Author Topic: New User with multiple viruses that somehow got past Avast...  (Read 28711 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: New User with multiple viruses that somehow got past Avast...
« Reply #15 on: September 22, 2008, 05:39:35 AM »
The avast alert is normal; it's reading the file as SAS is moving it. Safe mode scans avoid this because avast is not running then.

I can get to virustotal with no problem. Try this instead

http://virusscan.jotti.org/

The malware scans should be all right even with other users logged on. It's just HJT.

wyrmrider

  • Guest
Re: New User with multiple viruses that somehow got past Avast...
« Reply #16 on: September 22, 2008, 05:43:25 AM »
http://www.virustotal.com/  worked for me

Is this last HJT after MBAM and SAS scans?
could you post the SAS and MBAM logs please?

    R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL

Look in Add/Remove Programs for Ask Toolbar and/or Search Assistant and uninstall,
or
many applications have their own uninstall file that is placed in the same directory or program group.
See Start>Programs
or "Program Files" and look for Ask Toolbar and/or Search Assistant.

Typically, applications can be removed using 'Add/Remove Programs'. Should this option not be available, double-click the uninstall file applicable to the specific application.

If you can't find it or it will not remove, post back.
Here is an authoritative view on the Ask toolbar; of course you can keep it if you want to, but then do you need the Yahoo toolbar?
http://www.benedelman.org/spyware/ask-toolbars/

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
I already asked you about this one; not malicious. We can FIX it if necessary, but it's not urgent.

O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
oldman commented on this one
you can turn this off with startup manager if you are not using it

O4 - HKLM\..\Run: [MSN Messenger Mutex] msnstartup.exe  ???
Are you using Microsoft Windows Messenger (not MSN instant messenger)?


O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
This one really concerns me. MBAM and/or SAS and/or avast should have nuked this one.
let's see those logs

Polonus, oldman says to ignore these O10's. Example:
O10 - Unknown file in Winsock LSP: icf.dll

O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
let's see if MBAM and/or SAS gets this one


rerun those scans and let em work
post the logs showing the fixes
then post a new hjt

let's hope those two baddies are gone and all their hidden friends with them
« Last Edit: September 22, 2008, 05:56:59 AM by wyrmrider »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: New User with multiple viruses that somehow got past Avast...
« Reply #17 on: September 22, 2008, 05:56:25 AM »
Quote
O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe
oldman commented on this one
you can turn this off with startup manager if you are not using it
Actually it was CharleyO.  ;)

Quote
O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe

Haven't seen anything on this one before. The file should be tested.

I meant to mention it before. You shouldn't use your email for a user id. It will get harvested and you will be buried in spam.

« Last Edit: September 22, 2008, 05:58:37 AM by oldman »

REDACTED

  • Guest
Re: New User with multiple viruses that somehow got past Avast...
« Reply #18 on: September 22, 2008, 06:11:42 AM »
Virus scan result one:

File: c9hehpa.bat
Status: INFECTED/MALWARE
MD5: ffb21ccb9aaabca76467c0f3731fbc97
Packers detected: -
Scanner results
Scan taken on 22 Sep 2008 04:06:51 (GMT)
A-Squared    
Found Worm.Win32.Viking.ex!ik
AntiVir    
Found TR/Vundo.Gen
ArcaVir    
Found Worm.Autorun.Epk
Avast    
Found Win32:Monga
AVG Antivirus    
Found nothing
BitDefender    
Found Trojan.PWS.OnlineGames.ZQF
ClamAV    
Found nothing
CPsecure    
Found W32.W.AutoRun.epk
Dr.Web    
Found Trojan.Nsanti.Packed
F-Prot Antivirus    
Found W32/Onlinegames.gen (probable variant)
F-Secure Anti-Virus    
Found Worm.Win32.AutoRun.epk
Ikarus    
Found Worm.Win32.Viking.ex
Kaspersky Anti-Virus    
Found Worm.Win32.AutoRun.epk
NOD32    
Found Win32/PSW.OnLineGames.NMY
Norman Virus Control    
Found W32/Viking.gen5
Panda Antivirus    
Found W32/Lineage.JMI.worm
Sophos Antivirus    
Found Mal/EncPk-EK
VirusBuster    
Found nothing
VBA32    
Found Trojan-GameThief.Win32.Magania.aayp

REDACTED

  • Guest
Re: New User with multiple viruses that somehow got past Avast...
« Reply #19 on: September 22, 2008, 06:18:49 AM »
Quote
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
This one really concerns me. MBAM and/or SAS and/or avast should have nuked this one.
let's see those logs


Logs attached to post #9

I am running malwarebyte's anti-malware again now.

REDACTED

  • Guest
Re: New User with multiple viruses that somehow got past Avast...
« Reply #20 on: September 22, 2008, 06:20:05 AM »
Results of online scan #2:
File: foto.zip
Status: INFECTED/MALWARE
MD5: e4b2fd0a8c4e51fe028576389ff29d94
Packers detected: -
Scanner results
Scan taken on 22 Sep 2008 04:14:03 (GMT)
A-Squared    
Found VirTool.Win32.DelfInject.AL
AntiVir    
Found BDS/Tofsee.P
ArcaVir    
Found nothing
Avast    
Found Win32:Rootkit-gen
AVG Antivirus    
Found BackDoor.Ircbot.EMO
BitDefender    
Found Trojan.Crypt.DY
ClamAV    
Found nothing
CPsecure    
Found nothing
Dr.Web    
Found nothing
F-Prot Antivirus    
Found W32/Backdoor2.BJTR
F-Secure Anti-Virus    
Found Backdoor.Win32.IRCBot.dkb
Ikarus    
Found VirTool.Win32.DelfInject.AL
Kaspersky Anti-Virus    
Found Backdoor.Win32.IRCBot.dkb
NOD32    
Found Win32/IRCBot.AAH
Norman Virus Control    
Found nothing
Panda Antivirus    
Found W32/IRCBot.CAY.worm
Sophos Antivirus    
Found Mal/Generic-A
VirusBuster    
Found nothing
VBA32    
Found Backdoor.Win32.IRCBot.dkb

REDACTED

  • Guest
Re: New User with multiple viruses that somehow got past Avast...
« Reply #21 on: September 22, 2008, 06:26:15 AM »
just finished malware scan, said all was ok; nothing bad found

Here are the results for the last file from "suspect":
File: CR-DVC45.exe
Status: INFECTED/MALWARE
MD5: 4af9dd7a51aba1ad838af605e8a80223
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
Scanner results
Scan taken on 22 Sep 2008 04:24:45 (GMT)
A-Squared    
Found Generic.Graybird!ik
AntiVir    
Found TR/Spy.Bancos.GN
ArcaVir    
Found nothing
Avast    
Found Win32:Spyware-gen
AVG Antivirus    
Found PSW.Banker4.ADRO
BitDefender    
Found Trojan.Generic.377002
ClamAV    
Found nothing
CPsecure    
Found SpamTool.W32.Agent.v
Dr.Web    
Found nothing
F-Prot Antivirus    
Found nothing
F-Secure Anti-Virus    
Found nothing
Ikarus    
Found Generic.Graybird
Kaspersky Anti-Virus    
Found nothing
NOD32    
Found nothing
Norman Virus Control    
Found W32/Banker.BWMM
Panda Antivirus    
Found Trj/Banker.FWD
Sophos Antivirus    
Found nothing
VirusBuster    
Found nothing
VBA32    
Found Trojan.Win32.Drone.h
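Added example, not code from the thread or from Jotti: a small Python parser for the scanner listings posted above (scanner name on one line, "Found ..." on the next), which reports how many engines flagged the file, which reported it clean, and the family tokens the verdicts share, so multi-engine results can be triaged rather than eyeballed. The sample listing and its MD5 are constructed, not a real scan.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Jotti listings posted in this thread.
# Not a real scan result; the MD5 is a placeholder.
SAMPLE = """\
File:      sample.bat
Status:
INFECTED/MALWARE
MD5:    00000000000000000000000000000000
Packers detected:
-
Scanner results
Scan taken on 22 Sep 2008 04:06:51 (GMT)
A-Squared
Found Worm.Win32.Viking.ex!ik
Avast
Found Win32:Monga
AVG Antivirus
Found nothing
ClamAV
Found nothing
Kaspersky Anti-Virus
Found Worm.Win32.AutoRun.epk
NOD32
Found Win32/PSW.OnLineGames.NMY
"""

# Platform/class prefixes that carry no family information
NOISE = {"win32", "w32", "worm", "trojan", "tr", "mal", "gen", "generic"}

def parse_results(text):
    """Return (filename, md5, {scanner: verdict or None}) from a Jotti-style listing."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    filename = md5 = None
    verdicts = {}
    for i, line in enumerate(lines):
        if line.startswith("File:"):
            filename = line.split(":", 1)[1].strip()
        elif line.startswith("MD5:"):
            md5 = line.split(":", 1)[1].strip()
        elif i + 1 < len(lines) and lines[i + 1].startswith("Found "):
            verdict = lines[i + 1][len("Found "):]
            # "Found nothing" means the engine reported the file clean
            verdicts[line] = None if verdict == "nothing" else verdict
    return filename, md5, verdicts

def summarize(verdicts):
    """Detection count, engine count, engines reporting clean, and family token counts."""
    hits = [v for v in verdicts.values() if v is not None]
    clean = sorted(s for s, v in verdicts.items() if v is None)
    tokens = Counter(w.lower() for v in hits for w in re.findall(r"[A-Za-z0-9]+", v)
                     if w.lower() not in NOISE)
    return len(hits), len(verdicts), clean, tokens

if __name__ == "__main__":
    name, md5, verdicts = parse_results(SAMPLE)
    detected, total, clean, tokens = summarize(verdicts)
    print(f"{name} ({md5}): {detected}/{total} engines flagged it; clean: {clean}")
    print("family tokens:", tokens.most_common(5))
```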

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: New User with multiple viruses that somehow got past Avast...
« Reply #22 on: September 22, 2008, 06:50:36 AM »
It looks like SAS may have gotten most of it. The avast detections were good ones.

Open hjt and check mark this line and click fix checked
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe

Then delete the file. 

I'll turn this back to wyrmrider and polonus.
« Last Edit: September 22, 2008, 06:56:45 AM by oldman »

REDACTED

  • Guest
Re: New User with multiple viruses that somehow got past Avast...
« Reply #23 on: September 22, 2008, 06:55:26 AM »
Rogue remover found nothing.

Dr. Web found nothing

superantispyware found nothing

attached hjack log just ran last

I disabled from startup those items suggested. Deleted ask toolbar

what do I do with the viruses in quarantine/ virus chest areas?
Do I delete folder "suspect" now?

REDACTED

  • Guest
Re: New User with multiple viruses that somehow got past Avast...
« Reply #24 on: September 22, 2008, 07:04:48 AM »
Quote
Open hjt and check mark this line and click fix checked
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe

Fix checked seemed to remove/delete the file.

Last question I hope (along with those few in previous post)
How do I get my computer to open directory normally when I double click on any of the drives in the "My computer" window? It still asks me what program I wish to use to open this file. I can access the directories through "folders" mode on the left panel, but never directly from the right panel.


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: New User with multiple viruses that somehow got past Avast...
« Reply #25 on: September 22, 2008, 07:07:13 AM »
Quote
what do I do with the viruses in quarantine/ virus chest areas?
Do I delete folder "suspect" now?
They can't harm you there.

Yes you can delete the folder.

You may want to run an online scan as someone, I think, has suggested.

ESET:
http://www.eset.eu/online-scanner is a good one.

 ESET Online Scanner Frequently Asked Questions
http://www.eset.com/onlinescan/cac4.php?page=faq

I'll have to research why the drive won't open. I'll get back to you.

REDACTED

  • Guest
Re: New User with multiple viruses that somehow got past Avast...
« Reply #26 on: September 22, 2008, 07:17:37 AM »
Thank you oldman and wyrmrider (and others) for your kindness, and sacrifice of your time.

God Bless

Will check back tomorrow to see if you found out the answer to my directory problem...


REDACTED

  • Guest
Re: New User with multiple viruses that somehow got past Avast...
« Reply #28 on: September 22, 2008, 06:27:49 PM »
oldman, what do you recommend about the last post (deferred to your judgment)?
I ran ESET and it found 8 problems, but could not copy/create a report nor clean... what to do?

OLDMAN OR ANYONE WHO KNOWS:
what do you feel about "STOPzilla" I ran across it and downloaded it to try... later I see that it costs $20. I assume free is always better. Just overkill? drop it? How about PC Tools AntiVirus Free Edition™ 5, it is free.

Is it counter-productive to have AVAST and other virus software running at the same time as a defense system?

thanks again for your invaluable advice.

wyrmrider

  • Guest
Re: New User with multiple viruses that somehow got past Avast...
« Reply #29 on: September 22, 2008, 09:11:10 PM »
can you summarize what ESET found
not in restore or in a quarantine file?

there are lots of reliable apps

Stopzilla, well, google it; anything good said is from those who profit from it.
It will cause many more problems than it will ever solve;
all it will do is give you false reasons to purchase and relieve you of $20.

on demand Free Scanners
Spybot Search and Destroy
A-Squared
Malware Bytes Anti Malware
Super Anti Spy
Ad-Aware


Free  real time
Windows Defender
PC tools is an excellent product if you have the resources to run it
Spybot TeaTimer
a few others
BO Clean
Threat fire

several on line AV scanners
Dr Web- did that
Kaspersky
Panda
Bit Defender- will remove
etc

could you run a Kaspersky online scan; it will not remove anything but has excellent detections


I have not used ESET much- anyone know how to extract a report?
did the help link help?

all much better choices than Stopzilla and other

In one of your posts you said that you had posted the MBAM and SAS logs in post 9.
True, that told us what to look for,
but we also need the after clean-up log to see if anything was missed, and then a HJT to see if, in this case, MBAM and SAS got the bad stuff.

once you look at the ESET log if what is there is just in restore we can clean up system restore and set a new restore point
If what ESET found was nasty and live let us know

I'd also like to see a scan with Spybot Search and Destroy  from
http://www.safer-networking.org/en/mirrors/index.html
quarantine any hits

I've been away
did we ever determine what this is/was?
ProtectService\ProtectService.exe

I still have not seen an after "REMOVE SELECTED" MBAM log. Did I miss it somewhere?
« Last Edit: September 22, 2008, 09:25:32 PM by wyrmrider »