Avast WEBforum

Other => Viruses and worms => Topic started by: spades on February 28, 2014, 04:55:26 PM

Title: Zbot-K Not sure if false-positive?
Post by: spades on February 28, 2014, 04:55:26 PM
When I run a custom Avast scan (which includes memory, auto-start programs and rootkits) I get the following results:

(http://imageshack.com/a/img199/9710/1sve.jpg)

These threats are detected while scanning the memory. There are no options to move them to the virus chest or to delete them.
When I run a standard Avast Full System Scan and a Boot-time scan I get a clean bill-of-health (no threats). Microsoft Windows Malicious Software removal tool also gives a clean report.

The last time I ran the custom scan was on 21 Feb with a clean report. The only thing that has changed on my PC since that date was that I replaced my DSL modem/router. The only websites accessed since the last custom scan were reputable sites such as IMDb, IGN, Facebook, Gmail etc.

Any help or advice would be appreciated - thanks!
Title: Re: Zbot-K Not sure if false-positive?
Post by: Secondmineboy on February 28, 2014, 05:04:40 PM
Please follow this guide and attach logs from Malwarebytes, OTL and aswMBR (not under Win 8/8.1)

http://forum.avast.com/index.php?topic=53253.0
Title: Re: Zbot-K Not sure if false-positive?
Post by: Pondus on February 28, 2014, 05:40:21 PM
Quote
These threats are detected while scanning the memory. There are no options to move them to the virus chest or to delete them.
because they are not files that can be deleted/moved but a process loaded in memory

however you have as many others before you experienced what happens when you play with the scan settings.....and selected scan memory
DO NOT use the scan memory setting as this will give some weird scan results.....unless you are a computer geek and know what you are doing, but then i guess you would not post this

i recommend using avast default scan settings for a problem free avast operation....avast team have played with malware 24/7 for 20 years so there is a reason why the settings are as they are   ;)

also detection in memory / memory scan is this forums second most frequently asked question....Nr. 1 is "some files could not be scanned"   so there is plenty info if you forum search

Quote
When I run a custom Avast scan (which includes memory, auto-start programs and rootkits) I get the following results:
avast does a rootkit scan 8min after boot   ;)
Title: Re: Zbot-K Not sure if false-positive?
Post by: spades on February 28, 2014, 06:12:55 PM
Quote
Please follow this guide and attach logs from Malwarebytes, OTL and aswMBR (not under Win 8/8.1)
http://forum.avast.com/index.php?topic=53253.0

Cheers Steven, I downloaded Malwarebytes, updated it and ran a quick-scan. All clear!

Quote
however you have as many others before you experienced what happens when you play with the scan settings.....and selected scan memory
do NOT use the scan memory setting as this will give some weird scan results.....unless you are a computer geek and know what you are doing, but then i guess you would not post this

Well, hopefully I'm not a complete noob either! I've been using Avast for about 10 years now and the fact that this is the first time I've had any problems should be a good testament to its effectiveness. I've also been regularly using the same custom scan for about 3 years now and never had any problems before. Just weird that this is happening out of the blue right now...  ???
Title: Re: Zbot-K Not sure if false-positive?
Post by: Pondus on February 28, 2014, 06:16:14 PM
Quote
Just weird that this is just happening out the blue right now...
if you want a check...attach OTL / aswMBR logs
Title: Re: Zbot-K Not sure if false-positive?
Post by: iXer on March 04, 2014, 01:32:44 AM
I've got the exact same virus happening on a Windows XP machine, with iertutil.dll showing up as infected in memory. I've thrown every antivirus/antirootkit/antimalware utility I could find at it and nothing detected it. I tried both the avast! boot scan that you set off via the UI, and the avast! Rescue Disk, and neither of them found it.

The only place avast! detects it is in memory, and when I use Process Explorer to find the location of the DLL, it points to c:\windows\system32\iertutil.dll. Scanning that file directly shows no infection whatsoever. In order to figure out what that DLL is all about, I used WinDbg with sos.dll to dump the memory-resident iertutil.dll to disk. avast! immediately detects and blocks it from being written to disk, so the only way to dump it to disk is to disable the avast! shields temporarily. Once I dumped it to disk, I compared metadata and file byte sizes between the version dumped from memory and the one at c:\windows\system32\iertutil.dll and found them to be identical in those metrics. I used FCIV to compare the MD5 checksums of the two files and only then did they reveal differences. Opening them in Notepad++ and running the Compare plugin yielded differences in rows 3-6 if I remember correctly, but otherwise identical.

How can I submit this file to avast! for analysis?
Title: Re: Zbot-K Not sure if false-positive?
Post by: Secondmineboy on March 04, 2014, 01:44:46 AM
Send the file in a password protected archive to virus@avast.com, Subject: missed sample
Title: Re: Zbot-K Not sure if false-positive?
Post by: iXer on March 04, 2014, 02:08:37 AM
Sorry, my post may have been confusing. Only avast! manual scan finds it in memory, and it cannot remove it. Moreover, nothing from avast! finds it at or before boot. Would I still e-mail it to that address?
Title: Re: Zbot-K Not sure if false-positive?
Post by: nibikibaba on March 04, 2014, 02:51:35 AM
I am also having very similar scan results from a custom scan which included: System drive, Rootkits (full scan),  Memory, Auto-start program, Auto-start programs (all users), top-to-bottom in that order.
Avast! reported the presence of "Threat: Sf:Zbot-K [Trj]" in various processes including firefox.exe, dllhost.exe, svchost.exe, explorer.exe, reflextservice.exe, jusched.exe etc. And the "infected" memory block is always 0x000000003D3F0000, block size 2015232 (iertutil.dll). And this happens on 2 of my machines, both XP SP3. On my other Win7 and Win8.1 machines, nothing is detected.

The weird thing is that if I perform another custom scan with only Rootkits (full scan), Memory, Auto-start programs, Auto-start programs (all users) then it will report: No Threats Detected. (redoing the other custom scan again will give back the same list of ZBot-K threats in memory. So it is not something transient.)

FYI, I've also scanned the machines with MBAM, anti-rootkit beta and aswMBR, but nothing has been found by them.

Pondus is probably, and most hopefully, correct that it is another case of "Stay Away From Memory Scans", but how are users supposed to know that memory scans should not be performed? And why does the inclusion/exclusion of the scanning of the system drive affect the memory scan results?
Title: Re: Zbot-K Not sure if false-positive?
Post by: Michael (alan1998) on March 04, 2014, 03:01:17 AM
Hi,

basically, Avast! thinks it's caught a virus. It's a False Positive that I'm sure Avast! is working on. If you are worried, attach MBAM, OTL and aswMBR reports so we can have a look.
Title: Re: Zbot-K Not sure if false-positive?
Post by: iXer on March 04, 2014, 03:07:38 AM
I initially thought it was a false positive as well, until I pulled the file from memory using WinDbg and compared it to the file it purported to be on disk. Something is either loading a substitute file into memory when iertutil.dll is called, or modifying iertutil.dll in memory directly. None of the utilities you mention find anything abnormal, so whatever this is, it's doing a damned good job of hiding itself from usermode utilities. Not sure how avast! manages to find it in memory, but it finds nothing on disk, even from the avast! Rescue Disk.
Title: Re: Zbot-K Not sure if false-positive?
Post by: iXer on March 04, 2014, 03:58:21 AM
Either avast! knows something nobody else does, or you're right about this being a false positive:

https://www.virustotal.com/en/file/0c8a6787af4bd4e62d1a5c7fb534d99c2b7259db287e9caf3b650b3643f23fc8/analysis/1393899953/

That's the analysis of the file I pulled from memory. This doesn't really explain the discrepancy between the file on disk and the file in memory, though. Here are the relevant MD5 checksums:

C:\windows\system32\iertutil.dll: ac21aab649e781b067db56cfff303cc7

Dumped from memory using WinDbg: 6ffaa0f124d1df5e40bcc4c251256623

I'll try to get those logs pulled soon. Thanks for your help.
Title: Re: Zbot-K Not sure if false-positive?
Post by: nibikibaba on March 04, 2014, 04:01:19 AM
iXer wrote:
Quote
I initially thought it was a false positive as well, until I pulled the file from memory using WinDbg and compared it to the file it purported to be on disk.

You are making me worried. Since you have managed to dump that modified iertutil.dll file onto your HD, could you try to run MBAM or other virus scanners on that file to see if the virus signatures in it are indeed recognized by other scanners as well?
Title: Re: Zbot-K Not sure if false-positive?
Post by: iXer on March 04, 2014, 05:02:43 AM
Check out the virustotal.com link I pasted above. It scans an uploaded file against a huge list of antivirus suites. Only avast! showed this as an infected file, so there's a pretty good chance it's a false positive. That or everyone else is asleep at the wheel.
Title: Re: Zbot-K Not sure if false-positive?
Post by: Pondus on March 04, 2014, 12:02:26 PM
Quote
How can I submit this file to avast! for analysis?
send file to avast lab, using one of these options:

You can upload files and report issues to avast here: http://www.avast.com/contact-form.php (select subject according to your case)

You can use mail
send to virus@avast.com in a password protected zip file
mail subject: False Positive / undetected sample (select subject according to your case)
zip password: infected

or you can send files from avast chest
how to use the chest: http://www.avast.com/faq.php?article=AVKB21

and see my first post above about using the "scan memory" setting
Title: Re: Zbot-K Not sure if false-positive?
Post by: Michael (alan1998) on March 04, 2014, 12:13:32 PM
Pondus, it's VT. The file was already sent to all the vendors.

Can you upload that file and send me a DL link so I can do a malwr.com analysis?
Title: Re: Zbot-K Not sure if false-positive?
Post by: Pondus on March 04, 2014, 12:17:02 PM
Quote
Pondus, it's VT. The file was already sent to all the vendors.
and that is why i gave him all the how to send to avast lab options.     ;)
VT give this file info

Quote
Copyright© Microsoft Corporation. All rights reserved.
Publisher Microsoft Corporation
Product Windows® Internet Explorer
Original name IeRtUtil.dll
Internal name IeRtUtil.dll
File version 8.00.6001.23562 (longhorn_ie8_ldr_escrow.140131-1840)
Description Run time utility for Internet Explorer

Title: Re: Zbot-K Not sure if false-positive?
Post by: paraxeno on March 04, 2014, 03:13:22 PM
Same problem here on Windows XP Pro as well, no option to move or delete; no problem with Windows, that is obvious. I am not that experienced, so I am not able to find where it is.

Attaching screenie
Title: Re: Zbot-K Not sure if false-positive?
Post by: Pondus on March 04, 2014, 05:11:34 PM
Quote
same problem here on windows XP pro as well no option to move or delete,
see my first reply in this topic......
Title: Re: Zbot-K Not sure if false-positive?
Post by: iXer on March 04, 2014, 05:50:45 PM
Uploaded to Malwr: https://malwr.com/analysis/OTgzMGQ4ZjIxNTQyNDBhMjgyOTk2NDM4MGE0ZDMwZTQ/
Title: Re: Zbot-K Not sure if false-positive?
Post by: Michael (alan1998) on March 04, 2014, 06:20:12 PM
Hi, that malwr analysis doesn't show much. Nothing is being contacted. Only 2 files, which are temp files, are made. Nothing is in the Registry and no domains are contacted. I'd say it's clean.
Title: Re: Zbot-K Not sure if false-positive?
Post by: paraxeno on March 04, 2014, 06:25:09 PM
Quote
Uploaded to Malwr: https://malwr.com/analysis/OTgzMGQ4ZjIxNTQyNDBhMjgyOTk2NDM4MGE0ZDMwZTQ/

Yeap, saw it :D I do hope it's not serious. Did the OTL and Malwarebytes scans and everything looks OK.

I guess if there is something dangerous it will be included in the next avast update?

Thank you :D
Title: Re: Zbot-K Not sure if false-positive?
Post by: spades on March 04, 2014, 06:29:43 PM
My custom scan (see first post) is now coming up clean.  :)

I assume it was a false-positive and the latest virus definitions from Avast have corrected this?
Title: Re: Zbot-K Not sure if false-positive?
Post by: Michael (alan1998) on March 04, 2014, 06:37:44 PM
Most likely yes. If you have any other issue, feel free to come back!

Although, I must ask. Why are you guys running custom scans? The normal Full Scan or Quick Scan will do. Unless Avast! detects malware or viruses, full scans don't need to be run very often. Keep MBAM around as an On-Demand scanner. MBAM will probably detect more than Avast!
Title: Re: Zbot-K Not sure if false-positive?
Post by: essexboy on March 04, 2014, 06:57:50 PM
You are doing a memory scan. Which other anti-malware tools are you using? They may have some files in memory.
Title: Re: Zbot-K Not sure if false-positive?
Post by: paraxeno on March 04, 2014, 07:22:33 PM
Quote
Most likely yes. If you have any other issue, feel free to come back!

Although, I must ask. Why are you guys running custom scans? The normal Full Scan or Quick Scan will do. Unless Avast! detects malware or viruses, full scans don't need to be run very often. Keep MBAM around as an On-Demand scanner. MBAM will probably detect more than Avast!

I only run a custom scan as a precaution once a month, just in case, because I am not that deeply experienced...
Title: Re: Zbot-K Not sure if false-positive?
Post by: nibikibaba on March 05, 2014, 02:58:09 AM
Did iXer send the dll dumped from windbg for scanning? I thought about the matter for a while and then searched the web a bit about the use of SOS.dll in Windbg for saving modules from memory to disk. It seems that there might be legitimate explanations for the discrepancies between the dumped version of iertutil.dll and the original one in System32. According to a discussion in stackoverflow, memory alignment could be one of the causes. So perhaps we are just worrying about sky-fall after all.  However, the thought that a Zeus/ZBot has infiltrated our machines is just too scary -- who knows what such a bug could have stolen from us if it managed to penetrate our machines even with our (perhaps) over cautious way of scanning!

Quote
Michael (alan1998):
Although, I must ask. Why are you guys running custom scans? The normal Full Scan or Quick Scan will do.

I echo paraxeno's sentiments. We are just trying to play safe and scan as thoroughly as possible, hopefully to increase the chance of catching any scary viruses like the ever-changing/polymorphic Zeus variants. Again, if custom or memory scans are not supposed to be done, then why would Avast provide the elaborate interface to allow users to do them? I am glad that it turns out to be another false alarm, but I personally would rather go through such a drill once in a while and stay alert than be complacent and get robbed clean :-)

PS. I scanned the machines with the updated Avast database and no threats are detected now.
Title: Re: Zbot-K Not sure if false-positive?
Post by: iXer on March 05, 2014, 07:55:38 PM
Quote
Did iXer send the dll dumped from windbg for scanning? I thought about the matter for a while and then searched the web a bit about the use of SOS.dll in Windbg for saving modules from memory to disk. It seems that there might be legitimate explanations for the discrepancies between the dumped version of iertutil.dll and the original one in System32. According to a discussion in stackoverflow, memory alignment could be one of the causes. So perhaps we are just worrying about sky-fall after all.  However, the thought that a Zeus/ZBot has infiltrated our machines is just too scary -- who knows what such a bug could have stolen from us if it managed to penetrate our machines even with our (perhaps) over cautious way of scanning!

I did upload it. Here is the result:

https://malwr.com/analysis/OTgzMGQ4ZjIxNTQyNDBhMjgyOTk2NDM4MGE0ZDMwZTQ/

It doesn't look like a change due to memory alignment to me when I do a compare in Notepad++ with the Compare plugin and load the version I pulled out of memory against the version on the disk. I did read that it's very common for DLLs to be modified in memory for totally benign reasons, though. I'm guessing that's what's going on. If a pre-boot scan via the avast! Rescue Disk didn't find any viruses, unless something is involved at the BIOS level, I'm pretty sure this is a false positive. The fact that avast! no longer detects the in-memory version of iertutil.dll as a virus corroborates that feeling.

Quote
Michael (alan1998):
Although, I must ask. Why are you guys running custom scans? The normal Full Scan or Quick Scan will do.

I echo paraxeno's sentiments. We are just trying to play safe and scan as thoroughly as possible, hopefully to increase the chance of catching any scary viruses like the ever-changing/polymorphic Zeus variants. Again, if custom or memory scans are not supposed to be done, then why would Avast provide the elaborate interface to allow users to do them? I am glad that it turns out to be another false alarm, but I personally would rather go through such a drill once in a while and stay alert than be complacent and get robbed clean :-)

PS. I scanned the machines with the updated Avast database and no threats are detected now.

Agreed on all counts. I learned a lot of stuff from this fire drill, so I'm not mad about it.
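The thread turns on one question: iXer's whole-file MD5 of iertutil.dll dumped from memory did not match the copy in System32, and nibikibaba's alignment explanation together with iXer's later remark that DLLs are routinely modified in memory for benign reasons is the likely answer. The following Python script is an added example, not code from this thread, from Avast or from any of the posters, that shows why a whole-file hash of a memory-dumped module is the wrong comparison and how a defender narrows it to the bytes that really changed. It builds a constructed two-section toy PE32 (not iertutil.dll), maps it the way the Windows loader does (sections at page-aligned RVAs instead of 512-byte file offsets), then patches four pointers in .data to imitate base relocation, and finally hashes section by section. All names, sizes and the fake module contents are assumptions made for the example.

```python
"""Section-by-section comparison of a PE module dumped from memory against its
on-disk copy. Added example; the PE built here is a constructed toy, not iertutil.dll."""
import hashlib
import struct

SECTION_ALIGN = 0x1000   # typical loader (page) alignment
FILE_ALIGN = 0x200       # typical on-disk alignment

def _align(n, a):
    return (n + a - 1) // a * a

def file_md5(blob):
    return hashlib.md5(blob).hexdigest()

def build_pe(sections, file_align=FILE_ALIGN, section_align=SECTION_ALIGN):
    """Build a minimal PE32 file from (name, bytes) pairs (constructed sample)."""
    headers_size = _align(0x40 + 4 + 20 + 224 + 40 * len(sections), file_align)
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<II", opt, 32, section_align, file_align)
    struct.pack_into("<I", opt, 60, headers_size)           # SizeOfHeaders
    table, raw = bytearray(), bytearray()
    rva, raw_ptr = section_align, headers_size
    for name, data in sections:
        raw_size = _align(len(data), file_align)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                             rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw += data + b"\0" * (raw_size - len(data))
        rva += _align(len(data), section_align)
        raw_ptr += raw_size
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return hdr + b"\0" * (headers_size - len(hdr)) + bytes(raw)

def parse_sections(pe):
    """Return (section_align, file_align, headers_size, [(name, vsize, rva, rawsize, rawptr)])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    section_align, file_align = struct.unpack_from("<II", pe, opt + 32)
    headers_size = struct.unpack_from("<I", pe, opt + 60)[0]
    table = opt + opt_size
    secs = []
    for i in range(nsec):
        name, vsize, rva, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), vsize, rva, rawsize, rawptr))
    return section_align, file_align, headers_size, secs

def map_to_memory(pe):
    """Lay the file out the way the loader does: headers at RVA 0, each section at its RVA."""
    section_align, _, headers_size, secs = parse_sections(pe)
    _, last_vsize, last_rva, _, _ = secs[-1]
    image = bytearray(_align(last_rva + last_vsize, section_align))
    image[:headers_size] = pe[:headers_size]
    for _, _, rva, rawsize, rawptr in secs:
        image[rva:rva + rawsize] = pe[rawptr:rawptr + rawsize]
    return bytes(image)

def compare_sections(disk_pe, memory_image):
    """Hash each section's VirtualSize bytes in both copies; True = section changed in memory."""
    report = {}
    for name, vsize, rva, _, rawptr in parse_sections(disk_pe)[3]:
        d = file_md5(disk_pe[rawptr:rawptr + vsize])
        m = file_md5(memory_image[rva:rva + vsize])
        report[name] = (d, m, d != m)
    return report

def changed_offsets(disk_pe, memory_image, section):
    """Section-relative offsets of bytes that differ; [] when the section is unmodified."""
    for name, vsize, rva, _, rawptr in parse_sections(disk_pe)[3]:
        if name == section:
            on_disk = disk_pe[rawptr:rawptr + vsize]
            in_mem = memory_image[rva:rva + vsize]
            return [i for i in range(vsize) if on_disk[i] != in_mem[i]]
    raise KeyError(section)

def demo():
    """Constructed module plus a 'memory dump' in which the loader relocated four .data pointers."""
    text = b"\x55\x8b\xec\x5d\xc3" * 180                    # fake code bytes (constructed)
    data = struct.pack("<I", 0x00401000) * 64               # fake absolute pointers (constructed)
    disk = build_pe([(b".text", text), (b".data", data)])
    mem = bytearray(map_to_memory(disk))
    data_rva = parse_sections(disk)[3][1][2]
    for i in range(4):                                      # imitate base relocation by +0x10000
        off = data_rva + 4 * i
        struct.pack_into("<I", mem, off, struct.unpack_from("<I", mem, off)[0] + 0x10000)
    return disk, bytes(mem)
```

With a real pair you would read the System32 file and the dumped image with `open(path, "rb").read()` and pass them to `compare_sections` and `changed_offsets`; the example assumes the dump is in image (memory) layout with intact headers, which is not true of every dumping tool. Even with no patching at all, `file_md5` of the disk file and of `map_to_memory(disk)` differ, because the loader pads sections to page boundaries, so a mismatching whole-file MD5 says nothing on its own. Differences confined to .data, .idata or .reloc are what relocation and import resolution normally produce; bytes that changed inside .text are the thing to look at more closely, since that is where an in-memory hook or patch would land.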