Malware Still Here After Format

Earlier tonight I started getting numerous notifications about Win32:Malware-Gen on files all over my computer. Several scans later, with files piling up in the chest, they’re still coming up. Figured I’d abandon ship and format. After I finished that, first thing I did was re-install Avast and do a full scan: 8 infected files. Moved those 8 to the chest, re-scan, 6 infected.

There are 3 other computers in the house on our network (2 PC’s, 1 Mac), but everyone is sleeping (the 2 PC’s are likely turned off anyways). I disconnected the router and plugged my PC straight into the modem in an attempt to quarantine my PC, though it might be too late.

Really have no idea what I’m dealing with here. It’s the first major problem I’ve ever encountered. Help!

Edit - Just did another scan after directly connecting my PC to the modem, 0 infected. Should also be noted that back before the format, when Avast was detecting all kinds of things, I installed and ran a scan through Avira, which turned up nothing.

Still really concerned.

Edit 2 - Here’s everything it found post-format.

http://i50.tinypic.com/2u6prtw.jpg

Edit 3 - Ran MalwareBytes, found nothing. Re-connected to the network, both scans resulted in 0 infected.

I’d still love some feedback on my whole situation.

It appears to be a false positive.

Would be a relief if it was just a bunch of FP. What should I do with all the junk in my chest? Leave it there? Delete it?

I unplugged my PC from the internet, restored the items in the chest, and then deleted them. Ran MalwareBytes, 0 infected. Went to run an Avast scan, and discovered that all 14 items were back in my chest.

(Sorry for double post)

I need you to extract one of the files out of the chest and upload it to VirusTotal or VirScan.org and post the results.

Uploaded the first one in the list to VirScan, looks like Avast is the only thing thinking it’s infected…

VirSCAN.org Scanned Report :
Scanned time : 2010/01/30 22:04:28 (PST)
Scanner results: 3% Scanner(s) (1/36) found malware!
File Name : A0000155.exe
File Size : 9753088 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 014771dc6dd06b59fffc25acd622d0f4
SHA1 : da28e727193c6353a75b819b78dece3230945ea5
Online report : http://virscan.org/report/5a448ee6001a94019867e53d8740f35b.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100130020216 2010-01-30 4.22 -
AhnLab V3 2010.01.31.00 2010.01.31 2010-01-31 1.22 -
AntiVir 8.2.1.154 7.10.3.139 2010-01-29 0.39 -
Antiy 2.0.18 20100126.3756239 2010-01-26 0.12 -
Arcavir 2009 201001300945 2010-01-30 0.22 -
Authentium 5.1.1 201001301405 2010-01-30 4.33 -
AVAST! 4.7.4 100130-1 2010-01-30 0.42 Win32:Malware-gen
AVG 8.5.720 271.1.1/2658 2010-01-31 2.35 -
BitDefender 7.81008.4940876 7.30139 2010-01-31 5.06 -
ClamAV 0.95.3 10344 2010-01-30 2.05 -
Comodo 3.13.579 3409 2010-01-31 1.53 -
CP Secure 1.3.0.5 2010.01.31 2010-01-31 0.82 -
Dr.Web 5.0.1.12222 2010.01.31 2010-01-31 5.39 -
F-Prot 4.4.4.56 20100130 2010-01-30 4.15 -
F-Secure 7.02.73807 2010.01.30.01 2010-01-30 0.26 -
Fortinet 11.440- 11.440 2010-01-30 0.45 -
GData 19.10222/19.715 20100131 2010-01-31 7.19 -
ViRobot 20100130 2010.01.30 2010-01-30 0.43 -
Ikarus T3.1.01.80 2010.01.30.75075 2010-01-30 4.46 -
JiangMin 13.0.900 2010.01.27 2010-01-27 14.99 -
Kaspersky 5.5.10 2010.01.31 2010-01-31 0.12 -
KingSoft 2009.2.5.15 2010.1.31.13 2010-01-31 0.63 -
McAfee 5.3.00 5877 2010-01-30 3.51 -
Microsoft 1.5406 2010.01.31 2010-01-31 6.91 -
Norman 6.01.09 6.01.00 2010-01-16 4.01 -
Panda 9.05.01 2010.01.30 2010-01-30 6.39 -
Trend Micro 9.120-1004 6.814.01 2010-01-30 0.11 -
Quick Heal 10.00 2010.01.30 2010-01-30 32.28 -
Rising 20.0 22.32.06.01 2010-01-31 1.55 -
Sophos 3.04.1 4.50 2010-01-31 2.95 -
Sunbelt 3.9.2396.2 5648 2010-01-30 3.53 -
Symantec 1.3.0.24 20100130.008 2010-01-30 0.33 -
nProtect 20100130.02 7064227 2010-01-30 12.16 -
The Hacker 6.5.1.0 v00173 2010-01-31 1.20 -
VBA32 3.12.12.1 20100129.0902 2010-01-29 3.34 -
VirusBuster 4.5.11.10 10.119.30/2017585 2010-01-30 8.32 -
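One way to turn a multi-engine report like the one above into a detection ratio and a quick false-positive heuristic, added here as an example and not part of this thread: the row layout is taken from the VirSCAN report above (a few of its rows are embedded as sample input), while the `Verdict` class, the generic-name markers and the "two engines or fewer" threshold are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Sample input: rows copied from the VirSCAN report in this thread, in its
# "Scanner Engine Ver Sig Ver Sig Date Time Scan result" layout.
SAMPLE_REPORT = """\
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100130020216 2010-01-30 4.22 -
AhnLab V3 2010.01.31.00 2010.01.31 2010-01-31 1.22 -
AVAST! 4.7.4 100130-1 2010-01-30 0.42 Win32:Malware-gen
AVG 8.5.720 271.1.1/2658 2010-01-31 2.35 -
Kaspersky 5.5.10 2010.01.31 2010-01-31 0.12 -
Microsoft 1.5406 2010.01.31 2010-01-31 6.91 -
"""

# Scanner names may contain spaces ("AhnLab V3"), so the name is matched lazily
# and the row is anchored on the YYYY-MM-DD signature date that every row carries.
ROW = re.compile(
    r"^(?P<scanner>.+?)\s+\S+\s+\S+\s+\d{4}-\d{2}-\d{2}\s+[\d.]+\s+(?P<result>.+)$"
)

# Assumed markers of generic/heuristic signature names (e.g. "Win32:Malware-gen").
GENERIC_MARKERS = ("-gen", "generic", "heur", "suspicious")


@dataclass
class Verdict:
    engines: int                      # rows parsed
    detectors: list = field(default_factory=list)  # (scanner, result) pairs that fired
    likely_false_positive: bool = False


def parse_report(text):
    """Return (scanner, result) for every engine row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m.group("scanner"), m.group("result").strip()))
    return rows


def assess(rows, max_engines_for_fp=2):
    """Flag a likely FP when only a few engines fire and all use generic names."""
    detectors = [(s, r) for s, r in rows if r != "-"]
    only_generic = all(any(mk in r.lower() for mk in GENERIC_MARKERS) for _, r in detectors)
    fp = bool(detectors) and len(detectors) <= max_engines_for_fp and only_generic
    return Verdict(len(rows), detectors, fp)


if __name__ == "__main__":
    v = assess(parse_report(SAMPLE_REPORT))
    print(f"{len(v.detectors)}/{v.engines} engines fired; likely FP: {v.likely_false_positive}")
```

The heuristic only ranks the report; the thread's actual resolution step, submitting the sample to the vendor, still applies.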

Send the file in a password-protected zip folder to virus@avast.com with False Positive in subject and the password mentioned in the email body.

You can also send the file from the virus chest by right-clicking on the file and select Submit to virus lab.

I suppose I should test all the other ones first? Add them all in the zip before sending if they all turn out the same way?

No, just one, I think.

Better test all if not sure :slight_smile:

Tested them all, same result, Avast fail. So I should bundle them up and send them off to Avast? What do I do with them in the meantime? If I turn the scanner back on, it just jams them up in the chest again. Got a bunch of dupes in there now.

Submit the files to the virus lab.

Right, just tried to email them in a .zip, but Gmail stopped it because it contains .exe’s. Not sure what to fill in on Avast’s submit form inside the chest. Dunno what program it belongs to or any of that.

RTHDCPL.exe - Realtek HD Audio Sound Manager.

RTLCPL…exe - Realtek Audio Control Panel.

This is becoming a real pain. Did a MalwareBytes scan again just for the hell of it, and Avast rounded up another 13 files, while MalwareBytes came back clean. They’re all those “A000[4 digit number].exe” types again. Considering trashing Avast at this point. >:(

Those files with the “A000…” prefix are from system restore points, having them in the chest will do no harm, apart from almost certainly making the system restore points inoperable.

If you right-click each chest entry, is there an option to send them to Alwil? And if so, send them as suspected false positives.
Sorry, I’m using 4.8, so I don’t know exactly what the procedure is relating to 5. (4.8 is still working flawlessly, by the way.)

Alwil are usually very fast at fixing FPs. A post here indicates a possibly related or identical occurrence, and by the time the user posted, it had been put right. Try updating and re-scanning the items inside the chest.

Yeah, you can send them by right-clicking in the chest, but it requires you to enter the program name, publisher, and version associated with whatever it is you’re sending, which I have no clue about. Can’t send anything until I figure that info out.

Also just re-scanned all the chest items with Avast, still claims they’re Win32:Malware-Gen. I’m up to date as well.

What a pain. Try sending the following info regarding each file:

RTHDCPL.exe - Realtek HD Audio Sound Manager.

RTLCPL…exe - Realtek Audio Control Panel.

(Thanks to JTayor83)

Basically, all those files belong to the same publisher. Don’t worry about the version, or type in “unknown” (unless you know it).

Don’t worry about sending the files associated with restore points. We can get you to disable system restore and enable it again once this is sorted, which you might as well do because those restore points are probably borked, anyway.

Strange, I tried that earlier with those after JTayor83 posted and it still wouldn’t go through, but it works now.

Aside from those, just ignore all the A000 files for now?

Yes, that’s what I’d do. It won’t affect functionality at all, unless you try to use system restore. (Avoid doing that.)