Download ComboFix from Here or Here to your Desktop.
* Double click combofix.exe and follow the prompts.
* When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.
Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.
yes avast detects the infected files… I moved them to the chest, and deleted them, but they come up again the next time I scan, and I still have problems on my computer
Firstly @ mattrex0220 - Deletion isn’t really a good first option (you have none left), ‘first do no harm’ don’t delete, send virus to the chest and investigate.
Secondly - avast clearly detected it as it was found during a thorough scan and the malware names appear to be ones allocated by avast- So there is little point in sending a sample which is detected by avast, unless you suspect that the detection is incorrect (see below)
@ sparkkconnection
What version of avast are you using Home or Pro ?
When avast detects an infection (home version) it asks for user input, what action it should take, what did you choose ?
Where were the infected files found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner. I feel virustotal is the better option as it uses the windows version of avast (more packers supported) and there are currently 30 different scanners.
Or Jotti - Multi engine on-line virus scanner. If any other scanners here detect them it is less likely to be a false positive. Whichever scanner you use, you can’t do this with the file in the chest, you will need to move it out.
Report the findings here if required, e.g. only avast detected it, etc.
It is also possible that System Restore is replacing the file (if you are using WinXP/ME) after Avast deletes it, but it will be easier to know what is going on if you provide the directory location of the file (as stated in DavidR’s step 4).
C:\windows\system32\mi1.exe
C:\PSGuardInstall.exe
and idk the other one, I deleted it off the chest thing
and I’m using home version
the action I took was to move them to the chest… one of them said it was too big to store in the chest and I had to delete it… which is why I’m scanning again right now
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them. This allows you to investigate as you still have a sample, obviously slightly different as there appear to be other elements at work restoring the file.
I suspect the one that was too big was the psguardinstall.exe. You can increase the size of the file and chest to accept larger files, Program Settings, Chest. You need to run ComboFix as essexboy suggests.
The avast ‘a’ icon should be on the bottom right of your screen on the system tray.
here is what showed up in the log viewer… under description
Sign of “Win32:Adware-gen. [Adw]” has been found in "C:\Program Files\SoftwareRevenue.org\2r_sa…
Sign of “Win32: Adware-gen. [Adw]” has been found in “C:\PSGuardInstall.exe” file.
Sign of “Win32:DCom-F [Expl]” has been found in “C:\WINDOWS\MEMORY.DMP” file.
Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\SYSTEM32\mi1.exe” file.
Sign of “Win32:Adware-gen. [Adw]” has been found in “C:\Program Files\Alwil Software\Avast4\2r_samba.exe” file.
Sign of “Win32:Adware-gen. [Adw]” has been found in “C:\System Volume Information_restore{C7FFBD4B-78A9-410A-A221-694121A75D93}\RP805\A0202515.exe” file.
* Save HJTsetup.exe to your desktop.
* Doubleclick on the HJTsetup.exe icon on your desktop.
* By default it will install to C:\Program Files\Hijack This.
* Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
* Put a check by Create a desktop icon then click Next again.
* Continue to follow the rest of the prompts from there.
* At the final dialogue box click Finish and it will launch Hijack This.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
* Come back here to this thread and Paste the log in your next reply.
* DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.