Another Win32:Malware/Trojan issue

This PC is 9 days old. I have visited a total of 14 trusted websites (2 of which I own) and downloaded 2 freeware programs (VLC and uTorrent) in total. Besides the one Keygen instance, for which I hold myself completely responsible, I honestly can’t see how this is possible. Avast was the first program installed upon OS boot.

You don’t have to copy/paste the lengthy instructions on how to proceed with the investigation. I can use the other thread on this page to access that information; I’m simply posting to ask if this many FPs would be possible from a brand new PC? It’s an HP if that means anything.

I will of course run the files through Virustotal and post the logs here when I get home from work. I just wanted to get the ball rolling before then as this seriously concerns me.

http://i46.tinypic.com/15g4kl5.jpg

Thanks.

Trusted nowadays means very little.

– Every 3.6 seconds a website is infected http://forum.avast.com/index.php?topic=47096.msg396648#msg396648.

First ensure you have the latest VPS Update 091119-1 and scan again.

The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware and is a fine balance between detecting a new variant and detecting something valid as infected.

There is one other topic on the dotnetfx.exe being detected, which I presume is the one you are talking about.

First off, let me apologize for that image I posted. I didn’t realize it was unreadable…

http://i45.tinypic.com/2j30jgh.jpg

It appears as if it is indeed the dotnetfx issue.

As far as “trusted” I was simply referring to Nvidia, Microsoft, etc. Of course I don’t really know about this kind of thing in great detail. I will read the thread you linked to.

Thank you.

No problem, glad I could help.

Hopefully this will be quickly resolved, if the dotnetfx.exe isn’t too big you could submit to virustotal and avast as in the other topic.

As for the Infected Restore Points - There really is little benefit in chasing a detection in the system volume information folder. It is only there because it had previously been deleted or moved from the system folders and this is a back-up created by system restore.

  • Worst case scenario it isn’t infected and you delete it, you can’t use that restore point in the future, not much of a loss and the older the restore point is the less of an issue it is.

  • So if there is any suspicion about a restore point then it is best removed from the system volume information folder or it could bite you in the rear at some point in the future when you use system restore if it included that restore point.

Welcome to the forums.

Alright, I had my wife attempt this over the phone and after going through all the steps and creating the C:\Suspect, etc., it turns out the file is too large for VirusTotal.

I’m not really concerned about the Restore files. Infected/not infected, they can be deleted if need be. There’s nothing vital on the PC that I would need this early in the game, anyway. The Keygen and WinDVD instances were both in a folder I dragged off a friend’s thumb drive the day we set up the PC. I had no clue what was even in there, I was just told “Here’s a bunch of stuff you can throw on your PC if you want.” I don’t even need those programs to begin with. So all that’s left is this dotnetfx which by its path tells me could be important system information. I suppose I could call HP to verify? Would that help?

I am updated to Update 091119-1 and will scan again when I get home. I have a feeling the Win32:Malwares will be detected yet again, however. Do I just keep moving them to the chest or ignore? Should I install and run Malwarebytes as well?

Thanks again.

Sorry about that I should have mentioned the limit (10MB) rather than just saying if it wasn’t too big (it should say on the site though).

It is worth having MBAM as an on-demand scanner to give a multi-application approach to security; it and avast are fine together and it complements avast’s detection rate.

I would suggest excluding the file from on-demand scans (Program Settings, Exclusions), e.g. c:\compaq*\dotnetfx.exe; the * is a wildcard to save typing the full path. I don’t know if it is important or not (it depends on what relies on it; if you have no .net applications it isn’t needed). Considering its location it would seem to be Compaq specific, and it is also an old version of dotnet, v2.0.

Well if moved to the chest you shouldn’t subsequently get detections and if there were any errors as a result of the move it would be possible to restore it.

I’m finally home and decided to run the rest of the infected files through VT, Here are the links

Here are the first three from the list above labeled Win32:Malware

http://www.virustotal.com/analisis/a78c3b138122df341a1d4f9d10b45b213afd04d31a9066ba8b6247d7874a436d-1258668688

http://www.virustotal.com/analisis/a78c3b138122df341a1d4f9d10b45b213afd04d31a9066ba8b6247d7874a436d-1258668688

http://www.virustotal.com/analisis/a78c3b138122df341a1d4f9d10b45b213afd04d31a9066ba8b6247d7874a436d-1258668688

This is the 4th one down labeled Win32:Trojan

http://www.virustotal.com/analisis/492826e1aacd984a00dd67a438386e4de883cc923cb1f25e265525a4cf70ed7b-1258630948

dotnetfx we already covered

Keygen…no explanation needed.

Here’s the last one from WinDVD:

http://www.virustotal.com/analisis/492826e1aacd984a00dd67a438386e4de883cc923cb1f25e265525a4cf70ed7b-1258630948

edit: I just realized those first three logs are labeled as “Keygen” and identical, and the last two are identical as well…?

Here is the MBAM log

Malwarebytes' Anti-Malware 1.41 Database version: 3198 Windows 5.1.2600 Service Pack 3

11/19/2009 6:55:03 PM
mbam-log-2009-11-19 (18-55-03).txt

Scan type: Full Scan (C:|D:|)
Objects scanned: 271373
Time elapsed: 40 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Meanwhile, while MBAM was scanning, Avast sounded off twice for the exact same Win32:Malware. ???

It is possible to get multiple detections on what is effectively the same file but in different locations, this is frequently how infected _restore points get there by the removal of infected files from system folders, etc.

All of those should obviously be removed.

Send these (well one of them) to avast for further analysis as they are likely to be FPs:
vcredist_x86.exe.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and false positive in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already in the chest) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

You could also send an FP email (as above) to avast with details about the dotnetfx.exe (without attaching the file because of the size) but give a link to this topic and any other information.
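On the “identical” VirusTotal links and the multiple detections of the same file in different locations: the old-style VirusTotal analysis link posted above has the form http://www.virustotal.com/analisis/<sha256>-<unix timestamp>, so two links with the same 64-character hash are reports on exactly the same file contents, whatever path each copy had on disk. The script below is an added example for this thread (not code from avast, VirusTotal or any poster): it pulls the hash and submission date out of the links posted here, groups them, and does the same grouping for files on disk by hashing them, which is how you tell a Suspect-folder copy and a restore-point copy of the same keygen apart from a genuinely new file. The on-disk file names and contents in CONSTRUCTED_FILES are made up for the demonstration; the links are the ones posted in the thread.

```python
"""Relate detections to file content (SHA-256) rather than file path.

Added example for this thread, not code from avast, VirusTotal or any
poster. The VirusTotal links are the ones posted above; the on-disk
sample files in CONSTRUCTED_FILES are constructed for the demo.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timezone

# Old VT link scheme as posted in the thread: 64 hex chars, a dash, then
# the unix time of the submission. (VirusTotal has since changed its URLs.)
VT_URL_RE = re.compile(r"virustotal\.com/analisis/([0-9a-f]{64})-(\d+)/?$")


def parse_vt_url(url):
    """Return (sha256, submission time as a UTC datetime), or None if the
    string is not an old-style VirusTotal analysis link."""
    m = VT_URL_RE.search(url.strip())
    if m is None:
        return None
    sha256, ts = m.group(1), int(m.group(2))
    return sha256, datetime.fromtimestamp(ts, tz=timezone.utc)


def group_vt_links(labelled_urls):
    """Map each distinct SHA-256 to the labels whose links point at it.
    Two labels under one hash mean the same bytes were submitted twice."""
    groups = defaultdict(list)
    for label, url in labelled_urls:
        parsed = parse_vt_url(url)
        if parsed is None:
            raise ValueError("not a VirusTotal analysis link: %r" % url)
        groups[parsed[0]].append(label)
    return dict(groups)


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file on disk, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def group_files_by_hash(files):
    """files: {path: bytes already read in}. Returns {sha256: [paths]}, so a
    file that exists under several paths shows up once with several paths."""
    groups = defaultdict(list)
    for path, data in files.items():
        groups[hashlib.sha256(data).hexdigest()].append(path)
    return dict(groups)


# Links exactly as posted in the thread, labelled with the avast name given.
THREAD_LINKS = [
    ("Win32:Malware 1", "http://www.virustotal.com/analisis/a78c3b138122df341a1d4f9d10b45b213afd04d31a9066ba8b6247d7874a436d-1258668688"),
    ("Win32:Malware 2", "http://www.virustotal.com/analisis/a78c3b138122df341a1d4f9d10b45b213afd04d31a9066ba8b6247d7874a436d-1258668688"),
    ("Win32:Malware 3", "http://www.virustotal.com/analisis/a78c3b138122df341a1d4f9d10b45b213afd04d31a9066ba8b6247d7874a436d-1258668688"),
    ("Win32:Trojan", "http://www.virustotal.com/analisis/492826e1aacd984a00dd67a438386e4de883cc923cb1f25e265525a4cf70ed7b-1258630948"),
    ("WinDVD", "http://www.virustotal.com/analisis/492826e1aacd984a00dd67a438386e4de883cc923cb1f25e265525a4cf70ed7b-1258630948"),
]

# Constructed sample: the same bytes under the Suspect folder and under a
# restore point (paths and contents are made up, not from the thread).
_KEYGEN = b"MZ\x90\x00constructed keygen sample"
CONSTRUCTED_FILES = {
    r"C:\Suspect\keygen.exe": _KEYGEN,
    r"C:\System Volume Information\_restore{<guid>}\RP9\A0000001.exe": _KEYGEN,
    r"C:\compaq\dotnetfx.exe": b"MZ\x90\x00constructed installer sample",
}


if __name__ == "__main__":
    for sha, labels in group_vt_links(THREAD_LINKS).items():
        print(sha[:12], "->", ", ".join(labels))
    for sha, paths in group_files_by_hash(CONSTRUCTED_FILES).items():
        print(sha[:12], "->", paths)
```

Run as-is it prints two hash groups for the five links (so the three Win32:Malware links are one report, and the Win32:Trojan and WinDVD links are another) and two groups for the three constructed files. To use it on your own machine, call sha256_file() on each path avast reported and group the results the same way; matching hashes are copies, not new infections.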

That makes sense, but why are they still popping up once every two days? Also, where is the original Keygen file?? When I first opened the folder that was made from the thumb drive, Avast alerted me to the issue. When I moved it to the chest, the file (icon) immediately disappeared from the folder. As you can see, there are only 7 files in that folder and none of them are the original file.

Maybe I’m misunderstanding the way a virus works, but are those restore points infected themselves or did the Keygen infect them? How long can it continue to infect files when it’s already inside the chest? Am I to believe that this Keygen file that I never even opened, but simply sat on my desktop for 2 days, has infected a total of 9 different restore points? That’s pretty alarming. Even more so that only 14/40 AVs even consider this to be a virus in the first place!

I will send the “vcredist” file as you described.

I don’t know why they pop up every two days; what are you doing at the time they pop up?
As the system volume information folder is a Windows protected area, they shouldn’t infect themselves.

As I said only system restore places items in the _restore points and that generally is as a result of files being deleted or moved or possibly modified in the system folders, so it is possible that malware in modifying a file in the system folders would cause system restore to create a _restore point.

A keygen would be inert until it was run, when any malicious payload would be delivered, so if it hasn’t been run, and avast alerted when you received it, then it shouldn’t have run, nor should any payload have been deployed.

So if you get an alert you have to investigate it then, when what you were doing is fresh in your mind (make notes, etc.), but all the ones you have mentioned here were placed in the chest on the 18/19 Nov.

For me when 14 of 40 consider it malware, that is pretty conclusive, when there are only a few detections and if they are generic detections then there is more room for doubt.

Well, the last two popped up during the MBAM scan, ie about 30 seconds after installing a new program. Wouldn’t XP make a restore point after doing so as well as after the reasons you stated?

I think my major question here is, if after running MBAM and finding zero instances of malware and having all “infected” files stored away in the chest, why would I ever be getting more infected files still with Keygen tagged on them?

Well when scanning with other security applications, they have to open files to scan them and guess what a resident anti-virus does, intercepts that call to open the file and scans it.

Well I gave up on system restore many years ago choosing my own solution as it isn’t perfect by any means and you can get unexpected actions over and above what you hoped to achieve by using it. So yes installing a new program, could create a new restore point, but to what degree/depth I don’t know.

Downloading an application to the desktop, like the keygen, as I said should be inert until run (being opened by MBAM to scan, triggered the resident scan of avast, detecting the keygen) and as such shouldn’t create restore points.

I don’t know why as that requires speculation, you will have to monitor the situation and report on detections on what you were doing at the time of the alert, the file name, location and malware name, etc.

So MBAM was scanning these files that were in the Avast chest then? Or perhaps MBAM detected them within the “Suspect” folder?! That would make perfect sense, except that the A0000xxxx was different from the previously stored instances in the chest/suspect folder.

I don’t want to keep bothering you about this. Perhaps you can just lay out a course of action for me at this point? It would be my guess to delete all instances of infected restore points, restore the WinDVD.exe, and keep the dotnetfx in the chest for a few weeks and rescan to be sure. Are you in agreement here?

Considering MBAM didn’t detect anything, does that mean that my PC is uncompromised? Were all of these detections made in time and moved to the chest before any damage was done? I see posts like “Avast found a virus, how do I remove it?”. Didn’t Avast find a virus on my PC? Why wouldn’t I have to remove it? I think there must be something that distinguishes a virus already on a PC compared to one caught in time that I’m just not fully understanding maybe. Either that or an “infected file” is simply not a virus yet.

No, it can’t because the chest is a protected area and files in there are encrypted. If you leave copies in the suspect folder after uploading to VT then they would be detected by avast, if accessed (see next paragraph). No security program is going to detect everything, that is why I suggest virustotal with 41 scanners as a means of confirmation.

As I said, the act of opening a file (and I don’t know which one was being opened) by MBAM to scan it will cause avast to lock that file and scan it before allowing MBAM to scan it. A file that is inert, sat there dormant won’t be scanned by a resident/on-access scanner, but once it is accessed then avast will scan it.

You should have already sent the infected restore points to the chest, as your image is that of the chest, so they shouldn’t be detected again in the chest.

If you restore the vcredist_x86.exe (not WinDVD.exe) then avast is going to alert again and you would have to exclude the vcredist_x86.exe file from scans, the easier option is to leave it in the chest and periodically scan it within the chest, when it is no longer detected then restore it.

I simply can’t speculate on the other posts that you mention as I have no information and there are many legitimate reasons why that may be the case and following through on the topic should show why that is the case and what action to take.

I haven’t said anywhere that I think your system is compromised.

That’s what I figured. I simply forgot to delete the “Suspect” folder from the C drive before proceeding with the scan. I was pretty sure that is why they came up again, but the last 4 digits on these newly found files were different from the four you see in my original image, so I was confused.

The post I was referring to is just a few below this one. The specifics aren’t important, I was just curious as to the difference between Avast catching a virus before it can do damage and one that has already affected other system files. I just wanted to be clear that other than deleting the restore points from my chest, there was no further action on my part.

I haven't said anywhere that I think your system is compromised.

No, I know you haven’t. I was just hoping you could confirm that it wasn’t! I like to needlessly worry, I was hoping now that you have all the information you needed, you could kindly tell me I don’t have to. :wink:

Shields like the Web, Instant Messenger, P2P and Network Shields all work to try and keep infection out, like an outer layer. These attempt to detect something before it gets saved to or established on your system.

The Standard Shield is like a second line of defence if something happens to get past the outer layer, when something accesses it or it attempts to run then the resident/on-access scan of the Standard Shield should kick in and scan it.

As I said way back in Reply #3, there is little value/benefit in chasing down suspect restore points when there is little lost even if it were an incorrectly identified detection. So removing them isn’t a problem.

Personally I would just continue using your system normally whilst continuing to monitor it for unusual behaviour or detections, then you do further investigation as required. Life really is too short to be constantly looking over your shoulder. But you should always be prepared and back up your data regularly and have a recovery strategy.

– SYSTEM BACK-UP & RECOVERY
If you fail to plan, then you plan to fail.
If you have a back-up and recovery plan, you can recover from anything in minutes, not hours or days.

  1. back-up all the things that you don’t want to lose, data files, like documents, spreadsheets, emails, email account details, registration keys, address book, favourites/bookmarks, downloaded files/programs, etc. the list goes on and on but if you don’t want to lose it back it up. There are many back-up programs that can simplify this task and run it every day.

  2. Recovery - re-installing your system really is a poor choice and one of last resort. There are tools (Drive Imaging software) that take exact images of your Partitions or Hard Disks and these images can be restored in minutes if you suffer a major catastrophe and that doesn’t have to be a virus attack.

I do a weekly image of my partitions and save them to my 2nd hard disk, they can also be saved to off-line storage, DVD, USB external hard disk, etc. as part of my weekly system maintenance.

So if the worst comes to the worst at most I lose:
A. 6 days worth of program updates or new installations, but with my daily back-up I can recover most of that.
B. less than one days data files, emails, etc.
None of these is a problem and much quicker than a system reinstall and I don’t have to go on-line to download the myriad of security updates needed to secure my system where there is a chance to get reinfected whilst my system has vulnerabilities because of these missing patches. Not to mention all my system tweaks and program settings are retained and I will have saved myself many hours of work and a huge amount of stress.

Many of these programs cost; there are some free ones, but it will take some research on your part to find these tools and decide on what is best for you from reviews, user feedback, etc. Good luck.
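Step 1 of the back-up plan above (a daily copy of the data files you don’t want to lose) is simple enough to do with a short script rather than a commercial product, and the part most people skip is checking that what was backed up can actually be restored intact. The following is an added example for this thread, not a tool recommended or written by any poster: it zips the chosen folders into a dated archive together with a manifest of SHA-256 hashes, and after a restore re-hashes every file against that manifest, so a corrupted or tampered copy is caught before you rely on it. The folder names and file contents in demo() are constructed; the drive-imaging part of the plan (step 2) is a separate job that this script does not do.

```python
"""Daily data back-up with an integrity manifest, plus a checked restore.

Added example for this thread, not code from any poster or product.
Folder names and file contents in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile
import zipfile
from datetime import date

MANIFEST = "MANIFEST.json"


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file on disk, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_backup(source_dirs, dest_dir, when=None):
    """Zip every file under each source dir into dest_dir/data-YYYY-MM-DD.zip
    and store {archive name: sha256} as MANIFEST.json inside the archive.
    Archive names are <folder basename>/<relative path>, so two source
    folders with the same basename would collide (keep them distinct)."""
    when = when or date.today()
    archive = os.path.join(dest_dir, "data-%s.zip" % when.isoformat())
    manifest = {}
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as z:
        for src in source_dirs:
            top = os.path.basename(src.rstrip(os.sep))
            for root, _dirs, files in os.walk(src):
                for name in files:
                    full = os.path.join(root, name)
                    rel = os.path.relpath(full, src).replace(os.sep, "/")
                    arcname = top + "/" + rel
                    manifest[arcname] = sha256_file(full)
                    z.write(full, arcname)
        z.writestr(MANIFEST, json.dumps(manifest, sort_keys=True, indent=1))
    return archive


def read_manifest(archive):
    with zipfile.ZipFile(archive) as z:
        return json.loads(z.read(MANIFEST))


def check_tree(manifest, target_dir):
    """Re-hash each manifest entry under target_dir; return the entries that
    are missing or whose contents no longer match."""
    mismatches = []
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(target_dir, *rel.split("/"))
        if not os.path.isfile(path) or sha256_file(path) != digest:
            mismatches.append(rel)
    return mismatches


def restore_backup(archive, target_dir):
    """Extract the archive into target_dir and verify it against the manifest.
    An empty list means every file came back exactly as it was backed up."""
    with zipfile.ZipFile(archive) as z:
        manifest = json.loads(z.read(MANIFEST))
        z.extractall(target_dir)
    return check_tree(manifest, target_dir)


def demo():
    """Constructed data: two folders, one backup, a clean restore, then a
    deliberately altered restored file to show the manifest catching it.
    Returns (manifest entries, mismatches after restore, mismatches after
    alteration)."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "Documents")
        mail = os.path.join(tmp, "Mail")
        os.makedirs(docs)
        os.makedirs(mail)
        with open(os.path.join(docs, "letter.txt"), "w") as f:
            f.write("constructed sample document\n")
        with open(os.path.join(mail, "inbox.dbx"), "wb") as f:
            f.write(b"\x00\x01constructed mailbox bytes")
        out = os.path.join(tmp, "backups")
        os.makedirs(out)
        archive = make_backup([docs, mail], out, date(2009, 11, 19))
        entries = sorted(read_manifest(archive))
        restore_dir = os.path.join(tmp, "restore")
        clean = restore_backup(archive, restore_dir)
        # Simulate a corrupted restore: append a byte to one restored file.
        with open(os.path.join(restore_dir, "Documents", "letter.txt"), "a") as f:
            f.write("x")
        dirty = check_tree(read_manifest(archive), restore_dir)
    return entries, clean, dirty


if __name__ == "__main__":
    print(demo())
```

Point make_backup() at your own Documents, mail store and download folders and run it from a daily scheduled task; keep the dated archives on a second disk or external drive as the post above suggests, and run restore_backup() into a scratch folder now and then to prove the copies are good.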

Will do.

I appreciate the advice as well as all of your help and quick responses to my questions. Even if everything Avast detected on my machine turned/turns out to be FP, I learned quite a bit about the process and viruses themselves. I can honestly say I never gave it much thought in the past. I feel quite a bit more confident that I can help better prevent these kinds of things from happening in the future and how to fight them if they do. I certainly will recommend Avast to anyone looking for a reliable AV software.

Thanks again, David.

You’re welcome.