Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: x2397 on June 09, 2010, 04:22:39 PM
-
I have the latest avast updates. When I did a scan last night there were 6 viruses found, one of them was something called Isass.exe and there are whole bunch of MSL:crypt AF. then I turned on my pc today and the file system shiled detected a MSLI: inject and thre were like 5 of them. So I don't know whether this is an issue with the software. please help. I say there may be a problem with the software because months ago there was a problem with false positives that made many innocent files look like they were infected.
-
also there was something called a win 32 dropper or something and every time I restart my pc it takes longer and says that Isass cannot be found. I deleted a lot of supposedly infected files but then started moving them to the chest when the # of infections went out of control. At this rate my system will be crippled. anyone else have the same problem?
update: I have scanned again and have found 2 MSIL:inject drp and 2 win 32 malware gen, so more of the same.
-
Sorry, I'm not an expert on cleaning. Let me suggest the general cleaning procedure...
If a virus is replicant (coming and coming again), you could follow the general cleaning procedure:
1. Clean your temporary files. You can use CleanUp (http://www.stevengould.org/downloads/cleanup/) or CCleaner (http://www.ccleaner.com/) for that.
2. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot. Other option is scanning in SafeMode (http://support.microsoft.com/default.aspx?scid=kb;en-us;315222) (repeatedly press F8 while booting).
If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. It will be good if you download, install, update and run MBAM (http://malwarebytes.org/mbam.php) (or SUPERantispyware (http://www.superantispyware.com) or even SpywareTerminator (http://www.spywareterminator.com)).
If any infection is detected, it is better and safer to send the infected file(s) to quarantine (Chest), rather than simply deleting them.
4. If you still detecting any strange behavior or even you're sure you're not clean, maybe it will be good to test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp) for XP/Vista. For XP only: Panda (http://research.pandasoftware.com/blogs/research/archive/2007/04/27/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx).
5. Also, if you still detecting strange behaviors or you want to be sure you're clean, maybe making a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to to on-line analysis.
6. Browser hijacking and problems with antivirus update could be managed in some scenarios by cleaning the hosts file (at C:\windows\system32\drivers\etc folder). The file does not have an extention, it's simply hosts.
The default file consists of a number of example lines preceded with # The only required line is
127.0.0.1 localhost
You can get a good replacement with HostsMan that keep it clean (avoid infections) and updated: http://www.abelhadigital.com
7. After you're clean, disable System Restore on Windows ME (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887), XP (http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405) or Vista (http://support.microsoft.com/?scid=kb%3Ben-us%3B936212&x=6&y=13). System Restore is not available in Windows 9x and 2k. After disabling you can enable it again.
8. Use the immunization of SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
9. Finally, when you're clean, check for insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/) to update insecure applications and avoid reinfection.
-
I tried the boot scan and it did detect 1 malware. but when it boots I still get a message that lsass cannot be found and it still takes longer to boot. what do you think about the chances of it being a false positive? because there are way too many of the viruses found. For safety Im moving all files to chest.
-
ok I installed Malwarebytes but now avast is going crazy! Help it detected two threats and all I could was block it
-
Restart PC in safe mode by tapping F-8 key, choosing "Safe Mode with Networking" from menu. Download, update, run Malwarebytes, removing what it finds. When back in normal mode download, run Hitman Pro, ccleaner and restart PC.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
http://download.cnet.com/Hitman-Pro-3/3000-2239_4-10895604.html?tag=mncol
http://download.cnet.com/ccleaner/?tag=mncol
-
I did a complete system recovery so everything should have been back to normal, but then I went to watch youtube the same viruses came back again on certain videos I believe. I submitted the files to the avast team and now I am waiting a response. I am, again, thinking it is a problem with the software.
-
System recovery (I assume you mean system restore) may have had copies of the virus
(http://www.geekstogo.com/misc/guide_icons/gmer.png) GMER Rootkit Scanner - Download (http://www.gmer.net/gmer.zip) - Homepage (http://www.gmer.net/)
- Download GMER
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe.
(http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif)
- If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
- In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
(http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg) (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
- Save the log where you can easily find it, such as your desktop.
**Caution**Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.
THEN
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select Scan all users
- Under the Custom Scan box paste this in
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /180
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach both logs
-
No I meant full system recovery as in factory settings. multiple files infected with the same virus. Win:32 trojan gen. all starting with something called lsass.exe. again same viruses infecting multiple files. Also wondering whether any avast user has gone on youtube(some videos, can't really say which) and then getting the viruses.
-
Are you clean now ?
-
Nope I am not clean, I just scanned and theres more viruses. I have navigated the forums and found that there are some cases similar to mine. They say that avast keeps saying the same files are infected. I don't know how infection is possible, I downloaded avast again. for a couple of days there were no infections. I haven't been to youtube for the past few days. but then I go once and infections from beginning post starts all over again. I have submitted files to avast. If you look around the forums you will see that people are posting similar, recent, posts about avast detecting many files as malware, so maybe it is some kind of software problem.
-
Could you run the analysis programmes in my previous post
-
My pc cannot extract zip files because I don't have the programs.
-
I have already tried boot time scans and Malwarebytes. the problem does not go away. Avast is going on a rampage about the same viruses. And they are not all detected in one scan. just now a temp/avast 5 was found as a virus.
-
The analysis logs will show me where it is hiding and what the trigger files are
-
My pc cannot extract zip files because I don't have the programs.
You need winrar or winzip to extract the files.
And follow essexboy steps.
Or
You can try my steps
I think you should disable Avast temporarily just for scanning..
1. Right click avast ball
2. Avast shield control
3. Disable for 1 hour
I think what you've stated that MBAM is installed on your system now right?
If so?
Update the latest version then try scanning MBAM.
If you really needed removing for malware and viruses? you can visit this site and post you problem their.
http://forums.malwarebytes.org/index.php?showforum=7
-
I scanned with malwarebytes here's the log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4192
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
6/13/2010 9:32:05 AM
mbam-log-2010-06-13 (09-32-05).txt
Scan type: Full scan (C:\|)
Objects scanned: 123736
Time elapsed: 15 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Microwsoft (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mswupdate (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mswupdate (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe "C:\Documents and Settings\Dollars\Application Data\lsass.exe") Good: (Explorer.exe) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Good!
So still Avast detecting files as viruses?
Im sory but im no expert and authorized for completely removing malware.
Mbam is good but its not complete for removing..
Some case malware still lurking on your system. Even scanning Antivirus + Antimalware no found.
You need powerful tools to remove it but its only authorized malware experts to check it.
Maybe you can try visiting this site.
http://forums.malwarebytes.org/index.php?showforum=7
Post their wait for their reply.
-
well I did another scan with malwarebytes and nothing. did a scan with avast and nothing. so I think I am clean. But what do I do with the files on the vault?
-
well I did another scan with malwarebytes and nothing. did a scan with avast and nothing. so I think I am clean. But what do I do with the files on the vault?
What you mean on virus vault? In Avast Virus Chest? or Mbam Quarantine?
Its would be best not to delete them first why?
Some virus and malware can harm your system which malware and viruses infect system files which can cause problematic.
Just observe your system for a week. If its running FINE then you can delete the virus and malware on the quarantine or virus chest.
Btw we have viruses and worms section.
I hope this thread will be moved and can be check by Avast Team Experts and Mods.
-
If you need something to extract files you may use 7zip which is a free tool :)
You may download it here:
http://filehippo.com/download_7zip_32/
Glad to hear that you are clean
-
well here are the files in the avast chest and all are infected with win32:Trojan-gen:
A0001910.exe Location: system volume info.
lsass.exe Location:documents and settings
unp229685330.tmp and 2 other variants of these with different numbers location: C:\windows\temp\_avast5_
The problem is that I don't know where all the infections originated from.
-
If you need something to extract files you may use 7zip which is a free tool :)
You may download it here:
http://filehippo.com/download_7zip_32/
Glad to hear that you are clean
thanks but, as Chubalz said, my system may still be having stuff lurking around even if my AV software and malwarebytes cannot detect it.
-
well here are the files in the avast chest and all are infected with win32:Trojan-gen:
A0001910.exe Location: system volume info.
lsass.exe Location:documents and settings
unp229685330.tmp and 2 other variants of these with different numbers location: C:\windows\temp\_avast5_
The problem is that I don't know where all the infections originated from.
AFAIK, and CMIIW, lsass.exe is located in the folder C:\Windows\System32, not in the document and settings. (its "l" (L) not "I"(i) )
here's the some links about lsass.exe : http://www.neuber.com/taskmanager/process/lsass.exe.html
http://www.processlibrary.com/directory/files/lsass/
-
If you are concerned about stuff lurking - which it may well be
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Check the box that says Scan All Users
- Under the Custom Scan box paste this in
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /180
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
Should I just wait the week and see if my system runs fine and then delete all?