Author Topic: infected now, avast, mbam, sas, spybot S&D fail to find it  (Read 20597 times)


Offline Omid Farhang

  • Malware Hunter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Omid's Site
infected now, avast, mbam, sas, spybot S&D fail to find it
« on: March 31, 2009, 01:09:43 AM »
I decided to test how protected I am!!
I paused the avast! Web Shield and Standard Shield, downloaded a virus sample from the TheSerials.com (infected) web site, ran it as administrator and waited to see what would happen, then ran avast! again. Now I am infected; after a scan with avast, avast found these:

Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\Omid Farhang\AppData\Local\Temp\VRTD280.tmp" file. 
Sign of "Win32:JunkPoly [Cryp]" has been found in "D:\Desktop\microsoft_office__enterprise.exe" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\Omid Farhang\AppData\Local\Temp\VRTF6ED.tmp" file. 
Sign of "Win32:Vitro" has been found in "C:\Windows\System32\conime.exe" file. 
Sign of "Win32:Vitro" has been found in "C:\Windows\System32\dllhost.exe" file. 
Sign of "Win32:Vitro" has been found in "C:\Windows\System32\cacls.exe" file. 
Sign of "Win32:Vitro" has been found in "C:\Windows\System32\msdtc.exe" file. 
Sign of "Win32:Vitro" has been found in "C:\Windows\System32\SearchFilterHost.exe" file. 
Sign of "Win32:Vitro" has been found in "C:\Windows\System32\SearchProtocolHost.exe" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\Temp\VRT48B2.tmp" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\Temp\VRT8813.tmp" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\Temp\VRT30CF.tmp" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\Temp\VRT698C.tmp" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\Temp\VRTA15E.tmp" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\Temp\VRT4B92.tmp" file. 
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\Temp\VRT5996.tmp" file. 

I watched and found suspicious transfers in these places:
TCP and HTTP to/from these IPs, using these processes:
WMIPRVSE.EXE   WMI Provider Host
WINLOGON.EXE   Windows Logon Application
211.95.79.6
218.93.205.24

After every send/receive to these bad IPs, avast! found a new "Win32:Trojan-gen {Other}" in "C:\Windows\Temp\VRTXXXX.tmp".

OK, and now after a scan with MBAM, SAS and avast I could not find anything; only normal processes with their usual command lines are running on my computer. I will post my HijackThis log now in the reply.
« Last Edit: March 31, 2009, 01:20:44 AM by Omid Farhang »

Omid Farhang
Re: infected now, avast, mbam, sas fail to find it
« Reply #1 on: March 31, 2009, 01:11:13 AM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:43 AM, on 3/31/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Windows\VM305_STI.EXE
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Toshiba\Utilities\VolControl.exe
C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Foxmarks\IE Extension\foxmarkssync.exe
C:\Users\Omid Farhang\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Auslogics\Auslogics BoostSpeed\BoostSpeed.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe
C:\Windows\Explorer.exe
D:\Downloads\TrendMicro\HijackThis™\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.live.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [BigDog305] C:\Windows\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [OutpostMonitor] C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [Babylon Client] C:\PROGRAM FILES\Babylon\BABYLON-PRO\Babylon.exe  -AutoStart
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] C:\PROGRAM FILES\COMMON FILES\Adobe\CS4SERVICEMANAGER\CS4SERVICEMANAGER.EXE  -launchedbylogin

Omid Farhang
Re: infected now, avast, mbam, sas fail to find it
« Reply #2 on: March 31, 2009, 01:12:29 AM »
O4 - HKLM\..\Run: [TOSHIBA Volume Indicator] C:\PROGRAM FILES\Toshiba\UTILITIES\VOLCONTROL.EXE
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Foxmarks] C:\Program Files\Foxmarks\IE Extension\foxmarkssync.exe -q
O4 - HKCU\..\Run: [Google Update] C:\Users\OMID FARHANG\AppData\Local\Google\Update\GOOGLEUPDATE.EXE  /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] C:\PROGRAM FILES\DAEMON TOOLS LITE\daemon.exe  -autorun
O4 - HKCU\..\Run: [Auslogics BoostSpeed 4] C:\Program Files\Auslogics\Auslogics BoostSpeed\boostspeed.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth Monitor.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Foxmarks\IE Extension\foxmarksdll.dll (HKCU)
O9 - Extra 'Tools' menuitem: Foxmarks Favorites Synchronizer... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Foxmarks\IE Extension\foxmarksdll.dll (HKCU)
O13 - Gopher Prefix:
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: @comres.dll,-947 (COMSysApp) - Unknown owner - C:\Windows\system32\dllhost.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12866 bytes
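As an added example (not from the thread, and not code from avast! or Trend Micro), here is a small Python triage script for the two log formats quoted above: it parses the avast! alert lines and the HijackThis O23 service entries, groups detections by where the file lives, and cross-references detected binaries with services that HijackThis reports as "(file missing)". The sample lines are copied from this thread; the regexes, directory classes and function names are my own assumptions about the formats.

```python
import re
from collections import Counter, defaultdict

# Alert lines as avast! printed them in the thread, in both the scan-report form and the
# timestamped log form; the regex only cares about the quoted signature and path.
AVAST_SAMPLE = r"""
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Users\Omid Farhang\AppData\Local\Temp\VRTD280.tmp" file.
Sign of "Win32:JunkPoly [Cryp]" has been found in "D:\Desktop\microsoft_office__enterprise.exe" file.
Sign of "Win32:Vitro" has been found in "C:\Windows\System32\conime.exe" file.
Sign of "Win32:Vitro" has been found in "C:\Windows\System32\dllhost.exe" file.
Sign of "Win32:Vitro" has been found in "C:\Windows\System32\msdtc.exe" file.
Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Windows\Temp\VRT48B2.tmp" file.
3/31/2009 3:56:00 AM - System - 1828 (ashServ.exe) - Sign of "Win32:Vitro" has been found in "C:\Windows\System32\msfeedssync.exe" file.
""".strip().splitlines()

# A few HijackThis lines from the same log; the O20 line shows that non-O23 lines are skipped.
HJT_SAMPLE = r"""
O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: @comres.dll,-947 (COMSysApp) - Unknown owner - C:\Windows\system32\dllhost.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
""".strip().splitlines()

AVAST_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.')
HJT_O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - '
                        r'(?P<path>[A-Za-z]:\\.+?\.exe)(?P<missing> \(file missing\))?\s*$')
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
TEMP_DIRS = ('\\appdata\\local\\temp\\', 'c:\\windows\\temp\\')


def parse_avast(lines):
    """Return (signature, path) pairs; lines without an avast alert are ignored."""
    return [(m['sig'], m['path']) for m in map(AVAST_RE.search, lines) if m]


def classify(path):
    """Infected OS binaries point to a file infector; temp-folder hits to a dropper."""
    p = path.lower()
    if p.startswith(SYSTEM_DIRS):
        return 'system_binary'
    if any(t in p for t in TEMP_DIRS):
        return 'temp_dropper'
    return 'other'


def parse_hjt_services(lines):
    """Map lower-cased O23 service binary path -> {name, vendor, missing}."""
    services = {}
    for line in lines:
        m = HJT_O23_RE.match(line)
        if m:
            services[m['path'].lower()] = {'name': m['name'], 'vendor': m['vendor'],
                                           'missing': m['missing'] is not None}
    return services


def triage(avast_lines, hjt_lines):
    hits = parse_avast(avast_lines)
    services = parse_hjt_services(hjt_lines)
    by_class = defaultdict(list)
    for sig, path in hits:
        by_class[classify(path)].append((sig, path))
    # Detected binaries that HijackThis now reports as "(file missing)": verify these on disk
    # (quarantined? deleted? a HijackThis path-resolution quirk?) before drawing conclusions.
    missing = [path for _, path in hits if services.get(path.lower(), {}).get('missing')]
    return {'sig_counts': Counter(sig for sig, _ in hits),
            'by_class': dict(by_class),
            'detected_then_missing': missing}


if __name__ == '__main__':
    report = triage(AVAST_SAMPLE, HJT_SAMPLE)
    for sig, n in report['sig_counts'].most_common():
        print(f'{n:3d}  {sig}')
    for cls, items in report['by_class'].items():
        print(cls, [p for _, p in items])
    print('detected, now missing per HJT:', report['detected_then_missing'])
```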

Omid Farhang
Re: infected now, avast, mbam, sas fail to find it
« Reply #3 on: March 31, 2009, 01:14:43 AM »
Now I've blocked these IPs and did not get any more alerts from avast!, but those 2 processes are still trying to connect to those IP servers in China; the IPs are blocked, so they cannot:
211.95.79.6
218.93.205.24

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67250
Re: infected now, avast, mbam, sas fail to find it
« Reply #4 on: March 31, 2009, 01:15:29 AM »
Well, you like to live dangerously... ;D
Why don't you use vmware virtual environments to test?
The best things in life are free.

Omid Farhang
Re: infected now, avast, mbam, sas fail to find it
« Reply #5 on: March 31, 2009, 01:18:19 AM »
Quote from: Lisandro
Well, you like to live dangerously... ;D
Why don't you use vmware virtual environments to test?
Because I like to take the risk and see and feel them in real action; I want to feel their real impact on system performance and their actions for real, not in a virtual one... :)

Lisandro
Re: infected now, avast, mbam, sas, spybot S&D fail to find it
« Reply #6 on: March 31, 2009, 01:26:43 AM »
Quote from: Omid Farhang
I want to feel their real impact on system performance and their actions for real, not in a virtual one... :)
I hope you don't have that much to lose... documents and data, on this particular computer...
In fact, the impact or infection in a virtual environment will be the same as in a real one... just that you can back up (take a snapshot of) the system and have it clean again in 10 seconds...

Omid Farhang
Re: infected now, avast, mbam, sas, spybot S&D fail to find it
« Reply #7 on: March 31, 2009, 01:33:09 AM »
Quote from: Lisandro
I hope you don't have that much to lose... documents and data, on this particular computer...
In fact, the impact or infection in a virtual environment will be the same as in a real one... just that you can back up (take a snapshot of) the system and have it clean again in 10 seconds...
Anyway, now I'm infected and I got one more alert, and I don't know where to look for the source of these alerts!!!

3/31/2009 3:56:00 AM - System - 1828 (ashServ.exe) - Sign of "Win32:Vitro" has been found in "C:\Windows\System32\msfeedssync.exe" file.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85373
  • No support PMs thanks
Re: infected now, avast, mbam, sas, spybot S&D fail to find it
« Reply #8 on: March 31, 2009, 01:56:38 AM »
Well, Vitro is an alias for Virut, which is a virulent .exe file infector, so you're lucky to get away with so few infected files.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.5.2470 (build 21.5.6354.675) UI 1.0.646/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Omid Farhang
Re: infected now, avast, mbam, sas, spybot S&D fail to find it
« Reply #9 on: March 31, 2009, 03:28:49 PM »
OK! Now my system is clean, but only with a clean install of Windows...! avast killed my Windows!!

The file logonUI.exe got infected and avast! could not clean it, and deleted it...! I could not get back into Windows after the reboot, and I decided to re-install Windows instead of repairing...

DavidR
Re: infected now, avast, mbam, sas, spybot S&D fail to find it
« Reply #10 on: March 31, 2009, 04:13:07 PM »
No, let's get that straight: 'you' killed your Windows by infecting it deliberately with a virulent .exe file infector. One that, had you checked the forums, has resulted in virtually all ending up formatting and starting again.

As I said in my last post:
Quote from: DavidR
Well, Vitro is an alias for Virut, which is a virulent .exe file infector, so you're lucky to get away with so few infected files.

So it looks like you weren't so lucky, as it continued infecting files.

If you are going to take these risks then you really need to get your back-up and recovery strategy bulletproof first. Had you used hard disk imaging software and taken a disk image before, when everything fell down you could have restored the hard disk image to as it was before the experiment. That would probably have taken 20-30 minutes tops to have your system as it was.

Or use VMware or some other virtual environment, but you chose not to do that; you could just as easily have seen this work in a virtual environment.

Quote from: Lisandro
Well, you like to live dangerously... ;D
Why don't you use vmware virtual environments to test?
Quote from: Omid Farhang
Because I like to take the risk and see and feel them in real action; I want to feel their real impact on system performance and their actions for real, not in a virtual one... :)

So I repeat again: avast didn't kill your system, 'you' did, by starting the experiment in the first place.

Omid Farhang
Re: infected now, avast, mbam, sas, spybot S&D fail to find it
« Reply #11 on: March 31, 2009, 05:16:29 PM »
OK! DavidR, I killed my system, so now a few questions:

1. What should the VRDB Generator do? Shouldn't it take a backup of important files like logonUI.exe and...?

2. Shouldn't a good antivirus be able to repair infected files?

3. That virus was working and had its own risks, but it did not remove any files; it was avast! that deleted my system files because of their infections. So now who caused the problem, the virus or my antivirus?

4. An antivirus should be able to clean an infected system; did avast do that for me?

Offline Mike Buxton

  • Full Member
  • ***
  • Posts: 155
Re: infected now, avast, mbam, sas, spybot S&D fail to find it
« Reply #12 on: March 31, 2009, 06:03:46 PM »
Quote from: Omid Farhang
OK! DavidR, I killed my system

This is not a chicken and egg problem:
you deactivated Avast and deliberately infected "yourself".


DavidR
Re: infected now, avast, mbam, sas, spybot S&D fail to find it
« Reply #13 on: March 31, 2009, 06:21:24 PM »
1. The VRDB only protects certain files, and you would have to have run the VRDB prior to infection. Whilst that may be one of them, it would have the same problems in repairing a file as in point 2 below. If the VRDB covered the file, e.g. it was included in a VRDB generation prior to infection, then the Repair button on detection would be available (and a repair can be attempted); otherwise the repair option would be greyed out.

2. There are many viruses that encrypt their infection and change the infection for each file that they infect; some are now using two levels of encryption to prevent repair. Vitro, Virut, etc. are particularly virulent. So you have to give avast a fighting chance to block/detect it before it gets established; disabling avast allows it to get established, and once established you are fighting a losing battle.

3. avast didn't delete your files; it detects the infected file and alerts you to it. 'You' chose what action to take (move to chest, delete, etc.), so 'you' make the choice and avast carries it out.

4. Notes 1 & 2 are the same for this: when you weight the battle against your AV by disabling it and then deliberately infecting your system, it doesn't give the AV a fighting chance. So in this case I'm afraid you reap what you sow.
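To make point 1 above concrete, here is an added toy model of an integrity baseline in the spirit of the VRDB. It is not avast!'s code, and the function names and in-memory record layout are my own assumptions; it shows that a file can only be checked and restored if it was recorded before it changed, and that a baseline generated after the infection simply records the infected bytes.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    with open(path, 'rb') as f:
        return hashlib.sha256(f.read()).hexdigest()


def generate_baseline(paths):
    """Record a hash and a full copy of each listed file. Only listed files are 'covered',
    mirroring the point that the VRDB protects certain files and only from the moment it ran."""
    baseline = {}
    for p in paths:
        with open(p, 'rb') as f:
            data = f.read()
        baseline[os.path.normcase(p)] = {'sha256': hashlib.sha256(data).hexdigest(), 'copy': data}
    return baseline


def check_and_repair(path, baseline):
    """'clean' if the file matches its record, 'repaired' if it was restored from the record,
    'repair_unavailable' if the file was never recorded (the greyed-out Repair button)."""
    key = os.path.normcase(path)
    if key not in baseline:
        return 'repair_unavailable'
    if sha256_of(path) == baseline[key]['sha256']:
        return 'clean'
    with open(path, 'wb') as f:
        f.write(baseline[key]['copy'])
    return 'repaired'


def tamper(path):
    """Stand-in for an infection: append a marker so the file no longer matches its record."""
    with open(path, 'ab') as f:
        f.write(b'<<simulated modification>>')


def demo():
    """Run the scenario in a temp dir with constructed files and return the outcomes."""
    d = tempfile.mkdtemp()
    try:
        covered, uncovered, untouched = (os.path.join(d, n) for n in ('a.exe', 'b.exe', 'c.exe'))
        for p in (covered, uncovered, untouched):
            with open(p, 'wb') as f:
                f.write(b'MZ original bytes of ' + os.path.basename(p).encode())
        baseline = generate_baseline([covered, untouched])   # b.exe deliberately not covered
        tamper(covered)
        tamper(uncovered)
        results = {
            'covered': check_and_repair(covered, baseline),      # 'repaired'
            'uncovered': check_and_repair(uncovered, baseline),  # 'repair_unavailable'
            'untouched': check_and_repair(untouched, baseline),  # 'clean'
            'covered_restored': sha256_of(covered) == baseline[os.path.normcase(covered)]['sha256'],
        }
        # A baseline generated AFTER the change just records the changed bytes, so the check
        # passes and nothing can be restored: the baseline has to predate the infection.
        late = generate_baseline([uncovered])
        results['late_baseline'] = check_and_repair(uncovered, late)  # 'clean', wrongly
        return results
    finally:
        shutil.rmtree(d, ignore_errors=True)


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k}: {v}')
```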

Omid Farhang
Re: infected now, avast, mbam, sas, spybot S&D fail to find it
« Reply #14 on: April 01, 2009, 01:08:56 PM »
The VRDB should back up all important system files, shouldn't it? avast! should keep the system able to boot.

I used the Repair button; when I clicked on it avast went to repair it and then told me it could not repair it, and I had no other option than move to chest or delete...

OK! Everything that I say, you would say I did it to my system! You don't want to accept/believe that avast! could not clean my system...

It's not bad to know that the main virus.exe file that I ran on my system was detected as a "Clean" file by avast.