Avast WEBforum
Other => Viruses and worms => Topic started by: REDACTED on August 07, 2015, 05:18:53 AM
-
Hello, I've spent the past couple of days upgrading someone's laptop to Windows 10.
After installing Avast I realized that the program detected a "FileRepMetagen" infection at msaudioeng.exe located in AppData\Local\Temp. The program blocked the threat, sent the file to quarantine and prompted me to restart the system and do a boot scan to make sure there are no infections left. I let the scan run, but the cycle repeats: as soon as the system restarts the infection gets blocked and Avast asks me to perform a boot scan.
Additionally, I noticed that the warning doesn't trigger if my internet is down when I restart the system.
Feedback would be appreciated! I'll attach the proper logs.
-
As it stands I can see no infection; I believe that this may be a false positive. Could you submit it to Avast from the virus chest?
-
I'm very confused by this; the file keeps showing up after every restart.
Thanks for the reply! I just submitted the file. The scan says that the file was detected by the taskeng.exe process too, so I'm utterly confused about whether this is a false positive or not.
Maybe my registry isn't clean?
This situation is oddly similar to this: https://forum.avast.com/index.php?topic=169463.0 I'm tempted to run the script but, as stated, that only applies to that user.
-
I can see no registry entry that triggers it to start. Let's empty the temp folder; could you post the full path?
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated; please post that.
-
After countless restarts, scans and running the file, the detection still persists.
Apparently, on top of the FileRepMetagen detection, Avast also detects and blocks a Win32:Malware-gen infection every time the system starts up and there's an internet connection.
Here's the log.
-
OK, that tells me it is running as a task. What is the full path to that file?
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
Task: {395509BA-93E3-4E3C-8284-DF30FBCD9982} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d No Task File <==== ATTENTION
Task: {3956C0BC-97C7-4B87-B30C-875BF3834A73} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d No Task File <==== ATTENTION
Task: {43CBC954-57E7-477F-BB1E-4D99291B73A4} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig No Task File <==== ATTENTION
Task: {54BFFD46-A170-4C96-9044-EE1AF4614754} - \Microsoft\Windows\Setup\gwx\launchtrayprocess No Task File <==== ATTENTION
Task: {7F9661C2-44C1-4AA1-B3C8-3BD93BABC8EB} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d No Task File <==== ATTENTION
Task: {84C5D55E-CCC9-4697-B81A-C6C8506EC29B} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent No Task File <==== ATTENTION
Task: {9AE2E5FF-5390-4E18-B92F-E35C2D9549C9} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d No Task File <==== ATTENTION
Task: {9C5294C7-86A3-45A5-ABD0-DA78B6FA9F6E} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d No Task File <==== ATTENTION
Task: {BA1862F8-840F-47B6-BAA8-12EFB2ED9454} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent No Task File <==== ATTENTION
Task: {D2014A6F-72EE-4BD7-A171-D6E2D2EC416B} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd No Task File <==== ATTENTION
Task: {F796414B-1AA2-411D-A7CB-8D1D512F2420} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B No Task File <==== ATTENTION
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated; please post that.
-
Here's the log, the infection remains after restarting.
According to Avast's log the full path is [Chest] C:\Users\Francisco Cardoso\AppData\Local\Temp\msaudioeng.exe. Naturally the file is gone after the detection since it gets sent to quarantine, so it gets created every time I restart Windows.
Here's the log
-
OK, run FRST and in the search box type:
msaudioeng.exe
Then press the search registry button
On completion a report.txt will be generated; please post that.
-
Search.txt was generated instead of report.txt; here's the file.
Edit:
I see some important information in the log. Is this a keylogger? As I've mentioned before, this isn't my computer, it's a family member's, and I was just upgrading it and scanning for malware. I had to access my email account here to register here, so hopefully I'm not at risk.
-
No, it looks as though Edge stores its data in the registry for some reason.
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
Reg: reg delete "HKEY_USERS\S-1-5-21-3814934023-2203844418-3234572544-1001\SOFTWARE\940e37e4c37c12466498af104f8c7f07" /f
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated; please post that.
-
Here's the log. The program prompted me to restart after running the fix and the infection is still there.
-
OK, I will need to have a little think about this one.
Meanwhile...
Click here (http://www.eset.com/us/online-scanner/) and select the blue Run ESET Online Scanner button:
(http://i1278.photobucket.com/albums/y503/DanoNH/ESET/ESET1_zps23a5e840.png)
If using Internet Explorer:
- Accept the Terms of Use and click Start
- Allow the running of add-on.
If using Mozilla Firefox or Google Chrome:
- A link to esetsmartinstaller_enu.exe will be provided. Make sure to download it to the desktop
- Double click esetsmartinstaller_enu.exe
- Allow the Terms of Use and click Start
To perform the scan:
- Make sure that Enable detection of potentially unwanted applications is checked.
- In the Advanced Settings dropdown menu:
- Make sure that Remove found threats is unchecked
- Scan archives is checked
- Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked
- Use custom proxy settings is unchecked
- Now click on Start
- The virus signature database will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
- When completed the Online Scan will begin automatically. The scan may take several hours.
- Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
- Now click on Finish
- Use notepad to open the logfile located at C:\Program Files(x86)\ESET\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic
-
I appreciate the help so far.
ESET found something a bit more concrete, two infections I believe, so here's the log.
-
OK, that confirmed it. I have also checked my Windows 10 and the location for that file is wrong.
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
C:\Windows\taskeng.exe
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated; please post that.
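The helper worked this out by hand: first searching what references msaudioeng.exe, then noticing that taskeng.exe was sitting in C:\Windows rather than in System32, where the real Task Scheduler engine lives. The PowerShell script below is an added example, not something posted in this thread and not part of FRST or Avast. It assumes Windows 8/10 with the built-in ScheduledTasks module and an elevated prompt (needed to list every user's tasks), and it automates the same two checks: list every taskeng.exe under %SystemRoot% with its signature status and hash (a copy outside System32/SysWOW64, or an unsigned one, is the thing to look at), and list scheduled tasks and Run/RunOnce values that reference a given executable name, defaulting to the name from this thread.

```powershell
# Added example, not part of the forum thread, FRST or Avast. Assumes Windows 8/10,
# the built-in ScheduledTasks module and an elevated PowerShell prompt.
param(
    # Executable name to hunt for in autostart locations (the name from this thread).
    [string]$SuspectName = 'msaudioeng.exe'
)

# Legitimate copies of taskeng.exe live only here; WinSxS component stores are skipped.
$ExpectedTaskeng = @(
    (Join-Path $env:SystemRoot 'System32\taskeng.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\taskeng.exe')
)

function Find-TaskengCopies {
    # Every taskeng.exe under %SystemRoot%, with signature status and SHA-256,
    # flagged Expected=False when it is outside System32/SysWOW64 (e.g. C:\Windows\taskeng.exe).
    Get-ChildItem -Path $env:SystemRoot -Filter 'taskeng.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -notlike (Join-Path $env:SystemRoot 'WinSxS\*') } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Expected  = ($ExpectedTaskeng -contains $_.FullName)
                Signature = $sig.Status        # 'Valid' for the Microsoft-signed binary
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Find-TaskReferences {
    # Scheduled tasks whose action runs the suspect name, or runs taskeng.exe
    # from anywhere other than System32/SysWOW64.
    $pattern = [regex]::Escape($SuspectName)
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            if ($cmd -match $pattern -or
                ($cmd -match 'taskeng\.exe' -and $cmd -notmatch '\\(System32|SysWOW64)\\taskeng\.exe')) {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    State   = $task.State
                    Command = $cmd
                }
            }
        }
    }
}

function Find-RunKeyReferences {
    # Classic Run/RunOnce autostart values for the machine and the current user.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $pattern = [regex]::Escape($SuspectName)
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            if ("$($prop.Value)" -match $pattern) {
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Value = $prop.Value }
            }
        }
    }
}

function Find-TempDropper {
    # The dropped file itself, if it is present right now (it may already be in the AV chest).
    Get-ChildItem -Path $env:TEMP -Filter $SuspectName -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime,
            @{ Name = 'SHA256'; Expression = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } }
}

Write-Host "== taskeng.exe copies (Expected=False is the one to examine) =="
Find-TaskengCopies | Format-Table -AutoSize

Write-Host "== scheduled tasks referencing $SuspectName or a stray taskeng.exe =="
Find-TaskReferences | Format-Table -AutoSize

Write-Host "== Run/RunOnce values referencing $SuspectName =="
Find-RunKeyReferences | Format-Table -AutoSize

Write-Host "== $SuspectName currently in %TEMP% =="
Find-TempDropper | Format-List
```

On a clean machine the first table shows only the System32 (and, on 64-bit, SysWOW64) copy with Signature=Valid and a Microsoft signer; the situation in this thread would show an extra row for C:\Windows\taskeng.exe with Expected=False. The hash column gives you something to submit to the vendor alongside the quarantined file, as the helper asked for earlier in the thread. Because the dropper only exists briefly before Avast moves it to the chest, the %TEMP% listing is usually empty by the time you look; the scheduled-task and Run-key listings are what tell you how it keeps coming back.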
-
Here's the log, it seems like the infection is gone after this restart since I haven't seen the usual detection so far.
Any additional steps or precautions to make sure this system is clean?
-
Nope, now I know where it is...
Subject to no further problems :)
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:
Remove tools
Download and run Delfix (http://www.bleepingcomputer.com/download/delfix/)
Select the options as shown
(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes (http://www.malwarebytes.org/mbam-download.php)
Update and run weekly to keep your system clean
Unchecky (http://unchecky.com)
Click on the link above to be taken to Unchecky.com
Click the very large Download button.
Click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme ;)
It is critical to have both a firewall and antivirus to protect your system and to keep them updated.
To learn more about how to protect yourself while on the internet read this little guide: Best security practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/)
Keep safe :wave:
-
Thank you!
I did install Malwarebytes to check for infections, I'll run the rest of the programs, automatic updates are enabled so the rest shouldn't be an issue :)