Author Topic: I have a virus that Avast couldn't detect - Help  (Read 5511 times)


Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: I have a virus that Avast couldn't detect - Help
« Reply #30 on: February 09, 2018, 12:30:17 AM »
Reiyad,

What he means by "What is the system status" is: Anything else wrong with the computer? Is it slower than normal? Programs not working? etc.

I think the "file not found" he's referencing is actually the reg keys (found by opening regedit.exe). HKLM is HKEY_LOCAL_MACHINE in your registry.

Code:
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\unins000.exe => key not found
HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\wampmanager.exe => key not found

VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.
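As an added illustration, not something posted in this thread: the two FRST lines above report whether an Image File Execution Options (IFEO) key exists for a given executable. The PowerShell below reproduces that "key not found" check for the same two names and, more usefully for a defender, lists every IFEO entry that carries a Debugger value, since a Debugger value redirects the named program to another binary. The key paths are the standard Windows ones; everything else in the script is my own.

```powershell
# Added example (not from the thread): audit IFEO entries on a Windows host.
# Standard IFEO key (the one FRST reported on) plus its WOW6432Node mirror.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# 1) Reproduce FRST's per-name check for the two executables named in the log above.
$names = 'unins000.exe', 'wampmanager.exe'
foreach ($n in $names) {
    $k = Join-Path $ifeoPaths[0] $n
    if (Test-Path $k) { "$k => key present" } else { "$k => key not found" }
}

# 2) List every IFEO subkey that sets a Debugger value. A Debugger value makes
#    Windows launch the named debugger instead of (and with) the target program,
#    which is why it is a classic place to look for hijacks and persistence.
$findings = foreach ($path in $ifeoPaths) {
    if (-not (Test-Path $path)) { continue }
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props.Debugger) {
            [pscustomobject]@{
                Target   = $_.PSChildName
                Debugger = $props.Debugger
                Key      = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No IFEO Debugger values set.' }
```

A Debugger value is not proof of compromise on its own; some legitimate debugging and deployment tools set one, so verify the binary each entry points to before removing anything.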

REDACTED

  • Guest
Re: I have a virus that Avast couldn't detect - Help
« Reply #31 on: February 09, 2018, 12:43:28 AM »
Michael, thanks for clarifying. The status of the system is OK; I don't think it is in any way slower, nor that anything strange happened at all. Everything I use every day is working, I didn't encounter any problems at all, no strange login activities on any of my accounts such as email or others, etc.

I am not sure about the registry edit files, to be honest, so this is kind of strange, because the WAMP server is working for me, the MySQL database and everything is working, the code editors I use for programming are also working, so I didn't notice any strange behavior.

And I just tested Skype now and it seems to be working as well; however, I am still a bit scared to open my PayPal or bank account, as I am scared my passwords could be stolen.

Please let me know whether you think I am infected or not. I know it is very hard to tell, but do you think I am safe enough, according to the file I sent and how I opened the file, etc.?

Thanks
« Last Edit: February 09, 2018, 12:45:13 AM by Reiyad »

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: I have a virus that Avast couldn't detect - Help
« Reply #32 on: February 09, 2018, 02:25:20 AM »
Michael, thanks for clarifying. The status of the system is OK; I don't think it is in any way slower, nor that anything strange happened at all. Everything I use every day is working, I didn't encounter any problems at all, no strange login activities on any of my accounts such as email or others, etc.

I am not sure about the registry edit files, to be honest, so this is kind of strange, because the WAMP server is working for me, the MySQL database and everything is working, the code editors I use for programming are also working, so I didn't notice any strange behavior.

And I just tested Skype now and it seems to be working as well; however, I am still a bit scared to open my PayPal or bank account, as I am scared my passwords could be stolen.

Please let me know whether you think I am infected or not. I know it is very hard to tell, but do you think I am safe enough, according to the file I sent and how I opened the file, etc.?

Thanks

As long as the file wasn't opened, from the perspective of that file, you're fine. As for the rest of it, I couldn't tell you. This is why Sass Drake is here. The IFEOs were removed (I PM'd Milos, an Avast! team member, to find out if that's actually their doing).

I didn't see any obvious signs that you had a keylogger, but again, wait for Sass Drake to give you the all clear.

Tidbit: If you're using a MySQL database and program, I would be inclined to move all of your data/databases/dev projects to a VM, and leave the surfing/emailing to a different VM. That way you don't risk anything potentially important. I know our University has 2 designated VMs deemed the attacker and defender for this exact sort of thing. We also have CentOS as an OS, with the option to load a Windows X VM. (Sort of like a dual boot, but not really. It's a weird thing.)

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: I have a virus that Avast couldn't detect - Help
« Reply #33 on: February 09, 2018, 11:18:45 AM »
Michael, thanks for clarifying. The status of the system is OK; I don't think it is in any way slower, nor that anything strange happened at all. Everything I use every day is working, I didn't encounter any problems at all, no strange login activities on any of my accounts such as email or others, etc.

I am not sure about the registry edit files, to be honest, so this is kind of strange, because the WAMP server is working for me, the MySQL database and everything is working, the code editors I use for programming are also working, so I didn't notice any strange behavior.

And I just tested Skype now and it seems to be working as well; however, I am still a bit scared to open my PayPal or bank account, as I am scared my passwords could be stolen.

Please let me know whether you think I am infected or not. I know it is very hard to tell, but do you think I am safe enough, according to the file I sent and how I opened the file, etc.?

Thanks

FRST logs don't show traces of infection, so you are clean.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

REDACTED

  • Guest
Re: I have a virus that Avast couldn't detect - Help
« Reply #34 on: February 09, 2018, 02:27:56 PM »
@Michael, thanks for your help

That's the problem sometimes with us developers: we are way too lazy to take the extra step, like moving to a VM. I wanted to do that two months ago but got lazy. I usually check files with virustotal.com before I open them, but when I got this file I was sleepy and wanted to go to bed, so I just wanted to check it really quickly to see, but then I figured it was a virus.

I know about all of these things you mentioned, virtual machines, CentOS, etc. I was a system administrator 10 years ago, but that was the last time I worked as a system admin, and it wasn't my thing anymore; I am just into programming now.

I was a Microsoft Certified System Engineer, MCITP, MCTS and MCP, but like I said it is not my thing anymore. I forgot most of the things I learned and applied. I still have a little bit of experience that can help me understand how things work, but I try to get the things that I don't use anymore out of my head, and memorize the important stuff instead lol.

Thankfully it doesn't seem like I have a keylogger; also, Sass Drake is reassuring that my computer seems to be clean.

@Sass Drake, thanks a lot for your help.

I downloaded DelFix and read the report; everything seems to be alright now, hopefully.

Thanks a lot for your help, guys. You are amazing and quick, much appreciated!

Best,
« Last Edit: February 09, 2018, 05:24:22 PM by Reiyad »