Author Topic: VBS Malware Gen keeps coming back  (Read 18714 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89127
  • No support PMs thanks
Re: VBS Malware Gen keeps coming back
« Reply #15 on: June 05, 2009, 03:47:10 PM »
<snip>
Trojan.Unknown Origin
   C:\COMBOFIX\PEV.EXE
   C:\WINDOWS\PEV.EXE

This really is nothing to be too worried about as firstly it looks like combofix also detected this and I would have thought that would have deleted it and/or put it in the combofix quarantine (so it shouldn't be detected in that area), but it doesn't appear to have either deleted the original (or that has been restored) nor has it moved it to its quarantine area.

As I mentioned before in other topics, and mkis said here, tracking cookies are much ado about nothing, but always let SAS take care of them. Have your browser block (or not accept third party cookies) and periodically clear cookies from your system.

I don't see anything obvious in your HJT log other than:
You don't appear to have an active firewall - It should be capable of blocking unauthorised outbound Internet Connections. The Vista firewall does have outbound protection, but it is disabled by default (it isn't very user friendly, is rule based and you have to create the rules).

- Vista Firewall Control, http://www.sphinx-soft.com/Vista/index.html and this, http://www.sphinx-soft.com/Vista/faq.html. Also check out this topic for a more user friendly Firewall control, Outbound protection, http://forum.avast.com/index.php?topic=30234.0.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

cindyk

  • Guest
VBS Malware Gen no longer detected by avast!!
« Reply #16 on: June 06, 2009, 08:56:20 AM »
Thanks so much for all the help.
I haven't had any trouble today.
If you know anything more about pev.exe, let me know.
My machine is new and I want to keep it clean and fit.

I downloaded Vista Firewall control.
Do I need Winpatrol in addition or is that enough??

Thanks again for the quick replies!!


cindyk

  • Guest
Re: VBS Malware Gen keeps coming back
« Reply #17 on: June 06, 2009, 08:57:37 AM »
Last question: Do I delete the quarantined files from SAS and AVAST?

Thanks again!!


Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: VBS Malware Gen keeps coming back
« Reply #18 on: June 06, 2009, 10:36:50 AM »
All cred to you cindyk

Quote
Do I need Winpatrol in addition or is that enough??
It's up to you really. I like WinPatrol, and others in the Forum use it. But looking for the right firewall for you to have as part of your defense is the main point. There's no doubt that WinPatrol is among the best. I'm getting to like Online Armor, which will probably end up my first preference.  http://www.tallemu.com/

Quote
if you know anything more about pev.exe let me know
I think prev.exe can be lots of variants. But I haven't had any first hand experience. From what DavidR said I think you've done a good job of dealing to it.

Quote
Do I delete the quarantined files from SAS and AVAST?
You can keep quarantined files in avast for a while without worry. I'm not sure about SAS, I've only had those tracker cookie things with SAS and I just delete them. From what I gather, DavidR said they can be deleted - but probably best wait for confirmation.
« Last Edit: June 06, 2009, 11:50:03 AM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: VBS Malware Gen keeps coming back
« Reply #19 on: June 09, 2009, 02:01:47 PM »
Hi cindyk. Just checking back to see all is going okay.

If you haven't cleaned out your quarantines, and nothing new has happened, you may as well do it now.

Run a normal search of your drives with keyword prev.exe and see if anything turns up.
Run your scans and if same things turn up, then delete them.

Otherwise, I think you're fine with everything.

In case you haven't come across this link yet, here are directions for using a Flash Disinfector for ensuring that your USB drives are also kept clean of infections.

http://forum.avast.com/index.php?topic=43474.msg363657;topicseen#msg363657


Edit - sorry about this but the Flash Disinfector link above no longer clicks through.
If you haven't already found a good link, try the one below.

FLASH DISINFECTOR

http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe



« Last Edit: June 16, 2009, 08:31:32 AM by mkis »

cindyk

  • Guest
Re: VBS Malware Gen keeps coming back
« Reply #20 on: June 10, 2009, 03:15:38 AM »
Hello!

Thanks for checking back. You know, yesterday suddenly it reappeared, and definitely when least expected. Was making a back up on DVD with no other online activity and Avast detected the same VBS again. This was this morning and now it came back again. So definitely haven't gotten rid of it yet. I've been using a USB though, maybe the virus is in there.
So I'll do the USB clean you recommended.
I'm using the firewall control but still getting used to it. Do I have to choose enable every time I want to open a new page online?
I will take the time to read the help section of the firewall.

So I'll just start again with all the scans... It will take a while cos only have a few hours at night to do this..

I'm doing the search right now!

Keep you informed!

So grateful....... :)



Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: VBS Malware Gen keeps coming back
« Reply #21 on: June 10, 2009, 05:12:33 AM »
Hi cindyk.

I'm not up on the Vista firewall as I use XP, but the pros and cons of firewalls and Vista are discussed in the forum quite often. I use Online Armor, which has a 'remember' check box to help it to pick up my preferences, and also NoScript, which tracks my decisions for future reference. But most good firewalls will query sites the first time unless they have them down as trusted sites. And you're right, you have to get to know them through their Help sections. I'm still getting familiar with mine.

Same with the antivirus and antispyware. But if you're into it for the long term, it becomes second nature over time. And the person who knows a computer best is the one who uses it, so now you've got some weaponry aboard you can run out your defense routines to keep malware on back foot. Also, (re)infection through USB flash drives is very common all the time, so best keep them disinfected as a rule.

You seem to have a good grasp of what's needed so run the scans and use your quarantine, and keep your eye out for that prev.exe, which you want rid of once and for all - don't think was too bad a malware intrusion, but good housekeeping is always best policy. Run some of your own HjT scans as well and compare them with others in the forum, and with your last ones that were okayed here, so you get to know your system better. And don't hesitate to reply post if you have any difficulties.

Most important, take care out there. And we're not far away anyway.