Avast WEBforum
Other => Viruses and worms => Topic started by: Syx0 on August 02, 2009, 06:17:29 AM
-
So, I use Avast normally, but I felt there still might be something wrong with my computer. I scanned with Avast and found nothing. I went to F-secure's on-line scanner. It scanned until it was about 66% and then it blue screen of deathed me. It did detect 3 malware though (the report is below). I am running Vista Home Premium and my Avast is up to date. If anyone could tell me what the report means and what I need to do about it, that would be amazingly helpful. The computer is only slightly slower and I thought I saw some sort of pop up flash for a minute (in several instances) as the computer was shutting down (I'm not sure if that isn't just a program resisting being shut down), past this the comp is asymptomatic. Anyway, I say all this just to ask for help, and I appreciate anyone who is willing to help.
Thanks in Advance,
Syx0
Scanning Report
Saturday, August 1, 2009 00:27:38 - 00:36:26
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ D:\ F:\ G:\
--------------------------------------------------------------------------------
3 malware found
Stealth_file (virus)
C:\ADSM_PDATA_0150\DB\_AVT (Not cleaned & Submitted)
Stealth_file (virus)
C:\ADSM_PDATA_0150\DRAGWAIT.EXE (Not cleaned & Submitted)
Stealth_file (virus)
C:\ADSM_PDATA_0150\_AVT (Not cleaned & Submitted)
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 18870
System: 5022
Not scanned: 0
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
Not cleaned: 3
Submitted: 3
-
Hello Syx0,
you can download malwarebytes antimalware(mbam) from here malwarebytes.org(free version) install, update and perform full scan and post the log here.
you can also try superantispyware(sas). dont worry about the tracking cookies it reports, let sas deal with it.
-
Don't forget to update MBAM & SAS before running a scan.
-
Hi Syx0,
It could well be you if you still would have Norton there or parts of Norton because this is known to be a Norton false positive. This time it was a F-Secure FP.
Question.
Do you have an asus machine? Because the Faux virus can be found as:
Hidden file : c:\adsm_pdata_0150\dragwait.exe
Hidden file : c:\adsm_pdata_0150\_avt
Hidden file : c:\adsm_pdata_0150\db\si.db
Hidden file : c:\adsm_pdata_0150\db\ul.db
Hidden file : c:\adsm_pdata_0150\db\vl.db
Hidden file : c:\adsm_pdata_0150\db\_avt
Hidden file : c:\program files\asus\asus data security manager\driver\x86\asdsm.sys
Hidden file : c:\program files\asus\asus data security manager\driver\x86\_avt
Hidden directory : c:\adsm_pdata_0150
Hidden directory : c:\adsm_pdata_0150\db
Hidden directory : c:\program files\asus\asus data security manager\driver\x86
So check on: C:\ADSM_PData_0150\DragWait.exe and upload it to virustotal.com for results,
as well as this one: C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\AsDsm.sys
So I would go for the False Positive, like to have that confirmed? Yes it is a FP more than likely...
polonus
-
Ok so forgive my ignorance but how do I go about getting said hidden files to appear normally. I can get them to appear in safe mode, but not in normal mode. This in effect means that I cannot scan the Dragwait.exe or other file without making them visible normally.
-
Oh and I do have an ASUS machine, and it came with Norton which I never used as I starteed this machine with Avast. In fact, I uninstalled Norton almost immediately.
-
Here is the Malwarebytes log:
Malwarebytes' Anti-Malware 1.39
Database version: 2548
Windows 6.0.6001 Service Pack 1
8/2/2009 10:30:52 PM
mbam-log-2009-08-02 (22-30-47).txt
Scan type: Full Scan (C:\|D:\|F:\|G:\|)
Objects scanned: 293731
Time elapsed: 46 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Run MBAM again and remove this item.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
Also try and run SAS (http://www.superantispyware.com).
-
It gave me the option to remove it so I did already and I am currently running SAS
-
Ok I ran SAS. It gave me some stuff about a few cookies. I couldn't find a way to copy the report. It didn't appear pertinent. As soon as I restart my system, it will remove them. I want to do what Polonus said(above) and check out those two files, but being that they are hidden I can't access them except when in safemode. Is there anything I can do to change that?
-
Syx0
you can do this.
go to virus chest > user files > add files > browse to the folder > type DragWait.exe or AsDsm.sys in the file area(even if you dont see it there.) and click ok.
then extract the file(s) to another folder, well let it be on the desktop, then try to upload it to virustotal. and post the link to that site here.
-
Here is the DragWait.exe file analysis:
File has already been analysed:
MD5: 49bd0a002320d9f3266a04b15ba1f933
First received: 2009.05.27 12:21:01 UTC
Date: 2009.06.21 19:40:21 UTC [>42D]
Results: 0/41
Permalink: analisis/d69c0f12a76360297e0fefc0aaa14010ca5b452cc45ee587279a7eb7e549cacf-1245613221
-
<snip>
3 malware found
Stealth_file (virus)
C:\ADSM_PDATA_0150\DB\_AVT (Not cleaned & Submitted)
Stealth_file (virus)
C:\ADSM_PDATA_0150\DRAGWAIT.EXE (Not cleaned & Submitted)
Stealth_file (virus)
C:\ADSM_PDATA_0150\_AVT (Not cleaned & Submitted)
did avast detect it? and said not cleaned and submitted?
accordin virustotal(vt) not one is detecting.
edit : or is it mbam?
-
It was neither. I posted at the top that it was F-secure. I normally use Avast and so I figured I would see if my Avast just wasn't detecting something that was there or if I needed to be worried.
-
<snip>
It was neither. I posted at the top that it was F-secure.
yes! it is there. missed it.
<snip>
I normally use Avast and so I figured I would see if my Avast just wasn't detecting something that was there or if I needed to be worried.
if you want make sure that avast is oki, you can use mbam instead of online scanners. No need to worry!
-
Alright, so im in the clear then?
If so, my final questions is concerning SAS. . .
I've been using Spybot, is this a better product?
-
<snip>
Alright, so im in the clear then?
if virustotal says its clean then it may be clean.(generally, since the file will be scanned using 40+ scanners)
If so, my final questions is concerning SAS. . .
I've been using Spybot, is this a better product?
spybot has not kept with the current threats(as many say) but sas is a good product when compared to spybot(as many say).
-
Thank you everyone who has helped me with all of this. I appreciate it very much. God Bless you all.
Syx0
-
<snip>
Thank you everyone who has helped me with all of this. I appreciate it very much.
you are welcome
God Bless you all.
thank you. and wish the same to you and your pc.
come back if you have any problems again.
foot note: come back again to check what polonus has to say(if he posts here).
-
Run MBAM again and remove this item.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
Also try and run SAS (http://www.superantispyware.com).
DON"T REMOVE THIS , IT IS NOT A VIRUS IT IS SIMPLY TELLING YOU TO CHANGE THE REGISTRY FROM A 1 TO A 0
-
It doesn't actually remove it I believe, but sets the registry to the good value.
-
I dont think removal would hurt, regardless.
But maybe, would? are there any issues with this entry?
-
I believe I did remove this earlier on, and I've not experienced any negative effects