Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Omid Farhang on March 31, 2009, 01:09:43 AM

Title: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Omid Farhang on March 31, 2009, 01:09:43 AM
I decided to test how protected I am!!
I paused avast! web shield and standard shield and downloaded a virus sample from TheSerials.com (infected) web site, ran it as administrator and waited to see what would happen, and then ran avast! again. Now I am infected; after a scan with avast, avast found these:

Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\Omid Farhang\AppData\Local\Temp\VRTD280.tmp" file. 
Sign of "Win32:JunkPoly [Cryp]" has been found in "D:\Desktop\microsoft_office__enterprise.exe" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\Omid Farhang\AppData\Local\Temp\VRTF6ED.tmp" file. 
Sign of "Win32:Vitro" has been found in "C:\Windows\System32\conime.exe" file. 
Sign of "Win32:Vitro" has been found in "C:\Windows\System32\dllhost.exe" file. 
Sign of "Win32:Vitro" has been found in "C:\Windows\System32\cacls.exe" file. 
Sign of "Win32:Vitro" has been found in "C:\Windows\System32\msdtc.exe" file. 
Sign of "Win32:Vitro" has been found in "C:\Windows\System32\SearchFilterHost.exe" file. 
Sign of "Win32:Vitro" has been found in "C:\Windows\System32\SearchProtocolHost.exe" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\Temp\VRT48B2.tmp" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\Temp\VRT8813.tmp" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\Temp\VRT30CF.tmp" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\Temp\VRT698C.tmp" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\Temp\VRTA15E.tmp" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\Temp\VRT4B92.tmp" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\Temp\VRT5996.tmp" file. 

I watched and found suspicious transfers in these places:
TCP and HTTP to/from these IPs using these processes:
WMIPRVSE.EXE   WMI Provider Host
WINLOGON.EXE   Windows Logon Application
211.95.79.6
218.93.205.24

after every send/receive to these bad IPs, avast! found a new "Win32:Trojan-gen {Other}" in "C:\Windows\Temp\VRTXXXX.tmp"

ok, and now after scanning with MBAM, SAS and avast I could not find anything; only normal processes with their usual command lines are running on my computer. I will post my hijackthis log now in the reply
Title: Re: infected now, avast, mbam, sas fail to find it
Post by: Omid Farhang on March 31, 2009, 01:11:13 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:43 AM, on 3/31/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Windows\VM305_STI.EXE
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Toshiba\Utilities\VolControl.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Foxmarks\IE Extension\foxmarkssync.exe
C:\Users\Omid Farhang\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe
C:\Windows\Explorer.exe
D:\Downloads\TrendMicro\HijackThis™\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [BigDog305] C:\Windows\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [Babylon Client] C:\PROGRAM FILES\Babylon\BABYLON-PRO\Babylon.exe  -AutoStart
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] C:\PROGRAM FILES\COMMON FILES\Adobe\CS4SERVICEMANAGER\CS4SERVICEMANAGER.EXE  -launchedbylogin
Title: Re: infected now, avast, mbam, sas fail to find it
Post by: Omid Farhang on March 31, 2009, 01:12:29 AM
O4 - HKLM\..\Run: [TOSHIBA Volume Indicator] C:\PROGRAM FILES\Toshiba\UTILITIES\VOLCONTROL.EXE
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Foxmarks] C:\Program Files\Foxmarks\IE Extension\foxmarkssync.exe -q
O4 - HKCU\..\Run: [Google Update] C:\Users\OMID FARHANG\AppData\Local\Google\Update\GOOGLEUPDATE.EXE  /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] C:\PROGRAM FILES\DAEMON TOOLS LITE\daemon.exe  -autorun
O4 - HKCU\..\Run: [Auslogics BoostSpeed 4] C:\Program Files\Auslogics\Auslogics BoostSpeed\boostspeed.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Foxmarks\IE Extension\foxmarksdll.dll (HKCU)
O9 - Extra 'Tools' menuitem: Foxmarks Favorites Synchronizer... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Foxmarks\IE Extension\foxmarksdll.dll (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: @comres.dll,-947 (COMSysApp) - Unknown owner - C:\Windows\system32\dllhost.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12866 bytes
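The HijackThis log above is a line-oriented format: each entry starts with a section code (R0, O2, O4, O20, O23, ...) followed by " - " and a section-specific body. The following parser is an added example, not code from the thread or from HijackThis itself; it reads a constructed excerpt made of lines copied from the posted log and pulls out the three things a reviewer usually looks at first: O4 autostart entries (where the avast tray, Foxmarks and the Sidebar entries come from), O20 AppInit_DLLs (the Outpost hook DLL), and O23 services whose binary HijackThis marked "(file missing)". The regexes and helper names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Foxmarks] C:\Program Files\Foxmarks\IE Extension\foxmarkssync.exe -q
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: @comres.dll,-947 (COMSysApp) - Unknown owner - C:\Windows\system32\dllhost.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
"""

# Every entry starts with a section code (R0, O2, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# O4 body: "<hive>\..\Run: [<value name>] <command>"; the hive may contain a SID (HKUS\S-1-5-19).
RUN_RE = re.compile(r"^(HK.+?)\\\.\.\\Run: \[([^\]]*)\] (.*)$")


def parse_hjt(text):
    """Return one {'section', 'body'} dict per recognised log entry, in log order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
    return entries


def group_by_section(entries):
    """Section code -> list of entry bodies, handy for a quick overview of a log."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["section"]].append(e["body"])
    return dict(groups)


def run_keys(entries):
    """O4 autostart entries as (hive, value name, command) tuples."""
    out = []
    for e in entries:
        if e["section"] != "O4":
            continue
        m = RUN_RE.match(e["body"])
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


def appinit_dlls(entries):
    """DLLs listed under O20 AppInit_DLLs; the value is space- or comma-separated."""
    out = []
    prefix = "AppInit_DLLs:"
    for e in entries:
        if e["section"] == "O20" and e["body"].startswith(prefix):
            out.extend(p for p in re.split(r"[ ,]+", e["body"][len(prefix):]) if p)
    return out


def missing_service_binaries(entries):
    """Paths of O23 services whose binary HijackThis flagged as '(file missing)'."""
    out = []
    marker = "(file missing)"
    for e in entries:
        body = e["body"]
        if e["section"] == "O23" and body.endswith(marker):
            # body: "Service: <display name> - <owner> - <path> (file missing)"
            out.append(body[: -len(marker)].strip().rsplit(" - ", 1)[1])
    return out


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for section, bodies in sorted(group_by_section(entries).items()):
        print(f"{section}: {len(bodies)} entries")
    print("autostart:", run_keys(entries))
    print("AppInit_DLLs:", appinit_dlls(entries))
    print("services with missing binary:", missing_service_binaries(entries))
```

On the full log the "(file missing)" list comes out as dllhost.exe and msdtc.exe, which are two of the System32 files avast reported as Win32:Vitro in the first post; cross-referencing the two lists is the kind of check that makes a HijackThis log useful, since the log itself shows no infected entries.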
Title: Re: infected now, avast, mbam, sas fail to find it
Post by: Omid Farhang on March 31, 2009, 01:14:43 AM
now I've blocked these IPs and did not get any more alerts from avast!, but those 2 processes are still trying to connect to those IP servers in China; the IPs are blocked so they cannot:
211.95.79.6
218.93.205.24
Title: Re: infected now, avast, mbam, sas fail to find it
Post by: Lisandro on March 31, 2009, 01:15:29 AM
Well, you like to live dangerously... ;D
Why don't you use vmware virtual environments to test?
Title: Re: infected now, avast, mbam, sas fail to find it
Post by: Omid Farhang on March 31, 2009, 01:18:19 AM
Well, you like to live dangerously... ;D
Why don't you use vmware virtual environments to test?
because I like to risk it and see and feel them in real action, I want to feel their real impact on system performance and actions for real, not in a virtual... :)
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Lisandro on March 31, 2009, 01:26:43 AM
I want to feel their real impact on system performance and actions for real, not in a virtual... :)
I hope you don't have that much to lose... documents and data, on this particular computer...
In fact, the impact of infection in a virtual environment will be the same as in a real one... just that you can back up (take a snapshot of) the system and have it clean again in 10 seconds...
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Omid Farhang on March 31, 2009, 01:33:09 AM
I hope you don't have that much to lose... documents and data, on this particular computer...
In fact, the impact of infection in a virtual environment will be the same as in a real one... just that you can back up (take a snapshot of) the system and have it clean again in 10 seconds...
anyway now I'm infected and I got one more alert now, and don't know where to look for the source of these alerts!!!

3/31/2009 3:56:00 AM - System - 1828 (ashServ.exe) - Sign of "Win32:Vitro" has been found in "C:\Windows\System32\msfeedssync.exe" file.
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: DavidR on March 31, 2009, 01:56:38 AM
Well vitro is an alias for virut, which is a virulent .exe file infector, so you're lucky to get away with so few infected files.
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Omid Farhang on March 31, 2009, 03:28:49 PM
ok! now my system is clean, but with a clean install of my windows now...! avast killed my windows!!

the file logonUI.exe got infected and avast! could not clean it or delete it...! I could not get back into windows after reboot and I decided to re-install windows instead of repairing...
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: DavidR on March 31, 2009, 04:13:07 PM
No, let's get that straight: 'you' killed your windows by infecting it deliberately with a virulent .exe file infector. One that, had you checked the forums, has resulted in virtually everyone ending up formatting and starting again.

As I said in my last post:
Quote from: DavidR
Well vitro is an alias for virut, which is a virulent .exe file infector, so you're lucky to get away with so few infected files.

So it looks like you weren't so lucky as it continued infecting files.

If you are going to take these risks then you really need to get your back-up and recovery strategy bullet proof first. Had you used hard disk imaging software and taken a disk image before, when everything fell down you could have restored the hard disk image you took before the experiment. That would probably have taken 20-30 minutes tops to have your system as it was.

Or use VMware or some other virtual environment, but you chose not to do that; you could just as easily have seen this work in a virtual environment.

Well, you like to live dangerously... ;D
Why don't you use vmware virtual environments to test?
because I like to risk it and see and feel them in real action, I want to feel their real impact on system performance and actions for real, not in a virtual... :)

So I repeat again, avast didn't kill your system 'you' did by starting the experiment in the first place.
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Omid Farhang on March 31, 2009, 05:16:29 PM
ok! DavidR, I killed my system, so, now a few questions:

1. What should the VRDB Generator do? Shouldn't it back up important files like logonUI.exe and...?

2. Shouldn't a good antivirus be able to repair infected files?

3. that virus was working and had its own risks, but it did not remove any files; it was avast! that deleted my system files because of their infections, so now who caused the problem? the virus or my antivirus?

4. an antivirus should be able to clean an infected system, did avast do that for me?
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Mike Buxton on March 31, 2009, 06:03:46 PM
ok! DavidR, I killed my system

This is not a chicken and egg problem:
you deactivated Avast and deliberately infected "yourself"

Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: DavidR on March 31, 2009, 06:21:24 PM
1. the VRDB only protects certain files; you would have to have run the VRDB prior to infection. Whilst that may be one of them, it would have the same problems in repairing a file as in point 2 below. If the VRDB covered the file, e.g. it was included in a VRDB generation prior to infection, then the Repair button on detection would be available (and a repair can be attempted); otherwise the repair option would be greyed out.

2. there are many viruses that encrypt their infection and change the infection for each file that they infect; some are now using two levels of encryption to prevent repair. The vitro, virut, etc. are particularly virulent. So you have to give avast a fighting chance to block/detect it before it gets established; disabling avast allows it to get established, and once established you are fighting a losing battle.

3. avast didn't delete your files; it detects the infected file and alerts you to it. 'you' chose what action to take (move to chest, delete, etc.), so 'you' make the choice and avast carries it out.

4. notes 1&2 apply here too: when you weight the battle against your AV by disabling it and then deliberately infecting your system, you don't give the AV a fighting chance. So in this case I'm afraid you reap what you sow.
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Omid Farhang on April 01, 2009, 01:08:56 PM
VRDB should back up all important system files, shouldn't it? avast! should keep the system able to boot

I used the repair button; when I clicked on that avast went to repair it and then told me it could not repair it, and I had no other choice than move to chest or delete...

ok! everything that I say, you would say I did it to my system! you don't want to accept/believe avast! could not clean my system...

it's not bad to know that the main virus.exe file that I ran on my system was detected as a "Clean" file by avast
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Lisandro on April 01, 2009, 02:04:49 PM
VRDB should back up all important system files, shouldn't it? avast! should keep the system able to boot
The problem is not the backup, but the restoration at boot time... what would be the use of having a backup that you can't restore (due to Windows limitations)?

I used the repair button; when I clicked on that avast went to repair it and then told me it could not repair it, and I had no other choice than move to chest or delete...
Not all the files can be repaired; not all virus damage allows repair.

you don't want to accept/believe avast! could not clean my system...
antiviruses are meant to be protective, not to repair; they must prevent, not essentially cure.
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Omid Farhang on April 01, 2009, 02:22:50 PM
@Tech: Thanks for the response. do you agree with any of my points?
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: DavidR on April 01, 2009, 03:11:22 PM
I really don't know exactly what files are covered by the VRDB, but it isn't a back-up as in a copy of the file, or the size of the VRDB database would be huge, as it keeps three generations of the database. It retains only enough information to try and repair the file.

However, as I have said, infections that use changing encryption are trying to combat the ability of any AV to repair them, and that doesn't apply just to avast. The VRDB function was, when introduced, a very useful tool, but with the development of malware its use is limited, and as far as I'm aware from avast 5 the VRDB won't be continued.

It has nothing to do with not accepting what you did or didn't do. By disabling avast to start with you didn't test the anti-virus's ability to protect you in the first place, and you were then infected by one of the most virulent file infectors, one that has resulted in many having to format and reinstall; that isn't just avast users, all you need to do is check the various anti-malware sites to see that.

You don't seem to want to accept that what you did was plainly stupid, sorry, but I have no other words for it.
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Lisandro on April 01, 2009, 03:35:43 PM
@Tech: Thanks for the response. do you agree with any of my points?
No, unfortunately, no.
I won't test the security of a system the hard way you've taken. I'd rather use backups and keep my security programs on and updated. There will always be a way to circumvent the protection, there will always be some non-detectable malware... that does not worry me as I won't have contact with such malware. I don't want to work with possibilities (or a sense of security). I'd rather have a plan to work effectively on protection and restoration... Talking about this, time to make backups this afternoon ;)
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: mevcit on April 01, 2009, 04:32:29 PM
i'm lolling still right now :D

Omid, you made my day after a shitty (sorry ;D) calculus midterm! ;D
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Omid Farhang on April 01, 2009, 06:11:26 PM
@DavidR: yes! many people think of these kinds of risks as stupid actions!!

@Tech: I don't have enough free space to take a back-up, do you have any suggested program to take a backup on DVD disc that's easy and fast to use as a recovery disk? :)

@mevcit: enjoy  :P ;)
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: scythe944 on April 01, 2009, 06:42:10 PM
Quote from: Omid Farhang
do you have any suggested program to take a backup on DVD disc that's easy and fast to use as a recovery disk?
Go to this page http://easeus.com/download.htm and look for: EASEUS Disk Copy

It's supposed to be used with an external hard drive, but that will be faster to use than a DVD.

Actually, if you google search for backup programs, I'm sure you'll find plenty to use.
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Omid Farhang on April 01, 2009, 06:58:57 PM
Go to this page http://easeus.com/download.htm and look for: EASEUS Disk Copy

It's supposed to be used with an external hard drive, but that will be faster to use than a DVD.

Actually, if you google search for backup programs, I'm sure you'll find plenty to use.

Thank you :)
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: scythe944 on April 01, 2009, 07:03:33 PM
Oh, this episode of Systm might help you too...

http://revision3.com/systm/harddriveswap/
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Omid Farhang on April 01, 2009, 08:24:19 PM
damn! again I'm infected after a clean install of windows.... I did format.. but... the Vitro is back!
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Lisandro on April 01, 2009, 09:16:07 PM
Omid, take a look on this: http://forum.avast.com/index.php?topic=43904.0;topicseen
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Lisandro on April 01, 2009, 09:16:56 PM
damn! again I'm infected after a clean install of windows.... I did format.. but... the Vitro is back!
Did you use fdisk to recreate the partition and overwrite the MBR? (I think Vitro uses it to reinfect, I'm not sure...)
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: scythe944 on April 01, 2009, 09:20:16 PM
Or maybe it infected a flash drive or some other external media. Check those too if you suspect them...
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Omid Farhang on April 01, 2009, 11:31:52 PM
Did you use fdisk to recreate the partition and overwrite the MBR? (I think Vitro uses it to reinfect, I'm not sure...)
No, just using the format option in the windows recovery disc that came with my laptop


Or maybe it infected a flash drive or some other external media. Check those too if you suspect them...
Yes! same! all my .exe files that I used during the last infection have got infected with this damned virus! it comes back again when I run them...
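Two points in this thread fit together: DavidR's note that these infectors change the infection per file (so repair is unreliable), and the reinfection above from .exe files that had been run while the machine was infected. The defensive move a practitioner would want is an integrity manifest: hash every executable on the media before the experiment (or before the reinstall), and afterwards compare, so that any executable whose hash changed is replaced from a known-clean source instead of being run again. The script below is an added example, not code from avast or from this thread; the extension list and the throw-away directory it builds are this example's own assumptions, and the "infection" is simulated by appending bytes to one file.

```python
import hashlib
import os
import tempfile

# Extensions treated as executable content for the manifest (assumption for this example).
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".sys", ".cpl")


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each executable under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXEC_SUFFIXES):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Classify every executable as modified, added, removed or unchanged since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "unchanged": sorted(p for p in baseline if current.get(p) == baseline[p]),
    }


def demo():
    """Constructed scenario: baseline a folder, alter one executable, drop a new one, recheck."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tools"))
        files = {
            ("setup.exe",): b"MZ clean setup program",
            ("tools", "helper.exe"): b"MZ clean helper program",
            ("readme.txt",): b"not an executable, ignored by the manifest",
        }
        for parts, body in files.items():
            with open(os.path.join(root, *parts), "wb") as f:
                f.write(body)
        baseline = build_manifest(root)

        # Simulate a file infector appending code to an executable that was already present.
        with open(os.path.join(root, "setup.exe"), "ab") as f:
            f.write(b" + appended section")
        # Simulate a new executable appearing that was never in the baseline.
        with open(os.path.join(root, "tools", "dropped.exe"), "wb") as f:
            f.write(b"MZ unknown binary")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    result = demo()
    for kind in ("modified", "added", "removed", "unchanged"):
        print(f"{kind}: {result[kind]}")
```

In real use the baseline manifest must be stored somewhere the infected machine cannot write to (read-only media or another host), since a file infector that can rewrite executables can also rewrite a manifest sitting beside them; and "unchanged" only means unchanged since the baseline, which is why the baseline has to be taken while the system is known clean.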
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: .: L' arc :. on April 02, 2009, 03:06:40 AM
-= :o You seem to put all trust to Avast..  ;D

-= It was trustworthy afterall.. hehe..
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Omid Farhang on April 02, 2009, 10:42:40 AM
hurrah!! my system is now clean! thanks to the new AVIRA!!! it could find all the risks and now it seems my system is working normally
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: .: L' arc :. on April 02, 2009, 01:28:19 PM
hurrah!! my system is now clean! thanks to the new AVIRA!!! it could find all the risks and now it seems my system is working normally

-= In that case.. Are you having plans to switch to avira..?
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: yishigeshihua on April 02, 2009, 04:25:35 PM
I never take the initiative to use avast antivirus;)
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Lisandro on April 02, 2009, 04:40:57 PM
I never take the initiative to use avast antivirus;)
So, you're on the avast forums to check how it works, how the support is? ???
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: yishigeshihua on April 02, 2009, 04:47:33 PM
So, you're on the avast forums to check how it works, how the support is? ???
Avast protects automatically, so I do not have to take the initiative ;D
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Lisandro on April 02, 2009, 05:10:24 PM
Avast protects automatically, so I do not have to take the initiative ;D
I see... I thought initiative was meaning another thing...
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Omid Farhang on April 02, 2009, 06:46:28 PM
-= In that case.. Are you having plans to switch to avira..?
I don't know! AVIRA has its own problems too, like causing delays opening web-sites and...
some of the last problems in the new AVIRA 9 are fixed, like the loud alert sound, and false positives are fewer than before...
maybe I'll go back to avast! and care more about what I'm doing, and maybe not; this is what I've seen:

I scanned my drive with avast! and it found 10 infected files
then I installed AVIRA and scanned the same location and it found 134 infected files... yes! 134 different files... now tell me what to do!
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Lisandro on April 02, 2009, 07:18:13 PM
then I installed AVIRA and scanned the same location and it found 134 infected files... yes! 134 different files... now tell me what to do!
Means nothing... could be only one infection missed, could be an Avira false positive...
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Omid Farhang on April 02, 2009, 07:49:40 PM
Means nothing... could be only one infection missed, could be an Avira false positive...
no! I believe it's not a false positive, about 120 of those 134 were W32/Virto.Gen and virto is already detected by avast; the difference is in the power of the scan and...
I never want to disturb avast!, avast! is a great anti-virus with so many benefits... easy to use for everyone, small updates, easy to manage, a large virus database and compatible with any OS and other software...

for example one of them was the foxit setup file; I installed it with avast! and it found nothing, I installed it on my windows and got infected, then I scanned it with avira and it detected a sample of virto inside that... Tech...!!! I hope alwil adds things in the next update to make it possible to detect with avast, I'm not an enemy! I am a friend!! ;)
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Lisandro on April 02, 2009, 07:53:37 PM
I hope alwil adds things in the next update to make it possible to detect with avast
Did you submit (some of) the files to virus@avast.com to allow detection improvement?
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Omid Farhang on April 02, 2009, 08:15:03 PM
Did you submit (some of) the files to virus@avast.com to allow detection improvement?
no, I did not know the address I could submit to; I have them now in AVIRA quarantine, I will do it now :)

Thanks for the e-mail address!
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: .: L' arc :. on April 05, 2009, 04:50:46 PM
-= A ratio of 10:134.. Isn't it a little over-hyped..? In that case, avast won't just detect 10 if there are actually 134 infections; probably most of the 134 are false positives..
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: Omid Farhang on April 05, 2009, 10:48:28 PM
-= A ratio of 10:134.. Isn't it a little over-hyped..? In that case, avast won't just detect 10 if there are actually 134 infections; probably most of the 134 are false positives..
No, I BELIEVE they're not false positives, I'm sure those are infected files; almost 120 of those 134 files had "Virto" and the other files had other kinds of infections... all of those 120 files were .exe files and those were the files I used when my computer was infected.

*avast! could find about 10 files as infected with Virto and no others...
*Norton 2009 said my system is clean! (F***!)
*Windows Defender was not working in that case so I don't know about its detection rate
*my internet is very slow so I could not use any online scanner

now... read my signature! it's the thing I decided to do (about your question of choosing between avast! and AVIRA) :)
after the problems that I had with AVIRA, I removed other security software such as outpost and... now my Internet connection is normal and even a little faster and the system is working at top performance :)
Title: Re: infected now, avast, mbam, sas, spybot S&D fail to find it
Post by: .: L' arc :. on April 07, 2009, 07:11:31 AM
-= Everyone has their own preferences so, I guess it explains it all.. Have a virus-free-life.. God bless..