Avast must have found win32:gamona (trj) to report it. So why is that object not found? Any help will be greatly appreciated.
Sincerely, R. S.
Without more information it is impossible to say for certain.
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections.
Hi David,
The infected file name is: c:\1u0o8bnq.cmd, which I accidentally deleted after trying to move it to the chest and then repair it. My guess is that that file was not actually deleted as it was just reported as an object that could not be found. The boot scan is in progress on my new box, so I don’t want to interrupt it right now, unless you think that is best. The second instance of win32:Gamona is also reported on screen as: C:\System Volume Information\_restore(a really long number here)\rp4\A0000184.cmd. Do you think I should disable restore before I try to move this restore file to the chest? Or should I try to repair it?
I really appreciate your help with this. Thanks.
Disabling system restore will delete the restore points (clean and/or infected ones). If avast moves a file from there to Chest, that particular restore point will be broken (lost) but the others will be left behind (the clean ones).
Based on the name alone and its location I would say it is highly suspect (and probably a good detection) and a google search tends to support that, see http://virscan.org/report/919544cb2f1da46544fbda853994331a.html.
It may have been deleted as that is what I believe is the detection in the system volume information _restore point. So avast may have been trying to deal with the newly created _restore point, and system restore may have locked the original file whilst this was going on; this is unfortunately supposition on my part. Hopefully the boot-time scan will confirm if it has indeed gone.
If you have a look at the above link you will see many of the other detections have different aliases; I think that there may be other elements to this detection.
Trojans generally can’t be repaired as the complete file is malicious. I think we can leave system restore enabled for the time being.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
SUPERantispyware (On-Demand only in free version).
MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
Hi David,
After reading the sticky message from whocares, I deleted my restore points, and did a boot scan. I only have one infected file now with maybe two viruses in it. The file is c:\windows\system32\ckvo1.dll. The file could not be repaired. When I tried to move it to the chest, Avast said it was a windows file, and was I SURE I wanted to move it. Well, I wasn’t sure so I didn’t move it. Later, an avast popup said that same file was infected with the Wi root kit. I deleted that Wi root kit, although I did that before, and it came back!
Any idea what I should do now?
Russ
avast will give that warning for any file in the system32 folder, just in case. I would however suggest you allow it to move it to the chest as a) it doesn’t look like a system file but a randomly generated name, b) google tends to support my suspicion, http://www.google.com/search?q=ckvo1.dll.
Also see, http://www.prevx.com/filenames/239564734122857922-X1/CKVO1.DLL.html which also supports my view about possible other elements.
So run the boot-time scan again and move that file to the chest and then run the other programs I suggested from safe mode.
Thanks for that advice, Tech.
Unfortunately, I already turned off restore by the time I read your message. I hope I won’t need those deleted restore points.
Sincerely, Russ
Thanks for all your help, David.
Deleting the Wi root kit detected by Avast cleared my system of all baddies, according to Avast.
After that, the malwarebytes program found Hijack.System.Hidden in my registry. After deleting that my box scanned clean.
Do you have any suggestions as to what progies I might install to protect my system in the future, as prevention is 9 tenths of the cure?
Sincerely, Russ
You’re welcome.
I would certainly leave MBAM on there and periodically update it and run a scan.
You didn’t post anything about the superantispyware scan, so I assume you have yet to do it, that too is another program I would leave on my system for periodic scans in the same way as MBAM.
Well prevention is usually considered to mean resident protection like avast, so having a resident anti-spyware, like one of the above (never have more than one resident anti-spyware). However, to get resident protection on either of those you would have to pay for the pro version or there is Spyware Terminator which also provides resident protection in the free version. If you choose that don’t install the toolbar or crawler or the anti-virus module.
Do you have any suggestions as to what progies I might install to protect my system in the future?
avast and a firewall.
Maybe you can have others for on-demand scanning: MalwareBytes Antimalware, SuperAntispyware, SpywareTerminator.
Which browser do you use?
Oh… sorry, David posted before 8)
Hi David,
I did run the superantispyware scan, which reported one cookie and one file. I couldn’t figure out what they were, so I assumed they were from google, so I left them. I guess I should have cleaned them out, so I will go do that now, just in case that was a wrong assumption on my part.
I noticed you are running sp3 on your box. I’m running xp pro on pentium 4. Would you recommend sp3 for me? The eula for sp3 seems a bit heavy-handed. It sorta sounds like spyware.
Russ
I didn’t read the EULA ;D for SP3 or SP2 for that matter; it isn’t written in a language that I’m familiar with, ‘gobble dee gook.’
I got a friend to download the complete 316MB for me and I installed it off-line on my old system. On this new system it came pre-installed with XP-Pro SP3 so I didn’t get to read any EULA in any case.
There are many on the forums that have it installed and it provides just a little more than a collation of security updates since SP2, so I would say it is worthwhile. There are however some that experienced a problem, but they are a very small minority.