Author Topic: VBS Malware Gen keeps coming back  (Read 18685 times)

cindyk

  • Guest
VBS Malware Gen keeps coming back
« on: June 04, 2009, 04:32:52 AM »
Hey !
Sorry for posting a new thread about an apparently old problem but haven't found the solution to my problem yet among other posts.

Avast detects vbs malware gen all the time
each time I put it in the chest and it comes back
It began when I was checking my gmail yesterday
and now keeps popping up.

So I did all the windows updates
ccleaner
Super anti spyware
Combofix
and will be doing a Malwarebytes scan now
Also installed the latest hijack this but can't seem to install it in c/

I attach the hijack this log
and the combofix log just in case it might help you to help me
Is this very dangerous for the well being of my computer?

Thanks in advance for any info or help you can give me !!





Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: VBS Malware Gen keeps coming back
« Reply #1 on: June 04, 2009, 04:38:08 AM »
-= You don't seem to be using any antivirus.. You should download one to keep yourself protected..

-= We didn't detect any active process of a firewall on your system. Reasons maybe:

(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.

-= It is very much recommended to use a firewall..
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

cindyk

  • Guest
Re: VBS Malware Gen keeps coming back
« Reply #2 on: June 04, 2009, 04:47:39 AM »
Hello !

Well actually I do have AVAST but had it disabled at the time of the scan; maybe that's why it seems disabled

It is my avast anti virus which detected the VBS malware gen and today it also alerted a Win 32 trojan gen

That's why I'm wondering what's wrong?
Thanks for your help!

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: VBS Malware Gen keeps coming back
« Reply #3 on: June 04, 2009, 05:31:35 AM »
Hi Cindyk

I'm just popping through the forum at the moment but someone will reply soon. You don't seem to have posted a full HjT log and I expect when someone replies they will ask for a full log.

As for the SAS log - I expect the same will apply.

Avast will not work best when you have another antivirus (Norton) on your machine. This issue will also be brought up. As well, you have two antivirus and they are both disabled. Your Avast should be running, especially if it is alerting to malware.

I think best to enable your Avast and post a full HjT log.

Regards.
« Last Edit: June 04, 2009, 05:33:14 AM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

cindyk

  • Guest
Re: VBS Malware Gen keeps coming back
« Reply #4 on: June 04, 2009, 05:52:40 AM »
Thank you for your reply!

Will certainly do that and post the new logs

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: VBS Malware Gen keeps coming back
« Reply #5 on: June 04, 2009, 07:07:28 AM »
Hi Cindy. Just passing through again.

Posting a HjT log should be sufficient to start with.

Also have you run a boot time scan yet? Here's a step by step if you haven't done one before.

Right click icon with 'a' bottom left hand corner of screen, and select to 'Start avast antivirus'.
- will quick test memory, then a Help guide will pop up (close this), followed by the scanner for GUI interface.

Open menu on top left hand corner of scanner, choose 'start scan', go through select area, and click to select 'local disks'. On the popup set 'thorough' and check 'archive' box (you don't have to do this, but it won't hurt).

Right click My Computer on desktop, and choose Properties. Select the tab that says System Restore and click. Check the box that says Turn off System Restore and click Apply button. Press OK. This will hopefully clear anything nasty that might be lurking about the back pages of the computer. Now you don't have to do this just yet if you don't want, you can just run the boot scan.

Return to the menu of the scanner and go down list to 'Schedule boot-time scan'. Click to get Scan local disks, make sure Archive is checked, then check Advanced button. I think best to select 'Move infected file to chest' and 'Allow delete or move' and then click Schedule button.

Click button to restart computer and let boot scan run its course.

If you do this, someone should have replied by the time you return here.

Otherwise just wait for a reply.
« Last Edit: June 04, 2009, 07:12:17 AM by mkis »

cindyk

  • Guest
Re: VBS Malware Gen keeps coming back
« Reply #6 on: June 05, 2009, 02:32:15 AM »
Hey there!!

Just came back home.....Thanks for the replies

Last night i did this:

ALL in safe mode

Removed what was apparently left of Norton with Norton removal tool
CCLEANER
MALWARE BYTES
SAS
COMBOFIX
And hijack scan
AVAST THOROUGH SCAN


in the same order as listed above

I will attach to this message the logs of malware, sas, and hijack this.
Wasn't able to get the combofix log
And as I've mentioned above hijack this did not want to install in c drive because it needs administrator authorisation but I am logged in as administrator so don't understand why. Hope this doesn't affect the hijack log

About the reply from mkis:
will doing a boot scan and disabling system restore affect the information on my computer?
I don't want to lose the information cos not everything is backed up


Extra info:
Malware scan resulted clean
SAS scan found c/ windows.pev.exe threat
combofix wasn't able to access all files
and Avast either and found no threats
But i just started my computer and as soon as the main icons loaded the avast alarmed me again with the same threat:
VBS malware gen

It popped up at the same time as the MSN messenger page opened and simplify media loaded.
maybe they are infected?
I had no other online applications or pages open when the alarm went off

Yesterday while I was doing all the scans my desktop background picture disappeared

Hope someone can help.....
Thanks in advance!!




Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: VBS Malware Gen keeps coming back
« Reply #7 on: June 05, 2009, 02:55:32 AM »
Did you allow SAS to deal with this detection, e.g. quarantine it C:\WINDOWS\PEV.EXE (as the detection appears to be good) ?

Your HJT log was run from safe mode; it should be run from normal mode, as some malware won't be running in safe mode, so may not be reported.

You don't appear to have an active firewall - It should be capable of blocking unauthorised outbound Internet Connections. - What is your firewall ?

If only the Vista firewall, outbound protection is disabled by default.

Other than that I don't see anything obvious, but it was run from safe mode.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

cindyk

  • Guest
Re: VBS Malware Gen keeps coming back
« Reply #8 on: June 05, 2009, 03:16:51 AM »
Thanks !!

I did next on SAS but will do it again just in case
I'll do the HJT again in normal mode after that and post a log

About the firewall.... well I only have the avast and the windows firewall.
It is activated, is there anything I can do to improve the windows firewall or should I use an extra firewall?
Windows does mention that two firewalls running at the same time can bring interference
Do I deactivate the windows firewall and download a better one?
Do you have any suggestions?


Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: VBS Malware Gen keeps coming back
« Reply #9 on: June 05, 2009, 03:33:02 AM »
Hi cindyk

I’ll just post this for now.

Quote
About the reply from mkis:
will doing a boot scan and disabling system restore affect the information on my computer?
I don't want to lose the information cos not everything is backed up

Well no, doing a bootscan can be done anytime and is not a problem. So nothing turned up when you scanned in Safe Mode but alerts were triggered after you restarted? Interesting.

And well yes, doing a bootscan and disabling system restore will affect information on your computer. So you could look at doing that later. Generally, the bootscan / remove system restore will affect your computer positively in that what is cleared out may have been helping to conceal malware. But because I am not actually there with you, and because you have actually made a lot of progress already, I think best hold fire on the scan / system restore. Unless one of the more experienced of the contributors like DavidR comes on and says go ahead. For myself, I nearly always disable system restore for bootscans.

Here is what Google returned on pev.exe –
http://www.google.co.nz/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&channel=s&hl=en&q=pev.exe&meta=&btnG=Google+Search

But may look worse than it actually is. Is pev.exe in SAS quarantine after the scan?

Otherwise, go ahead with what you’re doing. You seem to be doing well. And you’re in good hands with DavidR. I will have a look at your logs as well and see what your system is like.


You will need to install a firewall once your computer is back running smoothly.
« Last Edit: June 05, 2009, 03:43:50 AM by mkis »

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: VBS Malware Gen keeps coming back
« Reply #10 on: June 05, 2009, 05:00:04 AM »
Here are a couple of other things Cindyk. I thought better to post them now in case I forget.


The antirootkit can be run anytime - unless someone comes on and says otherwise.
The firewall for later on, when you're back running smoothly..

You might want to run anti-rootkit - here are a couple. Just download and run a scan.

http://www.pandasecurity.com/homeusers/downloads/docs/product/help/rkc/en/rkc_en.htm

http://www.trendmicro.com/download/rbuster.asp


Firewall

To help you install Windows Defender firewall - click on the following link

http://www.microsoft.com/security/portal/

On the sidebar to the right you see latest Definition Updates. I presume you have 32bit. If so choose it and download. Run the download and ensure the install goes through cleanly. Make sure your firewall has come on - you will see a small grey castle with a green shield on the tray bottom right hand corner of screen.

Another firewall I like is WinPatrol which seems to sit beside Defender firewall no worries
You find WinPatrol here   http://www.winpatrol.com/
WinPatrol's Scotty will help you set your WinPatrol according to your preferences.

 
« Last Edit: June 05, 2009, 05:03:30 AM by mkis »

cindyk

  • Guest
Re: VBS Malware Gen keeps coming back
« Reply #11 on: June 05, 2009, 05:16:46 AM »
I'm back with bad news I guess....
Yesterday as I said malware came clean, sas with windows.pev.exe
avast clean
and now following your advice of checking the SAS quarantine which had indeed quarantined the pev.exe

Now it detected 5 items

Trojan.Unknown Origin
   C:\COMBOFIX\PEV.EXE
   C:\WINDOWS\PEV.EXE

Adware.Tracking Cookie
   C:\Users\cindy\AppData\Roaming\Microsoft\Windows\Cookies\Low\cindy@2o7[1].txt
   C:\Users\cindy\AppData\Roaming\Microsoft\Windows\Cookies\Low\cindy@ads.bleepingcomputer[1].txt
   C:\Users\cindy\AppData\Roaming\Microsoft\Windows\Cookies\Low\cindy@doubleclick[1].txt


i then did a HJT scan
I hereby attach the two logs

Please help me



Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: VBS Malware Gen keeps coming back
« Reply #12 on: June 05, 2009, 05:36:53 AM »
Don't worry about the tracking cookies, they are just a nuisance.

PEV.EXE
Quote
C:\COMBOFIX\PEV.EXE
   C:\WINDOWS\PEV.EXE


These might be two separate readings of the same instance. Don't worry too much about this for now.

Is avast still sending out alerts after you turn your computer on and it is running?
Does your computer run slow? Or, pev.exe aside, is everything running better?

« Last Edit: June 05, 2009, 06:06:41 AM by mkis »

cindyk

  • Guest
Re: VBS Malware Gen keeps coming back
« Reply #13 on: June 05, 2009, 05:41:22 AM »
Well the first time I started the computer today two hours ago first thing it did was pop up with the VBS
But now since SAS scan no problems yet


Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: VBS Malware Gen keeps coming back
« Reply #14 on: June 05, 2009, 06:13:18 AM »
Okay, just separated those tracking cookies from pev.exe in my previous post.


If the computer seems okay, try a few things out, see if it is running okay. Probably a good time to install Defender and wouldn't hurt to set up WinPatrol, maybe try a disk clean up and defrag.

Just to see if any alerts, warnings, errors, etc...or whether smooth running.
Can tidy up loose ends later.

I have to go out for a while. I'll check the forum when I get back.
« Last Edit: June 06, 2009, 05:23:25 AM by mkis »