Author Topic: problem with jthvsend.dat  (Read 7096 times)


bagdet46

  • Guest
problem with jthvsend.dat
« on: May 10, 2014, 11:30:35 AM »
Hi dear avast community,

Avast found a virus in C:\ProgramData with the name jthvsend.dat and moved it to the virus chest.
My problem is that on the next startup Windows 7 said that jthvsend.dat is missing.
With some serious doubt, I restored the data, and nothing happened.

Was that by any means a big mistake?
I'm not sure if that is the problem, but from today on videos from YouTube and other sites are not working right now.
My OS: Win 7 U 64bit with avast free antivirus.
Hope you guys can help me and thanks in advance.

Bagdet
« Last Edit: May 10, 2014, 03:29:21 PM by bagdet46 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not an avast user
Re: problem with jthvsend.dat
« Reply #1 on: May 10, 2014, 11:43:23 AM »
What was the message from avast? ... What malware name did avast give the file?

Upload jthvsend.dat to www.virustotal.com and test it ... if scanned before, click new scan.
Post the link to the scan result here.


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: problem with jthvsend.dat
« Reply #2 on: May 10, 2014, 11:52:51 AM »
Are you sure it is jthvsend.dat?
You really did not make a typo in the name?
Google gives zero results on that filename.

If the name is correct, it is only logical that you get the missing file error.
A .dat file does not run at all, it is something else that is trying to use the file.

bagdet46

Re: problem with jthvsend.dat
« Reply #3 on: May 10, 2014, 11:54:36 AM »

Offline Pondus

Re: problem with jthvsend.dat
« Reply #4 on: May 10, 2014, 11:58:32 AM »
The VirusTotal link you posted shows a file named lol.exe ... and the scan was done 2014-05-08?



bagdet46

Re: problem with jthvsend.dat
« Reply #5 on: May 10, 2014, 12:00:34 PM »
Quote
The VirusTotal link you posted shows a file named lol.exe ... and the scan was done 2014-05-08?

That's weird. What's lol.exe?
I just uploaded the file...
Well, I'll try uploading again.

https://www.virustotal.com/en/file/5a6a35b545fca085edb5ddb2e2435f9ade325ecc592e47ecb7c4f048be48260a/analysis/1399716000/

OK, after another avast full scan right now I found two "threats":
one called oem-drv86.sys, severity high, Win32Rootkit-gen [Rtk],
and the other being jthvsend.dat.
« Last Edit: May 10, 2014, 12:16:45 PM by bagdet46 »

Offline Pondus

Re: problem with jthvsend.dat
« Reply #6 on: May 10, 2014, 12:19:03 PM »
Quote
That's weird. What's lol.exe?
It is just a file name ... it can be changed to anything by the one that uploads.

What's important is the SHA256 number you see on top, telling us that the file in the first link is the same as the one in the second link.

Anyway, it sure looks infected ... but all detections seem to be generic/heuristic detections, so the chance of an FP is bigger.
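
The point made in this reply, as an added example that is not part of the original post: the file name shown on a report is whatever the uploader chose, while the SHA-256 in the report URL identifies the bytes. It assumes the URL layout seen in the links posted in this thread and that the trailing number is the analysis time as a Unix timestamp; the sample bytes are constructed.

```python
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# Report URL layout as it appears in the links posted in this thread.
VT_URL_RE = re.compile(
    r"virustotal\.com/(?:[a-z]{2}/)?file/([0-9a-f]{64})/analysis/(\d+)", re.I)

def parse_vt_url(url):
    """Return (sha256_hex, analysis_time_utc) taken from a report URL."""
    m = VT_URL_RE.search(url)
    if m is None:
        raise ValueError("not a VirusTotal file report URL: %r" % url)
    # Assumption: the trailing number is the analysis time as a Unix timestamp.
    when = datetime.fromtimestamp(int(m.group(2)), tz=timezone.utc)
    return m.group(1).lower(), when

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large samples are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def same_sample(report_a, report_b):
    """Two reports describe the same bytes exactly when their SHA-256 values match."""
    return parse_vt_url(report_a)[0] == parse_vt_url(report_b)[0]

def rename_keeps_hash(payload=b"constructed sample bytes, not a real file"):
    """Write the same bytes under two names and compare their hashes."""
    with tempfile.TemporaryDirectory() as tmp:
        digests = []
        for name in ("jthvsend.dat", "lol.exe"):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(payload)
            digests.append(sha256_file(path))
    return digests[0] == digests[1]

# The two report links that survive in this thread (Reply #5 and Reply #8).
REPORT_DAT = "https://www.virustotal.com/en/file/5a6a35b545fca085edb5ddb2e2435f9ade325ecc592e47ecb7c4f048be48260a/analysis/1399716000/"
REPORT_SYS = "https://www.virustotal.com/en/file/55abdf52735ff3086de2eb41cee5cca27e9d596b172443d2cf4e2a1d357a0ca6/analysis/1399717286/"

if __name__ == "__main__":
    print(parse_vt_url(REPORT_DAT))
    print("rename keeps hash:", rename_keeps_hash())
    print("same sample:", same_sample(REPORT_DAT, REPORT_SYS))
```

To compare a file still on disk with a report, check `sha256_file(path)` against the first element returned by `parse_vt_url(url)`; hashing only reads the file and does not run it.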

Offline Pondus

Re: problem with jthvsend.dat
« Reply #7 on: May 10, 2014, 12:24:37 PM »
Follow the instructions and attach Malwarebytes / OTL / aswMBR logs: http://forum.avast.com/index.php?topic=53253.0


bagdet46

Re: problem with jthvsend.dat
« Reply #8 on: May 10, 2014, 12:25:36 PM »
Quote
That's weird. What's lol.exe?
It is just a file name ... it can be changed to anything by the one that uploads.

What's important is the SHA256 number you see on top, telling us that the file in the first link is the same as the one in the second link.

Anyway, it sure looks infected ... but all detections seem to be generic/heuristic detections, so the chance of an FP is bigger.

Ah OK, I just don't know how to proceed further...
I just did a VirusTotal scan on the other file that was "infected":
https://www.virustotal.com/en/file/55abdf52735ff3086de2eb41cee5cca27e9d596b172443d2cf4e2a1d357a0ca6/analysis/1399717286/

bagdet46

Re: problem with jthvsend.dat
« Reply #9 on: May 10, 2014, 12:27:37 PM »
Quote
Follow the instructions and attach Malwarebytes / OTL / aswMBR logs: http://forum.avast.com/index.php?topic=53253.0

OK, will do that. I have Malwarebytes already, though.

bagdet46

Re: problem with jthvsend.dat
« Reply #10 on: May 10, 2014, 12:58:50 PM »
ok done

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: problem with jthvsend.dat
« Reply #11 on: May 10, 2014, 02:49:03 PM »
Allow Avast to quarantine the file

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:OTL
O4 - HKU\S-1-5-21-1774388504-1158229226-2952920880-1000..\Run: [jthvsend] C:\Windows\SysWow64\regsvr32.exe (Microsoft Corporation)

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
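
The entry named in the fix above is a per-user Run value whose listed target is Microsoft's regsvr32.exe rather than the .dat file, so the company name in the log says nothing about what that autorun actually loads. An added example (not part of the original post and not OTL's own code) that parses O4 autorun lines from an OTL log and flags values that start such a loader; the line layout is inferred from the single O4 line shown here, and the other sample lines are constructed.

```python
import ntpath
import re

# Layout inferred from the single O4 line in the fix above:
#   O4 - <hive>..\<Run key>: [<value name>] <target path> (<company>)
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<target>.+?)(?: \((?P<company>[^()]*)\))?$")

# Windows binaries that load another file named in their arguments, so the
# target path and its signer alone do not identify the code that runs.
LOADERS = {"regsvr32.exe", "rundll32.exe"}

def parse_o4(line):
    """Return the fields of an O4 autorun line as a dict, or None if it is not one."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def flag_loader_autoruns(lines):
    """Return O4 entries whose autorun target is one of the loader binaries."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue  # not an O4 autorun line
        exe = ntpath.basename(entry["target"]).lower()
        if exe in LOADERS:
            entry["loader"] = exe
            # HKU\<SID> means the value lives in one user's hive, not machine-wide.
            entry["per_user"] = entry["hive"].upper().startswith("HKU\\")
            flagged.append(entry)
    return flagged

SAMPLE_LOG = [
    # Line taken from the fix in this thread.
    r"O4 - HKU\S-1-5-21-1774388504-1158229226-2952920880-1000..\Run: [jthvsend] C:\Windows\SysWow64\regsvr32.exe (Microsoft Corporation)",
    # Constructed lines for contrast.
    r"O4 - HKLM..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe (Example Corp)",
    "OTL logfile header (constructed, not an O4 line)",
]

if __name__ == "__main__":
    for hit in flag_loader_autoruns(SAMPLE_LOG):
        print(hit["hive"], hit["name"], "->", hit["loader"])
```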

Offline Eddy

Re: problem with jthvsend.dat
« Reply #12 on: May 10, 2014, 02:52:54 PM »
Just some notes:

Windows 7 and IE 9 :-(
System is far from up-to-date.
That already is a major problem/security risk.

Using the system with a user account that has admin rights.
Another huge security risk.

Punkbuster installed.
Most likely without the user knowing it and without approval.


bagdet46

Re: problem with jthvsend.dat
« Reply #13 on: May 10, 2014, 03:26:05 PM »
« Last Edit: May 10, 2014, 03:46:45 PM by bagdet46 »

Offline essexboy

Re: problem with jthvsend.dat
« Reply #14 on: May 10, 2014, 06:33:46 PM »
Not overly sure about that, as:

Quote
oem-drv64.sys is filename of the driver running on Microsoft Windows operating system. This driver belongs in most cases to product OEM-SLP2.1 ACPI Patch Driver (HPD64) and is developed by secr9tos company. File version information describes this process as oem-drv.sys is used to provide SLIC2.1 support for OEM activation of WindowsNT6.1 based systems.. Process is in most cases loaded from directory C:\Windows\System32\DRIVERS.

Is Avast alerting on it? As AswMBR did not call it.