I have a multiuser “family” licence for Avast 4.8 Professional.
We developed a malware infection on my daughter’s computer. I don’t know how it was originally installed, but by the time I became aware of it, it was generating fake “attack” and “infection” messages.
My daughter was savvy enough not to respond to the prompts to remove the infection.
Eventually, it began opening IE windows to porn sites.
(Firefox is our default browser.)
Avast was able to detect the infection on boot, but was not able to remove it, despite repeated attempts.
I received notification from Avast of “Win32: Spyware-gen [Spy]”.
The infected file was reportedly windows\system32\iehelper.dll, but this file does not even appear in this folder.
I requested both quarantine & deletion from Avast, but with no success. I also ran a complete system scan. No success.
Here is the log of Avast Warnings:
11/8/2009 9:33:14 PM SYSTEM 536 AAVM - scanning warning: x_AavmCheckFileDirectEx: http://suggestqueries.google.com/complete/search?hl=en&client=youtube&hjson=t&ds=yt&jsonp=window.yt.www.suggest.handleResponse&q=otgir\\\&cp=8 (C:\TEMP_avast4_\unp45164974.tmp) returning error, 0000A413.
11/9/2009 7:46:07 PM SYSTEM 536 Sign of “JS:Downloader-FT [Trj]” has been found in “http://nokipaka.com/documents/?s=57” file.
11/9/2009 8:16:40 PM SYSTEM 536 Sign of “Win32:Spyware-gen [Spy]” has been found in “C:\WINDOWS\system32\iehelper.dll” file.
11/9/2009 8:16:40 PM SYSTEM 536 Sign of “Win32:Spyware-gen [Spy]” has been found in “C:\WINDOWS\system32\iehelper.dll” file.
11/9/2009 9:48:41 PM Natalie 656 Sign of “Win32:Spyware-gen [Spy]” has been found in “C:\WINDOWS\system32\iehelper.dll” file.
11/9/2009 9:56:38 PM Natalie 320 Sign of “Win32:Spyware-gen [Spy]” has been found in “C:\WINDOWS\system32\iehelper.dll” file.
11/9/2009 11:28:58 PM Natalie 320 Sign of “HTML:Script-inf” has been found in “http://2009-d0wnloadz.com/malwarebytes-promo/index.php?source=CCN-CD277-MIVA-malwarebytes” file.
11/9/2009 11:29:22 PM Natalie 320 Sign of “HTML:Script-inf” has been found in “http://2009-d0wnloadz.com/malwarebytes-promo/index.php?source=CCN-CD277-MIVA-malwarebytes” file.
11/9/2009 11:32:13 PM Natalie 320 AAVM - scanning warning: x_AavmCheckFileDirectEx: a script started by C:\Program Files\AIM6\aim6.exe (C:\Temp_avast4_\unp76299626.tmp) returning error, 0000A413.
11/9/2009 11:35:16 PM Natalie 592 Sign of “Win32:Spyware-gen [Spy]” has been found in “C:\WINDOWS\system32\iehelper.dll” file.
11/10/2009 12:27:02 AM Natalie 592 Sign of “Win32:Spyware-gen [Spy]” has been found in “C:\System Volume Information_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP911\A0055033.dll” file.
11/10/2009 1:00:31 AM Natalie 548 Sign of “Win32:Spyware-gen [Spy]” has been found in “C:\WINDOWS\system32\iehelper.dll” file.
I successfully used Malwarebytes to remove a similar infection a year ago.
So I downloaded a current version of Malwarebytes, and again was able to identify and successfully remove the infection.
I don’t know whether to be disappointed in Avast or not, at this point… but my inclination is to be disappointed.
I know that during the removal process, I inadvertently began installing more malware. While trying to download an update of Malwarebytes, my browser download window was hijacked to another site. I stupidly began installation of the downloaded file, without realizing that it wasn’t Malwarebytes, but a bogus antivirus program (Tiger something-or-other; it looked very slick and realistic). I eventually terminated the installation, after the program was already installed… So at least one of the infections listed below may be related to that error.
I know that Avast cannot protect against user stupidity, but it seems to me that some degree of recognition or removal capability was/is lacking.
Here is the log from Malwarebytes:
Malwarebytes’ Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3
11/10/2009 12:56:50 AM
mbam-log-2009-11-10 (00-56-50).txt
Scan type: Full Scan (C:|)
Objects scanned: 256899
Time elapsed: 1 hour(s), 8 minute(s), 0 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) → Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP911\A0055033.dll (Trojan.BHO) → Quarantined and deleted successfully.
C:\WINDOWS\system32\dmns.cfg (Rogue.AntiVirusPro) → Quarantined and deleted successfully.
C:\WINDOWS\system\cmd (Malware.Trace) → Quarantined and deleted successfully.
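As an added example (not from the original post, Avast or Malwarebytes), a small Python script that parses warning lines in the format of the Avast log quoted earlier in the post and pulls out what a responder would want from it: a live on-disk file that keeps being detected across reboots and user sessions (meaning the quarantine/delete attempts did not take), as opposed to a web-shield URL hit or a copy sitting inside a System Restore point. The log text is a constructed sample copied from the post, with one URL shortened.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Avast 4.8 warning log quoted above
# (signature names, user names and paths taken from the post; one URL shortened).
SAMPLE_LOG = """\
11/9/2009 8:16:40 PM SYSTEM 536 Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\\WINDOWS\\system32\\iehelper.dll" file.
11/9/2009 9:48:41 PM Natalie 656 Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\\WINDOWS\\system32\\iehelper.dll" file.
11/9/2009 11:28:58 PM Natalie 320 Sign of "HTML:Script-inf" has been found in "http://2009-d0wnloadz.com/malwarebytes-promo/index.php" file.
11/9/2009 11:32:13 PM Natalie 320 AAVM - scanning warning: x_AavmCheckFileDirectEx: a script started by C:\\Program Files\\AIM6\\aim6.exe (C:\\Temp_avast4_\\unp76299626.tmp) returning error, 0000A413.
11/10/2009 12:27:02 AM Natalie 592 Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\\System Volume Information\\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\\RP911\\A0055033.dll" file.
11/10/2009 1:00:31 AM Natalie 548 Sign of "Win32:Spyware-gen [Spy]" has been found in "C:\\WINDOWS\\system32\\iehelper.dll" file.
"""

# One 'Sign of ... has been found in ... file.' line; straight and curly quotes both accepted.
DETECT_RE = re.compile(
    r'^(?P<when>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of [“"](?P<sig>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.$'
)

def parse_log(text):
    """Return one dict per detection line; AAVM scanning warnings and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = DETECT_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def summarize(records):
    """Group detections by path and flag what a responder wants to know about each one."""
    summary = defaultdict(lambda: {"count": 0, "signatures": set(), "first": None, "last": None})
    for r in records:
        s = summary[r["path"]]
        s["count"] += 1
        s["signatures"].add(r["sig"])
        s["first"] = s["first"] or r["when"]
        s["last"] = r["when"]
    for path, s in summary.items():
        s["on_disk"] = re.match(r"^[A-Za-z]:\\", path) is not None  # local file, not a URL hit by the web shield
        s["restore_point"] = "System Volume Information" in path     # copy kept by System Restore, not the live file
    return dict(summary)

def unresolved_paths(summary):
    """Live on-disk files detected more than once: the scanner kept seeing them, so removal did not take."""
    return sorted(p for p, s in summary.items()
                  if s["on_disk"] and not s["restore_point"] and s["count"] >= 2)
```

Run against a real Avast warning export, `unresolved_paths` is the list to hand to a second-opinion scanner, while restore-point hits are cleared by purging old restore points rather than by the resident shield.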