I use avast 4.8 home version. A couple days ago, while I was parked on a supposedly safe web page with Firefox, I got infected with AntiSpywareMaster. It seems extremely nasty and has caused avast to complain about multiple virus and trojan (and I’m not sure what else) on my PC. It’s so bad I had to stop using the PC and have disconnected it from my router to keep it away from the Internet and away from my other PC. I’m doing this post on a very old G3 Mac Powerbook that can navigate some web pages but certainly not all. Anyway…
avast claimed to find some viruses (and trojans) in several places including one virus in the system restore area. I thought I might do a system restore and go back a few days but all the restore points except one are gone! The only one there is called something like “Last known good system” and was created a few minutes after the infection happened. So I don’t trust it.
My question is: Did avast’s action (moving the infected sys restore file) to the “chest” cause all the restore points to go away?
Was the “Last known good system” restore point created by avast and can be trusted?
Barring a breakthrough in being able to remove the viruses and trojans, I’m considering a full system disk restore from a Ghost image taken a few days before the infection.
IF AVAST scanned system restore files and IF it detected a threat and IF it asked to move the file into the “chest”, then the system restore file doesn’t work any more simply because it was moved to another location. Go and look in the “chest” and see what is there.
I guess AVAST asks to move the whole “container-file” to the “chest” when it is not able to “extract” the virus from it. You can either move the “container” into the chest, or ignore or exclude the “container” type/location from scanning, given that it is not a problem as long as you don’t execute anything out of it.
The “chest” feature goal is to save the infected files in some sort of “trashcan” instead of simply erasing them. In theory you could move those files back in the original position but there is also the possibility that when the “chest” reaches its size limit some of those files are deleted anyway.
AntispywareMaster is an almost new rogue application.
http://www.google.co.nz/search?hl=en&q=AntiSpywareMaster&btnG=Search&meta=
http://www.spyware-techie.com/how-to-remove-antispywaremaster/
http://www.2-spyware.com/remove-antispywaremaster.html
http://www.symantec.com/security_response/writeup.jsp?docid=2008-043011-0026-99&tabid=3
Your system restore is now useless. As part of the cleanup, you should turn it off.
Last known good has nothing much to do with system restore, it’s just the last configuration that you were successfully able to boot/logon. And not useful in this case.
It would certainly be an interesting exercise to go through the removal process (I recommend the third link, not through any experience with this malware, but from having used a Smitfraud Fix tool for a similar problem in the past.)
But if you have any doubts at all, or are simply not willing to try, restoring from image probably is absolutely the best bet.
You might want to submit the samples to Avast prior to the restore.
I’d be interested to know how you get on, and how effective the image restore is, in these circumstances. Good luck.
Since it’s been over two weeks since I got infected, and I couldn’t sit around with an essentially useless PC, I did do the full disk restore from the Ghost image on April 29. Worked perfectly.
There seem to be some conflicting opinions about how avast can impact the system restore facility. Here is a scan log from when the infection was still active.
4/26/2008 12:33:40 PM SYSTEM 1584 Sign of “Win32:Adware-gen [Adw]” has been found in “F:\IE Cache\Temporary Internet Files\Content.IE5\DYRQJLGF\yazzsnet[1].exe” file.
4/26/2008 1:00:25 PM SYSTEM 1584 Sign of “Win32:Trojano-2873 [trj]” has been found in “C:\WINDOWS\system32\b1\cbwa3ui.exe” file.
4/26/2008 1:00:51 PM SYSTEM 1584 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\DOCUME~1\Owner\LOCALS~1\Temp\yazzsnet.exe” file.
4/26/2008 1:00:57 PM SYSTEM 1584 Sign of “Win32:Trojan-gen {VC}” has been found in “C:\WINDOWS\system32\wTMP\idevdpll.exe” file.
4/26/2008 1:42:44 PM Owner 1548 Sign of “Win32:Trojano-2873 [trj]” has been found in “C:\System Volume Information\_restore{83EDAE07-21AD-43D5-9DDB-76266B708F73}\RP689\A0043688.exe” file.
The last entry is the one that looks like it is system restore related and indeed I had that file moved to the “chest”. I think the others were moved there too. The first entry above names a file in the cache of IE, which I don’t use, but was started up (multiple times) by something while the infection was active.
My original post mentioned that there was a single remaining system restore point named something like “Last known good system”. This is different from the option when you are booting that lets you boot from the last known good configuration. Since that system restore point was made about the time of the infection I didn’t trust it and did not use it.
Since I did a full restore of the system disk, I don’t have any of the files that were in the avast chest and can’t submit them for analysis. Is it possible to make a copy of the avast chest with the nasty files in it? Is that safe to do? If I had known it was safe to do so I could have saved a copy on another disk.
If anyone thinks there is other useful info I might provide, please ask.
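As an added illustration that is not part of this thread, the Python below parses lines in the layout of the avast scan log quoted above, buckets each detection by where the file sits, and lists which System Restore snapshots (the RPnnn folders under System Volume Information) had a file moved to the chest and should therefore be treated as invalid. The sample lines, file names and the restore GUID are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the same layout as the avast 4.8 scan log quoted
# above; the file names and the restore GUID are made up for this example.
SAMPLE_LOG = r"""
4/26/2008 12:33:40 PM SYSTEM 1584 Sign of "Win32:Adware-gen [Adw]" has been found in "F:\IE Cache\Temporary Internet Files\Content.IE5\ABCD1234\sample1[1].exe" file.
4/26/2008 1:00:57 PM SYSTEM 1584 Sign of "Win32:Trojan-gen {VC}" has been found in "C:\WINDOWS\system32\wTMP\sample2.exe" file.
4/26/2008 1:42:44 PM Owner 1548 Sign of "Win32:Trojano-2873 [trj]" has been found in "C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP689\A0043688.exe" file.
"""

# One log line: date, time, account, pid, signature, path. Accepts straight or curly quotes.
LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<account>\S+) (?P<pid>\d+) '
    r'Sign of ["“](?P<signature>[^"”]+)["”] has been found in ["“](?P<path>[^"”]+)["”] file\.$')

# System Restore keeps each snapshot under \System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(r'\\System Volume Information\\_restore\{[0-9a-f-]+\}\\(?P<rp>RP\d+)\\', re.I)

TEMP_MARKERS = ('\\temp\\', '\\temporary internet files\\', '\\wtmp\\')

def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a detection line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(path):
    """Bucket a detected path by what quarantining it means for the system."""
    low = path.lower()
    if RESTORE_RE.search(path):
        return "restore_point"   # moving this file to the chest invalidates that snapshot
    if any(marker in low for marker in TEMP_MARKERS):
        return "temp_or_cache"   # dropped or downloaded payloads, safe to remove
    if "\\windows\\" in low:
        return "system_dir"      # possible persistence location, worth a closer look
    return "other"

def summarize(log_text):
    """Parse a whole log and report detections, locations and affected restore points."""
    detections = [d for d in map(parse_line, log_text.splitlines()) if d]
    by_location = Counter(classify(d["path"]) for d in detections)
    rps = {RESTORE_RE.search(d["path"]).group("rp") for d in detections
           if classify(d["path"]) == "restore_point"}
    return {"detections": detections, "by_location": by_location,
            "invalidated_restore_points": sorted(rps)}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for d in report["detections"]:
        print(f'{classify(d["path"]):14} {d["signature"]:28} {d["path"]}')
    print("restore points to treat as invalid:", report["invalidated_restore_points"])
```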
I had done several Google searches and had investigated several of the removal descriptions. They all looked pretty complicated and they didn’t seem to totally agree with each other. Also when I looked around on my system I didn’t see some of the things they mentioned but saw some other things that were clearly part of the infection (especially in the registry). I figured that the method of infection was changing over time making it harder to write a description of how to remove it. None of this gave me a warm, fuzzy feeling about being able to remove it (and its friends) from my system. That’s another reason I did the full disk restore from the disk image.
I agree. I don’t know a whole lot about this stuff (that being my first infection ever). I figured that these files got downloaded automatically via the viruses or trojans or whatever was messing with my system.
What really gets me is that I have no idea how the whole mess started. As far as I know I did not visit a bad web site or click on any strange links or… However, when I returned from lunch I saw that a new tab had been opened in Firefox (I think the site was something like fubar.com) – I hadn’t opened it. And IE was started (I hadn’t started it) and was failing at opening some site related to advertising. And I couldn’t get to my home page anymore even though the Firefox options listed it correctly. Clicking on the home page icon, or typing in the homepage URL, resulted in a blank page.
I also noted that when I tried to go to a page in Firefox, IE would start up with a URL to some adware place and the url would include the url of the page I was trying to go to in Firefox.
There were also a lot of new DLLs and other files in the C:\Windows folder and the System32 folder.
It sounds like you were possibly the victim of a drive-by download, where a kosher web page is hijacked/hacked with code that may execute on some machines. For that to happen there was almost certainly a vulnerability somewhere. It could’ve been an out-of-date application; any number of them. Java and Macromedia (Flash Player) are possible suspects, because in my experience the updaters for those are remarkably slack at their job, and if you do update them, old and vulnerable versions aren’t removed. They have to be manually uninstalled first.
That’s one likely possibility out of several, which to tell the truth I don’t have the knowledge to comment much on. Another obvious possibility is that someone else opened a bad link while you were away from the PC. It may not have been malicious.
Do you use Noscript with Firefox? Good idea.
It does sound quite likely that the quarantining of certain restore point items would invalidate restore points. I’ve had this happen, too, and actually don’t mind, because the last thing I want is a latent infection in a restore point to be restored.
I use a cool free application called Secunia PSI, which examines all the recognized software on a system and checks it against a very up-to-date online database to warn of any vulnerability/end-of-life status. In one case, it let me know about a critical Windows update before the Windows updater did. It examines a wide range of software and works well. Recommended.