Avast WEBforum

Other => Viruses and worms => Topic started by: cindyk on June 04, 2009, 04:32:52 AM

Title: VBS Malware Gen keeps coming back
Post by: cindyk on June 04, 2009, 04:32:52 AM
Hey !
Sorry for posting a new thread about an apparently old problem but haven't found the solution to my problem yet among other posts.

Avast detects VBS malware gen all the time.
Each time I put it in the chest and it comes back.
It began when I was checking my Gmail yesterday
and now keeps popping up.

So I did all the Windows updates
ccleaner
Super anti spyware
Combofix
and will be doing a Malwarebytes scan now
Also installed the latest hijack this but can't seem to install it in c/

I attach the hijack this log
and the combofix log just in case it might help you to help me
Is this very dangerous for the well being of my computer?

Thanks in advance for any info or help you can give me !!




Title: Re: VBS Malware Gen keeps coming back
Post by: .: L' arc :. on June 04, 2009, 04:38:08 AM
-= You don't seem to be using any antivirus.. You should download one to keep yourself protected..

-= We didn't detect any active process of a firewall on your system. Reasons maybe:

(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.

-= It is very much recommended to use a firewall..
Title: Re: VBS Malware Gen keeps coming back
Post by: cindyk on June 04, 2009, 04:47:39 AM
Hello !

Well actually I do have AVAST but had it disabled at the time of the scan, maybe that's why it seems disabled

It is my avast anti virus which detected the VBS malware gen and today it also alerted a Win 32 trojan gen

That's why I'm wondering what's wrong?
Thanks for your help!
Title: Re: VBS Malware Gen keeps coming back
Post by: mkis on June 04, 2009, 05:31:35 AM
Hi Cindyk

I'm just popping through the forum at the moment but someone will reply soon. You don't seem to have posted a full HjT log and I expect when someone replies they will ask for a full log.

As for the SAS log - I expect the same will apply.

Avast will not work best when you have another antivirus (Norton) on your machine. This issue will also be brought up. As well, you have two antivirus and they are both disabled. Your Avast should be running, especially if it is alerting to malware.

I think best to enable your Avast and post a full HjT log.

Regards.
Title: Re: VBS Malware Gen keeps coming back
Post by: cindyk on June 04, 2009, 05:52:40 AM
Quote
Hi Cindyk

I'm just popping through the forum at the moment but someone will reply soon. You don't seem to have posted a full HjT log and I expect when someone replies they will ask for a full log.

As for the SAS log - I expect the same will apply.

Avast will not work best when you have another antivirus (Norton) on your machine. This issue will also be brought up. As well, you have two antivirus and they are both disabled. Your Avast should be running, especially if it is alerting to malware.

I think best to enable your Avast and post a full HjT log.

Regards.

Thank you for your reply!

Will certainly do that and post the new logs
Title: Re: VBS Malware Gen keeps coming back
Post by: mkis on June 04, 2009, 07:07:28 AM
Hi Cindy. Just passing through again.

Posting a HjT log should be sufficient to start with.

Also have you run a boot time scan yet? Here's a step by step if you haven't done one before.

Right click icon with 'a' bottom left hand corner of screen, and select to 'Start avast antivirus'.
- will quick test memory, then a Help guide will pop up (close this), followed by the scanner for GUI interface.

Open menu on top left hand corner of scanner, choose 'start scan', go through select area, and click to select 'local disks'. On the popup set 'thorough' and check 'archive' box (you don't have to do this, but it won't hurt).

Right click My Computer on desktop, and choose Properties. Select tab that says System Restore and click. Check the box that says Turn off System Restore and click Apply button. Press OK. This will hopefully clear anything nasty that might be lurking about the back pages of the computer. Now you don't have to do this just yet if you don't want, you can just run the boot scan.

Return to the menu of the scanner and go down list to 'Schedule boot-time scan'. Click to get Scan local disks, make sure Archive is checked, then check Advanced button. I think best to select 'Move infected file to chest' and 'Allow delete or move' and then click Schedule button.

Click button to restart computer and let boot scan run its course.

If you do this, someone should have replied by the time you return here.

Otherwise just wait for a reply.
Title: Re: VBS Malware Gen keeps coming back
Post by: cindyk on June 05, 2009, 02:32:15 AM
Hey there!!

Just came back home.....Thanks for the replies

Last night i did this:

ALL in safe mode

Removed what was apparently left of Norton with Norton removal tool
CCLEANER
MALWARE BYTES
SAS
COMBOFIX
And hijack scan
AVAST THOROUGH SCAN


in the same order as listed above

I will attach to this message the logs of malware, sas, and hijack this.
Wasn't able to get the combofix log
And as I've mentioned above hijack this did not want to install in c drive because it needs administrator authorisation but I am logged in as administrator so don't understand why. Hope this doesn't affect the hijack log

About the reply from mkis:
Will doing a boot scan and disabling system restore affect the information on my computer?
I don't want to lose the information cos not everything is backed up


Extra info:
Malware scan resulted clean
SAS scan found c/ windows.pev.exe threat
combofix wasn't able to access all files
and Avast either and found no threats
But I just started my computer and as soon as the main icons loaded the avast alarmed me again with the same threat:
VBS malware gen

It popped up at the same time as the MSN messenger page opened and simplify media loaded.
maybe they are infected?
I had no other online applications or pages open when the alarm went off

Yesterday while I was doing all the scans my desktop background picture disappeared

Hope someone can help.....
Thanks in advance!!



Title: Re: VBS Malware Gen keeps coming back
Post by: DavidR on June 05, 2009, 02:55:32 AM
Did you allow SAS to deal with this detection, e.g. quarantine it C:\WINDOWS\PEV.EXE (as the detection appears to be good) ?

Your HJT log was run from safe mode it should be run from normal mode as some malware won't be running in safe mode, so may not be reported.

You don't appear to have an active firewall - It should be capable of blocking unauthorised outbound Internet Connections. - What is your firewall ?

If only the Vista firewall, outbound protection is disabled by default.

Other than that I don't see anything obvious, but it was run from safe mode.

Title: Re: VBS Malware Gen keeps coming back
Post by: cindyk on June 05, 2009, 03:16:51 AM
Quote
Did you allow SAS to deal with this detection, e.g. quarantine it C:\WINDOWS\PEV.EXE (as the detection appears to be good) ?

Your HJT log was run from safe mode it should be run from normal mode as some malware won't be running in safe mode, so may not be reported.

You don't appear to have an active firewall - It should be capable of blocking unauthorised outbound Internet Connections. - What is your firewall ?

If only the Vista firewall, outbound protection is disabled by default.

Other than that I don't see anything obvious, but it was run from safe mode.



Thanks !!

I did next on SAS but will do it again just in case
I'll do the HJT again in normal mode after that and post a log

About the firewall.... well I only have the avast and the windows firewall.
It is activated, is there anything I can do to improve the windows firewall or should I use an extra firewall?
Windows does mention that two firewalls running at the same time can bring interference
Do I deactivate the windows firewall and download a better one?
Do you have any suggestions?

Title: Re: VBS Malware Gen keeps coming back
Post by: mkis on June 05, 2009, 03:33:02 AM
Hi cindyk

I’ll just post this for now.

Quote
About the reply from mkis:
Will doing a boot scan and disabling system restore affect the information on my computer?
I don't want to lose the information cos not everything is backed up

Well no, doing a bootscan can be done anytime and is not a problem. So nothing turned up when you scanned in Safe Mode but alerts were triggered after you restarted? Interesting.

And well yes, doing a bootscan and disabling system restore will affect information on your computer. So you could look at doing that later. Generally, the bootscan / remove system restore will affect your computer positively in that what is cleared out may have been helping to conceal malware. But because I am not actually there with you, and because you have actually made a lot of progress already, I think best hold fire on the scan / system restore. Unless one of the more experienced of the contributors like DavidR comes on and says go ahead. For myself, I nearly always disable system restore for bootscans.

Here is what Google returned on pev.exe –
http://www.google.co.nz/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&channel=s&hl=en&q=pev.exe&meta=&btnG=Google+Search

But may look worse than it actually is. Is pev.exe in SAS quarantine after the scan?

Otherwise, go ahead with what you’re doing. You seem to be doing well. And you’re in good hands with DavidR. I will have a look at your logs as well and see what your system is like.


You will need to install a firewall once your computer is back running smoothly.
Title: Re: VBS Malware Gen keeps coming back
Post by: mkis on June 05, 2009, 05:00:04 AM
Here are a couple of other things Cindyk. I thought better to post them now in case I forget.


The antirootkit can be run anytime - unless someone comes on and says otherwise.
The firewall for later on, when you're back running smoothly.

You might want to run anti-rootkit - here are a couple. Just download and run a scan.

http://www.pandasecurity.com/homeusers/downloads/docs/product/help/rkc/en/rkc_en.htm

http://www.trendmicro.com/download/rbuster.asp


Firewall

To help you install Windows Defender firewall - click on the following link

http://www.microsoft.com/security/portal/

On the sidebar to the right you see latest Definition Updates. I presume you have 32bit. If so choose it and download. Run the download and ensure the install goes through cleanly. Make sure your firewall has come on - you will see a small grey castle with a green shield on the tray bottom right hand corner of screen.

Another firewall I like is WinPatrol which seems to sit beside Defender firewall no worries.
You find WinPatrol here: http://www.winpatrol.com/
WinPatrol's Scotty will help you set your WinPatrol according to your preferences.

 
Title: Re: VBS Malware Gen keeps coming back
Post by: cindyk on June 05, 2009, 05:16:46 AM
Quote
Did you allow SAS to deal with this detection, e.g. quarantine it C:\WINDOWS\PEV.EXE (as the detection appears to be good) ?

Your HJT log was run from safe mode it should be run from normal mode as some malware won't be running in safe mode, so may not be reported.

You don't appear to have an active firewall - It should be capable of blocking unauthorised outbound Internet Connections. - What is your firewall ?

If only the Vista firewall, outbound protection is disabled by default.

Other than that I don't see anything obvious, but it was run from safe mode.



I'm back with bad news I guess....
Yesterday as I said malware came clean, sas with windows.pev.exe
avast clean
and now following your advice of checking the SAS quarantine which had indeed quarantined the pev.exe

Now it detected 5 items

Trojan.Unknown Origin
   C:\COMBOFIX\PEV.EXE
   C:\WINDOWS\PEV.EXE

Adware.Tracking Cookie
   C:\Users\cindy\AppData\Roaming\Microsoft\Windows\Cookies\Low\cindy@2o7[1].txt
   C:\Users\cindy\AppData\Roaming\Microsoft\Windows\Cookies\Low\cindy@ads.bleepingcomputer[1].txt
   C:\Users\cindy\AppData\Roaming\Microsoft\Windows\Cookies\Low\cindy@doubleclick[1].txt


I then did a HJT scan
I hereby attach the two logs

Please help me


Title: Re: VBS Malware Gen keeps coming back
Post by: mkis on June 05, 2009, 05:36:53 AM
Don't worry about the tracking cookies, they are just a nuisance.

PEV.EXE
Quote
C:\COMBOFIX\PEV.EXE
   C:\WINDOWS\PEV.EXE


These might be two separate readings of the same instance. Don't worry too much about this for now.

Is avast still sending out alerts after you turn your computer on and it is running?
Does your computer run slow? Or, pev.exe aside, is everything running better?

Title: Re: VBS Malware Gen keeps coming back
Post by: cindyk on June 05, 2009, 05:41:22 AM
Quote
Don't worry about the tracking cookies, they are just a nuisance.

Quote
C:\COMBOFIX\PEV.EXE
   C:\WINDOWS\PEV.EXE


These might be two separate readings of the same instance. Don't worry too much about this for now.

Is avast still sending out alerts after you turn your computer on and it is running?
Does your computer run slow? Or, pev.exe aside, is everything running better?



Well the first time I started the computer today two hours ago first thing it did was pop up with the VBS
But now since SAS scan no problems yet

Title: Re: VBS Malware Gen keeps coming back
Post by: mkis on June 05, 2009, 06:13:18 AM
Okay, just separated those tracking cookies from prev.exe in my previous post.


If computer seems okay, try a few things out, see if it is running okay. Probably a good time to install Defender and wouldn't hurt to set up WinPatrol, maybe try a disk clean up and defrag.

Just to see if any alerts, warnings, errors, etc...or whether smooth running.
Can tidy up loose ends later.

I have to go out for a while. I'll check the forum when I get back.
Title: Re: VBS Malware Gen keeps coming back
Post by: DavidR on June 05, 2009, 03:47:10 PM
<snip>
Trojan.Unknown Origin
   C:\COMBOFIX\PEV.EXE
   C:\WINDOWS\PEV.EXE

This really is nothing to be too worried about as firstly it looks like combofix also detected this and I would have thought that would have deleted it and or put it in the combofix quarantine (so it shouldn't be detected in that area), but it doesn't appear to have either deleted the original (or that has been restored) nor has it moved it to its quarantine area.

As I mentioned before in other topics and mkis said here tracking cookies are much ado about nothing, but always let SAS take care of them. Have your browser block (or not accept third party cookies) and periodically clear cookies from your system.

I don't see anything obvious in your HJT log other than:
You don't appear to have an active firewall - It should be capable of blocking unauthorised outbound Internet Connections. The Vista firewall does have outbound protection, but it is disabled by default (it isn't very user friendly, is rule based and you have to create the rules).

- Vista Firewall Control, http://www.sphinx-soft.com/Vista/index.html and this, http://www.sphinx-soft.com/Vista/faq.html. Also check out this topic for a more user friendly Firewall control, Outbound protection, http://forum.avast.com/index.php?topic=30234.0.
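
The outbound setting DavidR describes for the built-in Vista firewall, shown with the stock `netsh advfirewall` commands. This is an added example, not part of the original thread; the backup file path and the Firefox program path are assumptions, and it assumes the predefined Core Networking outbound rules (DNS, DHCP) are still enabled.

```bat
@echo off
rem Added example, not from the thread. Run from an elevated Command Prompt
rem on Windows Vista or later.

rem 1. Save the current policy so it can be restored if something breaks.
rem    The backup path is an assumption; any writable folder works.
netsh advfirewall export "%USERPROFILE%\firewall-before.wfw"

rem 2. Show the default actions per profile. The out-of-the-box value is
rem    "BlockInbound,AllowOutbound": inbound filtered, outbound unfiltered.
netsh advfirewall show allprofiles firewallpolicy

rem 3. Log dropped connections so a blocked program can be identified later.
rem    Default log file: %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
netsh advfirewall set allprofiles logging droppedconnections enable

rem 4. Change the default outbound action to block. From here on only
rem    programs matched by an outbound allow rule can reach the network.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem 5. Create one outbound allow rule per trusted program. The browser path
rem    below is an assumption; point it at the program actually installed.
netsh advfirewall firewall add rule name="Allow Firefox out" dir=out action=allow program="%ProgramFiles%\Mozilla Firefox\firefox.exe" enable=yes

rem 6. Review every outbound rule that is now in effect.
netsh advfirewall firewall show rule name=all dir=out

rem To undo everything:
rem   netsh advfirewall import "%USERPROFILE%\firewall-before.wfw"
```

With outbound blocking on, anything without an allow rule fails silently, so the dropped-connection log from step 3 is where to look when a program stops connecting.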
Title: VBS Malware Gen no longer detected by avast!!
Post by: cindyk on June 06, 2009, 08:56:20 AM
Thanks so much for all the help.
I haven't had any trouble today
if you know anything more about pev.exe let me know
My machine is new and I want to keep it clean and fit.

I downloaded Vista Firewall control.
Do I need Winpatrol in addition or is that enough??

Thanks again for the quick replies!!

Title: Re: VBS Malware Gen keeps coming back
Post by: cindyk on June 06, 2009, 08:57:37 AM
Last question: Do I delete the quarantined files from SAS and AVAST?

Thanks again!!

Title: Re: VBS Malware Gen keeps coming back
Post by: mkis on June 06, 2009, 10:36:50 AM
All cred to you cindyk

Quote
Do I need Winpatrol in addition or is that enough??
It's up to you really. I like WinPatrol, and others in the Forum use it. But looking for the right firewall for you to have as part of your defense is the main point. There's no doubt that WinPatrol is among the best. I'm getting to like Online Armor, which will probably end up my first preference. http://www.tallemu.com/

Quote
if you know anything more about pev.exe let me know
I think prev.exe can be lots of variants. But I haven't had any first hand experience. From what DavidR said I think you've done a good job of dealing to it.

Quote
Do I delete the quarantined files from SAS and AVAST?
You can keep quarantined files in avast for a while without worry. I'm not sure about SAS, I've only had those tracker cookie things with SAS and I just delete them. From what I gather, DavidR said they can be deleted - but probably best wait for confirmation.
Title: Re: VBS Malware Gen keeps coming back
Post by: mkis on June 09, 2009, 02:01:47 PM
Hi cindyk. Just checking back to see all is going okay.

If you haven't cleaned out your quarantines, and nothing new has happened, you may as well do it now.

Run a normal search of your drives with keyword prev.exe and see if anything turns up.
Run your scans and if same things turn up, then delete them.

Otherwise, I think you're fine with everything.

In case you haven't come across this link yet, here are directions for using a Flash Disinfector for ensuring that your USB drives are also kept clean of infections.

http://forum.avast.com/index.php?topic=43474.msg363657;topicseen#msg363657


Edit - sorry about this but the Flash Disinfector link above no longer clicks through.
If you haven't already found a good link, try the one below.

FLASH DISINFECTOR

http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe



Title: Re: VBS Malware Gen keeps coming back
Post by: cindyk on June 10, 2009, 03:15:38 AM
hello !

Thanks for checking back you know yesterday suddenly it reappeared and definitely when less expected. Was making a back up on DVD with no other online activity and Avast detected the same VBS again. This was this morning and now it came back again. So definitely haven't gotten rid of it yet. I've been using a USB though, maybe the virus is in there.
so I'll do the USB clean you recommended
I'm using the firewall control but still getting used to it. Do I have to choose enable every time I want to open a new page online?
I will take the time to read the help section of the firewall

So I'll just start again with all the scans... It will take a while cos only have a few hours at night to do this..

I'm doing the search right now!

Keep you informed!

So grateful....... :)

Quote
Hi cindyk. Just checking back to see all is going okay.

If you haven't cleaned out your quarantines, and nothing new has happened, you may as well do it now.

Run a normal search of your drives with keyword prev.exe and see if anything turns up.
Run your scans and if same things turn up, then delete them.

Otherwise, I think you're fine with everything.

In case you haven't come across this link yet, here are directions for using a Flash Disinfector for ensuring that your USB drives are also kept clean of infections.

http://forum.avast.com/index.php?topic=43474.msg363657;topicseen#msg363657

Title: Re: VBS Malware Gen keeps coming back
Post by: mkis on June 10, 2009, 05:12:33 AM
Hi cindyk.

I'm not up on the Vista firewall as I use XP, but the pros and cons of firewalls and Vista are discussed in the forum quite often. I use Online Armor, which has a 'remember' check box to help it to pick up my preferences, and also NoScript, which tracks my decisions for future reference. But most good firewalls will query sites the first time unless they have them down as trusted sites. And you're right, you have to get to know them through their Help sections. I'm still getting familiar with mine.

Same with the antivirus and antispyware. But if you're into it for the long term, it becomes second nature over time. And the person who knows a computer best is the one who uses it, so now you've got some weaponry aboard you can run out your defense routines to keep malware on back foot. Also, (re)infection through USB flash drives is very common all the time, so best keep them disinfected as a rule.

You seem to have a good grasp of what's needed so run the scans and use your quarantine, and keep your eye out for that prev.exe, which you want rid of once and for all - don't think was too bad a malware intrusion, but good housekeeping is always best policy. Run some of your own HjT scans as well and compare them with others in the forum, and with your last ones that were okayed here, so you get to know your system better. And don't hesitate to reply post if you have any difficulties.

Most important, take care out there. And we're not far away anyway.