Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: homedog on April 24, 2011, 10:20:58 PM
-
avast5\arpot\883a92-1030-0.dat is infected by win32:Alureon-FZ
My internet browser started redirecting to mevio.com regardless of what I was trying to search for. I deleted all temp files/history/etc, ran CCleaner and Advanced System Care. I ran a Avast Quick Scan and found the virus. It prompted me to perform a boot scan and that is where I am right now. The boot scan found the virus above and I deleted it.
Why doesn't Avast prevent this virus from gettng to the computer?
Anything else I need to do?
Thanks in advance for the replies.
-
Could you upload that from the virus chest to Avast please as I think they will be very interested in getting it
-
Boot scan still running. Will see what is in the chest when it finishes. I selected Delete though so I'm not sure what is there.
-
if it is there, this is how
Submitting files from the Virus Chest to avast! Virus Lab
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501&nav=0,1,22#idt_07
-
Not in the chest.
-
Add it to the chest manually, open the chest and right click in it and select add. From the navigation window pop-up, navigate to the avast5\arpot\883a92-1030-0.dat file and add it.
-
Can't find the file.
-
found the virus above and I deleted it.
How can you find the virus then ???
-
found the virus above and I deleted it.
How can you find the virus then ???
The boot scan found the virus above and I deleted it.
-
found the virus above and I deleted it.
How can you find the virus then ???
The boot scan found the virus above and I deleted it.
Thats what I am telling... Boot scan found a virus and he chose to delete it then how could he find it.. ???
-
Boot scan found a virus and he chose to delete it then how could he find it???
It's gone now. If the action under Settings for the boot scan was set to "ask" or "move to virus chest" then you could see it and perhaps do something with it. But once it is deleted...it's gone.
-
Just lost a big post because it said the attached file size was too large and not going to write it all again >:(
Long story short, after deleting the Alureon problem yesterday and thinking I had my problem solved, my overnight scan found another problem (ftdisk.sys, Rootkit: Threat: system mofication) I ran another boot-time scan that found the Alureon again (infected a different file) and a Malware-gen problem.
I moved both files to the chest this time if someone can tell me how and where to send them.
I also have screen shots in a word file I can send of the scan logs. File is only 664kb but too big to attach here.
-
Why isn't Avast catching these things coming in and blocking them?
-
if it is there, this is how
Submitting files from the Virus Chest to avast! Virus Lab
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501&nav=0,1,22#idt_07
I submitted both files as directed in the link. Thanks.
-
I moved both files to the chest this time if someone can tell me how and where to send them.
You did it correctly with the posted link. It will be uploaded with the next virus definitions update.
-
Why isn't Avast catching these things coming in and blocking them?
Because it didn't detect them...
Maybe the infection is on your disc since a longer period already.
I would recommend a deeper inspection of your HD with other tools as well to make sure the infection has been removed.
You could start that with Malwarebytes Antimalware:
Click on MBAM in my signature, download the free version, install and start it.
Update the program via it's GUI after starting it.
Run a quick scan (just a few minutes).
Post the log here.
-
since this problem is comming back i would recomend you let Essexboy have a look inside
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )
To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log )
OTS log must be saved as ANSI and not Unicode
Essexboy will look at the logs when he arrive here later today...
-
Looking at the shots you sent - Avast quarantined the droppers... This would suggest that there is an unknown file on your system trying to get it
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif)
Click the "Scan" button to start scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif)
On completion of the scan click save log, save it to your desktop and post in your next reply
THEN
Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop and double-click on it to run it
- Make sure you close all other programs and don't use the PC while the scan runs.
- Select All Users
- Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.
-
Thanks essex. Had blue screen on computer when I got home >:(
Here are the scan results:
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-26 13:49:50
-----------------------------
13:49:50.687 OS Version: Windows 5.1.2600 Service Pack 3
13:49:50.687 Number of processors: 4 586 0xF0B
13:49:50.687 ComputerName: D2JZC5G1 UserName:
13:50:58.250 Initialize success
13:51:07.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
13:51:07.296 Disk 0 Vendor: SAMSUNG_HD501LJ CR100-13 Size: 476940MB BusType: 3
13:51:07.296 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HD501LJ_________________________CR100-13#5&163e592b&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
13:51:07.312 Device \Driver\atapi -> DriverStartIo 8ac18af1
13:51:07.375 Disk 0 MBR read successfully
13:51:07.375 Disk 0 MBR scan
13:51:07.406 Disk 0 scanning sectors +976768065
13:51:07.500 Disk 0 scanning C:\WINDOWS\system32\drivers
13:51:25.343 File C:\WINDOWS\system32\drivers\ftdisk.sys TDL3 **ROOTKIT**
13:51:25.359 Disk 0 trace - called modules:
13:51:25.406 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ac18ecc]<<
13:51:25.406 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8acb9ab8]
13:51:25.421 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000067[0x8aca0f18]
13:51:25.437 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8ac9f940]
13:51:25.453 [0x8ac5d0c8] -> IRP_MJ_CREATE -> 0x8ac18ecc
13:51:25.484 Scan finished successfully
-
see lower left corner > additional options > attach ;) OTS log must be saved as ANSI
-
Sorry for the clutter. Maybe a mod can delete that mess.
-
Sorry for the clutter. Maybe a mod can delete that mess.
you can do that... edit
-
see lower left corner > additional options > attach ;) OTS log must be saved as ANSI
What Pondus is trying to say: please resend and attach the OTS-Log as .txt-file.
[edit] ...too slow... :(
-
Sorry guys.
-
Sorry guys.
no need to be sorry....there is a first time for everything ;D
-
13:51:25.343 File C:\WINDOWS\system32\drivers\ftdisk.sys TDL3 **ROOTKIT**
Avast can not yet cure this -- But I know who can
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {0BDA0769-FD72-49F4-9266-E1FB004F4D8F} [HKLM] -> Reg Error: Value error. [IObit Toolbar]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{0BDA0769-FD72-49F4-9266-E1FB004F4D8F}" [HKLM] -> Reg Error: Value error. [IObit Toolbar]
YN -> "{B43176CC-4D9E-493B-A636-D9CBFE39C6DA}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> [Reg Error: Key error.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} [HKLM] -> [Reg Error: Value error.]
[Files - No Company Name]
NY -> dusevazo -> C:\WINDOWS\System32\dusevazo
[File - Lop Check]
NY -> ~0 -> C:\Documents and Settings\All Users\Application Data\~0
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here
I will review the information when it comes back in.
THEN
Please read carefully and follow these steps.
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png)
- If an infected file is detected, the default action will be Cure, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png)
- If a suspicious file is detected, the default action will be Skip, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png)
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png)
- If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
-
It forced me to reboot before it would finish. Log attached. Will continue on with next steps.
-
Yep that was whilst it cleared the remainder of your temp files - This next programme will identify ftdisk as neeeding curing, allow it to do so then reboot
-
It did. File attached.
-
If you could re-run ASWMbr now it should show clear ... Any other problems ?
-
Do you think this was my problem all along? Causing the frequent blue screens? What about the Alureon-FZ virus?
You have been tremendously helpful and it is much appreciated.
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-26 15:11:00
-----------------------------
15:11:00.296 OS Version: Windows 5.1.2600 Service Pack 3
15:11:00.296 Number of processors: 4 586 0xF0B
15:11:00.296 ComputerName: D2JZC5G1 UserName:
15:11:41.406 Initialize success
15:11:45.953 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:11:45.953 Disk 0 Vendor: SAMSUNG_HD501LJ CR100-13 Size: 476940MB BusType: 3
15:11:45.984 Disk 0 MBR read successfully
15:11:46.000 Disk 0 MBR scan
15:11:46.031 Disk 0 scanning sectors +976768065
15:11:46.140 Disk 0 scanning C:\WINDOWS\system32\drivers
15:12:13.046 Service scanning
15:12:21.375 Disk 0 trace - called modules:
15:12:21.390 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
15:12:21.406 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ac4dab8]
15:12:21.406 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000067[0x8acabf18]
15:12:21.421 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8ac93940]
15:12:21.437 Scan finished successfully
-
Yes it could have been - Avast was blocking the malware from updating by killing the droppers. And was warning about the infection... Although it could have been a little clearer
This is only one of the two specialist tools that I would trust to remove TDL3 - with other tools there is a high probability that the system will become unbootable. Intriguingly not even Kaspersky's AV will cure this - you need to run TDSSKiller on it ;D
Let it run for 24 hours and when you are happy I will remove my tools and tidy you up
-
Let what run for 24 hours? I don't think anything is still running.
-
The blue screens started in early March (2-3 weeks before I made this post http://forum.avast.com/index.php?topic=74899.0) and the first detection by Avast was 2 days ago.
Thanks again for your help.
-
I never saw that thread - As, if the hardware checks out OK then I would always check for an infection just to rule it out if nothing else
-
I supsected a virus from the beginning and that is why I made that post. I checked multiple times for nearly 2 months with nothing and then all of a sudden..............
-
Should have PM'd me to take a look see ;D
-
You bet I will next time. You are the man.
I am using regularly scheduled scans with Avast (quick scans daily and full-system scans weekly). Also run CCleaner and Advanced System Care almost daily. Is there anything else I need to be doing?
-
.....Advanced System Care .....
advanced sytem care info http://forum.avast.com/index.php?topic=77045.msg638176#msg638176
-
To be honest the number of scans is a bit of an overkill - I have my system set to screensaver scan - and once a month (if I remember, I have a boot scan)
I Have IE9 set to clear all temp internet files when closed and I use TFC once a month to get the last bits out. I never touch my registry as it is pointless. A fully clean and optimised registry will gain you 0.1 of a mini micro millisecond or thereabouts. It is better to empty the temps and do a weekly defrag ;D
Other security - well I have AIS and Malwarebytes (again when I remember to run it )
Total infections to date Zero - and I do visit some bad sites to get some samples (Using my VM of course)
As for utilities - well I use BlackVipers site to set my services and then just let windows run
-
.....Advanced System Care .....
advanced sytem care info http://forum.avast.com/index.php?topic=77045.msg638176#msg638176
Thanks Pondus.
-
essex,
So what should be running for the next 24 hours?
-
Just run your system normally and let me know if anything untoward happens - if not then we tidy you up
-
Will do. Will check results of Avast scan at about 5a CST in the morning.
-
K
-
K
:-)
Short Cornwall abbreviation for OK?
Nice work, essexboy.
-
No virus found on scan last night.
We'll see what happens to the BLUE SCREEN crashes. Sure seems like there are a lot of complaints going on about them and they all started at roughly the same time.
http://forum.avast.com/index.php?topic=76123.0
-
If you could upload the minidump files (latest) to mediafire and post the sharing linkI will have a quick look see
I feel this is something system specific as I have never experienced this problem on XP or 7
Or you could upload to avast.incoming with a note like BSOD with Avast
Either which ;D
-
You are going to have to be more specific than that.
-
Could you see if you have a folder called C:\windows\minidumps
If so could you upload the latest minidump to Mediafire (http://www.mediafire.com/) and post the sharing link.
-
The folder is there but it is empty.
-
OK it was a thought that it might have given some data to go on
do you have anything in the windows error reports ?
-
Can't find anything. Lots of old .dmp files but nothing this year.
Should I uninstall the programs that you had me upload or leave them?
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points: For ASWMbr just delete the desktop files
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif) Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
For the first run I would recommend a boot defrag and disk check
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Puran.gif)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
This didn't end up well. Computer crashed and burned.