On my friend's computer this keeps happening at startup; her system is Windows Vista. The following displays appear in the presented order:
1st: ???
Avast warning - win32: trojan-gen
Deleting only keeps it coming back, so Move to chest.
At the same time:
Windows defender warning - win32/Vundo.gen!C
Remove All.
2nd: As I press move to chest… :-\
avast warning - win32: Tiny - II
Once again deleting only keeps it coming back, so Move to chest.
3rd: Again as I press move to chest… :-X
avast warning - win32: Agent-ZIM
4th: and again this one reappears… :
avast warning - win32: Tiny - II
Move to chest.
5th: warnings stop and the computer runs ok. :o
Windows defender says everything's ok after scanning. All updates are done.
After scanning avast also says the same thing. All updates are done, the version is: 4.8.1296
Spybot found these three which were removed: Smithfraud-C ; Virtumonde.prx ; Virtumonde.
I don’t doubt the warnings are real, it has to be detecting on a file and location and you don’t say what they are. You also say it keeps coming back even if moved to the chest, so there is most certainly suspicious activity in recreating these files and win defender isn’t finding that.
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall ?
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
Yes looks like much of it came in bursts (in January and early February), probably from visiting a hacked/malicious site.
Provided she let avast send them to the chest it is a good start. She should empty her Temporary Internet Files and remove cookies also.
Does she have a firewall, if so what is it ?
She should also run both the above programs (from safe mode) as a matter of priority.
I think the difference is obvious (but I would): deletion is final/terminal/history/gone to the digital bit bucket/is no more, whereas sending it to the chest (quarantine) gives you future options, where deletion gives none.
I think you should however, create your own topic so as not to confuse this one, helping two people (one through a third party) is just too complex.
stupid question, but - how do I see what’s her firewall? she only has Spybot, but I’ll help her install the other two tomorrow. I’ll report to you later. oh and must we uninstall spybot before?
The windows firewall is very basic (see below) and doesn’t have additional functionality, other than inbound internet protection. Where other firewalls provide outbound protection and also behavioural blocking, e.g. blocking what it thinks is not normal.
OK, the logs look good. SAS detected and removed two files; the tracking cookies I haven't counted as they really aren't a serious issue, more a minor privacy but not security issue.
MBAM detected one of the same files (in memory), but was able to also unload them from memory and clean the registry entries for them.
So it looks like you are good to go.
Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
There are many freeware firewalls such as Comodo (care required now it is a suite not to install the anti-virus element), PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trial ware and is also crippled as far as outbound protection goes. In the Program Control configuration area, the slider will only go as far as Medium protection; if you want more you have to buy the Pro version.
My concerns are that your friend may not be able to handle a complex firewall as in the early days after installation, it asks a lot of questions about should this process be allowed internet access. This up to a point requires a little knowledge so ideally you need a firewall which is more user friendly, zone alarm does make many of the decisions for the user (but my reservations above).
Comodo can feel somewhat intimidating to inexperienced users, the PC Tools one seems to be a little more user friendly.
She should also run both the above programs (from safe mode) as a matter of priority.
I forgot to tell you this wasn't possible; Vista said it didn't find the program to run. So we did it in normal mode, and everything went ok.
My concerns are that your friend may not be able to handle a complex firewall
well, you're right. She's not capable of taking any decisions or actions when it comes to her comp security… >:( she doesn't even scan pen drives… she was about to format her pc again but I told her to wait and try something else, but then I had to do everything. She doesn't understand that it depends a lot on our behaviour and attention when we're using the internet :-\ I'll set up something simple.
:o anyway now I’m a bit worried… I only have windows protection also when it comes to the firewall :-[ … I’ll check out the topic you suggested and I’ll choose one for me.
thanks for all your help one more problem solved 8)
This should help to immunise usb flash drives to help combat their becoming infected.
Flash Drive Disinfector
Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
[*] Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
[*] The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
[*] Wait until it has finished scanning and then exit the program.
[*] Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder… it will help protect your drives from future infection.
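For the autorun.inf folder trick described in the note above, here is an added PowerShell example written for this page (it is not the Flash_Disinfector tool by sUBs): it creates the protective hidden folder on every removable drive and reports any drive that already carries an autorun.inf file, which is a sign that drive should be scanned first. The WMI drive-type query and the returned status strings are the script's own assumptions.

```powershell
# Added illustration, not the sUBs tool. Immunise removable drives against
# autorun.inf abuse: a folder named autorun.inf in the drive root stops malware
# creating a same-named file there, so an infected PC cannot plant an autorun
# entry on the stick. Drives that already hold an autorun.inf FILE are reported,
# not touched, so the owner can scan them before deciding what to do.

function Protect-RemovableDrive {
    param([Parameter(Mandatory=$true)][string]$Root)   # e.g. 'E:\'

    $target = Join-Path $Root 'autorun.inf'

    if (Test-Path -LiteralPath $target -PathType Leaf) {
        # An autorun.inf file is present: report it rather than deleting it blindly.
        return New-Object psobject -Property @{
            Drive = $Root; State = 'autorun.inf FILE present - scan this drive' }
    }

    if (-not (Test-Path -LiteralPath $target -PathType Container)) {
        $dir = New-Item -ItemType Directory -Path $target
        # Hidden + System + ReadOnly: blocks creation of a file of the same name
        # and keeps the folder out of Explorer's default view, like the tool does.
        $dir.Attributes = [IO.FileAttributes]::Hidden -bor `
                          [IO.FileAttributes]::System -bor `
                          [IO.FileAttributes]::ReadOnly
        return New-Object psobject -Property @{
            Drive = $Root; State = 'immunised (autorun.inf folder created)' }
    }

    return New-Object psobject -Property @{ Drive = $Root; State = 'already immunised' }
}

# DriveType 2 = removable media (USB flash drives, card readers).
# Size -gt 0 skips empty card-reader slots that report a letter but no media.
$removable = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' |
             Where-Object { $_.Size -gt 0 }

foreach ($d in $removable) {
    Protect-RemovableDrive -Root ($d.DeviceID + '\')
}
```

The folder only prevents the autorun.inf file from being written; it does not remove malware already on the stick, so run the anti-malware scan over any drive the script reports as carrying an autorun.inf file.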