Avast WEBforum

Other => Viruses and worms => Topic started by: reefraider on February 19, 2009, 02:25:44 AM

Title: win32-fujack
Post by: reefraider on February 19, 2009, 02:25:44 AM
Hi,

After reading the instructions posted here I wish to first check,

My computer was acting odd, so I downloaded Avast. It did a scan and found Fujack; it gave me a list of choices without an explanation of the selection. When the first one came up I pressed "delete", then I had a think and thought gee, chest sounds good, and selected it for the rest (no idea what I was doing, first time I'd used Avast). So I have about 30 in the chest and one deleted. The computer is still freezing, but now with Dr Watson Postmortem Debugger coming up as well. I ran the cleaner and it showed none, but could not access one file. I am very willing to learn and try to help myself, but if someone is nice enough to help me out, could you answer in layman's terms? I do not know anything about directories and files etc. (if that's what you call them), but I am unsure of the next step because I deleted the first file.

A-J
Title: Re: win32-fujack
Post by: DavidR on February 19, 2009, 03:11:11 AM
Deletion isn't really a good first option (you have none left): 'first do no harm', don't delete; send the virus to the chest where it can do no harm and investigate. There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

To access the chest, right click the avast 'a' icon, select Start avast! Antivirus, after the memory check the Simple User Interface is displayed, Menu, Virus Chest. Or directly C:\Program Files\Alwil Software\Avast4\ashChest.exe.

Those files you sent will be in the Infected files section of the chest, which is the only area you are concerned with.

It is possible there might be other elements undetected or hidden on your system.
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
1. SUPERantispyware (http://www.superantispyware.com) On-Demand only in free version.
2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

Have you (or did you have) another AV installed on this system? If so, what was it and how did you get rid of it?
Title: Re: win32-fujack
Post by: reefraider on February 19, 2009, 03:55:39 AM
No I did not have any... yes I regret it now, it's just that they were interfering with the wireless modem, so the tech told me to disable them. I only have avast (paid version).
Title: Re: win32-fujack
Post by: reefraider on February 19, 2009, 10:42:51 AM
I ran SUPERantispyware, which only found a heap of cookies, which I deleted, then cleared all temp folders and internet files. I did not know how to do the Java cache. After I wait 2 weeks, how will I know when I delete the items in the chest that they are not files that also run other applications?
Title: Re: win32-fujack
Post by: DavidR on February 19, 2009, 03:57:50 PM
You only delete files in the infected files section of the chest after a few weeks and only then if you scan them within the chest and they are still reported as infected.

The fact that they run other applications is irrelevant if they are infected.

What is the malware name, the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
It might be easiest for you to get this information direct from the source file using notepad, C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log.
Title: Re: win32-fujack
Post by: reefraider on February 21, 2009, 12:13:45 AM
Firstly thanks for continuing to help me. I followed your instructions and cut and pasted them; the first one said it could not open, and the warning section is empty. ??? So I looked in the chest and a heap of the files now have restored, but I noticed where it lists the virus name there is also one file with HTML:Iframe-inf on it. Another little sod has wormed his way in.

Under the original location in the chest it lists quite a lot of drivers, mainly to do with Dell, video, modem, media direct. I don't want to copy any info from here because I don't know what I am doing and would rather only do what I am told :-) awaiting your next instructions

A/J
Title: Re: win32-fujack
Post by: DavidR on February 21, 2009, 12:41:17 AM
I'm unsure what it is you are trying to cut and paste, what and from where?

That is why we need the full information that was asked for: the malware names, file names and original locations (in full) for the detections. Without it we haven't got a clue as to what to advise; it would just be speculation.

I also don't know what you mean by a heap of files have restored?
Restore in relation to the chest has a very specific meaning, that is restoring a file from the chest to its original location and this most certainly doesn't happen automatically.

Files just can't worm their way into the chest, they have to be detected in a scan and the user elects to send it to the chest as the action to take.
Title: Re: win32-fujack
Post by: reefraider on February 21, 2009, 04:55:13 AM
In the log viewer, emergency, alert, critical, error and warning are all empty, except for the notice tab.

Now in the chest is the name of the file and date it was transferred and the name of the virus (as you know).

AOO31236.exe.   c:\systemvolumeinformation\_restore
up to 56.exe.

is an example of some of the files in the chest (where I put them) after I ran the scan.

Another is:

Dellbutn.HTM c:\dell virus HTML:I frame inf

Another is

Setup.exc     c:\drivers\audio\R 158235 virus is win-32fujack-AQ

There are a heap of them. I am not sure what you are asking me to do if the warning file is empty.
Title: Re: win32-fujack
Post by: reefraider on February 21, 2009, 04:59:39 AM
OH, if I sound frustrated, I am sitting in a tin fisherman's shack in a remote area of WA, on top of a sand dune in 38 degree heat, with a wireless antenna stuck to the top of the shack, with varying signal and an overheating generator!

I do appreciate help... it's just soooo hot, mix that with having no idea what you are doing... :'(
Title: Re: win32-fujack
Post by: DavidR on February 21, 2009, 05:08:49 PM
Those that were in the c:\System Volume Information\_restore points (now in the chest) are only there because they were previously deleted or moved from systems, or were files monitored by system restore. The file names aren't those of the originals but those given by system restore, retaining the file type of the original, the .exe file type.

If there is any suspicion about a restore point then it is best out of the chest as if you use system restore at some point in the future it could possibly infect your computer. The worst case scenario is that these suspect restore points wouldn't be available in the future even if they weren't infected (I think unlikely), but the older these restore points are the less value they have.

Personally I would suggest that you periodically clear out all restore points if your system is clean and running normally as it can consume large amounts of HDD space.

The avast detections of HTML:Iframe malware have been very accurate, and as a local file, if related to Dell Solution Center, it might be that the iframe in this file imports information from some other source and it could be this which is found suspicious. So it requires further investigation, see below.

The c:\drivers\audio\R 158235\Setup.exc may be related to Dell, but not in that location or in a differently named folder, as I found zero hits on that location in a Google search. However, a search for \R158235\Setup.exc then returns hits in the Dell folder or sub-folder of Dell, c:\dell\drivers\audio\R158235\Setup.exc.
So this is still suspicious and could still be infected in the drivers folder, and you should check it out at virustotal also.

####
You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here: the URL in the address bar of the VT results page. You can't do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
Title: Re: win32-fujack
Post by: reefraider on February 22, 2009, 12:30:34 PM
Oh dear me, I think this is getting too hard:

1. OK, if I don't want the restore points in my chest, how do I get them out and what do I do with them?

2. I moved the files but not into a temp. folder, I created a new one... ok, stuffed up that one... could not and did not understand standard shield etc. suggestions and could not wait a whole day to get your answer, so I just turned off the avast :-\

3. Ran all the files (41) through the virus total and they came up as posted below (only 1). Did not understand what findings you wanted or what the address bar of the VT results page is, sorry, I just don't understand what these are... I have been at this for hours, and we are now on the 3rd day?

I then turned on the avast and put the files into the chest, so now there are 2 lots in the chest! OK, I am blond but I am trying ??? This is just one of the results, I didn't think you would appreciate all 41, thanks for your help

Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.22 Worm.Win32.Fujack.cc!IK
AhnLab-V3 2009.2.21.0 2009.02.22 Win-Trojan/Hupigon.287264
AntiVir 7.9.0.87 2009.02.21 Rkit/Agent.gcf
Authentium 5.1.0.4 2009.02.21 W32/SelfStarterInternetTrojan!Maximus
Avast 4.8.1335.0 2009.02.22 Win32:Fujack-AQ
AVG 8.0.0.237 2009.02.21 SHeur2.KPI
BitDefender 7.2 2009.02.22 Dropped:Rootkit.11110
CAT-QuickHeal 10.00 2009.02.22 Backdoor.Hupigon.foae
ClamAV 0.94.1 2009.02.22 Worm.Fujacks
Comodo 983 2009.02.20 -
DrWeb 4.44.0.09170 2009.02.22 Win32.HLLP.Whboy.origin
eSafe 7.0.17.0 2009.02.19 Suspicious File
eTrust-Vet 31.6.6368 2009.02.20 Win32/Emerleox.GI
F-Prot 4.4.4.56 2009.02.21 W32/SelfStarterInternetTrojan!Maximus
F-Secure 8.0.14470.0 2009.02.22 Worm.Win32.Fujack.cq
Fortinet 3.117.0.0 2009.02.22 -
GData 19 2009.02.22 Dropped:Rootkit.11110
Ikarus T3.1.1.45.0 2009.02.22 Worm.Win32.Fujack.cc
K7AntiVirus 7.10.639 2009.02.21 -
Kaspersky 7.0.0.125 2009.02.22 Worm.Win32.Fujack.cq
McAfee 5532 2009.02.21 W32/Fujacks.aw
McAfee+Artemis 5532 2009.02.21 W32/Fujacks.aw
Microsoft 1.4306 2009.02.22 Virus:Win32/Viking.JB
NOD32 3877 2009.02.22 a variant of Win32/Fujacks
Norman 6.00.06 2009.02.20 W32/DLoader.MEON
nProtect 2009.1.8.0 2009.02.22 Backdoor/W32.Hupigon.78343
Panda 10.0.0.10 2009.02.21 W32/Autorun.AFR
PCTools 4.4.2.0 2009.02.21 -
Prevx1 V2 2009.02.22 -
Rising 21.17.62.00 2009.02.22 Suspicious.Trojan.Win32.Downldr.a
SecureWeb-Gateway 6.7.6 2009.02.22 Rootkit.Agent.gcf
Sophos 4.39.0 2009.02.22 Sus/Behav-1004
Sunbelt 3.2.1855.2 2009.02.17 Win32.Looked.P (v)
Symantec 10 2009.02.22 Trojan Horse
TheHacker 6.3.2.4.263 2009.02.21 Backdoor/Hupigon.foae
TrendMicro 8.700.0.1004 2009.02.20 PE_FUJACKS.AD
VBA32 3.12.10.0 2009.02.22 Backdoor.Win32.Hupigon.foae
ViRobot 2009.2.20.1617 2009.02.20 -
VirusBuster 4.5.11.0 2009.02.21 -
Additional information
File size: 397861 bytes
MD5...: 86e272b8b07c20e0f28e7a918409509f
SHA1..: b8b816bd3f87c13609a37dd34f4011a6d28eceba
SHA256: 61d0f34d713c20eefa4697c1e6748d31d3b5481dd4da956bbda38139b4a9beee
SHA512: 3d99281dda59e03f6f93ea4b1303122502827b232dce98cdcfce690a071087bac9f4fae0aa538efbe3b254d3d583d2083fc384ee6a1c4a963dcb7b7ee814b012
ssdeep: 6144:96izSHaGyEl/YkAfz84u9CNcFW1y5OmrCGH/SPfop/50o:wiWHaw28R0NcVQGfSXod

PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
TrID..: File type identification
UPX compressed Win32 Executable (32.5%)
Win32 EXE Yoda's Crypter (28.2%)
Win32 Executable Delphi generic (15.6%)
Win32 Executable Generic (9.0%)
Win32 Dynamic Link Library (generic) (8.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4473e0
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x35000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x36000 0x12000 0x11600 7.90 7aa430a8c01bd06218d62146fd37069c
.rsrc 0x48000 0x2000 0x1800 4.33 eb4cf2026cc46cf8c10a7d35c54c0724

( 13 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> advapi32.dll: RegCloseKey
> gdi32.dll: SetROP2
> mpr.dll: WNetAddConnection2A
> netapi32.dll: NetRemoteTOD
> NTDLL.DLL: ZwDuplicateObject
> ole32.dll: CoInitialize
> oleaut32.dll: VariantCopy
> shell32.dll: ExtractIconA
> URLMON.DLL: URLDownloadToFileA
> user32.dll: GetDC
> wininet.dll: InternetOpenA
> wsock32.dll: htons

( 0 exports )

packers (Kaspersky): UPX
packers (Avast): UPX
packers (Authentium): UPX
packers (F-Prot): UPX

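Reading the pasted VirusTotal PEInfo block the way a defender would, as an added example that is not from the thread or from VirusTotal: the script parses the section table and import list as they appear above and flags the indicators (a UPX0 section with virtual size but zero raw data, a high-entropy UPX1 section, loader-only kernel32 imports, network-capable APIs) that make the file suspicious whatever label each engine gives it. The entropy threshold and the API lists are assumptions of this example.

```python
import re

# Constructed sample: the section rows and the imports relevant to triage,
# copied from the thread's pasted VirusTotal "PEInfo" output.
PEINFO = """( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x35000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x36000 0x12000 0x11600 7.90 7aa430a8c01bd06218d62146fd37069c
.rsrc 0x48000 0x2000 0x1800 4.33 eb4cf2026cc46cf8c10a7d35c54c0724

( 13 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> mpr.dll: WNetAddConnection2A
> URLMON.DLL: URLDownloadToFileA
> wininet.dll: InternetOpenA
> wsock32.dll: htons
"""

# Assumed indicator lists (not VirusTotal's logic): APIs a worm or downloader
# uses to reach the network, the bare imports a UPX stub leaves, entropy cutoff.
NETWORK_APIS = {"URLDownloadToFileA", "InternetOpenA", "WNetAddConnection2A", "htons"}
UPX_STUB_IMPORTS = {"LoadLibraryA", "GetProcAddress", "ExitProcess"}
HIGH_ENTROPY = 7.0  # bits/byte; near 8 means compressed or encrypted data

SECTION_RE = re.compile(r"^(\S+)\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)"
                        r"\s+([\d.]+)\s+([0-9a-f]{32})$")

def parse_sections(text):
    # One dict per section row: name, virtual size, raw size, entropy, md5.
    rows = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            rows.append({"name": m.group(1), "vsize": int(m.group(3), 16),
                         "rawsize": int(m.group(4), 16),
                         "entropy": float(m.group(5)), "md5": m.group(6)})
    return rows

def parse_imports(text):
    # Map lower-cased DLL name -> list of imported function names.
    imports = {}
    for line in text.splitlines():
        if line.startswith("> ") and ":" in line:
            dll, funcs = line[2:].split(":", 1)
            imports[dll.strip().lower()] = [f.strip() for f in funcs.split(",")]
    return imports

def triage(text):
    """Flag the packing and capability indicators visible in the report."""
    sections, imports = parse_sections(text), parse_imports(text)
    # Virtual size with zero raw data is filled at run time by the unpacker;
    # high entropy marks the packed payload itself.
    packed = [s["name"] for s in sections
              if (s["rawsize"] == 0 and s["vsize"] > 0) or s["entropy"] >= HIGH_ENTROPY]
    net = sorted(f for funcs in imports.values() for f in funcs if f in NETWORK_APIS)
    k32 = set(imports.get("kernel32.dll", []))
    # Loader-only kernel32 imports: the real import table is rebuilt after
    # unpacking, so the static list understates what the file can do.
    stub_only = bool(k32) and k32 <= UPX_STUB_IMPORTS
    return {"packed_sections": packed, "network_apis": net,
            "resolves_imports_at_runtime": stub_only,
            "verdict": "suspicious" if packed and (net or stub_only) else "review"}
```

The same logic applied to a constructed unpacked file (one normal .text section, ordinary kernel32 imports) returns a "review" verdict with no flags, which is the baseline to compare against.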
Title: Re: win32-fujack
Post by: DavidR on February 22, 2009, 03:01:42 PM
1. They can do no harm in the chest, it is a protected area. There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

2. A new folder is a temporary folder too, the folder I suggested isn't in the conventional Temp folder. The main thing is not to place them back in the original location as that would effectively reactivate them.

3. When virustotal completes its scan, the address bar (where you would enter virustotal.com if entering it manually) changes to a page that is displaying the results. You can copy and paste that link, it saves having to copy and paste all the results into the post.

I wouldn't have run all 41 (I didn't even suggest that) but a couple as they are so close and being the same malware type, just to confirm the detection as it certainly does.

You shouldn't have needed to put them in the chest again as the export (as I said) leaves a copy in the chest, when your investigation is done, then you can simply delete the file you exported to the temporary location to upload to virustotal.

The two files that I actually suggested you check (as there could be some doubt and require further investigation), the setup.exe and the dellbutn.htm, you don't appear to have checked?

Title: Re: win32-fujack
Post by: reefraider on February 23, 2009, 03:57:54 AM
http://www.virustotal.com/analisis/1f72ca029b511358a27f065c4a2fa9c2

http://www.virustotal.com/analisis/316aab9acc6e5595d7af46e642ef0bed
Title: Re: win32-fujack
Post by: DavidR on February 23, 2009, 03:56:00 PM
Well it is pretty conclusive that the DELLBUTN.HTM appears to have been infected.

Though still no results for the c:\drivers\audio\R 158235\Setup.exe file, but you have now introduced another file not previously mentioned, DellTpad.exe, wherever that might be located, which is once more pretty conclusively infected. Though it seems a strange one if it is related to a Dell track/touch pad, as the malware win32.fujack is a worm and not a file infector.

For more info, http://www.threatexpert.com/report.aspx?md5=a2fad9dfd0cbbf5a3a6563719d5e1949; the win32:fujack-aq also has an alias (what other AVs call it) of win32:fujack-cq, and there are many more in the VT results page.

I would also suggest these tools. If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
Title: Re: win32-fujack
Post by: reefraider on February 24, 2009, 10:10:33 AM
Hi

1. I have the SUPERantispyware you suggested in the first post and it is installed. I ran it then and today and it only showed cookies; should it have picked up anything in the suspect files?

2. I clicked on your thread re MalwareBytes and it came up "setup files are corrupted, please obtain a new copy of the program".

3. I am wondering, if I paid for Avast, why can't I use this to help me with this fujack problem, why can't I get a log from it, why do I have to download all these other programmes?

4. I have always had 41 files in the chest; I just selected 2 at random to show you, but when they go to be scanned at VT, when you search the file they are hard to recognise (for me anyway). I thought I had sent you the one you requested; if it was as easy as just entering the requested file I would, I just don't know how to do it.

5. Why can't I just trust Avast and believe I have fujack and fix it, what are we looking for?
Title: Re: win32-fujack
Post by: DavidR on February 24, 2009, 03:04:54 PM
1. The purpose is to see if it might find something that may have been downloaded yet undetected by avast, there is no certainty that will happen. It is a multi application approach to security by combining compatible applications to improve overall detection rates, no single application will provide 100% protection.

2. When you say you clicked on the link for MBAM, how (?) exactly, what did you do?
You should be right clicking and selecting save as, etc. as per the instructions to download to your hard disk.

3. For the reasons mentioned in 1. above, these are specialist anti-spyware/malware tools. Where avast incorporates anti-spyware into the regular scanning, the others do scan the registry for spyware or suspect entries; avast only scans your HDD and if spyware is found then it would check for associated registry entries. There is a subtle difference, as some registry entries can be modified to lower security policy, etc., preparing the way for malware when malware may not actually be present or is hidden/undetected.

4. As the instructions on sending to virustotal (VT) said, you can't send them directly from the chest; avast would block that (0 byte size). From outside the chest you can't see the original file name, avast changes that, and the files are encrypted; this is all part of ensuring they can do no harm in the chest.

So they have to be exported to a temporary folder that you have created and excluded (as per the instructions) so they can be uploaded to VT.

5. If you read the link I have on the fujack info there can be much more to this complex worm relating to the registry and that is why I suggested the specialist tools for the job.
Title: Re: win32-fujack
Post by: reefraider on February 26, 2009, 04:02:08 PM
Thanks for all your help. Got a tech eventually and sorted the prob ASAP; prob should not have worried you as it was fixed in no time, sorry, but thanx for your time anyway.
Title: Re: win32-fujack
Post by: reefraider on February 26, 2009, 04:04:21 PM
Thank you, but got a tech and got it sorted ASAP, should have done it sooner but thanx anyway...
Title: Re: win32-fujack
Post by: DavidR on February 26, 2009, 04:20:49 PM
You're welcome, is that an echo I hear in the forums ;D