Author Topic: Threat: Win32:Downloader-MOG [Trj]


hellflame

  • Guest
Threat: Win32:Downloader-MOG [Trj]
« on: January 26, 2012, 04:43:19 PM »
Hi, I am having problems with a virus detected by Avast when I ran a custom scan with System drive, memory, auto start and auto start programs checked. The scan detected an infected file.

It came up as process 1004 [svchost.exe], memory block 0x0000000001EA0000, block size 315392.
Threat: Win32:Downloader-MOG [Trj]. There wasn't any action that was available to be taken against this file, so I am at a loss as to what I should do.

I scan my computer regularly, both full and quick scans, either one of the scans at least once per day, but there were never any detections until today when Avast Web Shield blocked a malicious ad popup on mediafire. Being paranoid, I decided to scan my computer and I created a custom scan which included a memory scan. This then came up.

I've also run scans using MBAM at least twice a week, both full and quick scans, but nothing came up there either.

Being paranoid, I downloaded and ran Spybot Search and Destroy, but that too didn't come up with anything.

Data on my computer is divided into two portions: my OS runs on a solid state drive while my media data is stored on a mechanical hard drive. I'd like to know what I should do in this situation and whether my drives are infected, or if it's the RAM that's infected. Thank you very much. I'm attaching the scan log of MBAM below. Any help is appreciated, thanks.


Edit: After uninstalling Spybot (I was worried that it might interfere with Avast and MBAM) and restarting, I ran the custom scan again and this time nothing came up. I ran a quick scan with MBAM again as well and nothing came up either. I'll attach the 2nd log as well.
« Last Edit: January 26, 2012, 04:57:18 PM by hellflame »

true indian

  • Guest
Re: Threat: Win32:Downloader-MOG [Trj]
« Reply #1 on: January 26, 2012, 05:36:33 PM »
http://forum.avast.com/index.php?topic=53253.0

follow the guide...link above..

attach all the logs..

Please give the location of svchost.exe that is detected?

Did u do that scan immediately after the web shield detection?

can u scan again and see if it is still detecting it?

Final advice:Never use memory scan option it causes weird issues...

Essexboy notified...
« Last Edit: January 26, 2012, 05:44:27 PM by true indian »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37561
  • Not a avast user
Re: Threat: Win32:Downloader-MOG [Trj]
« Reply #2 on: January 26, 2012, 06:01:56 PM »
Quote
It came up as process 1004 [svchost.exe], memory block 0x0000000001EA0000, block size 315392.
Threat: Win32:Downloader-MOG [Trj]. There wasn't any action that was available to be taken against this file, so i am at a loss as to what i should do.
because it is a process and not a file....you can't move a process to the chest   ;)


Quote
Being paranoid, i decided to scan my computer and i created a custom scan which included memory scan. This then came up.
and this is where you went wrong......the "scan memory" setting will give some strange results if used...the forum is full of them if you search


DO NOT use the "scan memory" setting. If you don't know the result of changing the scan settings, then don't do it
use the default quick/full scan with default settings and scan again, if you then detect anything....tell us


OBS: and if/when you attach logs, they must be saved as ANSI so we can read them.....now it is chinese  ;)

« Last Edit: January 26, 2012, 06:05:49 PM by Pondus »
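The ANSI-versus-Unicode log problem Pondus raises (a log saved as Windows "Unicode" text, i.e. UTF-16 with a BOM, shows up as garbage or CJK characters in a viewer that expects ANSI, and the reverse), in an added example that is not part of the thread: it sniffs a log's encoding, re-saves it as ANSI, and reproduces the "chinese" symptom. The sample log lines are constructed, and the heuristic for BOM-less UTF-16 goes beyond what the thread states.

```python
import codecs

# Constructed sample (not a real log): the same two MBAM-style lines saved as
# Windows "Unicode" text (UTF-16 LE with BOM) and as plain ANSI (cp1252).
SAMPLE_TEXT = "Malwarebytes Anti-Malware 1.60.0.1800\r\nFiles Detected: 0\r\n"
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + SAMPLE_TEXT.encode("utf-16-le")
SAMPLE_ANSI = SAMPLE_TEXT.encode("cp1252")


def sniff_encoding(data: bytes) -> str:
    """Guess a log file's encoding: BOM first, then the null-byte pattern
    that ASCII text shows when stored as UTF-16, else Windows ANSI."""
    if data.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    if data.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return "utf-16"  # Python's utf-16 codec reads and strips the BOM
    head = data[:256]
    if len(head) >= 2 and head[1::2].count(0) > len(head) // 4:
        return "utf-16-le"  # high byte of every ASCII char is 0x00
    if len(head) >= 2 and head[0::2].count(0) > len(head) // 4:
        return "utf-16-be"
    return "cp1252"


def to_ansi(data: bytes) -> bytes:
    """Re-save a log in the single-byte ANSI form the thread asks for."""
    text = data.decode(sniff_encoding(data))
    return text.encode("cp1252", errors="replace")


def misread_as_utf16(data: bytes) -> str:
    """Reproduce the symptom: an ANSI log opened by a viewer that assumes
    UTF-16 turns each pair of ASCII bytes into one (mostly CJK) code point."""
    even = data[: len(data) - len(data) % 2]
    return even.decode("utf-16-le", errors="replace")


if __name__ == "__main__":
    print(sniff_encoding(SAMPLE_UTF16), sniff_encoding(SAMPLE_ANSI))
    print(to_ansi(SAMPLE_UTF16).decode("cp1252"), end="")
    print(misread_as_utf16(SAMPLE_ANSI)[:12])
```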

hellflame

  • Guest
Re: Threat: Win32:Downloader-MOG [Trj]
« Reply #3 on: January 26, 2012, 11:28:47 PM »
Thanks to both of you for your speedy replies. I scanned my computer using the default quick scan functions of MBAM and Avast after the block by Web Shield, and followed it up with the full scan function for Avast. There were no detections by either software. I quick scanned again using both MBAM and Avast after I rebooted and nothing came up either. I'll do another scan when I get home tonight and post the logs just to be sure. Once again, thanks a lot for your help, it is much appreciated.

hellflame

  • Guest
Re: Threat: Win32:Downloader-MOG [Trj]
« Reply #4 on: January 27, 2012, 12:57:25 PM »
Hi, I have followed Pondus' advice to do a scan with the default settings for Avast. I restored Avast to its factory settings just to be sure and did both quick and full scans after rebooting. Nothing was detected. I also did a quick scan with MBAM and nothing came up either. I'll attach the logs from yesterday and now just to be sure.

Also, I am not sure what the process 1004 [svchost.exe], memory block 0x0000000001EA0000, block size 315392 is, as it did not come up again in the memory scan I did yesterday after I rebooted; should I be worried about it? Thanks for the help. :)

I am not sure if this is of any help, but previous scans before this particular memory scan which picked up the svchost.exe virus, both full and quick on MBAM and Avast, had not detected anything until the custom scan picked up this virus yesterday.

Lastly, will checking the "Test whole file" option, turning on scan PUP and increasing the heuristics sensitivity and the scan priority of both the default quick and full scan to the max affect the scan results in a negative way? (Sorry for being so terribly long winded, these were the changes I made to the built-in scans on Avast before I restored it to the default factory settings, so I was worried it might have affected the scan results negatively.)

hellflame

  • Guest
Re: Threat: Win32:Downloader-MOG [Trj]
« Reply #5 on: January 27, 2012, 02:00:14 PM »
Just did a full scan with MBAM as well, attaching the log.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37561
  • Not a avast user
Re: Threat: Win32:Downloader-MOG [Trj]
« Reply #6 on: January 27, 2012, 02:09:54 PM »
Quote
Lastly, will checking the "Test whole file" option, turning on scan PUP and increasing the heuristics sensitivity and the scan priority of both the default quick and full scan to the max affect the scan results in a negative way? (Sorry for being so terribly long winded, these were the changes I made to the built-in scans on Avast before I restored it to the default factory settings, so I was worried it might have affected the scan results negatively.)
In a computer there are lots of files that are not necessary to scan.....so if you turn on every thing and scan every thing, the scan will be slow as molasses and take a week to finish
also an antivirus with real time protection like Avast is scanning every file that moves in the computer when you use it.....it is working in the background all the time

the guys at avast have played with malware 24/7 for 20 years.....they know how this works.
So unless you have some special needs...and know what you do, leave it at default settings



OBS: and a PUP is not a virus. it is a warning that you have (if detected) a program that can be used for good or bad (like a commercial key logger)

PUP (potentially unwanted program) http://searchsecurity.techtarget.com/definition/PUP


hellflame

  • Guest
Re: Threat: Win32:Downloader-MOG [Trj]
« Reply #7 on: January 27, 2012, 03:09:33 PM »
Okay, thanks a lot for the heads up Pondus :)
With regards to my logs and the detection, I suppose I have to wait for Essexboy then?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37561
  • Not a avast user
Re: Threat: Win32:Downloader-MOG [Trj]
« Reply #8 on: January 27, 2012, 03:19:12 PM »
well the detection in memory I would not worry about.....reason explained above
and your mbam logs are clean..


but if you want Essexboy to have a look inside...he is the Malware terminator expert
then follow this guide, and attach the OTL logs
http://forum.avast.com/index.php?topic=53253.0

hellflame

  • Guest
Re: Threat: Win32:Downloader-MOG [Trj]
« Reply #9 on: January 27, 2012, 03:54:43 PM »
I've dl-ed OTL from the link you've given me, but Avast identifies it as potentially unsafe software and advises me to open it in the Avast sandbox. Do I run it in the sandbox or do I run it normally? Windows will tell me that it cannot access the file if I select cancel opening. Thanks for your help.
« Last Edit: January 27, 2012, 03:56:59 PM by hellflame »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37561
  • Not a avast user
Re: Threat: Win32:Downloader-MOG [Trj]
« Reply #10 on: January 27, 2012, 04:02:28 PM »
you run it Normally.....no sandbox

hellflame

  • Guest
Re: Threat: Win32:Downloader-MOG [Trj]
« Reply #11 on: January 27, 2012, 05:22:43 PM »
Alright, I've run OTL. Attaching the logs. Thanks for helping!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Threat: Win32:Downloader-MOG [Trj]
« Reply #12 on: January 27, 2012, 08:54:35 PM »
The log looks clean, are you experiencing any problems?

hellflame

  • Guest
Re: Threat: Win32:Downloader-MOG [Trj]
« Reply #13 on: January 27, 2012, 08:59:30 PM »
Nope, there doesn't seem to be any problem with my computer. The quick and full scans by Avast and MBAM are not detecting anything. The scans have not picked up anything for quite a period of time now and it's only the memory scan yesterday that picked up the process. Is it safe to say that it's a false positive then?
« Last Edit: January 27, 2012, 09:05:38 PM by hellflame »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Threat: Win32:Downloader-MOG [Trj]
« Reply #14 on: January 27, 2012, 09:07:31 PM »
Yes, you will get that when you do a memory scan

Run OTL and press the cleanup button to remove it