Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: dford3772 on November 25, 2008, 08:05:40 PM

Title: Can't upload from Suspect file without warnings
Post by: dford3772 on November 25, 2008, 08:05:40 PM
I finally found David's instructions from some time ago and my SUSPECT file is still in C.  I extracted the
two culprits showing I have Win 32.Trojan gen into the file but could not upload to Virus Total because of
warnings going mad.

Since I wrote the first post I have done a lot of reading.  They still could be false but maybe not.  They
are now in my SUSPECT file which is entered in Standard Shield as a non-scan BUT they are also no longer in the chest.

I really need to know what to do next.
Donna in AR
Title: Re: Can't upload from Suspect file without warnings
Post by: Lisandro on November 25, 2008, 08:30:50 PM
Enter into avast Chest, go to User folder and right click the blank area. Choose in the context menu the entry called "add" and make a copy of the file into Chest. You can send to Alwil from there (right clicking the file).
Title: Re: Can't upload from Suspect file without warnings
Post by: dford3772 on November 25, 2008, 09:46:39 PM
Thanks.  I think I got that done.  I had one of these files in line to be sent to VirusTotal for 1:15.  I had to
give that up and I have a cable connection.  For now I've moved the two files back to the chest.
Donna
Title: Re: Can't upload from Suspect file without warnings
Post by: Lisandro on November 25, 2008, 11:11:48 PM
Thanks.  I think I got that done.  I had one of these files in line to be sent to VirusTotal for 1:15.  I had to
give that up and I have a cable connection.  For now I've moved the two files back to the chest.
Donna
Submit the files to Alwil analysis...
Be a little patient with virus total ;)
Title: Re: Win 32 Trojan gen
Post by: dford3772 on November 26, 2008, 12:09:45 AM
Late in the afternoon I ran another Avast scan and it found two more files in the same areas but with different numbers.  After completing the scan Avast listed a bunch of files that it could not scan (which
I've not seen before) and then showed the two additional that I also sent to chest.

Maybe I should try a different time of day for VirusTotal and see if I can get one file and if it is for real then
I suppose the rest will be too. 
Donna
Title: Re: Can't upload from Suspect file without warnings
Post by: DavidR on November 26, 2008, 12:59:41 AM
I finally found David's instructions from some time ago and my SUSPECT file is still in C.  I extracted the
two culprits showing I have Win 32.Trojan gen into the file but could not upload to Virus Total because of
warnings going mad.

That is because you haven't excluded the suspect folder and its contents from a standard shield scan.
Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*

That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

Let's not forget what we did before: malware names, file names and locations, etc.?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section; this contains information on all avast detections.
Title: Re: Can't upload from Suspect file without warnings
Post by: Lisandro on November 26, 2008, 01:16:03 AM
Late in the afternoon I ran another Avast scan and it found two more files in the same areas but with different numbers.
Typical malware behavior...
Title: Re:Win 32.Trojan-gen on two Avast machines
Post by: dford3772 on November 26, 2008, 01:28:22 AM
I do have it excluded in standard shield on my XP machine.  I finally did get it to begin sending one file through VT but with little experience I gave up at an hour and 20 minutes.

I have an XP box and an Acer Vista box networked on a wired router and a KVM switch.  They do not share files; I simply flip back and forth as needed
to do different tasks.  The XP is the one I've been working with all day, the one I updated Avast on, and it is the one that shows four infected files.  I just
now flipped to Vista and ran Avast which is still running 4.8.1229; it turned up one infected file which I sent to chest and also e-mailed to Alwil.
I use each box's firewall and a router firewall as well.

Location: C:\Program files\Acer Game Zone\Backspin Billiards\Launch.exe

Never used this as I'm not a gamer.  It says it has Win32. Trojan-gen also. I may try to send it to VT very early a.m.  Will have to create a Suspect file for the Vista machine first.
I just really don't quite know what I'm dealing with and guess I won't until I get a confirmation.  Then if it is real I guess a major clean-up (how?)
is in order.
Title: Re: Can't upload from Suspect file without warnings
Post by: DavidR on November 26, 2008, 02:35:25 AM
If you did then it wouldn't alert (your 'the warnings going mad' comment) and once avast alerts it won't allow you to do anything to that file. So exactly what did you put in the standard shield exclusions?

Though the normal issue when avast alerts when you try to upload to VT is that the file loads relatively quickly as it ends up there as a 0 byte sized file, e.g. empty. So why exactly it took that long before you eventually gave up I don't really know.
Title: Re: Can't upload from Suspect file without warnings
Post by: dford3772 on November 26, 2008, 05:22:15 PM
In Standard Shield I have Resident Task Settings>Advanced>C:\Suspects

Maybe Avast simply would not let it load; the file appeared in VT from my Suspects file finally and frankly
I don't remember how I made it do it.  VT darkened the foreground and a box appeared that said it was sending file and said not to close the screen.  It stayed like that for over an hour and 20 minutes.
Donna
Title: Re: Can't upload from Suspect file without warnings
Post by: DavidR on November 26, 2008, 05:51:01 PM
It needs to be C:\Suspects\* as in my example in Reply #5 of this topic. That is why avast was alerting on your exclusion.

The \* is important as this is what excludes the contents of the folder.
Title: Re: Can't upload from Suspect file without warnings
Post by: dford3772 on November 26, 2008, 06:13:49 PM
Hopefully I have attached a PNG file of VT's reading of one of the trojan files
Title: Re: Can't upload from Suspect file without warnings
Post by: dford3772 on November 26, 2008, 06:31:18 PM
Here is the C:\Program Files\Acer Game Zone\Backspin Billiards\Launch.exe after submission to VT.  It looks deadly!
Title: Re: Can't upload from Suspect file without warnings
Post by: DavidR on November 26, 2008, 06:35:09 PM
See what happens when you get the exclusion right ;D

Most of these are generic detections, which are more prone to false positive detection though they all follow the same theme, a password stealer. It would have been easier to copy and paste the URL from the VT Results page into the post, saves you having to create an image and we get to see the full information.

So I would suggest that you don't use on-line banking until this is resolved and then change your passwords.

You're still very shy of the name (only found by the name of the image attachment) and its original location. This could help us to try and work out what program it might be from or how it got in.
See http://www.google.co.uk/search?q=NSsetup.exe (http://www.google.co.uk/search?q=NSsetup.exe) for hits on the file name.
Title: Re: Can't upload from Suspect file without warnings
Post by: Lisandro on November 26, 2008, 06:38:36 PM
Contrary to David, I think the file could be indeed infected.
Title: Re: Can't upload from Suspect file without warnings
Post by: DavidR on November 26, 2008, 06:42:42 PM
Here is the C:\Program Files\Acer Game Zone\Backspin Billiards\Launch.exe after submission to VT.  It looks deadly!

Again the majority of the detections are Generic or Suspicious (Heuristic), which are more prone to false positive detection.

So the jury is still out.
If you haven't already done so send these to avast for further analysis as possible false positives.
Title: Re: Can't upload from Suspect file without warnings
Post by: dford3772 on November 26, 2008, 06:49:57 PM
Thanks to both of you.  I want to clean out the Suspect files and return them to the Chest;  how do I do that?  I thought I could right click and do it but not so.

Since I've played with these so much I'm going to run another Avast scan on both machines and if I get more files I'll VT them too.  I guess just file in chest and keep scanning to see if still infected?
Title: Re: Can't upload from Suspect file without warnings
Post by: DavidR on November 26, 2008, 06:52:39 PM
Contrary to David, I think the file could be indeed infected.

Where did I say it 'is' a false positive?

Quote from: DavidR
Most of these are generic detections, which are more prone to false positive detection though they all follow the same theme, a password stealer
<snip>
So I would suggest that you don't use on-line banking until this is resolved and then change your passwords.
<snip>

So where in here am I suggesting it isn't infected, I'm urging caution whilst at the same time giving information to be checked about the NSsetup.exe file. Many setup files are detected by generic signatures because of what they do and we haven't got the full information on where it was located.

Games are notorious for this kind of checking to ensure no hacking but that is speculation as we don't have the full information. So I will let you obtain that and continue with this one.
Title: Re: Can't upload from Suspect file without warnings
Post by: dford3772 on November 26, 2008, 06:57:03 PM
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP1324\A0171333.exe

I included this path of one of them in an earlier post.  Is this the name you are talking about?  I guess I get
too nervous to do copying and pasting when I'm into a mess like this.
Donna
Title: Re: Can't upload from Suspect file without warnings
Post by: DavidR on November 26, 2008, 08:38:57 PM
Well that file name doesn't match any of the files you uploaded to virustotal.

But as I have said before in another topic, there really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.

Worst case scenario it isn't infected and you delete it, you can't use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.

So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.
Title: Re: Can't upload from Suspect file without warnings
Post by: dford3772 on November 26, 2008, 10:41:24 PM
OK current scans are coming up empty.  All Suspect files are restored to chest.  I know that if this is real it may re-infect on bootup.  I have mailed all
files but one to Alwil but I don't know which one I left off;  when might I hear from those and how?

Is there a cleaning regimen I should follow?  I'm always very careful and I can't figure where I got this unless from some site I visited.  At the least I guess
I need to scan on bootup.  I don't do online banking but I do order things online so it is worrisome.  I guess I just thought I was safe because I've gone for a long time without a problem.
Donna
Title: Re: Can't upload from Suspect file without warnings
Post by: Lisandro on November 26, 2008, 11:20:12 PM
Is there a cleaning regimen I should follow?
I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. Use SUPERantispyware (http://www.superantispyware.com), MBAM (http://malwarebytes.org/mbam.php) or Spyware Terminator (http://www.spywareterminator.com/) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
5. Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or at this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).
Title: Re: Can't upload from Suspect file without warnings
Post by: dford3772 on November 26, 2008, 11:49:43 PM
I use SuperAntispyware and Ad-aware.  When I'm using any of these apps what do I do with Avast--disable
it or uninstall? 
Thanks for the help,
Donna
Title: Re: Can't upload from Suspect file without warnings
Post by: Bluesman on November 27, 2008, 12:42:56 AM
I use SuperAntispyware and Ad-aware.  When I'm using any of these apps what do I do with Avast--disable
it or uninstall? 
Thanks for the help,
Donna

You can run the programs with avast active, you don't need to disable or uninstall avast.
Title: Re: Can't upload from Suspect file without warnings
Post by: DavidR on November 27, 2008, 01:25:19 AM
You don't need to disable and certainly not uninstall, that would be a game of ping pong I wouldn't like to play.

However, when I run another security scan (not avast) I pause the Standard Shield, not because you have to but because it would effectively cause duplication in scanning: SAS wants to open a file to scan, so avast would also scan that file before allowing SAS to open and scan it. This also reduces the small possibility of a clash but the main reason is it will reduce the overall scan duration.

I would get rid of Ad-Aware, it is a waste of hard disk space, and get MBAM as a second on-demand anti-malware to replace it.
MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe), right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

What is your firewall ?
Title: Re: Can't upload from Suspect file without warnings
Post by: dford3772 on November 28, 2008, 11:02:13 PM
On both XP and Vista I run the Windows firewall and then I have a wired Linksys router for boxes and printer and I run its firewall also on each machine.
Thanks for all the help.  I've been gone for a couple of days and simply shut everything down so now I'm going to see if the malware has reappeared.

I had already decided Ad-Aware a waste of space as all it has ever found for me is cookies.  I'll try the MBAM immediately.
Donna
Title: Re: Can't upload from Suspect file without warnings
Post by: DavidR on November 28, 2008, 11:39:12 PM
Well the windows firewall has its limitations: XP, no outbound protection; Vista, outbound protection disabled by default, not very user friendly if enabled. Vista Firewall Control: check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0 (http://forum.avast.com/index.php?topic=30234.0)

Router, hardware firewall, unless it specifically says it provides outbound protection, then it doesn't.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
Title: Re: Can't upload from Suspect file without warnings
Post by: dford3772 on November 29, 2008, 02:14:35 AM
I thought a hardware firewall closed ports but then I'm new to that game anyway.  What firewall would you recommend?  I had and liked Comodo for a long time BUT their version not too long ago became far too complicated and that is when I got into the router as hardware firewall.

Since one of the Acer games was infected, I'd like to remove the Acer Game Zone and all the games that go with it as I have no use for those and need the space.  I've looked online but I can't really figure out if I'd get into serious trouble removing such "crap" as it is so lovingly called.

I installed MBAM and love it!  A scan revealed no problems on either machine.  I also ran another Avast one and neither machine is showing a problem.
Maybe I'm OK for now.
Donna
Title: Re: Can't upload from Suspect file without warnings
Post by: DavidR on November 29, 2008, 02:30:16 AM
The problem is that downloads initiated by you/your system will be let back into your system, which is why checking for unauthorised outbound connections is important.

- There are many freeware firewalls such as Comodo (care required now it is a suite, not to install the anti-virus element), PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0 (http://forum.avast.com/index.php?topic=30808.0)
See http://www.matousec.com/projects/firewall-challenge/results.php (http://www.matousec.com/projects/firewall-challenge/results.php).
Title: Re: Can't upload from Suspect file without warnings
Post by: dford3772 on November 29, 2008, 04:40:52 PM
The links for a software firewall are great!  However, I'm lost on this question:  I have everything on an ethernet hookup which I like very much so can I
disable the router firewall and run something like PCTools keeping the ethernet hookup?
Donna
Title: Re: Can't upload from Suspect file without warnings
Post by: DavidR on November 29, 2008, 05:08:40 PM
You don't disable the router firewall, it will take care of the inbound firewall actions to the point that PC Tools firewall would have nothing to do but possibly catch something that may get past the router firewall.

The PC Tools firewall would take care of the outbound connections and the router would be none the wiser that something had been blocked before it gets to the router.

The two firewalls are operating on different levels one the router, outside your system and PC Tools firewall on, within your system and never the twain shall meet. So you shouldn't have any issue just install the software firewall.
Title: Re: Can't upload from Suspect file without warnings
Post by: dford3772 on November 29, 2008, 05:55:16 PM
David,
  Thanks so much for all your help and advice.  I'm going to use PCTools because on the chart it looks to be the easiest to use and highest rated.

I only have one more very important question about Avast ( I promise for now--LOL).  I do not have my Suspect files in the C drives set up with the *.
Should they be identical to Standard Shield in that respect? If so I guess I thought Windows would not allow a symbol like that to be used.

Hope you are having a good day,
Donna
Title: Re: Can't upload from Suspect file without warnings
Post by: DavidR on November 29, 2008, 06:13:40 PM
And you shouldn't as windows would stop you doing it - That isn't part of the folder name that is the wildcard that is used only in the avast exclusions and that wildcard depending on its position can have a different effect.

Your folder name would be Suspect (or suspect it doesn't matter windows isn't case sensitive).

To exclude the suspect folder in C:\suspect\ the \ backslash is a folder divider so the * after that backslash excludes anything after the C:\suspect\ folder path in windows, that could be more sub folders or files.
e.g. C:\suspect\folder1\anyfile.txt or C:\suspect\folder2\anyfilename.txt or C:\suspect\asuspectfile.exe or C:\suspect\suspectfile2.exe, would all be excluded from scans by placing C:\suspect\* in the avast exclusions list.

The wildcard saves you having to create a new exclusion entry for every file in that folder, so if you have three files in the suspect folder and you didn't use the * wildcard in your exclusion lists you would have to create three entries and not one with the use of the wildcard character *.
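The following is an added example, not code from the thread or from avast: a small Python matcher that models the exclusion behaviour DavidR describes above (a trailing `\*` covers every file and sub-folder under `C:\suspect\`, a bare folder path covers only the folder itself, and matching is case-insensitive like Windows paths). The matching semantics are an assumption based on the posts, not avast's real exclusion engine, and the sample paths and the `C:\Windows\notepad.exe` control path are constructed here. It also shows why the wildcard's position matters: `C:\suspect*` (no backslash before the star) would also cover `C:\suspectfile.exe`, which is more than the poster intends to exclude.

```python
import re
from typing import Iterable, Optional

# Constructed exclusion entries: the working one from the thread (C:\suspect\*)
# and the one the original poster first typed (C:\Suspects), which names only
# the folder itself and therefore never matches a file stored inside it.
WORKING_EXCLUSION = r"C:\suspect\*"
BROKEN_EXCLUSION = r"C:\Suspects"
OVERBROAD_EXCLUSION = r"C:\suspect*"  # star before the folder divider

# Constructed sample paths; the first four are the ones listed in the thread.
SAMPLE_PATHS = [
    r"C:\suspect\folder1\anyfile.txt",
    r"C:\suspect\folder2\anyfilename.txt",
    r"C:\suspect\asuspectfile.exe",
    r"C:\suspect\suspectfile2.exe",
    r"C:\suspectfile.exe",       # sibling of the folder, not inside it
    r"C:\Windows\notepad.exe",   # control path outside the folder
]


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one exclusion entry into an anchored regular expression.

    Assumed semantics (modelled on the thread, not avast's real matcher):
    '*' matches any run of characters including backslashes, so it spans
    sub-folders as well as files; '?' matches exactly one character; every
    other character is literal. IGNORECASE because Windows paths are.
    """
    parts = []
    for chunk in re.split(r"([*?])", pattern):
        if chunk == "*":
            parts.append(".*")
        elif chunk == "?":
            parts.append(".")
        else:
            parts.append(re.escape(chunk))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def find_matching_exclusion(path: str, exclusions: Iterable[str]) -> Optional[str]:
    """Return the first exclusion entry that covers `path`, or None."""
    for entry in exclusions:
        if _pattern_to_regex(entry).match(path):
            return entry
    return None


def is_excluded(path: str, exclusions: Iterable[str]) -> bool:
    """True if a resident scanner configured with `exclusions` would skip `path`."""
    return find_matching_exclusion(path, exclusions) is not None


def coverage(exclusion: str, paths: Iterable[str] = SAMPLE_PATHS) -> dict:
    """Map each sample path to whether `exclusion` would exclude it.

    Useful for checking an exclusion entry before relying on it: an entry that
    is too narrow leaves the shield alerting (the poster's C:\\Suspects), one
    that is too wide silently skips files you did want scanned.
    """
    return {p: is_excluded(p, [exclusion]) for p in paths}


if __name__ == "__main__":
    for entry in (WORKING_EXCLUSION, BROKEN_EXCLUSION, OVERBROAD_EXCLUSION):
        print(f"exclusion entry: {entry}")
        for path, skipped in coverage(entry).items():
            print(f"  {'skipped' if skipped else 'scanned'}  {path}")
```

Run it and compare the three tables: `C:\suspect\*` skips exactly the four paths inside the folder, `C:\Suspects` skips none of them (so the shield keeps alerting on every export, which is the behaviour the poster hit), and `C:\suspect*` additionally skips `C:\suspectfile.exe`, a file that is not in the suspect folder at all. Keeping exclusions as narrow as the folder you actually use for submissions limits how much a real infection could hide from the resident scanner.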