Avast WEBforum
Other => Viruses and worms => Topic started by: icezbox on November 09, 2009, 05:59:40 AM
-
I scanned my Laptop and it appears that C:\Windows.old.000\users\Monskieth\AppData\Local\Temp\pavtmp & C:\Windows.old.000\Program Files\Data0.Net Software\Portable Antivirus is infected by a Win32:Malware-gen. How can i get rid of the virus? Is it safe to delete it? or is it a false positive?
-
hey i suggest you upload the file to virustotal.com and post the result here. otherwise you can try MBAB and or SAS and see what they come up with.
http://filehippo.com/download_malwarebytes_anti_malware/
http://filehippo.com/download_superantispyware/
good luck and write back if you getting problem.
and welcome to the forum.
-
Step 1: Windows Disk Cleanup Utility ============
1 Press Windows Key + R
2 Type in: cleanmgr
3 Put a check beside: Temporary Internet Files and Temporary Files. Optionally, you may check other options too
4 Click OK
Step 2: avast! Boot Time Scan ============
1 Double click avast! antivirus desktop icon and wait for memory test to complete
2 avast GUI will appear. Right click anywhere on avast!'s window and select Schedule Boot Time Scan...
3 Click Advanced options and select Move infected file to Chest on the first dropdown list and leave the other one as it was. Click Schedule
4 You will be asked for a system restart. Click Yes to do it now or No to let avast wait for you to manually restart your PC
NOTE: Optionally, you may enable scanning of archive files. If it is enabled, scanning would be more thorough but would take more time
Step 3: Malwarebytes Antimalware (MBAM) ============
1 Download Malwarebyes' Antimalware here (http://www.filehippo.com/download_malwarebytes_anti_malware/)
2 Proceed to installing MBAM after downloading
3 On the last dialog box, do not forget to leave Update Malwarebytes' Antimalware and Run Malwarebytes' Antimalware checked
4 Malwabytes' Antimalware GUI would appear, from there select Perform Quick Scan and click Scan
5 When scan is completed, click Show Results
6 Click Remove Selected and then, a notepad file will appear.
7 On the notepad window, click File > Save As and save it on your desktop. You may now close MBAM.
Step 4: Hijack This (HJT) ============
1 Download Trend Micro Hijack This here (http://www.filehippo.com/download_hijackthis/)
2 Install HJT in C:\Program Files\Trend Micro\HijackThis (the location is already displayed by default). Click Install
3 HJT Window will appear. Click Do a system scan and save a logfile. A notepad file will pop-up once the scan is completed
5 Click on the Notepad window and click File > Save As and save the file on your desktop
6 Go back here on your topic and start a reply. On the Reply window, click Additional Options
7 Attach the two .txt files that we created and saved on your desktop (click more attachments to have more slots for attaching files)
NOTE: Do not have HJT fix anything yet.
-
I scanned my Laptop and it appears that C:\Windows.old.000\users\Monskieth\AppData\Local\Temp\pavtmp & C:\Windows.old.000\Program Files\Data0.Net Software\Portable Antivirus is infected by a Win32:Malware-gen. How can i get rid of the virus? Is it safe to delete it? or is it a false positive?
I don't know what everyone is jumping up and down about if you look at the path to the infected file, you will see it appears to be something related to Panda AntiVirus (pavtmp) and a portable antivirus, see below. So far from being false positives, I believe the detections are good but on the unencrypted virus signatures of both.
{C:\Windows.old.000\users\Monskieth\AppData\Local\Temp\pavtmp
&
C:\Windows.old.000\Program Files\Data0.Net Software\Portable Antivirus}
So the questions are:
Have you installed a a portable antivirus (if so uninstall it as the signatures should be encrypted to prevent detection) ?
Have you used any Panda AntiVirus products ?
-
Hi, Im a newbie. :-[... and I did what you wrote down here. And I have 2 attachments here. So, what I do next? :'(
1 Press Windows Key + R
2 Type in: cleanmgr
3 Put a check beside: Temporary Internet Files and Temporary Files. Optionally, you may check other options too
4 Click OK
Step 2: avast! Boot Time Scan ============
1 Double click avast! antivirus desktop icon and wait for memory test to complete
2 avast GUI will appear. Right click anywhere on avast!'s window and select Schedule Boot Time Scan...
3 Click Advanced options and select Move infected file to Chest on the first dropdown list and leave the other one as it was. Click Schedule
4 You will be asked for a system restart. Click Yes to do it now or No to let avast wait for you to manually restart your PC
NOTE: Optionally, you may enable scanning of archive files. If it is enabled, scanning would be more thorough but would take more time
Step 3: Malwarebytes Antimalware (MBAM) ============
1 Download Malwarebyes' Antimalware here (http://www.filehippo.com/download_malwarebytes_anti_malware/)
2 Proceed to installing MBAM after downloading
3 On the last dialog box, do not forget to leave Update Malwarebytes' Antimalware and Run Malwarebytes' Antimalware checked
4 Malwabytes' Antimalware GUI would appear, from there select Perform Quick Scan and click Scan
5 When scan is completed, click Show Results
6 Click Remove Selected and then, a notepad file will appear.
7 On the notepad window, click File > Save As and save it on your desktop. You may now close MBAM.
Step 4: Hijack This (HJT) ============
1 Download Trend Micro Hijack This here (http://www.filehippo.com/download_hijackthis/)
2 Install HJT in C:\Program Files\Trend Micro\HijackThis (the location is already displayed by default). Click Install
3 HJT Window will appear. Click Do a system scan and save a logfile. A notepad file will pop-up once the scan is completed
5 Click on the Notepad window and click File > Save As and save the file on your desktop
6 Go back here on your topic and start a reply. On the Reply window, click Additional Options
7 Attach the two .txt files that we created and saved on your desktop (click more attachments to have more slots for attaching files)
NOTE: Do not have HJT fix anything yet.
[/quote]
-
This is what you should fix with HJT:
C:\WINDOWS\system32\FastNetSrv.exe
The filename is associated with these malware groups:
Banking Info Stealer
Rootkit
System Back Door
Malicious Software Trojan
Nasty
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll
This entry is classified as malware, spyware, adware, or other potentially unwanted software
Should be fixed.
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
Nasty Fix
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll
Nasty
Must be fixed! SearchSettings.dll - Vendio "Search Settings" foistware - reportedly installed without notice - see here, http://groups.google.com/group/mozilla.s upport.firefox/browse_thread/thread/dcc6 bd1e6009abe8 and here, http://www.tutorials-win.com/SupportXP/
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Vendio "Search Settings" foistware, bundled with its Dealio toolbar, which is in turn bundled with numerous third party applications
Nasty
O20 - AppInit_DLLs: C:\WINDOWS\TEMP\42844kou.dll c:\windows\system32\dukotova.dll,pehuraba.dll
Use Windows Command Prompt to Unregister dukotova.dll & pehuraba.dll Files
To open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
Type "cd" in order to change the current directory, press the "space" button, enter the full path to where you believe the pehuraba.dll DLL file is located and press the "Enter" button on your keyboard. If don't know where pehuraba.dll DLL file is located, use the "dir" command to display the directory's contents.
To unregister "pehuraba.dll" DLL file, type in the exact directory path + "regsvr32 /u" + [DLL_NAME] (for example, :C\Spyware-folder\> regsvr32 /u pehuraba.dll.dll) and press the "Enter" button. A message will pop up that says you successfully unregistered the file. Do the same for the other file.
O21 - SSODL: pirumotan - {0c9c9d08-e0a2-4303-b396-2c7596487748} - (no file)
Fix
O22 - SharedTaskScheduler: gahurihor - {0c9c9d08-e0a2-4303-b396-2c7596487748} - (no file)
Fix
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe
Nasty (2.17 / 5.00)
Fix
polonus
-
... Seriously, Ím not familiar with Windows Command Prompt and also,... English. Can you please show me little more details? Thank you very much
This is what you should fix with HJT:
C:\WINDOWS\system32\FastNetSrv.exe
The filename is associated with these malware groups:
Banking Info Stealer
Rootkit
System Back Door
Malicious Software Trojan
Nasty
R3 - URLSearchHook: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll
This entry is classified as malware, spyware, adware, or other potentially unwanted software
Should be fixed.
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
Nasty Fix
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb128\SearchSettings.dll
Nasty
Must be fixed! SearchSettings.dll - Vendio "Search Settings" foistware - reportedly installed without notice - see here, http://groups.google.com/group/mozilla.s upport.firefox/browse_thread/thread/dcc6 bd1e6009abe8 and here, http://www.tutorials-win.com/SupportXP/
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Vendio "Search Settings" foistware, bundled with its Dealio toolbar, which is in turn bundled with numerous third party applications
Nasty
O20 - AppInit_DLLs: C:\WINDOWS\TEMP\42844kou.dll c:\windows\system32\dukotova.dll,pehuraba.dll
Use Windows Command Prompt to Unregister dukotova.dll & pehuraba.dll Files
To open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
Type "cd" in order to change the current directory, press the "space" button, enter the full path to where you believe the pehuraba.dll DLL file is located and press the "Enter" button on your keyboard. If don't know where pehuraba.dll DLL file is located, use the "dir" command to display the directory's contents.
To unregister "pehuraba.dll" DLL file, type in the exact directory path + "regsvr32 /u" + [DLL_NAME] (for example, :C\Spyware-folder\> regsvr32 /u pehuraba.dll.dll) and press the "Enter" button. A message will pop up that says you successfully unregistered the file. Do the same for the other file.
O21 - SSODL: pirumotan - {0c9c9d08-e0a2-4303-b396-2c7596487748} - (no file)
Fix
O22 - SharedTaskScheduler: gahurihor - {0c9c9d08-e0a2-4303-b396-2c7596487748} - (no file)
Fix
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\WINDOWS\system32\FastNetSrv.exe
Nasty (2.17 / 5.00)
Fix
polonus
[/quote]
-
You have serious rootkit infection, HJT is no use to you. From your MBAM log C:\WINDOWS\system32\drivers\kbiwkmbpbpfqxy.sys (Rootkit.TDSS) -> No action taken.
You should run Combofix and post the log. Follow all instructions carefully
http://www.bleepingcomputer.com/combofix/how-to-use-combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
-
Here is it the log file.
Thank you for helping me
You have serious rootkit infection, HJT is no use to you. From your MBAM log C:\WINDOWS\system32\drivers\kbiwkmbpbpfqxy.sys (Rootkit.TDSS) -> No action taken.
You should run Combofix and post the log. Follow all instructions carefully
http://www.bleepingcomputer.com/combofix/how-to-use-combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
[/quote]
-
Combofix has removed the rootkit. Your pc has many infections.I would uninstall combofix now http://www.bleepingcomputer.com/forums/index.php?s=eab68518186b64fb0677524792426b02&showtopic=114269&view=findpost&p=650524 (http://www.bleepingcomputer.com/forums/index.php?s=eab68518186b64fb0677524792426b02&showtopic=114269&view=findpost&p=650524)
You should now run a full scan with MBAM, this time have it remove the threats it finds and post the log.
I would then reboot and run another scan with MBAM and see if anything removed first time, returns. Your pc is so infected, I am hoping Essexboy will look at your logs and comment,
-
I've tried it but, first, I accident installed combofix into desktop\Downloads. And I can't uninstall the program. Then I type
CMD (enter)
C:\Documents and Settings\Dominic Nguyen>cd Desktop\Downloads
Desktop\Downloads\Combofix /u
enter
... And the combofix started to run scan and give me the log again
Please help
-
Hi
Let's see if I can help a bit here. You still have some nasty infections.
We'll use combofix again, but run it differently.
First locate combofix.exe on your desktop, right click it and select delete.
Download a new copy from one of these links and save it directly to your desktop. DO NOT run it yet.
It must be on your desktop, not in a folder on your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Please follow all previous instructions regarding security programs.
Open a new Notepad session - Click the Start button, click run
- in the run box type notepad
- click ok
- In the notepad, Click "Format" and be certain that Word Wrap is not checked.
- Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
File::
c:\windows\system32\FastNetSrv.exe
C:\jlkdtrnv.exe
C:\tfwhkfp.exe
C:\mwoqywsu.exe
c:\windows\system32\netskt.sys
Driver::
fastnetsrv
BtwSrv
netskt
NetSvcs::
BtwSrv
In the notepad - Click File, Save as..., and set the Save in to your Desktop
- In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
- Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.
This will start ComboFix again.Close all browser/windows first.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Please post the combofix log in your next reply.
Thanks
-
Here is my log file. BTW, thank you
-
Hi
That looks much better. Did you run MBAM before running the fix I posted?
Please make an uninstall list- Start HijackThis
- Click the Config button
- Click the Misc Tools button
- Click the Open Uninstall Manager button.
- Click the Save list button and save it to your desktop.
When you press Save, a notepad will open with the contents. Copy/paste the contents of the notepad file in your next reply.
Please post the uninstall list and a new HJT log.
Thanks
-
Thanks for replied,
Yes, I did run MBAM, because I've wait too long for someone reply my post. LOL
-
Hi
Ok, that explains what happene to some of those entries I had in the CFScript.
Let's see if anything is left.
*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.
Please go to Kaspersky (http://www.kaspersky.com/kos/eng/partner/default/pages/default/check.html?n=1258422493278) website and perform an online antivirus scan.
- Read through the requirements and privacy statement and click on Accept button.
- It will start downloading and installing the scanner and virus definitions.
- You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
- Mail databases[/b]
- Click on My Computerr under Scan.
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As....
- Change the Files of type to Text file (.txt)
- Set the Save In to Desktop
- click the Save button.
- Please post this log in your next reply.
-
Thanks for waiting ... I ran the Scan last night. And the electric shortage when about finish, LOL. So, I have to run it again this morning.
BTW, here is the file
... And... Uhm, do I have to uninstall combofix, now?
-
I have the same problem with my ISP installation sofware...so I delete it re-download to my desktop and verify it, it still show as a Virus Win:32:Malware-gen!
I am not a PC literate but need to connect is it dangerous for me to log with this file, remember I cannot do so without it!
Thanks for anyhelp here.
-
Mr. Oldman please help me :'(
Thank you
-
Hi domdom63,
My apologies, I missed your post. We will remove combofix shortly.
One bad detection, the other 2 are in restore points and will be removed when we remove combofix.
Please follow all previous instructions regarding security programs.
Open a new Notepad session - Click the Start button, click run
- in the run box type notepad
- click ok
- In the notepad, Click "Format" and be certain that Word Wrap is not checked.
- Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
File::
C:\WINDOWS\tepie\install.48143.exe
Dirlook::
C:\WINDOWS\tepie
In the notepad - Click File, Save as..., and set the Save in to your Desktop
- In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
- Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.
This will start ComboFix again.[color="red"]Close all browser/windows first.[/color]
[color="blue"]**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**[/color]
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Please post back with he combofix log.
Thanks
-
Hi Mr. Oldman
I've done what you asked me to do. but, it automatics rebooted after it done. And I don't see any combofix.log. Maybe this one I found in windows\temp (T30DebugLogFile.txt) but, it nothing in there (0 KB)
-
Hi
The log should be at C:\Combofix.txt
If you can't find the log there we will use another tool to have a look at that folder.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield
- Do not copy the word CODE , please note the script starts with the :
:file
C:\WINDOWS\tepie\install.48143.exe
:dir
C:\WINDOWS\tepie- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Please post the combofix log if you found it or the SystemLook log.
Thanks
-
Thanks for the replied, Mr. Oldman
Yes, I believed that I found combofix.txt in c:\comboFix
-
Hi domdom63,
Combofix dosen't seem to have completed. Let's try again with a new copy.
Please delete the copy you have and download a new one. Don't run it, we run it with a command.
Download a new copy from one of these links and save it directly to your desktop.
It must be on your desktop, not in a folder on your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Please follow all previous instructions regarding security programs.
Don't be alarmed if your desktop disappears during the fix. It will reappear. Don't mouse click or do anything else while the tool is tunning.
Open a new Notepad session - Click the Start button, click run
- in the run box type notepad
- click ok
- In the notepad, Click "Format" and be certain that Word Wrap is not checked.
- Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
KillAll::
File::
C:\WINDOWS\tepie\install.48143.exe
Folder::
C:\WINDOWS\tepie
In the notepad - Click File, Save as..., and set the Save in to your Desktop
- In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
- Click save
Next, click your start button, click run.
In the run box, copy and paste the following bolded line (it's one long line), then click OK.
"%userprofile%\desktop\combofix.exe" "%userprofile%\desktop\combofix.exe\CFScript.txt"
Please post back with the combofix log.
-
Mr. Oldman,
I've tried that but, when I enter
"%userprofile%\desktop\combofix.exe" "%userprofile%\desktop\combofix.exe\CFScript.txt"
The comboFix.exe started
After a few minutues I have this messages
ERROR - Script format is incorrect
Rich Text Formats (RTF) are unacceptable !!
Please save CFScript commands as a textfile, using notepad.exe
... But I did exactly what you told me to do
-
Hi
Are you using notepad? The message would see to be consistant with using wordpad.
-
yes, i used notepad.exe
-
Oh, never mind Mr. Oldman,
I redo the text file and draged it to combofix's icon and it does the works. And here is the log.txt file for you.
Thank you
-
Oh no,
My computer is crashed. It keeps reboot. I have to put the recover disk to install the window now. Ím using my laptop to reply to you :(
-
Hi,
What were you doing when it crashed?
-
I turned off before to bed
The next morning it was been up all night with booting windows still on
-
Hi
You shut the computer down completely and it attempted to restart?
Before you do anything drastic like reinstalling windows, is your disk a full copy of XP?