Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Southern Man on October 01, 2007, 11:25:48 PM

Title: Win32.Trojan.gen detected startup//put in chest/can i delete? advice?
Post by: Southern Man on October 01, 2007, 11:25:48 PM
Hi Guys, been using avast for some time now, excellent! :D Thanks all and to your great site! Not had much chance to use it, only occasionally, as I have not had many problems so far, up until the other day :o when I turned on my PC and the desktop screen loaded up and the AVAST warning box came up with the warning of a virus. Now I know this has cropped up a few times looking on the forum; this is what I had appear:-

D:\Windows\system32\Drivers\mchinj\Drv.sys\Win32.Trojan.gen detected!

I did some alternate scanning with Spybot, a2 free v3.0, Ad-Aware, CrapCleaner, cleared out all temp files, without any joy, plus a HijackThis scan and lots more, nothing? The warning message happened every time I restarted or started the PC up, so I put it into the avast virus chest as recommended.
Thinking about it a bit more, I thought it might be hiding in the system restore points, as every time I quarantine the virus in the chest, when I restart the PC it shows up again! So I turned off the restore on all drives, rebooted and did an avast pre-boot scan to see if anything was picked up, nothing, so it seems whatever it was is now gone and System Restore was initiating it. Sorry for the long story, but if anyone else has the same probs it might help to do what I have done, plus do a safe boot scan as well, just to be sure.

My question here is this:-
I have 4 identical lines of the infected virus (e.g. each time I restarted the PC, 4 times, I moved the virus to the chest, the same one each time) in the chest. What do I do with them now? Can I now safely delete them or not? Advice please.
I have since rebooted 6 times and the warning message does not come up anymore.

regards ::)

Southern Man :)
Title: Re: Win32.Trojan.gen detected startup//put in chest/can i delete? advice?
Post by: Lisandro on October 01, 2007, 11:33:07 PM
each time i restarted the pc 4 times i moved the virus to the chest same one each time) in the chest,what do i do with them now?
If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:

1. Disable System Restore on Windows ME (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887) or Windows XP (http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405). System Restore cannot be disabled on Windows 9x and it's not available in Windows 2k. After boot you can enable System Restore again after step 3.

2. Clean your temporary files. You can use CleanUp (http://www.stevengould.org/downloads/cleanup/) or the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features for that.

3. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (http://support.microsoft.com/default.aspx?scid=kb;en-us;315222) (repeatedly press F8 while booting).

4. It will be good if you download, install, update and run AVG Antispyware (http://www.ewido.net/en/). Some users recommend SUPERantispyware (http://www.superantispyware.com), Spyware Terminator (http://www.spywareterminator.com/) and/or a-squared (http://www.emsisoft.com/en/software/free/) (take care about false positives).
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.

5. If you're still detecting any strange behavior, or even if you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0), Panda (http://research.pandasoftware.com/blogs/research/archive/2007/04/27/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx) and/or F-Secure BlackLight (http://www.f-secure.com/blacklight/try_blacklight.html).

6. Also, if you're still detecting strange behaviors or you want to be sure you're clean, maybe making a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here and, especially, scanning and submitting the RunScanner (http://www.runscanner.net/) log to on-line analysis would help to identify the problem and the solution.

7. After you're clean, use the immunization of SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or, which is better, the Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html) features of spyware/adware cleaning and removal.

8. Finally, when you're clean, check for insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/) to update insecure applications and avoid reinfection.
Title: Re: Win32.Trojan.gen detected startup//put in chest/can i delete? advice?
Post by: DavidR on October 01, 2007, 11:42:21 PM
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/). I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently over 30 different scanners.
Or Jotti - Multi engine on-line virus scanner (http://virusscan.jotti.org/). If any other scanners here detect them, it is less likely to be a false positive. Whichever scanner you use, you can't do this with the file in the chest; you will need to move it out.

You have done the right thing: 'first do no harm', don't delete, send the virus to the chest and investigate.
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and, if they are still detected as viruses, delete them.

If these all relate to drv.sys then there would appear to be another element restoring or downloading it again (however, if you say it is no longer detected on boot, it doesn't appear to be live now). What is your firewall?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode. This may find any possible element that might have been restoring this.
1. AVG anti-spyware (formerly Ewido) (http://www.ewido.net/en/download/): resident scanner during trial, on-demand after trial ends. Or SUPERantispyware (http://www.superantispyware.com): on-demand only in free version. Or Spyware Terminator (http://www.spywareterminator.com/): resident scanner.
Title: Re: Win32.Trojan.gen detected startup//put in chest/can i delete? advice?
Post by: RejZoR on October 02, 2007, 02:10:53 AM
Yet again, the Themida driver file... No need to mass panic just yet...
Title: Re: Win32.Trojan.gen detected startup//put in chest/can i delete? advice?
Post by: Maxx_original on October 02, 2007, 09:15:02 AM
bleh, another version of Themida.. ::)

will be fixed.. send the file to virus[at]avast[dot]com...
Title: Re: Win32.Trojan.gen detected startup//put in chest/can i delete? advice?
Post by: Southern Man on October 05, 2007, 01:52:47 AM
Thanks everybody for your kind and helpful tips, done all what you said. The main thing that removed it was turning off my system restore points, it never came up again!!
I did scans in safe mode, all ok, nothing detected. Still have the offending things in the virus chest, so I will scan them as you recommended, and if all ok I'll wait a few weeks and delete them.
Thanks again for a great site, a good product and great friendly support! :)

Regards

Southern Man