system
August 11, 2009, 4:55pm
1
My wife was searching on some page and a fake “You have a virus click on me to scan, SHE CLICKED!” It's not the first time… grrr.
I decided to run a thorough scan. When doing so, Avast came up with C:\Program Files\Alwil Software\Avast4\9B489143d01 (malware type: virus/worm)
I can’t find ANY info on viruses found inside of Avast. It will not let me repair or move to chest.
What should I do???
system
August 11, 2009, 5:32pm
2
Also it says HTML:Iframe-inf
I really hope someone can help me with this!!!
No posts yet makes me really nervous
Hi. Can you please download Malwarebytes: http://filehippo.com/download_malwarebytes_anti_malware/
After you have it installed, go to the update tab and click on “check for update”.
After that, please run a full scan with it. If it finds any infected item, remove it. If the program asks you to reboot, please do so.
Then post back a log from Malwarebytes.
system
August 11, 2009, 6:30pm
4
I just finished doing a full scan with Avast.
Here are the results:
C:\Users\Bryan\AppData\Local\Temp\Patcher\Patcher3324\ZippedStagingArea\PatchFiles.zip\2857\data\database\data\ibdata1 ---- Unable to scan: The file is a decompression bomb
C:\Users\Bryan\AppData\Local\Temp\Patcher\Patcher3324\StagingArea\2857\data\database\data\ibdata1 ---- Unable to scan: The file is a decompression bomb
C:\Program Files\Alwil Software\Avast4\9B489143d01
I will now run Malwarebytes.
system
August 11, 2009, 7:11pm
5
The scan is still running. I did some investigating. This is the name of the bad stuff: “anti malware secure scan v2” and site that was
DON'T CLICK HERE ***********************************************
hxxp://antimalwaresecurescanv2.com/1/?sess=%3DGm19jDwMCZpcD03MS4xOTUuMjAzLjIzNSZ0aW1lPTEyNTcwMAcMNQkM
This is the link to the bad site.
I hope this might help. Maybe someone knows this?
Hi. Can you please change the http in the link to hxxp to prevent other users from getting infected if they accidentally click on the link?
system
August 11, 2009, 7:15pm
7
I did not remove them yet.
Should I?
Malwarebytes’ Anti-Malware 1.40
Database version: 2605
Windows 6.0.6001 Service Pack 1
8/11/2009 1:12:26 PM
mbam-log-2009-08-11 (13-12-19).txt
Scan type: Full Scan (C:|D:|)
Objects scanned: 303289
Time elapsed: 37 minute(s), 42 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Windows/Downloaded Program Files/popcaploader.dll (Adware.PopCap) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) → No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) → No action taken.
HKEY_CLASSES_ROOT\CLSID{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) → No action taken.
HKEY_CLASSES_ROOT\TypeLib{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) → No action taken.
HKEY_CLASSES_ROOT\Interface{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) → No action taken.
HKEY_CLASSES_ROOT\Interface{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) → No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Windows\Downloaded Program Files\popcaploader.dll (Adware.PopCap) → No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) → Bad: (1) Good: (0) → No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\Downloaded Program Files\popcaploader.dll (Adware.PopCap) → No action taken.
Yes, you should remove them.
system
August 11, 2009, 7:23pm
9
They are removed and I have rebooted. Now what?
Why would Avast detect something from itself and Malwarebytes would not detect it?
system
August 11, 2009, 7:25pm
10
I have rescanned the Avast virus. It still shows it is there:
C:\Program Files\Alwil Software\Avast4\9B489143d01
Could you upload that file to VirusTotal? http://www.virustotal.com/
Then post back your results from the website.
system
August 11, 2009, 7:37pm
12
File 9B489143d01 received on 2009.08.11 19:45:11 (UTC)
Current status: finished
Result: 2/41 (4.88%)
Antivirus Version Last Update Result
a-squared 4.5.0.24 2009.08.11 -
AhnLab-V3 5.0.0.2 2009.08.11 -
AntiVir 7.9.1.0 2009.08.11 -
Antiy-AVL 2.0.3.7 2009.08.11 -
Authentium 5.1.2.4 2009.08.11 -
Avast 4.8.1335.0 2009.08.10 HTML:Iframe-inf
AVG 8.5.0.406 2009.08.11 -
BitDefender 7.2 2009.08.11 -
CAT-QuickHeal 10.00 2009.08.11 -
ClamAV 0.94.1 2009.08.11 -
Comodo 1945 2009.08.11 -
DrWeb 5.0.0.12182 2009.08.11 -
eSafe 7.0.17.0 2009.08.11 -
eTrust-Vet 31.6.6672 2009.08.11 -
F-Prot 4.4.4.56 2009.08.10 -
F-Secure 8.0.14470.0 2009.08.11 -
Fortinet 3.120.0.0 2009.08.11 -
GData 19 2009.08.11 HTML:Iframe-inf
Ikarus T3.1.1.64.0 2009.08.11 -
Jiangmin 11.0.800 2009.08.11 -
K7AntiVirus 7.10.816 2009.08.11 -
Kaspersky 7.0.0.125 2009.08.11 -
McAfee 5706 2009.08.11 -
McAfee+Artemis 5706 2009.08.11 -
McAfee-GW-Edition 6.8.5 2009.08.11 -
Microsoft 1.4903 2009.08.11 -
NOD32 4326 2009.08.11 -
Norman 6.01.09 2009.08.11 -
nProtect 2009.1.8.0 2009.08.11 -
Panda 10.0.0.14 2009.08.11 -
PCTools 4.4.2.0 2009.08.11 -
Prevx 3.0 2009.08.11 -
Rising 21.42.14.00 2009.08.11 -
Sophos 4.44.0 2009.08.11 -
Sunbelt 3.2.1858.2 2009.08.11 -
Symantec 1.4.4.12 2009.08.11 -
TheHacker 6.3.4.3.380 2009.08.11 -
TrendMicro 8.950.0.1094 2009.08.11 -
VBA32 3.12.10.9 2009.08.10 -
ViRobot 2009.8.11.1879 2009.08.11 -
VirusBuster 4.6.5.0 2009.08.11 -
Additional information
File size: 62116 bytes
MD5 : 3a2abfba4bfc5e5c51172360d7f91126
SHA1 : 19fe693ba6d224718381814050acc4253398e053
SHA256: 95cb58c80bd059fab14673323a917a71a35ac669a1f541c024e9796d1e4c266a
TrID : File type identification
HyperText Markup Language with DOCTYPE (80.6%)
HyperText Markup Language (19.3%)
ssdeep: 768:ExVCW0BG72tdrXaigt2iNIMuU+b1FBesxdK:ExVC9ce15f15F0su
PEiD : -
RDS : NSRL Reference Data Set
This is likely a false positive.
Right-click the avast icon in the taskbar → click start avast antivirus → right-click the scanner background → click virus chest → navigate to user files → click add files → right-click the file → email to alwil software.
The file will then be sent to the virus lab for analysis the next time the database is updated.
system
August 11, 2009, 7:55pm
14
I hope it is!
Thank you, thank you!!! You have helped oh so much!
No problem. Glad I could help.