Author Topic: Question about virus warning last eve  (Read 7823 times)


Allochthonous

  • Guest
Question about virus warning last eve
« on: April 07, 2006, 04:08:22 AM »
Last night after clicking on an assumed innocent Google search result, my Avast A/V alarm went off and said that a virus had been detected in the link but it had been blocked by Avast, so there was no need to worry. I clicked OK and did a quick search for information on the virus. At a glance, I thought I had read that it was more of a spyware Trojan, so I went ahead with an Ad-Aware scan.

The Avast log says that the file name was http://69.56.176.76/weblugin.cab\wupdt.exe

Shortly after Ad-Aware began scanning, the Avast alarm went off again and said that the same virus had been detected. Here is what the Avast log says now:

Sign of “Win32:Trojano-305[Trj]” has been found in “C:\DOCUME~1\Paul\LOCALS~1\Temp\AAWTMP\C219062250\1AC2F0\wupdr.exe” file

I clicked “Delete” to delete the infected file. Ad-Aware found nothing major in its scan.

Concerned, I then decided to try to get a second opinion.  I probably should have just jumped right into a full Avast scan first, but went to Trend Micro and used House Call instead.

When House Call got so far, the Avast alarm again sounded.  Here is the log entry for this occurrence:

Sign of “Win32:Trojano-305[Trj]” has been found in “C:\DOCUME~1\Paul\LOCALS~1\Temp\V8AKFHa02872” file

This time I chose to isolate the file in the Avast Chest.  The House Call scan returned two spyware threats, ADW_SE 118698 and DIAL_SE 126407, but that was all. I have not had a chance to investigate these, as the House Call results page was not very explanatory. Note that neither Ad-Aware nor MS AntiSpyware nor PC Pitstop detected either of these.

I then deleted that infected file from the Avast chest, and ran a full Avast scan. It came up with nothing.

I then ran a boot scan with Avast – again nothing was detected. I then turned off System Restore and ran yet another full Avast scan and House Call scan. Avast came up with nothing, the House Call scan gave the same results as before.

When I do a search on my machine for the file wupdt.exe, it cannot be found.

Am I clean?  Should I take any further steps?  Why did Avast find the infection again if it said that it stopped it the first time?


PK

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67241
Re: Question about virus warning last eve
« Reply #1 on: April 07, 2006, 04:17:11 AM »
Allochthonous, maybe cleaning temporary files with CCleaner helps in this issue.
Another possibility is that running House Call with the avast resident activated could make 'loops' between the detections.
Files in the avast chest cannot be detected by House Call. This is not a problem here.
What is weird is that turning off System Restore leaves avast! boot-time scanning with nothing...
Maybe you need to run ewido and a-squared to look for trojans...

Allochthonous

  • Guest
Re: Question about virus warning last eve
« Reply #2 on: April 07, 2006, 04:42:29 AM »
Also, I can't find the path where it says the infected files were located.

Now, I ran the boot scan BEFORE I turned off System Restore. Now that Restore is off, should I schedule another boot scan?

P.S. What is ewido and a-squared?

PK

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67241
Re: Question about virus warning last eve
« Reply #3 on: April 07, 2006, 04:48:47 AM »
Now that Restore is off, should i schedule another boot scan?
No need as avast is not detecting it...

What is ewido and a-squared?
Best anti-trojans around. Must have!
www.ewido.net
http://www.emsisoft.com/en/software/free/

Spiritsongs

  • Guest
Ewido/A-squared
« Reply #4 on: April 07, 2006, 05:33:30 AM »
:) Hi Allochthonous :

Install "Ewido" IF your OS is Win XP or Win 2000 ONLY.
There is a tutorial at www.greyknight17.com/spy/Tutorials/ewidoQuickGuide.pdf .

Install A-squared ONLY if your OS is NOT Win XP or Win 2000.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67241
Re: Ewido/A-squared
« Reply #5 on: April 07, 2006, 02:02:29 PM »
Install A-squared ONLY if your OS is NOT Win XP or Win 2000 .
Why?
I'm with XP and have no trouble with a-squared...  ::)

Spiritsongs

  • Guest
Ewido/A-squared
« Reply #6 on: April 07, 2006, 06:34:11 PM »
Hi all :

I have read a "Discussion" on another forum that Ewido's scanner is better than A-squared, but that A-squared's "real-time" protection/shield is better than Ewido's. With the recent false-positives from A-squared (hope this does NOT affect their "real-time" protection), A-squared's scanner appears to be "unreliable".

Allochthonous

  • Guest
Re: Question about virus warning last eve
« Reply #7 on: April 09, 2006, 02:36:32 PM »
UPDATE:

Ok, long story ahead, so please bear with me. This may stray out of the Avast subject, but since the initial occurrence deals with Avast, I think I'm still on topic.

After I posted here, I also e-mailed Avast Tech Support and posted on another forum that I frequent.

Here is the reply from Avast Tech Support:

"Hi,
Don't be afraid of some active infection. Your infected files are parts of
webShield temporary stream. Avast saves downloaded data to your temp
directory, scans them and then forwards (if clean) or deletes (if infected)
them. But in this case the archive webplugin.cab was corrupted. This caused
some error (not critical, don't worry), so Avast stopped the testing of
stream, blocked it, but didn't delete these two files. That's why Avast
found the infection again. As you said - Avast did correct cleaning by
"on-demand" scan, so now you are safe again."

To which I replied:
"What is this archive "webplugin.cab" and if I deleted it, then will I have
issues in the future?

Why can't I find the path C:\DOCUME~1\Paul\LOCALS~1\Temp    ? Is this a Temp
folder that is created and then deleted by Avast?

Every time that I have done an "on demand" scan (boot scan, regular scan,
boot scan with System Restore off, regular scan with System Restore off),
nothing has been found. The second time that the virus was detected by Avast
while running another product's scan, I had Avast move it to the Chest and
then deleted it manually.

Is there anything else I can do to make sure that I am clean???  I really
try to keep security tight on my system and get very frustrated when stuff
like this happens."

I have not received a reply yet.

Someone on the other forums gave me a link to a Symantec tool specifically designed to remove the wupdt.exe virus (fxIEplgn.exe). I ran this program and it provided this log:

Symantec Adware.IEPlugin Removal Tool 1.0.5

C:\Documents and Settings\All Users\Application Data\Microsoft\Money\11.0\Webcache\clear.gif: (deleted)
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\MPZ4D8RM\CAI3S16R.gif: (deleted)
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\OD2R8DQR\blank[1].gif: (deleted)
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\OD2R8DQR\p_trans[1].gif: (deleted)
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\STMJ09E7\blank[1].gif: (deleted)
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\YVYYMV2P\blank[1].gif: (deleted)
C:\Documents and Settings\Paul\My Documents\General Computer Info\Belarc Advisor Current Profile_files\trans.gif: (deleted)
C:\Documents and Settings\Paul\My Documents\My Downloads\iRiver MP3 player\Regular Software and Firmware\firmware.aspx_files\s.gif: (deleted)
C:\Documents and Settings\Paul\My Documents\My Downloads\iRiver MP3 player\UMS Info and Firmware\ums.aspx_files\s.gif: (deleted)
C:\Program Files\Adobe\Photoshop Elements 4.0\shared_assets\webcontactsheet\antique paper\images\trans.gif: (deleted)
C:\Program Files\Adobe\Photoshop Elements 4.0\shared_assets\webcontactsheet\portfolio\images\trans.gif: (deleted)
C:\Program Files\Adobe\Photoshop Elements 4.0\shared_assets\webcontactsheet\vacation\images\trans.gif: (deleted)
C:\Program Files\Belarc\Advisor\System\local\images\trans.gif: (deleted)
C:\Program Files\Common Files\InstallShield\UpdateService\images\spacer.gif: (deleted)
C:\Program Files\Microsoft Picture It! 7\1033\Movies\spacer.gif: (deleted)
C:\System Volume Information: (not scanned)
C:\WINDOWS\I860\English\Windows\Photo\Other\spacer.gif: (deleted)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main: Search Bar (value deleted)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main: Use Custom Search URL (value deleted)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main: Use Search Asst (value deleted)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search: SearchAssistant (value deleted)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main: Search Bar (value deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl (key deleted)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components: GeneralFlags (value set to 0x00000004 (4))
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search: SearchAssistant (value set to "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm")
registry: HKEY_USERS\S-1-5-21-299502267-1425521274-725345543-1004\Software\Microsoft\Internet Explorer\Main: Search Page (value set to "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch")
Adware.IEPlugin has been successfully removed from your computer!
Here is the report:
The total number of the scanned files: 83404
The number of deleted files: 16
The number of threat processes terminated: 0
The number of other processes terminated: 0
The number of registry entries fixed: 10

The guy (who I trust) said that most of these files were in my Temp Internet directory, so don't worry about those. The others are just GIFs which are expendable too. He said that the ":" indicates that they may have been infected.

I then ran McAfee online scan, which also turned up nothing.

I also ran Spybot, also nothing.

Just to be sure, I ran the Symantec tool again, but it came back reporting that it cleaned 6 more files.

Log:

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\3FHFRXOW\blank[1].gif: (deleted)
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\9O4RX189\p_trans[1].gif: (deleted)
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\ATBOLKV2\1x1[1].gif: (deleted)
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\CHY7QIBT\dotclear[1].gif: (deleted)
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\CHY7QIBT\transpix[1].gif: (deleted)
C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\OD2R8DQR\blank[1].gif: (deleted)
C:\System Volume Information: (not scanned)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components: GeneralFlags (value set to 0x00000004 (4))
Adware.IEPlugin has been successfully removed from your computer!
Here is the report:
The total number of the scanned files: 84759
The number of deleted files: 6
The number of threat processes terminated: 0
The number of other processes terminated: 0
The number of registry entries fixed: 1

I was very confused by this point, since the tool already said that it had removed the malware.

The guy said to consider it clean. He said he was not 100% sure that the tool just does not simply clean out GIFs from the temp directory and throw the ":" on the end of all GIFs for display purposes.

I then ran TrendMicro AntiSpyware Web Scan, which yielded these results:


Adware_ABetterInternet
Adware_ClearSearch
Dialer_7AdPower

None of my other scans turned up these programs.

I then went on a scanning rampage. Here is what I did yesterday:
System Restore OFF
-------
TrendMicro AntiSpy for the Web
Detected:
Cookies (cleared out of browser after scan)
Adware_ABetterInternet - did not take action yet
Adware_ClearSearch - did not take action yet
Dialer_7AdPower - did not take action yet
-------
MS Defender
- Found nothing in nightly scheduled full scan
- Found nothing in quick scan.
-------
Ad-Aware SE - Full Scan Options - NO critical objects
-------
Spy-Bot - No Threats Found
------
Rebooted to move Avast interface so I could see it in Safe Mode and download Symantec Tool.

Restarted in SAFE MODE
-------
MS Defender - Found nothing in quick scan.
-------
Ad-Aware SE - Full Scan Options - NO critical objects
-------
Spy-Bot - No Threats Found
------
Avast! - Deep scan options - Nothing found
------
Ran Symantec Tool again - IEPlugin not found.

Rebooted into regular mode.
 
Ran TrendMicro Spyware Web Scan again, let it remove the 3 threats.
 
Ran HouseCall again, only cookies detected.

Is this damn thing gone now or what?  I can provide a HijackThis log if anyone can read it for me.  Did Avast block the malware or not?  Others suggest that it did block it, just not quickly enough.  What is this directory that Avast claims the malware was located in the second and third time (while I was doing the other scans), and how did it get there if I deleted it?

I REALLY like Avast, and would actually consider paying for it if it were not free (which is a definite bonus), but I have to say that my confidence in it is a bit shaken.


PK
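As an added example (not code from the thread, from Avast or from Symantec), a small Python parser for the removal tool's log format quoted above: it separates file entries, registry entries and the closing report, tallies the actions, and checks the tool's own counts against the lines it listed. The sample log is constructed from a subset of the lines in the post, with the report counts adjusted to match that subset.

```python
import re
from collections import Counter

# Constructed sample in the format of the Symantec Adware.IEPlugin Removal Tool
# log quoted above: a subset of its lines, with the summary counts adjusted to match.
SAMPLE_LOG = r"""Symantec Adware.IEPlugin Removal Tool 1.0.5

C:\Documents and Settings\Paul\Local Settings\Temporary Internet Files\Content.IE5\OD2R8DQR\blank[1].gif: (deleted)
C:\Program Files\Belarc\Advisor\System\local\images\trans.gif: (deleted)
C:\System Volume Information: (not scanned)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main: Search Bar (value deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl (key deleted)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components: GeneralFlags (value set to 0x00000004 (4))
Adware.IEPlugin has been successfully removed from your computer!
Here is the report:
The total number of the scanned files: 83404
The number of deleted files: 2
The number of registry entries fixed: 3
"""

# Every file line is "<path>: (<action>)"; the colon is the tool's separator before
# the action, printed even for "not scanned", so it is not an infection marker.
FILE_RE = re.compile(r"^(?P<path>[A-Z]:\\.*?): \((?P<action>deleted|not scanned)\)$")
REG_RE = re.compile(r"^registry: (?P<target>.+?) \((?P<action>value deleted|key deleted|value set to .*)\)$")
SUMMARY_RE = re.compile(r"^The (?:total )?number of (?:the )?(?P<what>[a-z ]+): (?P<n>\d+)$")

def parse_log(text):
    """Split the tool's log into file entries, registry entries and the report."""
    files, registry, summary = [], [], {}
    for line in text.splitlines():
        if m := FILE_RE.match(line):
            files.append((m["path"], m["action"]))
        elif m := REG_RE.match(line):
            registry.append((m["target"], m["action"]))
        elif m := SUMMARY_RE.match(line):
            summary[m["what"]] = int(m["n"])
    return {"files": files, "registry": registry, "summary": summary}

def action_counts(parsed):
    """Per-action tallies: how many paths were deleted vs. merely not scanned."""
    return Counter(action for _, action in parsed["files"])

def summary_consistent(parsed):
    """Check the tool's own report against the entries it listed above it."""
    deleted = action_counts(parsed)["deleted"]
    fixed = len(parsed["registry"])
    s = parsed["summary"]
    return deleted == s.get("deleted files") and fixed == s.get("registry entries fixed")
```

Run against a real log, a mismatch between the listed entries and the report is the first thing to look at before trusting the "successfully removed" line.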

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Question about virus warning last eve
« Reply #8 on: April 09, 2006, 02:53:46 PM »
Hi Allochthonous,

I think avast! blocked the original malware file you mentioned, and that your other problems are down to existing malware in your temp files, and to running two scanners at the same time.

To make sure all your temp files are cleared up, download and run CCleaner as Tech suggested:

http://www.ccleaner.com/

Run a cleanup. If the cleanup stalls and doesn't finish, it can be a sign that you still have active malware running from temp files.

If this happens, please post a HijackThis! log.

You would be more secure using an alternative browser like Opera or Firefox, rather than playing Whack-a-Mole with IE's vulnerabilities.

Allochthonous

  • Guest
Re: Question about virus warning last eve
« Reply #9 on: April 09, 2006, 08:42:32 PM »
I will check out this CCleaner program.  Can I run it without toying with my registry?


I do use Firefox on occasion.  I guess old habits (IE) die hard.

PK

Spiritsongs

  • Guest
CCleaner
« Reply #10 on: April 09, 2006, 08:51:19 PM »
:)  Hi :

To avoid having CCleaner "mess" with your registry (a good idea from what I have heard), just UNCHECK or do NOT run the "Issues" portion.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Question about virus warning last eve
« Reply #11 on: April 09, 2006, 09:44:54 PM »
More info here:

http://wiki.castlecops.com/Malware_Removal:_Clean_out_the_Clutter#Crap_Cleaner

Cleaning out temp files won't affect the registry.