Avast WEBforum

Other => Viruses and worms => Topic started by: finalglimpse on February 06, 2011, 09:56:02 AM

Title: win32 malware gen
Post by: finalglimpse on February 06, 2011, 09:56:02 AM
I have read the instructions on this link http://forum.avast.com/index.php?topic=53253.0
all the way up to the last page, and they kept telling the others to create a new topic (I hope I got it right).
-----------------------------------------------------------------------------------------------------------------------------
So here I had this win32 malware gen via a message from Facebook.
A message from 5 friends sent via Facebook mobile contained a link. I opened it and "poof", my computer was infected.
I ran an avast boot scan and told it to delete all threats (it was past 2am already and I was already wasted, so I stupidly chose to delete instead of moving to the chest).
At 7am that day, I ran Windows Defender and an avast custom scan to check if there were any threats that were not deleted; no threats were found.
That same day I opened my computer again and, annoyingly, received a threat message from avast about this malware gen. Annoyed, I always delete whenever avast pops up with that malware thing.
It has been weeks already and avast stopped popping up with malware gen, but yesterday I went out to print a document (I ran out of black ink) and the internet cafe's antivirus detected a worm on my flash drive. I was alarmed, so I ran a boot scan again today, and voilà! win32 malware is still alive. This time I moved everything to the chest.
After that I researched this malware gen and came upon this forum. I followed the steps in the link above and here are the logs.
MBAM log after removing all selected files
Quote
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5688

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2/6/2011 4:43:33 PM
mbam-log-2011-02-06 (16-43-33).txt

Scan type: Quick scan
Objects scanned: 142375
Time elapsed: 4 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Title: Re: win32 malware gen
Post by: finalglimpse on February 06, 2011, 10:02:41 AM
the OTL logs

http://www.mediafire.com/?gsrvofg7ygiv7fh
http://www.mediafire.com/?wiaoim5stsutkvg
I really do hope that I did everything right.

I posted here because I don't know what to do next. hehe. :)
By the way, I'm using avast! 4.8 Professional Edition.
Title: Re: win32 malware gen
Post by: mikaelrask on February 06, 2011, 10:11:32 AM
Hey, and welcome to the forum. I hope someone else can check your log there, I'm no expert on them. But I suggest a boot scan might be a good first step, since it sounds like avast is detecting something that reappears, if I understand your post.

http://www.schmahl.net/avastbootscan.php

during the boot scan send anything it finds to the chest.

good luck
Title: Re: win32 malware gen
Post by: Pondus on February 06, 2011, 10:12:10 AM
It is OK.....you could have just posted the logs here as attachments   ;)

Essexboy is notified


Quote
by the way i'm using avast! 4.8 professional edition.
Why not upgrade to avast 5 Pro? It is free if you have a valid license.
Title: Re: win32 malware gen
Post by: finalglimpse on February 06, 2011, 10:21:54 AM
^ Oh, about the log files, I've read the other post and it said to upload the logs to mediafire, so that is what I did.
^ And by the way, that was fast! I wasn't expecting an "OK" reply that fast.

About upgrading, I am planning to, I just don't have enough time to manage my PC.

>>> Also, gonna start the boot scan ^^ as suggested.
Title: Re: win32 malware gen
Post by: essexboy on February 06, 2011, 01:17:38 PM
Hi there, let's get the show on the road  ;D

Run OTL
Title: Re: win32 malware gen
Post by: finalglimpse on February 06, 2011, 04:41:08 PM
Here is the log.

By the way, after rebooting the PC, an OTL window opened and I ran it, then a Notepad window popped up.
I included the file in the attachments.
Title: Re: win32 malware gen
Post by: essexboy on February 06, 2011, 05:51:06 PM
OK, methinks I need a slightly stronger tool as one element did not want to play.  Once this run is complete, can you let me know what problems remain.

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
Title: Re: win32 malware gen
Post by: finalglimpse on February 07, 2011, 01:12:40 AM
^ Oh, I could not disable avast. I don't know why; I've denied full control of the system already, just like what I did in MBAM, but ComboFix keeps on detecting it.
Title: Re: win32 malware gen
Post by: essexboy on February 07, 2011, 07:38:44 PM
Could you run combofix from safe mode please
Title: Re: win32 malware gen
Post by: westmaha on February 07, 2011, 08:37:51 PM
I have Avast 5, Free edition. I have not been infected by a single virus in ten years, until four days ago. I do daily scans, on startup, every day except Saturdays. So, the infection must have occurred late last Wednesday. To my recollection, three things happened on that evening. My wife spent a lot of time on Facebook, and before shutting down, I installed the latest security updates of Open Office (3.3) and Opera 10.01.
 Several files were found to be infected. Among them some system volume restore info, a few system files, and, on boot scan, the Avast 5 cleaner file. The latter is interesting since I had intended to remove Avast, which had recently replaced AVG, as a test, and because a search listed many complaints with Win32.Malware.gen, all reported by Avast users.
 To me, it meant that either Avast was seeing things, or it was the only good AV.
 The day after the boot scan, Avast found a couple of other infections. At that point, I did scans with Malwarebytes AntiSpyware, which found several malware items, all but one in the Registry. I did a virus scan with Housecall Trendmicro online, and another antispyware scan with SuperAntispyware, which removed more junk. I did a manual scan Saturday, and the usual automatic scan, with Avast. Both clean, but today, though clean, the computer tried to shut down by itself at scan's completion. On restarting, both antispyware programs found a couple of Registry issues, which I cleaned up.
 I am not sure if I am done with this malware, or if Avast is reliable. Interesting to note is the fact that the Avast cleaner file was infected. I did a redownload, and it went straight into the Vault, with 0 KB in the download location. After the complex clean-up, a redownload succeeded. I think that I eliminated the issues with Open Office and Opera. Facebook is still suspect.
Title: Re: win32 malware gen
Post by: essexboy on February 07, 2011, 08:45:54 PM
There was a minor glitch where the removal tool was detected as malware - this was rectified with the next update

Title: Re: win32 malware gen
Post by: finalglimpse on February 08, 2011, 01:54:30 AM
Okay, I'll try it, but maybe tomorrow (busy schedule :)).

>> avast was already disabled, yet ComboFix still keeps on detecting it.
Title: Re: win32 malware gen
Post by: Tenko on February 08, 2011, 12:18:18 PM
A big mistake that many make is that they think they're infected just because they downloaded something, but that's wrong; in order to have an infected computer the malware has to run actively in memory (if it's a rootkit it's another story).

this may be offtopic but it's important knowledge.

Regards,
              Tenko
Title: Re: win32 malware gen
Post by: finalglimpse on April 15, 2011, 12:38:17 PM
Hi :) So I've encountered yet another problem, so I repeated the steps that I did. Here is the MBAM log and the OTS log.
And also, I haven't run ComboFix ever since, due to a tight schedule.


I promise to do everything that you want me to do right away this time.
I will also run an avast boot scan today.
Title: Re: win32 malware gen
Post by: argus on April 15, 2011, 01:51:24 PM
Quote
>> avast was already disabled yet still, combofix keeps on detecting it.

Disable Avast: images 1 and 2

Recommendation > replace USB Disk Security with MCShield  http://amf.mycity.rs/programs/mc/mcshield/
Title: Re: win32 malware gen
Post by: Lisandro on April 15, 2011, 02:03:54 PM
Why would disabling the avast self-defense help in anything with virus manipulation? ???
Title: Re: win32 malware gen
Post by: argus on April 15, 2011, 02:41:08 PM
I understand that Avast prevents ComboFix from running.
Title: Re: win32 malware gen
Post by: finalglimpse on April 15, 2011, 04:02:21 PM
If I happen to run ComboFix in safe mode, do I have to disable my security software?
Title: Re: win32 malware gen
Post by: argus on April 15, 2011, 06:26:04 PM
If you run ComboFix in safe mode, CF will work in reduced mode

and some of the functions of CF will not work. CF is meant to run in normal mode.

If you do not know how to run CF, first uninstall your antivirus and then restart the CF tool.
Title: Re: win32 malware gen
Post by: finalglimpse on April 15, 2011, 08:22:16 PM
But essexboy said to run it in safe mode.
Title: Re: win32 malware gen
Post by: argus on April 15, 2011, 08:39:36 PM
Feel free to do as I wrote; essexboy would not be angry  ;D
Title: Re: win32 malware gen
Post by: essexboy on April 15, 2011, 08:50:17 PM
Generally, although sUBs does not like you to run CF in safe mode (restore point creation problem), it will work sufficiently to see where the problems lie.

Just disabling the Avast shields until reboot is normally good enough (well, last time I ran CF was about 3 days ago).

Is your ISP in the Philippines?   Also, what are your current problems?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_CURRENT_USER\] > ->
YN -> HKEY_CURRENT_USER\: URLSearchHooks\\"{c2db4fe6-8409-45ce-8010-189a7b5cce86}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "30010196-8b9c-4ed9-8b0f-6819b81256c5" -> C:\ProgramData\30010196-8b9c-4ed9-8b0f-6819b81256c5.dat [rundll32.exe "C:\ProgramData\30010196-8b9c-4ed9-8b0f-6819b81256c5.dat", rrurghqqjfdisc ]
[Files - No Company Name]
NY ->  30010196-8b9c-4ed9-8b0f-6819b81256c5.dat -> C:\ProgramData\30010196-8b9c-4ed9-8b0f-6819b81256c5.dat
NY ->  Internet Protection.lnk -> C:\Users\Llorry Manto\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Protection.lnk
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.
Title: Re: win32 malware gen
Post by: finalglimpse on April 15, 2011, 10:33:15 PM
Yes, I am from the Philippines and honestly, I do not know what the real problem is.
Just the moment I came home from school, my younger brother reported that his PC may have gotten some viruses.
* He said that he just opened "Internet Explorer", then an unknown program popped up scanning the PC and detecting 18 threats, namely win32, trojan, worm etc. etc., and said that those threats try to get the login information found on the PC (like accounts on popular online games). What made it worse is that "Windows Defender" won't work anymore; also the "Windows Security Center" is turned off.

* So far I haven't yet performed a boot scan, just thorough scanning, and it detected a "Spyware Doctor" and I don't have any clue what's happening.

Anyway, here's the result:
Title: Re: win32 malware gen
Post by: essexboy on April 15, 2011, 10:40:23 PM
OK, disable Avast shields now until reboot and then run ComboFix, allowing it to update if it asks

Title: Re: win32 malware gen
Post by: finalglimpse on April 16, 2011, 04:47:24 AM
I did what you instructed, but ComboFix still detects avast (in normal mode, haven't tried it in safe mode).



Title: Re: win32 malware gen
Post by: finalglimpse on April 16, 2011, 04:48:28 AM
I also did what the "other guy" instructed.
Title: Re: win32 malware gen
Post by: finalglimpse on April 16, 2011, 12:05:28 PM
I had repeatedly tried to disable avast, but ComboFix keeps on detecting it.
So, eager to be able to do this at a faster pace, I uninstalled avast (I have my installer so I could reinstall it after running ComboFix :)), but still I always receive a dialog box from ComboFix saying that it is still active.


Title: Re: win32 malware gen
Post by: essexboy on April 16, 2011, 05:12:51 PM
This is weird, as just disabling the shields should allow it to run

Download and run the Avast uninstall tool, then retry CF http://www.avast.com/uninstall-utility
Title: Re: win32 malware gen
Post by: finalglimpse on April 16, 2011, 05:25:42 PM
This also happened the first time you instructed me to run ComboFix.
Title: Re: win32 malware gen
Post by: essexboy on April 16, 2011, 05:32:02 PM
Need to discuss this with sUBs
Title: Re: win32 malware gen
Post by: argus on April 16, 2011, 05:39:09 PM
It happens with Avast 6, same as with AVG; you must uninstall Avast before running ComboFix.
Title: Re: win32 malware gen
Post by: finalglimpse on April 16, 2011, 05:39:36 PM
I'm done uninstalling avast. Should I try using ComboFix again?
Title: Re: win32 malware gen
Post by: finalglimpse on April 16, 2011, 05:42:14 PM
Quote
It happens with version Avast6 same with AVG, must uninstall Avast before running Combofix

I did uninstall avast using the Control Panel option,
but there, it was still detected.

I uninstalled avast again using the utility essexboy gave and now I'm waiting for a "go" signal to start running ComboFix.
Title: Re: win32 malware gen
Post by: essexboy on April 16, 2011, 05:46:05 PM
Go  ;D
Title: Re: win32 malware gen
Post by: finalglimpse on April 16, 2011, 06:05:08 PM
Errr... same error message  :'(

Title: Re: win32 malware gen
Post by: essexboy on April 16, 2011, 06:08:03 PM
Does it still come up if you click OK?
Title: Re: win32 malware gen
Post by: finalglimpse on April 16, 2011, 06:21:37 PM
Here's what I got after clicking "OK"
 :'(

Needs urgent help :( I will be leaving for a week and I don't want to leave the PC in this state :(
Title: Re: win32 malware gen
Post by: essexboy on April 16, 2011, 06:32:54 PM
Yep click OK again
Title: Re: win32 malware gen
Post by: finalglimpse on April 17, 2011, 02:00:06 AM
Here's the log.

Title: Re: win32 malware gen
Post by: finalglimpse on April 17, 2011, 03:42:01 AM
Still, Windows Defender won't work.

Title: Re: win32 malware gen
Post by: argus on April 17, 2011, 01:16:00 PM
Wait, essexboy, you have malware (driver).
Title: Re: win32 malware gen
Post by: essexboy on April 17, 2011, 02:28:19 PM
Yep, 'tis a worm.  What error do you get when you try to run Defender?

1. Please open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
KillAll::

File::
E:\FXDrv32.sys

Driver::
FXDrv32


3. Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
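The two fixes essexboy pushed through the tools above target the same two autostart locations a practitioner checks by hand: a value under the HKCU Run key that launches rundll32 against a randomly named .dat file in ProgramData, and a kernel driver service (FXDrv32) whose image lives on the E: drive rather than under System32\drivers. The script below is an added example, not part of this thread and not code from OTS or ComboFix. It re-implements those two checks as detection logic over a constructed list of autostart entries: the malicious Run value and driver path are the ones quoted in the thread (the driver's ImagePath is assumed to be the E:\FXDrv32.sys listed under File::), and the benign entries are made up for contrast. It does not read a live registry; on a real machine you would feed it the Run values and Services\*\ImagePath values exported from the box.

```python
"""
Audit Windows autostart entries for the two persistence patterns targeted by
the fixes in this thread:
  * a Run value that invokes rundll32 on a non-DLL file in a user-writable path
  * a kernel driver service whose image is not under <SystemRoot>\System32\drivers

Added example. All sample data is constructed; nothing here touches a registry.
"""
import re
from dataclasses import dataclass, field

# Bare-GUID value names are a common choice for randomly named persistence entries.
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)

# rundll32[.exe] "<target>",<export>   (quotes optional, any leading path)
RUNDLL_RE = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*([A-Za-z0-9_@#]+)',
    re.I,
)

# Directories an unprivileged user can write to; legitimate rundll32 targets rarely live here.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\", "\\temp\\", "\\tmp\\")


@dataclass
class Finding:
    location: str
    name: str
    reasons: list = field(default_factory=list)


def _max_consonant_run(s):
    """Longest run of consonants; machine-generated export names tend to have long ones."""
    runs = re.findall(r"[b-df-hj-np-tv-z]+", s.lower())
    return max((len(r) for r in runs), default=0)


def check_run_value(name, command):
    """Return the reasons (possibly none) a Run value looks like rundll32-based persistence."""
    reasons = []
    m = RUNDLL_RE.match(command)
    if m:
        target, export = m.group(1), m.group(2)
        low = target.lower()
        if not low.endswith(".dll"):
            reasons.append(f"rundll32 target is not a .dll: {target}")
        if any(d in low for d in USER_WRITABLE):
            reasons.append(f"rundll32 target in user-writable path: {target}")
        if _max_consonant_run(export) >= 6:
            reasons.append(f"export name looks machine-generated: {export}")
    if GUID_RE.match(name):
        reasons.append("value name is a bare GUID")
    return reasons


def normalize_image_path(image_path, system_root="C:\\Windows"):
    """Resolve the forms ImagePath takes (\\??\\, \\SystemRoot\\, bare system32\\...) to a drive path."""
    p = image_path.strip().strip('"')
    if p.lower().startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        p = system_root + "\\" + p[len("\\systemroot\\"):]
    elif not re.match(r"^[a-z]:\\", p, re.I):
        p = system_root + "\\" + p.lstrip("\\")
    return p


def check_driver_service(name, image_path, system_root="C:\\Windows"):
    """Return the reasons (possibly none) a driver service's image location is suspicious."""
    reasons = []
    full = normalize_image_path(image_path, system_root)
    low = full.lower()
    if low[:2] != system_root[:2].lower():
        reasons.append(f"driver image on non-system drive: {full}")
    if not low.startswith(system_root.lower() + "\\system32\\drivers\\"):
        reasons.append(f"driver image outside {system_root}\\System32\\drivers: {full}")
    return reasons


def audit(run_values, driver_services):
    """Run both checks and return one Finding per entry that tripped at least one rule."""
    findings = []
    for name, cmd in run_values:
        r = check_run_value(name, cmd)
        if r:
            findings.append(Finding("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", name, r))
    for name, path in driver_services:
        r = check_driver_service(name, path)
        if r:
            findings.append(Finding("HKLM\\SYSTEM\\CurrentControlSet\\Services", name, r))
    return findings


# Constructed sample: first entry of each list is the one quoted in the thread, the rest are benign fillers.
SAMPLE_RUN_VALUES = [
    ("30010196-8b9c-4ed9-8b0f-6819b81256c5",
     'rundll32.exe "C:\\ProgramData\\30010196-8b9c-4ed9-8b0f-6819b81256c5.dat", rrurghqqjfdisc'),
    ("avast!", '"C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe"'),
    ("NvCpl", "RUNDLL32.EXE C:\\Windows\\system32\\NvCpl.dll,NvStartup"),
]
SAMPLE_DRIVERS = [
    ("FXDrv32", "E:\\FXDrv32.sys"),  # assumed ImagePath, from the File:: line in the CFScript
    ("afd", "\\SystemRoot\\system32\\drivers\\afd.sys"),
    ("aswSP", "system32\\DRIVERS\\aswSP.sys"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RUN_VALUES, SAMPLE_DRIVERS):
        print(f"{f.location}\\{f.name}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Running it flags exactly the two entries the thread's fixes removed and nothing else. The rules are deliberately conservative (a rundll32 target in Program Files that ends in .dll is not reported), so treat a hit as something to look at, not as a verdict; the converse also holds, since a worm that copies itself into System32\drivers under a plausible name would pass the driver check.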
Title: Re: win32 malware gen
Post by: finalglimpse on April 26, 2011, 02:52:51 AM
Do I need to disable avast again before doing this? *Sorry for a week of absence, I've been out for a while.
Title: Re: win32 malware gen
Post by: essexboy on April 26, 2011, 08:57:27 PM
Yes, disable Avast for, say, one hour; then when ComboFix has finished the reboot and log, restart Avast.
Title: Re: win32 malware gen
Post by: finalglimpse on April 26, 2011, 09:48:55 PM
Okay :) just checking. I'll have it done tomorrow. :)
Title: Re: win32 malware gen
Post by: finalglimpse on April 29, 2011, 03:22:19 AM
Here's the log.

The same problem exists :( Windows Defender still won't work.

Title: Re: win32 malware gen
Post by: essexboy on April 29, 2011, 06:34:26 PM
Could you go to this page http://support.microsoft.com/kb/931849 and follow the instructions to uninstall and then re-install Windows Defender