Avast Shield alert: virus or false alarm?

Hello everyone!

I originally posted this in the Spanish forum, but was advised to come to this one instead :slight_smile:

My problem began a few days ago. A friend of mine told me that he was receiving weird messages from my account via Skype. They were all about me supposedly being lucky in a recent investment project and encouraging him to engage in it too by clicking on a provided link and giving his credit card number for identification purposes. I told my friend that those messages were not mine and not to click on the link. I also sent an e-mail to all my contacts warning them about the scam. He sent me a copy of the conversation, but when I logged into Skype I was able to see only his replies (i.e. “is this you?”, “what are you talking about?”, etc.), but none of my supposed typed messages.

I removed external programs' access to Skype and then scanned my laptop with different programs (Avast, Norton, Malwarebytes and Eset online) to find the virus or malware causing the trouble. With all those combined I found different threats (Bloodhound.Malpe, Trojan.Maljava, a variant of win32/openinstall, etc.) that were luckily removed from my system, as indicated by each antivirus software's log.
Now, 48 hours after the cleaning, my friend says he has not received any more weird Skype messages, which is good. My laptop runs faster and I have no evident problems.

However, just to make sure, yesterday I performed an additional scan of my laptop with Malwarebytes Anti-Rootkit, and in the middle of the scan the Avast Shield alert window popped up reporting 51 temps as potential threats that were repaired, with no further action needed. It also mentioned win32.Enistery and NIS.exe as part of the alert. The Anti-Rootkit came out clean.
Then I scanned with Avast in hopes that it would find the mentioned threats and quarantine/erase them, but the scan came out 100% clean, although, as in the previous case, the alert window popped up in the middle of the scan.

Right now I’m kind of confused. All the programs I ran tell me that my laptop is clean, but at the same time the Avast Shield pops up alerts whenever I run a scan. So, what could this be? I would appreciate any help/advice you can provide. Thanks! :slight_smile:

P.S.: I attached the logs of Malwarebytes (when infected and now that it is, I hope, clean), Eset and OTL. No space to attach the Norton log, but I could send it in my next reply if needed.

Malware experts are notified... check back later today.

“No space to attach the Norton log, but could send it in next reply if needed.”
Does this mean you have more than one AV installed?

EDIT: yes from the OTL log, so it seems…

Never install multiple AVs, as this will give you a slow machine, mysterious Windows errors and false detections.

So one AV has to go. Uninstall one, then use the vendor's removal tool to clear all leftover files that may conflict.

Tools found here: http://singularlabs.com/uninstallers/security-software/
or here: http://www.avast.com/en-eu/faq.php?article=AVKB11#artTitle

Hi, you have been using an infected USB drive, so we will clear that as well.

Download MCShield to your desktop and install it.
It will initially run a scan and show the result as a toaster by the system clock.
Then in the control centre select Scanner and tick “Unhide items on flash drives”.

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and MCShield will start a scan.

Then get the log, which will be here:

Start > all programs > MCShield > logs > all scans

And post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

FINALLY

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O33 - MountPoints2\{f2c43a90-8552-11de-8225-001e3dec2b14}\Shell\AutoRun\command - "" = G:\2xjoj035s06BNl.exe
O33 - MountPoints2\{f2c43a90-8552-11de-8225-001e3dec2b14}\Shell\open\Command - "" = G:\2xjoj035s06BNl.exe

:Commands
[resethosts]
[emptytemp]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Essexboy, thanks for your prompt reply.

I have two questions before running the programs:
- As Pondus noted, I currently have installed and running: Avast, Norton Internet Security and Microsoft Security Essentials. Would it be ok if I uninstall the last two before proceeding with your instructions?
- I suspected a USB drive, as an infection alert popped up as soon as I plugged it in a few weeks ago (because of the alert, I didn’t open it or any of the files in it). I only have two files in the drive that I don’t really need. Would it be ok if I just discard it? Should I run MCShield on an external hard drive that I regularly connect via USB to my laptop?

Yes, uninstall Norton and MSE prior to running the fixes.

No. Run MCShield anyway (don’t forget to attach the log) and keep it. Most regulars here in the forums use it. It is free, it is very light on systems, and it is great for cleaning all kinds of USB devices.

You should have disabled the Avast program’s real-time protection when running the scans. When running scans, it can generate false positives if your AV program’s real-time protection has not been disabled.

@Essexboy, ok. I uninstalled the extra AVs and am downloading the other programs. Will post the logs after running the fixes.

By the way, I think that there might be some time difference between our locations. I mention it just in case there is a long delay in my responses throughout the cleaning process.

@Essexboy,

Attached you’ll find the logs for the infected USB drive and the AdwCleaner log.

@Essexboy,

Attached you’ll find the OTL logs for before and after reboot. Also, I noticed that the “Include 64 bit scans” option did not appear in my OTL menu. Not sure if that could make any difference.

iroc9555 and redwolfe_98, thanks for your comments too :slight_smile:

Could you confirm that the alerts have now ceased?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe -- (vToolbarUpdater17.3.0)
DRV - [2013/11/12 15:58:25 | 000,037,664 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtpx86.sys -- (avgtp)
FF - prefs.js..browser.startup.homepage: "http://mysearch.avg.com/?cid={7BEB4BDC-F1EA-46ED-BB18-1D347CC71880}&mid=a2c1f5f0750243d9bb66d43ed8372200-54932d9664684bfd5f63a2aa595628cc6c60434e&lang=en&ds=sf011&pr=sa&d=2013-09-02 20:35:04&v=15.4.0.5&pid=safeguard&sg=0&sap=hp"
O4 - HKLM..\RunOnceEx: [] File not found
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
[2014/01/28 20:04:31 | 000,000,000 | ---D | C] -- C:\Users\Ursula\AppData\Roaming\AVG
[2014/01/28 20:03:45 | 000,000,000 | ---D | C] -- C:\Program Files\AVG
[2014/01/28 20:02:01 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG
[2014/01/06 00:52:16 | 000,003,738 | ---- | M] () -- C:\Program Files\Mozilla Firefoxsafeguard-secure-search.xml

:Commands
[resethosts]
[emptytemp]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
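As an added example (not from this thread, OTL or its author): a small Python triage helper that applies the rules behind the two OTL fixes above, removable-drive MountPoints2 autorun handlers, “File not found” service/startup leftovers, stale DPF entries and a hijacked Firefox homepage, to OTL-format log lines. The sample lines are constructed from the entry types quoted in the fixes, and the homepage hint list is an assumption.

```python
import re
from typing import Optional

# Constructed sample in OTL log format, modelled on the entry types quoted in the
# two fixes above (the G: autorun handler and the AVG leftovers come from those fixes).
SAMPLE_OTL = r'''
O33 - MountPoints2\{f2c43a90-8552-11de-8225-001e3dec2b14}\Shell\AutoRun\command - "" = G:\2xjoj035s06BNl.exe
O33 - MountPoints2\{f2c43a90-8552-11de-8225-001e3dec2b14}\Shell\open\Command - "" = G:\2xjoj035s06BNl.exe
SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe -- (vToolbarUpdater17.3.0)
FF - prefs.js..browser.startup.homepage: "http://mysearch.avg.com/?cid=example&pid=safeguard"
O4 - HKLM..\RunOnceEx: [] File not found
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
SRV - [2013/11/12 15:58:25 | 000,037,664 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\svchost.exe -- (Example)
'''

# O33 MountPoints2 entries are per-device shell verbs; a handler that launches an
# executable from a removable drive letter is the classic USB autorun infection pattern.
AUTORUN_RE = re.compile(
    r'^O33 - MountPoints2\\\{[0-9a-f-]+\}\\Shell\\(AutoRun|open)\\command - "" = ([A-Za-z]):\\(.+)$',
    re.IGNORECASE)
HOMEPAGE_RE = re.compile(r'^FF - prefs\.js\.\.browser\.startup\.homepage: "(?:https?://)?([^/"]+)')
# Hypothetical hint list for toolbar search hijacks; tune it to your environment.
HIJACK_HINTS = ("mysearch.", "safeguard")


def classify(line: str) -> Optional[str]:
    """Return why a single OTL line matches a removal rule from the fixes, or None."""
    line = line.strip()
    m = AUTORUN_RE.match(line)
    if m and m.group(2).upper() != "C":  # handler target lives on a non-system drive
        return f"MountPoints2 {m.group(1)} handler launches {m.group(2).upper()}:\\{m.group(3)}"
    if line.startswith(("SRV -", "DRV -", "O4 -")) and "File not found" in line:
        return "orphaned service/driver/startup entry (binary missing)"
    if line.startswith("O16 - DPF:") and "Reg Error" in line:
        return "stale Downloaded Program Files (ActiveX) entry"
    m = HOMEPAGE_RE.match(line)
    if m and any(h in m.group(1).lower() for h in HIJACK_HINTS):
        return f"Firefox homepage points at toolbar search host {m.group(1)}"
    return None


def find_suspicious(otl_text: str) -> list[tuple[str, str]]:
    """Scan a whole OTL log and return (line, reason) pairs worth a closer look."""
    return [(raw.strip(), r) for raw in otl_text.splitlines() if (r := classify(raw))]


if __name__ == "__main__":
    for entry, reason in find_suspicious(SAMPLE_OTL):
        print(f"{reason}\n    {entry}")
```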

@Essexboy,

I scanned my laptop with Avast and Malwarebytes Anti-Rootkit. The Avast Shield alert didn’t pop up during either of the scans.
The only new thing is that, at the end of the Avast scan, it came out clean but mentioned that “Some files couldn’t be analyzed”. Attached you’ll find screenshots of that.

Nothing to worry about, just password protected files that could not be scanned. :wink:

-attachment continued-

As Steven said, nothing to worry about. Any further problems?

Good to know, thanks! :slight_smile:
Other than that, the laptop is running fine so far.

Please find attached the log of the last OTL fix.

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programs > Accessories > System Tools
Right click Disk Cleanup and select Run as administrator
When it pops up at the first prompt select OK; after it has done some calculations the tabs will appear
Select the More Options tab
Press the System Restore and Shadow Copies Cleanup button

Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

CryptoPrevent: install this program to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run it weekly to keep your system clean.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? Keep safe :wave:

Ok, thanks so much for your help! :slight_smile:

I’ll keep you updated if any issues appear. I did the cleanup and installed CryptoPrevent.
About Java, I don’t mind uninstalling it, but which alternative software would I install?

It depends: if you need Java to run programs or use it for online games, then there is no alternative. If that is not the case, then I have run my system Java-free for nearly a year now.