problem with jthvsend.dat

Hi dear avast community,

Avast found a virus in C:\ProgramData with the name jthvsend.dat and moved it to the virus chest.
My problem is that on the next startup Windows 7 said that jthvsend.dat is missing.
With some serious doubt I restored the file, and nothing happened.

Was that by any means a big mistake?
I'm not sure if that is the problem, but since today videos from YouTube and other sites are not working.
My OS: Win 7 U 64bit with avast free antivirus.
Hope you guys can help me and thanks in advance.

Bagdet

What was the message from avast? What malware name did avast give the file?

Upload jthvsend.dat to www.virustotal.com and test it. If it was scanned before, click "new scan".
Post the link to the scan result here.

Are you sure it is jthvsend.dat?
You really did not make a typo in the name?
Google gives zero results on that filename.

If the name is correct, it is only logical that you get the missing file error.
A .dat file does not run at all; it is something else that is trying to use the file.

thanks for your help!

  1. avast named it Win32:Rootkit-gen [Rtk]

  2. https://www.virustotal.com/en/file/5a6a35b545fca085edb5ddb2e2435f9ade325ecc592e47ecb7c4f048be48260a/analysis/

The VirusTotal link you posted shows a file named lol.exe … and the scan was done 2014-05-08?

That's weird. What's lol.exe?
I just uploaded the file…
Well, I'll try uploading again.

https://www.virustotal.com/en/file/5a6a35b545fca085edb5ddb2e2435f9ade325ecc592e47ecb7c4f048be48260a/analysis/1399716000/

OK, after another avast full scan right now I found two "threats":
one called oem-drv86.sys, severity high, Win32:Rootkit-gen [Rtk],
and the other being jthvsend.dat.

That's weird. What's lol.exe?
It is just a file name… it can be changed to anything by the one who uploads it.

What's important is the SHA256 number you see at the top, telling us that the file in the first link is the same as the one in the second link.

Anyway, it sure looks infected… but all detections seem to be generic/heuristic detections, so the chance of an FP is bigger.

Follow instructions and attach Malwarebytes / OTL / aswMBR logs http://forum.avast.com/index.php?topic=53253.0

Ah OK, I just don't know how to proceed further…
I just did a VirusTotal scan on the other file that was "infected":
https://www.virustotal.com/en/file/55abdf52735ff3086de2eb41cee5cca27e9d596b172443d2cf4e2a1d357a0ca6/analysis/1399717286/

OK, will do that. I have Malwarebytes already though.

OK, done.

Allow Avast to quarantine the file

Warning: this fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  1. Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O4 - HKU\S-1-5-21-1774388504-1158229226-2952920880-1000..\Run: [jthvsend] C:\Windows\SysWow64\regsvr32.exe (Microsoft Corporation)

:Commands
[resethosts]
[emptytemp]
[Reboot]

  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered, and reboot the PC when it is done.
  4. Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
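The O4 line in the fix above is a per-user Run autostart that launches regsvr32.exe, a signed Windows binary, which is why the entry itself looks innocent. As an added example (not from this thread, OTL, or avast), the PowerShell below lists every loaded user's Run entries and flags values that invoke such host binaries, so a helper can spot this pattern before asking for a fix. It assumes an elevated prompt on the affected machine.

```powershell
# Added example: triage per-user Run autostarts (HKU\<SID>\...\Run) and flag
# values that launch a Windows host binary (regsvr32.exe, rundll32.exe, ...),
# the pattern seen in the [jthvsend] O4 entry. Assumes an elevated prompt so
# every loaded hive under HKEY_USERS can be read.
$hostBinaries = @('regsvr32.exe', 'rundll32.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe')

function Get-SuspiciousRunEntries {
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $sid    = $hive.PSChildName
        $runKey = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path -Path $runKey)) { continue }

        $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata the registry provider adds.
            if ($p.Name -like 'PS*') { continue }

            $cmd  = [string]$p.Value
            $hits = @($hostBinaries | Where-Object { $cmd -match [regex]::Escape($_) })

            [pscustomobject]@{
                Sid   = $sid
                Name  = $p.Name
                Value = $cmd
                Flag  = if ($hits.Count -gt 0) { "launches $($hits -join ',')" } else { '' }
            }
        }
    }
}

# Flagged entries first; an entry like [jthvsend] -> regsvr32.exe with no
# DLL argument is worth checking against the OTL/aswMBR logs before removal.
Get-SuspiciousRunEntries | Sort-Object -Property Flag -Descending | Format-Table -AutoSize -Wrap
```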

Just some notes:

Windows 7 and IE 9 :frowning:
System is far from up-to-date.
That already is a major problem/security risk.

Using the system with a user account that has admin rights.
Another huge security risk.

Punkbuster installed.
Most likely without the user knowing it and without approval.

OK, I've done the checkup with OTL.

Should I quarantine oem-drv86.sys too?
https://www.virustotal.com/en/file/55abdf52735ff3086de2eb41cee5cca27e9d596b172443d2cf4e2a1d357a0ca6/analysis/1399717286/

Not overly sure about that, as:

oem-drv64.sys is the filename of a driver running on the Microsoft Windows operating system. This driver belongs in most cases to the product OEM-SLP2.1 ACPI Patch Driver (HPD64) and is developed by the secr9tos company. File version information describes this process as "oem-drv.sys is used to provide SLIC2.1 support for OEM activation of WindowsNT6.1 based systems." The process is in most cases loaded from the directory C:\Windows\System32\DRIVERS.

Is Avast alerting on it? As aswMBR did not call it.

VT file info MD5: 36d6cf1281ccf63a9f49b9795803a3a3

Copyright: Copyright © secr9tos
Publisher: secr9tos
Product: OEM-SLP2.1 ACPI Patch Driver (HPD86)
Original name: oem-drv.sys
Internal name: oem-drv.sys
File version: 1.2.0.4 built by: WinDDK
Description: oem-drv.sys is used to privode SLIC2.1 support for OEM activation of WindowsNT6.1 based systems.

Sorry for late reply…
Avast is alerting on it via full scan.

You can quarantine the file, but then upload it from the chest as a false positive to the virus labs.

How is the computer otherwise?

Guess everything works.
Thank you guys for the help!
Really appreciate it!

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run it weekly to keep your system clean.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave: