AVAST Flagging everything starting as INFECTED

Hello

I had been using AVAST for the last 4 years and never had such headaches as I have been facing since I started using AVAST 5 Edition (FREE) about three months ago.

Since yesterday, as soon as I start any APP, there is a pop-up from AVAST saying it is infected (although these APPS have been in use for years without any problem).

Typical POP UP message reads:

Malicious URL Blocked
Avast Network Shield has blocked a threat. No further action is required
Object: tigiporon.cc/e.exe
Infector URL: Mal
Action Blocked
Process (the path of the blocked app is mentioned)

The Threat was detected and blocked just before connecting to the URL

And this has been going on for all the apps started since yesterday.
I have since done scans with AVAST (quick and boot time), HitmanPro, Spybot S&D, SuperAntiSpyware, Malwarebytes, TDSSKiller etc. - the usual security utilities I have at my disposal - but all scans are coming back clean and the problem continues.

Otherwise the PC is working fine - there are no slowdowns, no excessive CPU/memory consumption noticed, no suspicious process in the Task Manager list, and all the APPS after start are working as usual - THE ONLY IRRITATING ISSUE IS THAT ALL APPS ARE BEING FLAGGED INFECTED BY AVAST POP UPS (I have even uploaded the virus chest to AVAST, thinking maybe false positive issues, but even after the latest update AVAST still flags all apps as infected).

I am pasting here some portions of the AVAST LOGS:

avast! Antirootkit, version 1.0
Scan started: Thursday, August 19, 2010 10:48:08 PM

Scan finished: Thursday, August 19, 2010 10:48:11 PM
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0


nshield log

15.08.2010 13:58:18 Network Shield: blocked access to malicious site tigiporon.cc/f.exe [ E:\APP LAUNCHER FOLDER NEW\PASSIVE USEFUL APPS\TEXT MAGICIAN-UTILITY FOR TEXT FILES-PORTABLE\Text Magician\uninstall.exe ( 2032 ) ]
18.08.2010 01:41:02 Network Shield: blocked access to malicious site tigiporon.cc/f.exe [ E:\META FOLDER-DOWNLOADS\DJVU Viewer\DjVuLibre\djview.exe ( 3344 ) ]
18.08.2010 06:00:42 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\PORTABLE APPS\SWEEP RAM-ram optimizer-STANDALONE\SweepRAM.exe ( 936 ) ]
18.08.2010 06:25:50 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ ??\C:\WINDOWS\system32\winlogon.exe ( 460 ) ]
18.08.2010 06:30:54 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\uTORRENT\utorrent.exe ( 1552 ) ]
18.08.2010 06:32:22 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ ??\C:\WINDOWS\system32\winlogon.exe ( 468 ) ]
18.08.2010 06:38:26 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ ??\C:\WINDOWS\system32\winlogon.exe ( 468 ) ]
18.08.2010 06:40:50 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ ??\C:\WINDOWS\system32\winlogon.exe ( 468 ) ]
18.08.2010 07:11:39 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\uTORRENT\utorrent.exe ( 720 ) ]
18.08.2010 07:29:36 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\PORTABLE APPS\FIREFOX-OLD STABLE\FirefoxPortable\App\firefox\firefox.exe ( 2036 ) ]
18.08.2010 07:31:24 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\WORD DOC PROCESSOR-JARTE-PORTABLE\Jarte.exe ( 1412 ) ]
18.08.2010 08:11:54 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\MP3 FILES MERGER-MERGEMP3-PORTABLE\MergeMP3.exe ( 2240 ) ]
18.08.2010 08:16:54 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\MP3 FILES MERGER-MERGEMP3-PORTABLE\MergeMP3.exe ( 3460 ) ]
18.08.2010 08:30:04 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\WORD DOC PROCESSOR-JARTE-PORTABLE\Jarte.exe ( 4040 ) ]

19.08.2010 15:37:42 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\7 zip-Portable\7-ZipPortable\App\7-Zip\7zFM.exe ( 2064 ) ]
19.08.2010 16:07:20 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\uTORRENT\utorrent.exe ( 360 ) ]
19.08.2010 16:13:31 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\FOOBAR MEDIA PLAYER-PORTABLE VERSION\foobar2000\foobar2000.exe ( 2256 ) ]
19.08.2010 18:29:07 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\EVERYTHING STABLE VERSION\Everything-1.2.1.371.exe ( 3804 ) ]
19.08.2010 20:35:41 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\PORTABLE APPS\FIREFOX-OLD STABLE\FirefoxPortable\App\firefox\firefox.exe ( 2576 ) ]
19.08.2010 21:40:24 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\ACTIVE DOWNLOADS\SpywareBlaster\SpywareBlaster\spywareblaster.exe ( 2988 ) ]
19.08.2010 21:50:50 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\CCLEANER-PORTABLE\CCleaner.exe ( 4068 ) ]
19.08.2010 22:42:13 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\PORTABLE APPS\FIREFOX-OLD STABLE\FirefoxPortable\App\firefox\firefox.exe ( 1632 ) ]
19.08.2010 22:43:32 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\USEFUL CRUCIAL UTILITIES FOLDER\uTORRENT\utorrent.exe ( 1400 ) ]

avast! Real-time Shield Scan Report

  • This file is generated automatically
  • Started on: Thursday, August 19, 2010 1:26:23 AM

8/19/2010 9:41:59 PM C:\Documents and Settings\Daksh\Local Settings\Temporary Internet Files\Content.IE5\2HOZGBE1\e[1].exe [L] Win32:Malware-gen (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
8/19/2010 9:42:00 PM C:\DOCUME~1\Daksh\LOCALS~1\Temp\xxxxx [L] Win32:Malware-gen (0)
File was successfully moved to chest…
8/19/2010 9:42:49 PM C:\DOCUME~1\Daksh\LOCALS~1\Temp\lllll [L] Win32:Malware-gen (0)
File was successfully moved to chest…
8/19/2010 9:43:07 PM C:\DOCUME~1\Daksh\LOCALS~1\Temp\rrrrr [L] Win32:Malware-gen (0)
File was successfully moved to chest…

I have done the usual ESSEX BOY protocol of downloading ComboFix, TDSSKiller and OTS.exe, and that too is not resolving the issue.

So here is a request for one and all to suggest ways to tackle this irritant, failing which, I guess there is no option but to re-install Windows (sadly so).

Hoping for the earliest reply

Q2NA
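As an added example (not code from the thread or from avast), a small parser for the Network Shield log format pasted above: it counts blocked connections per process image and per target domain, and lists any process running from the Windows directory. The sample lines are constructed to match the thread's format, and the "looks infected" heuristic is this example's own assumption, not an avast rule.

```python
import re
from collections import Counter

# Constructed sample lines in the avast 5 Network Shield log format quoted above
# (the thread's URL pattern, paths shortened). The last line is deliberate noise.
SAMPLE_LOG = "\n".join([
    r"18.08.2010 06:00:42 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\PORTABLE APPS\SweepRAM.exe ( 936 ) ]",
    r"18.08.2010 06:25:50 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ ??\C:\WINDOWS\system32\winlogon.exe ( 460 ) ]",
    r"18.08.2010 06:30:54 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ E:\UTILS\uTORRENT\utorrent.exe ( 1552 ) ]",
    r"18.08.2010 06:32:22 Network Shield: blocked access to malicious site tigiporon.cc/e.exe [ ??\C:\WINDOWS\system32\winlogon.exe ( 468 ) ]",
    r"19.08.2010 15:37:42 Network Shield: blocked access to malicious site tigiporon.cc/f.exe [ E:\UTILS\7-Zip\7zFM.exe ( 2064 ) ]",
    "this line is not a Network Shield event and must be skipped",
])

LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"Network Shield: blocked access to malicious site (?P<url>\S+) "
    r"\[ (?P<path>.+?) \( (?P<pid>\d+) \) \]$"
)

def parse_nshield(text):
    """One dict per well-formed event line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            # avast prints NT object paths with a "??\" prefix; drop it.
            ev["path"] = ev["path"].lstrip("?\\")
            ev["pid"] = int(ev["pid"])
            events.append(ev)
    return events

def summarize(events):
    """Blocks per process image, per URL and per domain, plus images running
    from the Windows directory (assumed here to be C:\\WINDOWS)."""
    images = Counter(ev["path"].rsplit("\\", 1)[-1].lower() for ev in events)
    urls = Counter(ev["url"] for ev in events)
    domains = Counter(ev["url"].split("/", 1)[0] for ev in events)
    system_procs = sorted({ev["path"] for ev in events
                           if ev["path"].lower().startswith("c:\\windows\\")})
    return {"images": images, "urls": urls, "domains": domains,
            "system_procs": system_procs}

def host_looks_infected(summary, min_images=3):
    """Heuristic assumed by this example, not an avast rule: several unrelated
    images, one of them a system process, all reaching one domain points at
    code running inside the host's processes rather than at the apps."""
    return (len(summary["images"]) >= min_images
            and len(summary["domains"]) == 1 and bool(summary["system_procs"]))
```

Running `summarize(parse_nshield(SAMPLE_LOG))` over the real nshield log instead of the sample shows the same picture the thread describes: one domain, many unrelated images, winlogon.exe among them.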

Hi qrius2noall,

Domains matching tigiporon.cc were found in our database.

62 other active domains were found on 35 IP(s) for AS12695 (DINET)

A dangerous site: http://www.urlvoid.com/scan/tigiporon.cc
http://www.threatlog.com/search/tigiporon.cc
2010-04-08 tigiporon.cc/f.exe online Executable EXE defe9ed144978a0b2d2146bfd0fa2b8b 230'400 (Anubis report, Wepawet report) n/a 28/39 (71.79%) - win32.Katusha kind of malware, avast detects as Win32:Malware-gen
Also see:
http://support.clean-mx.de/clean-mx/viruses.php?domain=tigiporon.cc&sort=id%20desc
http://anubis.iseclab.org/?action=result&task_id=160fea1ee4a6d11546d5ea18b5a8e8ccc

polonus

Thanks Polonus for your quick reply, although what you have replied is like LATIN to me. What am I supposed to do now? Is the PC infected or not? What shall be done next?

The links posted by you in reply - what to do with these? Please reply as if replying to a NEWBIE.

Thanks and waiting for your reply

Q2NA

Hi qrius2noall,

You should let the avast shields do their work; they protect you from getting malscript onto your computer.
They will prevent you from connecting to suspicious sites. Not only did avast find the malicious javascript on the site you tried to visit, google's Unmasked Parasites found it also. Avast is the best av solution to find these. If you have been disabling avast shields to still go there (unwise action!) then fully scan your computer with MBAM: http://malwarebytes.org/mbam-download.php
and give us a scan report as an attached txt file. Trust avast; it is good at finding reputable websites that have become hacked and injected with malware. This injection of malcode via various exploit vectors happens at a rate of one site per 3.6 seconds.

Stay safe and secure,

polonus

Thanks a lot Polonus, for your reply.

Apparently there is some confusion, either in my description or in your understanding of the situation, so here we go again:

Even starting my usual desktop applications (I have not started or visited any site yet) like a text or WordPad editor, MP3 player, desktop search tool etc. - in short any APP (which I have been using for years without any trouble) - gets them flagged as INFECTED and moved to the chest. I am not disabling or stopping any shield or any other function of AVAST. But at the same time, how can everything be corrupted in spite of AVAST (always current & updated) running? So all I want to know is:

1. Whether these flagging pop-ups of AVAST are benign false positives - in that case I need not worry (although it is irritating to continuously get these pop-ups) - or THE PC IS INFECTED WITH SOMETHING - in that case I want to know what needs to be done.

As written in my previous post, the PC otherwise is working OK (except these AVAST POP UPS) and the INITIAL QUICK SCANS done by AVAST and many other SPYWARE/MALWARE SCANNERS are clean, although I won't mind DOING DETAILED FULL SCANS if the AVAST EVANGELISTS so desire and posting the logs here for your perusal. So please suggest what exactly needs to be done.

The AVAST SHIELD logs posted in the 1st post here - what do these suggest to you? Is there any GENUINE THREAT TO THE PC or not? Avast is moving everything to the chest, and in the last 2 days alone the size of the chest has grown to almost 200 MB, so what to do about this ISSUE?

Also the object mentioned in the log, tigiporon.cc/e.exe - how is this object related to my PC, since I don't remember ever having visited that domain? So HOW IS IT THAT AVAST is blocking that URL? I just start my portable Firefox browser (without clicking any site or any address) and the AVAST POPUP comes just on starting this browser.

The situation is really confusing, as there are so many posts similar to this and we don't even know WHAT NEEDS OR NEEDN'T BE DONE - SO ALL EVANGELISTS, PLEASE COME TO THE RESCUE OF AVAST LOVERS.

Waiting earnestly for your suggestions

Q2NA

  1. Run a boot time scan with avast. (32bit only)
  2. Run free Mbam, as polonus said, post your results here…!

asyn

@ qrius2noall

Please go to PROFILE, then Modify Profile, then Forum Profile Information, then "Please select your country:", then Signature:, and put information about your system just like Asyn's signature and my signature, so that the helpers can offer pertinent advice.

C:\WINDOWS\system32\winlogon.exe - this may well be infected.

OTL - Download (or alternative link here and here) to your desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in:

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
winlogon.exe
explorer.exe
/md5stop

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please attach both logs.