Not sure if false positive but funny things happened when intalling AVAST

While installing AVAST (latest download) my computer froze up and the keyboard would not work; neither would IE8 or Firefox. IE just froze when trying to open. Ran MalwareBytes and it gave me a BSOD. Checked the memory dump and the bug check showed MalwareBytes’ mbamswissarmy.sys file was at fault.

During system boot-up I’ve noticed that the desktop and taskbar will freeze for a good 1 minute; it never did this before. It could be due to new services from newly installed programs, but I’m not sure.

Can someone take a look at the OTS scan log and let me know if there are any issues?

Here is the link to the OTS scan log. I could not attach it; the forum would not allow it, saying it was too big.

http://web.ncf.ca/eh936/OTS.Txt

Here is the Malwarebytes log

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6022

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/11/2011 12:18:01 PM
mbam-log-2011-03-11 (12-18-01).txt

Scan type: Quick scan
Objects scanned: 152079
Time elapsed: 12 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi Victor,

Have you done an avast boot-time scan, or run an on-demand scan with avast in safe mode?

This is probably caused by some malware which has infected your system memory and runs inside a Windows DLL in memory.

This sometimes happens to our users as well, but after we scan with avast’s boot-time scan we find them.

cheers,

The OTS scan log contains an autorun worm? Just because I couldn’t open it… ;D

Aye, web shield does not like it… I downloaded the file; however, as it was all spread out I was unable to parse it.
Could you upload the entire OTS.txt to Mediafire and post the sharing link?

Thanks for the reply, firstly. Secondly, yes, I ran a boot-time scan of drives C: and D:, but AVAST 6.0x Free Edition found nothing. Did not try running a virus scan in safe mode; thought a boot-time scan would be sufficient, but I will give it a try. BTW I uploaded notepad.exe to www.virustotal.com and got back the following results:

File name: notepad.exe
Submission date: 2011-03-12 18:09:20 (UTC)
Result: 1/ 43 (2.3%)

Antivirus Version Last Update Result
AhnLab-V3 2011.03.12.00 2011.03.11 -
AntiVir 7.11.4.177 2011.03.12 -
Antiy-AVL 2.0.3.7 2011.03.12 -
Avast 4.8.1351.0 2011.03.12 -
Avast5 5.0.677.0 2011.03.12 -
AVG 10.0.0.1190 2011.03.12 -
BitDefender 7.2 2011.03.12 -
CAT-QuickHeal 11.00 2011.03.12 -
ClamAV 0.96.4.0 2011.03.12 -
Commtouch 5.2.11.5 2011.03.12 -
Comodo 7955 2011.03.12 -
DrWeb 5.0.2.03300 2011.03.12 -
Emsisoft 5.1.0.2 2011.03.12 -
eSafe 7.0.17.0 2011.03.10 Win32.Banker
eTrust-Vet 36.1.8211 2011.03.11 -
F-Prot 4.6.2.117 2011.03.12 -
F-Secure 9.0.16440.0 2011.03.12 -
Fortinet 4.2.254.0 2011.03.12 -
GData 21 2011.03.12 -
Ikarus T3.1.1.97.0 2011.03.12 -
Jiangmin 13.0.900 2011.03.12 -
K7AntiVirus 9.93.4087 2011.03.11 -
Kaspersky 7.0.0.125 2011.03.12 -
McAfee 5.400.0.1158 2011.03.12 -
McAfee-GW-Edition 2010.1C 2011.03.12 -
Microsoft 1.6603 2011.03.12 -
NOD32 5948 2011.03.12 -
Norman 6.07.03 2011.03.12 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.11 -
PCTools 7.0.3.5 2011.03.11 -
Prevx 3.0 2011.03.12 -
Rising 23.48.05.03 2011.03.12 -
Sophos 4.63.0 2011.03.12 -
SUPERAntiSpyware 4.40.0.1006 2011.03.12 -
Symantec 20101.3.0.103 2011.03.12 -
TheHacker 6.7.0.1.149 2011.03.12 -
TrendMicro 9.200.0.1012 2011.03.12 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.12 -
VBA32 3.12.14.3 2011.03.12 -
VIPRE 8680 2011.03.12 -
ViRobot 2011.3.12.4354 2011.03.12 -
VirusBuster 13.6.246.3 2011.03.11 -
MD5 : 5e28284f9b5f9097640d58a73d38ad4c
SHA1 : 7a90f8b051bc82cc9cadbcc9ba345ced02891a6c
SHA256: 865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

http://www.virustotal.com/file-scan/report.html?id=865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5-1299953360

Will do shortly, and thanks for the help. Victor. BTW I took the OTS.exe downloaded from here http://oldtimer.geekstogo.com/OTS.exe, ran a scan on www.virustotal.com and received the following results:

File name: OTS.exe
Submission date: 2011-03-12 18:50:11 (UTC)
Result: 5/ 43 (11.6%)

Antivirus Version Last Update Result
AhnLab-V3 2011.03.12.00 2011.03.11 -
AntiVir 7.11.4.177 2011.03.12 -
Antiy-AVL 2.0.3.7 2011.03.12 -
Avast 4.8.1351.0 2011.03.12 -
Avast5 5.0.677.0 2011.03.12 -
AVG 10.0.0.1190 2011.03.12 -
BitDefender 7.2 2011.03.12 -
CAT-QuickHeal 11.00 2011.03.12 (Suspicious) - DNAScan
ClamAV 0.96.4.0 2011.03.12 PUA.Packed.PECompact-1
Commtouch 5.2.11.5 2011.03.12 -
Comodo 7955 2011.03.12 -
DrWeb 5.0.2.03300 2011.03.12 Trojan.Siggen2.23542
Emsisoft 5.1.0.2 2011.03.12 -
eSafe 7.0.17.0 2011.03.10 -
eTrust-Vet 36.1.8211 2011.03.11 -
F-Prot 4.6.2.117 2011.03.12 -
F-Secure 9.0.16440.0 2011.03.12 -
Fortinet 4.2.254.0 2011.03.12 -
GData 21 2011.03.12 -
Ikarus T3.1.1.97.0 2011.03.12 -
Jiangmin 13.0.900 2011.03.12 -
K7AntiVirus 9.93.4087 2011.03.11 -
Kaspersky 7.0.0.125 2011.03.12 -
McAfee 5.400.0.1158 2011.03.12 Artemis!AF5A3E595583
McAfee-GW-Edition 2010.1C 2011.03.12 Artemis!AF5A3E595583
Microsoft 1.6603 2011.03.12 -
NOD32 5948 2011.03.12 -
Norman 6.07.03 2011.03.12 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.03.12 -
PCTools 7.0.3.5 2011.03.11 -
Prevx 3.0 2011.03.12 -
Rising 23.48.05.03 2011.03.12 -
Sophos 4.63.0 2011.03.12 -
SUPERAntiSpyware 4.40.0.1006 2011.03.12 -
Symantec 20101.3.0.103 2011.03.12 -
TheHacker 6.7.0.1.149 2011.03.12 -
TrendMicro 9.200.0.1012 2011.03.12 -
TrendMicro-HouseCall 9.200.0.1012 2011.03.12 -
VBA32 3.12.14.3 2011.03.12 -
VIPRE 8681 2011.03.12 -
ViRobot 2011.3.12.4354 2011.03.12 -
VirusBuster 13.6.246.3 2011.03.11 -
MD5 : af5a3e59558352ff5867cfa60a096a5e
SHA1 : 093378c42999b54cfefeff363ce00135c2129f95
SHA256: 2379538b3b70f7dcde076a71099cb61978fae436404d11931e4e671660c4115e

If you got it from the geekstogo link or the ITX link it is good. Due to the capabilities of the programme it could be classified as a PUP (potentially unwanted programme), but no more than that.
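The reasoning in the two VirusTotal posts above (a low ratio made up of heuristic, packer and reputation names on a known tool is a probable false positive; a named family on a system file is not) can be turned into a repeatable check. The script below is an added example for this thread, not code from the thread, OTS or VirusTotal. The sample table is constructed from the OTS.exe report posted above, keeping all five hits and a few of the clean rows; the "5/ 43" line is the ratio VirusTotal printed, so the total comes from there rather than from the trimmed row count. The list of "generic" name markers is my own assumption about which vendor labels are heuristic rather than a specific family.

```python
"""Triage a VirusTotal-style vendor table: false positive or real detection?

Added example; not part of the original thread or of OTS/VirusTotal code.
The sample report is constructed from the OTS.exe result posted above.
"""
import hashlib
import re

SAMPLE_REPORT = """\
Result:
5/ 43 (11.6%)

Antivirus Version Last Update Result
AhnLab-V3 2011.03.12.00 2011.03.11 -
Avast5 5.0.677.0 2011.03.12 -
CAT-QuickHeal 11.00 2011.03.12 (Suspicious) - DNAScan
ClamAV 0.96.4.0 2011.03.12 PUA.Packed.PECompact-1
DrWeb 5.0.2.03300 2011.03.12 Trojan.Siggen2.23542
Kaspersky 7.0.0.125 2011.03.12 -
McAfee 5.400.0.1158 2011.03.12 Artemis!AF5A3E595583
McAfee-GW-Edition 2010.1C 2011.03.12 Artemis!AF5A3E595583
Microsoft 1.6603 2011.03.12 -
Symantec 20101.3.0.103 2011.03.12 -
"""

# Assumed markers of a heuristic, generic, reputation or packer/PUA verdict
# rather than a named family: Artemis is McAfee's cloud reputation engine,
# DNAScan is Quick Heal's heuristic, Siggen is Dr.Web's generic signature and
# PUA.Packed.* is ClamAV flagging a runtime packer (PECompact here).
GENERIC_MARKERS = ("artemis", "dnascan", "suspicious", "siggen", "pua.",
                   "packed", "heur", "gen:", "generic")

RATIO_RE = re.compile(r"^\s*(\d+)\s*/\s*(\d+)")
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.*)$")


def parse_report(text):
    """Return (hits, total, rows); rows is a list of (vendor, result)."""
    hits = total = None
    rows = []
    for line in text.splitlines():
        m = RATIO_RE.match(line)
        if m and hits is None:
            hits, total = int(m.group(1)), int(m.group(2))
            continue
        m = ROW_RE.match(line)
        if m:  # vendor, engine version, signature date, verdict
            rows.append((m.group(1), m.group(4).strip()))
    if hits is None:  # no "N/ M" header: fall back to counting rows
        hits = sum(1 for _, r in rows if r != "-")
        total = len(rows)
    return hits, total, rows


def classify(result):
    """'clean', 'generic' (heuristic/packer/PUA) or 'named' (a specific family)."""
    if result == "-":
        return "clean"
    low = result.lower()
    return "generic" if any(mk in low for mk in GENERIC_MARKERS) else "named"


def triage(text, max_ratio=0.2):
    """Summarise the report and give the verdict a reviewer would give.

    'likely false positive' needs a ratio at or below max_ratio AND no
    vendor naming a specific family; anything else is 'investigate'.
    """
    hits, total, rows = parse_report(text)
    if total == 0:
        raise ValueError("no vendor rows and no N/M header found")
    flagged = [(v, r) for v, r in rows if r != "-"]
    if len(flagged) != hits:
        raise ValueError(f"table lists {len(flagged)} hits, header says {hits}")
    kinds = {v: classify(r) for v, r in flagged}
    named = sorted(v for v, k in kinds.items() if k == "named")
    verdict = ("likely false positive"
               if hits / total <= max_ratio and not named else "investigate")
    return {"hits": hits, "total": total, "ratio": hits / total,
            "generic": sorted(v for v, k in kinds.items() if k == "generic"),
            "named": named, "verdict": verdict}


def sha256_hex(data):
    """Hash of the file you actually ran; compare it with the SHA256 printed
    on the report so the verdict applies to your copy, not a same-named file."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

For the OTS.exe table this yields five generic hits, no named family and "likely false positive"; a one-vendor hit that carries a specific name (as eSafe's Win32.Banker on notepad.exe did) comes back as "investigate", which is the right prompt to hash the file and compare it with a known-good copy.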

Thanks for the reply. In the meantime I’m upgrading my hard drive to 80GB, up from 40GB, since I ran out of room. I’m getting low disk space messages in the bottom right-hand corner. There is about 30GB of files and folders under the C:\Windows directory, mostly in the System32 folder. The OTS.exe run was taking so long while it was scanning for files created in the last 30 days; it was scanning the C:\Windows\System32 directory forever. I tried running OTS in a sandbox, but the sandbox directory started to take up a lot of disk space, over 1GB of files. I was using Sandboxie only because of the 5 virus detections VirusTotal reported. Anyhow, I will have to let OTS.exe run to its end on the new hard drive. It may take a while, so please be patient, as I deleted the old OTS.log file because of the worm you both had mentioned. So I’m running a fresh run of OTS.exe again. Sorry if this has caused any inconvenience to anyone.

OK, this is what has happened. The 40GB drive ran out of space, with only 1.6MB free. I had no choice but to mirror an older backup image onto the 80GB drive. Right now the 40GB is set up on the secondary channel as master. It still shows 1.6MB of free space. How can I run an OTS.exe scan on this drive now, or perhaps another scanner that someone can suggest? I can put the drive back as master on the primary channel, but things weren’t looking too good when running Windows XP with hardly any space. Funny thing: I freed up over 1GB of space by uninstalling programs, but that space was quickly used up by some process. I don’t mind going back to the master channel if that’s the best option for me. I am open to ideas. Anyone?

OK, if you have the ability to burn a disc we can work outside of Windows, which will get around the space problem for now… Also, when you imaged the 40GB onto the 80GB drive, did you expand the 40GB partition to use the entire drive?

I was not able to expand the 80GB drive to display 80GB of space. It still showed 40GB total capacity with about 1.6MB available after booting back into Windows following the re-imaging onto the larger drive. That’s when things got worse and I could not do anything, like run OTS or any other anti-malware software or uninstall more software. So I put a clean image onto the 80GB drive, which is now being displayed correctly by Windows, and have the 40GB virus-infected drive set up as Secondary Master. I’ve deleted some files off the 40GB drive, like my SQL Server 2005 folder, which I could not entirely uninstall when the drive was the Primary Master with little or no available space. I do remember running Combofix before coming to this forum for help, and it found only one infection, which it cleaned. It was an ntfs.sys file. I ended up replacing Notepad.exe from the Windows disk in all locations on the 40GB drive. Since the Primary Master is a clean installation, is it possible to install any program from there and then run a scan on the 40GB which is set up as Secondary Master? Does the Bart CD work better if booting from the CD? I’ve got it downloaded right now, ready to burn if required.

Please let me know what to do next, and thanks for the help. It’s much appreciated.

Victor

So the master is displaying and using the full 80GB. Could you take a screenshot of it? I have included a screenshot of mine so that you can see what it looks like.

Click Start, click Run, type compmgmt.msc, and then click OK.
In the console tree, click Disk Management.
The Disk Management window appears.
Your disks and volumes appear in a graphical view and list view.

Yes, the master is displaying correctly, but keep in mind that it’s a clean install from a backed-up Ghost image I had. There should be no viruses on the master drive. Would you like me to place the virus-infected 40GB drive as the Master? I can do that if it would make things easier when running further scans, OTS or other programs.
My only concern is that the virus(es) will use up all the available space on that drive, making it difficult to run any scanning utility/software.

Thanks very much for the help.

Yes, make it the master please, as that is where all my scans are geared to.

If you have at least 6 MB of space on that drive, OTS should run.

Done, but Firefox is giving me problems. Firstly, every time I click on a link the download window opens and, instead of opening the page, it downloads it to the download folder. Secondly, I could not type in the google.com search box; I had to paste text copied from the Start->Run box. IE8 seems to be working fine right now. I’ve done what you asked and made the virus-infected 40GB drive the master drive in the system. It booted up a bit slowly but overall it’s running fine.

I’m running an OTS scan right now. I’m sure it will take a while since the C:\Windows directory has over 30GB of files. Thanks a lot for your help. Just a side note: when the 40GB virus-infected drive was master in the beginning I was able to run a virus scan using Dr.Web, ESET Scanner and AVAST 6 (boot time), along with running Malwarebytes, SuperAntiSpyware and Spybot Search and Destroy. Spybot found a single suspicious registry entry. I have the log; if you would like me to upload it to MediaFire, I can.

Victor

If you could run OTS and attach the generated text file, I will then be able to see where the problems are.

Here is the log file OTS.exe created. It went faster than I expected. Hope it helps. Thanks for the help. Victor.

http://www.mediafire.com/download.php?ituimgo9h1l9jl0

Well, the good news is that there is no apparent malware there, so it is a space problem. This fix may take a little longer than normal, as I am going to flush all your temporary files and restore points and remove some empty folders.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< FireFox Extensions [User Folders] > -> 
YN -> No name found   -> C:\Documents and Settings\vmehta\Application Data\Mozilla\Firefox\Profiles\oqwk810k.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
YY -> ~EmptyValue -> C:\Documents and Settings\vmehta\Application Data\Mozilla\Firefox\Profiles\oqwk810k.default\extensions\Access Privileges Test
YY -> ~EmptyValue -> C:\Documents and Settings\vmehta\Application Data\Mozilla\Firefox\Profiles\oqwk810k.default\extensions\Access Privileges Test-1
YY -> ~EmptyValue -> C:\Documents and Settings\vmehta\Application Data\Mozilla\Firefox\Profiles\oqwk810k.default\extensions\Access Privileges Test-2
YY -> ~EmptyValue -> C:\Documents and Settings\vmehta\Application Data\Mozilla\Firefox\Profiles\oqwk810k.default\extensions\staged-xpis
[Files/Folders - Created Within 30 Days]
NY ->  DoctorWeb -> C:\Documents and Settings\vmehta\DoctorWeb
NY ->  Greatis -> C:\Program Files\Greatis
NY ->  ESET -> C:\Documents and Settings\vmehta\Local Settings\Application Data\ESET
[Empty Temp Folders]
[EmptyFlash]
[ClearAllRestorePoints]
  

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of the actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Thanks for the help. I copied and pasted the fix into OTS.exe, but there was no log file of the fixes. It did ask me to reboot the computer following the completion of the fixes. Got back to the desktop and the only log file was the original scan.

My Firefox is still playing games with me. Now when I click on a link in google.com or on any web page it opens the link in a separate tab. Still cannot type anything in the search box at google.com, nor can I type anything in the address box where you type in a URL in Firefox.

Right now I’ve got 1.8GB of free space on the 40GB drive.

Should I run the fix again? Thanks again.

Victor

UPDATE: Found under the C:\_OTS directory a log file which I believe is of all the fixes. I’ve attached it here for your review. Thanks again for your help.

Good news about Firefox: it seems to be working fine right now after uninstalling the AVAST 6 Pro trial. I think it was some sort of incompatibility with BufferZone, my security software that runs all browsers in a sandbox. AVAST Pro I believe has a similar technology. Love that technology. Would you know what has caused the C:\Windows folder to exceed 30GB of space?

Thanks for all your help. Victor.

P.S. Would you mind recommending any resource on how to interpret the log files generated by OTS? I’d like to learn to troubleshoot these types of issues on my own if I can. Thanks.

Further, I was luckily able to find out why there was so little disk space on this 40GB drive. Under the C:\Windows directory there was a single file called Procmon.pmb which was taking up a whopping 28GB of space. I found out that it’s for boot logging if it’s enabled. We now have over 30GB of free space.
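The thread’s real fault turned out to be a single 28GB Procmon.pmb boot-logging file, found by luck; the script below is an added example (not the thread’s or OTS’s code) of finding such a hog systematically: it walks a tree, tolerates entries it cannot stat (locked or ACL-denied files are common under C:\Windows), skips symlinks and reports both the largest files and the directories holding the most bytes. The sample tree it builds is constructed, with a 3 MiB stand-in for the 28GB file; on a real machine call largest_files(r"C:\Windows", top=10) from an elevated prompt.

```python
"""Find what is eating a volume: largest files and heaviest directories.

Added example; not code from the thread or from OTS.  The sample tree is
constructed so the script runs offline; the file names mirror the thread.
"""
import os
import tempfile
from collections import Counter


def walk_sizes(root):
    """Yield (path, size) for every regular file under root, best effort."""
    for dirpath, dirnames, filenames in os.walk(root):
        # do not descend into symlinked directories (junctions on Windows)
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path):
                    continue
                yield path, os.path.getsize(path)
            except OSError:
                continue  # unreadable, locked, or gone between listing and stat


def largest_files(root, top=10, min_size=0):
    """The `top` largest files of at least min_size bytes, biggest first."""
    found = [(p, s) for p, s in walk_sizes(root) if s >= min_size]
    found.sort(key=lambda ps: ps[1], reverse=True)
    return found[:top]


def heaviest_dirs(root, top=10):
    """Bytes held directly in each directory (not recursive), biggest first."""
    per_dir = Counter()
    for path, size in walk_sizes(root):
        per_dir[os.path.dirname(path)] += size
    return per_dir.most_common(top)


def build_sample_tree():
    """Constructed sample: a fake Windows tree with a 3 MiB Procmon.pmb
    (28GB in the thread) amid small system files.  Returns the root."""
    root = tempfile.mkdtemp(prefix="winsample_")
    layout = {
        "Procmon.pmb": 3 * 1024 * 1024,
        os.path.join("System32", "ntfs.sys"): 600 * 1024,
        os.path.join("System32", "notepad.exe"): 70 * 1024,
        os.path.join("Temp", "setup.log"): 12 * 1024,
    }
    for rel, size in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, size in largest_files(sample, top=3):
        print(f"{size:>12,d}  {path}")
    for directory, total in heaviest_dirs(sample, top=3):
        print(f"{total:>12,d}  {directory}{os.sep}")
```

A disk that fills up again minutes after space is freed, as happened here, is worth running this against first; a growing log file and a malware dropper look the same from the low-disk-space balloon, and only the file list tells them apart.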