system
January 18, 2016, 11:53am
1
I’m wondering why this trojan, that’s been around for a couple of years now, is not detected by Avast. Ran a full scan, Avast says everything is A-Ok. I run a competitor’s product–one I don’t pay for–and I have 60+ infected system files.
I’ve just spent the past 12 hours researching, getting rid of this thing and reinstalling two systems.
Needless to say, this person is muy mucho not happy-oso. >:(
Avast, what say you?
Oh, and where’s my refund?
Eddy
January 18, 2016, 11:57am
2
Do you have PUP detection enabled?
If not, that can be the reason why you are not getting an alert.
Refund for what?
Did you submit a ticket?
If so, what is the number?
system
January 18, 2016, 12:30pm
3
Thanks for the Reply. I haven’t had a chance to submit a ticket because I haven’t had a system until just now. As far as I’m aware all of the features were turned on, but I did a bit of research after your reply and let me see if I get what you’re saying.
Avast Security Suite is a product that does everything from screening your email, securing your DNS transactions, providing Secure VPN, Anti-Theft protection, System Optimization, software and driver updates and a host of other services in addition to Anti-Virus and Malware protection. So the one thing it’s expected to excel at is providing malware protection.
Yet here I’m finding that a well known trojan that commonly plagues people’s systems is considered a “potentially unwanted program” and I have to dig into the settings to opt in to be protected from it? Yet I can download a lightweight competitor that does it out of the box, for free.
Like I said, where’s my refund?
Pondus
January 18, 2016, 12:42pm
4
Like I said, where's my refund?
have you submitted a ticket?
hi.ru is a browser hijacker, try AdwCleaner http://www.bleepingcomputer.com/download/adwcleaner/
system
January 18, 2016, 1:17pm
5
I will submit a ticket, but it does far more than hijack a browser. It hijacks your machine.
Here’s a link to what others have been through.
http://www.bleepingcomputer.com/forums/t/563450/hiru-chrome-redirect-all-attemps-to-remove-failed/
Here’s what I’ve just been through on one machine.
http://i1129.photobucket.com/albums/m514/tmckain/160117_avast001.jpg
(the “some files” were personal encrypted files and others were dll’s that were the trojan)
http://i1129.photobucket.com/albums/m514/tmckain/160117_avast002_1.jpg
http://i1129.photobucket.com/albums/m514/tmckain/160117_win7001.jpg
tmckain ::
1/17/2016 6:59:38 PM
9lab-log-2016-01-17 (18-59-38).txt
Scan type: Full
Objects scanned: 46471
Time Elapsed: 14 m 5 s
Registry Values detected: 1
Risk.EnableLUA [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA]
Files detected: 61
[21A5B82CB55BDBC58591D0F6971A14F3] Malware.Win32.Gen.cld [C:\Program Files (x86)\Audacity\Plug-Ins\multivoice_chorus_1201.dll]
[BC560A26AACB3ACDB9E7386283DD5846] Malware.Win32.Gen.cld [C:\Program Files (x86)\IObit\IObit Uninstaller\IU_KillAllFile.exe]
[C6AA10109D7BE3395E3A312C5453DA2C] Malware.Win32.Gen.cld [C:\Program Files (x86)\K-Lite Codec Pack\Filters\DCBass\bass_aac.dll]
[038ED3C6A5343ECAAB5505AD1AAD7C06] Malware.Win32.Gen.cld [C:\Program Files (x86)\VideoLAN\VLC\plugins\access\libcdda_plugin.dll]
[A8B51E3A72F050AC676211A50D7C6236] Malware.Win32.Gen.cld [C:\Program Files (x86)\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll]
[EBE90B205F881E1AB69A0D987D63DC0A] Malware.Win32.Gen.cld [C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll]
[70D4262960422D9303222B0A581DB7BE] Malware.Win32.Gen.cs0 [C:\Program Files (x86)\TweakNow PowerPack\App\local\stubexe\0xC3F056786AE7331F\PowerPack.exe]
[6D5DBA957D94E902F5A2C649A361D4CE] Malware.Win32.Gen.cs0 [C:\Users\travin\AppData\Local\atom\app-1.2.1\resources\app\apm\bin\node.exe]
[F92C7457C2FA19DE1E4F1DBAD885FAAA] Malware.Win32.Gen.cld [C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe]
[3C809EFE1AA6C9355FA3D2CEA29821C0] Malware.Win32.Gen.cs0 [C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\amdpcom32.dll]
[A87261EF1546325B559374F5689CF5BC] Malware.Win64.Gen.cs0 [C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igdkmd64.sys]
[D45BE8BAED0B82F6BBC9D9421FA8FA1C] Malware.Win64.Gen.cs0 [C:\Windows\System32\Ribbons.scr]
[29C1D5B330B802EFA1A8357373BC97FE] Malware.Win64.Gen.cs0 [C:\Windows\System32\spinstall.exe]
[28F53390A15648FFD403CC4C65A90B27] Malware.Win32.Gen.cld [C:\Windows\SysWOW64\auditpolmsg.dll]
[BDFABEDACD6F18B5EFB14B7529F3ED3E] Malware.Win32.Gen.cs2 [C:\Windows\SysWOW64\AdapterTroubleshooter.exe]
[02AF9857838C25EC98BBE492271F3E27] Malware.Win32.Gen.cs0 [C:\Windows\SysWOW64\aecache.dll]
[DBB45A0839719312F248351E3FB9A0AE] Malware.Win32.Gen.cs0 [C:\Windows\SysWOW64\cmdl32.exe]
[B4834F08230A2EB7F498DE4E5B6AB814] Malware.Win32.Gen.cs0 [C:\Windows\SysWOW64\fsutil.exe]
[536020876C0980D49094E7EBB94A00AA] Malware.Win32.Gen.cs2 [C:\Windows\SysWOW64\hdwwiz.exe]
[F67A64C46DE10425045AF682802F5BA6] Malware.Win32.Gen.cs2 [C:\Windows\SysWOW64\msdt.exe]
[0842FB9AC27460E2B0107F6B3A872FD5] Malware.Win32.Gen.cs0 [C:\Windows\SysWOW64\raserver.exe]
[7CA00998C1AAF913AC089E29DB746037] Malware.Win32.Gen.cs0 [C:\Windows\SysWOW64\unregmp2.exe]
[3C809EFE1AA6C9355FA3D2CEA29821C0] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\amd64_atiilhag.inf_31bf3856ad364e35_6.1.7600.16385_none_019357585ef99a63\amdpcom32.dll]
[3C809EFE1AA6C9355FA3D2CEA29821C0] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\amd64_atiilhag.inf_31bf3856ad364e35_6.1.7601.17514_none_03c46b205be81dfd\amdpcom32.dll]
[A87261EF1546325B559374F5689CF5BC] Malware.Win64.Gen.cs0 [C:\Windows\winsxs\amd64_igdlh.inf_31bf3856ad364e35_6.1.7600.16385_none_f3e7064ea3c09a9a\igdkmd64.sys]
[F6FD7F8147A591317E57D9008C8C7541] Malware.Win32.Gen.cld [C:\Windows\SysWOW64\wimserv.exe]
[90499F3163A9F815CF196A205EA3CD5D] Malware.Win64.Gen.cs0 [C:\Windows\winsxs\amd64_microsoft-windows-a…ence-infrastructure_31bf3856ad364e35_6.1.7601.17514_none_3337092d63596104\apphelp.dll]
[784FA3DF338E2E8F5F0389D6FAC428AF] Malware.Win64.Gen.cs0 [C:\Windows\winsxs\amd64_microsoft-windows-cryptbase_31bf3856ad364e35_6.1.7600.16385_none_c15ac71fc7aafddc\cryptbase.dll]
[D45BE8BAED0B82F6BBC9D9421FA8FA1C] Malware.Win64.Gen.cs0 [C:\Windows\winsxs\amd64_microsoft-windows-ribbons_31bf3856ad364e35_6.1.7601.17514_none_e6dae9713e9b7588\Ribbons.scr]
[29C1D5B330B802EFA1A8357373BC97FE] Malware.Win64.Gen.cs0 [C:\Windows\winsxs\amd64_microsoft-windows-servicepackcoordinator_31bf3856ad364e35_6.1.7601.17514_none_92e727843e307e1b\spinstall.exe]
[28F53390A15648FFD403CC4C65A90B27] Malware.Win32.Gen.cld [C:\Windows\winsxs\wow64_microsoft-windows-a…olicy-snapin-native_31bf3856ad364e35_6.1.7600.16385_none_a5b522837df19ae3\auditpolmsg.dll]
[98C66B8010CD7B6865F308ABD87C8E86] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_microsoft-windows-cdosys_31bf3856ad364e35_6.1.7601.17514_none_86c0afe17064a99d\cdosys.dll]
[59DF156711A76BCB993253EC6C9BBF41] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.17514_none_4a5d2c9ecd59afa7\dnsapi.dll]
[76161B9D78A275F8F28DD67436013110] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.18409_none_fc484db2a13f5426\kernel32.dll]
[F67A64C46DE10425045AF682802F5BA6] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\wow64_microsoft-windows-msdt_31bf3856ad364e35_6.1.7600.16385_none_0bcbfdec6b984220\msdt.exe]
[0842FB9AC27460E2B0107F6B3A872FD5] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_microsoft-windows-r…sistance-dcomserver_31bf3856ad364e35_6.1.7600.16385_none_963d3becc3a475f1\raserver.exe]
[DBB45A0839719312F248351E3FB9A0AE] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_6.1.7600.16385_none_c569db6aae975591\cmdl32.exe]
[DBB45A0839719312F248351E3FB9A0AE] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_6.1.7601.17514_none_c79aef32ab85d92b\cmdl32.exe]
[A3D9528E228DDD9A404E5EF4295AE35F] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\wow64_microsoft-windows-msinfo32-exe_31bf3856ad364e35_6.1.7600.16385_none_122602d047c011da\msinfo32.exe]
[4C61EA0D3BE4623EC040C4BE3E05AB26] Malware.Win32.Gen.cld [C:\Windows\winsxs\wow64_microsoft-windows-w…for-management-core_31bf3856ad364e35_6.1.7600.16385_none_30af1158fb1994f7\WSManHTTPConfig.exe]
[4C61EA0D3BE4623EC040C4BE3E05AB26] Malware.Win32.Gen.cld [C:\Windows\winsxs\wow64_microsoft-windows-w…for-management-core_31bf3856ad364e35_6.1.7601.17514_none_32e02520f8081891\WSManHTTPConfig.exe]
[68B4A549D0B56A4DD9A488751037CF09] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\wow64_microsoft-windows-t…minalservicesclient_31bf3856ad364e35_6.1.7601.17514_none_b656fd566c17dc3a\mstsc.exe]
[BDFABEDACD6F18B5EFB14B7529F3ED3E] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\x86_microsoft-windows-adaptertroubleshooter_31bf3856ad364e35_6.1.7600.16385_none_d1d79dd7e49a786f\AdapterTroubleshooter.exe]
[622D95520182F6D3D05310D5810CA8B3] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_windowssearchengine_31bf3856ad364e35_7.0.7600.16385_none_d9a3beb1698738d8\SearchIndexer.exe]
[622D95520182F6D3D05310D5810CA8B3] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\wow64_windowssearchengine_31bf3856ad364e35_7.0.7601.17514_none_dbd4d2796675bc72\SearchIndexer.exe]
[B4834F08230A2EB7F498DE4E5B6AB814] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_microsoft-windows-fsutil_31bf3856ad364e35_6.1.7601.17577_none_ce2d9fba4e5ca8e7\fsutil.exe]
[536020876C0980D49094E7EBB94A00AA] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\x86_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_e24a7886a9947ebf\hdwwiz.exe]
[76B39554938CABCC219C7471ADAF3135] Malware.Win32.Gen.cld [C:\Windows\winsxs\x86_microsoft-windows-ie-impexp-extexport_31bf3856ad364e35_8.0.7601.17514_none_4abf71c398c9a7d6\ExtExport.exe]
[7CA00998C1AAF913AC089E29DB746037] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.1.7600.16385_none_adca1fa537de6f5e\unregmp2.exe]
[7CA00998C1AAF913AC089E29DB746037] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-setup_31bf3856ad364e35_6.1.7601.17514_none_affb336d34ccf2f8\unregmp2.exe]
[A3D9528E228DDD9A404E5EF4295AE35F] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\x86_microsoft-windows-msinfo32-exe-common_31bf3856ad364e35_6.1.7600.16385_none_861b553e4c3473c1\msinfo32.exe]
[670205944B0F9D4FE47B86D7F6CC0A16] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7600.16385_none_c718d071d9c10a2d\auditpol.exe]
[670205944B0F9D4FE47B86D7F6CC0A16] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_microsoft-windows-msauditevtlog_31bf3856ad364e35_6.1.7601.18637_none_c937305dd6bd2876\auditpol.exe]
[02AF9857838C25EC98BBE492271F3E27] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_microsoft-windows-sysprep-aecache_31bf3856ad364e35_6.1.7600.16385_none_f4906b14fa5f4e62\aecache.dll]
[F6FD7F8147A591317E57D9008C8C7541] Malware.Win32.Gen.cld [C:\Windows\winsxs\x86_microsoft-windows-wimgapi_31bf3856ad364e35_6.1.7601.17514_none_8b030c557320a2c1\wimserv.exe]
[0729A9A1026BEBD625E9F1FAF5113C34] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\x86_microsoft-windows-sethc_31bf3856ad364e35_6.1.7600.16385_none_6296951cd66ee3c2\sethc.exe]
[E777BD47354F76CACF62FA193E510812] Malware.Win32.Gen.cs2 [C:\Windows\winsxs\x86_microsoft-windows-systemcpl_31bf3856ad364e35_6.1.7600.16385_none_e0abcaa7bf6258b5\systemcpl.dll]
[6DE80F60D7DE9CE6B8C2DDFDF79EF175] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe]
[2540B048D09C391B18E1EDB68EF9460C] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.1.7600.16385_none_beb69dae2443e398\RegSvcs.exe]
Pondus
January 18, 2016, 1:30pm
6
follow instructions here https://forum.avast.com/index.php?topic=53253.0
we need Malwarebytes and Farbar Recovery Scan Tool logs, attach the logs, 3 logs total
see below the box you write in … Attachments and other options
a malware expert will then assist you
system
January 18, 2016, 1:46pm
7
Sorry, m8, not bloody likely. System is wiped. Have to work with what we’ve got, I posted it for your benefit.
I did run Malwarebytes Anti-Rootkit though, nothin’. 9-lab was what nabbed it, that’s why I posted it. I followed the process in the bleepingcomputer link I posted above. It just left me with a crippled system, is all, so I wiped it.
Thanks for your help, though.
Pondus
January 18, 2016, 1:59pm
8
I followed the process in the bleepingcomputer link I posted above. It just left me with a crippled system
never use a fix found online, as it is not made for your specific system and may damage your system when run
always post diagnostic logs (FRST) from your system so a fix made for you can be created by a malware expert
Pondus
January 18, 2016, 2:14pm
9
Unless you are hit with a file infector, it seems the log you posted above contains lots of False Positives … search the MD5 on VT
Like this one
[2540B048D09C391B18E1EDB68EF9460C] Malware.Win32.Gen.cs0 [C:\Windows\winsxs\x86_regsvcs_b03f5f7f11d50a3a_6.1.7600.16385_none_beb69dae2443e398\RegSvcs.exe]
https://www.virustotal.com/en/file/ec110cfda19394e1a9d065011f3feb275d646a7c6c1ea3e987ac6132ff7a6b9b/analysis/
Copyright© Microsoft Corporation. All rights reserved.
Publisher Microsoft Windows
Product Microsoft® .NET Framework
Original name RegSvcs.exe
Internal name RegSvcs.exe
File version 2.0.50727.4927 (NetFXspW7.050727-4900)
Description Microsoft .NET Services Installation Utility
Comments Flavor=Retail
Signature verification Signed file, verified signature
Signing date 4:17 AM 7/14/2009
Signers
[+] Microsoft Windows
[+] Microsoft Windows Verification PCA
[+] Microsoft Root Certificate Authority
Counter signers
[+] Microsoft Time-Stamp Service
[+] Microsoft Time-Stamp PCA
[+] Microsoft Root Certificate Authority
If you had allowed the programme to remove those files then you would have needed to re-install Windows
system
January 18, 2016, 4:55pm
11
Undoubtedly there are some false positives mixed in. A messy business, this.
As for using fixes found online, thanks for the advice, but I’ve been doing this awhile.
C:\Windows\winsxs\x86 is the backup area for windows system files e.g. userinit.exe
So if for some reason the original system files were corrupted then you have no backup for SFC to use
See also https://technet.microsoft.com/en-us/library/cc753059.aspx for [B4834F08230A2EB7F498DE4E5B6AB814] Malware.Win32.Gen.cs0 [C:\Windows\SysWOW64\fsutil.exe]
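The two checks suggested in the thread, looking the MD5 up on VirusTotal and confirming the file carries a valid Microsoft signature, plus the point that WinSxS holds the installed copy of the same binaries, can be run over the whole hit list at once. The following PowerShell is an added example and is not code from the thread, from Avast or from 9lab. It assumes the scanner log was saved as C:\triage\9lab-log.txt (an assumed path), that the file lines have the `[MD5] Detection [C:\path]` shape shown in the post above, and PowerShell 4 or later for Get-FileHash. For every flagged file it recomputes the MD5, reads the Authenticode signature, and for files outside WinSxS reports whether a WinSxS entry with the same file name in the same log has an identical hash, which is what an untouched install looks like.

```powershell
# Added example (not from the thread): triage a scanner hit list by verifying
# Authenticode signatures and comparing live files with their WinSxS copies.
# Assumptions: the 9lab log was saved as C:\triage\9lab-log.txt (assumed path),
# its file lines look like "[MD5] Detection [C:\path]" as in the thread, and
# PowerShell 4+ is available (Get-FileHash). Run from an elevated prompt.

$LogPath = 'C:\triage\9lab-log.txt'

# 1. Parse file hits. The header and registry lines do not match and are skipped.
$hits = Get-Content -LiteralPath $LogPath | ForEach-Object {
    if ($_ -match '^\[(?<md5>[0-9A-Fa-f]{32})\]\s+(?<det>\S+)\s+\[(?<path>[^\]]+)\]$') {
        [pscustomobject]@{
            ReportedMD5 = $Matches.md5.ToUpper()
            Detection   = $Matches.det
            Path        = $Matches.path
        }
    }
}

# 2. Index WinSxS entries by leaf name. The component store keeps the installed
#    copy of the binaries that also live under System32 / SysWOW64 / DriverStore.
$store = @{}
foreach ($h in $hits) {
    if ($h.Path -like 'C:\Windows\winsxs\*') {
        $leaf = (Split-Path -Leaf $h.Path).ToLower()
        if (-not $store.ContainsKey($leaf)) { $store[$leaf] = @() }
        $store[$leaf] += $h.ReportedMD5
    }
}

# 3. For every hit: signature status, signer, whether the file changed since the
#    scan, and whether the live copy is byte-identical to a WinSxS copy.
$report = foreach ($h in $hits) {
    $row = [ordered]@{
        Path             = $h.Path
        Detection        = $h.Detection
        Status           = 'MISSING'      # file no longer present (already removed?)
        Signer           = ''
        ChangedSinceScan = ''
        SameAsWinSxS     = 'n/a'
    }
    if (Test-Path -LiteralPath $h.Path) {
        $md5 = (Get-FileHash -LiteralPath $h.Path -Algorithm MD5).Hash
        $sig = Get-AuthenticodeSignature -LiteralPath $h.Path
        $row.Status           = $sig.Status    # Valid, NotSigned, HashMismatch, ...
        $row.ChangedSinceScan = ($md5 -ne $h.ReportedMD5)
        if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
        $leaf = (Split-Path -Leaf $h.Path).ToLower()
        if (($h.Path -notlike 'C:\Windows\winsxs\*') -and $store.ContainsKey($leaf)) {
            $row.SameAsWinSxS = ($store[$leaf] -contains $md5)
        }
    }
    [pscustomobject]$row
}

$report | Sort-Object Status, Path | Format-Table -AutoSize

# 4. One VirusTotal lookup per hash, not per path; the log repeats hashes across
#    the live location and the WinSxS copies.
"`nUnique MD5s to search on VirusTotal:"
$hits.ReportedMD5 | Sort-Object -Unique
```

Two caveats when reading the output. Get-AuthenticodeSignature only sees embedded signatures on older Windows and PowerShell versions, and many Windows 7 system binaries (fsutil.exe among them) are catalog-signed, so `NotSigned` on a file under C:\Windows is not by itself suspicious; confirm with `sfc /verifyonly` or a tool that checks the catalogs, such as Sysinternals sigcheck. And `SameAsWinSxS = True` is evidence, not proof: the posted log already shows identical hashes for pairs such as cmdl32.exe in SysWOW64 and in WinSxS, which is the expected result on a clean system, but a file infector that had touched both copies would pass this check too, which is exactly the exception Pondus notes.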
system
January 18, 2016, 6:10pm
14
Though I appreciate both of your efforts, they are, unfortunately, sadly misplaced. As I’ve already mentioned, I’ve already wiped these two systems so there’s no use trying to further diagnose them.
Cheers.
C:\Windows\winsxs\x86 is the backup area for windows system files e.g. userinit.exe
So if for some reason the original system files were corrupted then you have no backup for SFC to use
See also https://technet.microsoft.com/en-us/library/cc753059.aspx for [B4834F08230A2EB7F498DE4E5B6AB814] Malware.Win32.Gen.cs0 [C:\Windows\SysWOW64\fsutil.exe]
Pondus
January 18, 2016, 8:39pm
15
I've already wiped these two systems so there's no use trying to further diagnose them.
So what was the reason for coming here???