An Avast! notifier popped up saying it had detected malware on my system, and making suggestions on how to handle it.
Before I could read it properly, I hit a key accidentally, and the window disappeared. How do I get it back?
What is the infected file name, and where was it found, e.g. C:\windows\system32\infected-file-name.xxx ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.
Most importantly, having accidentally hit a key, what key might that have been? The usual default highlighted option is Move to Chest. If you did that then the file will be residing in the avast chest.
Thanks. The log shows
04/12/2009 10:33:42 SYSTEM 1588 Sign of “Win32:Alureon-EM [Rtk]” has been found in “C:\WINDOWS\system32\drivers\iastor.sys” file.
That file is not in the chest. Should I put it there?
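The entry quoted above has a fixed one-line layout (date, time, user, process id, then a "Sign of ... has been found in ... file." sentence). The following is an added example, not code from the thread or from avast, of parsing such Warning.log lines so a detection on a boot-critical driver can be held for confirmation rather than quarantined on the spot. The sample log lines other than the quoted entry, the BOOT_CRITICAL_DIRS list and the triage labels are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Curly quotes (as rendered on the forum) or straight ASCII quotes.
_Q = '[\u201c\u201d"]'
_NOT_Q = '[^\u201c\u201d"]+'

# Layout of the one-line entry quoted in the thread:
#   <date> <time> <user> <pid> Sign of "<signature>" has been found in "<path>" file.
_LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of ' + _Q + r'(?P<signature>' + _NOT_Q + r')' + _Q +
    r' has been found in ' + _Q + r'(?P<path>' + _NOT_Q + r')' + _Q +
    r' file\.\s*$'
)

# Directories where quarantining a file is likely to leave Windows unbootable.
# Constructed, illustrative list (not an avast setting).
BOOT_CRITICAL_DIRS = (
    'c:\\windows\\system32\\drivers\\',
)


@dataclass
class Detection:
    date: str
    time: str
    user: str
    pid: int
    signature: str
    path: str

    @property
    def boot_critical(self) -> bool:
        """True when the flagged file lives in a boot-critical directory."""
        return self.path.lower().startswith(BOOT_CRITICAL_DIRS)

    @property
    def rootkit_tagged(self) -> bool:
        """The [Rtk] suffix in the thread's detection name marks a rootkit family."""
        return '[Rtk]' in self.signature


def parse_line(line: str) -> Optional[Detection]:
    """Parse one Warning.log entry; return None for lines in another layout."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return Detection(
        date=m['date'], time=m['time'], user=m['user'], pid=int(m['pid']),
        signature=m['signature'], path=m['path'],
    )


def parse_log(text: str) -> List[Detection]:
    """Parse every recognisable entry in the log text, skipping the rest."""
    found = []
    for line in text.splitlines():
        d = parse_line(line)
        if d is not None:
            found.append(d)
    return found


def triage(d: Detection) -> str:
    """Recommend a handling step before acting on the alert.

    A detection on a file in a boot-critical directory is held for
    confirmation (fresh multi-engine scan, vendor submission) because
    moving such a file to the chest can stop the system from booting.
    """
    if d.boot_critical:
        return 'confirm-before-quarantine'
    return 'quarantine'


# Constructed sample log: the entry quoted in the thread, one made-up entry
# on a temp file, and one made-up line in a different layout.
SAMPLE_LOG = (
    '04/12/2009 10:33:42 SYSTEM 1588 Sign of \u201cWin32:Alureon-EM [Rtk]\u201d '
    'has been found in \u201cC:\\WINDOWS\\system32\\drivers\\iastor.sys\u201d file.\n'
    '04/12/2009 11:02:07 SYSTEM 1588 Sign of "Win32:Example-Test" '
    'has been found in "C:\\Documents and Settings\\user\\Local Settings\\Temp\\setup.tmp" file.\n'
    '04/12/2009 11:05:00 SYSTEM 1588 Scan of C:\\ finished.\n'
)

if __name__ == '__main__':
    for det in parse_log(SAMPLE_LOG):
        print(f'{det.date} {det.time} {det.signature!r} -> {det.path}: {triage(det)}')
```

Run against a real Warning.log the script only needs the file contents passed to parse_log; the regex is deliberately strict, so entries written in another layout come back as None rather than being half-parsed.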
I don’t know what might have been the detection method as you didn’t hang around to gather information, which is invaluable in helping us to help you.
So I think it is possible that this might have been the anti-rootkit scan 8 minutes after boot, does this time frame after boot roughly coincide with the alert ?
Did the alert text look like this (excluding the colour I used to highlight) ? - “A suspicious file has been detected (using a heuristic method). This may be a sign of malware infection. Please allow the file to be submitted to our virus lab for analysis.”. Also see image below, did that match ?
This one, if the detection is correct (see ~~~~ below), is a right royal pain in the rear as it is a rootkit, which, if established, is difficult to get rid of.
This file is also related to iaStor.sys, the Intel Matrix Storage Manager driver - ia32, so does that ring any bells ?
See http://www.file.net/process/iastor.sys.html.
If it is an anti-rootkit alert the main thing is that it is saying it is Suspicious, not confirmed, so it should be sent to avast for further analysis. So for the time being the option would be Ignore (the default option) until confirmed. If this really was a Win32:Alureon-EM [Rtk] detection I believe you would be seeing much more activity, so it needs further investigation…
You could also check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here, i.e. the URL in the Address bar of the VT results page.
I don’t believe that was the text I saw. It was something along the lines of “Malware has been detected on your system, but don’t panic. Follow the suggestions given to isolate the problem.” I didn’t see anything about posting the file for further analysis.
VirusTotal doesn’t find anything in the file.
Thanks for your help
The alert has reappeared.
The infection is Win32:Alureon-EM rootkit as you suspected, and the recommended action was “move to chest”, which I’ve now done.
OK, now it’s in the chest where it can do no harm, but this particular rootkit family Win32:Alureon has proven to be very tough to remove in the past, and to see it roll over so easily makes me wonder about the detection.
Given what I said earlier this file name is a legit file name (which means nothing, it can be faked) so you need to confirm the detection.
So when you uploaded it to virustotal, didn’t even avast detect it?
This would be strange and leads me to think that you just got a message this file has been previously scanned (or words to that effect) and you should always have it rescanned for the latest results. That is one reason I asked for the URL link of the results of the scan.
This is important as you don’t want what may be an important file in the chest or worse still deleted (which fortunately you didn’t do).
If a fresh VT scan doesn't find anything then as I first suspected it might be a false positive detection (and this is what all this palaver is about) as the Alureon rootkit isn't this easy to detect or remove. So any false positive needs to be reported and corrected.
Unfortunately, since I quarantined the file, I haven’t been able to boot the machine. It blue-screens with the “Windows has detected a problem and is shutting down to avoid damaging your system” message.
I’m trying to find my installation disks to recover it, or maybe get it from the Dell website.
Isn’t computing fun!
Yes you will need the installation/recovery disks to recover it, unfortunately that could also set you back to factory installation.
I believe this could possibly be the same problem even in safe mode, but you can try it and see if you can boot that way. If so you may be able to back-up some of your important data files before implementing any factory restore/installation disk actions.
Unfortunately even in safe mode you won’t be able to access the chest to try and restore the file, as Windows safe mode stops many drivers/services from running, and that stops you being able to get into the chest to restore the file.