Avast WEBforum

Other => Viruses and worms => Topic started by: flame_induced on June 07, 2008, 06:39:01 PM

Title: A virus problem, please help!!!
Post by: flame_induced on June 07, 2008, 06:39:01 PM
Infected filename: C:\Program\ICQToolbar\tbu1\tbupdate.cab\toolbaru.dll
Virus: Win32:Trojan-gen {Other}

When I run my Avast 4.8 home edition, I get a message that I have this virus above...
What do I do to get rid of it?
I've sent it to the chest, but is there any other way to remove it?
Help, please!!!
Title: Re: A virus problem, please help!!!
Post by: Lisandro on June 07, 2008, 07:26:32 PM
I suggest:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware (http://www.superantispyware.com), MBAM (http://malwarebytes.org/mbam.php) or Spyware Terminator (http://www.spywareterminator.com/) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
6. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or, better, submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).
Title: Re: A virus problem, please help!!!
Post by: DavidR on June 07, 2008, 08:34:38 PM
Personally, before even considering the above steps, I would confirm the detection.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

1. Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect.
2. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*
3. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
Title: Re: A virus problem, please help!!!
Post by: polonus on June 07, 2008, 09:09:45 PM
Consider this info:
http://www.spywaredata.com/spyware/malware/toolbaru.dll.php
Could be an FP. Only when this toolbaru.dll is in another place could it be part of malware.

polonus
Title: Re: A virus problem, please help!!!
Post by: Serilda on June 09, 2008, 10:53:50 PM
Quote from: DavidR
You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

1. Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect.
2. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*
3. That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

I have a similar trojan...well two actually...and (I'm sorry I know this is probably a stupid question...but I really don't know very much) I've done what you've outlined here and extracted them into a temporary folder to have them scanned and confirmed, but now how do I put them back into the chest...or rather, do I delete the temporary folder? I'm sorry, I've been searching all day for a way to get rid of these viruses and looked all over the message boards, but I'm a little worried to actually do a lot because I don't know what I'm doing. But I'm trying to do what I can on my own so you guys have one less shmuck to have to help.
Title: Re: A virus problem, please help!!!
Post by: DavidR on June 09, 2008, 11:24:12 PM
They should still be in the chest if you did as suggested, extract to temp location.

If the detections are good (confirmed) all you need do is delete the one/s in the temp location. Don't delete the temporary location you created and excluded as you can use it in the future should you need to, so you won't have to set everything up again.

Quote from: Serilda
I'm sorry, I've been searching all day for a way to get rid of these viruses and looked all over the message boards, but I'm a little worried to actually do a lot because I don't know what I'm doing.

Do you mean anything different to what I have already answered ?
Title: Re: A virus problem, please help!!!
Post by: Serilda on June 10, 2008, 03:41:32 AM
Thank you so much for clearing that up. Sorry I had to ask such a simple question.

Quote from: DavidR
Do you mean anything different to what I have already answered ?

Well, yes. I'm trying to figure out how to get rid of these viruses altogether but without having to ask you all directly. I don't want to bother you guys, because I can see how many people ask you the same question everyday and I'm sure that gets extremely annoying. So I'm going to follow the instructions left by Tech above in this thread and hopefully that'll work for my trojans.
Title: Re: A virus problem, please help!!!
Post by: DavidR on June 10, 2008, 01:22:21 PM
Are you saying that these trojans, a) were undetected by avast, b) even though they are detected by avast, they keep coming back or c) you just want to know how to be able to remove future infections without assistance ?

Have a look at my signature and you will see that I don't only have avast looking after my security.
1. I also use SAS free as an on-demand anti-spyware scanner once a week.

2. I have a good firewall that can prevent infection by blocking unauthorised outbound connections; this can stop undetected/hidden malware on your system gaining access to the internet to possibly download more.

3. I use DropMyRights (there are others) for applications that connect to the internet (browsers, email, etc.); this reduces (drops) the rights to that of a limited user and can prevent any malware getting established, e.g. putting files in the system folders, creating registry entries to run them.

If you are using Vista then don't disable the UAC function as that prevents similar actions.

4. You could go a step further by logging on with a limited user account, though some find that to be a measure they don't find acceptable.

Whilst the last two (or three) items are preventative, prevention is much better than cure. But if you have to apply the cure, then follow the steps outlined by Tech.

There is no problem in helping anyone and it isn't annoying or we (avast users, helping other avast users get the best out of avast) wouldn't be here.
Title: Re: A virus problem, please help!!!
Post by: Serilda on June 10, 2008, 05:51:56 PM
Quote from: DavidR
Are you saying that these trojans, a) were undetected by avast, b) even though they are detected by avast, they keep coming back or c) you just want to know how to be able to remove future infections without assistance ?

My viruses were detected by avast but I don't know what to do now. And I didn't want to bother you all too badly so I was searching for a means to get rid of them throughout the boards but the few solutions that I've found I'm afraid to use because they either a) may not necessarily apply to my virus or b) I'm afraid I'll screw it up and hurt my computer.

I double checked on an online virus scanner and only one other program detected them.

I've done all the things that Tech suggested above, except post a HijackThis report because I didn't want to be bothersome. But I'm guessing that's the key to getting rid of it, since I obviously don't have the ability or confidence to get rid of it on my own and I suppose I'll have to ask one of you smarter people to look at my HijackThis log anyway.

Quote from: DavidR
There is no problem in helping anyone and it isn't annoying or we (avast users, helping other avast users get the best out of avast) wouldn't be here.

I know. I still didn't want to bother you though. But thank you for the assurance that I'm not too bothersome.

So I guess I'll humbly ask for your assistance at looking at my HijackThis log, please. If you're not too busy.  :-\
Title: Re: A virus problem, please help!!!
Post by: DavidR on June 10, 2008, 08:17:15 PM
1. If avast has detected a virus, take action, send it to the avast chest (first do no harm) and investigate, using the forums and virustotal, google the file name, etc.

Letting us know the malware name, file name and location of the detected file helps us to assess what other action to take if required. You can't hope to make this decision on your own without a reasonable knowledge.

Yes, you could make an informed decision after the three steps of investigation mentioned above; that is likely to take you some time though. But, as you have seen, there are different circumstances that require different actions, so asking for help isn't a failing as you can learn from the help given. That is how many of those who help on the forums started.

2. Using something like Virus Total, if there is only 1 detection by avast it could be a false positive, even with a few detections it isn't certain. That is why it is important to report the findings of a check made at VT. So as you can see the process is one of checking and confirmation and that can best be done with a little help until you get a little more knowledgeable.

3. No problem in posting your HJT log and we will look at it, you can either attach the file to your post or copy and paste it into a post (or more than one if it is large).

So post away.
Title: Re: A virus problem, please help!!!
Post by: Serilda on June 10, 2008, 09:25:51 PM
Thank you so much for taking the time to look over my HijackThis logfile! I'll try to give any additional information that will help.

I'm running Windows XP Home Edition. I found the viruses while running a manual virus scan on Avast!4.8 Home Edition.

Their locations were found in "C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP537" and then the other was found in "C:\Program Files\AIM6". The restore file trojan was named "A0038541.exe" and the AIM6 trojan was named "uninst.exe".

I'm not sure if I have malware exactly but the program I downloaded, that I assume is where the trojans came from, is AIM 6.5. I had previously had 6.5 but it wasn't the newest version and I was having trouble getting video chat to work with a friend who had ichat. So I downloaded the newer AIM 6.5. (I didn't uninstall the older version, I assumed that the newer would overwrite it. I don't know if that may have messed something up.) A day after I had just downloaded the newest version I found the viruses. When I temporarily put the files in the suspect folder (while in "Tiles" view), there was a descriptive note under both file names that said "AOL LLC". So I assume they both came from my downloading the newest version of AIM.

When I ran VirusTotal the only other program that caught anything was this one:

VBA32   3.12.6.7   2008.06.09   suspected of Trojan.StartPage.41 (paranoid heuristics)
Here's my HijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:59:54 PM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Title: Re: A virus problem, please help!!!
Post by: Serilda on June 10, 2008, 09:26:41 PM
HijackThis logfile cont...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/learnmore/learnmore.asp?close=true&lcode=en-us
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B42876B7-90B1-42FD-B0C1-9B890D930532}: NameServer = 12.127.16.83,12.127.17.83
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8394 bytes


Thank you so much once again. This really helps me out! Thank you!
Title: Re: A virus problem, please help!!!
Post by: DavidR on June 10, 2008, 10:35:28 PM
I think the AIM6 one has been covered in the forums and is most likely a false positive, I suggest a forum search on the file name, uninst.exe and AIM6. If you still have the file it can be checked at Virus Total

The one in the C:\System Volume Information\ restore point is more difficult to identify without restoring that file and I wouldn't suggest doing that, let avast take care of it by sending it to the chest.

HiJackThis:
You don't appear to have an active firewall, what is your firewall ?
It should be capable of blocking unauthorised outbound Internet Connections.

There are some that feel viewpoint is malware, see google search http://www.google.co.uk/search?q=ViewpointService.exe (http://www.google.co.uk/search?q=ViewpointService.exe) and this one http://www.bleepingcomputer.com/forums/index.php?showtopic=120989&view=findpost&p=685946 (http://www.bleepingcomputer.com/forums/index.php?showtopic=120989&view=findpost&p=685946).

C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

This one seems to be something to do with McAfee, did you have any McAfee product installed (if so it might be a remnant) ?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

This one is different as the IP differs from those below and is associated with att.net.
O17 - HKLM\System\CCS\Services\Tcpip\..\{B42876B7-90B1-42FD-B0C1-9B890D930532}: NameServer = 12.127.16.83,12.127.17.83

The IP Location:  Ukraine  Ukraine Ukrtelegroup Ltd (as it relates to the IPs in these entries below) ?
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178

So I would have thought one of these is wrong (USA and Ukraine IPs are polar opposites); exercise care as fixing these could stop you connecting. If you happen to lose internet connection HJT has a Backups list from which you can restore changes. Click the config button, Backups and select the backup you wish to restore.

Other than these I don't see anything obvious
Title: Re: A virus problem, please help!!!
Post by: Serilda on June 11, 2008, 01:37:46 AM
Quote from: DavidR
I think the AIM6 one has been covered in the forums and is most likely a false positive, I suggest a forum search on the file name, uninst.exe and AIM6. If you still have the file it can be checked at Virus Total

The one in the C:\System Volume Information\ restore point is more difficult to identify without restoring that file and I wouldn't suggest doing that, let avast take care of it by sending it to the chest.

So should I restore the uninst.exe? Or leave it the chest?

Quote from: DavidR
HiJackThis:
You don't appear to have an active firewall, what is your firewall ?
It should be capable of blocking unauthorised outbound Internet Connections.

I do have a firewall I'm pretty sure. But it's just the windows firewall. Should I have another?

Quote from: DavidR
There are some that feel viewpoint is malware

I looked at your links. Thanks a lot! However, I don't know if I should uninstall it since it may have something to do with my AIM video chatting. Despite the fact that video chat has been giving hell lately, I wouldn't want to possibly mess it up any further.


Quote from: DavidR
This one seems to be something to do with McAfee, did you have any McAfee product installed (if so it might be a remnant) ?
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}

Yes, I did previously have McAfee installed. Should I delete this since it is now useless?

Quote from: DavidR
This one is different as the IP differs from those below and is associated with att.net.
O17 - HKLM\System\CCS\Services\Tcpip\..\{B42876B7-90B1-42FD-B0C1-9B890D930532}: NameServer = 12.127.16.83,12.127.17.83

The IP Location:  Ukraine  Ukraine Ukrtelegroup Ltd (as it relates to the IPs in these entries below) ?
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178

Are these also useless or potentially harmful, and should they be deleted as well as backed up?
Title: Re: A virus problem, please help!!!
Post by: DavidR on June 11, 2008, 02:34:09 AM
1. Don't restore without confirmation, extract it to a temp location and scan it at VT as in my first reply with instructions.

If confirmed as a false positive, add it to the exclusions and restore it to the original location and send the sample to avast, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 (http://forum.avast.com/index.php?topic=34950.msg293451#msg293451), how to report it to avast! and what to do to exclude them until the problem is corrected.

2. Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
- There are many freeware firewalls such as Comodo, PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control, configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.
See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0 (http://forum.avast.com/index.php?topic=30808.0)
See http://www.matousec.com/projects/firewall-challenge/results.php (http://www.matousec.com/projects/firewall-challenge/results.php).

3. If viewpoint is related to AOHell I would leave it.

4. McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe (http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe)
2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe (http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe)

So if the registry entry was left behind it would be best to run the uninstall tool and then check HJT again and see if that is gone also.

5. I would hope that one of them is your ISP, what is your ISP ?
Extreme caution has to be exercised here and don't go doing anything until you confirm what your ISP is or you could lose your ability to connect. That is why I gave instructions on what to do if you jumped in with both feet and you lost your connection, you would at least be able to reverse the fix.

I can't make this decision for you as I don't know if either of them is legit for your connection/ISP.
Title: Re: A virus problem, please help!!!
Post by: Serilda on June 12, 2008, 01:28:30 AM
Quote from: DavidR
1. Don't restore without confirmation, extract it to a temp location and scan it at VT as in my first reply with instructions.

I did, and the only other scanner that caught anything (besides avast!) was this one:

VBA32   3.12.6.7   2008.06.09   suspected of Trojan.StartPage.41 (paranoid heuristics)


I ran the uninstall tool you gave me for getting rid of that McAfee file but after running the 2007 one from the link you gave, the file "O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -" is still in my HJT logfile. Is this something I need to be concerned about?


Quote from: DavidR
5. I would hope that one of them is your ISP, what is your ISP ?

My ISP is http://clearwave.com/main.php (http://clearwave.com/main.php) Clearwave Communications. It's a local company...I'm not sure how much that helps you ^^;

Quote from: DavidR
That is why I gave instructions on what to do if you jumped in with both feet and you lost your connection, you would at least be able to reverse the fix.

And I greatly appreciate that! Thank you for being patient with me.
Title: Re: A virus problem, please help!!!
Post by: DavidR on June 12, 2008, 02:44:57 AM
OK it might still be a false positive detection as the other detection is using heuristics and a step further paranoid heuristics, which would be even more prone to false detection.

Since the avast detection was also a generic detection you should send it to avast for analysis and correction as required.

If it is indeed a false positive and I believe it is, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 (http://forum.avast.com/index.php?topic=34950.msg293451#msg293451), how to report it to avast! and what to do to exclude them until the problem is corrected.

OK now for the O17 entries:
Well, this is the range of IP addresses for clearwave.com: 64.83.240.0 - 64.83.255.255, so none of the O17 entries exactly match that range.

However this one is likely to be legit as it is at least in the USA. It is a similar case to my own, where my ISP gets customers but uses a major Internet Provider for its services, that may be the case for you with clearwave getting its service from ATT.

O17 - HKLM\System\CCS\Services\Tcpip\..\{B42876B7-90B1-42FD-B0C1-9B890D930532}: NameServer = 12.127.16.83,12.127.17.83

So I would say these ones are suspect:
The IP Location:  Ukraine  Ukraine Ukrtelegroup Ltd (as it relates to the IPs in these entries below) ?
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178

So I want you to ensure that in the Config section of HJT the "Make backups before fixing items" option is checked, see image. Now put a check mark to the left of the two entries above and click the Fix checked button. Run HJT again and ensure the two entries have gone.

Disconnect from the internet and try to connect again, hopefully you should be able to connect and that should be the end of it.

If you can't and I think this would be a big if, then you would have to restore those fixes as I outlined in a previous post.

Before you do any of this I would suggest you print out everything in this topic so that you have the information to hand if you should need it.

That is me for the night as it is a little after 1:45 a.m. here, good luck.
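The check DavidR walks through above (compare every O17 NameServer address against what is known to be legitimate for this machine, and flag the rest) as an added example; this is not code from the thread or from HijackThis. It assumes the ISP block quoted above (64.83.240.0 - 64.83.255.255) plus the two att.net resolvers the user later confirmed as trusted, and runs on the O17 lines posted in this thread as constructed sample input.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed sample input: the O17 lines from the HijackThis log posted
# in this thread, plus one non-O17 line to show that it is ignored.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{B42876B7-90B1-42FD-B0C1-9B890D930532}: NameServer = 12.127.16.83,12.127.17.83
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178
"""

# Assumed trusted set for this machine: the ISP's announced block
# (64.83.240.0 - 64.83.255.255 is exactly 64.83.240.0/20) and the two
# att.net resolvers the user confirmed her ISP's tech had entered by hand.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("64.83.240.0/20"),
    ipaddress.ip_network("12.127.16.83/32"),
    ipaddress.ip_network("12.127.17.83/32"),
]

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")
CONTROL_SET_RE = re.compile(r"HKLM\\System\\(?P<cs>CCS|CS\d+)\\")


class Finding(NamedTuple):
    control_set: str   # "CCS" (CurrentControlSet) or "CS1"/"CS2" (ControlSet00n)
    key: str           # registry key as HijackThis prints it
    server: str        # one NameServer address
    trusted: bool      # True if the address lies inside a trusted network


def parse_o17(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (control_set, key, [servers]) for each O17 NameServer line.

    HijackThis separates multiple servers with a comma or a space, so both
    separators are accepted.
    """
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key")
        cs = CONTROL_SET_RE.search(key)
        control_set = cs.group("cs") if cs else "?"
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        entries.append((control_set, key, servers))
    return entries


def audit_o17(log_text: str, trusted=TRUSTED_NETWORKS) -> list[Finding]:
    """Classify every NameServer address in the log against the trusted list.

    A value that is not a valid IP address, or that falls outside every
    trusted network, is reported as untrusted.
    """
    findings = []
    for control_set, key, servers in parse_o17(log_text):
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
                ok = any(addr in net for net in trusted)
            except ValueError:
                ok = False  # malformed value: treat as suspect
            findings.append(Finding(control_set, key, server, ok))
    return findings


def suspect_servers(findings: list[Finding]) -> dict[str, set[str]]:
    """Map each untrusted server to the control sets it appears in.

    A DNS change that survives a reboot is normally written to every
    control set, so a fix has to cover CS1/CS2 as well as CCS; this shows
    where each suspect value lives.
    """
    suspects: dict[str, set[str]] = {}
    for f in findings:
        if not f.trusted:
            suspects.setdefault(f.server, set()).add(f.control_set)
    return suspects


if __name__ == "__main__":
    for server, sets in sorted(suspect_servers(audit_o17(SAMPLE_HJT_LOG)).items()):
        print(f"SUSPECT NameServer {server} in control sets {sorted(sets)}")
```

On this sample the two 85.255.x.x resolvers are reported in both CS1 and CCS, while the confirmed att.net pair passes; anything flagged still needs the confirmation step DavidR describes before it is fixed.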
Title: Re: A virus problem, please help!!!
Post by: Serilda on June 12, 2008, 06:11:31 AM
Quote from: DavidR
OK it might still be a false positive detection as the other detection is using heuristics and a step further paranoid heuristics, which would be even more prone to false detection.

I've restored both files and sent a password locked zipped archive file with both in it to virus@avast.com. I've also added them to the exclusions list in avast.

Now, all of that stuff is new to me and I'm gonna run through what I did to make sure I didn't mess anything up. OK, so I wasn't sure how to make exclusions in Avast, so what I did (I'm using the 4.8 home edition with the simple user interface) and the link you sent me had directions that were slightly different than what I did. I went to Settings tab, Settings..., Exclusions. And typed in the file location where it asked me to "enter mask." And I wasn't sure what a "mask" was so I wanted to check with you and make sure I didn't mess that one up.

I didn't really know how to make a regular folder into a zipped one. So I looked around the forum and in my help on my comp. The help section talked about making a new zipped folder the same way you make a new folder but for some reason when I look where I make new folders there is no option to create new zipped folders, like there's supposed to be apparently, but no matter! I opened up winzip and looked around its help a little and figured out how to make a new archive. And so I encrypted that with a password and sent it to avast! (I couldn't use the emailing from the chest for some reason. I just kept getting an error message. I looked in the forums for help with that and no one really had a solution. I know you had success when changing it to MAPI instead of SMTP or vice versa. But I couldn't get either one to work for me. Both gave me error messages.)


Also, that McAffe file was still in my HJT logfile after I ran the uninstaller.


However this one is likely to be legit as it is at least in the USA. It is a similar case to my own, where my ISP gets customers but uses a major Internet Provider for its services, that may be the case for you with clearwave getting its service from ATT.

O17 - HKLM\System\CCS\Services\Tcpip\..\{B42876B7-90B1-42FD-B0C1-9B890D930532}: NameServer = 12.127.16.83,12.127.17.83

Yes, I'm sorry, I should've told you sooner, though I didn't pay attention. These IP addresses are most certainly clearwave's. I had to manually put these in at the instruction of a tech person from clearwave who helped me get my wireless to start working.

So I would say these ones are suspect:
The IP Location: Ukraine, Ukrtelegroup Ltd (as it relates to the IPs in these entries below) ?
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.123 85.255.112.178

I've deleted these and my connection still works fine. Thank you so much! I don't know why in the world I had IPs from the Ukraine on my comp, but I'm glad they're gone. Thank you.
Title: Re: A virus problem, please help!!!
Post by: Serilda on June 12, 2008, 06:21:44 AM
I'm sorry, I'm dumb...I realize where the standard Shield is now. Should I not have used that other area for typing in the exclusions?
Title: Re: A virus problem, please help!!!
Post by: DavidR on June 12, 2008, 03:35:10 PM
Re sending sample via the chest:
You a) need to be using an email client and pop3/smtp email and not webmail where you view your email via a browser and b) have completed the Program Settings, SMTP section. If I send from the chest I have to leave it on the default setting of MAPI, if I change it to SMTP my email would also fail.

If you can't send it from the chest it isn't an issue if you have been able to send it zipped and password protected.

The reason we suggest using the copy in the chest is it avoids having to zip and password protect, which some find more difficult.

You now need to run HJT again and fix the McAfee entry to remove that in the same way you did the O17 entries.

Re the O17 entries:
Some infections put entries directing you at servers to maintain control over your system so you are going through their servers to access the internet. Now they are gone that shouldn't be an issue.

Re Exclusions:
You need to add it to both locations, as the standard shield handles on-access scanning; if you or something else tried to open this, it would be scanned by the standard shield. The Program Settings, Exclusions handles on-demand scans, which is where this was first detected.
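The O17 check above (resolvers pointing at someone else's servers) can be automated. This is an added example, not code from the thread, avast or HijackThis: it parses O17 lines from a HJT log, pulls out every name-server IP and flags any resolver that is not in the set the ISP actually assigned. The sample log is constructed from the O17 lines quoted in the thread, and treating 12.127.16.83/12.127.17.83 as the only legitimate resolvers is an assumption taken from Serilda's post.

```python
"""Triage O17 (NameServer) entries from a HijackThis log.

Added example; not from the forum thread or any avast/HJT tool.
"""
import ipaddress
import re

# Sample log text constructed from the O17 lines quoted in the thread (plus one non-O17 line).
SAMPLE_HJT_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{B42876B7-90B1-42FD-B0C1-9B890D930532}: NameServer = 12.127.16.83,12.127.17.83
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 85.255.113.123 85.255.112.178
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.113.123 85.255.112.178
"""

# Assumption: the resolvers the ISP tech told the user to enter are the only legitimate ones.
EXPECTED_DNS = {"12.127.16.83", "12.127.17.83"}

# O17 line shape: "O17 - <registry key>: NameServer = <ip>[,| ]<ip>..."
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return [(registry_key, [ip, ...]), ...] for each O17 line in the log.

    HJT separates servers with commas or spaces; anything that is not a valid IP is skipped.
    """
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        ips = []
        for token in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                ips.append(str(ipaddress.ip_address(token)))
            except ValueError:
                continue  # not an IP address; ignore stray tokens
        entries.append((m.group("key"), ips))
    return entries


def triage_o17(log_text, expected=EXPECTED_DNS):
    """Split O17 entries into (suspect, ok); suspect = any resolver outside the expected set."""
    suspect, ok = [], []
    for key, ips in parse_o17(log_text):
        unexpected = sorted(ip for ip in ips if ip not in expected)
        (suspect if unexpected else ok).append({"key": key, "servers": ips, "unexpected": unexpected})
    return suspect, ok


if __name__ == "__main__":
    suspect, ok = triage_o17(SAMPLE_HJT_LOG)
    for e in ok:
        print("OK     ", e["key"], ", ".join(e["servers"]))
    for e in suspect:
        print("SUSPECT", e["key"], "unexpected resolvers:", ", ".join(e["unexpected"]))
```

Entries flagged SUSPECT are the ones to fix in HJT, after confirming with the ISP that the addresses really are not theirs.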
Title: Re: A virus problem, please help!!!
Post by: Serilda on June 12, 2008, 07:50:17 PM
Ok then, all of that is done. There's no more McAfee file and things seem to be running fine. And the "viruses" don't seem to be hurting anything, so probably nothing to worry about. I think it's pretty much fixed for now. Thank you sooooooooooooooooooooooooo much!!! I only have one more favor to ask.

I'm still having a little trouble with AIM video chatting. You wouldn't happen to know of any forums that might help? If you don't, it's no big deal, I'm just curious. And I don't want you to go looking anywhere on the web for me, you've done enough. I just didn't know if you knew anything off the top of your head?

Thank you soooo much once again! You've been an amazing help, you have no idea! Thank you, thank you, thank you!
Title: Re: A virus problem, please help!!!
Post by: DavidR on June 12, 2008, 08:23:13 PM
Sorry I don't use any chat application so I can't say I have had a look at any forum/s like that.

Try this Google search http://www.google.co.uk/search?q=trouble+with+aim+video+chatting (http://www.google.co.uk/search?q=trouble+with+aim+video+chatting) and modify it to be more specific to the problem you are experiencing.