Author Topic: Avast Home v Schedule Boot  (Read 4946 times)


qim

  • Guest
Avast Home v Schedule Boot
« on: December 22, 2008, 12:52:39 PM »
I did a schedule boot and it found

File C:\Documents and Settings\All Users\Documents\xrktkl.exe is infected by Win32:Trojan-gen {Other}, Moved to chest

How is that possible if in between scheduled boots the computer was ALWAYS protected by Avast?

Does that mean that scheduled boot knows about trojans that Avast Home does not?

qim

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Avast Home v Schedule Boot
« Reply #1 on: December 22, 2008, 01:01:54 PM »
Which is your Standard Shield security level?
Which is your virus database date version?
The best things in life are free.

qim

  • Guest
Re: Avast Home v Schedule Boot
« Reply #2 on: December 22, 2008, 01:09:28 PM »
Version: 081221-0 21/12/2008. I have automatic update, so the trojan would have got in with an updated version.

As for the security level, I am not sure where to look, but in 'On-access protection control' the slider is at Normal for all 6 providers.

Is this trojan a serious threat, and is it totally clean now, or it may have done some harm already?

Thanks for your help

qim

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Avast Home v Schedule Boot
« Reply #3 on: December 22, 2008, 02:12:46 PM »
To be sure you're clean, I suggest:

1. Clean your temporary files.
2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the files to Quarantine than to simply delete them.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or on this analysis site. Or even submit the RunScanner log to on-line analysis.
6. Disable System Restore and then re-enable it again.
7. Immunize your system with SpywareBlaster.
8. Check if you have insecure applications with Secunia Software Inspector.

As a second stage, I suggest a full computer on-line scanning:
Kaspersky (very good detection rates)
ESET NOD32
Trendmicro housecall
F-Secure
BitDefender (free removal of the malware)


Why did avast miss that infected file? Most probably you got it between avast updates and the detection signature was added in the meantime.

qim

  • Guest
Re: Avast Home v Schedule Boot
« Reply #4 on: December 22, 2008, 04:33:07 PM »
I did all you asked and here are the results: first, the virus found by BitDefender, and then the HijackThis log, done last.


Scanned File / Status

C:\Documents and Settings\Qim\Local Settings\Application Data\Identities\{B332EB8E-D832-45E9-829C-E897E4F6BEF7}\Microsoft\Outlook Express\Arquivo.dbx=>(message 2313): Fun-n-merry Christmas wishes from Alex
  Infected with: Generic.Peed.Eml.91E7CEC9
  Disinfection failed
  Deleted

C:\Documents and Settings\Qim\Local Settings\Application Data\Identities\{B332EB8E-D832-45E9-829C-E897E4F6BEF7}\Microsoft\Outlook Express\Arquivo.dbx
  Updated


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:26:23, on 22/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\mgabg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\POP Peeper\POPPeeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Qim\Local Settings\Temporary Internet Files\Content.IE5\8KL856VN\HiJackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?AuthParam=1218033047_184abef8741a08b71819a49cd3d884c2&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe

--
End of file - 6063 bytes

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Avast Home v Schedule Boot
« Reply #5 on: December 22, 2008, 09:20:24 PM »
C:\Documents and Settings\Qim\Local Settings\Application Data\Identities\{B332EB8E-D832-45E9-829C-E897E4F6BEF7}\Microsoft\Outlook Express\Arquivo.dbx=>(message 2313): Fun-n-merry Christmas wishes from Alex
 Infected with: Generic.Peed.Eml.91E7CEC9
I'm not an expert on cleaning... but take care when handling this, or you can lose all your emails while avast is trying to clean only a particular message. Better would be to open Outlook Express, go to that particular email, delete it, and empty the Outlook recycle items.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89061
  • No support PMs thanks
Re: Avast Home v Schedule Boot
« Reply #6 on: December 22, 2008, 11:52:48 PM »
It appears to have been dealt with.
Quote from: qim
C:\Documents and Settings\Qim\Local Settings\Application Data\Identities\{B332EB8E-D832-45E9-829C-E897E4F6BEF7}\Microsoft\Outlook Express\Arquivo.dbx
 Updated

I believe the arquivo.dbx is the sent items folder ?
If so, it isn't so serious if there was a problem that caused it to be corrupted. However, it makes me think: if this is the sent items folder, then it is alerting on an email that you sent, which would mean that at that time your system was infected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

qim

  • Guest
Re: Avast Home v Schedule Boot
« Reply #7 on: December 23, 2008, 10:58:33 AM »
Thank you all

For some strange reason I was unable to sign in since yesterday even if I had the correct username and password...

Anyway, the Arquivo.dbx is a folder where I archive old email (both inbound and outbound)

What I really need to know now is whether the TWO viruses/Trojans found by Avast and BitDefender are serious.

Thanks

qim

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: Avast Home v Schedule Boot
« Reply #8 on: December 23, 2008, 12:18:51 PM »
Quote from: qim
Anyway, the Arquivo.dbx is a folder where I archive old email (both inbound and outbound)

While they are inside the mailbox, I think not.
If you open the email, save the files, etc., well, then you could be in danger.
But I suggest you remove that particular email from your mailbox asap.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89061
  • No support PMs thanks
Re: Avast Home v Schedule Boot
« Reply #9 on: December 23, 2008, 02:58:11 PM »
@ qim

If the email in the archive dbx file is safely removed, no problem; even if it were still there, you would have to open it and most probably open an attachment, as that is effectively what would have contained any malware.

Well, it is possible that as new or updated signatures are added to the avast VPS file, it could catch something not previously found. The filename typically looks randomly generated, which is suspicious, and a google search only reveals this topic as a hit, which is also suspect if it were a legit file. It is hard to say what this was exactly, as the -gen detections are generic.

The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so that is trying to catch multiple variants of the same type of malware, and is a fine balance between detecting a new variant and detecting something valid as infected.

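The two points DavidR makes above (the -gen suffix marks a generic family signature, and a filename that "looks randomly generated" is a reason for suspicion but not a verdict) can be turned into a small triage script. This is an added example written for this thread, not code from avast or from any poster; the scan line it parses is the one qim pasted, the legitimate filenames are taken from the running-process list in his HijackThis log, and the randomness thresholds are my own assumptions rather than anything avast uses.

```python
"""Triage a boot-time scan hit: generic-vs-specific detection plus a
filename-randomness heuristic.  Example code for this thread, not avast's.
The sample line and filenames below are constructed from what the thread
quotes; the thresholds are assumptions chosen for this example."""
import re

# Format of the result line qim pasted from the avast boot-time scan.
AVAST_HIT = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<name>\S+) (?P<info>\{[^}]*\}), (?P<action>.+)$"
)

VOWELS = set("aeiouy")


def parse_avast_hit(line):
    """Return path, detection name, info tag and action from an avast hit line,
    plus whether the name carries the '-gen' generic-signature suffix."""
    m = AVAST_HIT.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    d["generic"] = d["name"].lower().endswith("-gen")
    return d


def stem(path):
    """Lower-case file name without directory or extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name.rsplit(".", 1)[0]


def longest_consonant_run(s):
    """Length of the longest run of consecutive consonant letters."""
    best = cur = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def vowel_ratio(s):
    """Share of letters that are vowels (0.0 when there are no letters)."""
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def looks_random(path, max_run=4, min_vowel_ratio=0.15):
    """Heuristic: pronounceable names have vowels and short consonant runs.
    Thresholds (assumed) flag names like 'xrktkl' that a human would not pick."""
    s = stem(path)
    return longest_consonant_run(s) > max_run or vowel_ratio(s) < min_vowel_ratio


def triage(line):
    """Combine both checks into one record for a scan hit line."""
    hit = parse_avast_hit(line)
    if hit is None:
        return None
    hit["random_name"] = looks_random(hit["path"])
    return hit


# Constructed sample: the hit qim reported, and process names from the
# HijackThis log he posted (all of those are legitimate software).
SAMPLE_HIT = (
    r"File C:\Documents and Settings\All Users\Documents\xrktkl.exe "
    r"is infected by Win32:Trojan-gen {Other}, Moved to chest"
)
LEGIT_NAMES = ["ashDisp.exe", "mgabg.exe", "ctfmon.exe", "PDesk.exe", "hpztsb07.exe"]

if __name__ == "__main__":
    rec = triage(SAMPLE_HIT)
    print(f"{stem(rec['path'])}: {rec['name']} generic={rec['generic']} "
          f"random_name={rec['random_name']} action={rec['action']!r}")
    for n in LEGIT_NAMES:
        print(f"{n}: random_name={looks_random(n)}")
```

Running it flags xrktkl.exe as both a generic detection and a random-looking name, and leaves ashDisp.exe, mgabg.exe, ctfmon.exe and PDesk.exe alone, but it also flags hpztsb07.exe, the HP taskbar utility from the same log. That false positive is the "fine balance" DavidR describes: a flag from a heuristic like this is a reason to look the file up or submit it, never a verdict on its own.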