Hello everyone!
I have been using Windows for over 10 years, so do not be afraid to be technical.
Today I was going to test my Comodo firewall, and I found the Atelier Web Firewall test program, which McAfee SiteAdvisor said was safe. So I downloaded it, and avast went crazy when I ran a test! It said that awft.exe was infected! I do not remember the virus name, but I clicked delete. So I launched Firefox to get help, and then Comodo panics and I click deny and it tries to attack Windows! I tell avast to do a boot scan and I pull the plug. I plug the PC back in AND AD-AWARE 2007 WAS INFECTED!!! The infection was Win32-Inject BS Trj. I successfully removed it, however it did not find the awft.exe!!! I ran F-Secure BlackLight and Spybot S&D (Ad-Aware was damaged) and they found nothing! Please help me! This is my main machine and I rarely get this nasty of an infection!!!
Thank you for reading this!
Below is my HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:29:17 PM, on 6/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Right now, why do you think you're still infected?
What are the problems?
Your HJT log seems clean.
I’m not an expert on HijackThis… But you can check the automatic analysis of your HijackThis log here.
You can find more info in the links of the last column of this table.
That info could guide you on the cleaning process.
Anyway, if you have doubts, just post here.
Also, take a careful look at the first column of the table:
If you don't recognize a legitimate program in one of the items marked as FIX IF UNKNOWN, please post it back here and maybe we can help you. Or, if you're sure it's a malware item, you can remove it as posted below.
If you agree with the automatic classification of the infected items marked as FIX (CHECK NOTES!), you can go back to the HijackThis program, check the box of that item and then remove it using the button 'Fix checked'. Although, in your case, those items seem ok, just a misinterpretation of the automatic process.
Well, I have this gut feeling that something is wrong. I did not find the virus after the boot scan, so it looks like avast deleted it on restart. I am quite paranoid about things like this!
Guess What!
Windows is now acting like an antivirus! I downloaded Firefox from the official homepage, and Windows removed the setup app! My system is really screwy!!!
I have no clue what is going on! I removed all the bad stuff too! Here is my list of open tasks that I think are bad:
guard.exe (New!)
mDNSResponder.exe (Never saw that)
avgas.exe (Don't recall seeing that)
wscntfy.exe (Small memory footprint, never saw it)
nvsc32.exe (Never saw it, low memory footprint!)
Should I kill these?
Many firewall testers will fall foul of AVs as they are trying to bypass the firewall, something that isn't usual and under normal circumstances downright malicious. The problem is avast doesn't know that you're testing your firewall, just that there is a file designed to bypass your firewall.
What is the infected/suspect file name/s, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.
Was the awft.exe file the one notified that would be downloaded at the site that you went to (it would seem so)?
I wouldn't take McAfee's SiteAdvisor as gospel. I would rather check the link with the DrWeb link checker (Firefox extension) at http://online.drweb.com/?url=1 and even then, when I downloaded it, I would scan it with avast before running it and probably check it at: VirusTotal - Multi engine on-line virus scanner. I feel VirusTotal is the better option as it uses the Windows version of avast (more packers supported) and there are currently 32 different scanners.
Or Jotti - Multi engine on-line virus scanner; if any other scanners there detect it, it is less likely to be a false positive.
I have a couple of firewall test files that avast detects, and I keep them in a folder (avast Exclude, original, right?) that I exclude from scans. That allows me to run the test without an alert.
Can anyone help me scan this file… http://www.bossmailer.biz/bossmailer(.)exe I downloaded the file last night, then the avast! virus warning popped up just after the download finished. The avast! virus warning states there's Win32:Parite in this app, but I really need this file for my job…
You should not put live links to malware on this forum. Some ignorant person might click it and get him- or herself infected. The link is indeed a malware vector according to DrWeb's hyperlink scanner:
File size: 5809.5K
Well, anyway, you have a PE infector. Make the link to bossmailer unclickable, for instance by replacing the . with dot. We do not like links to live malware or viruses on this forum.
Once W32/Parite-B has been executed, it will remain in memory, infecting every PE and SCR file on every drive and network share.
The main viral code will be dropped to a randomly named TMP file in the Windows temp directory. The file is 172 KB in size.
You should do a boottime scan in safe mode.
Okies, I've corrected my mistake. What do you mean by "Well anyway you have a PE infector"? The avast! Virus Cleaning Tool appeared just after the virus was detected. Nothing there, only 4-5 files that could not be scanned by avast! Then I ran Windows Defender, still nothing. It won't satisfy me, so again I ran an avast! boot scan 'til I fell asleep, but it seems there's really nothing there. Anything else that I may have missed…?
The virus is a file infector that is composed of two parts: a small stub written in assembler, appended to the infected files, that decrypts the main virus body, also appended to the infected file. The main virus body is a PE file written in Borland C++ that is dropped in the Windows\TEMP directory (or whatever location temporary files have on your system).
The virus infects PE files, and searches for files with *.exe and *.scr extensions on local drives, network drives and network shares on the local network. Because the virus appends the main body, which is ~180K in size, to every infected file, there should be a visible decrease in free space on your volumes. The virus doesn't show its presence in any way, and does not use email for spreading.
Versions A and B are mostly the same, while version C uses a somewhat tricky method of encrypting the original PE file's entry point. Infected files have a last section whose name consists of 3 randomly chosen letters followed by a non-printable character.
If in your exe files the last section name is .jbd or .xgt or something like that, then it’s probably a file infected with Parite.
You may wish to contact the site to see if their system and download file have been infected by the Parite file infector.
If the file is an infected legitimate file, you may get an option to heal or repair the file from avast!, but certainly in its present state you should not run the application because it will harm your PC.
You have a file infector, a form of virus back on the charts again, forming 25% of the most recent virus infectors. You can read about PE, and what it does, here: http://www.securityfocus.com/infocus/1841
This is also a very interesting article for other forum members.
So FwF is 100% right,
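The two replies above give a concrete, checkable indicator: a Parite-infected executable carries an appended last section whose name is three letters (the examples given are ".jbd" and ".xgt"), possibly followed by a non-printable byte. The script below is an added example, not from the thread or from avast; it walks the PE headers (DOS header, PE signature, COFF header, section table) and classifies the last section name as normal, suspect or unusual. The allow-list of common section names is an assumption for the demo, and the `build_minimal_pe` helper constructs a header-only stub so the example runs without any real binary. It is a triage heuristic for the description in the post, not a detection engine: packers and custom linkers also produce odd section names.

```python
import re
import struct

# Section names that common compilers, linkers and packers emit. This is an
# assumed allow-list for the demo, not an exhaustive one: a name outside it
# is merely "unusual", which by itself proves nothing.
COMMON_SECTIONS = {
    ".text", ".data", ".rdata", ".idata", ".edata", ".pdata", ".rsrc",
    ".reloc", ".bss", ".tls", ".CRT", ".ndata", ".itext", ".didata",
    "CODE", "DATA", "BSS", "UPX0", "UPX1", "UPX2",
}

# The post's description of a Parite section name: three letters (the poster's
# examples ".jbd" / ".xgt" carry a leading dot), optionally followed by one
# non-printable byte, then NUL padding (stripped before matching).
PARITE_NAME = re.compile(rb"^\.?[A-Za-z]{3}[\x00-\x1f\x7f-\xff]?$")


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the raw 8-byte name of every section, in file order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER starts here
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                 # section headers follow the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                     # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table is truncated")
        names.append(data[off:off + 8])
    return names


def classify_last_section(name: bytes) -> str:
    """'normal' for a well-known name, 'suspect' if it fits the Parite
    pattern from the post, otherwise 'unusual'."""
    stripped = name.rstrip(b"\0")
    if stripped.decode("latin-1") in COMMON_SECTIONS:
        return "normal"
    if PARITE_NAME.match(stripped):
        return "suspect"
    return "unusual"


def scan_pe(data: bytes) -> dict:
    """Summarise the section table and give a verdict on the last section."""
    names = pe_section_names(data)
    last = names[-1] if names else b""
    return {
        "sections": [n.rstrip(b"\0").decode("latin-1") for n in names],
        "last_section": last.rstrip(b"\0"),
        "verdict": classify_last_section(last) if names else "unusual",
    }


def build_minimal_pe(section_names: list) -> bytes:
    """Constructed header-only PE32 stub (not loadable, just enough for the
    parser) so the example runs without touching a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew: PE header right after DOS header
    opt_size = 224                               # size of a PE32 optional header
    # Machine=i386, NumberOfSections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    table = b"".join(n.ljust(8, b"\0")[:8] + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table


if __name__ == "__main__":
    for label, names in (("clean", [b".text", b".data", b".rsrc"]),
                         ("parite-like", [b".text", b".data", b".jbd"])):
        print(label, scan_pe(build_minimal_pe(names)))
```

To use it on a real file, read the bytes with `open(path, "rb").read()` and pass them to `scan_pe`; a "suspect" verdict on several .exe/.scr files across a drive, together with the free-space drop the post describes, is the pattern to look for, and any such file should go to avast for repair rather than be run.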
Guys, help me with this… I've installed avast! on my friend's laptop. After the first boot scan of avast! I found W32:Halkagan and deleted it all. Then after start-up and updates I tried to scan this laptop again, but the memory scan stopped after it found the memory had been infected by killvbs.vbs. It asked for a boot scan once again, but the system cannot restart. And more, I can't access the Registry, the Task Manager is locked and the Folder Options are missing.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:15 PM, on 7/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
This is the HijackThis log after I clicked Fix checked…
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:30 PM, on 7/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\killVBS.vbs
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM..\Run: [IntelZeroConfig] “C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe”
O4 - HKLM..\Run: [IntelWireless] “C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe” /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [EOUApp] “C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe”
O4 - HKLM..\Run: [INPROCOMMWireless] C:\Program Files\Atheros\Wireless\Utility\WlanUtil.exe
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Yahoo! Pager] “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” -quiet
O4 - HKCU..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip..{AD985E3D-4472-48A3-B3B5-45EAC814CF7D}: NameServer = 202.188.0.133 202.188.1.5
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
–
End of file - 8122 bytes
The RVHOST.EXE has vanished, but the killvbs.vbs and wscript.exe are still there. I've tried putting it into the Chest but avast! said it is being used by another application. And I can't even upload the killvbs.vbs to VirusTotal.
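The persistence in the log above is the F2 line: Winlogon runs every comma-separated entry of the Userinit value at each logon, and on Windows XP the stock value is just `C:\WINDOWS\system32\userinit.exe,` (hence the trailing comma). Here it has `C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\killVBS.vbs` appended, so the script restarts with every logon, and the O7 line shows the DisableRegedit policy that explains the locked registry. The F2 line surviving "Fix checked" is consistent with the still-running script rewriting the value, which is why the script host must be stopped (Safe Mode or the boot-time scan suggested earlier in the thread) before the value is restored. The following triage script is an added example, not part of the thread and not an avast or HijackThis tool; it parses HJT log text only (it does not touch the registry) and flags extra Userinit entries, restrictive Policies\System values, and Run entries that invoke wscript.exe or cscript.exe. The sample lines are constructed: the F2, O7 and avast O4 lines are copied from the log above, the `[Updater]` line is made up.

```python
import re

# Constructed sample log. The F2, O7 and avast! O4 lines are copied from the
# HijackThis log in the thread; the [Updater] line is made up for the demo.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\killVBS.vbs",
    r"O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKCU..\Run: [Updater] C:\WINDOWS\system32\wscript.exe C:\WINDOWS\Temp\update.vbs",
    r"O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
]

F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I)
O7_POLICY = re.compile(r"^O7 - .*\\Policies\\System, (\w+)=(\d+)", re.I)
O4_RUN = re.compile(r"^O4 - .*Run: \[([^\]]*)\] (.*)$", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript)\.exe\b", re.I)
# Policies\System values that lock the user out of their own tools (assumed list).
RESTRICTIVE_POLICIES = {"DisableRegedit", "DisableTaskMgr"}


def parse_userinit(value: str) -> list:
    """Winlogon launches every comma-separated entry of Userinit at logon,
    which is why the stock value ends in a trailing comma. Return the entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def is_stock_userinit(entry: str) -> bool:
    """Accept any drive letter / Windows directory; only the file name matters."""
    return entry.lower().endswith(r"\system32\userinit.exe")


def triage_hjt(lines: list) -> list:
    """Return (severity, message) findings for the persistence patterns
    discussed in the thread. Anything not matched is left alone."""
    findings = []
    for line in lines:
        line = line.strip()
        m = F2_USERINIT.match(line)
        if m:
            for entry in parse_userinit(m.group(1)):
                if not is_stock_userinit(entry):
                    findings.append(("high", f"extra Userinit entry runs at every logon: {entry}"))
            continue
        m = O7_POLICY.match(line)
        if m and m.group(1) in RESTRICTIVE_POLICIES and m.group(2) != "0":
            findings.append(("medium", f"policy restriction set: {m.group(1)}={m.group(2)}"))
            continue
        m = O4_RUN.match(line)
        if m and SCRIPT_HOST.search(m.group(2)):
            findings.append(("high", f"script host in Run key [{m.group(1)}]: {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage_hjt(SAMPLE_LOG):
        print(f"{severity:6} {message}")
```

Run it against a saved HJT log with `triage_hjt(open(path).read().splitlines())`. A "high" finding on the F2 line means the fix is two steps in this order: stop the wscript.exe process so the script can no longer rewrite the key, then set Userinit back to `C:\WINDOWS\system32\userinit.exe,` (the value in the O7 line is removed the same way, once nothing is re-applying it). Restoring the value while the script still runs just recreates the situation in the second log.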