How do I figure out where this possibly infected file is?

Recently when I was setting up internet at another house I had installed Windstream’s program from their site (definitely safe) and while I was doing it Avast popped up saying that a hidden file showed evidence of a rootkit infection. At the time I just figured it was detecting Windstream so I just told it to ignore it. Even now I’m not noticing any signs of infection (no horrible slowdowns, adware, etc.) so I’m pretty sure nothing is wrong. Even so, I was still wondering if I could submit whatever files it found to the virus lab, but I can’t seem to find it anywhere in my Real Time Shield events. Is there someplace I’m missing where I could find this information, or am I dead in the water?

run a scan with aswMBR and attach the log here

http://forum.avast.com/index.php?topic=53253.0

Well all it found was a component of combofix (big surprise), so I’m guessing that maybe recent updates have made Avast and aswMBR a little trigger happy? :confused:

Log attached.

I need to go properly uninstall CF… >_>

Also, since you didn't really answer my question, I'll just assume that's a no. Either way, if Avast caught it in the first place I'd guess it would catch it again if it did anything. Since it hasn't, I suppose maybe Windstream cleaned up after itself and the weird files aren't there anymore. Or maybe Avast updated its detections and won't catch it anymore. I dunno.

Edit: Well I tried to uninstall combofix via “Run: Combofix /u” but it told me it couldn’t be found. So I submitted the file to virustotal and your threat labs. Though I still think it was just left behind by accident. Outside of the odd “suspicious file” detection from eSafe it seems fine:
https://www.virustotal.com/file/ae0f5cc54e4b133df66a54572a7ce52faff11f8fd0caeab088aad3699d6ec924/analysis/1354871496/

It also says it was created on my machine in September, which I'm pretty sure was when I last ran ComboFix.

The combofix uninstall command has changed

Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box.
- In the Run box, type in ComboFix /Uninstall (notice the space between the "x" and "/"), then click OK.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

- Follow the prompts on the screen.
- A message should appear confirming that ComboFix was uninstalled.

Are you noticing any problems at all since the detection ?

Outside of the odd "suspicious file" detection from eSafe it seems fine:

First seen by VirusTotal
2011-07-01 15:14:26 UTC (1 year, 5 months ago)

Yep… FP from eSafe.

That method said it couldn't find ComboFix either. Your labs are also claiming it's a rootkit (automated response?). Performance-wise, I'm not noticing squat, as I said earlier. It's not as if that file is running, and even if it tried to, Avast would catch it. Looking at the CPU and memory usage I'm not seeing anything out of the ordinary.

Using “Add” from the virus chest creates a copy instead of quarantining the file. I did not know that. Had me confused for a second there.

Seems the same thing happened earlier this year as well: http://forum.avast.com/index.php?topic=91668.0

I’m a tad surprised if the labs are getting it wrong. No system is perfect though I guess.

Run TMC; this should remove all of ComboFix plus itself.

- Download OTC to your desktop and run it.
- Click Yes to begin the Cleanup process and remove these components, including this application.
- You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

Ran it. Guess that did the trick. This all didn’t really give me answers for my original question though. Oh well. :confused:

Was the hidden file pev.exe ?

No, PEV.exe wasn’t even hidden. There were two files which appeared when Avast caught them, they haven’t appeared again since. I should have written down the names of the files at the time, but I was too busy to think about it. Again, I’m pretty sure it was detecting a part of Windstream’s installer at the time, I just wanted to see if I could find and submit them to be absolutely certain.

If what you want is Avast! logs and reports to look for that alert that you ignored, look here:

Windows 2000, Windows XP
C:\Documents And Settings\All Users\Application Data\AVAST Software\Avast\Log/Report

Vista and Win 7
C:\Program Data\AVAST Software\Avast\Log/Report

This is the most relevant stuff I could find. I think I'll scan and submit some of these. I have started noticing lately that the space on my hard drive has been fluxing quite a bit: at one point it was down below 100GB, so I uninstalled some things, which brought it up to 128GB, which then steadily dropped; then I moved some files and it went back up to where it was; later I go back to check and it's 134GB. Now it's 130 and declining. Weird.

12/4/2012 4:39:56 PM Modification of: \REGISTRY\USER\S-1-5-21-4159443991-512847242-1124234837-1001\Software\Microsoft\Windows\CurrentVersion\Run
By: C:\Windows\Installer\MSI6498.tmp
Via: C:\Windows\syswow64\MsiExec.exe
→ Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
* Started on: Tuesday, December 04, 2012 4:56:11 PM

12/4/2012 5:05:10 PM Modification of: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MRESP50a64
By: C:\Users\Owner\AppData\Local\Temp\nsd6A19.tmp\NSISPlugin.dll
Via: C:\Windows\System32\services.exe
→ Action allowed
12/4/2012 5:05:17 PM Modification of: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MRESP50a64
By: C:\Program Files\Common Files\Motive\InstallHelper.exe
Via: C:\Windows\System32\services.exe
→ Action allowed
12/4/2012 5:05:22 PM Modification of: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\McciCMService64
By: C:\Program Files\Common Files\Motive\McciCMService.exe
Via: C:\Windows\System32\services.exe
→ Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
* Started on: Tuesday, December 04, 2012 5:17:36 PM
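An added example, not part of this thread or of avast!: a small Python parser for Real-time Shield report entries in the format quoted above, with a triage pass that tags the things a reviewer would look at first (writes to a Run key, service/driver registration, a modifying file that lives in a Temp directory or is a .tmp file) and marks an allowed change carrying two or more of those tags for review. The sample text is constructed from the entries quoted in the post; the tag names, thresholds and the function names are this example's own choices, not anything avast! defines.

```python
import re
from dataclasses import dataclass, field

# Where avast! keeps these reports, as given earlier in the thread:
#   Windows 2000/XP: C:\Documents And Settings\All Users\Application Data\AVAST Software\Avast\Log (and \Report)
#   Vista/Win 7:     C:\ProgramData\AVAST Software\Avast\Log (and \Report)
# Constructed sample, built from the Real-time Shield entries quoted in the post above.
SAMPLE_LOG = r"""
12/4/2012 4:39:56 PM Modification of: \REGISTRY\USER\S-1-5-21-4159443991-512847242-1124234837-1001\Software\Microsoft\Windows\CurrentVersion\Run
By: C:\Windows\Installer\MSI6498.tmp
Via: C:\Windows\syswow64\MsiExec.exe
→ Action allowed
*
* avast! Real-time Shield Scan Report
* This file is generated automatically
* Started on: Tuesday, December 04, 2012 4:56:11 PM
12/4/2012 5:05:10 PM Modification of: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MRESP50a64
By: C:\Users\Owner\AppData\Local\Temp\nsd6A19.tmp\NSISPlugin.dll
Via: C:\Windows\System32\services.exe
→ Action allowed
12/4/2012 5:05:17 PM Modification of: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MRESP50a64
By: C:\Program Files\Common Files\Motive\InstallHelper.exe
Via: C:\Windows\System32\services.exe
→ Action allowed
"""

# One entry starts with a timestamp and the registry key that was touched.
ENTRY_RE = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) Modification of: (.+)$")
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class Entry:
    when: str
    key: str          # registry key that was modified
    actor: str = ""   # "By:" the file that asked for the change
    via: str = ""     # "Via:" the process that carried it out
    action: str = ""  # what the shield decided
    tags: list = field(default_factory=list)


def triage(e):
    """Tag one entry with the reasons a reviewer might want a second look (example heuristics)."""
    tags = []
    key, actor = e.key.lower(), e.actor.lower()
    if RUN_KEY_RE.search(key):
        tags.append("run-key persistence")
    if "\\services\\" in key:
        tags.append("service/driver registration")
    if any(d in actor for d in TEMP_DIRS):
        tags.append("actor in temp dir")
    if actor.endswith(".tmp") or ".tmp\\" in actor:
        tags.append("actor is a .tmp file")
    # An allowed change with two or more of the above is worth re-checking
    # against whatever was being installed at that moment.
    if "allowed" in e.action.lower() and len(tags) >= 2:
        tags.append("REVIEW")
    return tags


def parse_report(text):
    """Parse report text into Entry objects; '*' header/separator lines are skipped."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            cur = Entry(when=m.group(1), key=m.group(2))
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("By: "):
            cur.actor = line[4:]
        elif line.startswith("Via: "):
            cur.via = line[5:]
        elif line.startswith(("→", "->")):
            cur.action = line.lstrip("→->").strip()
    for e in entries:
        e.tags = triage(e)
    return entries


def flagged(entries):
    """Only the entries tagged REVIEW."""
    return [e for e in entries if "REVIEW" in e.tags]


if __name__ == "__main__":
    for e in flagged(parse_report(SAMPLE_LOG)):
        print(e.when, e.key)
        print("   by", e.actor, "via", e.via, "|", ", ".join(e.tags))
```

On the sample, the Run-key write by an MSI .tmp and the service registration by an NSIS plugin running out of Temp both come out flagged; the Motive InstallHelper service write gets a single tag and is not. The heuristics are deliberately loose: installers legitimately do all of these things, so the point is to find the entries to correlate with the install timeline, not to declare anything malicious.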

That may have just been a cautionary warning whilst the software was installing, i.e. the behaviour was that of a rootkit whilst installing, but once installed it proved benign.

Windstream and Motive are actually in different locations, but the manner in which they work together is definitely suspicious looking. Comodo Firewall doesn’t seem to like it either. As for the space on my drive fluxing, I cannot be sure, but it seems to relate to Steam updates, which shouldn’t take up that much space, but that’s all I can really think of. Maybe the drive isn’t measuring the space correctly?

I assume that windstream is part of your ISP

Windstream is the local ISP here in Iowa. I suppose it’s no surprise that Avast doesn’t like it, seeing as Iowa doesn’t even show up on the user map. I’m not sure how many people in this state are even all that smart about their web security. :stuck_out_tongue:

So yeah, it's a part of my ISP. I'm probably going to uninstall this though, seeing as its uses are limited outside of setting up the modem.

I must admit I never use ISP software unless I really have to