Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: egr on August 14, 2008, 08:23:05 PM

Title: malware contamination, help!
Post by: egr on August 14, 2008, 08:23:05 PM
i posted this in another topic:

i am not really too technical so i hope you understand my problems if i explain it as well as i can...

i have a windows sp2 on a 512 mb ram 1.8 gHz AMD sempron processor computer, with about 80% of the hard used. (it's a small 80 gb hard and yes i know i could do way better, i just haven't and can't afford any upgrades soon).
the AV is the avast home edition 4.8 and i also use windows firewall. i didn't install anything more since i am not sure what is good and what is not.

i've been having problems since saturday, the 9th (updates are automatic so i've no idea if there was a program update then or not).

problems are:

first, i had a "powerscan antivirus" popup unrequested on my firefox browser (which crashed immediately). since i've had a bad history with unrequested AV popups, i ran a scan on my c: and all it found were ALL the alwil software files (namely all avast files) that were infected with a trojan. at that point i got really scared, uninstalled avast, redownloaded, re-installed, updated the virus database and ran two scans.
one in safe-mode, after installing the AV - it found only one infected file - not an .exe file - (a trojan, it said) in the d: partition system restore files.
i am not sure if i did well but i disabled the system restore hoping to delete all files, then re-enabled SR.
then i did a second thorough scan, with archive scanning included, after entering windows. it didn't find anything more.

so this took care of the unrequested popups.

second problem: it takes forever since then to access the internet with firefox. i don't like iexplorer and i don't want to use it, i like firefox and i want to keep using it. but it takes a very long time to go online and also to browse pages once the browser is open. the main processes that strain the system are svchost.exe which seems to be running in separate locations for SYSTEM and NETWORK (i'm in a network so maybe that's ok but i'm not sure. avast is only installed on my computer, i don't know what the others have.) the processor hits 100% usage all the time and it's not really healthy for it.

reading through this thread i noticed that some users have disabled the archive scanning after doing the safe-mode scans so i've disabled it too to see if it makes any difference. so far i've seen none.

so what i wonder is this...

1. does the latest update make this happen? overusing the processor and slowing down my system??
it's getting annoying when even google won't show because of the long delays that cut the connection.

2. is it possible that by uninstalling the "positive" infected avast files i actually allowed a virus to spread and infect my computer? does re-installing and scanning in safe-mode provide a safety belt for this?

3. is it possible that a virus database used as an update was corrupted and made my AV go crazy on me?!

4. which online scan could i use to make sure the system IS clean and not giving me false good reads? i don't want to stop avast for an online scan by another AV, are there some good enough that wouldn't require stopping the running AV?

5. is it really the fact that avast was updated to fit with better, newer systems that's making it incompatible with my older and slower system?

sorry for all the questions. i am just getting really freaked out here.

to which, i got this reply:

different problem here so best not to Reply to this but to start a new post in the virus and worms forum (below)

start by going to malwarebytes and running their on line ROGUE REMOVER and THEN
their FREE ANTI MALWARE  update and run a full scan

post the log in your new post/ thread
Are you using Windows XP/Vista?
Scheduling the Boot Time Scan

Click on the Menu button.
Choose Schedule Boot Time Scan.
Doing so displays a dialog allowing you to schedule virus scanning.
Check Archives, if you want scan all the archives.
Specify whether all the disks or just a specific folder should be scanned.
Select Advanced options for scheduling details.
Select how to automatically process infected files (suggestion: send to Chest)
Choose how to automatically process infected system files (suggestion: ignore/do nothing)
Click the Schedule button to confirm the settings.

thank you for the reply, btw~

the OS is a windows XP unlicensed (yes i know. i can't find it to buy it at a reasonable price in my country, after the vista explosion. i do NOT want vista.)

so i did as advised above and used rogueremover (didn't find any rogues) then installed and run a quick scan of the system with malwarebytes' anti malware program. it found about 290 results of which there are some trojans and some adware.

avast didn't tell me anything about these at any scans.

a lot of the trojans and other things mbam found in my system are located in the registry keys. if i delete them, will that kill my system? or those keys are only opened and used by the viruses?

please tell me if deleting them all might kill my OS :(
i am attaching the mbam scanlog. if anyone could help me, i would be grateful!!

i am tempted to just go ahead and delete them anyway... but i am scared of getting a system crash and i don't have a boot disc...


EDIT: the log is in romanian, anyway, what it says is that there were no dangerous infections found but there are those registry keys and files/folders infected with trojans and with adware.
Title: Re: malware contamination, help!
Post by: wyrmrider on August 14, 2008, 11:09:18 PM
mbam should have a quarantine function
do not delete
now you see why you run both RR and MBAM :)
can you post the MBAM log with a google translate or perhaps some of the Avast folk speak Romanian
there may be other things
can you try a DR Web Cure it scan?
Title: Re: malware contamination, help!
Post by: wyrmrider on August 14, 2008, 11:36:24 PM
I have some additional time to reply to your first post
First there are several baddies with power in their name
PowerAntivirus 2009
Powerscan antivirus
you can see descriptions here
go to the bar on the right to see two other Powerantivirus descriptions
any idea which one you have?
Any will slow your system including firefox
glad your boot time avast scan was almost virus free- an active virus makes removing malware even tougher
Do an on line AV scan soon

your system should be perfect for avast

Any MBAM experts out there that can answer poster's question
Title: Re: malware contamination, help!
Post by: egr on August 14, 2008, 11:50:36 PM
thank you, wyrmrider...

i did a thorough scan of c: only (there are no programs installed on my second partition, i use it for storage of media files and the like), and it came up completely clean. no registry keys heads-up or anything.

so i ran yet another quick scan and lo! there are all the same infections. with the mention of, it said "scanning for active infections" and found none, then moved on to "scanning for infected registry keys" and found all these bugs.

aren't all system files supposed to be where the OS is installed?! why do separate scans not find the same results?!
Title: Re: malware contamination, help!
Post by: egr on August 14, 2008, 11:53:34 PM
(i took a look at the 2-viruses site. it might've been the powerscan adware. but there's no trace of it in the mbam scan, it detects instead a lot of adware.enrgyPlus or something, and also a lot of vundos.)

what if i place the files with viruses in the avast chest, will that be good enough to stop them from slowing down my system?...

i wanted to attach two screenprints of the scans, for comparison and my link died on me. it reached 14 kbs up then went dead - i should have a 7.3 mbs connection. :(
Title: Re: malware contamination, help!
Post by: egr on August 15, 2008, 12:09:38 AM
ok, moved all files mbam said were carrying vundo to the avast chest. will let you all know if it made a difference to the system's performance.

so what exactly would happen if i deleted all registry keys with the adware.enrgy.Plus in them? there are a lot of them... :(

EDIT: added the translated scan results from mbam. it's a google translation that i looked over to make sure it says the same things it says in ro. - now if i didn't get the tech terms right please forgive me.

(btw, since "exiling" the files the system works a tad faster, though the online browsing hasn't shown any improvement.)
Title: Re: malware contamination, help!
Post by: wyrmrider on August 15, 2008, 01:13:30 AM
In the report there are boxes which are checked and you can right click on the entrie and select Quarantine, etc. so let MBAM deal with all

Superantispyware and Windows defender are reputed to get adware energy plus and should do all of that work for you
Vundo is more difficult  SuperAntispy and Windows Defender will help depending on the version

perhaps someone running XP can take a look at this
there is also
Vundofix  --for example
get the latest version HERE
but let's run a couple of general purpose removers first just in case there is something even nastier lurking

adware-hotbar should be removed automatically or see (for example)
Title: Re: malware contamination, help!
Post by: egr on August 15, 2008, 01:22:43 AM
are these compatible with avast? will avast stop them from working as they should?

if i get and install them, will they have to remain in my system? too many antispyware and antiadware and anti whatever make me anxious already, since they could all be in conflict with each other and detect each other as threats :(
Title: Re: malware contamination, help!
Post by: wyrmrider on August 15, 2008, 01:36:43 AM
we are only talking about on demand scanners here
nothing that runs every time you start up
so in effect they are only taking up disc space
paid versions of some of these programs do have real time monitoring

they will not conflict with avast
-note to self- check on windows defender

any comments from others?
did you move all of those entries by hand?
Title: Re: malware contamination, help!
Post by: egr on August 15, 2008, 01:43:23 AM
no comments from others, thank you for your help.

i selected the infected files through the "user files - add" option in the avast virus chest.

i browsed the atribune forum (for info on vundofix) and there's a lot of tech there i don't understand - it looks to me they're dealing with each separate pc problem and not making a general fix.

i can't get the vundofix, unless it's a 117 kb file (somehow i doubt it's so small). is it that small? i am not sure if it should be run if it might be corrupted.
Title: Re: malware contamination, help!
Post by: egr on August 15, 2008, 02:05:29 AM
this post on atribute has the EXACT infected files i have on my computer. but i didn't get to quarantine and delete.
someone who knows how this works, please tell me - deleting the reg keys will KILL my OS or NOT?

*3 AM, really tired, sorry*
Title: Re: malware contamination, help!
Post by: egr on August 15, 2008, 02:26:55 AM
quarantined and deleted the files. they're not deleted from my computer, YET, since i have no idea how this will affect it.

i ran a speedtest after... download has increased to 3.6 MBS (edit: retested: 6.2 MB, which is good :)) from 250 kbs previously, but i seem not to be able to upload anything measurable. :(

what can this be?? firewall and antivirus settings aren't blocking any site i recognize.

i've also scanned for another possible malware and updated the mbam database. no malware found :)
Title: Re: malware contamination, help!
Post by: wyrmrider on August 15, 2008, 02:34:16 AM
Do this when you are fresh
first do the regular anti-spyware and AV apps
quarantine do not remove any hits
that should get rid of most of the bad stuff without you needing to worry about your os

is this where you tried to get the fix
it is NOT a big file

If running MBAM and Super-antispyware do not get the Vundo
and Vundofix does not get it on the first pass
I'd consider going to the Atribune site
 and reading all the stickies and posting what ever they want there with a link to this post
They are the experts on this particular infection
stay cool- you can get this
Get some sleep

if you do go to a specialist malware removal site follow instructions exactly
ask questions
but do not do any fixes unless asked for
glad your internet is better- you are going to need it
Title: Re: malware contamination, help!
Post by: egr on August 15, 2008, 02:44:28 AM
thank you :)

well, it seems that the very restricted upload (got a 28 kbs on upload, as compared to 5.5 mbs steady download) it's something with the network firewalls and settings. and i am not the admin so i guess i should stay cool indeed and wait for him to get his head around it.

i will try vundofix just to check out if mbam left something behind.

i am thinking my network server and other computer may have gotten the same virus - i tend to care for my AV to be updated and running well, but not all my colleagues do.

thank you again for all your help, i'll post here if anything else goes well/bad :)

*off to bed*
Title: Re: malware contamination, help!
Post by: wyrmrider on August 15, 2008, 03:11:20 AM
nite nite
Is it dawn yet?
FYI VUNDOFIX is about 115-118 kb

you may have 4 different things so let's get em all
Title: Re: malware contamination, help!
Post by: egr on August 15, 2008, 03:20:58 AM
not off yet... had to uninstall and re-install java. it seems that older versions are doors for viruses.

vundofix did a fast scan and the system came out clean. upload still s*cks so i guess it IS the LAN blocking uptraffic and not my computer, cause i can download very well. i am guessing that the router/modem/whatever makes the connection to the internet needs a restart too. (we had some nice 3-per-minute power shutdowns when the electrical power failed due high usage - it's a heat wave here, maybe those powerdowns did something to the hardware in my admin's place. i can't go there and check though.)

did you say windows defender? does that need to install or will it run a clean scan like vundofix?


EDIT: read something on it. i can't use it, my xp is a clone :(
Title: Re: malware contamination, help!
Post by: wyrmrider on August 15, 2008, 04:59:55 AM
we do not need windows defender

the drill is shown in this thread post 42- we will  try MBAM again at the finish
(you are not the only beginner- more of them (us) than geeks methinks)

meanwhile let's try
or an online antivirus scan
F protect - see list below  we want to see both clean Anti spyware and Anti virus scans

DrWeb Cure It

for reference
here is a list of on line AV
I can only suggest full computer on-line scanning:
Kaspersky (very good detection rates)  will not remove anything but will show if still infected
Trendmicro housecall
BitDefender (free removal of the malware)

Quarantine do not remove/delete
Title: Re: malware contamination, help!
Post by: egr on August 15, 2008, 10:51:15 PM
thank you :)

i will try an online scan when the upload speeds up. i don't want to get stuck in an unfinished scan :(

umm, i had bitdefender once upon a time, and it announced all found viruses but took no action - or said it couldn't delete them -  so i ended up with 101+ malwares and that computer went dead (they had delivered it with everything installed and no motherboard or drivers' installation cd so we couldn't even wipe it and re-install windows on it. it left me a very bad taste and i don't want to go close BD ever again.)

NOD32 has been used by people in my LAN, they're not happy with it. i'll try kaspersky online but i can't right now, because of the speed.

(which is caused by the so lovely admin who actually created two separate network groups using the same internet access, of which one is used by the most of us and the other is set aside for a guy who plays CS day and night. wyrmrider, no offense if you're a gamer, but boys and their games are...  >:(
i am about 90% convinced he didn't protect his computer since he's carrying BD and if he stays connected so much, the uplink is used by the games and the adds he got.)

in the meantime, my computer speeded up when offline and i can do whatever i want with it, so that's one great relief :)

thank you for all the help!
Title: Re: malware contamination, help!
Post by: wyrmrider on August 16, 2008, 04:57:19 AM
If you have not run your on line av scan
usually I would recommend a Kaspersky AV scan at this point however JeanInMontana at the Malwarebytes forum recommends a Panda active scan to help with the fakeAV2008 infection had has posted a detailed how to here:
How To Do a Panda Active Scan and Save The Log, Complete With Illustration
in addition Panda will remove what it finds for free (after asking you to buy)
I am hoping that you will be comfortable with this step by step instruction

If you are comfortable with Kaspersky go for it- just turn everything on
(Kaspersky will not quarantine so the log is essential!

with any scan watch for false positives and quarantine do not delete/ remove
(except for the funny instructions for MBAM :)

I never can get Bit Defender to work on my system either !