The Rootkit Blues -- {{RESOLVED}}

So, for the last 6 years or so, neither of my 2 computers had ever gotten a Malware infection.
All of a sudden, I’ve gotten a Malware Buffet.
What is the difference? What changed? Well, it could be coincidence and at this point it is circumstantial evidence, but I MIGHT be getting the Malware from my sister’s computer. We had never E-mailed before. But, she recently moved to another country and thus has been sending photos, which I of course download. The timing of when I started downloading her photos sure does correspond with when the Malware began.

Anyway, on Saturday, avast found and removed a Rootkit.
On Sunday, SUPERAnti-Spyware Portable found 6 Trojans, which I quarantined.
Yesterday avast again found another Rootkit, which I removed … or so I think.
The subsequent Boot Time Scan indicated ZERO Files infected after that.
I then also did a Quick Scan and that too indicated ZERO infections … NO THREATS FOUND.

Today I’m gonna refrain from downloading any photos from my sister.
I’ll perform another avast Scan this evening to see whether another Rootkit has manifested itself.
If I have the time, I’ll also perform another SAS Scan.
MBAM has NOT found anything on 2 occasions during these last couple of days.

Sooo, is there some super duper great Rootkit Scanner / Remover that I should try?

Numbers are worthless as they tell us nothing, so when you say avast detected a rootkit and SAS detected X, we need to know the file names, locations and malware name for the detections. This gives us a better understanding of what is going on.

Also, what scan was it that avast found the rootkit on?

The 2 Rootkits were removed, so obviously I can no longer provide the PATHs of where they were.

As to the 6 Trojans quarantined by SAS Portable?
I tried to find the quarantine area in SAS Portable yesterday, but couldn’t find it.
Can you tell me how I can get to the quarantine area in SAS Portable? I still have it on my Desktop. So, if you can tell me how I can get to that quarantine area, I can at least post here those Trojan PATHs.

If avast again finds a Rootkit this evening, I’ll note down the PATH.

As to the Scan on which avast found the 2 Rootkits?
That was on manual Full Scans.

The 6 Trojans that SAS found were also on Full Scans.

I don’t use SAS Portable, so I can’t say. In the normal version of SAS 5.0 it is under Manage Quarantine. I’m at a loss as to why you use SAS Portable as you have to constantly download the full program to update it.

Look in the avast logs (avastUI > Scan Computer > Scan Logs) and look for the Full System Scans. Or if you sent them to the chest, look there, as the file properties will show the file name and location.

What the … ? Hmmm??? Well, that’s weird.
I went and checked in the avast Scan Logs as you suggested.
Yesterday’s 3 Scans ARE listed there …
The initial Full Scan that I started.
The subsequent Boot Time Scan that ran in its entirety.
And the Quick Scan that I ran in its entirety at the very end.

They ALL 3 indicate “No Virus Found.”
How can that be? The initial Full Scan found the Rootkit at around the 25% or so mark of the Scan. Why would that NOT be reflected in the Scan Log?
Could it be the Full Scan is indicating “No Virus Found” because it never actually finished the Scan? After all, upon having found the Rootkit, I did as prompted and allowed the process to at that point shift into initiating a Boot Time Scan. Still, I would think the Scan Log should reflect the Rootkit that was found.

As to why I use SAS Portable? My Hard Drive is only 10 Gig.
Whatever Apps I can have on my Flash Drive as Portable Apps, I do so.
I’m getting closer to getting my other computer up and running.
I think that one has a 40 Gig Hard Drive.

Sooo, is there some super duper great Rootkit Scanner / Remover that I should try?
Yepp.... it is called Essexboy ;D

Yeah, Pondus, that certainly crossed my mind yesterday.
I didn’t rule out that it might get to that point.
That or a Windows Reinstall.

But, seriously, isn’t there some safe, specialized App that does a good job of seeking out and removing Rootkits?

Or just see Essexboy's guide here http://forum.avast.com/index.php?topic=53253.0

Grrrrr! This gets more mysterious.
I did now find the SAS Portable Manage Quarantine area.
Well, instead of the 6 Trojans being in there … it’s empty.
Who knows? Maybe SAS Portable doesn’t actually quarantine Malware it finds.
Maybe it just deletes it.

I would forget about SAS-P and concentrate on essexboy’s tools. :wink:

I just downloaded aswMBR.
I’m about to go run it.

It’s just about time to eat here. ;D
So, it’ll probably be after lunch when I post the results of the Scan.

As requested, here is my aswMBR Log.
I’m NOT seeing anything blaring and screaming RED ALERT.
Then again, I don’t remotely know what’s going on.
Hopefully you all see something that points to the solution to my Rootkit Blues.

NOTE: On the 3rd line from the bottom, I edited the end of the PATH with Asterisks so as to conceal a person’s name.

FYI, this was the Quick Scan.

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-06 14:12:32

14:12:32.029 OS Version: Windows 5.1.2600 Service Pack 3
14:12:32.029 Number of processors: 1 586 0x803
14:12:32.039 ComputerName: GRYPHON UserName:
14:12:36.686 Initialize success
14:12:40.211 AVAST engine defs: 11090600
14:13:09.042 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
14:13:09.052 Disk 0 Vendor: ST310212A 3.02 Size: 9768MB BusType: 3
14:13:11.075 Disk 0 MBR read successfully
14:13:11.075 Disk 0 MBR scan
14:13:11.245 Disk 0 Windows XP default MBR code
14:13:11.265 Disk 0 scanning sectors +19988640
14:13:11.436 Disk 0 scanning C:\WINDOWS\system32\drivers
14:13:45.324 Service scanning
14:13:48.809 Modules scanning
14:14:09.409 Disk 0 trace - called modules:
14:14:09.449 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
14:14:09.459 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x81afa030]
14:14:09.459 3 CLASSPNP.SYS[f92a1fd7] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x81b153e8]
14:14:09.749 AVAST engine scan C:\WINDOWS
14:14:26.313 AVAST engine scan C:\WINDOWS\system32
14:19:05.565 AVAST engine scan C:\WINDOWS\system32\drivers
14:19:47.615 AVAST engine scan C:\Documents and Settings***** *********
14:23:14.132 AVAST engine scan C:\Documents and Settings\All Users
14:23:57.194 Scan finished successfully
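The aswMBR log above is read by eye in the thread. As an added example (not aswMBR's own code, nor anything from the avast forum), here is a small Python triage script that pulls the MBR status, the disk I/O call trace and the completion line out of a log in that format and flags the things a responder would look at first: a non-stock MBR, a module in the disk path that is not part of the expected storage stack, an unfinished scan, and any line containing a detection keyword. The allowlist of expected modules is an assumption built from the clean log posted here, and the embedded sample log is a constructed abbreviation of it.

```python
"""Triage an aswMBR text log (added example; not aswMBR's own code)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the same layout as the log posted in this thread.
SAMPLE_LOG = """aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-06 14:12:32

14:12:32.029 OS Version: Windows 5.1.2600 Service Pack 3
14:13:09.042 Disk 0 (boot) \\Device\\Harddisk0\\DR0 -> \\Device\\Ide\\IdeDeviceP0T0L0-3
14:13:11.075 Disk 0 MBR read successfully
14:13:11.245 Disk 0 Windows XP default MBR code
14:14:09.409 Disk 0 trace - called modules:
14:14:09.449 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
14:23:57.194 Scan finished successfully
"""

# Every aswMBR event line starts with a millisecond timestamp; header lines do not.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3})\s+(.*)$")

# Assumption for this example: modules normally present in an XP IDE disk I/O path,
# taken from the clean log above plus the usual PnP/bus drivers. Not an aswMBR list.
EXPECTED_MODULES = {
    "ntoskrnl.exe", "hal.dll", "classpnp.sys", "disk.sys", "partmgr.sys",
    "atapi.sys", "intelide.sys", "pciidex.sys", "pci.sys", "acpi.sys",
}
# Words that, if they appear on any event line, deserve a manual look.
SUSPECT_WORDS = ("infected", "suspicious", "hidden", "rootkit", "malware")


@dataclass
class AswMbrReport:
    os_version: str = ""
    mbr_code: str = ""                                 # the "... MBR code" line, verbatim
    called_modules: list = field(default_factory=list)  # drivers in the disk call trace
    finished: bool = False
    flagged_lines: list = field(default_factory=list)


def parse_aswmbr(text):
    """Extract the fields triage needs from aswMBR log text."""
    rep = AswMbrReport()
    expect_modules = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, run date and blank lines carry no timestamp
        msg = m.group(2)
        if expect_modules:
            # The line after "called modules:" is the space-separated module list.
            rep.called_modules = msg.split()
            expect_modules = False
        elif msg.startswith("OS Version:"):
            rep.os_version = msg[len("OS Version:"):].strip()
        elif "MBR code" in msg:
            rep.mbr_code = msg
        elif msg.endswith("called modules:"):
            expect_modules = True
        elif msg.startswith("Scan finished successfully"):
            rep.finished = True
        if any(w in msg.lower() for w in SUSPECT_WORDS):
            rep.flagged_lines.append(msg)
    return rep


def triage(rep):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    findings = []
    if not rep.mbr_code:
        findings.append("no MBR code line: the boot sector was not assessed")
    elif "default MBR code" not in rep.mbr_code:
        findings.append("MBR code is not the stock OS loader: " + rep.mbr_code)
    unexpected = [mod for mod in rep.called_modules if mod.lower() not in EXPECTED_MODULES]
    if unexpected:
        findings.append("unexpected module(s) in the disk I/O path: " + ", ".join(unexpected))
    if not rep.finished:
        findings.append("log has no 'Scan finished successfully' line")
    for line in rep.flagged_lines:
        findings.append("keyword hit: " + line)
    return findings


if __name__ == "__main__":
    report = parse_aswmbr(SAMPLE_LOG)
    print("OS:", report.os_version)
    for finding in triage(report) or ["no findings: stock MBR and expected disk stack"]:
        print(finding)
```

Run it against a saved aswMBR log by reading the file into `parse_aswmbr`. The module allowlist is the part to tune per machine: a SCSI or AHCI box will legitimately show different bus drivers, so a hit there means "look it up", not "infected".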

Here are my OTL and Extras Logs.

Addendum:

Last night I ran a Full avast Scan and a Full MBAM Scan.
They both indicated No Files Infected … NO THREATS FOUND.

This time I did NOT get an avast Alert Popup indicating any Rootkits found.

FYI … the avast Full Scan was with the latest avast 6.0.1289.

This evening I’ll run a Full SAS Scan.

Beyond that … I’ll just wait and see what Essexboy finds in my aswMBR and OTL Txt & Extras Logs that I posted / attached in this thread.

The only thing I can see is that system restore is disabled - did you do that?

Are you having any problems?

Hmmm??? The System Restore is disabled?
I went and checked and it indicated – Monitoring.
Granted, I DO periodically disable it and then re-enable it so as to regain some Hard Drive Space.
Remember … I only have a 10 Gig Hard Drive.
I can’t say for sure, but I guess it’s possible that when I ran that OTL Scan, it MIGHT have been disabled. But, by now I could only speculate. But, yeah, currently it IS enabled and monitoring.

Anyway, sooo, you don’t really see anything wrong, Eh?
I already mentioned that last night an avast Full Scan and an MBAM Full Scan gave my system a 2 Thumbs Up CLEAN bill of health. Today I ran a SAS Full Scan. It too indicated that my system was now clean.

I guess with avast finding and removing a Rootkit on Saturday and another one on Monday … and SAS Portable finding and removing 6 Trojans on Sunday … that must have done the trick. After having encountered the 2nd Rootkit, I was worried that it was going to start regenerating itself everyday. :o

Question: Since I ran that OTL Scan, do I now have to Double Click on that OTL Icon again and click on the Cleanup Button? Or is that only for when any actual Fixing / Cleaning was done by OTL?

Anyway, as to any problems? Well, sorta, but they’re probably Windows-related or AOL-related.
Really the biggest problem that’s been bugging me, and one I didn’t use to encounter in the past, is that now AOL Log Offs more often than not take forever or cause an outright Lock Up and I have to stop the AOL waol process to exit. What helps is if I don’t log off AOL too soon after exiting Opera Browser. If I exit Opera and just give it plenty of time before logging off AOL, I stand a better chance of having a normal AOL Log Off. It didn’t used to be that critical before.

It’s more likely to be some Windows XP File corrupt because I already did reinstall AOL recently to try to fix this problem. Or maybe it could be because Windows XP has too little Free Hard Drive Space in which to maneuver what with my 10 Gig Hard Drive. But, like I mentioned in this thread somewhere, I THINK I’m getting closer to getting my other computer fired up. That one does have wayyy plenty more RAM and wayyy more Hard Drive Space.

That sounds more like a memory/fragmentation/processor problem. Yep, run OTL and hit the cleanup button.

I always keep my Hard Drive Defragged.
So yeah, certainly having only 256 Meg of RAM doesn’t help. ;D

Anyway …
Thanks a lot for the analysis of my logs and for confirming there was nothing nefarious lurking in my system, Essexboy! :slight_smile:

I’ll go perform the OTL Cleanup and change the 1st comment in this thread to “RESOLVED.”