Avast found 100 infected files, now what?

Avast found 100 infected files. Roughly 90 were called win32:parite and located in c:\system volume information/_restore…

Another was called win32:trojan-gen, and that was in c:\windows\system32.

Another few were called HTML:Malware-gen.

And a few others.

I moved them all to the Chest because REPAIR would not work. Avast then said move to Chest, so I did.

I originally used ClamWin virus protection and it found all these as well. I removed the ClamWin program to use Avast, and Avast found them too.

Now what? Do I let them sit in the Chest? Do I remove them all?

I am totally new at this. Thanks so much.

Avast found 100 infected files. Roughly 90 were called win32:parite and located in c:\system volume information/_restore…
We are not concerned with things in RESTORE,
but I am concerned about how they got there, and whether the installer is still around somewhere.

Another was called win32:trojan-gen, and that was in c:\windows\system32.

Another few were called HTML:Malware-gen.

If these are in the Chest,
could you create a folder “Suspect”:
C:\suspect
Go to avast and exclude C:\suspect so avast will not find it,
then go to the Chest and export the -gen detections,
then go online to “virustotal”
and navigate to C:\suspect and upload the detections to VirusTotal.
Post the links to the results.

And a few others.

I moved them all to the Chest because REPAIR would not work. Avast then said move to Chest, so I did.

I originally used ClamWin virus protection and it found all these as well. I removed the ClamWin program to use Avast, and Avast found them too.

Now what? Do I let them sit in the Chest? Do I remove them all?
NO, LEAVE THEM IN THE CHEST. THEY ARE SAFE THERE.

I am totally new at this. Thanks so much.

Step two
Download from the Malwarebytes.org products page, update and run ROGUE REMOVER FREE.
Post the log if it finds anything.
Then install, update and run MALWAREBYTES ANTI-MALWARE (FREE): update, then scan.
Check any hits,
THEN CLICK
REMOVE SELECTED (a backup will be made).
Post the log.

Step three
Download, update, and scan and clean with SuperAntiSpyware.
Quarantine; do not delete/remove.
Post the log.
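The export-and-look-up step above, as an added example (this is not code from the thread, from Avast or from VirusTotal): a Python script that hashes every file exported into the excluded suspect folder and builds a VirusTotal lookup URL from the hash. Looking a hash up first shows whether VirusTotal already knows the file, so only unknown files need to be uploaded, and the hashes are what you paste into a forum post if the report links ever change. The C:\suspect path, the file names in the demo and the current VirusTotal URL form are assumptions of the example; the /analisis/<md5> links posted later in the thread used the older 2008 form.

```python
"""Hash files exported from the Chest and build VirusTotal lookup URLs.

Added example; not code from the thread, Avast or VirusTotal. It assumes the
excluded C:\\suspect folder the post describes. A hash lookup tells you whether
VirusTotal already knows the file, so only unknown files need uploading.
"""
import hashlib
import os
import tempfile

# Assumption: current VirusTotal report URL form, keyed by SHA-256.
VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 hex digests plus the lookup URL for an in-memory blob."""
    sha256 = hashlib.sha256(data).hexdigest()
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": sha256,
        "vt_url": VT_FILE_URL.format(sha256=sha256),
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so a large sample never has to fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    digest = sha256.hexdigest()
    return {
        "path": path,
        "size": os.path.getsize(path),
        "md5": md5.hexdigest(),
        "sha256": digest,
        "vt_url": VT_FILE_URL.format(sha256=digest),
    }


def hash_directory(root: str) -> list:
    """Hash every regular file below root (the suspect folder), sorted by path."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            results.append(hash_file(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: r["path"])


def manifest(results: list) -> str:
    """Tab-separated lines, one per file, ready to paste into a forum post."""
    rows = ["sha256\tmd5\tsize\tfile\tlookup"]
    for r in results:
        rows.append(
            f"{r['sha256']}\t{r['md5']}\t{r['size']}\t"
            f"{os.path.basename(r['path'])}\t{r['vt_url']}"
        )
    return "\n".join(rows)


def demo() -> list:
    """Constructed stand-in for C:\\suspect: two harmless files in a temp dir."""
    with tempfile.TemporaryDirectory() as suspect:
        with open(os.path.join(suspect, "sample1.bin"), "wb") as fh:
            fh.write(b"abc")          # constructed content, not a real sample
        with open(os.path.join(suspect, "sample2.bin"), "wb") as fh:
            fh.write(b"")             # zero-byte file: hashes are still defined
        return hash_directory(suspect)


if __name__ == "__main__":
    print(manifest(demo()))
```

Point the script at the real suspect folder by calling hash_directory(r"C:\suspect"); the resident scanner must already exclude that folder, otherwise the files are gone before they are hashed.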

Let’s see what we have here.

Win32:parite should be covered by avast! cleaner (Variants A-C only).

I need your avast! warning log.

YOU ARE AWESOME.

Here are the links I got back for the non-win32:parite files:

http://www.virustotal.com/analisis/df6b00fc1489f1ab58b840ae13c902f6

http://www.virustotal.com/analisis/eaf029aba406f37e0849e44a986f3163

http://www.virustotal.com/analisis/54149bcd78b516bcaf4a4f4c748b659b

http://www.virustotal.com/analisis/310debd00fef1c96b2f9e7941bb81d7b

http://www.virustotal.com/analisis/8b3a13db68ab0216e26206926586d44a

http://www.virustotal.com/analisis/76602570109cfde5b0e2c85dc9111113

http://www.virustotal.com/analisis/e4da7819a6c45689f34ed93a33c3b342

Disable System Restore on Windows ME, XP or Vista. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After disabling you can enable it again. To use System Restore it’s necessary to disable avast! self-protection: avast! settings > Troubleshooting > Disable avast! self-defence module, then start a System Restore.

Leave them in the Chest for further analysis… wait a week or two… be sure you’re clean first.
I suggest:

  1. Clean your temporary files.
  2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log to the on-line analysis.
  6. Immunize your system with SpywareBlaster or Windows Advanced Care.
  7. Check if you have insecure applications with Secunia Software Inspector.

Here are the links I got back for the non-win32:parite files.
CHECK YOUR LOG: WHAT VERSION OF win32:parite?
You can also upload it to VirusTotal for an ID.

Many removers, including Avast’s, do not work on some of the more obscure versions of Win32:Parite.
We just went through this with another poster.
Here is one that has been recently updated:
http://www.softpedia.com/get/Antivirus/Win32-Parite-Remover.shtml
If we had an ID we’d have a better shot.

Plenty of things to do.
http://www.virustotal.com/analisis/df6b00fc1489f1ab58b840ae13c902f6
is
http://www.spyware-techie.com/iedefender-removal-guide/
This will require SMITFRAUDFIX; we will do this later.

http://www.virustotal.com/analisis/eaf029aba406f37e0849e44a986f3163
may also be IE Defender.

http://www.virustotal.com/analisis/54149bcd78b516bcaf4a4f4c748b659b
Smitfraudfix should help clean up this one.

http://www.virustotal.com/analisis/310debd00fef1c96b2f9e7941bb81d7b
is
Win-Fixer
http://www.free-web-browsers.com/support/remove-winfixer.shtml
Downloader.Purityscan

Win-Fixer may also be a symptom of a VUNDO infection,
as you can see from this:
http://www.spywaredb.com/remove-winfixer/
Removing WinFixer by hand would be a real pain.

http://www.virustotal.com/analisis/8b3a13db68ab0216e26206926586d44a
http://www.virustotal.com/analisis/76602570109cfde5b0e2c85dc9111113
http://www.virustotal.com/analisis/e4da7819a6c45689f34ed93a33c3b342
http://research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.IRC.Zapchast&threatid=43753
http://www.emsisoft.com/en/malware/?Adware.Win32.Backdoor.IRC.Zapchast

Trojan:IRC/WinBot
http://www.castlecops.com/t221696-.html
Trojan.Zapchas.F
http://antivirus.about.com/b/2006/05/21/trojans-masquerade-as-postcard.htm

etc.

Let’s see how much of this SAS and MBAM can get.
I do not mean the files in the Chest, but the other files, registry entries etc. associated with these infections.
We may later run VUNDOFIX and Smitfraudfix, but not till after the general-purpose scans.

wyrmrider, I appreciate your help greatly, but I am not sure what you are asking me to do with your comments under each link I gave.

I am now running the win32/parite remover you suggested, and that will take all day as did yesterday’s scan, correct? Is this a week-long process to get rid of these things?

Once this win32/parite remover is complete, then what’s next? I don’t really understand what you are saying I need to do below each link I gave.

Thanks

See my reply #4.

Tech, I ran avast originally and it found all these infections to begin with. Now they are in the Chest as suggested by wyrmrider. Now that they are in the Chest, don’t I need to get rid of them? I’m running all these scans and they all say I have a virus. I know how to run the scans, I just don’t know how to remove the files.

There is no rush to get rid of chested files… leave them one or two weeks, then right-click them and rescan. If they continue to be detected as infected, you can delete them. This can avoid deletion of clean files previously detected as infected (false positives).

First I want you to do what is in my post 1, which is similar to the first few items in TECH’s post 4.
After you post up the MBAM and SAS logs we’ll see if any of the remnants shown in your VirusTotal references are still around.
We want to get as much as possible with the general-purpose scans.

Avast has the active agent safely in the Chest;
there will still be lots of “fragments” or “traces” - CRAPOLA.
Unfortunately there may still be an installer lurking.

Sorry I was not clear, but we need to walk before we run:
do not run SDFIX, COMBO FIX, VUNDOFIX, Smitfraudfix or any other special fixes till we make sure we have identified all the problems and do not have an active infection.

Your work with VirusTotal was spot on, as we can now see the various infections you have,
and we think that Avast has de-activated them.

I’ve never run that Parite removal tool; let’s see what it finds.
There are about 30 versions of that infection and no tool gets them all;
that’s why I suggested sending your hit to VirusTotal for a positive ID.

You did a great job, by the way.
Do not be overwhelmed with the findings.
Some of the Google hits I posted last night were FYI, not a roadmap to start on.
Start from the first post and work down.

Keep up the good work.

I want to consult with some of the team here before deciding which FIXes are the most appropriate.

IF YOU HAVE “RUN ALL THESE SCANS”, post up the logs.

Remember that items in RESTORE are not a concern.
Also, unless you pause avast it will find things when they are unpacked and scanned by the other scanners.

OK, here are the 3 logs:

Malwarebytes’ RogueRemover
Malwarebytes ©2007 http://www.malwarebytes.org
6290 total fingerprints loaded.

Loading database …
Expanding environmental variables …

Scanning files … [ 100% ].
Scanning folders … [ 100% ].
Scanning registry keys … [ 100% ].
Scanning registry values … [ 100% ].

RogueRemover has detected rogue antispyware components! Results below…

Type: File
Vendor: WinAntiVirus 2006
Location: C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\Abbr
Selected for removal: No

Type: File
Vendor: WinAntiVirus 2006
Location: C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ActivationCode
Selected for removal: No

Type: File
Vendor: WinAntiVirus 2006
Location: C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ProductCode
Selected for removal: No

Type: File
Vendor: AntiVirus Golden
Location: C:\Program Files\AV\AntivirusGolden 3.7\AntivirusGolden AntivirusGolden.url
Selected for removal: No

Type: File
Vendor: AntiVirus Golden
Location: C:\Program Files\AV\AntivirusGolden 3.7\Logs\scan_log_04102007-145911.html
Selected for removal: No

Type: File
Vendor: AntiVirus Golden
Location: C:\Program Files\AV\AntivirusGolden 3.7\Logs\scan_log_04102007-145954.html
Selected for removal: No

Type: Folder
Vendor: WinAntiVirus 2006
Location: C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007
Selected for removal: No

Type: Folder
Vendor: WinAntiVirus 2006
Location: C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data
Selected for removal: No

Type: Folder
Vendor: AntiVirus Golden
Location: C:\Program Files\AV\AntivirusGolden 3.7
Selected for removal: No

Type: Folder
Vendor: AntiVirus Golden
Location: C:\Program Files\AV\AntivirusGolden 3.7\Logs
Selected for removal: No

Type: Registry Key
Vendor: WinAntiVirus 2006
Location: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FOPN
Selected for removal: No

Type: Registry Key
Vendor: WinAntiVirus 2006
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FOPN
Selected for removal: No

RogueRemover has found the objects above.

2nd log

Malwarebytes’ Anti-Malware 1.28
Database version: 1200
Windows 5.1.2600 Service Pack 3

9/23/2008 12:44:47 PM
mbam-log-2008-09-23 (12-44-47).txt

Scan type: Quick Scan
Objects scanned: 63792
Time elapsed: 9 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system\sounds (Backdoor.Bot) → Quarantined and deleted successfully.
C:\WINDOWS\system\logs (Backdoor.Bot) → Quarantined and deleted successfully.
C:\WINDOWS\system\download (Backdoor.Bot) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007 (Rogue.WinAntivirus) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data (Rogue.WinAntivirus) → Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\Abbr (Rogue.WinAntivirus) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ActivationCode (Rogue.WinAntivirus) → Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ProductCode (Rogue.WinAntivirus) → Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temp\dat6A.tmp (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\system\users.ini (Backdoor.Bot) → Quarantined and deleted successfully.
C:\WINDOWS\system\servers.ini (Backdoor.Bot) → Quarantined and deleted successfully.
C:\WINDOWS\system\remote.ini (Backdoor.Bot) → Quarantined and deleted successfully.
C:\WINDOWS\system\mirc.ini (Backdoor.Bot) → Quarantined and deleted successfully.
C:\WINDOWS\system\mirc.ico (Backdoor.Bot) → Quarantined and deleted successfully.
C:\WINDOWS\system\control.ini (Backdoor.Bot) → Quarantined and deleted successfully.
C:\WINDOWS\system\aliases.ini (Backdoor.Bot) → Quarantined and deleted successfully.

3rd log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/23/2008 at 01:45 PM

Application Version : 4.21.1004

Core Rules Database Version : 3577
Trace Rules Database Version: 1565

Scan type : Quick Scan
Total Scan Time : 00:45:48

Memory items scanned : 805
Memory threats detected : 0
Registry items scanned : 548
Registry threats detected : 1
File items scanned : 10152
File threats detected : 32

Adware.Tracking Cookie
C:\Documents and Settings\Lou\Cookies\lou@2o7[1].txt
C:\Documents and Settings\Lou\Cookies\lou@specificclick[2].txt
C:\Documents and Settings\Lou\Cookies\lou@ads.pointroll[1].txt
C:\Documents and Settings\Lou\Cookies\lou@bs.serving-sys[1].txt
C:\Documents and Settings\Lou\Cookies\lou@serving-sys[2].txt
C:\Documents and Settings\Lou\Cookies\lou@tacoda[1].txt
C:\Documents and Settings\Lou\Cookies\lou@revsci[1].txt
C:\Documents and Settings\Lou\Cookies\lou@cdn.at.atwola[1].txt
C:\Documents and Settings\Lou\Cookies\lou@at.atwola[1].txt
C:\Documents and Settings\Lou\Cookies\lou@ar.atwola[2].txt
C:\Documents and Settings\Lou\Cookies\lou@autoupdate.windowsmedia[2].txt
C:\Documents and Settings\Lou\Cookies\lou@atwola[1].txt
.atwola.com [ C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\mdvr2k8g.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\mdvr2k8g.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\mdvr2k8g.default\cookies.txt ]
.edge.ru4.com [ C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\mdvr2k8g.default\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\mdvr2k8g.default\cookies.txt ]
.atdmt.com [ C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\mdvr2k8g.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\mdvr2k8g.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\mdvr2k8g.default\cookies.txt ]
.tacoda.net [ C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\mdvr2k8g.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3se1p68x.default\cookies.txt ]
.2o7.net [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3se1p68x.default\cookies.txt ]
.atwola.com [ C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3se1p68x.default\cookies.txt ]

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#mav_startupmon [ “C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe” ]
C:\UWA7P\Quar
C:\WINDOWS..\UWA7P

Malware.AntiVirusGolden
C:\Program Files\AV\AntivirusGolden 3.7\AntivirusGolden AntivirusGolden.url
C:\Program Files\AV\AntivirusGolden 3.7\Logs\scan_log_04102007-145911.html
C:\Program Files\AV\AntivirusGolden 3.7\Logs\scan_log_04102007-145954.html
C:\Program Files\AV\AntivirusGolden 3.7\Logs
C:\Program Files\AV\AntivirusGolden 3.7

Trojan.Smitfraud Variant
C:\SUSPECT\A0090869.EXE
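Reading three scanner logs by eye is where remnants get missed, so here is an added example (not from the thread, and not Malwarebytes code) that parses the two formats posted above and answers the questions the helpers keep asking: which families turned up, was everything actually quarantined, what did RogueRemover find but not remove, and which hits sit in places that matter. The excerpts are constructed from the logs in the post, and the ranking of locations (System Restore copies and cookies low, anything beside the OS or in a Run key high) is an assumption of this example, not something either tool reports.

```python
"""Triage MBAM and RogueRemover logs: what was removed, what was only found.

Added example, not from the thread or from Malwarebytes. The sample text is a
constructed excerpt of the logs posted above. The risk ranking by location is
an assumption of this example, not something either tool reports.
"""
import re
from collections import Counter

# Constructed excerpt of the Malwarebytes' Anti-Malware log in the post.
MBAM_LOG = r"""
Folders Infected:
C:\WINDOWS\system\sounds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Admin\Local Settings\Temp\dat6A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system\mirc.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system\remote.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

# Constructed excerpt of the first RogueRemover log (nothing selected for removal).
RR_LOG = r"""
Type: File
Vendor: WinAntiVirus 2006
Location: C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ActivationCode
Selected for removal: No

Type: Registry Key
Vendor: WinAntiVirus 2006
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FOPN
Selected for removal: No
"""

# "path (Family) -> action"; the arrow is "->" or "→" depending on how the log was pasted.
MBAM_LINE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) (?:->|→) (?P<action>.+)$")


def parse_mbam(text: str) -> list:
    """One dict per detection line: path, family, action taken."""
    items = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            items.append({"path": m["path"], "family": m["family"], "action": m["action"]})
    return items


def parse_roguremover(text: str) -> list:
    """Blank-line separated 'Key: value' records -> list of dicts (keys lower-cased)."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def location_risk(path: str) -> str:
    """Assumed heuristic: how much a detection at this location should worry you."""
    p = path.lower()
    if "system volume information" in p:
        return "low"        # stale System Restore copies, as the thread says
    if "\\cookies\\" in p or p.endswith("cookies.txt"):
        return "low"        # tracking cookies are privacy noise, not an infection
    if p.startswith("hk") and "\\run" in p:
        return "high"       # autorun entry: something was set to start with Windows
    if "\\windows\\system32" in p or "\\windows\\system\\" in p:
        return "high"       # lives beside the OS, typical of bots and droppers
    if "\\temp\\" in p:
        return "medium"     # dropped on the way in; the dropper may still be around
    return "medium"


def triage(mbam_text: str, rr_text: str) -> dict:
    """Summarise both logs into the facts a helper asks for next."""
    mbam = parse_mbam(mbam_text)
    rr = parse_roguremover(rr_text)
    return {
        "families": dict(Counter(i["family"] for i in mbam)),
        "high_risk_paths": [i["path"] for i in mbam if location_risk(i["path"]) == "high"],
        "all_quarantined": all("quarantined" in i["action"].lower() for i in mbam),
        "rr_found_not_removed": [r["location"] for r in rr
                                 if r.get("selected for removal", "").lower() != "yes"],
    }


if __name__ == "__main__":
    for key, value in triage(MBAM_LOG, RR_LOG).items():
        print(f"{key}: {value}")
```

Run it over the full logs by reading the saved .txt files instead of the embedded excerpts; the second RogueRemover log in the thread, where both keys show "Selected for removal: Yes", would come back with an empty rr_found_not_removed list.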

UH.
Could you run Rogue Remover again and remove what it finds?
I’ll look closer after lunch.
You’ll notice Smitfraud, which is also one of the things found in your VirusTotal work.
Post the RR log.

Here is the new log for the Rogue Remover. You are awesome, by the way, and I can’t thank you enough for getting me through this.

Malwarebytes’ RogueRemover
Malwarebytes ©2007 http://www.malwarebytes.org
6290 total fingerprints loaded.

Loading database …
Expanding environmental variables …

Scanning files … [ 100% ].
Scanning folders … [ 100% ].
Scanning registry keys … [ 100% ].
Scanning registry values … [ 100% ].

RogueRemover has detected rogue antispyware components! Results below…

Type: Registry Key
Vendor: WinAntiVirus 2006
Location: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FOPN
Selected for removal: Yes

Type: Registry Key
Vendor: WinAntiVirus 2006
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FOPN
Selected for removal: Yes

RogueRemover has found the objects above.

Hmmm, looks like RR found a couple that MBAM missed; not unusual, but usually it’s the other way around.

You may want to run
www.bleepingcomputer.com/files/smitfraudfix.php
to see if there are any late variants not caught already.
Follow the instructions exactly, as this is a powerful tool.

Then read the sticky at the top of this forum and post a HJT log with the Smitfraudfix log.

I ran Smitfraud and it is asking if I want to clean the registry? Ugghhh.

Here is the Smitfraud log - I did NOT clean the registry when asked if I wanted to.

SmitFraudFix v2.354

Scan done at 11:34:23.04, Wed 09/24/2008
Run from C:\Documents and Settings\Lou\Desktop\Unused Desktop Shortcuts\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri’s WS2Fix: LSP not Found.

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 11a/b/g Wireless LAN Mini PCI Express Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip..{47AE49B3-E724-4C00-903F-055EF3F8E75C}: DhcpNameServer=192.168.1.1

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“System”=“”

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning not selected.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
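The hosts, DNS and Winlogon sections of that log are the ones worth understanding, because they are where this family of rogues hides. As an added example (not from the thread and not SmitFraudFix code), here is a Python version of those three checks: a hosts-file audit that separates "security site pointed at loopback" from "sensitive site pinned to a fixed address", a comparison of the active DNS search order against the DHCP-assigned server (the two 192.168.1.1 lines in the log), and the Winlogon System value, which should be empty as it is above. The domain lists and the sample hosts text are constructed assumptions for the example.

```python
"""Audit the hosts file and DNS settings the way the SmitFraudFix log shows them.

Added example; not from the thread and not SmitFraudFix code. Rogue "antivirus"
families of that era pointed security-vendor sites at 127.0.0.1 in the hosts
file, and DNS changers swapped the resolver for one under the attacker's
control. The log above shows the clean case: one localhost line, and the active
DNS server equal to the DHCP-assigned one. The domain lists and the sample
hosts text below are constructed for this example.
"""
import ipaddress

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Assumed list: sites a rogue blocks so the victim cannot fetch updates or help.
PROTECTED_DOMAINS = ("avast.com", "malwarebytes.org", "superantispyware.com",
                     "virustotal.com", "microsoft.com", "windowsupdate.com")
# Assumed list: sites an attacker redirects to a server of their own.
SENSITIVE_DOMAINS = ("paypal.com", "ebay.com", "google.com")

# Constructed sample, not the poster's file.
HOSTS_SAMPLE = """
# constructed hosts file for the example
127.0.0.1 localhost
127.0.0.1 www.avast.com
127.0.0.1 www.malwarebytes.org
10.0.0.5 intranet.example   # a legitimate static entry
203.0.113.7 www.paypal.com
"""


def parse_hosts(text):
    """(line number, ip, hostname) for every mapping, comments stripped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def _in_domains(name, domains):
    return any(name == d or name.endswith("." + d) for d in domains)


def audit_hosts(text):
    """(line, ip, name, verdict) for every mapping that is not plain localhost."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if ip in LOOPBACK and _in_domains(name, PROTECTED_DOMAINS):
            verdict = "blocked: security/update site pointed at loopback"
        elif ip in LOOPBACK:
            verdict = "review: site blocked via hosts file"
        elif _in_domains(name, SENSITIVE_DOMAINS):
            verdict = "redirected: sensitive site pinned to a fixed address"
        else:
            verdict = "review: static mapping, confirm it is intentional"
        findings.append((lineno, ip, name, verdict))
    return findings


def audit_dns(search_order, dhcp_servers):
    """Flag active resolvers that DHCP did not hand out (a static override)."""
    findings = []
    for server in search_order:
        if server in dhcp_servers:
            continue
        addr = ipaddress.ip_address(server)      # raises on junk, which is itself a finding
        findings.append((str(addr), "review: resolver not assigned by DHCP; find out who set it"))
    return findings


def winlogon_system_ok(value):
    """Winlogon\\System should be empty; rogues set it to a DLL they want loaded."""
    return value.strip() == ""


if __name__ == "__main__":
    for finding in audit_hosts(HOSTS_SAMPLE):
        print(finding)
    print(audit_dns(["192.168.1.1"], ["192.168.1.1"]))   # clean, as in the log
    print(audit_dns(["203.0.113.53"], ["192.168.1.1"]))  # overridden resolver
    print(winlogon_system_ok(""))                        # True, as in the log
```

On the machine itself the inputs come from C:\WINDOWS\system32\drivers\etc\hosts, from the "DNS Server Search Order" and DhcpNameServer lines the log prints, and from the Winlogon System value shown under Winlogon.System.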

I’m not the Smitfraudfix expert; perhaps Polonus or others can take a peek at it.

We also needed to run VUNDOFIX:
http://vundofix.atribune.org/
Read all the instructions (scroll down).

Ran that and it says NO INFECTED FILES WERE FOUND. Yeah baby. Am I done?

Do I leave those win32:parites in the Chest?

Do I delete that folder I titled SELECT that has/had all the viruses in there early on?

Can I delete all those anti-virus programs I installed and just use AVAST?

You are a god!

Hang tight,
we’re down to number 4 on Tech’s list:
rootkit scan, and then look at the sticky at the top of this forum and post a HijackThis log.

Really good news about that last scan.

Did that Parite remover find anything?

We’ll clean up later.

Leave the items in the Chest for like a month.
Did you upload that Parite to VirusTotal?