYS. ALWAYS.
Here's why: no matter what you call your particular brand of malware--virus, trojan, worm, bho--it is still at its core a program and like all programs it is governed by the same rules that apply to them all.
It has to be told to start.
Short of boot sector malware--virtually all programs that start automatically do so because of a registry setting or simple configuration file settings (there are a couple of obscure viruses that use a different trick, but I won't go into that right now).
If you use system restore and return to an earlier point in time, you replace the system registry and most configuration files with earlier versions that DO NOT HAVE THE MALWARE STARTUP SETTINGS in them. Therefore, the malware does not start.
What is so troubling about the most vicious of malware today is they start before you do, so you can not terminate them. If you prevent them from starting, they may still be on your drive, but they are not running.
The virus files will remain, but they are inert. Run an antivirus on the computer following a system restore to clean up the files that remain.
Again, this is not going to solve your problem 100 percent of the time. Boot sector viruses and rootkits that infect driver files and a couple of other neat malware programs will still start, but 95+ percent of the crap I am seeing can be defeated with a simple system restore (that is why some of the more elaborate malware out there actually disables system restore--then you have a battle on your hands, but that is still a rarity). -
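The post above argues that most malware persists through registry autostart settings, which is exactly what a System Restore rollback reverts. As an added example, not part of the thread and not the poster's code, this PowerShell lists the Run/RunOnce keys for the machine and the current user plus the Winlogon Shell and Userinit values, and marks entries whose command points into a user-writable directory (temp, AppData, the profile), since that is where the original poster's flagged executable lives. The directory list and the function names are assumptions; legitimate updaters also launch from AppData, so a marked entry is a lead, not a verdict.

```powershell
# Added example, not from the thread: enumerate common registry autostart points
# and flag commands that run from a user-writable location. Run as the affected user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # only exists on 64-bit
)
# Assumption: these are the directories an unprivileged process can write to
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) | Where-Object { $_ }

function Test-UserWritablePath([string]$Command) {
    foreach ($dir in $userWritable) {
        # case-insensitive substring test; avoids -like so odd characters in a username cannot break it
        if ($Command.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

function Get-AutostartReport {
    $entries = @(foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip PSPath, PSParentPath, etc.
            [PSCustomObject]@{
                Location     = $key
                Name         = $p.Name
                Command      = [string]$p.Value
                UserWritable = Test-UserWritablePath ([string]$p.Value)
            }
        }
    })

    # Winlogon Shell/Userinit run before the desktop appears, so they are a favourite
    # for malware that "starts before you do". Defaults: explorer.exe and userinit.exe.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $entries += [PSCustomObject]@{
        Location = 'Winlogon'; Name = 'Shell'; Command = [string]$wl.Shell
        UserWritable = ([string]$wl.Shell -ne 'explorer.exe')
    }
    $entries += [PSCustomObject]@{
        Location = 'Winlogon'; Name = 'Userinit'; Command = [string]$wl.Userinit
        UserWritable = (Test-UserWritablePath ([string]$wl.Userinit))
    }
    $entries | Sort-Object UserWritable -Descending
}

Get-AutostartReport | Format-Table -AutoSize -Wrap
```

This covers the registry locations a rollback would revert; it deliberately does not cover services, drivers or the boot sector, which the post itself lists as the cases where a restore point will not help.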
Two questions: Did you configure your normal user (the one you do all your regular activities in, browse the web, etc.) as Administrator, rather than as a Standard User? Did you turn off UAC (assuming this is Vista or Win7)? If the answer to one of these is yes, then you should not be surprised at your fate. Next time around, make sure the answer to both is "no". Security software is no substitute for a fundamentally insecure system configuration.
Well, 95% of the crapware out there won't be able to do anything at all to your system if you run it in a rational, secure configuration, see the 2 questions above. None of the malware will be able to disable or modify any system facilities or settings at all. I wish people would realize that the very first thing to think about, before even considering any sort of security software, is to run your system securely.
Of course, I know that I am preaching to the wind here. People just love to run as administrators, turn off UAC, and use anti-virus software "instead", not understanding that this approach is a recipe for disaster, and virtually guarantees that they will fall victim to any number of malware attacks. -
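As an added example, not part of the thread and not the poster's code, this PowerShell answers the post's two questions for the account it runs under: whether the account is in the local Administrators group, whether the current shell is elevated, and whether UAC is on and how it prompts. It relies on two Windows behaviours: IsInRole honours UAC's filtered token, so it reports false in a non-elevated admin session, while the token's group list still carries the Administrators SID (marked deny-only), so group membership can be read from it. The function name and verdict strings are mine.

```powershell
# Added example, not from the thread. Works on Vista and later; run in a normal,
# non-elevated PowerShell window as the user who does the day-to-day browsing.
function Get-AccountRiskReport {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

    # Is this shell elevated right now? IsInRole respects the UAC-filtered token.
    $elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Is the account itself an administrator? A non-elevated admin token still lists
    # the Administrators SID (as deny-only), so membership is visible in Groups.
    $inAdmins = @($identity.Groups | ForEach-Object { $_.Value }) -contains $adminsSid

    $pol   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uacOn = ($pol.EnableLUA -eq 1)
    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = prompt on the secure
    # desktop (Vista default), 5 = prompt only for non-Windows binaries (Win7 default)
    $consent = $pol.ConsentPromptBehaviorAdmin

    [PSCustomObject]@{
        User                   = $identity.Name
        MemberOfAdministrators = $inAdmins
        ElevatedNow            = $elevated
        UACEnabled             = $uacOn
        AdminPromptBehavior    = $consent
        Verdict = $(
            if (-not $inAdmins)   { 'standard user: malware runs with your rights only' }
            elseif (-not $uacOn)  { 'admin with UAC off: anything you run gets full rights' }
            elseif ($consent -eq 0) { 'admin, UAC on but auto-elevates: no better than off' }
            else                  { 'admin behind a UAC prompt: better, but still not a standard user' }
        )
    }
}

Get-AccountRiskReport | Format-List
```

The original poster's reply below ("I run as admin, but UAC is enabled") corresponds to the last verdict: the prompt stands between a downloader and SYSTEM-level persistence, but only for as long as nobody clicks through it.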
I run as admin, but UAC is enabled.
-
Mikazukinoyaiba Notebook Evangelist
Reinstalling the OS is just about the most radical advice anyone can give.
Do you also call for the nuclear option when dealing with protesters? -
System restore will not work, it errors out after reboot and tells me restore failed. And now I'm getting random ad audio playing in the background from nowhere. This is quite bad. I have no idea where this horrible thing came from... anyway, yeah, need to fix this.
I'm looking to reinstall from scratch, but my Windows product key on the bottom of my machine is partially rubbed out, and the support guy I just talked to at Lenovo says that that key would only work with the install that came on the machine to start with. This sounds fishy to me, but I didn't want to deal with his stupidity. He wanted me to install from the restore partition or pay $45 for a restore CD to be mailed to me...yeah, no. If I have to clean install, I'm not going back to factory state.
Anyway, yeah, does anyone know how to get your PK back? I have a legit one for this machine, and a legit disc to install from my Sager, but the tech was telling me to use my Sager PK... which I'm pretty sure won't work. Any suggestions? -
Tinderbox (UK) BAKED BEAN KING
Try ABR; it will back up your current key. The beta is supposed to work with Win7.
When you reinstall Win7 and it asks you for the key, click that you want to enter the key later, after Win7 has installed, then use the ABR key restore.
http://directedge.us/content/abr-activation-backup-and-restore -
I have Vista.
I assume the old version works with Vista though?
Edit: Doh, I just realized... my IBM license is for Vista Business, but my Sager has Vista Ultimate. Will the Ult disk work for the Bus SKU? -
Tinderbox (UK) BAKED BEAN KING
I suppose it will work fine, but I have only used ABR with Vista Premium OEM; just check the ABR save directory for the key.
-
Download McAfee and Ad-Aware and use them both a couple of times and there will be very few viruses on your computer. Also go into My Computer, right-click on the C drive, go to Properties and do a Disk Cleanup, then go into Tools and do error checking and defragmentation. By the way, sometimes error checking won't work, so you might have to run it repeatedly or close everything else out while doing this.
-
Uhm ... McAfee is resource hungry and just plain BAD in detection rates.
Adaware is not good as it used to be.
As I said before, install Malwarebytes, update it and run a quick scan with it.
Same with Super antispyware (just to be sure). -
I've run full deep scan with SAS, Malware Bytes, and Avira 2X each in safe mode now. The second Malware run is going right now. If this virus isn't gone when I reboot after I get up in the morning, I don't think it is going anywhere without some serious action taken. So far the second runs of everything have come up clean... but the proof will come after reboot.
-
So far so good... I hope it works out, I really don't want to have to deal with reinstalling Windows.
-
I HIGHLY suggest formatting your computer, mate! Don't forget to update your BIOS, my friend! Good luck!
-
Computers are like cheating partners. Once someone else puts their software on your computer it feels icky. Sometimes a clean install just makes you feel better.
Visualize your web browsing sessions! this will completely close the door to browser based threats. Sandboxie is a great tool for this. -
I think you mean virtualize....
Virus Problem
Discussion in 'Security and Anti-Virus Software' started by sirmetman, Mar 8, 2010.