| Other > Viruses and worms |
| System Integrity Scan Wizard |
| (1/2) > >> |
| phoenixankit:
I'm getting this popup, and Avast is unable to detect the spyware causing it. I was doing something this moorning, and The avast 'A virus has been detected' popup kept coming up. I tried to delete the file, but it still came up, so I had to close the webpage. Now, I get this System Integrity Scan Wizard and a few other popups in my computer. How to solve this? HJT Log attached. AND, another problem has come up after this one started and I think it has been caused by System Integrity Scan Wizard thing itself; Firefox does not open. I mean, when I click on it's icon, the whole window comes up, but it has just got the titlebar, and the rest of the screen is white. I am running IE right now. CRISIS PLEASE HELP!!! |
| DavidR:
What is the malware name, the infected file name, where was it found e.g. (Malware name, C:\windows\system32\infected-file-name.xxx) ? Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. You say you tried to delete the file, tried' to me implies it didn't work, if so what errors were displayed ? Deletion isn't really a good first option (you have none left), 'first do no harm' don't delete, send virus to the chest and investigate. You also mention a web page, was this one you visited intentionally or one displayed without user input ? You could find that this page has been hacked and is trying run a malicious file to download onto your system. The web shield is possibly what intercepted this and would only give one option, abort connection to stop the download. So the information about these detections from the avast log viewer would give us some more information to help you further. What is your firewall ? Ensure you have the latest version of JRE (JAVA Runtime Environment) because older versions can be vulnerable to malware, yours is out of date by a few updates. First remove All Older Versions From Add/Remove Programs. Then get the latest update from here http://java.sun.com/javase/downloads/index.jsp Or JRE version 6 update 5 http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html These are suspect, upload to virus total for checking (see below) and report the findings. C:\WINDOWS\system\lsass.exe C:\WINDOWS\system\lsass.exe F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system\lsass.exe This it isn't in the correct folder for XP, it is normally in system32 folder. C:\Documents and Settings\All Users\Application Data\ipilgruv\ylqvurot.exe C:\WINDOWS\system32\mtszwvop.exe Zero hits on google search, suspect in its own right. O3 - Toolbar: vnbptxlf - {D212F823-17B0-470A-832F-86D3B30EE0D1} - C:\WINDOWS\vnbptxlf.dll --- Quote ---Parasite causing false spyware warnings and connecting to fake "security sites" - member of the FakeAlert aka SmitFraud malware family --- End quote --- I have stopped at this point as your system is riddled so I would say you need to take some remedial action before using HJT again. If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the finding (it should product a log file). In the preferences, Scanning Control tab, tick all scanning options. SUPERantispyware On-Demand only in free version. #### Upload to VirusTotal - Multi engine on-line virus scanner and report the findings of these files here. If any are detected by multiple scanners send example to avast, see below. Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject. Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that. #### |
| phoenixankit:
1. Malware name: Various types(11) of Win32:Vaspup[adw] 2. I meant that as soon as I clicked on delete, another one popped up. 3. The website was intentionally visited 4. No firewall (I was finding some good one,any recommendation?) 5. I have 2 java things in add and remove: J2SE runtime environment 5.0 update 9 AND Java(TM) SE runtime Environment 6 update 1 (wtf? also, sometimes, in the sys tray, i have 2 java icons asking for updates running) Which one should i uninstall or both? |
| phoenixankit:
Hey I found on http://www.help2go.com/Tutorials/Spyware_Information/System_Integrity_Scan_Wizard_:_How_to_remove_it.html that --- Quote ---Continue with the instructions in the Get Rid of Spyware guide. When you reach Step 5 in that guide you will run a program called HijackThis. In the HijackThis screen, you will be looking for two entries that look like this: O4 - HKLM\..\Run: [95c514b2.exe] C:\WINDOWS\system32\95c514b2.exe O4 - HKCU\..\Run: [95c514b2.exe] C:\Documents and Settings\Username\Local Settings\Application Data\95c514b2.exe Note that the filename will be different - it may not be "95c514b2" - it may be any sequence of random letters and numbers. But the System Integrity Scan Wizard will always show up as a matched pair of these files - one of them running in your system32 folder, and the other running in your Application Data folder. --- End quote --- I dont have the these hklm and hkcu entries, but I do have similar suspicious objects in the runnning processes I'm running SUPERantisp. and it has already retected 600-odd threats. And, I've also uploaded to VirusTotal and it is Scanning |
| DavidR:
OK on 1 & 2. 3. It would seem that the site has either been hacked and the web shield is blocking malicious downloads. 4. this is the reason your system is riddled, a firewall is an essential part of your security. It should be capable of blocking unauthorised outbound Internet Connections. Windows XP's firewall is better than no firewall but, it lulls you into a false sense of protection, it doesn't provide outbound protection. Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall. Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential. - There are many freeware firewalls such as, Comodo, PCTools Firewall Plus, Jetico, etc. - Zone Alarm free works fine with avast and has a reasonably friendly user interface, however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes In the Program Control, configuration area, the slider will only goes as far as Medium protection, if you want more you have to buy the Pro version. See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0 See http://www.matousec.com/projects/firewall-challenge/results.php. 5. Both of those JAVA version are out of date and the updates are generally closing security holes, so it is essential you uninstall the old ones unless you have a program that only works with a certain version. I certainly wouldn't use a program requiring an old version as it leaves the system vulnerable. I would say your priority at the moment is download, install, update SAS, and run from safe mode as I mentioned. Choose a firewall that provides outbound protection and install, without this as quickly as malware is removed it could be replaced. What is the exact version of avast that you are running, 4.8.1169 is the latest current release ? |
| Navigation |
| Message Index |
| Next page |