Hello, I was running Firefox and it took longer than usual to load the Google homepage. Therefore, I was suspicious of it, so I closed Firefox and tried to restart it. I received an error message that Firefox had not completely closed. I opened the task manager to look for the process and could not find firefox.exe, but I did find GoogleToolbarNotifier. I tried to end the process, and an error message appeared: “operation cannot be performed”. Therefore, I went to my control panel to uninstall GoogleToolbar, which successfully uninstalled. Furthermore, I continued to uninstall unwanted programs and removed Frostbite. Avast popped up and informed me that it had found potential Malware. It asked what action I wanted to take and asked if I wanted to run a bootscan; thus, I cannot recall what the file was called. However, before the computer restarted, I do remember seeing that the deletion of the potential Malware could not be performed. Avast ran a bootscan and found nothing. I became suspicious of this potential Malware, so I went to a Malware removal forum and found reliable Malware detectors. I used TDSSKiller.exe, which found nothing. Therefore, I used Avast Anti-Rootkit, and Malware was again detected.
Regular Avast antivirus scans find nothing. Also, I must inform you that nothing seems to be wrong with my computer. It seems to run fine. However, please explain to me what the results mean and what I need to do (if I need to do anything). Thank you.
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-05 12:10:28
12:10:28.862 OS Version: Windows x64 6.1.7601 Service Pack 1
12:10:28.862 Number of processors: 2 586 0x170A
12:10:28.864 ComputerName: AARONS-PC UserName: Aarons
12:10:29.885 Initialize success
12:10:30.004 AVAST engine defs: 12040500
12:10:43.736 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
12:10:43.741 Disk 0 Vendor: TOSHIBA_MK2555GSX FG002C Size: 238475MB BusType: 11
12:10:43.829 Disk 0 MBR read successfully
12:10:43.833 Disk 0 MBR scan
12:10:43.839 Disk 0 unknown MBR code
12:10:43.853 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 198 MB offset 2048
12:10:43.866 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 226108 MB offset 407552
12:10:43.901 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 12167 MB offset 463476736
12:10:43.953 Disk 0 scanning C:\Windows\system32\drivers
12:10:53.722 Service scanning
12:11:33.953 Modules scanning
12:11:33.967 Disk 0 trace - called modules:
12:11:34.011 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
12:11:34.022 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004c93060]
12:11:34.031 3 CLASSPNP.SYS[fffff8800113043f] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80047b6680]
12:11:34.569 AVAST engine scan C:\Windows
12:11:36.680 AVAST engine scan C:\Windows\system32
12:13:52.580 AVAST engine scan C:\Windows\system32\drivers
12:14:04.537 AVAST engine scan C:\Users\Aarons
12:14:26.927 File: C:\Users\Aarons\AppData\Local\Google\Chrome\Application\18.0.1025.142\Installer\setup.exe INFECTED Win32:Malware-gen
12:19:26.652 AVAST engine scan C:\ProgramData
12:21:18.687 Scan finished successfully
12:21:38.908 Disk 0 MBR has been saved successfully to “C:\Users\Aarons\Documents\MBR.dat”
12:21:38.914 The log file has been saved successfully to “C:\Users\Aarons\Documents\aswMBR.txt”
Also, [b]attach[/b] (do not copy and paste) the logs from the Malwarebytes quick scan and OTL.
You should confirm the detection as I suspect that this may be a false positive on C:\Users\Aarons\AppData\Local\Google\Chrome\Application\18.0.1025.142\Installer\setup.exe, if you downloaded it from a reputable source (google, etc.).
Upload the C:\Users\Aarons\AppData\Local\Google\Chrome\Application\18.0.1025.142\Installer\setup.exe file to VirusTotal - Multi engine on-line virus scanner and report the findings here; post the URL from the address bar of the VT results page. You can’t do this with the file securely in the chest; you need to open the chest, right-click on the file and select ‘Extract’ to a temporary (not original) location first, see below.
Create a folder called Suspect in the [b]C:[/b] drive. Now exclude that folder in the File System Shield: Expert Settings, Exclusions, Add, then type (or copy and paste) C:\Suspect*
That will stop the File System Shield scanning any file you put in that folder.
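As an added example (not part of the original thread or of avast’s instructions), the same check can be done locally before uploading: verify the file’s Authenticode signature chain and compute its SHA-256, which can be searched on VirusTotal instead of uploading the file. The path is the one from the aswMBR log; the script assumes PowerShell 4.0 or later (Windows 7 ships with 2.0, where Get-FileHash does not exist) and that the file has already been extracted from the chest to a location the shield will not touch.

```powershell
# Added example: local signature and hash check for a file an AV engine flagged.
# Path copied from the aswMBR log in the thread; everything else is an assumption.
$file = 'C:\Users\Aarons\AppData\Local\Google\Chrome\Application\18.0.1025.142\Installer\setup.exe'

if (-not (Test-Path -LiteralPath $file)) {
    throw "File not found (still in the virus chest?): $file"
}

# 1. Authenticode check: validates the embedded hash and the certificate chain.
#    Status 'Valid' is the only result that means "signed and unmodified".
#    'HashMismatch' means the file was altered after signing; 'NotSigned' speaks for itself.
$sig = Get-AuthenticodeSignature -FilePath $file
[pscustomobject]@{
    Status     = $sig.Status
    Signer     = $sig.SignerCertificate.Subject
    Issuer     = $sig.SignerCertificate.Issuer
    NotAfter   = $sig.SignerCertificate.NotAfter
    Thumbprint = $sig.SignerCertificate.Thumbprint
} | Format-List

# 2. SHA-256 for a VirusTotal search (no upload needed if VT has seen the file).
$sha256 = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
"SHA256: $sha256"

# 3. Sanity checks that make "it is signed" meaningful: a valid chain is not enough,
#    the subject must also name the publisher you expect for this file.
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)', do not treat this as a clean Google binary."
}
elseif ($sig.SignerCertificate.Subject -notmatch 'CN=Google Inc') {
    Write-Warning "Validly signed, but not by the expected publisher: $($sig.SignerCertificate.Subject)"
}
else {
    "Signature valid and signer is Google Inc; the Win32:Malware-gen hit is consistent with a false positive."
}
```

The same information, plus the MD5/SHA-1 that VirusTotal indexes, comes from Sysinternals `sigcheck.exe -a -h <file>`, which is the tool behind the “Sigcheck” section of a VT report. A valid signature rules out tampering with the file, not a generic detection on a legitimate installer, so the VT result and a re-scan after a definitions update are still the confirmation to post.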
First seen by VirusTotal: 2012-03-28 19:58:33 UTC (1 week, 1 day ago)
Sigcheck:
publisher: Google Inc.
product: Google Chrome
internal name: setup
file version: 18.0.1025.142
signing date: 4:31 AM 3/27/2012
signers: Google Inc; VeriSign Class 3 Code Signing 2010 CA; Class 3 Public Primary Certification Authority
copyright: Copyright (C) 2006-2010 Google Inc. All Rights Reserved.
description: Google Chrome
It’s strange that Avast identifies the file as Malware. Therefore, I hope that everything is okay. I am a bit paranoid knowing that Malware can sometimes run undetected. Are there any further ideas or suggestions? If not, I will do the OTL scan and afterward leave it alone for now, for my laptop doesn’t seem to run terribly. I was just curious to know if I had a serious problem. Thanks
I suspected as much, though it is somewhat of a surprise that even avast doesn’t find anything wrong with it. Ensure that you have the latest virus definitions, then try scanning it again on your system (or, if it is in the virus chest, from within the chest) and see if a recent virus definitions or streaming update has corrected the signature.
I think that you may well have had a hiccup in Firefox; on occasion it doesn’t close completely. Should that happen again, check task manager to see if it still exists and end the process if need be.
I installed the OTL file and tried to run it. Avast claimed it was a suspicious file and terminated it. If, based on what you have seen, there seems to be no threat, I will not fret about it. Take care.
It is a good thing users report back here to get familiar with the scrutiny of the autosandbox. In a lot of cases this means that it alerts in case of doubt, also with totally secure programs that it is not familiar with. I had a couple of “oldies” being “autosandbox-re-interrogated”. Whenever this happens I checked and double-checked and then decided to finally give the tool or programme the all green. Users that cannot decide by themselves should use the sandbox, then ask here, and then, when provided with a response, could give the OK to have it run in a normal fashion.
But whenever there is the slightest doubt, come to the avast support forums and we will be glad to help you as well as we can, and we can provide the necessary feedback to avast. Finally, we should be glad we have this additional protection against the running of probably suspicious or malicious processes with the avast autosandbox.