My computer is infected but Avast can not find a thing

[JerryM]

It is disturbing that Avast Pro did not prevent or cannot find and remove the worm.
I would try both Bib Defender and Kaspersky online scans at Jotti's.
http://virusscan.jotti.org/de/
Jerry

[DavidR]

Other than sending out spam and doing a very good job of hiding it doesn't appear to be harming the computer, which would draw attention to it.

If you had checked the HJT log you would have seen that it numerous entries for on-line scanners, such as, Symantec, McAfee, TrendMicro, Panda and has also ran Ewido one of the best trojan hunters not to mention avast and BackLight, all of which have found nothing.

So I suppose disturbing would be appropriate if it wasn't directly aimed at avast!

We have been trying to help and now that doront99 has an active firewall that checks outbound activity he can do something to block it where previously he couldn't.

@ doront99
Did you run Ewido from safe mode ?

[JerryM]

Hi David,
{So I suppose disturbing would be appropriate if it wasn't directly aimed at avast!}

But is it not the job of an AV to prevent worms, etc from getting on the computer? I would find it disturbing whatever AV was being used.

I would like to see how it makes out with the scanners I mentioned. Maybe no difference, but I do  have some problem believing that it has been around for more than a day, and none detect it.

It would be interesting to submit it to Jotti's and see if any recognize it.

Worms are not Avast's strongest point according to AV Comparatives. Not especially weak, but less than some others by 15% or so.

Jerry

[DavidR]

What is disturbing is that a rootkit tool, a good trojan hunter and a whole slew of anti-viruses and hijackthis haven't found anything. So I don't feel avast alone should come in for your criticism "It is disturbing that Avast Pro did not prevent or cannot find and remove the worm."

No one AV is ever going to catch everything and new variants will have a lifespan before detection. Jotti may turn up something possibly in the generic of heuristic AV scanners.

@ doront99
You could also send the services.exe to avast.
If you are not getting a virus warning that you believe is a new, undetected virus then if you can zip and password protect ('virus', will do) the suspect file and send it to virus @ avast.com (no spaces).

Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a either a new, undetected virus and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.

[JerryM]

Hi David,
[What is disturbing is that a rootkit tool, a good trojan hunter and a whole slew of anti-viruses and hijackthis haven't found anything. So I don't feel avast alone should come in for your criticism "It is disturbing that Avast Pro did not prevent or cannot find and remove the worm."]

But that slew of AVs did not include the one with the best detection rates, KAV. I will withdraw my criticism if he runs an online scan with KAV and/or Bit Defender. I am convinced that one or both will find it. Sure I may be wrong, but until I have tried the best AVs, considering the detection rates, I will continue to think that it is the primary fault of the AV.

I am using Avast Home on my laptop. However, I am not wedded to any software, and that includes KAV 6 which I use. I just want to find out if an AV with higher detection rates would find the worm. I believe it would.

It is not like I am insulting a member of your family, but trying to find out whether Avast should have caught it if it had better detection rate of worms. Why is that something that you should be defensive about?

I realize and agree that the immediate problem is to help get rid of the worm, but it should be of interest to improve the AV.

It is obvious that Avast is inferior in the area of detection to several others. Maybe one uses it for years and does not have an infection. That is great, but when one does I do not believe in excusing the primary tool to prevent that infection, until I find that the best ones also would not have prevented an infection.

Regards,
Jerry

[doront99]

Hi All,

I will try now also the Kasperski and Bit defender.

I did not run Ewido from safe mode, but I know that though I am in safe mode, this malware is still running.

I tried to overwrite the services.exe and svchost.exe from a clean computer (by taking out the hard drive to another computer), but it did not help. So the virus is not in the services.exe or svchost.exe.

I will come back soon with results...

Many thanks,
Doron

[doront99]

Hi All,

Both, the BitDefender and Kasperski, were found nothing at the online scan (this time in safe mode).

The machine is still infected of course.

Doron

[ardvark]

Hi doront99...

My personal opinion is that unless you want to send the services.exe file to Avast for review and wait for a signature update that includes the new detection, then you might have to just format the hard drive and reinstall your OS.

Best Regards...

[doront99]

I don't have a problem to send the file to Avast, I just don't think that this malware is in this file, since I replaced the file with a one from a clean machine and the malware is still active.

Doron

[DavidR]

I'm at a bit of a loss as to how this is hiding, but to be able to run during safe mode it would have to be a service I believe. Usually we say you should run HJT in normal mode to see what is running, but if this is running in safe mode, try running HJT in safe mode (and post contents here), which should reduce some of the clutter and see if it narrows down the field.

Also see Hidden things http://invisiblethings.org

Some other tools you could try:
UnHackMe - Claims to fix this Hacktool rootkit: http://www.greatis.com/unhackme/ let us know how you get on.

RootKitRevealer from system internals - http://www.sysinternals.com/utilities/rootkitrevealer.html, this will check if there is in fact a rootkit type virus deeply hidden. Now this tool is a little like HJT in that it only provides data and not an analysis, so you would have to investigate the results.

[DukeNukem]

I think you may be right, it is something else that is infected.

When u said u tried kaspersky, were u on about their online scanner and not jotti?
http://www.kaspersky.com/virusscanner

Try a online scan of your hard drive with Authentium,

http://www.authentium.com/

For those who didnt know about authentium, you can add it to your favourites

[Spiritsongs]

   Hi "Duke" ( & others ) :

     "Authentium" will definitely NOT be added to my favorites;
      as I posted on May 19 : "I visited the "authentium" site and
      saw they used 'Aluria' ( the antiSPYWARE Experts avoid
      this company ) & 'Pest Patrol', which has a 'history' of
      false-positives.  "

[JerryM]

David,
My apologies to you, and I withdraw my criticism of Avast.

BOY! This is a hard one.

Regards,
Jerry

[DavidR]

No problem Jerry, this has all the hallmarks of a rootkit hiding the spambot trojan and very difficult to resolve. I think MS even state that the only real option is to reformat and start again from scratch, something which I don't agree with because that process for most is fraught with problems/hassle/difficulty.

I wouldn't like to have to embark on that option, so this is why I have Drive Image and take weekly hard disk images as a system back-up/recovery strategy. It would take a few minutes to go back to the last good image.

[JerryM]

Thanks, David.
Not to hijack this thread, but I wonder what anti-malware programs doront99 had on his machine.

It is of first importance to help  him get rid of the malware. But I also think in terms for all of us as to what layering might have prevented it.
In addition to an AV I have Ewido plus, Snoopfree, UnHackMe, Win Patrol, Spyware Guard, and LooknStop firewall.

It is always interesting to me to learn what one had on his machine when he got infected. I know that MS has said that when some of that stuff gets on the computer it cannot be removed, and reformat is necessary. Or whatever.

So it is most important to keep the stuff off, if we can determine the best combination of layering. It is a given that no one application, no matter how good, will always protect.

Jerry