[Resolved] Trying to Restore, but not sure

Hello Avast! Tech and evangelist,

I installed Avast! 5 yesterday, removing the 08b7c.tmp malware.
While doing so, the program put Flash.exe into the chest
(original location C:\Program Files\Adobe\Adobe Flash CS4).

I have a doubt that Flash.exe has a virus, since Avast did
not put the other CS4 programs (Dreamweaver, Photoshop, etc., which
are included in the package) into the chest. From the set, I use
Flash the most.

So, I sent the Flash.exe to be analyzed by VirusTotal.com.

http://www.virustotal.com/file-scan/report.html?id=642a613758a4674a08439544cac1b54f6d7f7931a3eb13e4ceb3b73a107a2f33-1284698184#

Antivirus   Version      Last Update   Result
Avast       4.8.1351.0   2010.09.17    Win32:Sality
Avast5      5.0.594.0    2010.09.17    Win32:Sality

MD5 : fff01cc250e9de259bc73d13c57e690f
SHA1 : 28e21e2a84aa5e0a583a4a257c4afdb07a3ae809
SHA256: 642a613758a4674a08439544cac1b54f6d7f7931a3eb13e4ceb3b73a107a2f33
ssdeep: 196608:v0AWXoYtGWWN6SvhVl7HolpizveW1MFtIdfXdR8zFhslf3II4kXh:qWN7Bo6z2W1MFtIdfXdghsSM
File size : 20370792 bytes
First seen: 2010-09-17 04:36:24
Last seen : 2010-09-17 04:36:24

TrID:
Win32 EXE PECompact compressed (generic) (76.8%)
Win32 Executable Generic (15.7%)
Generic Win/DOS Executable (3.7%)
DOS Executable Generic (3.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher: Adobe Systems Incorporated.
copyright: Copyright 1993-2008 Adobe Systems Incorporated. All rights reserved.
product: Adobe Flash CS4
description: Adobe Flash CS4
original name: Flash.exe
internal name: Flash
file version: 10.0.2.566
comments:
signers: -
signing date: -
verified: Unsigned


I do not include the PEInfo (PE structure information) since it's long and contains strings. But if you think it is necessary, I could post it too. Plus, I shortened the list of antivirus results, showing only Avast. The First Seen and Last Seen are the date and time I sent the file for online analysis. So, I am confused. And I cannot work on any Flash file, since upon restoring them, Avast immediately puts another clone file in the chest.

Any advice or help? Thanks.
:wink:

Sality is a nasty thing.
Follow the guide at the start of this thread >> http://forum.avast.com/index.php?topic=53253.0

They usually recommend a format when infected with a file infector, but I am not sure if Sality is as bad as Vitro/Virut;
you can see here: http://forum.avast.com/index.php?topic=63980.0

I will send Essexboy a PM so he can look at this; he usually arrives in the forum late UK time.

I recommend you follow this guide from Essexboy and post the logs:
http://forum.avast.com/index.php?topic=53253.0

To avoid using 20 posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and the MBAM scan log)

Thanks for the replies.

I am doing the MBAM scan now; it will take 2 hr 30 min to complete :stuck_out_tongue:
Then I will attach the files here.

See you soon 8)

The MBAM result is clean. The reports are attached (OTL, Extras, and MBAM).
Extras is in the next reply (max attachment size is 200 KB).
Thanks!

… and the Extras log is attached :slight_smile:

Then Essexboy should be here in about 8-10 hours… :wink:

no problem :slight_smile:

I am not sure whether the information below would help.
Yesterday, using MBAM, 12 Worm.Conficker and 1 Worm.P2P were removed.
And the CPU was working at >90% all the time. And Avast! 5.0, once every hour,
alerted me about a system file trying to broadcast to kukutrustnet777.info.

After the worms were removed, and a force delete of hmcencx.DLL, then a
restart, somehow the CPU got back to normal, <10%, and no more broadcasts
to kukutrustnet777.info. But still I am not sure whether the main malware
was removed. Avast still jails my flash.exe ;D

Dr Web has a good track record against Sality, but the scan and cure can take a few hours.

Download Dr.Web CureIt to the desktop.

[*]Double-click the drweb-cureit.exe file, then on Start, and allow it to run the express scan
[*]This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
[*]Once the short scan has finished, choose the Complete Scan.
[*]Select all drives. A red dot shows which drives have been chosen.
[*]Click the green arrow
http://perplexus.geekstogo.com/drweb_green_arrow.jpg
at the right, and the scan will start.
[*]Click ‘Yes to all’ if it asks if you want to cure/move the file.
[*]When the scan has finished, look and see if you can click the following icon next to the files found:

http://perplexus.geekstogo.com/drweb_check.gif

[*]If so, click it and then click the next icon right below and select Move incurable as you’ll see in next image:

http://perplexus.geekstogo.com/drweb_move.gif

[*]This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
[*]After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
[*]Save the report to your desktop. The report will be called DrWeb.csv
[*]Close Dr.Web Cureit.
[*]Reboot your computer to allow files that were in use to be moved/deleted during reboot.
[*]After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new OTL log.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Hello Essexboy,

Dr.Web CureIt just finished the express scan.
And I clicked Yes to cure the 13 files alarmed by it, and they are cured.
Not complaining, but the express scan took 5 hrs and some minutes ;D

Plus, right before Dr.Web CureIt was about to finish the express scan, it detected
that the Windows HOSTS file had an IP address altered. It asked whether
I wanted to restore the original and save the altered file, and I clicked YES.

A few seconds later, a blue screen showed some Windows explanation, which I had
not read, and the laptop restarted by itself.

I checked that there are only 2 files in C:\Users\User\DoctorWeb\Quarantine:
description.ion and hosts.

I cut and pasted the report from CureIt.txt (35,991 KB) :o the biggest txt file
I have seen :smiley: And I attached the summary. Plus the OTL log. I will run OTL
again after the next scan.

Now I will do the COMPLETE SCAN, and I will post the result after it has finished.

BTW, what about the FLASH.EXE file that is put inside the Avast! chest? I don't see
that Dr.Web CureIt scanned it. Any input?

Thanks for keeping up with me!

The Avast chest is a protected area (encrypted content), so I wouldn't expect Dr.Web to be able to scan it.

The rest, I'm afraid, you will have to await Essexboy's return for.

Good news: it is Sality and not Virut. The bad news: you will need to do the full scan to cure all files and, as you know, that will take a while.

I will leave the analysis of the OTL log until Dr Web has completed, so if you could do a fresh OTL run on completion, please.

:stuck_out_tongue: Some 17 hr for the full scan :slight_smile:
Happy that it's over.

I attached the summary of the full scan; I cut and pasted the cured items.

FYI, before doing the full scan, I moved a restored Flash.EXE to a
folder C:/SUSPECT, and it was included in the Dr.Web CureIt full scan.

Thanks for reviewing all these logs and giving updates and inputs.
Just let me know what to do next.

And here is the OTL log after the full scan.

Infected: 425. It could have been worse. It looks like the infection came from a flash drive. Once these runs are done (fast ones this time), could you let me know of any problems you are having?

First we will clear the infected restore points

To manually create a new Restore Point
[*]Go to Control Panel and select System and Maintenance
[*]Select System
[*]On the left select Advanced System Settings and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create
Now we can purge the infected ones

[*]Go back to the System and Maintenance page
[*]Select Performance Information and Tools
[*]On the left select Open Disk Cleanup
[*]Select Files from all users and accept the warning if you get one
[*]In the drop down box select your main drive i.e. C
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete
You are now done

THEN

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No CLSID value found.
O33 - MountPoints2\{b2844106-2dcf-11df-a77f-001e33c70f70}\Shell\AutoRun\command - "" = F:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe -- File not found
O33 - MountPoints2\{b2844106-2dcf-11df-a77f-001e33c70f70}\Shell\open\command - "" = F:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe -- File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

FINALLY

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double-click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
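As an added illustration, not part of this thread or of OTL itself, here is a small Python parser for the O33 MountPoints2 lines in an OTL log like the one above. It pulls out the drive GUID, shell verb and command from each entry and attaches the reasons a helper would look at it (RECYCLER path, non-system drive, orphaned "File not found" target). The sample log is constructed: it reuses the two O33 lines from the fix above plus made-up E: and C: entries.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two O33 lines from the OTL fix above, one made-up
# E: entry, one made-up benign C: entry, and an unrelated O3 line to be skipped.
SAMPLE_OTL = r'''
O33 - MountPoints2\{b2844106-2dcf-11df-a77f-001e33c70f70}\Shell\AutoRun\command - "" = F:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe -- File not found
O33 - MountPoints2\{b2844106-2dcf-11df-a77f-001e33c70f70}\Shell\open\command - "" = F:\RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe -- File not found
O33 - MountPoints2\{11111111-2222-4333-8444-555555555555}\Shell\AutoRun\command - "" = E:\setup.exe
O33 - MountPoints2\{22222222-3333-4444-8555-666666666666}\Shell\open\command - "" = C:\Program Files\Example Vendor\launcher.exe
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {06E58E5E-F8CB-4049-991E-A41C03BD419E} - No CLSID value found.
'''

# One OTL O33 line: MountPoints2\{guid}\Shell\<verb>\command - "<name>" = <cmd> [-- <status>]
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[0-9A-Fa-f-]+\})\\Shell\\(?P<verb>[^\\]+)\\command'
    r' - "(?P<name>[^"]*)" = (?P<cmd>.*?)(?: -- (?P<status>.*))?$')

@dataclass
class MountPoint:
    guid: str
    verb: str
    command: str
    status: str
    reasons: list = field(default_factory=list)

def parse_o33(text):
    """Return every O33 MountPoints2 entry in an OTL log; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = O33_RE.match(line.strip())
        if m:
            out.append(MountPoint(m['guid'], m['verb'], m['cmd'], m['status'] or ''))
    return out

def flag(entry):
    """Attach plain-language reasons an entry deserves a look; empty list = nothing odd."""
    cmd = entry.command.upper()
    if '\\RECYCLER\\' in cmd:
        entry.reasons.append('runs an executable hidden in a RECYCLER folder')
    if not cmd.startswith('C:\\'):
        entry.reasons.append('target lives on a non-system drive (removable media?)')
    if entry.status.startswith('File not found'):
        entry.reasons.append('target is gone: orphaned entry left by a cleaned drive')
    return entry

def suspicious_mountpoints(text):
    """Parse an OTL log and return only the entries with at least one reason."""
    return [e for e in map(flag, parse_o33(text)) if e.reasons]
```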

I will do your instructions shortly.

FYI, a few days ago, I found a RECYCLER folder on my USB flash disk.
I had it 'force removed' already. It's gone.

The result of the OTL Custom Scans/Fixes (with Run Fix) is in the 09212010_131603.txt file.
After a reboot, I ran Quick Scan, producing an OTL.txt log.

MBAM has completed the scan and detected 0. I attach the log too.

Thanks :smiley:

You should not use that flash drive on any machine again.

In addition, you should disable autorun.inf with something like Panda USB Vaccine - Antimalware and Vaccine for USB devices:
http://www.pandasecurity.com/homeusers/downloads/usbvaccine/.

It will ask you if you want to vaccinate your machine, which means disable autorun.inf; say "yes/OK."

Then it will ask you if you want to vaccinate a NEW flash drive (do not use the old/infected one) or all new ones inserted into your machine (in case you forget).

It is simple software to protect you, and if you someday want to enable autorun.inf, all you have to do is unclick the box.

Hi SafeSurf,

Thanks for the info. I haven't used that infected USB flash drive since.
Before performing the above scanning and fixing instructed by Essexboy,
I successfully 'force' deleted the hidden virus file and the directory.
And there are only 2 Imation files inside the flash drive, like it was
before.

So do you think the flash drive is still not clean? If so, I could use
my second laptop, which has been reformatted since I upgraded the OS
to Win7 and has no other software yet, to format the flash drive. Then,
for security, I could just reformat my 2nd laptop :stuck_out_tongue: Is this OK?

I am new at flash drive protection.

Is there something you need to do with the flash drive prior to Essexboy returning? If so, the Panda USB Vaccine will not erase anything on it, nor will it harm your machine, so it is safe to use.

If you feel more comfortable, you can certainly wait until Essexboy returns for his take on it since he has been involved in your malware removal.