My system was detecting some strange virus etc. at random intervals … like for instance the last detection was like 1/2 hour earlier and the one before that was 5/6 days ago, and when it happens … avast keeps detecting this/that (mentioned below) for a brief period of time … I’m using avast free version (latest update). All previous detections (some were detected multiple times):
Then I scanned with avast+Malwarebytes+supertin+rkill+ProcessExplorer+AdwCleaner+BootkitRemoval (Bitdefender)+MBAR (Malwarebytes Anti-Rootkit)+tdsskiller+UVK (Ultra Virus Killer) … and all results the same … nothing found.
Well so like 5 days ago when detections stopped, I thought (hoped) that it’s gone somehow (stupid I know) but anyway … today avast detected again … and I’m not getting this at all … I mean the mentioned AV/security tools above are quite good but they all fail at this … and even Avast can’t seem to detect the cause of this …
I’m no expert on this but from my understanding … something keeps recreating (at random intervals) the files that avast detects … and it’s possibly still in my system (hiding somewhere) … or someone suggested … it could be something like a drive-by virus/something similar.
Whatever it may be … it’s getting into my system passing all security measures … usually I have avast+Malwarebytes+Windows Defender active … and as mentioned previously … avast can detect everything (I think) that this specific virus creates … however neither it nor any of the mentioned security tools can detect the “root” of this issue.
If Avast is correct, it seems you have a file infector …
This is often bad news; depending on how far it has spread or whether Avast is able to hold it back, this often ends with a format C / reinstall.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
BHO-x32: No Name -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> No File
BHO-x32: No Name -> {074C1DC5-9320-4A9A-947D-C042949C6216} -> No File
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO-x32: No Name -> {DA5BCE70-D057-4D63-943D-5F3927EC59F1} -> No File
BHO-x32: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM-x32 - No Name - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - No File
2012-05-05 16:49 - 2012-05-05 16:49 - 0005089 _____ () C:\ProgramData\zjyopzph.wxh
AlternateDataStreams: C:\ProgramData\Microsoft:2UoeFqyreECzLAR8QsFQXn2
AlternateDataStreams: C:\ProgramData\Microsoft:pCeSIRJZiJU7JqQJdh0YNmeg
AlternateDataStreams: C:\Users\MARUF\Cookies:ffxfgs0RQYxOgo4lvR0Yks8Wrc
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
Double click on ComboFix.exe and follow the prompts.
Accept the disclaimer and allow it to update if it asks.
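A follow-up check a helper might run after the FRST fix, added here as an example and not part of the thread or of FRST itself: it lists named alternate data streams on the two folders from the fixlist and reports whether the BHO CLSIDs the fixlist removed are still registered (and whether their DLL exists). It assumes Windows PowerShell 3.0 or later; the paths and CLSIDs are the ones from the FRST entries above.

```powershell
# Added example (not from this thread): after the FRST fix, re-check the two things it
# targeted: named alternate data streams on the listed paths, and whether the BHO
# CLSIDs it removed are still registered. Assumes Windows PowerShell 3.0+ and the
# paths/CLSIDs from the FRST entries above.
$streamRoots = @("$env:ProgramData", "$env:USERPROFILE\Cookies")
$bhoClsids = '{0055C089-8582-441B-A0BF-17B458C2A3A8}', '{074C1DC5-9320-4A9A-947D-C042949C6216}',
             '{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}', '{DA5BCE70-D057-4D63-943D-5F3927EC59F1}',
             '{DBC80044-A445-435b-BC74-9C25C1C588A9}'

# Named streams one level deep (as in the FRST entries), ignoring the default
# $DATA stream and the benign Zone.Identifier mark-of-the-web stream.
function Get-NamedStreams {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $items = @(Get-Item -LiteralPath $root -Force) +
                 @(Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
                Select-Object FileName, Stream, Length
        }
    }
}

# BHO registrations in both the 64-bit and the 32-bit (Wow6432Node) registry views;
# FRST marked these "No File", i.e. the CLSID no longer points at an existing DLL.
function Test-BhoRegistration {
    param([string[]]$Clsids)
    $views = @{ 'x64' = 'HKLM:\SOFTWARE'; 'x32' = 'HKLM:\SOFTWARE\Wow6432Node' }
    foreach ($clsid in $Clsids) {
        foreach ($view in $views.Keys) {
            $base = $views[$view]
            if (-not (Test-Path -LiteralPath "$base\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid")) { continue }
            $inproc = "$base\Classes\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path -LiteralPath $inproc) { (Get-ItemProperty -LiteralPath $inproc).'(default)' }
            [pscustomobject]@{
                View = $view; Clsid = $clsid; Dll = $dll
                DllExists = [bool]($dll -and (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll))))
            }
        }
    }
}

Get-NamedStreams -Roots $streamRoots | Format-Table -AutoSize
Test-BhoRegistration -Clsids $bhoClsids | Format-Table -AutoSize
```

An empty table from both functions means the streams are gone and the orphaned BHO entries are no longer registered; any stream that reappears later is the kind of recreated artifact the thread is trying to trace.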
I ran both programs as you requested and ComboFix displayed the following error, like 4/5 times, before shutting down the OS (auto) … screenshot attached.
I don’t see many changes really … performance-wise.
About the avast detection … it used to happen randomly, as I have mentioned in my first post … the last detection was yesterday and the one before that 5/6 days ago … I suppose we’ll have to wait and see (will keep you guys posted).
BTW do you have any suggestions on how we could recreate the event (avast detection), as in make the virus active? … I really would like to have this thing removed for good.
I have one question though … I have probably not the best security setup but a decent setup, or at least I would like to think so … my question is: how did this virus or whatever it is … get through?
As they are in the public folders, I would assume it is to do with a website you have.
You can scan the folder with Avast and see if they are still there.
Usually when they are auto-generated … avast detects them; right now no detections.
About the website part … just wondering … how is it that avast can detect whatever the website creates within the public directory and yet not the “root” of the problem itself (the script that keeps recreating those files at random intervals)?
Also as I don’t know which site is causing this issue (if in fact it is), how do I prevent this from happening again? Any suggestions?
Might be worth checking the individual website with Zulu zscaler http://zulu.zscaler.com/ to see if it can detect anything. By website I mean ones that you control and update.
The public folders are where you put stuff that is shared between computers and websites. If you manage/own/control a website, that is where you would put stuff.
Yes I manage some sites …
Wait, are you suggesting that it is possibly coming from one of the sites I have admin/FTP/cPanel access to? If yes, how do I figure out which site is causing the issue?
The issue is back again … avast started detecting since last night … it’s flooding the virus chest.
As essexboy mentioned it could be something related to my web access, I cross-examined and created a list of sites that I visited before past issues and this time:
I really need this issue resolved and still no AV or other security tool can detect this thing; only avast seems to be able to detect its auto-generated files … but still can’t detect the root … please help.