So I was browsing through forums when suddenly my avast alert went crazy. I then did a smart scan and it came up with 5800+ infected files. I freaked out and noticed that most, if not nearly all, of my programs don’t open anymore (most likely because avast thought they are infected files and put them in quarantine). Currently I have avast shields disabled in order to open Internet Explorer. PLEASE HELP!!!
- Put your shields back on, as now you are surfing naked in a sea of malware ready to bite you.
- Open the Avast GUI > Settings > change the maximum size of the Virus Chest to zero > click OK.
- Check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
- Download free http://www.malwarebytes.org/ for an on-demand scanner.
- Double-click mbam-setup.exe to install the application.
- After install, click Update so you have the latest database before scanning.
- Under Settings:
  - General: Automatically Save File After Scan Completes is checked off
  - Scanner Settings: Check all boxes
  - Updater: Download and install update if available is checked off
- Once the program has loaded, select “Perform FULL Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note.)
- Click the “Remove Selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.
Just as I turned my avast shields back on, the popup thing started once again and went crazy, saying “malware blocked”, but some of them include the software you told me to download, “malwarebytes”. I’m doing the scan as we speak. Should I run another avast full scan and have everything it says is dangerous to my computer quarantined first?
No, give me the MBAM log first. If you have difficulty, you can do this in Safe Mode as well. Just make sure you updated MBAM prior to doing the scan.
With those kinds of numbers it sounds like you have been hit by a file infector.
Try this tool - DrWeb CureIt! - See http://www.freedrweb.com/cureit/ - Download ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe (Free). Fairly effective against file infectors, Virut (infects .exe, .scr, .mp3 & .wmv), more so when used in safe mode. DrWeb also does a Live CD if you are unable to get into your system, see http://www.freedrweb.com/livecd/?lng=en, documentation ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf
Can you give some examples of the malware names, file names and locations of the detections?
Hi, sorry I took so long. I restarted Windows XP in safe mode and ran Malwarebytes. Here is the log.
Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org
Database version: 4897
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
20/10/2010 9:01:57 PM
mbam-log-2010-10-20 (21-01-57).txt
Scan type: Full scan (C:\)
Objects scanned: 251258
Time elapsed: 43 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9f44453e-1e46-4d5c-b57c-112ff2edae82} (Spyware.OnlineGames) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\qvodplayer (Adware.Agent) → No action taken.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0651900a-e0d7-82f7-c0cb-aee22db5dfa1} (Trojan.ZbotR.Gen) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\registrymonitor2 (Malware.Trace) → No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) → Data: c:\program files\microsoft\desktoplayer.exe → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) → Bad: (c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe) → No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\QvodPlayer\QvodBand.dll (Spyware.OnlineGames) → No action taken.
C:\Program Files\QvodPlayer\QvodUninst.exe (Adware.Agent) → No action taken.
C:\System Volume Information\_restore{CC029D65-F456-449C-BF6D-EE7CD26572BC}\RP173\A0066021.exe (Adware.Casino) → No action taken.
C:\System Volume Information\_restore{CC029D65-F456-449C-BF6D-EE7CD26572BC}\RP192\A0075515.exe (Adware.HotBar) → No action taken.
C:\System Volume Information\_restore{CC029D65-F456-449C-BF6D-EE7CD26572BC}\RP211\A0103857.exe (Patch.NetworkMagic) → No action taken.
C:\System Volume Information\_restore{CC029D65-F456-449C-BF6D-EE7CD26572BC}\RP211\A0103858.exe (Patch.NetworkMagic) → No action taken.
C:\System Volume Information\_restore{CC029D65-F456-449C-BF6D-EE7CD26572BC}\RP236\A0144213.exe (Adware.Agent) → No action taken.
C:\System Volume Information\_restore{CC029D65-F456-449C-BF6D-EE7CD26572BC}\RP236\A0147670.exe (Adware.Agent) → No action taken.
C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) → No action taken.
C:\WINDOWS\system32\qtplugin.exe (Rootkit.Agent) → No action taken.
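As an added example (not part of the thread, and not Malwarebytes' own code), here is a small Python script that parses a report in the shape of the MBAM log above, counts the entries still marked "No action taken", and pulls apart the Winlogon `Userinit` "Bad:/Good:" data item to list which executables were appended to the legitimate `userinit.exe` value. The embedded log is a constructed sample modelled on the log in this post; the script accepts both the `->` arrow MBAM writes and the `→` the forum rendered it as.

```python
"""Parse a Malwarebytes-style scan log and flag untreated items and Userinit hijacks.

Added example, modelled on the MBAM log format; not Malwarebytes' own code.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's log (a subset, not the poster's full report).
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9f44453e-1e46-4d5c-b57c-112ff2edae82} (Spyware.OnlineGames) -> No action taken.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0651900a-e0d7-82f7-c0cb-aee22db5dfa1} (Trojan.ZbotR.Gen) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe) Good: (userinit.exe) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\qtplugin.exe (Rootkit.Agent) -> No action taken.
"""

# A section header is a line such as "Files Infected:" with no trailing count.
SECTION_RE = re.compile(r"^(?P<name>.+ Infected):$")
# A detection line: "<item> (<family>) -> <rest>", with the arrow as "->" or "→".
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) (?:->|→) (?P<rest>.+)$")
# The Bad:/Good: pair MBAM writes for hijacked registry data.
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")


def parse_mbam_log(text):
    """Return {section name: [ {item, family, rest}, ... ]} for every detection line."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            continue
        hit = DETECTION_RE.match(line)
        if hit and current:
            sections[current].append(hit.groupdict())
    return dict(sections)


def count_untreated(detections):
    """Count detections the log still marks as 'No action taken'."""
    return sum(
        1 for items in detections.values() for d in items
        if d["rest"].rstrip().endswith("No action taken.")
    )


def userinit_extra_entries(detections):
    """List executables appended to Winlogon\\Userinit beyond the 'Good:' value.

    Anything here runs at every interactive logon, so it is the persistence
    item to clean (and the file it points to is the one to quarantine).
    """
    extras = []
    for d in detections.get("Registry Data Items Infected", []):
        if not d["item"].lower().endswith(r"\winlogon\userinit"):
            continue
        pair = BAD_GOOD_RE.search(d["rest"])
        if not pair:
            continue
        good = {p.strip().lower() for p in pair.group("good").split(",")}
        for path in pair.group("bad").split(","):
            path = path.strip()
            basename = path.rsplit("\\", 1)[-1].lower()
            if basename not in good:
                extras.append(path)
    return extras


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    for name, items in parsed.items():
        print(f"{name}: {len(items)}")
    print("untreated:", count_untreated(parsed))
    print("Userinit extras:", userinit_extra_entries(parsed))
```

Run it against a saved MBAM log by replacing `SAMPLE_LOG` with the file's contents; a non-zero `count_untreated` is the quickest way to see that a log was produced without the "Remove Selected" step, and a non-empty `userinit_extra_entries` result names the logon-time persistence still to deal with.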
You didn’t take any action according to the MBAM log. If you didn’t do it after the log was produced, run it again and allow MBAM to deal with them.
The examples of some of the detections I asked about were the avast ones?
Hi
Some useful information in this thread that helped me (might be worth a read)
http://forum.avast.com/index.php?topic=63275.0
good luck
Del
- I already deleted all of the ones I could from the MBAM
- There were too many to post all of them so I’ll just list a few perhaps?
-win:32:Ramnit-D 0.12697921282448865.exe C:\Documentsandsettings\Ronald\Localsettings\temp
-win:32:Ramnit-D 0.7306046725451064.exe C:\Documentsandsettings\Ronald\Localsettings\temp
-win:32:Ramnit-D AGM.dll C:\Programfiles\adobe\adobe photoshop cs2
-win:32:Ramnit-D Alcmtr.exe C:\programfiles\realtek\audio\installshield
-win:32:Ramnit-D SC2.exe C:\programfiles\starcraft2\versions\base15405
VBS:exeDropper-gen [Trj] Blizzard Updater Log.html C:\documentsandsettings\allusers\applicationdata\blizz entertainment\logs\worldofwarcraft update\logs
VBS:exeDropper-gen adServer[1].htm C:\documentsandsetting\public\local settings\temporaryinternetfiles\content.ie5\pmejdc92
The rest are just the same, thousands of files that don’t make much sense to me…
I also used DrWeb CureIt, and 5500+ infected files came up, mostly similar to the ones I see on avast. They were either cured, moved, or deleted.
I could post a log of that up, but that would mean a file with 5500+ lines of infected files…
I think that they will generally follow what was found by avast, perhaps a different alias (malware name as they differ from AV to AV).
So it looks like this is a file infector which is targeting .exe, .dll and .html files.
Hopefully essexboy will be home from work and come on-line soon to give you some more advice.
Hi, could you give me a selection of 10 or 15 lines from the CureIt log please.
Then:
Download OTS to your Desktop and double-click on it to run it
- Make sure you close all other programs and don’t use the PC while the scan runs.
- Select All Users.
- Under additional scans select the following:
  - Reg - NetSvcs
  - Reg - Shell Spawning
  - Evnt - EventViewer Logs (Last 10 Errors)
  - File - Lop Check
  - File - Purity Scan
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.