Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: sgrbrlnd on December 06, 2004, 06:21:28 PM
-
I've read about the Avast! cleaner that can fix only some viruses, not all of them. What have I to do against them ???!!!
Thanks a lot. ::)
-
Hi,
is your PC infected with a (specific) "virus", that's not in the CLEANER's list ?
Then please work through the link "VirusRemoval" below in my signature, and come back with specific info, e.g. Virusname & location/Folder/Filename
if not:
- only a very few "viruses" can be cleaned/repaired,
- other "infected" files like trojans/worms have to be deleted or,
- if it's a destructive malware that damaged/deleted vital system files: restore them from backup, e.g. your own backup or avast's VRDB
Moral: Secure your system, so you don't get (active) viruses/malware on your PC
Details: also in the mentioned "VirusRemoval"-link and in links in there ;) and basically all over the board here
;)
-
Thank you.
I've read only a part of all your advice (I'll do the remainder later). I see many online scanning sites and moreover they give the fix tool ...... where are their profits ?
-
Avast ! says that a file is a Virus Win32:Trojan-gen.
Kaspersky,AVG and Trendmicro say the system is not infected.
Then it can be a false positive....isn't it ?
-
It could be. submit the file to JOTTI (http://virusscan.jotti.dhs.org/) and let us know the results.
only a very few "viruses" can be cleaned/repaired,
Not true. Every virus, or better every file that is infected with a virus can be cleaned. That is one of the characteristics of a virus. If an infected file cannot be cleaned it is not a virus, but other malware.
Some explanations/definitions can be found HERE (http://212.204.166.18/smf/index.php?topic=2.0)
-
Hi Eddy,
a) that's why I set "virus" in "" as I didn't want to get into this discussion (e.g. avast CLEANER in conjunction with Virus is quite a bit misleading apart from e.g. Parite)
b) not strictly true either, some file-infectors are damaging -> not cleanable as such that after Code removal the host-file will run properly..
& if "CLEANABLE =removing Code" is one of your definitions of a true virus: I can also CLEAN trojans then ...
;D
-
Maybe a malware............
I attach the Jotti log....
PS- what is this atlvb32.exe ?.... I've analyzed epid.exe !
I've also analyzed Hijackthis log in that your site online and get >>>> R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
that have to be fixed ! It seems really strange ........
Thanks a lot.
-
atlvb32.exe is a file that was scanned and found infected before you ran a scan.
-
Thank you.
About Hijackthis log analyzer .........could you tell me your name in "LinksFolderName = " ?
I suspect that the request to fix this entry is because of my language ......
Many thanks.
-
The analyzer doesn't know everything and is far from failsafe; neither are we, but please post the complete HJT-Log here ;)
-
Many thanks, I attach the log.
Ps- Can I insert an image only with a URL ?
-
Log seems clean (is this the complete log..?);
I don't think the collegamenti is a problem
do you know the URL/addresses in the R0/R1 entries.. ?
Do you experience any problems with the PC at all ?
rescan EPID.EXE with Jotti, and if still only avast detects it:
-> please send it in as a false positive to:
virus (at) avast.com
best put it in a password-protected ZIP or RAR
Also work through the link "VirusRemoval" below on how to secure your system/browser better ;)
-
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
Is identified as bad ^^
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Unnecessary ^^
--lee
-
Hi lee,
@ R= ... collegamenti...:
Why is this bad (apart from HJT-Analyzer's saying so..) ?
What's supposed to be the danger.. ? ???
-
Hi lee,
@ R= ... collegamenti...:
Why is this bad (apart from HJT-Analyzer's saying so..) ?
What's supposed to be the danger..
The problem/danger is 'R0' because they are almost always Spyware, more specifically hijackers; also 'R0', as far as I know, is a way of hiding something in the registry from the user, so when I saw R0 I went and looked for info on the web by using HijackThis analysers and general information from the Google search engine, and I came to the conclusion that it was indeed bad.
--lee
-
HijackThis doesn't say if something is bad or not. That is for the user to find out.
-
Lee16,
this seems an opinion................This entry was analyzed in a Hijack forum where no exception was raised about it !
http://forums.net-integration.net/index.php?showtopic=24919
-
lee,
lookup the respective RegKey on your machine, and you'll probably find "Links" as entry there
could this mean "collegamenti" in italian ? (just guessing ;) )
-
collegamenti means connections.
-
Collegamenti means both connections and links......
in this case it means "links"
(http://www.geocities.com/landolini/IE.jpg)
(http://www.geocities.com/landolini/HIJ.gif)
-
Maybe I didn't make myself clear :)
I checked the log with an analyser first, saw it was the only entry that was listed as 'bad', so I did some research on it, and it seemed bad, so I suggested to remove it, but of course it was an opinion; it looked bad to me really, but if it's good there is a simple solution: don't remove/fix it ;)
But I do know that it's not always a hijacker on R0, as my log has them too (see below)
Logfile of HijackThis v1.98.2
Scan saved at 14:19:51, on 08/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\MrPostman\wrapper\wrapper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Java\jre1.5.0\bin\java.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kieron\My Documents\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/blueyonder/index.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/blueyonder/index.jsp
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Kieron\Application Data\Mozilla\Profiles\default\mrbif5hs.slt\prefs.js)
O1 - Hosts: 82.129.40.116 irc.westwood.com
O1 - Hosts: 82.129.40.116 servserv.westwood.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PowerVRUninstall] C:\WINDOWS\pmxreg.exe -setupUninstall
O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\system32\pmxinit.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Kieron\Application Data\Mozilla\Firefox\Profiles\2nlsvz7t.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Kieron\Application Data\Mozilla\Firefox\Profiles\2nlsvz7t.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
--lee
-
R0, R1, R2, R3 - IE Start & Search page
What it looks like:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.google.com/
R3 - Default URLSearchHook is missing
What to do:
If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it.
For the R3 items, always fix them unless it mentions a program you recognize, like Copernic.
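-
Added example (not part of the thread, and not code from HijackThis or any log analyzer): a small Python triage of the R0-R3 lines under the rule quoted above, showing how a check that only knows the English `Links` label flags the Italian `Collegamenti` entry discussed earlier. The function names, the `recognized_hosts` and `links_folder_names` sets, and the "ok"/"review" labels are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: R0/R1/R3/O9 lines taken from the posts in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/blueyonder/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.google.com/
R3 - Default URLSearchHook is missing
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

# "R<n> - <registry key>,<value name> = <data>"; spaces around "=" are optional.
R_KEYED = re.compile(r"^(R[0-3]) - ([^,]+),(.+?)\s*=\s*(.*)$")
R_FREE = re.compile(r"^(R[0-3]) - (.*)$")

def parse_r_entries(log_text):
    """Return a dict per R0-R3 line; O-section and other lines are skipped."""
    entries = []
    for line in map(str.strip, log_text.splitlines()):
        keyed, free = R_KEYED.match(line), R_FREE.match(line)
        if keyed:
            code, key, name, data = keyed.groups()
            entries.append({"code": code, "key": key, "name": name, "data": data})
        elif free:  # e.g. "R3 - Default URLSearchHook is missing"
            entries.append({"code": free.group(1), "key": None, "name": None,
                            "data": free.group(2)})
    return entries

def triage(entry, recognized_hosts, links_folder_names):
    """'ok' only when the user recognizes the value; everything else is 'review'."""
    if entry["name"] is None:
        return "review"  # free-text R line: needs a human to read it
    host = urlparse(entry["data"]).hostname
    if host:  # start/search page URL: fine only if the user knows it
        return "ok" if host in recognized_hosts else "review"
    if entry["name"] == "LinksFolderName":
        # Not a URL: the Links folder label, which is localized (per the thread).
        return "ok" if entry["data"] in links_folder_names else "review"
    return "review"

def verdicts(log_text, recognized_hosts, links_folder_names):
    return [(e["code"], e["name"], triage(e, recognized_hosts, links_folder_names))
            for e in parse_r_entries(log_text)]

if __name__ == "__main__":
    for row in verdicts(SAMPLE_LOG, {"www.google.com"}, {"Links", "Collegamenti"}):
        print(row)
```

Passing only `{"Links"}` as `links_folder_names` turns the first entry into "review", which is the same mismatch the online analyzer produced for the Italian system.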