Avast WEBforum
Other => Viruses and worms => Topic started by: daveshans on May 12, 2013, 11:49:14 PM
-
I downloaded the newest Avast a few days ago and now every time my computer boots I get a warning about a virus being moved to the chest. It's identified as Win32:Malware-gen. It doesn't show up when I do a boot scan though.
I've run the scans in the pinned topic and attached the logs. Is there anything that can be done?
-
Extra attachment.
-
malware removers are notified, it may take hours before they arrive so be patient....
most of them are in European time zone and it is midnight here now so you may not see any until tomorrow
-
malware removers are notified, it may take hours before they arrive so be patient....
most of them are in European time zone and it is midnight here now so you may not see any until tomorrow
Thanks.
-
Hi,
Step#1
> Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.
> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
How to disable avast:
- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens on the top right corner, click Settings.
- In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.
> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.
******************************
Step#2
Please download zoek.exe (http://home.kpn.nl/stefsmeenk/zoek.exe/) and save it to your desktop.
- Close any open browsers.
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Double click on zoek.exe to run the tool .
Please wait while the tool does not start...
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
standardsearch;
- Click on (http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png) button
Please wait until a logreport will open (this can be after reboot)
- Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named "zoek-results.log"
-
Done.
-
Second attachment.
-
Those logs doesn't looks so bad. We will run AntiRootkit Checking now.
Step#1
Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/
Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version so please be sure to read the disclaimer and note of it.
- Unzip/unrar MBAR in a folder to your Desktop
- Open the folder where the contents were unzipped to run mbar.exe
- Click on Next > then on Update button to download fresh definitions.
- When database updates click Next
- In the following window ensure "Targets" scan for Drivers; Sectors; System are ticked. Then select "Scan button"
- If an infection/s are found ensure "Create Restore Point" is checked, then select the "Cleanup Button" to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.
- The Clean up procedure will be Scheduled for process.
- When complete pop-up will show you. Select the Yes button and the system should re-boot to complete the cleaning process.
>> Please attach the two following logs from the mbar folder:
system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.
***********************
Step#2
Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop
Execute TDSSKiller.exe by doubleclicking on it.
- Re-run TDSSKiller.exe and click on Change parametres.
- Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
- Click on Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- Click the Report button and attach the contents of it into your next reply
Note:It will also create a log in the C:\ directory.
-
Done.
-
All looks just fine.
I downloaded the newest Avast a few days ago and now every time my computer boots I get a warning about a virus being moved to the chest. It's identified as Win32:Malware-gen.
Do you still getting these warnings?
If you do, can you tell us the exact name with path of detected file?
Also, could you go here:
C:\ProgramData\AVAST Software\Avast\report
...and attach here "BehaviorShield.txt" log
-
No warning when I booted up just now.
The path was C:\Users\Dave\AppData\Local\Temp but the name was always different. The last few names were iefgtvgj.dll c4ygo0pm.dll ub4wuz1j.dll.
-
This is %temp% folders. CF is automated to deletes the contents of those folders.
It is necessary to uninstall ComboFix :
- Click Start (or (http://amf.mycity.rs/pg/images/VistaStartButton.png)) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
- In the line of text type in (Copy) the following:
ComboFix /Uninstall Note that there is a space between " ComboFix " and " /Uninstall " .
- then click OK (or press Enter ).
Wait for the uninstall process is complete.
We will keep other tools and let me know tomorrow how your computer running.
-
Unnistalled, I'll let you know tomorrow. Thanks for the help.
-
I've booted up a few times since yesterday without any issues.
I assume I should change all my passwords just to be on the safe side.
-
:) Will remove the used tools.
Please download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.
Run the tool and check the following boxes below;
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Now click on "Run" button. Wait for the programme completes his work.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt
> I don't need DelFix log report.
*****************
I recommended to keep Malwarebytes and to use MCShield if you will.
You may download MCShield from one of the following links:
MyCity - Official download link (http://amf.mycity.rs/mcshield/)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)
It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.
-
All done, thanks.
-
here also many thanks magna86
-
(http://www.mycity.rs/images/smiles/Emoticon%208.png)
-
Hello i found same name "Virus: i would like very much to delete it
any help C:\Users\admin\appdata\Local\temp\wz9196
names like Office 2010 toolkit 2.0.1.exe
thanks!
-
This will "delete" your virus.
Please download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp
files, execution time should be anywhere from a few seconds to a minute
or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
TFC Info:
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
-
Hello And thanks for your reply
i did as you said and i run a new scan now
but the file is still in virus chest (should be there?)
Also do u know what could be that file ?
Thanks again!
-
Hm nice found different file in folder of downloads
name of the file is stream_api.dll :(
( i should wait and write both together)
i dont see the folder that avast gives me in my download folder :(
Can you please help me again ?
Aplogise for any inconvenience
-
Hi,
i did as you said and i run a new scan now
but the file is still in virus chest (should be there?)
As it says this is virus chest. You don't have to worry about, nothing can escape from there.
Or...you can empty virus chest if you will.
Also do u know what could be that file ?
Nothing, location points to system %temp% folder where various program place its temporary files during installation or some running.
As there are malware that know to use %temp% as loading point avast know to flag this junk files. TFC cleans all temp files.
Can you please help me again ?
Of course, but I think you're not infected. If you wish check, run this:
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) ((http://www.mcshield.net/personal/magna86/Images/FRST_canned.png)) by Farbar and save it to your desktop.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Next...
Please download GMER, the RootKit Detector tool from the link below and save it to your Desktop:
Gmer download link (http://www2.gmer.net/download.php)
Note: file will be random named
Double-clicking to run GMER.
- Wait for initial scan to finish - if there is any query, click No;
- Click [ Scan ] button and wait until the full scan is complete;
- Click [ Save ... ]- save the report to the Desktop (named ARK );
- Then click the >>> button and select Autostart card;
- Click [ Scan ] button;
- After quick scan, click Copy button;
- Open notepad and Paste text. Save report to the Desktop (named autostart )
> Attach here both Gmer logreports. (ARK.txt and autostart.txt)
-
"Of course, but I think you're not infected. If you wish check, run this"
wish no but yes i would like to do aaaand...
Here you are!
Thank you very much for your help!
P.S do you know any good links or books (yes there are still people who prefer paper than screen ) that i can learn more about internet/wifi/password security. this i would like to do is to build a secure pc!
or i want to become like you?
Thanks again
-
Hi,
Do not be alarm on Gmer's Rootkit warnings, they are avast related driver.
Start > ControlPanel > remove the following:
BS Player ControlBar Toolbar for IE (x32 Version: 6.17.1.25)
Then...
note: this isn't malware, they are just adware leftovers (bad toolbar values) and we are removing them...
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Start
C:\Users\Antonis\AppData\Local\Conduit
C:\Program Files (x86)\BS_Player_ControlBar
C:\Users\Antonis\AppData\Local\CRE\cflheckfmhopnialghigdlggahiomebp.crx
HKCU\...\Run: [BackgroundContainer] - "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Antonis\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun <===== ATTENTION
HKCU\...\Policies\system: [LogonHoursAction] 2
HKCU\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
MountPoints2: {5666d534-3431-11e3-94fb-18a905caaa67} - H:\setup.exe
HKU\Lucienka\...\Policies\system: [LogonHoursAction] 2
HKU\Lucienka\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.daemon-search.com
URLSearchHook: HKLM-x32 - BS Player ControlBar Toolbar - {fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5} - C:\Program Files (x86)\BS_Player_ControlBar\prxtbBS_P.dll (Conduit Ltd.)
URLSearchHook: HKCU - BS Player ControlBar Toolbar - {fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5} - C:\Program Files (x86)\BS_Player_ControlBar\prxtbBS_P.dll (Conduit Ltd.)
SearchScopes: HKCU - {AD22EBAF-0D18-4fc7-90CC-5EA0ABBE9EB8} URL = http://www.daemon-search.com/search?q={searchTerms}
BHO-x32: BS Player ControlBar Toolbar - {fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5} - C:\Program Files (x86)\BS_Player_ControlBar\prxtbBS_P.dll (Conduit Ltd.)
Toolbar: HKLM-x32 - BS Player ControlBar Toolbar - {fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5} - C:\Program Files (x86)\BS_Player_ControlBar\prxtbBS_P.dll (Conduit Ltd.)
Toolbar: HKCU - No Name - {FED66DC5-1B74-4A04-8F5C-15C5ACE2B9A5} - No File
CHR HKLM-x32\...\Chrome\Extension: [cflheckfmhopnialghigdlggahiomebp] - C:\Users\Antonis\AppData\Local\CRE\cflheckfmhopnialghigdlggahiomebp.crx
Task: {032959A5-A6A7-42C6-9B35-0CBE8835FFA8} - System32\Tasks\BackgroundContainer Startup Task => C:\Users\Antonis\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll [2013-10-15] (Conduit Ltd.) <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:C31F31E6
AlternateDataStreams: C:\Users\Antonis\Cookies:cXgwAEbKFHTXn9yyVrBxxaDYF
AlternateDataStreams: C:\Users\Antonis\AppData\Local\EadHWeQGYJSi93:QRgnEnpqhFkalTfgHgtJk0Q0
CMD: ipconfig /all
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
-
First step i did
but for the second i had second thoughts about it
Could you please explain me what will do ? was my question
please find attached the report
Thank you!
Friendly,
-
P.S do you know any good links or books (yes there are still people who prefer paper than screen ) that i can learn more about internet/wifi/password security. this i would like to do is to build a secure pc!
Unfortunately, I do not have non a single link at hand. :(
or i want to become like you?
If you wanna learn how to fight malware, I recommend next school with English based language:
http://www.techsupportforum.com/forums/
http://www.geekstogo.com/forum/
http://www.bleepingcomputer.com/forums/
My home forum also provide malware removal school but they are non-English language based.
Could you please explain me what will do ? was my question
This I do not understand. To do with what?
-------------------------
Fix went fine. How's your computer running now?
-
Hi and thanks for everything
Computer is running fine
but also before was fine just Avast found all these and i said to get rid of them
Many many thanks for everything
if everything was in balance i will be sure that all this "good" will come back to you, now i just hope so :)
Have a good day
Antonis
P.S i will take a look
-
:)
You are malware (http://en.wikipedia.org/wiki/Malware) free. Posted logs are now appear cleans and show no signs of active infection.
Good workman always cleans up after himself.
• The following will implement some post-cleanup procedures:
=> Please download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by Xplode to your Desktop.
Run the tool and check the following boxes below;
(http://www.mcshield.net/personal/magna86/Images/checkmark.png) Remove disinfection tools
(http://www.mcshield.net/personal/magna86/Images/checkmark.png) Create registry backup
(http://www.mcshield.net/personal/magna86/Images/checkmark.png) Purge System Restore
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)
The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.
--- --- --- --- --- --- --- --- --- --- ---
• To help AntiVirus to protect your computer and speed it up, I recommend that you download, install and keep the following free programs:
1. Keep Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam-download.php), update it regularly or from time to time and run a Quick Scan weekly.
Malwarebytes will detect and remove all traces of known malware. MBAM isn't AntiVirus and it can NOT replace it.
2. Keep MCShield Anti-Malware (http://www.mcshield.net/downloads.html), the tool will be updated regularly and perform auto-checking for malware to each attached USB memory device.
MCShield, has been designed as a lightweight scanner that's smart enough to catch even new worms and work in fully automatic removal mode.
3. It’s recommended to delete Temporary Files every once in a while. Run the tool and click on the Start button and TFC will begin to clean. Then restart the computer.
Temp File Cleaner aka TFC by OldTimer (http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/)
TFC is small & usefull utility that shall clean up temp files from all userprofiles and system folders.
--- --- --- --- --- --- --- --- --- --- ---
• How to protect yourself?
- I recommend that you use one of the fantastic opportunities provided by (http://www.mcshield.net/pg/images/avast5.png) avast! 2014.
1. Adjust avast! to target PUP (http://computersecurity.wikia.com/wiki/Potentially_unwanted_program) software:
Run avast! 2014 by clicking the system tray icon in the lower right corner of the screen.
Click on Settings, in the new window that opens, click on Active Protection, then under File System Shield click on gear wheel...
Under Sensitivity part of option check box for Scan for potentialy unwanted programs PUP.
2. avast! Software Updater. Run avast!, click on Tools > Software Updater.
For security reasons, make sure you do update your browser(s), Java, Flash Player, and basically every software you use often.
3. avast! Browser Cleanup. Run avast!, click on Tools > BrowserCleanup.
Browser Cleanup tool is an integrated tool in avast! AV that allows you the control on browsers unwanted addons.
4. avast! Malware Scan. Run avast!, click on Scan and preform QuickScan by clicking on Start button.
Every once in a whilere, it's recommended to preform virus scan with avast! 2014.
- Windows Updates, beeing up to date is very important. Please be sure to activate automatic updates in your control panel.
Widnows XP (http://support.microsoft.com/kb/306525); Windows Vista (http://windows.microsoft.com/en-US/windows-vista/Understanding-Windows-automatic-updating); Windows 7 (http://windows.microsoft.com/en-US/windows7/Understanding-Windows-automatic-updating) and Windows 8 (http://windows.microsoft.com/en-us/windows-8/windows-update-faq)