I am probably infected.

Oh hey all, got a question, I was on not-so-safe websites and Ive got a trojan warning from avast, but the thing is, it crashed AVAST. So I’m pretty sure I am infected. I restarted the computer half a second after windows told me AVAST crashed. What should I do to remove the threat?

thanks

Could you follow the instructions on this thread and post the relevant logs please http://forum.avast.com/index.php?topic=53253.0

and by post, he means attach the logs :wink:

lower left corner: additional options > attach

Ooops :-[

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.20.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Mathieu :: MATHIEU-PC [administrator]

Protection: Enabled

2012-01-20 20:52:09
mbam-log-2012-01-20 (20-52-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201968
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 4
HKCR\batfile\shell\open\command| (Broken.OpenCommand) → Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) → Quarantined and repaired successfully.
HKCR\comfile\shell\open\command| (Broken.OpenCommand) → Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) → Quarantined and repaired successfully.
HKCR\piffile\shell\open\command| (Broken.OpenCommand) → Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) → Quarantined and repaired successfully.
HKCR\scrfile\shell\open\command| (Broken.OpenCommand) → Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) → Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

extras.txt

otl.txt

aswMBR.exe crashes while scanning or cannot complete its scan.

Also, looking at the antivirus report up there, it seems I had some kind of keylogger; should I reset ALL my passwords?

Stopping there for tonight, should I try rogue tomorrow?

Hi, it is always prudent to reset passwords from a clean computer.

Could you right click aswMBR
Select rename
Call it explorer and retry it

THEN

Do the following:

1. Click on the Start button and then choose Control Panel.
2. Click on the System and Security link.

Note: If you're viewing the Large icons or Small icons view of Control Panel, you won't see this link, so just click on the Administrative Tools icon and skip to Step 4.

3. In the System and Security window, click on the Administrative Tools heading located near the bottom of the window.
4. In the Administrative Tools window, double-click on the Computer Management icon.
5. When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.

After a brief loading period, Disk Management should now appear on the right side of the Computer Management window.

Note: If you don’t see Disk Management listed, you may need to click on the |> icon to the left of the Storage icon.
Take a screenshot of the Disk Management window and attach the screenshot to your reply.
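An added example, not posted by anyone in this thread: the same partition overview the Disk Management screenshot gives, produced from an elevated PowerShell prompt via WMI (assumed available on Windows 7 and later), with a note against partitions that are small or have no drive letter, which is what the helper is looking for. An unlettered partition is normal for Windows' own System Reserved or a vendor recovery partition, so the list is something to compare against what the machine is expected to have, not a verdict.

```powershell
# Added example (not from the thread): list every partition with its size and
# drive letter so a small, unlettered partition stands out without a screenshot.
# Assumption: run in an elevated PowerShell on Windows 7 or later.
function Get-PartitionOverview {
    param([int]$SmallMB = 64)   # assumed threshold for "unusually small"
    $parts = Get-WmiObject -Class Win32_DiskPartition | Sort-Object DiskIndex, Index
    foreach ($p in $parts) {
        # Resolve the drive letter(s) mapped to this partition, if any.
        $q = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($p.DeviceID)'} " +
             "WHERE AssocClass=Win32_LogicalDiskToPartition"
        $letters = (Get-WmiObject -Query $q | ForEach-Object { $_.DeviceID }) -join ','
        $sizeMB  = [math]::Round($p.Size / 1MB)
        $flags   = @()
        if (-not $letters)          { $flags += 'no drive letter' }
        if ($sizeMB -lt $SmallMB)   { $flags += "smaller than $SmallMB MB" }
        if ($p.BootPartition)       { $flags += 'boot partition' }
        [pscustomobject]@{
            Partition = $p.DeviceID      # e.g. "Disk #0, Partition #1"
            Type      = $p.Type          # partition type as reported by WMI
            SizeMB    = $sizeMB
            Letter    = $letters
            Note      = ($flags -join '; ')
        }
    }
}

# Print the overview; the output can be pasted into a reply instead of a screenshot.
Get-PartitionOverview | Format-Table -AutoSize
```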

I hope you have good knowledge of the French language. :-X

It's basically saying that they are "healthy" or "sain" if that's what you are looking for...

It crashed again btw.

OK, it is just that the latest TDL causes aswMBR to crash, and it has a small partition all to itself. But you look clean.

I saw no apparent malware markers on the OTL log

The MBAM removals are not really infections; they are just a possible hijack point. I have my reg files set to open in Notepad, and MBAM kills that every time I run it.

Are you experiencing any problems ?
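An added example, not posted by anyone in this thread: a PowerShell check of the four file-class open commands that MBAM listed as Broken.OpenCommand, compared against the "Good:" defaults from the log above. Because these keys decide what actually runs when a .bat, .com, .pif or .scr file is opened, a changed value is the hijack point the helper mentions; but, as the helper's own Notepad setting shows, a changed value is not by itself malicious, so the script only reports and never repairs.

```powershell
# Added example (not from the thread): report the HKCR open commands that MBAM
# flagged, compared with the defaults shown as "Good:" in the MBAM log.
# Assumption: Windows 7 or later; reading HKCR needs no elevation.
function Test-OpenCommand {
    # Expected defaults, taken from the "Good:" values in the MBAM log above.
    $expected = @{
        'batfile' = '"%1" %*'
        'comfile' = '"%1" %*'
        'piffile' = '"%1" %*'
        'scrfile' = '"%1" /S'
    }
    foreach ($class in ($expected.Keys | Sort-Object)) {
        $path    = "Registry::HKEY_CLASSES_ROOT\$class\shell\open\command"
        $current = $null
        if (Test-Path $path) {
            # GetValue('') returns the key's (Default) value, the command line used to open the file.
            $current = (Get-Item $path).GetValue('')
        }
        # PowerShell's -eq is case-insensitive, which is what we want for a command line.
        $ok = ($null -ne $current) -and ($current.Trim() -eq $expected[$class])
        [pscustomobject]@{
            Class    = $class
            Current  = $current
            Expected = $expected[$class]
            Status   = $(if ($ok) { 'default' } else { 'CHANGED - review before repairing' })
        }
    }
}

# Report only; a deliberate change (like opening these files in Notepad) is left alone.
Test-OpenCommand | Format-Table -AutoSize
```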

Nope, just making sure everything was clean and safe, since AVAST crashed during a trojan attack, and it never happened before.

Thanks for the help! :smiley:

Is Avast OK now and everything working as normal ?

Ya, the PUP scan was turned off; I turned that on and it caught another spyware. Other than that, everything seems normal.

I think we have a problem!

The PMB.exe process is Pando Media Booster, which is a downloader utility used by games online to download updates directly, rather than from the game company's server. It also enables your computer to get high downloading speed or streaming speed of very large files such as high-quality HDTV video, or giant games. Although the process has CPU issues sometimes, it is safe to users without malicious files. It can be removed through ‘add/remove programs’ in the Control Panel.

Do you have Pando Media Booster ?

Yes, I do. I guess I can allow that safely, can I?

If you wish to use it, then sure; however, I am always dubious about this sort of programme.

Read a little bit about it and deleted it; it came with League of Legends, and it serves no purpose for me. Thanks! <3

My pleasure ;D