Author Topic: Antivirus Pro 2010 not detected by Avast Home  (Read 51995 times)

Dch48

  • Guest
Re: Antivirus Pro 2010 not detected by Avast Home
« Reply #60 on: October 12, 2009, 08:48:13 AM »
Well I posted more in response to the title of the thread and the question of how something could get past Avast! I attempted to further explain how something can get past Avast! (or anything else) if the authors of the malware have changed the app without changing the name of it. I also didn't see anybody mention SuperAntiSpyware as a removal tool so I threw that in as well. I certainly didn't mean to step on anyone's toes.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Antivirus Pro 2010 not detected by Avast Home
« Reply #61 on: October 12, 2009, 09:33:34 AM »
Hey, no toes stepped on, here, I welcome any input to help someone with malware.
In this case, I didn't think it was especially relevant, because of the user's inability to run programs, that's all.
And you're right; nobody did recommend SAS in this thread. My mistake, there.
Windows 10,Windows Firewall,Firefox w/Adblock.

Meteora

  • Guest
Re: Antivirus Pro 2010 not detected by Avast Home
« Reply #62 on: October 13, 2009, 04:50:00 AM »
Thanks for all the help, guys. You are wonderful people. ;D

On the third page, I posted a picture about AOL Explorer...can someone tell me if it has the features of IE8 or not? Is it not safe? I'm not going to use it if it's not safe but it is my favorite browser...and I just want to know how to check if it has all the things that make it safe, like no script in firefox, etc.

Shubham, thanks for wanting to help so much, but all those programs were the first thing I considered and downloaded. This crappy malware kills all of them instantly. It's insane. First it's MBM (even followed the instructions to make it not get detected by saving the setup as a different name as well as the application exe file, and did nothing), then Spyware Doctor, then SuperAntiMalware, then Avast boot scan which somehow disables my keyboard so I can't delete the damn infected files, NOD32, then Viper, then even my full Symantec security system my bro got from his college, did nothing. Well at least, I wasn't able to install it right. Safe mode apparently is not even safer than normal mode (at least I can install stuff in normal mode). I'm now giving NOD32 another shot, and it just finished the scan and I'm going to see what it needs to do next. Then after that I'm trying Viper (only installed it, didn't use it) then maybe I'll run Symantec again...after that...I will manually delete all the crap from regedit (I could have done this last week but I heard it could break my computer, so I imported all my valuable files to the laptop I'm trying to install Dell software on lol).

Some mentioned earlier that viruses can screw up the very files one has, and, of course I believe that, but for some reason, out of the 50 times I've been infected with online stds none of my files broke down. Oh well, I mean they are a lot of files...pictures...movies...music...hopefully I will not notice anything in the long run. No way am I going to check these files individually to see if they work or not.

Hold up, if I do a full computer scan and if one of my valuable files is infected, will it just tell me and ask me if I want to get rid of it? Since I was always under the assumption, a scanner just deletes what you got infected by, not necessarily what got infected, whatever that means. Not sure if it means the file is missing parts to it, or has something attached to it that prevents it from working.

Last question, if a file I want is infected is it possible to get it cleaned and cured? I ran into this while searching: http://forum.kahuki.com/general-discussions/3967-does-virus-scanner-clean-heal-file-delete-file.html

I wonder if you guys have to say the same thing. I sure wouldn't want to delete something I like so much...k get back to me.

-Edit- Just found out the links Soure gave on the third page for me are useless...as I mentioned my disc drive has long since been dead, lol. Crap...oh well, gonna have to go another route...probably a risky one.
« Last Edit: October 13, 2009, 05:17:34 AM by Meteora »

Dch48

  • Guest
Re: Antivirus Pro 2010 not detected by Avast Home
« Reply #63 on: October 13, 2009, 07:30:39 AM »
Some scanners can delete both the virus itself and the files it has injected itself into, some can remove the injected code without having to delete the file (sometimes). Some infected files can sometimes be cleaned is the best answer I can offer. Most scanners can attempt to clean the file and if that is not possible, place it in quarantine or delete it. There is no simple yes or no answer. It depends on the virus and on the capabilities of the scanner or scanners used.
« Last Edit: October 13, 2009, 07:33:39 AM by Dch48 »

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Antivirus Pro 2010 not detected by Avast Home
« Reply #64 on: October 13, 2009, 07:44:14 AM »
Quote
Quote from: Soure73 on 10-10-2009, 20:51:06
I see that you can't do any scan because the virus is blocking your attempts :(
 Download this from a clean computer and burn a cd: 
    http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html
    http://www.techmixer.com/bitdefender-rescue-cd-with-auto-update-virus-definition-features/
    http://www.freedrweb.com/livecd/ 

 Good luck!
 PS: Have you tried a boot time scan with Avast?
     

I will try that. Hopefully a USB will suffice, as my disc drive on my infected computer has not been working for almost a year now; has nothing to do with the recent virus though.
Maybe you should consider removing the drive from your computer, and slaving it to one that can run the rescue disk.
Or get a new CD/DVD drive for your own computer.
The link you posted above is for general malware cleaning questions, and at a fairly basic level. It's really only applicable if you are able to run scanners to start with.
Is Avast still functioning on your sick computer? (Sorry, I'm really not too sure on where you're up to.) If so, keep updating it and scanning with it after each update. If it can detect and remove any part of this malware, then it's time to try MBAM again.
Windows 10,Windows Firewall,Firefox w/Adblock.

Meteora

  • Guest
Re: Antivirus Pro 2010 not detected by Avast Home
« Reply #65 on: October 13, 2009, 05:18:25 PM »
Quote
Quote from: Soure73 on 10-10-2009, 20:51:06
I see that you can't do any scan because the virus is blocking your attempts :(
 Download this from a clean computer and burn a cd:  
    http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html
    http://www.techmixer.com/bitdefender-rescue-cd-with-auto-update-virus-definition-features/
    http://www.freedrweb.com/livecd/  

 Good luck!
 PS: Have you tried a boot time scan with Avast?
      

I will try that. Hopefully a USB will suffice, as my disc drive on my infected computer has not been working for almost a year now; has nothing to do with the recent virus though.
Maybe you should consider removing the drive from your computer, and slaving it to one that can run the rescue disk.
Or get a new CD/DVD drive for your own computer.
The link you posted above is for general malware cleaning questions, and at a fairly basic level. It's really only applicable if you are able to run scanners to start with.
Is Avast still functioning on your sick computer? (Sorry, I'm really not too sure on where you're up to.) If so, keep updating it and scanning with it after each update. If it can detect and remove any part of this malware, then it's time to try MBAM again.

Avast wasn't bad, it's just that when it was doing a boot scan, my keyboard somehow goes dead...even though the rest of my USB devices (USB drive, and I think my scanner, and other stuff connected via USB) are working. I know my USB drive is, since there's light coming from it.

The keyboard has the green light where the caps and num locks are, but when avast starts doing the boot scan the lights go off, and my keyboard no longer functions at this point. Someone recommended virtual keyboard but that can only be accessed via start mode, so that's not a possibility. Wonder why avast just won't let you use your mouse or something, not that I can even navigate the mouse cursor during boot scan or anything. It's really dumb...

MBM will never work. It always shuts down exactly at 4-5 seconds into a scan.

Forgot to say this in my last post, anyone should google "Windows Smart Security" and see just how many results there are about it. There were absolutely zero the night I got infected, and one by the next morning. There are at least 10 now, and each result links to an antimalware program, for some reason. Maybe the authors do not realize or have actually got infected with WSS, which will disable 99% of anti-malware, especially the ones they advocated.

I have yet to try their secondary methods, which is the manual removal of this garbage. I will do it when I have completely transferred all files I care about, since they said manual removal may destroy my computer (since some registry are apparently random and we have to guess for these ones). If my XP goes bad, sending it to a Lebanese guy I know who's familiar with computers and fixing, lol.
« Last Edit: October 13, 2009, 05:23:33 PM by Meteora »

lloyd3

  • Guest
Re: Antivirus Pro 2010 not detected by Avast Home
« Reply #66 on: October 14, 2009, 05:41:30 AM »
Hello all!

I'm using my laptop to write this as my desktop is still infected. It seems that I should have used Avast Pro (as I have in the past) and not the home edition. Ongoing unemployment has me cutting costs that perhaps I shouldn't?

I've tried just about everything mentioned in earlier posts to no avail. Antivirus Pro 2010 is still running things (by disabling Avast and just about everything else). I've backed up my personal stuff and my Outlook to a thumbdrive and am ready to do something drastic to this older desktop (circa 2004). Was a consensus ever arrived at as to how to kill this thing without gutting the present operating system?

Is there a simple fix that really works? 

LM

Meteora

  • Guest
Re: Antivirus Pro 2010 not detected by Avast Home
« Reply #67 on: October 14, 2009, 09:24:49 AM »
No, there is no fix for this, at least nothing you can download to get rid of it.

Also I was wondering if having avast pro with script blocking, allows me to browse with any browser and be safe?

Also wondering how I got infected in the first place, because I had avast pro running. Is it because I had a demo version or something?

Meteora

  • Guest
Re: Antivirus Pro 2010 not detected by Avast Home
« Reply #68 on: October 14, 2009, 09:46:22 AM »
I am just about to go on holiday but do the following it should clear the majority

Please save this file to your desktop

THEN

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. 

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop.  Please open it with notepad and post the contents here.


FINALLY

Download Combofix from any of the links below. You must rename it before saving  rename it to Gotcha before saving it to your desktop.

Link 1
Link 2


==================================


Double click on the renamed ComboFix.exe & follow the prompts.
    When finished, it will produce a report for you. 
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Sorry, I was busy these past days.

I was able to do the first thing, however when I did the second thing, renaming that before downloading it, whenever I double click it, it opens up for like a millisecond then shuts down.

Anyway the Win32Diag report won't fit on here. It's too long. Should I email it to you?

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Antivirus Pro 2010 not detected by Avast Home
« Reply #69 on: October 14, 2009, 09:49:13 AM »
Quote
Also wondering how I got infected in the first place, because I had avast pro running. Is it because I had a demo version or something?
No. The demo version is the same as the fully subscribed. In the post quoted below:
Quote
As for Avast Free not having anti-script or whatever it is called, I think this is also the reason I got infected with "Windows Smart Security" that apparently got made around the time of the infection since I couldn't find one google result complaining about it until the next morning after the infection took place.
Probably vulnerable software was the reason. As you mention below, this was a new infection, not added to the database of most AV scanners. You were one of the lucky first to become infected with it. If you had been using a browser with no scripting, you would have been able to choose not to run the particular script that performed the drive by download (assuming that's what it was). Did you click on anything for the infection to occur? Or just visit the page hosting it?
In the absence of a reply to the contrary, I still think vulnerable software allowed this exploit in. Avast didn't detect it - script blocker or no - because, as you've indicated yourself, it's brand new. (Bad luck, really. And why I surf the web with Firefox and Noscript.)
If you were able to post a HJT log, a determination could be made as to what vulnerabilities might exist (or not) in your setup, but it's really a bit academic at this point. Still, would be interesting.

Did you try any of the other suggestions? Such as slaving the disk? Getting a new DVD/CD drive?
Windows 10,Windows Firewall,Firefox w/Adblock.

lloyd3

  • Guest
Re: Antivirus Pro 2010 not detected by Avast Home
« Reply #70 on: October 14, 2009, 05:11:25 PM »
Many thanks Meteora and Tarq57!

So..if I'm following correctly, even Avast Pro wouldn't have helped here (simply because it is such a "new" infection)?  Quite disappointing and a bit sobering. 

Should I wait for someone to come out with a newer, better Avast solution or shop the competition? Or, is the "layered" solution the only real answer for something like this?

LM

Meteora

  • Guest
Re: Antivirus Pro 2010 not detected by Avast Home
« Reply #71 on: October 14, 2009, 11:01:01 PM »
Quote
Also wondering how I got infected in the first place, because I had avast pro running. Is it because I had a demo version or something?
No. The demo version is the same as the fully subscribed. In the post quoted below:
Quote
As for Avast Free not having anti-script or whatever it is called, I think this is also the reason I got infected with "Windows Smart Security" that apparently got made around the time of the infection since I couldn't find one google result complaining about it until the next morning after the infection took place.
Probably vulnerable software was the reason. As you mention below, this was a new infection, not added to the database of most AV scanners. You were one of the lucky first to become infected with it. If you had been using a browser with no scripting, you would have been able to choose not to run the particular script that performed the drive by download (assuming that's what it was). Did you click on anything for the infection to occur? Or just visit the page hosting it?
In the absence of a reply to the contrary, I still think vulnerable software allowed this exploit in. Avast didn't detect it - script blocker or no - because, as you've indicated yourself, it's brand new. (Bad luck, really. And why I surf the web with Firefox and Noscript.)
If you were able to post a HJT log, a determination could be made as to what vulnerabilities might exist (or not) in your setup, but it's really a bit academic at this point. Still, would be interesting.

Did you try any of the other suggestions? Such as slaving the disk? Getting a new DVD/CD drive?

I still don't see what's the difference between script blocking in an AV and script blocking in a browser...isn't it just script blocking? Doesn't that only come from surfing the web?

Also what about IE8, safe also?

Finally what do you mean by slaving the disc? As for getting a new disc drive I will first send it to a guy who's handy with computers to figure out what is the best solution. I can count on him.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Antivirus Pro 2010 not detected by Avast Home
« Reply #72 on: October 15, 2009, 12:04:48 AM »
An AV will block known malicious scripts. Having set permissions in the browser (or a browser add-on) to "prompt" or "deny/disable", all scripting will be blocked.
Now that is a bit of a PITA when regular surfing, as the functionality/display of the site is/can be limited, until the user allows the particular script/s required. So the user can still stuff up. But has overall control, and I'd suggest that the average user probably does not know what scripting is safe to allow or not. Heck, I sure don't! I allow the minimum scripting in any site where it's blocked, to get the site to do what I want, which means, I generally don't allow third party scripts.

Remember, we're talking zero day malware. Stuff your AV already detects should be blocked by it, if encountered.
Personally, I think IE8 is as secure as any, provided the security permissions are tightened up. I don't know about running it with default settings.

Slaving the disk, means taking it out and connecting it to another clean computer. (You need to have someone who knows how to safely do this, so the malware can not get onto the clean computer.) The antimalware apps in the clean computer can then be used to clean the malware off the sick computer. (That's what they do at the shop.)
If you can count on your friend, and he knows how to deal with it, that is great. Hope it all goes well.

lloyd3: You're pretty much correct. And yes, it is a bit sobering. And a reason why most users who have experienced a computer infection decide to go for the layered setup.
For every "failure" story of a good AV to detect a new malware, there is also a "success" story. Swings and roundabouts. Might a different AV have blocked this before Avast ? Maybe. Probably.
Do users change AV's because of this sort of event? Yes.
Is that always wise to do? No.
But if the AV kept having repeated failures with new malware, where it transpired (after the event) that a number of other AVs were detecting it, then different options should definitely be looked at.
(Actually, that's how a lot of past users of some other AV's end up installing Avast. It's got a very good reputation in this, and other areas.)

The Pro version of Avast is worth getting for "push" updates, (when a new malware of a certain spread/criticality is detected, definitions updates are delivered to the Avast pro customers, immediately. Users of the Home version wait until a routine update check.) and the script blocking, which, as said above, will block known malicious scripts (AFAIK, I'm no expert on how it works.) But in the case of this infection, there were no definitions, unfortunately, at the time it was contracted. (Probably true for other AV's, too.)

An answer is layered protection. A whole different (and fairly big) subject. Which I have mentioned (in tiny part) here, with reference to script blocking.
« Last Edit: October 15, 2009, 12:07:04 AM by Tarq57 »
Windows 10,Windows Firewall,Firefox w/Adblock.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: Antivirus Pro 2010 not detected by Avast Home
« Reply #73 on: October 15, 2009, 01:02:41 AM »
PS, Avast 5 will include a type of behaviour blocking. (I don't know the details.) This will add another layer of protection.
The layers I currently use are in my sig.
Windows 10,Windows Firewall,Firefox w/Adblock.

Meteora

  • Guest
Re: Antivirus Pro 2010 not detected by Avast Home
« Reply #74 on: October 15, 2009, 09:02:27 AM »
May have answered this but where do I tell if a browser I'm using has script blocking? Where would it say?

Also I was wondering if my XP (not eyes and tongue sticking out :p lol kidding) had an option like my dell inspiron laptop to restore itself to factory condition, so I was wondering what this F8 Advanced Boot option meant: “direct services restore mode (windows domain controllers only)” in F8 of XP. What is this?

Thanks about the script thing, so the main difference is that with an AV they protect against known ones whereas with a browser you can have it prevent everything. This I guess is something the thread maker didn't know about, so even if he had avast pro he may have still gotten infected.

Also if an antivirus has script blocker or not, where would it usually say? And where do I check on a browser of my choice, if it has script blocking like firefox and IE8?