Topic: Have I got infected?

Rodney78
Re: Have I got infected?
« Reply #15 on: November 07, 2010, 02:49:33 PM »
When I go to move the file to the chest I get "Error 4211 - the operation is not supported for this type of archive"!

Rodney78
« Reply #16 on: November 07, 2010, 02:58:10 PM »
Tried to quarantine it but I get "Error 4211 - the operation is not supported for this type of archive". Help!

Omid Farhang
« Reply #17 on: November 07, 2010, 03:27:05 PM »
Rodney78, unless you come with us step by step, we will not be able to help you.

CCleaner and MBAM and the avast! boot scan did not help, so are you still avoiding replying to my questions?
I don't know what your reason is...

I guess that detection might be a False Positive, but you may try another scanner and see what it says:
http://www.omidfarhang.com/computer/security/avira-rescuecd

Rodney78
« Reply #18 on: November 07, 2010, 04:01:33 PM »
Omid, I'm not quite sure where you're coming from. I have carried out every scan that has been suggested, except for an HJT log. So saying that "if I don't come with us step by step" doesn't make much sense.

In addition to that, saying that the Avast scan hasn't found anything when the boot-time scan has found something also confuses me.

I'd really like to know how I can check whether what the boot-time scan has found is a false positive.

Omid Farhang
« Reply #19 on: November 07, 2010, 04:05:31 PM »
> Omid, I'm not quite sure where you're coming from. I have carried out every scan that has been suggested, except for an HJT log. So saying that "if I don't come with us step by step" doesn't make much sense.

Sorry, I did not mean to offend you; if I said that in the wrong words, excuse me! :-[
You just ignored that log file, which is the most important thing for me to see an overview of your system without your personal info.

> I'd really like to know how I can check whether what the boot-time scan has found is a false positive.

Can you find that file again? Look in the Report/Logs, or if you remember the file path, find it and upload the file to http://www.virustotal.com/ and see the result; it would be nice if you shared the link to the result here too.

> In addition to that, saying that the Avast scan hasn't found anything when the boot-time scan has found something also confuses me.

Sometimes it happens, because of running malware or a similar problem, or rootkits.
« Last Edit: November 07, 2010, 04:07:26 PM by Omid Farhang »

Rodney78
« Reply #20 on: November 07, 2010, 06:12:45 PM »
No worries dude 8)

Ok, I had to run a 2nd boot scan to find the folder path ( C:\WINDOWS\Installer\d44d761.msp|>PCW_CAB_H15317_1|>EXCEL.EXE )

I submitted it to VirusTotal:

http://www.virustotal.com/file-scan/report.html?id=f457907d05a4d2dd71efb2890434fbdc7738a3b9f1ff1518811dd2d7ec1653ab-1289149572

and after analysis, Avast, Avast5, G Data identified it as Win32:Adware-gen.

Avast will not move it to the chest for some reason.  Would it be OK to delete this file and would it cause me any problems and would it come back?
« Last Edit: November 07, 2010, 06:15:16 PM by Rodney78 »

DigiDis
« Reply #21 on: November 07, 2010, 07:07:15 PM »
Can you move the file? To me it seems you can just delete that file, but to be sure try to rename it and even put it in some other location and restart your computer. If all seems fine then just delete it.

If for some reason you can't rename it, move it or delete it, download a Linux Ubuntu ISO, burn it to disc and start Ubuntu in LiveCD mode; then you can delete it from the Ubuntu file browser. And this live CD will come in very handy for many other things, especially since you can always boot to it and it has a web browser ready to go.

mag
« Reply #22 on: November 07, 2010, 07:46:23 PM »
G Data uses the avast engine, I believe, so I would be inclined to submit to avast first before doing anything else to the file. It may be an FP (rare with avast, but not unknown) if nothing else is detecting it.

Rodney78
« Reply #23 on: November 07, 2010, 07:54:33 PM »
I was thinking of submitting to Avast. I've copied the file from the Windows Installer folder to another folder on the C drive which I've labelled "suspect".

How do I upload it to Avast?

mag
« Reply #24 on: November 07, 2010, 08:57:09 PM »
Never had to do it! ;D

This is what it says on the avast site.

If you've sent the virus to the 'Virus Chest', open the 'Virus Chest', right-click on the entry for the virus, and select 'Email to AVAST Software'. Alternatively, you can send it in a password-protected zip file to virus@avast.com making sure the password is included in the body of the email.

Omid Farhang
« Reply #25 on: November 07, 2010, 09:01:12 PM »
> I was thinking of submitting to Avast. I've copied the file from the Windows Installer folder to another folder on the C drive which I've labelled "suspect".
>
> How do I upload it to Avast?

You can compress this file, password protected, using WinRAR, 7Zip or WinZIP, attach it to an email (don't forget to write the password in the email body) and send it to virus@ avast.com (without the space).

But did you notice you still did not give us an overview of your computer? Like your installed programs and their versions, your Windows and...? ;)
« Last Edit: November 07, 2010, 09:06:42 PM by Omid Farhang »

DigiDis
« Reply #26 on: November 07, 2010, 09:01:49 PM »
Does your computer seem back to normal?

Rodney78
« Reply #27 on: November 08, 2010, 01:23:27 PM »
Nope my computer isn't back to normal.

When I get home I'm going to submit the file to Avast and carry out an HJT log.

Thanks for all the replies so far 8)

Rodney78
« Reply #28 on: November 08, 2010, 08:25:12 PM »
Ok, so I submitted the file to Avast to see what they think.

Rodney78
« Reply #29 on: November 08, 2010, 08:26:28 PM »
Here is my HJT log:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.virginmedia.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {22945A69-1191-4DCF-9E6F-409BDE94D101} - http://louk.solidworks.com/htdocs/pdownload/edrawings/e2009sp01/cab/eModelsStandard.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1194638823500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1194639021109
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
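As an added example (not from the thread or from any poster), here is a small triage script for logs in the HijackThis format posted above. It parses the O4 Run and O23 Service lines and flags what a reviewer checks first: unquoted image paths containing spaces, 8.3 short names that must be resolved before comparing, services with no vendor information (the "Unknown owner" entry above) and images outside the standard Windows and Program Files roots. The sample lines are copied from the log above plus one constructed HKCU "Updater" entry; TRUSTED_ROOTS is an assumption for a default English Windows XP install.

```python
import re

# Subset of the HijackThis log posted above, plus one constructed HKCU entry
# ("Updater", not from the log) to exercise the "outside trusted roots" check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\update.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - Unknown owner - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
SVC_RE = re.compile(r'^O23 - Service: (.*?) - (.*?) - (.*)$')
EXE_RE = re.compile(r'^(.*?\.(?:exe|dll))(?:\s|$)', re.I)
# Assumed roots for a default English Windows XP install (the log above is XP).
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\progra~1\\', '%programfiles%\\')

def image_path(command):
    """Executable from a Run value: the quoted token, or everything up to .exe/.dll."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = EXE_RE.match(command)
    return m.group(1) if m else command

def entry(kind, name, path, flags):
    """Apply the path checks shared by Run entries and services."""
    if not path.lower().startswith(TRUSTED_ROOTS):
        flags.append('outside trusted roots')
    if '~' in path:
        flags.append('8.3 short name, resolve before comparing')
    return {'kind': kind, 'name': name, 'path': path, 'flags': flags}

def triage(log_text):
    """Parse O4 Run and O23 Service lines and return one finding per entry."""
    findings = []
    for line in log_text.splitlines():
        if m := RUN_RE.match(line):
            hive, name, command = m.groups()
            path = image_path(command)
            flags = ['unquoted path with spaces'] if ' ' in path and command[0] != '"' else []
            findings.append(entry('O4 ' + hive, name, path, flags))
        elif m := SVC_RE.match(line):
            name, vendor, path = (g.strip() for g in m.groups())
            flags = ['no vendor info, verify signature/hash'] if vendor == 'Unknown owner' else []
            findings.append(entry('O23', name, path, flags))
    return findings
```

Run `triage(open('hijackthis.log').read())` on a full log; unflagged entries are not proof of anything, only a way to order what to check by hash on VirusTotal first.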