Avast WEBforum
Other => Viruses and worms => Topic started by: sportflyer on June 22, 2008, 05:16:20 PM
-
Here is what Avast4 found on my first scan. I placed them all in the Vault to be safe. Please advise whether these are really trojans or other virus:
6/21/2008 10:54:35 AM SYSTEM 1376 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL" file.
6/21/2008 10:48:46 PM Jeff 3872 Sign of "Win32:Agent-YKJ [trj]" has been found in "C:\Program Files\PPMate\ppmate.exe" file.
6/22/2008 12:14:30 AM Jeff 3872 Sign of "Win32:Agent-YKJ [trj]" has been found in "C:\Program Files\PPMate\PPMNet.exe" file.
6/22/2008 12:15:03 AM Jeff 3872 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\Program Files\Realtek AC97\alcwdm64.sys" file.
6/22/2008 12:18:26 AM Jeff 3872 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043744.dll" file.
6/22/2008 12:18:46 AM Jeff 3872 Sign of "Win32:Agent-YKJ [trj]" has been found in "C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043754.exe" file.
6/22/2008 12:18:48 AM Jeff 3872 Sign of "Win32:Agent-YKJ [trj]" has been found in "C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043755.exe" file.
6/22/2008 12:18:49 AM Jeff 3872 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\System Volume Information\_restore{2558BA0C-74FC-4BA3-9BC0-4DAD418FEE87}\RP803\A0043756.sys" file.
It seems to me that some of them might be false?
Thanks
-
***
Your problem may be coming from the use of PPMate. To be sure where your problem is ...
Please download HijackThis from the link below, run the program but do not make any fixes, and then post the log results using the "copy & paste" method. It will probably take more than one post to be able to get the complete log posted. OR, you can post it as an attachment to your post by clicking on "Additional Options..." below left of the posting box. Someone will review your log and then offer help.
http://filehippo.com/download_hijackthis/
***
-
Can you submit the first 4 files to www.virustotal.com and post the results?
I also suggest:
1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware (http://www.superantispyware.com), MBAM (http://malwarebytes.org/mbam.php) or Spyware Terminator (http://www.spywareterminator.com/) to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
5. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
6. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or, better, submit the RunScanner (http://www.runscanner.net/) log to to on-line analysis.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) or Windows Advanced Care (http://www.iobit.com/AdvancedWindowsCarePersonal/index.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).
-
OK will run hijackthis and post results. So far the only problem I have found is not being able to run PPmate because the .exe program has been moved to the virus vault. This is not a big problem for me. I can do without this program anyway.
-
***
Your problem may be coming from the use of PPMate. To be sure where your problem is ...
Please download HijackThis from the link below, run the program but do not make any fixes, and then post the log results using the "copy & paste" method. It will probably take more than one post to be able to get the complete log posted. OR, you can post it as an attachment to your post by clicking on "Additional Options..." below left of the posting box. Someone will review your log and then offer help.
http://filehippo.com/download_hijackthis/
OK here are the results in an attachment : This scan was taken after the so called viruses have been moved to the Avast Virus Vault . Tks
***
-
***
Hi sportflyer -
I do not see much amiss in your HJT log but I could have missed something. You can run HJT again, checkmark the below entry, and click fix.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
There is no file associated with the entry above so it is not needed.
Have you tried following Tech's suggestions in his post above?
***
-
***
Hi sportflyer -
I do not see much amiss in your HJT log but I could have missed something. You can run HJT again, checkmark the below entry, and click fix.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
There is no file associated with the entry above so it is not needed.
Have you tried following Tech's suggestions in his post above?
***
I have not tried Techs suggestion yet.
What should do with the stuff that is in the Virus Vault? Should I restore them and run HJT after deleting the item you suggested above? Tks
-
***
First, we would have to know what entries you have in the virus chest. Can you list them here? You can also right click the entries in the chest and select scan. It is possible that some entries might be false positives.
As far as the HJT entry is concerned, it will not matter when you fix it since the entry has no file association which means the entry is useless. After doing this, I suggest again that you follow Tech's advice above.
-
The virus entries are listed right at the top of this thread. I rescanned as you suggested above and they all come out as "+ve " . Is there any more you would like see ?
So far I have deleted /quarantined all the spyware found using Spybot S&D, Adware and SuperAntispyware. I also have Spyware Blaster installed for some time and have been keeping it up todate. I have not had any problems with all my application programs. I have not been using ppmate for a while so I can actually uninstall it. However to do this I might have to restore it then immediately uninstall it .
-
I wouldn't restore any of them before running HJT, it will have no impact on that scan, the registry entry may still be there and as such would be recorded by HJT.
-
I have not been using ppmate for a while so I can actually uninstall it. However to do this I might have to restore it then immediately uninstall it .
Too dangerous...
Why don't you wait some days to see if this is really a false positive? Then, go ahead.
Right now, you can use Revo Uninstaller (www.revouninstaller.com).
-
Thanks for the inputs. I will go ahead and perform the steps you indicated above. Revo uninstaller looks like a great program.
-
Revo uninstaller looks like a great program.
Yeah, it is ;)
-
Here are 3 files after going thru the process Tech indcated above. Secunia shows I needed to update the Quicktime and Macromedia players to latest versions.
I cant upload the Runscanner.bin files where to send them for analysis and feedback.
Tks
-
***
I see only 3 things in the HJT log but I might have missed something.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Again, this has no file association and is therefore useless.
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
Do you or did you once have McAfee av on your computer?
***
-
***
From the avast log :
Win32:Adware-gen [Adw]" has been found in "C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL" file.
Prevx says this about the above entry ......
DEFINITION OF: VMNTOOLBAR.DLL
Safety Rating: Known Malware, do not run
Malware Family: Part of Malware group - Adware Generic NKL
Malware Form: EXPLOIT
***
As would be expected, the above mentioned toolbar also shows up in the Runscanner log :
105 HKCU\Software\Microsoft\Internet Explorer\MenuExt
-----------------------------------------------------
Dictionary (VMN Toolbar) : file://C:\Program Files\VMNTOOLBAR\Cache\SelectedContextTranslation.htm
***
-
CharleyO, Tks for quick response.
I will fix the 02 -BHo etc (no file) today.
I had Maccaffee and uninstalled it because its too bloated and slow. What should I do with this entry?
What to do with the VMNtool~1.dll Fix it?
BTW Secunia shows 2 instances of Macromedia in my files but they are of different revisions. 6.X and 8.X How can this be? If I install 9.X would it replace both . Which s/w to install Macromedia flash player or Flash player and Shockwave ? Do I need to uninstall before installing?
-
First run this tool.
McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe (http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe)
2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe (http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe)
Check if the entries have gone from HJackThis if not fix them.
-
First run this tool.
McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe (http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe)
2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe (http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe)
Check if the entries have gone from HJackThis if not fix them.
The entries are still there in HJT after running both programs. The strange thing is that in one of them the description ( http://...../mcinstal.cab) is missing although the hex code is still there. The other is still intact? I suppose I will have to use Fix to remove.
-
You should only have needed to use one of the tools, the second was specific to McAfee 2007.
Yes you are going to have to fix the entries in HJT.
-
David, I removed them with HJT.
-
Now that the virus have been in the vault for about 2 weeks with no problems with the computer , can I fix all of them ? Some of the entries are Restore files.
I am a bit confused about the Restore function in Win XP. When I restore the function after stopping it for a scan , have I lost all the prior restore points ?
TKs
-
What do you mean by fix them all, if you mean delete from the chest, then always scan files within the chest (after three weeks, there really is no rush they can do no harm there) and if still detected as infected, delete.
When you disable system restore and reboot, it clear ALL restore points infecter or otherwise, that is a consequence of disabling system restore and there is no way round that. Enabling system restore again will create a new restore point.
You can't take chances if there is a suspicion of an infected restore point or at some point in the future you could reinfect your system by going back to a point that includes the infected restore point, so you have to clean house. It is usually a recommendation to disable system restore before clearing an infection from the system folders as it is likely to be saved in a restore point (avast is relatively good at removal from the system folders without this happening), these are the facts and consequences of having to disable system restore.
Assuming you are clean when you re-enable system restore that will create a clean restore point.
-
OK. I understand. Tks
I scanned some of the files in the virus vault and it shows no virus ...does this mean its ok to restore these files? Did these files get in there as false positives?
-
That is the reason why we leave them in the virus chest for a reasonable time and scan before deletion, so if they do happen to be false positives you haven't deleted what might be an important file.
Yes that is the likelihood and you can restore them.
-
Thanks very much. You have been a great help
-
You're welcome.