Author Topic: Avast is detecting my safe programs. What should I do?  (Read 17508 times)


Offline jalovitrue

  • Newbie
  • *
  • Posts: 11
Avast is detecting my safe programs. What should I do?
« on: April 03, 2011, 09:36:49 AM »
Hello, this is my first time posting in this forum. Just to let you guys know, I'm a newbie.

I installed Avast! antivirus free on my friend's laptop, and it's doing fine. His laptop just got a fresh installation of Windows 7 Ultimate x86, so there were no programs running on it. Then I installed many safe programs on his laptop, and after some restarts and shutdowns, his Avast! antivirus started acting up.

It detects .htm/.html files (page files from Firefox) as malware, and many .exe and .dll files from safe programs (like Firefox itself, Adobe Photoshop, Photoscape, Total Video Converter). I am sure this is a false alarm, since they are safe to run on my other friend's laptop. Then I tried to install Avast! antivirus free on my laptop too, and later the same problem happened to me. I'm asking, is this a bug in Avast! or something else?

Our Avast! program's current version is 6.0.1000, and my engine's current version is 110402-1 with 2.720.111 definitions. If needed, I can post the Hijackthis log file here. I am waiting and thankful for the help of the seniors here.  :)

doktornotor

  • Guest
Re: Avast is detecting my safe programs. What should I do?
« Reply #1 on: April 03, 2011, 09:41:47 AM »
Read the sticky posts here: http://forum.avast.com/index.php?board=4.0
Attach MBAM and OTS logs.

Offline jalovitrue

  • Newbie
  • *
  • Posts: 11
Re: Avast is detecting my safe programs. What should I do?
« Reply #2 on: April 03, 2011, 10:14:59 AM »
Hello, thank you for the fast reply. I've read that, and here's the MBAM log. I'm using the laptop right now, so I can't seem to use OTS atm.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6253

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

03/04/2011 16:04:40
mbam-log-2011-04-03 (16-04-32).txt

Scan type: Quick scan
Objects scanned: 136134
Time elapsed: 9 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe) Good: (userinit.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\microsoft\watermark.exe (Trojan.Agent) -> No action taken.

It seems that the programs I mentioned (like Firefox) are not listed here; instead it listed the registry entry and file above. I'm sorry, I can't seem to attach the .txt file. Maybe I just don't know how.

FYI, I ran Avira antivirus before, and it also detected safe programs. Right now I'm using the ESET online scanner, with the same results. Most of them are Win32:Ramnit for .dll/.exe, VBS:ExeDropper-gen [Trj] for .htm files.

Oh yeah, it also detects Irfanview and Locate32. I'm really confused right now, because almost all my programs are not functioning since Avast! antivirus is moving them to the virus chest.

*edit* Also, I still haven't closed the MBAM window. What am I supposed to do with the 2 detected items? May I remove them?
« Last Edit: April 03, 2011, 10:17:31 AM by jalovitrue »
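The MBAM log in the post above shows the Winlogon Userinit value carrying a second launcher (watermark.exe) after the legitimate userinit.exe; that is what the Hijack.UserInit line means, since Winlogon starts every comma-separated entry in that value at logon. The Python below is an added example written for this thread, not code from Malwarebytes, Avast or the forum: it splits a Userinit string the way Winlogon does and reports any launcher other than the stock userinit.exe. SAMPLE_BAD is the value exactly as the log prints it, SAMPLE_GOOD is a constructed clean value, and read_userinit_live (the only Windows-specific part) reads the key path the log names.

```python
"""Check the Winlogon Userinit value for extra launchers.

Added example for this thread; not code from Malwarebytes or the forum.
Winlogon runs every comma-separated entry in Userinit at logon, so a
persistence hijack simply appends another path. SAMPLE_BAD is the value
shown in the MBAM log above; SAMPLE_GOOD is a constructed stock value.
"""
import ntpath

# Stock Windows 7 launcher (path casing in the registry varies by tool).
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"

# Value exactly as the MBAM log prints it ("Bad:" field).
SAMPLE_BAD = r"c:\windows\system32\userinit.exe,,c:\program files\microsoft\watermark.exe"
# Constructed clean value; the trailing comma is normal on a clean install.
SAMPLE_GOOD = r"C:\Windows\system32\userinit.exe,"


def parse_userinit(value: str) -> list[str]:
    """Split Userinit into the programs Winlogon will launch.

    Empty fields (the ',,' in the hijacked value) are skipped, which is
    also how Winlogon treats them.
    """
    return [part.strip() for part in value.split(",") if part.strip()]


def _norm(path: str) -> str:
    # Case-insensitive, separator-normalised comparison of Windows paths.
    return ntpath.normpath(path).lower()


def unexpected_entries(value: str, expected: str = EXPECTED_USERINIT) -> list[str]:
    """Return every launcher in value that is not the expected userinit.exe."""
    want = _norm(expected)
    return [p for p in parse_userinit(value) if _norm(p) != want]


def is_hijacked(value: str) -> bool:
    """True when Winlogon would start anything besides userinit.exe."""
    return bool(unexpected_entries(value))


def read_userinit_live() -> str:
    """Read the live value on Windows (key path taken from the MBAM log)."""
    import winreg  # only available on Windows
    with winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    ) as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    for label, sample in (("log value", SAMPLE_BAD), ("clean value", SAMPLE_GOOD)):
        extra = unexpected_entries(sample)
        print(f"{label}: {'HIJACKED ' + str(extra) if extra else 'ok'}")
```

On a live machine, `is_hijacked(read_userinit_live())` gives the same answer MBAM's Hijack.UserInit check gives; note that a value pointing to userinit.exe outside system32, or to a look-alike name, is also reported because only the exact stock path is accepted.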

doktornotor

  • Guest
Re: Avast is detecting my safe programs. What should I do?
« Reply #3 on: April 03, 2011, 10:15:55 AM »
We need the OTS log. (Additional options on the left -> Attach)

P.S. Do NOT install anything from your machine on other boxes for more "testing". You are just spreading the infection.  :(
« Last Edit: April 03, 2011, 10:22:13 AM by doktornotor »

doktornotor

  • Guest
Re: Avast is detecting my safe programs. What should I do?
« Reply #4 on: April 03, 2011, 10:36:14 AM »
Quote
Fyi, I ran Avira antivirus before, and it also detects safe programs. And right now I'm using ESET online scanner, and also the same results. Most of them are Win32:Ramnit for .dll/.exe, VBS:ExeDropper-gen [Trj] for .htm files.

Well. To sum this up: you've got a very nasty file infector that is infecting everything on your and other machines very fast. To not waste more time here, my suggestion would be: go, reformat the disk and reinstall everything from scratch on all infected machines.

Also, whatever source you used for installing your "fresh" Windows 7 is very likely infected as well. Do NOT use those install files/media again, at least not until you have scanned everything there with multiple AVs and nothing is found.

Offline jalovitrue

  • Newbie
  • *
  • Posts: 11
Re: Avast is detecting my safe programs. What should I do?
« Reply #5 on: April 03, 2011, 10:40:36 AM »
Oh my. I just finished with OTS and I read your post. This is so shocking. Please read the OTS log and give me your reply again. Maybe you could find something there.

doktornotor

  • Guest
Re: Avast is detecting my safe programs. What should I do?
« Reply #6 on: April 03, 2011, 10:49:02 AM »
Well, you can wait for essexboy if you wish (he is the guy here for malware removal), but as said, since pretty much everything got infected on your machine...  :-\

Quote
Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.
« Last Edit: April 03, 2011, 10:50:42 AM by doktornotor »
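The quoted description says Ramnit turns .htm/.html files into droppers (the VBS:ExeDropper-gen hits on .htm files in the earlier post), which means each infected page has to carry an executable inside a script block. The Python below is an added example written for this thread; it is not Ramnit's signature and not Avast's, ESET's or any vendor's detection. It looks for a VBScript block whose body contains a hex-encoded 'MZ' header or the file-write and launch calls a dropper needs. Those two heuristics and both sample pages are assumptions constructed here; on a real machine you would point scan_tree at the browser's profile or cache directory.

```python
"""Heuristic scan for an executable dropper appended to .htm/.html files.

Added example for this thread. It is NOT the Ramnit signature and not code
from Avast, ESET or any vendor: a page turned into a dropper must carry the
executable somewhere, and a VBScript block holding the PE as a hex string
plus the calls to write and start it is the generic shape such a payload
takes. The two heuristics and both sample pages are constructed here.
"""
import re
from pathlib import Path

# <script language=vbscript> / type="text/vbscript">, any case, body captured.
VBS_BLOCK = re.compile(
    r"<script[^>]*?(?:language|type)\s*=\s*[\"']?(?:text/)?vbscript[\"']?[^>]*>"
    r"(.*?)</script>",
    re.IGNORECASE | re.DOTALL,
)
# 'MZ' header as hex (4D5A) followed by a long run of hex byte pairs.
HEX_PE = re.compile(r"4D5A(?:[0-9A-F]{2}){20,}", re.IGNORECASE)
# Objects/methods a script needs to materialise a file and launch it.
DROPPER_CALLS = re.compile(
    r"Scripting\.FileSystemObject|WScript\.Shell|\.CreateTextFile\b|\.Run\b|\.SaveToFile\b",
    re.IGNORECASE,
)


def suspicious_vbs_blocks(html: str) -> list[str]:
    """Return one reason string per VBScript block that looks like a dropper."""
    reasons = []
    for match in VBS_BLOCK.finditer(html):
        body = match.group(1)
        hits = []
        if HEX_PE.search(body):
            hits.append("hex-encoded MZ header")
        if DROPPER_CALLS.search(body):
            hits.append("file-write/launch calls")
        if hits:
            reasons.append("; ".join(hits))
    return reasons


def scan_tree(root: str) -> dict[str, list[str]]:
    """Scan every .htm/.html under root; return {path: reasons} for flagged files."""
    flagged = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in (".htm", ".html"):
            reasons = suspicious_vbs_blocks(path.read_text(errors="replace"))
            if reasons:
                flagged[str(path)] = reasons
    return flagged


# Constructed sample: an ordinary saved page with a harmless JavaScript block.
CLEAN_PAGE = (
    "<html><body><h1>Saved page</h1>"
    "<script type=\"text/javascript\">console.log('hi');</script></body></html>"
)

# Constructed sample: the same page with a dropper block appended after </html>,
# the PE shortened to its first bytes (not a real executable).
INFECTED_PAGE = (
    "<html><body><h1>Saved page</h1></body></html>\n"
    "<SCRIPT Language=VBScript><!--\n"
    "FileName = \"svchost.exe\"\n"
    "Payload = \"4D5A90000300000004000000FFFF0000B8000000000000004000000000000000\"\n"
    "Set FSO = CreateObject(\"Scripting.FileSystemObject\")\n"
    "Set Shell = CreateObject(\"WScript.Shell\")\n"
    "--></SCRIPT>\n"
)

if __name__ == "__main__":
    print("clean   :", suspicious_vbs_blocks(CLEAN_PAGE) or "no findings")
    print("infected:", suspicious_vbs_blocks(INFECTED_PAGE))
```

This is a triage aid, not a cleaner: a long hash that happens to start with 4D5A would trip the first heuristic, and a dropper that builds its bytes with Chr() instead of a hex string would not. It tells you which saved pages are carrying a payload, which supports the advice in this thread rather than replacing it.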

Offline jalovitrue

  • Newbie
  • *
  • Posts: 11
Re: Avast is detecting my safe programs. What should I do?
« Reply #7 on: April 03, 2011, 10:58:45 AM »
I immediately scanned the installation media of this Windows 7 with my current Avast and it found nothing. It seems the infection does not come from the installation media, so where does it come from? The installation is new, and I haven't used any USB flash disk lately. Just my external hard disk, which is new; I just bought it recently.

And, after I used OTS, this desktop.ini is popping up everywhere. In My Documents, shortcuts to my pictures, music and videos suddenly popped up, and the My Pictures, My Music and My Videos folders suddenly popped up there too and are locked. What's happening?

doktornotor

  • Guest
Re: Avast is detecting my safe programs. What should I do?
« Reply #8 on: April 03, 2011, 11:05:14 AM »
Well, no idea where it came from (I would bet autorun on some removable media - you went and downloaded the install files onto that external HD you have recently bought, but alas, the machine you plugged it into was already infected). Disable autorun on your machines and use Panda USB Vaccine to immunize your drives.

Regardless, the infection is not curable in any reasonable way. Also, that desktop.ini is the least problem you have here; no point in pursuing that.
« Last Edit: April 03, 2011, 11:07:33 AM by doktornotor »

Offline jalovitrue

  • Newbie
  • *
  • Posts: 11
Re: Avast is detecting my safe programs. What should I do?
« Reply #9 on: April 03, 2011, 11:10:19 AM »
Well, I guess that's it, eh? So now I need to reformat my disk. Well, I haven't formatted a disk before. Do I also have to format the D partition? Or only C (system)? Is the installation media safe to use, since Avast didn't find anything? It is off topic, but do you know any help I could get with this? A guide or tutorial, maybe.

Also, how about the program installers? If an antivirus does not detect anything, they're still safe to use, right?

*edit* Oh yeah, about the autorun: my external HD has an autorun, which is used to change the icon of the external HD in My Computer to a WD icon (my external HD is a WD). Is it safe? Avira blocks it, but I thought it's just because it's only an autorun.
« Last Edit: April 03, 2011, 11:14:41 AM by jalovitrue »

doktornotor

  • Guest
Re: Avast is detecting my safe programs. What should I do?
« Reply #10 on: April 03, 2011, 11:15:29 AM »
Pretty much, yeah. I would reformat everything (using the full format, not a quick one) and also definitely would not use anything that doesn't come with an MS hologram, definitely not the same media that you used to freshly infect your systems. Also, if you plug your external HDD into another machine with autorun enabled, you are almost for sure spreading the infection yet further.

Wrt the procedure - simply boot from a safe Windows 7 install DVD, select custom install or whatever it is called, delete all the partitions there and let the installer format the drive.

Edit: No, it is not safe. You can live without the WD icon. Autorun is commonly used for malware distribution, and you can browse the drive manually with one additional click.
« Last Edit: April 03, 2011, 11:17:21 AM by doktornotor »

area51

  • Guest
Re: Avast is detecting my safe programs. What should I do?
« Reply #11 on: April 03, 2011, 11:17:07 AM »
1. Update avast and use the "boot scan" feature - delete every infected file.
2. MBAM full scan - delete every infected file.
3. Disable System Restore.
4. Update your Windows.
5. Repeat 1 and 2.
6. Download HijackThis and post the logs over here.
Edit: if you have the option to format, go for it, it's probably better   ;)

doktornotor

  • Guest
Re: Avast is detecting my safe programs. What should I do?
« Reply #12 on: April 03, 2011, 11:18:32 AM »
Have you really read what I have posted about the virus here?

Quote
1. update avast and use the feature "boot scan" - Delete every infected file.

You have an unbootable system once you do this.

Quote
4. update your windows.

It is an absolutely pointless exercise; whatever you run on the machine will get infected, including the Windows updates.

area51

  • Guest
Re: Avast is detecting my safe programs. What should I do?
« Reply #13 on: April 03, 2011, 11:19:04 AM »
Quote
4. update your windows.

Have you really read what I have posted about the virus here? It is an absolutely pointless exercise; whatever you run on the machine will get infected, including the Windows updates.

Have you really read what I wrote?

Offline Jack 1000

  • Poster
  • *
  • Posts: 619
Re: Avast is detecting my safe programs. What should I do?
« Reply #14 on: April 03, 2011, 11:19:16 AM »
I would recommend a manual update of the Avast definitions and a boot-time scan (with PUPs turned on) as well as a full scan with Malwarebytes. Move everything that is found to the chest. What does that show?

Jack
Avast 2014 -Windows XP (SP-3) and Malware Bytes Anti-Malware (Free Version)
1GB RAM