Avast WEBforum
Other => Viruses and worms => Topic started by: bbowers0650 on August 30, 2012, 02:47:27 PM
-
Downloaded Avast Free on 8/26/12 as my Trend Internet Security expired. Ran Full and Boot Time Scan, which showed a virus. Was able to move the six items detected in the boot scan to the chest. When running a quick scan, it shows no virus. When running a full scan, it seems to hang up around 43-47,000 files. Redid the scan and just let it go the whole night, and it showed 8911 files infected after running almost 8 hours. Threat: Rootkit hidden file. But unable to move to chest. Downloaded Malwarebytes and did a scan. No infected items. Copy of log:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.28.02
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Barbara :: BARBARA-PC [administrator]
8/30/2012 12:45:20 AM
mbam-log-2012-08-30 (00-45-20).txt
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 346378
Time elapsed: 1 hour(s), 11 minute(s), 34 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-
What are the details of the avast detection, file name, location, malware name, etc. ?
Your MBAM database version is a couple of days out of date, whilst this may not be an issue here, before scanning you should always update.
-
I just updated Malwarebytes and running another scan. How do I post the results of the scan that showed the virus?
-
If it was from an on-demand scan then in the Scan Computer section of the UI you have the Scan Logs which can be opened.
-
I am doing another malware scan and will post results. Also doing another Avast scan, but it is taking forever; will post the results of that scan too. The scan that took 8 hours showed 8911 infected files. I looked at the report and do not know how to send it to you. I did make a screenshot of the first portion of the report and will attach it. I also clicked on support and generated a support package which I will attach. Tried to attach it and it said the file was too large. Will try the screenshot again.
-
I think I have seen something similar in another topic, and that related to a Windows update being done at or close to the time of the scan.
Whilst I can't see the full path, the \...\ bit between winsxs\ and the file name may give more information. The number of 8911 is somewhat strange and more indicative of a file infector, but that would show a different malware name and not be contained in the one folder. Since these seem confined to the same file (or few files, given your image) then it is a bit of a strange one.
iedvtool.dll = Internet Explorer F12 developer tools, so I don't know why there would be multiple alerts on this file, but since we don't know what the \...\ part is, it may or may not be in more than one location.
-
So what do I do? I am attaching another copy with the file extended. Also below is the malwarebytes scan that was done after updates.
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.30.02
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Barbara :: BARBARA-PC [administrator]
8/30/2012 9:08:17 AM
mbam-log-2012-08-30 (09-08-17).txt
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 346885
Time elapsed: 2 hour(s), 43 minute(s), 51 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-
I have asked a malware removal specialist to take a look at this as it looks a little strange, but I'm not sure if it is a malware or not.
There may be some delay due to differing time zones and availability of the volunteer malware removal specialists.
-
Have you updated and rescanned with Avast? And are those files still showing as infected?
-
Thanks for joining the topic essexboy. This is the other topic I was thinking about, http://forum.avast.com/index.php?topic=104187.0 and the OP confirms a Windows update had been run:
Pondus/essexboy, thanks for the replies.
Yes, I think Windows Update was running during the full scan, or had finished updating but the computer hadn't been restarted. I probably restarted the computer and re-scanned, and then nothing came up.
-
Yes, I completed another scan and it is still showing a virus. This time it scanned 56,000 files (18.5G) and shows 6105 infected files. The previous 8 hour scan showed it scanned 225,505 files (87.7G) and showed 8911 infected files. I had to leave and when I got back I got the attached screenshot. I selected No and got the attached restart screen. So I am going to restart my computer now.
-
OK, let's have a shufti.
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
THEN
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) (4.8mb) to your desktop.
Double click aswMBR.exe to run it, then click the "Scan" button to start the scan.
On completion of the scan click save log, save it to your desktop and post in your next reply
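The two things the posts above are reaching for, the repeated alerts on one file name under winsxs and the /md5start list of core binaries that OTL hashes, can be checked natively. The script below is an added example, not from the thread and not part of OTL, Avast or aswMBR: it lists every on-disk copy of the flagged file (iedvtool.dll) and of the binaries in OTL's /md5start list, with a SHA256 and an Authenticode check for each. The file names come from the thread; the search roots, the use of SHA256 rather than MD5 and the report layout are my choices. It needs PowerShell 4.0 or later (for Get-FileHash) in an elevated prompt.

```powershell
# Added example, not from the thread. Hash and signature-check every copy of a
# set of Windows binaries across the live system directories and the WinSxS
# side-by-side store. Multiple copies with different hashes are normal in
# WinSxS (different component versions); a copy whose signature does not
# verify is the one worth a closer look.

function Get-SystemFileReport {
    param(
        # names from the thread; services.exe stands in for OTL's "services.*"
        [string[]]$Names = @('iedvtool.dll', 'services.exe', 'explorer.exe',
                             'winlogon.exe', 'userinit.exe', 'svchost.exe', 'qmgr.dll'),
        # assumed search roots
        [string[]]$Roots = @("$env:SystemRoot\System32",
                             "$env:SystemRoot\SysWOW64",
                             "$env:SystemRoot\WinSxS")
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $Names -contains $_.Name } |      # -contains is case-insensitive
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Name      = $_.Name
                    Path      = $_.FullName
                    Size      = $_.Length
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    SigStatus = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
    }
}

$report = Get-SystemFileReport

# Full listing, then only the copies whose signature did not verify.
$report | Sort-Object Name, Path | Format-Table Name, SigStatus, SHA256, Path -AutoSize
$report | Where-Object { $_.SigStatus -ne 'Valid' } | Format-List Name, Path, SigStatus, Signer
```

Walking WinSxS takes a few minutes. Two caveats when reading the output: on Windows 7, Get-AuthenticodeSignature can report NotSigned for files that are signed only through a catalog, so NotSigned there means "confirm with sfc /verifyonly", not "tampered"; and a HashMismatch or NotTrusted on a copy in System32 is a much stronger signal than anything in WinSxS, because System32 holds the copy that actually loads.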
-
OK, I did the first part and here are the two logs.
-
Here is the second log.
-
Downloaded the aswMBR.exe and clicked the scan button. It seemed to stop, so I hit save--but then it continued. So I left it run and then my screen went small and Windows shut down. I opened it in regular mode and then got the attached message: Should I try the second step again? Will wait for your response.
-
***
Maybe I missed it, and forgive me if I did, but did you uninstall TIS before installing Avast Free?
And if you uninstalled TIS, how did you uninstall it?
***
-
I know I uninstalled it by going to the TIS program file on my computer and using the uninstall program. And I know the TIS program had expired and I got messages that it was no longer giving me coverage but I can't remember if I uninstalled first or installed Avast first and then uninstalled. Sorry. :(
-
Hmm, let's take a look at the MBR.
- Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) and save it on your desktop.
- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished ...
- Click on Scan
- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.
- The report has been created on the desktop.
- Next click on the ShortcutsFix
- The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.
-
OK, finished. attached are the reports. Let me know if you need anything else or if I forgot any.
-
more reports
-
Didn't know if you needed this folder too.
-
Hmm, that is showing that the MBR is good. After the ComboFix run, could you run a boot scan with Avast and see if the files are still detected?
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Hopefully I did not mess up. When I clicked the link, it went to my download folder, not desktop. So I clicked it there thinking it would not start right away. I had to go back to disable Avast antivirus after notifying me it was running, then clicked the OK button after I disabled. I couldn't find where to disable malwarebytes so I did not. So the first message is The recycle bin in C is corrupted. Do you want to empty the Recycle bin? Should I say yes. I stopped at this point to confirm that I should say yes.
-
Yes, empty the bin.
-
OK, i went ahead and said yes to empty recycle bin and then it continued on. Later when I checked the computer, it must have rebooted itself as I saw my sign in screen. Signed in, and now have a small blue screen in the corner with Please wait in the box. None of my computer icons came up and also a very small box with "Swreg.3XE Application E..." at top and a red X and nothing else. I am hoping I did not majorly screw up my computer. I should have backed up my files first. Please tell me that it will be OK. I need to know whether to turn the computer off and on again. I'm not even sure if I can shut it down properly or just have to hit the off button.
-
I am using my husbands laptop to respond.
-
Click the red x as that is part of Combofix running
Reboot the computer using Control Alt Del
Let me know what happens then
-
That X was to close the blue window. The other one I clicked and nothing happened so i closed out of that one too. Rebooted by hitting control, alt, delete and then restart. Took forever to shut down. Came back up but now no internet on my laptop. Also I do not see the combofix.txt log on the desktop. I do have my icons back.
-
OK we are just discovering yet another variation on this theme
Go to system restore and restore to the point set by Combofix
Then re-run OTL with the following parameters
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
qmgr.dll
/md5stop
%systemroot%\$Recycle.Bin\*\*.@ /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
CREATERESTOREPOINT
-
I am getting upset now. I went to system restore and it said there was no restore point. I know I had it set. Now the computer is freezing up and I just got a black screen. I did have a problem with my computer in January-February of 2010 in which I lost my internet connection, and I think it may have happened when some Windows updates were being installed; my computer acted funny and then went into safe mode. Now I let it notify me when there are updates so I can download them when nothing else is running. The computer worked fine but could not get an internet connection, so my last resort was to basically save my files and do a complete reinstallation and start over. Now the computer is freezing up and I will try to shut it down and try once more. The screen came up so I am going to shut down. I think I had better back up my files on an external hard drive. My computer is pretty fast and it is taking forever now. It was working fine before; I was just concerned with the Avast report and wanted to know if there was a virus on my machine. I am still waiting for the restart--may have to push the off button.
-
OK, once you have restarted, run a fresh OTL scan, as there was a Sirefef infection... However, a new variant appeared yesterday and we are still trying to determine the exact functions.
-
I am assuming I run the one I downloaded yesterday. I do not have internet connection now. Can I do this in safemode. It is taking forever for anything that I click. Also, i still have avast disabled. Should I leave it that way.? Nothing seems to be happening or is taking forever.
-
Yes run from safe mode and use OTL that you downloaded yesterday
-
Should I back up my files before proceeding. Should the avast still be disabled?
-
Yes, back up and restart Avast.
-
I am trying to turn on avast by hitting fix now and or hitting turn on real time shields and it is not working.
-
OK we will repair that on completion
-
I think I hit the disable permanently button by mistake. :-[
-
No problem that can be repaired
-
I am so sorry that this is taking so long. I finally got it in safe mode after trying to get it to work in regular Windows. Then I thought I would copy and paste the info you said to put in the scan box, but of course my computer was so slow I don't think it recognized the flash drive, so I had to manually type in the commands, hoping and double-checking to make sure they were accurate. It is now in the process of the scan. Actually, it just finished, so now I have to get the notepad reports to you; hopefully I can copy them in safe mode and then transfer them to this computer. I have another question. Could this computer be infected? I ran complete scans yesterday and nothing showed up, but my husband's Facebook and Hotmail accounts were hacked. We are trying to get the accounts back, but naturally he couldn't remember all his answers to security questions, etc. OK, going to try to post the results.
-
Hopefully these are the right logs. I didn't see any other so I am assuming they updated the prior ones.
-
the second one
-
Can you do safe mode with networking ?
Combofix was updated last night to combat this new variant
So could you delete the current copy and download then run the new one
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
I cannot connect to the internet in safemode. I think Avast may be causing the problem in the firewall as it is showing "block" connections and I don't know how to fix it. I think maybe I didn't disable Avast correctly. So should I delete Avast or can you tell me how to fix this and maybe I will have a connection. Then give me detailed instructions as to disable Avast before downloading the combofix. Also, give me detailed instructions to delete the first combofix. I did see a combofix folder as I was backing up files. Also, will the files that I backed up be infected. Hopefully I will not have to do a new install of the system on my laptop. I will wait for your instructions. Thanks.
-
Also, if unable to get internet, can I download it on this machine and save it to a flash drive? How do I save to the desktop? On my machine downloads go directly to the download folder.
-
Still unable to connect to the internet. Tried doing Windows network diagnostics and it is still running, so I don't know if it is stuck (over an hour). The computer is so very laggy now in regular mode. A popup came up that was shaded black but at the top it said "AvastUI.exe" Application Error with an OK button. I am still anxiously awaiting your reply. Really would like to get the internet connected. I have a wireless connection on this computer.
-
To download directly to the desktop use IE, right click the links and select Save As... You will then be able to specify the desktop as the target location.
OK, to remove and then reinstall Avast:
Download the latest version to your desktop from here (http://files.avast.com/iavs5x/avast_free_antivirus_setup.exe)
Download aswClear from here (http://files.avast.com/files/eng/aswclear.exe)
Go to Programs and Features > add/remove and uninstall Avast
Reboot back to safe mode and run aswClear (select versions 6/7 of Avast) once for each version; no need to reboot in between
After the last one, reboot
Install the updated Avast
Just delete the ComboFix programme from where it is now; the remaining folders are not a problem
Yes, it can be transferred across on a flash drive and then copied to the desktop
-
OK, I will proceed. Can I remove the Avast program and combofix file in safe mode if I have problems in normal mode?
-
Certainly... As an aside all my programmes have now been updated to detect this variant
-
OK, I reinstalled Avast and did the aswClear twice. Deleted the folder for ComboFix. Still no internet. :( What next?
-
Could you now run the fresh copy of Combofix please and then this small programme to check your net registry/file items
run farbar service scanner (http://download.bleepingcomputer.com/farbar/FSS.exe)
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
-
OK, I want to make sure Avast is disabled and I did it right this time. What do I do to disable it? Also, I can still do this in safemode, right? Meaning disable Avast and run the other programs.
-
All this can be done from safe mode
To disable Avast
Right click the orange blob and select Shield Control
Select for one hour
Then run Combofix, it will still detect the low level Avast drivers but that will not be a problem
-
I feel so stupid, but in safe mode, when I right-click the orange blob on the left side, it does not do anything. It does state that manual scans are available but real-time protection is not. Is it because I am not connected to the internet?
-
No, in safe mode only the basics of Avast work, so you are good to run ComboFix.
-
Tried to run combofix and got message that it detected the antivirus program and to disable it, I hit OK and it completely disappeared. so I double clicked it again, and got this error message. This was done in safe mode. Did not click anything more.
-
This is becoming very annoying for you, I am afraid. This one hit us unawares; you must have had the first copy.
- Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) and save it on your desktop.
- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished ...
- Click on Scan
- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.
- The report has been created on the desktop.
- Next click on the ShortcutsFix
- The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.
-
Lucky me! By the way, I don't know how long you work, but if this continues into the next day, we will be leaving to go to my son's house--a 9 hour drive tomorrow morning our time, so if you don't hear from me right away, that will be the reason. Would love to get this resolved today. OK, will continue ...
-
Time zone ping pong is probably going to be the biggest hassle, as it is already 10:21pm in the UK.
-
I am a tad hopeful as RogueKiller was also updated yesterday for this
But I am not concerned about time, I will work with you
-
I really appreciate all of your help. Don't know how I got this thing unless it appeared in the window that my antivirus expired and I installed avast. Here are the reports.
-
I just noticed that I didn't run farbar service scanner after I had a problem with combofix. Did you still want me to do that one?
-
Yes please, also could you go back to normal windows and let me know what the system behaviour is
-
We are on the road now. As soon as I can I will do the above. I still did not have internet access and still running very slow. Will try again when I do the above. Do I need to do combo fix again and I will need to disable avast. Hopefully I will do it right this time. :)
-
Yes, run ComboFix again please. I feel that the SharedAccess registry key is probably missing, but FSS will confirm or deny that.
Have a safe trip ;D
-
Do I need to delete the combofix and install a new one or just use the last one?
-
Use the one you downloaded.
-
OK I am back, I am attaching FSS report. Will go back and try combofix.
-
I manually stopped all the Avast shields for one hour. The web shield was already stopped. (Is that the problem why I can't get internet?) Then when I ran ComboFix I got the warning about it detecting the antivirus program and to proceed at my own risk. I am doing this in safe mode. OK, here is the report. I am seriously thinking of just doing a complete reinstall. I am assuming that will get rid of it. :)
-
I am anxiously waiting for your reply. If I do a complete reinstallation, will that get rid of this virus? Any steps I should do afterwards, besides installing updated Avast and Malwarebytes, to make sure it is gone? Are you able to tell me from all the logs when I got this virus and how? Just curious.
-
A re-install will clear it... Looking at the last two logs, the malware has deleted/corrupted one of the registry keys that is needed to start before any of the other services are enabled.
There are three or four keys that fit that criteria, but it will take time to run through the list. So for speed I would back up data and re-install.
This malware has moved its files from the Windows installer area to the recycle bin, hence the corrupted recycle bin earlier. We have since found that deleting the recycle bin actually sets the malware on a destructive trail as it goes out. So henceforth we do not delete it but remove the files cleanly.
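Two of the checks the thread has been circling, the OTL line `%systemroot%\$Recycle.Bin\*\*.@ /s` from the earlier post (items named `*.@` inside the per-user recycle-bin folders, where the post above says this Sirefef variant parked its files) and the question of which service registry keys survived (the post above and the earlier guess about SharedAccess), can be done directly from an elevated PowerShell prompt, in safe mode if normal mode is unusable. The script below is an added example, not from the thread and not part of OTL, FSS or ComboFix. Only the services the thread names (BITS, SharedAccess, PlugPlay) are checked; the thread does not give the full list of keys this malware removes, so that list is an assumption. The script only reports: per the post above, the `.@` items are not to be removed by emptying the bin.

```powershell
# Added example, not from the thread. Report-only checks for the symptoms the
# thread describes: "*.@" items under $Recycle.Bin and missing service keys.

function Find-RecycleBinAtItems {
    param([string]$Drive = $env:SystemDrive)          # assumed: the bin lives on the system drive
    $bin = Join-Path $Drive '$Recycle.Bin'            # one SID-named subfolder per user
    Get-ChildItem -LiteralPath $bin -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*.@' } |
        Select-Object FullName, Attributes, LastWriteTime,
                      @{ Name = 'IsDirectory'; Expression = { $_.PSIsContainer } }
}

function Test-ServiceKeys {
    # service names from the thread; the real list to check is not given there
    param([string[]]$Names = @('BITS', 'SharedAccess', 'PlugPlay'))
    foreach ($n in $Names) {
        $key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
        $present = Test-Path -LiteralPath $key
        $props   = if ($present) { Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue } else { $null }
        [pscustomobject]@{
            Service    = $n
            KeyPresent = $present
            Start      = $props.Start          # 2 = automatic, 3 = manual, 4 = disabled
            ImagePath  = $props.ImagePath
            # what the service control manager currently thinks, which can
            # disagree with the registry until the next reboot
            State      = (Get-Service -Name $n -ErrorAction SilentlyContinue).Status
        }
    }
}

Find-RecycleBinAtItems | Format-Table -AutoSize
Test-ServiceKeys       | Format-Table -AutoSize
```

A service whose key is absent (KeyPresent false) cannot be started or repaired with `sc start`; the key itself has to be recreated or the system reinstalled, which is the choice the post above lays out. A key that is present but whose ImagePath points somewhere other than the expected system binary is a separate, equally interesting finding.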
-
Old Timer has just updated OTL to look for base services and he thinks that may show which ones are failing
You will need to get the latest version of OTL to run this command
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
BASESERVICES
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PlugPlay /s
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
Do you want me to do the OTL scan first before I do the reinstall?
-
I went ahead and did the OTL but got only the one report.
-
Alas that does not show the area I was after so I will need to talk about this again.. But thank you for running it for me
Yes I would suggest you go ahead with the re-install
-
OK, I am going to do the reinstall. When finished, and then after installing Avast and Malwarebytes, do you need me to do anything else? I will do Windows updates also.
-
No, just let me know if anything untoward occurs, but a fresh install will give a pristine system.
-
Thanks for all your help! If I need to put anything back on the computer from my backup, do I scan it first with the anti virus and malwarebytes program. Should pictures and documents be okay? Do you know how I got it? Was it a file I downloaded or playing games on Facebook? ???
-
It probably came from a facebook link, which triggered a supposed Java/Flash update
Pictures and documents are not a problem with this type of malware; the only ones to scan would be the actual programmes.
-
Well my computer is well again!!!! Did reinstall and everything is looking good. Thanks for informing me about how i maybe got it. I think I did get a message last week about a java update and also a friend has been getting popups for java but luckily she did not click. I guess I did. I will let people know. Thanks so much for all your help! Hopefully will not need your help anymore.
-
To be honest unless you really need Java I would uninstall it, as there are a lot of holes in it at the moment