Avast WEBforum
Other => Viruses and worms => Topic started by: Misuzu on August 09, 2012, 08:30:34 AM
-
Hello. I have a question regarding a malicious file that seemingly "disappeared".
While browsing a website, both Windows Defender and Avast! told me that there was a suspicious/malicious file detected. Avast! then warned me about a malicious file that was trying to execute on my PC, and asked if I wanted to open it using sandbox. I wrote down the location of the file and exited out of the Avast "warning window". I checked out the file myself; I scanned it with Avast! and MBAM. Avast! found it safe, MBAM detected the file as malicious. However, for some reason I wanted to check to make sure, so I scanned the file with VirusTotal for a second opinion. Thus, I didn't quarantine the file using MBAM beforehand. After scanning the file with VirusTotal, it detected the file as malicious. I went to delete said malicious file a few minutes later to find that it was missing. Here is the location and name of the file:
C:\Users\Family PC\AppData\Local\Temp\8812824
Malicious file in question is named: 8812824
It was an .exe file.
I was able to find said file by "searching temp folder" before, but after what I described above, I could no longer find it. I later did a up-to-date full scan using MBAM and it detected 4 malicious files (the log for that is attached below), but none of them were the "8812824" file above.
Should I be worried about this file? Or is it safe to assume that it's gone?
Thanks in advance!
Best regards.
-Misuzu
-
send the files to virus lab please...
Open avast user interface>>open maintainence tab>>chest>>right click and click add>>browse the files and select them and click open>>right click on the files added to chest and click send to virus lab>>update definations manually to send them>>on next update>>scan the file again added in the chest and if not detected send it again...
You would have to restore the files from Mbam quarantine first...open MBam>>select quarantine tab>>and click restore all
files will be restored back here:
C:\Users\Family PC\AppData\Local\Temp\8806693.exe
C:\ProgramData\OynibzecCafs.dll
The above 2 files are to be sent to virus lab.
-
Thank you for the fast reply!
Are you saying that the two files you asked me to restore and send to virus lab are responsible for the disappearance/originated from said disappeared file or something?
I cannot find the disappeared file, as stated. So I couldn't send it in.
I'm sorry if I'm misunderstanding your post, I'm not very knowledgeable about this kind of stuff. My apologies.
Thanks again! :)
Best regards.
-
You will have to restore the 2 files in mbam quarantine to their orginal locations these 2 things are need to be sent...[locations to which they are restored in previous post..]
Whats next?? follow the guide to ensure you are clean: http://forum.avast.com/index.php?topic=53253.0
-
I understood that. The missing file is "8812824", not the two files you are asking me to send in. I was curious why I needed to send those two files when the file I was asking about was the missing file? Will sending in those two files help me determine if I somehow quarantined the "missing file"? Or did I unsuccessfully quarantine those two files?
I'm so sorry, I'm having difficulties understanding. I appreciate your help, I'm just kind of slow about these type of things... Sorry for bothering you with this.
Thanks for all your help!
-Misuzu
-
Nope...we wanna help avast improve protection...by sending those 2 files you help avast improving their protection.
after sending those files folow the guide and attach all logs here: http://forum.avast.com/index.php?topic=53253.0
-
did you run any other programs?
did you clean the temp folder?
-
Pondus,
This could have been a possible path of a Ukash or Spyware.Zbot infection, so I would advise a qualified remover should look into the issue, also because the file has a random file name. Don't you agree with me here?
polonus
-
also because the file has a random file name. Don't you agree with me here?
yepp. ;)
-
Thanks for all the replies guys!
So the "random file name" malware thing (Ukash or Spyware.Zbot infection) might have caused the "disappearance" of the file in question?
Nonetheless, I'll try doing another full MBAM scan, but what else should I do about this?
Thanks!
-
We could have a quick look at the system ;D
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache /s
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
Hi essexboy!
I use Firefox and it, by default, downloads files to the "Downloads" folder, not the desktop. Can I just download OTL and move it from the "downloads" folder to the desktop, or must I directly download it to the desktop?
Also, I did do an up-to-date MBAM full scan and it didn't find anything.
Thanks!
-Misuzu
-
Can I just download OTL and move it from the "downloads" folder to the desktop, or must I directly download it to the desktop?
you can move it...... and the logs will arrive at same place as OTL
-
I am so sorry for such a long delay. The OTL logs are too large to attach in one post, so I'll post both logs as attachments in different posts. It wouldn't let me attach a log onto this post for some reason ... ?
Other Things: (skip if you wish)
Also, Avast! kept trying to scan/terminate OTL in fear that it was malicious. It terminated OTL twice before I turned off Avast!. I'm not sure if this would have affected the scan at all?
I'm also painfully aware that my family's PC is very out of date (I'm pretty sure anyway?). My relatives assumed that the newest Windows Update (at the time) was preventing this one program my relative needed to use (for her telemarketing job) from working. So we disabled any further Windows Updates. I know this was a bad decision, but since I'm not smart at technical computer stuff, and because my relative's work is important, I went along with it.
Anyway, sorry for the long post.
Thanks for everything! :D
-
Here's the OTL log.
-
... And here's the Extras log.
Do you see any malicious/other problems? (Besides the out-of-date issue)
Thanks everyone! :D
-
Hi there is still malware on the system so lets kill that first. There is also Norton running on the system
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Files
C:\Users\Family PC\AppData\Local\{9a63ac42-5acb-f4c2-1f90-46a955d779fb}
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
FINALLY
run farbar service scanner (http://download.bleepingcomputer.com/farbar/FSS.exe)
(https://dl.dropbox.com/u/73555776/FSS.GIF)
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
-
When I pasted in the CODE you posted and hit "Run fix", soon after, a Windows pop-up said Windows was about to shut down the PC and to save anything I was working on. OTL continued to run, but about a minute later Windows restarted. Was this from OTL or did Windows restart itself WHILE OTL was still working?
Will this cause problems if it's the latter?
After Windows restarted...
I also noticed my PC started up and is moving slightly slower and these "faded" icons appeared suddenly in the library (see attachment) and two files called "desktop.ini" appeared in my library AND on the desktop. All the files names went from something like "sunset" to "sunset.png" or "song" to "song.mp3" and so on. I know these are the normal extensions (I think that's what their called?) for these files, but for some reason their appearing in the files name, which didn't happen before.
Is this normal? Did I do something wrong?
Besides what I listed, mostly the PC is acting normal.
-
That is normal as OTL has reset some system settings for the duration of the fix.. They will be rehidden on completion
Once combofix has run you should be fairly clean and FSS will let me know if your services are OK
-
Oh good. Glad everything is okay. :)
I'm going to run a Quick Scan with OTL soon. Should I paste in the code (or whatever it's called?) that you posted in your first post when I Quick Scan or not?
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache /s
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
A quick scan will suffice ;D
-
Okay here's the OTL log. It didn't produce an "extras log" this time.
Since you didn't tell me to, I didn't check mark "scan all users". Is that okay?
Is the malware gone now?
Also, I think I'll have to use Internet Explorer to save ComboFix to the Desktop. I can't figure out how to download/save to desktop on Firefox.
-
Not quite.. We will need Combofix to check out the services.exe file first
-
I accidentally downloaded ComboFix, via IE, to the Downloads folder. Would it be safe to just delete it and empty it from the recyle bin?
I'm not very good with/knowledgeable about this kind of stuff, so I want to make sure I do this right and don't mess anything up.
Sorry for all the trouble.
-
Just right click Combofix, select cut
Then on your desktop right click and select paste
-
Ok I did what you said.
Here's the log.
EDIT: Forgot to include this...
The computer is running pretty smoothly. All the "problems" I listed above are gone now.
-
Here's the FSS log.
Note: I drug the FSS executable file that I downloaded from the Downloads folder to the desktop. Hope that didn't affect anything?
Is there anything left that I need to do?
Thanks for everything! :)
-
How is the computer behaving now ? Any problems ?
-
The internet seems to be running slightly faster now. Avast! still is unable to update (whether automatically or manually) despite being connected to the internet. But this has been happening for a while. And if I remember correctly, the logs I posted said Avast! was updated, despite all the pop-ups I get about it needing updating/being unable to update. Otherwise, I see no problems. Then again, I usually don't notice anything "bad" or suspicious when computers get malware unless it's obvious (i.e wallpaper changes, new favorites that weren't there before etc...)
Did you see anything "bad" in the newest logs I posted?
Thanks again!
-Misuzu
-
No that looks OK now .. For Avast have you tried a repair ?
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Go to control panel
- Select folder options (Appearance > Folder options in category view)
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- GoStart > All programs > Accessories > system tools
- Right click Disc cleanup and select run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Whenever I type in "ComboFix /Uninstall", ComboFix runs like it did the first time I used it. In other words, it asks if I want to update it etc... When I let it update, several warnings from Avast! popped up. I keep getting several warning pop-ups from Avast! everytime I type "ComboFix /Uninstall" into the Run box. (as seen in the attachments)
What am I doing wrong?
Sorry to bother you.
-
Not a problem .. Skip that step and OTL will uninstall it for you when you run the cleanup button
This happened once before and sUBs needed to make a minor adjustment to the uninstall routine.. I will let him know
-
Alright, I "cleaned up" using OTL and installed a new version of Java. I'll be making a new restore point soon. :D
EDIT: I created a new restore point but I can't find Start > All programs > Accessories to get rid of the infected ones. I used Windows Help and Support to find "Disk Cleanup". However after "Disk Cleanup" gets done calculating how much free space I'll get, it asks me what I want to permanently delete. What should I checkmark or just leave it on default? (By default it says it'll delete "Internet Downloaded Programs" (or something like that), "Temporary Internet Files" and "Thumbnails").
One last question, if you don't mind?
I think my family's MP3 Player(s) have been plugged into this computer around the time of infection. So the MP3 Players may be infected, I think? I wouldn't want to get infected again. I use "Panda USB Vaccine" to protect this computer from malware via removable media. Is this an effective method to protecting computers from removable media? It doesn't seem to be able to "vaccinate" all kinds of removable media, but it seems pretty good so far.
Do you have any suggestions when it comes to protecting computers from removable media malware? Or is what I have good enough?
Thanks for everything! :D
Sorry for all the questions and problems.
-
A little picture to help ;D
Yes select all to delete and on the more options tab delete all bar the latest restore point
I use "Panda USB Vaccine" to protect this computer from malware via removable media
That is good
-
I was looking for "Disk Cleanup" under "Control Panel", no wonder I couldn't find it. ???
Following your instructions, I cleaned out all the previous/older restore points! :D
The computer seems to be working slightly faster after all this too.
Sorry this whole process took so long.
Thanks so much for all your help! :D
-Misuzu
-
Not a problem, it keeps me off the street and out of the bars ;D