Author Topic: New User with multiple viruses that somehow got past Avast...  (Read 28710 times)

REDACTED

New User with multiple viruses that somehow got past Avast...
« on: September 21, 2008, 05:10:51 AM »
Hello all,
Strangely enough, I posted a need for my daughter's computer last week, which she has turned over to her school tech dept. (she gave up), but now MY PC has a ton of viruses on it thanks to my daughters, who love to download pics and music. I thought I was safe since I've been a fan/user of Avast for a number of years now, but apparently it's not bulletproof. I freely admit that I am not an expert. I did follow the previous advice given, and here are the results:
But first, the scenario:
On restart yesterday, all of a sudden the computer came up with all kinds of virus alerts. Apparently some weeks ago, my daughter loaded on some music from a friend that is/was infected (not the friend, but the files ;D). My daughter started using the "delete" option instead of "virus chest", so I don't know what might have been harmed before I got to her. At the moment, the computer is operating fine except that when I try to look at my files using "My Computer", "Explore", or view the contents of my 500 GB external drives, I get the dialog box asking me which program I want to use to "open this file"... "My Documents" and the other folder-style elements work fine.

1) I ran avast and put everything I found in the virus chest. results attached.

NEXT, I downloaded Dr. Web and ran it. It found two things and here they are.
ProxyPac.dll;C:\Program Files\dialcom\Client-Svc;BackDoor.Gtps.origin;Incurable.Moved.;
A0054391.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP424;BackDoor.Gtps.origin;Incurable.Moved.;

---
NEXT, I downloaded and ran "Hijackthis" per request and the results attached:



What on the planet earth should I do now? Thanks so much for your kindness.


wyrmrider

Re: New User with multiple viruses that somehow got past Avast...
« Reply #1 on: September 21, 2008, 05:35:33 AM »
First
Let's not worry about those items in System Restore.
Second
Can you make a folder called "suspect" in your root drive:
C:\suspect
then go into Avast and exclude that folder C:\suspect from the Avast scanner,
copy or extract the files (not the ones in Restore) to C:\suspect,
then go online to VirusTotal (Google it), navigate to C:\suspect and upload.
I am interested especially in the -gen files and would like to get a positive ID.
Third
Clean temp files; you can use ATF Cleaner or CCleaner or Internet Options.
Fourth
Go to malwarebytes.org, update and run the free Rogue Remover and Malwarebytes Anti-Malware.
With MBAM: update, scan, check any malware found, then click "Remove Selected".
Post the logs.
Fifth
Download, update and scan with SuperAntiSpyware.
Post the log.
Then a new HJT.

Does each of the kids and you have user accounts, or is everyone running as administrator?

what firewall

I'll try and get a peek at your hjt a little later

wyrmrider

Re: New User with multiple viruses that somehow got past Avast...
« Reply #2 on: September 21, 2008, 05:51:04 AM »
What are these?

C:\Program Files\Internet Content Filter\SafeEyes.exe


C:\Program Files\Spontania Video Collaboration\SpontaniaVideoCollaboration.exe

Can you uninstall this one or make it not start? Ask toolbar:
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL

This may go away or we may fix it:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
It may have been Windows Live Messenger; if it was, it is just as well gone. Did you REMOVE MSN Messenger?

What is this?
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe

O4 - HKLM\..\Run: [MSN Messenger Mutex] msnstartup.exe

O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe

HKUS\S-1-5-18\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'SYSTEM')

LSP errors
Check your system with LSPFix from Cexx.org. These entries should not be fixed with HJT!
Your best bet to repair it is to try the LSPFix from Cexx.org.

What's this?
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe

Have the girls Google anything they are not familiar with (just look at reliable sites).
Let me know what you find.
I'll double-check anything left after the antimalware scans mentioned.
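
The checks wyrmrider makes by eye above (orphaned BHO, per-user Run entry in system32, a bare file name, a toolbar search hook, a service with an unknown owner), plus the "get a positive ID" step from the first reply, as an added Python example. This is not code from the thread, from HijackThis or from Avast. The sample log is just the lines quoted in this post; the allowlist of per-user system32 entries and the table of expected service paths are illustrative entries chosen for those lines (assumptions, extend them for your own baseline); the hash helper lets you look a suspect file up on VirusTotal by SHA-256 instead of uploading it.

```python
"""Triage the HijackThis (HJT) line formats quoted in the thread above.

Added example for this page; it is not code from HijackThis, Avast or any
poster. It parses R3/O2/O4/O23 lines, applies the checks the helpers made by
hand, and can hash a suspect file for a VirusTotal lookup.
"""
import hashlib
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the lines the helpers asked about in the thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [MSN Messenger Mutex] msnstartup.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
"""

# Per-user Run entries that legitimately point into system32 (ctfmon.exe is the
# text-services loader XP registers under HKCU). Assumption: illustrative
# allowlist only; extend it for your own baseline.
KNOWN_HKCU_SYSTEM32 = {"ctfmon.exe"}

# Where Windows XP really installs a service whose display name appears in the
# log. Assumption: only the service from the thread is listed.
EXPECTED_SERVICE_PATHS = {
    "application layer gateway service (alg)": "c:\\windows\\system32\\alg.exe",
}

R3_RE = re.compile(r"^R3 - URLSearchHook: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


@dataclass
class Finding:
    kind: str     # HJT section the line came from
    subject: str  # entry name, CLSID or path to investigate
    reason: str


def exe_path(command: str) -> str:
    """Best-effort executable path from a Run command (drops quotes and arguments)."""
    cmd = command.strip().strip('"')
    i = cmd.lower().find(".exe")
    return cmd[: i + 4] if i >= 0 else cmd


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_if_present(path: str) -> Optional[str]:
    """Hash a file for a VirusTotal lookup; None when the path does not exist here."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return sha256_bytes(fh.read())


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := R3_RE.match(line):
            _name, _clsid, path = m.groups()
            findings.append(Finding("R3", path, "URL search hook (browser toolbar): note the vendor; uninstall the toolbar if it is unwanted"))
        elif m := O2_RE.match(line):
            _name, clsid, path = m.groups()
            if path == "(no file)":
                findings.append(Finding("O2", clsid, "orphaned BHO: registry entry whose DLL is gone, leftover from an uninstall"))
        elif m := O4_RE.match(line):
            hive, _key, name, command = m.groups()
            path = exe_path(command)
            low = path.lower()
            if "\\" not in path:
                findings.append(Finding("O4", name, f"bare file name '{path}' resolves through the search path: locate the real file before judging it"))
            elif hive == "HKCU" and low.startswith("c:\\windows\\system32\\") and low.rsplit("\\", 1)[-1] not in KNOWN_HKCU_SYSTEM32:
                findings.append(Finding("O4", name, f"per-user Run entry launching {path} from system32: user-level startup items rarely live there"))
        elif m := O23_RE.match(line):
            display, owner, path = m.groups()
            expected = EXPECTED_SERVICE_PATHS.get(display.lower())
            if expected and path.lower() != expected:
                findings.append(Finding("O23", path, f"display name of a Windows service, but it runs from {path} instead of {expected}"))
            elif owner == "Unknown owner" and not path.lower().startswith("c:\\windows\\"):
                findings.append(Finding("O23", path, "service with an unknown owner outside the Windows directory: identify the vendor first"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        digest = sha256_if_present(f.subject)  # only set when the file exists on this machine
        print(f"{f.kind:<4}{f.subject}\n    {f.reason}" + (f"\n    sha256 {digest}" if digest else ""))
```

Run it on the infected machine with the real HJT log pasted into SAMPLE_LOG (or read from a file) and it prints one line per item worth a question, with the SHA-256 for any path that exists so the hash can be searched on VirusTotal. The service check deliberately compares the display name against the path Windows would use, because reusing a built-in service name with a different binary is exactly the pattern the O23 line above shows.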

CharleyO

Re: New User with multiple viruses that somehow got past Avast...
« Reply #3 on: September 21, 2008, 09:43:35 AM »
***

What is SafeEyes ...

from http://www.spyany.com/files/SafeEyes_exe.html :

> SafeEyes.exe is the main executable for Internet Content Filter software, which enables you to block unwanted contents from being displayed.


A little more info here :

http://www.processlibrary.com/directory/files/safeeyes

http://www.whatsrunning.net/whatsrunning/QueryProcessID.aspx?Process=10485

What is SpontaniaVideoCollaboration ...

http://www.prevx.com/filenames/1171926210008894659-0/SPONTANIAVIDEOCOLLABORATION.EXE.html

http://www.runscanner.net/filelibrary/spontaniavideocollaboration.exe.html

This one ...

O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe

... belongs to Microsoft and is used to monitor hardware components for performance bottlenecks.

This one is bad ...

O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe

Info on ckvo.exe ...

http://www.prevx.com/filenames/1945005718982325452-X1/CKVO.EXE.html

http://www.bleepingcomputer.com/startups/ckvo.exe-23750.html

http://www.threatexpert.com/files/ckvo.exe.html

What is Keyscrambler ...

This encrypts keystrokes to defeat keyloggers.

http://www.qfxsoftware.com/

This one seems to be related to a FaceBook trojan ...

O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe

http://g.s.scandoo.com/search?hl=en&q=ProtectService.exe&btnG=Search


I hope this helps.


***

oldman
Re: New User with multiple viruses that somehow got past Avast...
« Reply #4 on: September 21, 2008, 06:22:23 PM »
Safe Eyes=parental control
http://www.internetsafety.com/safe-eyes-parental-control-software.php

The O10 lines are valid and belong to this program also.

I'm not sure if I'd be running Facebook from the Trusted Zone. This zone has lower security settings.

wyrmrider

Re: New User with multiple viruses that somehow got past Avast...
« Reply #5 on: September 21, 2008, 06:46:08 PM »
Thanks oldman.
Let's see what the general-purpose scanners remove before trying point-by-point removals.
This system needs some work,
and some of it can't be done by HJT without leaving tons of garbage.

I just spent some time on my brother's Vista laptop:
all the dual core and memory wasted.
98SE, even with SSM, Avast and CounterSpy (or Spyware Doctor), is more responsive.

polonus
Re: New User with multiple viruses that somehow got past Avast...
« Reply #6 on: September 21, 2008, 06:54:42 PM »
Here we have the system scan information from the HJT log file text presented above.
What can be observed is that there seems to be no active software firewall running; why is this?

Overview of running tasks (process - type - description):

smss.exe - System task - Session Manager Subsystem
winlogon.exe - System task - Microsoft Windows Logon Process
services.exe - System task - Windows Service Controller
lsass.exe - System task - Local Security Authority Service
Ati2evxx.exe - Driver - ATI Display Adapter Assistant
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
aswUpdSv.exe - Virusscan - Avast Anti-Virus Component
ashServ.exe - Virusscan - Avast
brsvc01a.exe - Backgroundtask - Brother Print Processor
spoolsv.exe - System task - Microsoft Printer Spooler Service
brss01a.exe - Application - Brother Print Processor
AppleMobileDeviceService.exe - Backgroundtask - Apple Mobile Device Service
AsfIpMon.exe - Driver - Broadcom ASF IP Monitor
mDNSResponder.exe - Backgroundtask - Bonjour for Windows Component
GoogleUpdaterService.exe - Backgroundtask - Service Component
RioMSC.exe - Unknown task - Unknown task
svchost.exe - System task - Microsoft Service Host Process
Explorer.EXE - System task - Microsoft Windows Explorer
ctfmon.exe - System task - Alternative User Input Services
ashMaiSv.exe - Virusscan - Avast Anti-Virus Component
ashWebSv.exe - Virusscan - avast! Web Scanner
jusched.exe - Backgroundtask - Sun Java Update Scheduler
stsystra.exe - Driver - SigmaTel C-Major Audio Tray App
cli.exe - Application - ATI Catalyst
DVDLauncher.exe - Backgroundtask - A process belonging to the CyberLink PowerCinema video viewing software which allows you to play DVDs upon insertion.
DLACTRLW.EXE - Backgroundtask - Sonic Solutions Drive Letter Access (DLA)
svchost.exe - System task - Microsoft Service Host Process
ashDisp.exe - Virusscan - Avast AntiVirus
Monitor.exe - Backgroundtask - Scheduler for the Pagis scanning suite from ScanSoft.
isuspm.exe - Backgroundtask - InstallShield Automatic Updater
SafeEyes.exe - Unknown task - Unknown task
E_S4I4D1.EXE - Unknown task - Unknown task
iTunesHelper.exe - Application - Apple iTunes
DSAgnt.exe - System task - Dell Support Agent offers additional support and update features for your Dell computer or laptop
Skype.exe - Backgroundtask - Skype Internet Telephony
NMBgMonitor.exe - Backgroundtask - Nero Home
NMBgMonitor.exe - Backgroundtask - Nero Scout
SpontaniaVideoCollaboration.exe - Unknown task - Unknown task
Wcescomm.exe - Backgroundtask - Microsoft ActiveSync Connection Manager
MsnMsgr.Exe - Application - MSN Messenger
NMIndexingService.exe - Backgroundtask - Nero Home
NMIndexStoreSvr.exe - Backgroundtask - Nero Home
GoogleUpdater.exe - Backgroundtask - Google Updater
GoogleUpdater.exe - Backgroundtask - Google Updater
WinCinemaMgr.exe - Backgroundtask - WinCinema Manager is needed when using the WinDVD Remote Control for WinDVD from InterVideo.
soffice.exe - Backgroundtask - OpenOffice StarOffice suite
soffice.BIN - Backgroundtask - OpenOffice Module
rapimgr.exe - Backgroundtask - Microsoft ActiveSync Module
iPodService.exe - Backgroundtask - Apple iTunes
SkypePM.exe - Backgroundtask - Skype Extras Manager
cli.exe - Application - ATI Catalyst
ashSimpl.exe - Virusscan - Virus scanner
jucheck.exe - Backgroundtask - Sun Java UpdateChecker Module
firefox.exe - Application - Mozilla Firefox
launch.exe - Backgroundtask - Vantarakis Launch Application
_start.exe - Unknown task - Unknown task
setup.exe - System task - Standard setup
HijackThis.exe - Application - Merijn HijackThis
NOTEPAD.EXE - Application - Windows Notepad
ashChest.exe - Unknown task - Unknown task
thunderbird.exe - Backgroundtask - E-mail manager
NOTEPAD.EXE - Application - Windows Notepad

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Lisandro
Re: New User with multiple viruses that somehow got past Avast...
« Reply #7 on: September 21, 2008, 08:17:41 PM »
Safe Eyes=parental control
http://www.internetsafety.com/safe-eyes-parental-control-software.php
To the ones that need parental control, consider www.k9webprotection.com for free and can be used side by side with other programs.
The best things in life are free.

REDACTED

Re: New User with multiple viruses that somehow got past Avast...
« Reply #8 on: September 22, 2008, 01:27:09 AM »
Thanks to you all... I see a bunch of comments, including:
"I'm not sure if I'd be running Facebook from the Trusted Zone. This zone has lower security settings."
Should I follow the advice I got in the first response? Any modifications to that advice, or proceed?

REDACTED

Re: New User with multiple viruses that somehow got past Avast...
« Reply #9 on: September 22, 2008, 04:21:32 AM »
wyrmrider and others,
I have followed instructions as best as I could decipher. I have a couple of questions, answers, and observations.
First, the site "VirusTotal" is not working as far as I can tell. It comes up blank in my browser while all others work. What now? I exported the virus-affected files that were NOT on the "restore" list (with "restore" in the directory name listed in the virus chest report) into the directory suggested.

Second, question: what is HJT?

Third, "download, update and scan with SuperAntiSpyware - post the log" is the instruction; I assume don't clean/remove or the equivalent? I am on hold with that till I get an answer. The report is attached below.

Fourth: Malwarebytes Anti-Malware report attached, done in the order suggested in your post.

Fifth: There are individual accounts, to answer your question to my original post.

Sixth: Firewall is the standard Windows firewall, to answer your question to my original post.


oldman
Re: New User with multiple viruses that somehow got past Avast...
« Reply #10 on: September 22, 2008, 04:44:43 AM »
I'll try to answer your questions. With SAS, you should quarantine whatever it finds. The same with Malwarebytes, except its quarantine is "Remove Selected". I see you didn't do that.

HJT is hijackthis.

www.virustotal.com is the correct link for VirusTotal. What happens when you click on it? We may be able to find a way to get you there.

If there are multiple accounts, HJT may see the other accounts if the users are not logged off.

REDACTED

Re: New User with multiple viruses that somehow got past Avast...
« Reply #11 on: September 22, 2008, 04:54:42 AM »
Do I want to have the other accounts logged on, or off?

thanks oldman

wyrmrider

Re: New User with multiple viruses that somehow got past Avast...
« Reply #12 on: September 22, 2008, 05:03:34 AM »
No idea on the other accounts question; I'd try it with everything turned on.
On MBAM,
from my first post:
"with MBAM: update, scan, check any malware found, then click "Remove Selected""
A quick scan will be OK, then Remove Selected.
At least we know it will remove some things.

I think oldman answered about SAS: CLEAN or whatever, and Quarantine, Chest, Vault, whatever; just do not delete/remove so that it is completely gone.

It does take a while to get started if you have never done this before.

Is the upload-to-VirusTotal drill OK now?

Get your girls to help with this.

REDACTED

Re: New User with multiple viruses that somehow got past Avast...
« Reply #13 on: September 22, 2008, 05:08:32 AM »
Here is the latest HijackThis log... BTW, while I was letting SuperAntiSpyware quarantine its files, Avast sounded off with an alert...
Logfile of Trend Micro HijackThis v2.0.2

REDACTED

Re: New User with multiple viruses that somehow got past Avast...
« Reply #14 on: September 22, 2008, 05:10:33 AM »
I still get a blank page when I try to access the VirusTotal page... are you able to access it now?