Avast WEBforum
Other => Viruses and worms => Topic started by: Interista on January 02, 2013, 12:12:45 PM
-
Avast tells me I'm infected with Win32:Dropper-gen (Drp) when it does a run-time scan, but when I do a boot scan it tells me there is nothing there.
It also tells me the infection is in two places - 1. In Malwarebytes (which is strange in itself, except that Malwarebytes itself recently changed to a new version which is now blue instead of red - the program itself asked me to update though); 2. In a file in a folder where I have recently (i.e. yesterday) found 484 movies which I never downloaded totaling over 320GB of data (which is impossible as my computer doesn't have that much space). The infected file is called something like mediaoverlays.dll
Also, the movies are unplayable, and in my opinion its a lie that there is over 320GB of them because as I said there isn't space, but there's something strange going on.
Avast can't delete or quarantine this dropper.
The only misbehaviour of the computer lately is the internet has been dog slow. I contacted my ISP and explained all the problems and he said get rid of any torrent client you have like vuze (which I have done) and you should notice an up in speed - which I have albeit I only did it ten minutes ago and the internet speed has been fast and then slow repeatedly for about a month so I need to test this one further.
Any ideas what's happening?
If its of any help I've also gotten rid of sopcast and torrent stream so I don't know if they were the culprits for slowing the internet down.
Unfortunately, the internet has slowed right down again - I'm going to play hell with my ISP but I'd like to get this issue sorted first.
-
What are the file names and locations of these detections ?
-
Its finding the dropper in random programs (it just found it in Firefox) but it appears to be in:
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll
And the movies are in
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\plugins\mediahash\downloads
-
Check the MediaIconsOverlays.dll file at: VirusTotal - Multi engine on-line virus scanner (https://www.virustotal.com/) and report the findings here, post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to Open the chest and right click on the file and select 'Extract' it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.
I think the upload limit is 25MB, so I don't know if your movies are going to be able to be checked that way, but the location doesn't suggest that they are actually movies ...\Application Data\Microsoft\Media Tools\plugins\mediahash\downloads
-
It doesn't give me an option to extract it and it tells me I can't move it because its being used by another person or program.
Does this suggest I've been hacked?
-
It can't be in the chest and be in use by another program/person. Since you don't see an extract option, you aren't inside the avast chest ?
As your edited first post now states, "Avast can't delete or quarantine this dropper." So it isn't in the chest but in its original location, in which case copy it to the suspect folder that you created and excluded (given in my previous post). Then you should be able to upload it to VT for scanning.
-
I can't check the movies with virustotal because they are too large (though I don't believe they are that large - the computer doesn't have enough space for them all).
I checked one of the codec packs that "came" with the movies though and VirusTotal says this...
https://www.virustotal.com/file/50fd783da568930951750f547aaffcf9b73f375fdfd49e9d8190c124f81ddee8/analysis/1357131118/
Should I now delete the file from the suspect folder?
-
It can't be in the chest and be in use by another program/person. Since you don't see an extract option, you aren't inside the avast chest ?
As your edited first post now states, "Avast can't delete or quarantine this dropper." So it isn't in the chest but in its original location, in which case copy it to the suspect folder that you created and excluded (given in my previous post). Then you should be able to upload it to VT for scanning.
That's one of the problems. Avast doesn't put it in quarantine and when I try to copy it it gives me the message that another program or person is using it.
Even if I try scanning it from its original location VirusTotal won't work, just says computing hash and freezes.
-
I can't check the movies with virustotal because they are too large (though I don't believe they are that large - the computer doesn't have enough space for them all).
I checked one of the codec packs that "came" with the movies though and VirusTotal says this...
https://www.virustotal.com/file/50fd783da568930951750f547aaffcf9b73f375fdfd49e9d8190c124f81ddee8/analysis/1357131118/
Should I now delete the file from the suspect folder?
Whilst they may not be 320GB, they could easily be more than 25MB.
Strange that avast didn't show a detection on that VT scan.
I'm always wary of codecs as they are a huge target, so you should be confident of the source you are getting them from. I usually use the K-Lite Codec Pack and its updates. Yes you can remove the 'copy' you placed in the suspect folder.
@@@@
It can't be in the chest and be in use by another program/person. Since you don't see an extract option, you aren't inside the avast chest ?
As your edited first post now states, "Avast can't delete or quarantine this dropper." So it isn't in the chest but in its original location, in which case copy it to the suspect folder that you created and excluded (given in my previous post). Then you should be able to upload it to VT for scanning.
That's one of the problems. Avast doesn't put it in quarantine and when I try to copy it it gives me the message that another program or person is using it.
Even if I try scanning it from its original location VirusTotal won't work, just says computing hash and freezes.
Try opening the avast chest, from the GUI, Maintenance, Virus Chest, right click in the right side of the window and select Add, from the new explorer like window, navigate to the MediaIconsOverlays.dll, select it and click Open (it doesn't actually open it), but copies it to the avast chest.
From here you should be able to 'Extract' it to the suspect folder and upload to VT (fingers crossed).
-
Getting somewhere now :)...
https://www.virustotal.com/file/8e4312aaee1dc062ef142633e400ebd7620e3cf86993e95e66b69074770055f1/analysis/1357134120/
Maybe its just wishful thinking but I have a feeling this could be behind the problems I've been having with hugely erratic internet speeds of late, and that we could be on the verge of the solution *fingers crossed*.
-
In case its of any interest... all the films seem to have arrived at the same time on the same day and they are all at 750MB which in my opinion is a nonsense. I have never seen a movie that was exactly **0MB and for them all to be the same is odder still. (Albeit it does seem to be over 32MB because VirusTotal won't accept it).
-
Malwarebytes found this...
I'll do the other scans and see what shows up.
It doesn't seem to have resolved the virus dropper issue though as Avast still tells me it exists. Is it worth using the Malicious Software Removal Tool by Microsoft?
-
AdwCleaner log.
-
Getting somewhere now :)...
https://www.virustotal.com/file/8e4312aaee1dc062ef142633e400ebd7620e3cf86993e95e66b69074770055f1/analysis/1357134120/
Maybe its just wishful thinking but I have a feeling this could be behind the problems I've been having with hugely erratic internet speeds of late, and that we could be on the verge of the solution *fingers crossed*.
Well there are certainly enough hits that consider it at least suspect, generic or heuristic detections. Whilst these type of detections are more prone to false positive detection, it is hard to see them all being wrong.
In case its of any interest... all the films seem to have arrived at the same time on the same day and they are all at 750MB which in my opinion is a nonsense. I have never seen a movie that was exactly **0MB and for them all to be the same is odder still. (Albeit it does seem to be over 32MB because VirusTotal won't accept it).
It does seem somewhat strange that the movies have all been downloaded on the same day and that you didn't intentionally download them (?). Does that also coincide with the creation date of this MediaIconsOverlays.dll file ?
The MediaIconsOverlays.dll file if legit is usually found in this location 'C:\ProgramData\Microsoft\Media Tools\MediaIconsOverlays.dll' do you have that in that location, if so does avast also detect it ?
-
No, the mediaiconsoverlays was created a little more than 2 weeks previous to the movies.
I can also only find it in the offending folder, not the one you suggest.
There's definitely something up because I was actually away when those films were downloaded.
I attach the OTL log.
-
Malwarebytes found this...
I'll do the other scans and see what shows up.
It doesn't seem to have resolved the virus dropper issue though as Avast still tells me it exists. Is it worth using the Malicious Software Removal Tool by Microsoft?
You could try copying/restoring that file and try uploading it to virustotal, the problem being MBAM restores to the original location (I don't like that with suspect stuff), this isn't the same as the MediaIconsOverlays.dll as system restore changes the file name but retains the file type and this isn't a dll file.
I'm not a fan of the Malicious Software Removal Tool as I don't think you have a great deal of control over it.
Do you actually have the Microsoft Media Tools installed ?
I can't ever remember installing this on either of my systems, so I obviously don't need it. I just wonder if you did install it, have you ever used/need it ?
-
No, the mediaiconsoverlays was created a little more than 2 weeks previous to the movies.
I can also only find it in the offending folder, not the one you suggest.
There's definitely something up because I was actually away when those films were downloaded.
I attach the OTL log.
OK, I take it you are using the information and tools mentioned in the 'Logs to assist in cleaning malware' topic, http://forum.avast.com/index.php?topic=53253.0 if so when you have the other logs attached I will get a malware removal specialist to take a look at them.
EDIT: A malware removal specialist has been informed of your topic.
-
I'm exhausting every angle because I'm worried that something is working away in secret (and that it may be slowing up my internet connection). I haven't heard of many of those films nevermind downloaded them.
I restored the file that MBAM found but now I can't find it.
AswMbr log here.
-
I have never used Microsoft Tools btw.
-
RogueKiller logs (though I'm not sure I needed to do them).
-
FSS log
-
My system just rebooted itself and then on reboot told me that windows had recovered from a serious problem (can't remember the exact terminology).
It gave me the following error report (code).
BCCode : 1000000a BCP1 : 00000023 BCP2 : 00000002 BCP3 : 00000000
BCP4 : 8050B781 OSVer : 5_1_2600 SP : 2_0 Product : 256_1
-
Did you download Abraham Lincoln Vampire Hunter ? If not I will remove it next time round
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Files
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\plugins\mediahash\downloads
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Did you download Abraham Lincoln Vampire Hunter ? If not I will remove it next time round
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Files
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\MediaIconsOverlays.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Media Tools\plugins\mediahash\downloads
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
I did, why does it look dangerous?
-
No I was just curious as to whether that is part of the problem ;D
-
I've run your fix and scanning the system now. Is it likely that this has been the cause of a very erratic internet speed over the last month or so (the fact that the dates of the files coincide with the problems points in that direction)?
I attach the scan log.
-
I see that windows updates are set to disabled .. Did you do that ?
There is probably a correlation in the performance and the files
-
I see that windows updates are set to disabled .. Did you do that ?
There is probably a correlation in the performance and the files
No, I never did that (as far as I know).
The internet is working faster than it has in weeks... I still have to keep an eye on it as it has been going fast, then slow, then fast, then slow etc, but I feel there is a significant improvement so fingers crossed.
-
OK go to Control Panel > Administrative Tools > Services
Locate these two services
wscsvc
wuauserv
Right click them
Select Properties
In the drop down box set them to Auto
And then click Apply > OK
-
OK go to Control Panel > Administrative Tools > Services
Locate these two services
wscsvc
wuauserv
Right click them
Select Properties
In the drop down box set them to Auto
And then click Apply > OK
I can't find anything of those names.
-
Btw, out of interest, what was the infection?
-
The user friendly name for WSCSVC is 'Security Center'
The user friendly name for WUAUSERV is 'Windows Update'
-
It was not an infection as such but definitely an unwanted programme
-
The user friendly name for WSCSVC is 'Security Center'
The user friendly name for WUAUSERV is 'Windows Update'
Thanks, I found the security centre, but still can't find windows update, is it windows installer by any chance?
In my opinion, the internet speed problem is resolved - its working faster and steadier than it has in weeks.
Thanks very much!
-
I am not on my XP at the moment but it should be windows updates
One other way to do this is open security centre and turn it on there
-
I am not on my XP at the moment but it should be windows updates
One other way to do this is open security centre and turn it on there
Seems to be on there.
-
Could you try to update windows and let me know what happens
-
Visiting the Microsoft Updates site, it tells me its set to update when I look in Control Panel - Systems Update.
However, Avast has just signalled another dropper in the file system scan shields log, this time...
C:\System Volume Information\_restore{F7149EC7-4FA5-4148-81FA-2F7A6348FD9A}\RP74\A0058302.dll which seems to be related to the one found by Malwarebytes which was an .exe file. I tried to check this file on virustotal earlier but when I restored it from the malwarebytes chest I couldn't find it. I'm currently running Malwarebytes again to find it again, which I think it just did, perhaps triggering Avast to find it.
This time, however, Avast moved it straight to the chest.
-
OK that is in system restore, I will clear all that at the end
Were you able to update windows ?
-
OK that is in system restore, I will clear all that at the end
Were you able to update windows ?
Trying to do it via the website it tells me...
Thank you for your interest in obtaining updates from our site.
To use this site, you must be running Microsoft Internet Explorer 5 or later.
To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.
If you prefer to use a different web browser, you can obtain updates from the Microsoft Download Center or you can stay up to date with the latest critical and security updates by using Automatic Updates. To turn on Automatic Updates:
Click Start, and then click Control Panel.
Depending on which Control Panel view you use, Classic or Category, do one of the following:
Click System, and then click the Automatic Updates tab.
Click Performance and Maintenance, click System, and then click the Automatic Updates tab.
Click the option that you want. Make sure Automatic Updates is not turned off.
When I check in system - automatic updates it tells me its set to do it automatically at 20:00 each day.
I'm not sure avast automatic updates is set though - it shows me an exclamation mark in an amber circle where it says virus definitions version - the number is 130101-0 and it has a tab saying update. It also tells me its not connected with any avast account. I'm not sure are these problems, its just I'm looking at things in more detail now.
-
I am not on my XP at the moment but it should be windows updates
One other way to do this is open security centre and turn it on there
I was on my win7 system when I checked this out and it was definitely there, but for some reason it isn't there on my XP Pro system.
-
Download and install IE8 from here http://windows.microsoft.com/en-US/internet-explorer/downloads/ie-8
Then run the fixit on this page http://blogs.technet.com/b/srd/
Do a manual update of Avast and let me know if that works
-
MBAM found that .exe again in System Restore and quarantined it.
Avast seems to be updating on its own again. It tells me it had the current version and it told me that it had updated.
I ran both of those things with Internet Explorer 8 and also the fixit but when I try to do Windows Update on IExplorer I get this problem from the site...
The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.
I'd be willing to gamble that the internet connection speed issue has been resolved though; everything is going well and is stable.
-
Did windows updates give an error code
-
No, just the website.
-
Run the fixit on this page and see if it resolves it http://support.microsoft.com/kb/971058
-
Still having problems, tells me to download windows service pack 3 but when I go to the site it just gives me the message about setting up windows automatic update.
-
Here you go .. SP3 http://www.microsoft.com/en-gb/download/details.aspx?id=24 ;D
-
I tried running that, but then it tells me there was a problem and tells me to undo all the changes (which the program proceeds to do).
-
It tells me Windows XP partially updated and may not work properly.
-
Did it give an error message ?
-
No, just said it had failed to update.
-
Are you still getting the same error on windows updates
Download Windows Repair (all in one) from this site (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)
Install the programme then run
(https://dl.dropbox.com/u/73555776/waio%20start.JPG)
Go to step 3 and allow it to run SFC
(https://dl.dropbox.com/u/73555776/waio%20step3.JPG)
On the start repairs tab click start
(https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG)
Select the following items and tick restart system when finished
(https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG)
-
It runs the scan then tells me...
Windows File Protection
Files that are required for Windows to run properly must be copied to the DLL cache.
Insert your Windows XP Professional CD2 now.
But its a long time since I bought the computer and I don't have this disk anymore.
-
When I try to run the repair the computer just reboots without letting me select what I want it to repair, then tells me Windows has recovered from a serious error.
-
OK try this small programme http://www.tweaking.com/content/page/repair_windows_updates.html
-
That seemed to work fine. Should I run the original tweaking repair program now?
-
Yes try again but skip the SFC portion
-
It still just reboots everything.
-
Are windows updates working now ?
-
If it is working, there should be an update for IE8 on XP (I got the notification this morning), presumably XP Media Centre version would still have IE8 (or earlier) and that would need updating.
-
Still gives me this screen :(.
-
Could you run a fresh FSS scan please
run farbar service scanner (http://download.bleepingcomputer.com/farbar/FSS.exe)
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg)
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
-
Certainly :).
I attach the report. I did notice it was exceptionally quick - it did it in about 5 seconds so I don't know if that in itself is a problem.
-
Nope, that shows that everything is running as it should .. I need to do some quick research on this
-
Nope, that shows that everything is running as it should .. I need to do some quick research on this
Thanks for all your help :).
-
After you have added the following Web sites to the Microsoft Internet Explorer Trusted sites zone, run Windows Update.
To perform this method, follow these steps:
1.Start Internet Explorer.
2.On the Tools menu, click Internet Options.
3.Click the Security tab, and then click Trusted Sites.
4.Click Sites.
5.Click to clear the Require server verification (https:) for all sites in this zone check box.
6.In Add this Web site to the zone, type each of the following Web site addresses, and then click Add:
◦https://*.microsoft.com
◦https://download.windowsupdate.com
◦https://update.microsoft.com/windowsupdate
◦http://*.update.microsoft.com
◦https://*.update.microsoft.com
◦http://download.windowsupdate.com
7.Click Close, and then click OK.
8.Visit the Windows Update Web site or the Microsoft Update Web site.
-
Still exactly the same problem.
-
Are you getting any updates at all ?
-
Are you getting any updates at all ?
None.
-
Could you try to run windows repair from safe mode
-
The tweaking.com program you told me to download?
-
Yes please the windows all in one.. Skipping the SFC section
-
Nope, still just reboots it.
-
OK lets try this tool
Download the ESET services repair tool, (http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe) extract the file to your desktop.
- Double-click ServicesRepair.exe.
- If security notifications appear, click Continue or Run and then click Yes when asked if you want to proceed.
- Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
- A log will be saved in the CCSupport folder the tool created on your desktop, please post the content in your next reply.
-
That seemed to run except it wouldn't reboot - in fact afterwards the computer wouldn't switch off. However, I forced a reboot (not in a very sophisticated manner!!!) and the log is here.
Btw, it seemed to turn off my firewall, which I turned back on.
-
OK I have just completed one similar to this and the error is in an obscure area
Please download MiniToolBox (http://download.bleepingcomputer.com/farbar/MiniToolBox.exe), save it to your desktop and run it.
(https://dl.dropbox.com/u/73555776/minitoolbox.JPG)
Checkmark the following checkboxes:
- Flush DNS
- Report IE Proxy Settings
- Reset IE Proxy Settings
- Report FF Proxy Settings
- Reset FF Proxy Settings
- List content of Hosts
- List IP configuration
- List Winsock Entries
- List last 10 Event Viewer log
- List Installed Programs
- List Devices
- List Users, Partitions and Memory size.
- List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
-
That worked perfectly :).
-
OK lets now see if we can resolve it
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
:Files
regsvr32 polstore.dll /c
:Commands
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Here's the log.
-
Could you now try updates
-
It still goes to that screen.
I arrive at the Windows Update site, it asks me if I want to do express update or custom.
I click express.
It checks for latest updates.
Then goes to that page where it says its broken (that I showed you before).
-
Could you try custom please, as this is not a run of the mill problem and I may need to dig deeper
-
It does the same thing.
-
Could you download and install this please http://download.windowsupdate.com/windowsupdate/redist/standalone/7.4.7600.226/windowsupdateagent30-x86.exe
-
It seems to have improved things. It now gives me this screen when I press express.
-
OK download and install the additional components , it may ask for a reboot. Once completed try again with updates
-
Updates are installing there.
-
You should now be able to install SP3 from the MS site. Once everything is done can you let me know how the computer is behaving
-
Sorry for checking, but this?
-
Yes .. Unless windows updates offers it (the download will be smaller )
-
I've done that now, ran slowly on restart, but probably because it was finalising the updates or something. I'll see how it runs tomorrow and let you know.
-
The computer started up a little slowly this morning.
-
As you have had a lot of updates I would recommend that you now defragment the drive and see if that gives an improvement
-
Seems to be working ok now.
-
How is the general behaviour now .. Any problems
-
Sorry for taking so long to get back to you. Sometimes, if I switch it off it just says "Saving your settings" it just stays on that and won't switch off. Otherwise its perfect.
-
Is that a regular occurrence or just sometimes ?
-
Sometimes, but regular. I mean, probably 4 times out of 5 it switches off ok, but 1 out of 5 not. Then sometimes when it goes into hibernation it won't "wake up" when you click the keyboard/mouse.
-
That sounds as though a programme is not closing properly. Does this happen after you run a specific programme ?
-
I'll keep an eye out for it and let you know.