Where do I look to find out about a virus?

I was googling about a problem with Internet Explorer 8 and I was notified by Avast about
306062-sims-2-crashing-exception-code-oxc0000005[1].html and the location was c:\User name\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2DXQ711E. Googling that exception [from “306062-sims” to the “html”] got me nothing that made sense. Can anyone tell me how to find out about this? I did quarantine it and submitted it to Avast as possible malware. I am afraid to try to submit it to VirusTotal.
npersn31

Virus Encyclopedia
http://www.viruslist.com/en/viruses/encyclopedia

Malware Protection Center
http://www.microsoft.com/security/portal/

Welcome to ThreatExpert
http://www.threatexpert.com/default.aspx

I am afraid to try to submit it to VirusTotal.
Why...?

Pondus, what I was taking for the virus name is the file name–my mistake. The virus description is HTML:Iframe-inf. I am afraid to do anything with this file due to where I was when alerted to the virus/malware. How can you submit it without it getting into other files on my computer?
inexp2

So you got a " HTML:Iframe-inf " warning when surfing?
Meaning Avast has blocked the infected website before you got infected.

If you are afraid you are infected run a full scan with avast and

check your computer for malware with

MBAM http://filehippo.com/download_malwarebytes_anti_malware/
update and run quick scan, click the button “remove selected” to quarantine anything found and restart

SAS http://filehippo.com/download_superantispyware/

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

Come back and post the scan logs here.

Hi inexp2,

You can scan the URL at Website Security Site Unmask Parasites and at Norton Safe Web by entering the domain name at that online scanner…

polonus

I have uploaded the file to Virus Total and the link is: http://www.virustotal.com/analisis/7947d28e10997d9e694e5f95a457c718a73c48e868f54c85034a0a5bee40ce63-1265150891.{Sorry I don’t know how to make it clickable!}.

I think that I understand that if you rename a file it isn’t executable, but could not figure out how to do so. I did get it into the user files part of Chest and from there extracted it to the folder C:\Suspect. The file name did not change when it was moved to user part of Chest. I got it back into Chest by scanning the file in the folder; scanning the folder itself produced nothing. Do not know if this means the file was opened.

I had scanned immediately after the identification of the virus; haven’t rescanned computer after sending to VirusTotal. Those prior scans with the file in the Chest showed tracking cookies and nothing else. Full scan with Avast, SuperAntiSpyware (on demand scanner, free), Malwarebytes (on demand scanner), Windows Defender (usually kept disabled to prevent any conflict with Avast), HouseCall 7.1 (on demand scanner), SpyBot Search and Destroy (also use Immunization). Will have to repeat testing after this upload to VirusTotal. Will have to post the results after I run the tests. Sorry. I hope I haven’t infected my computer by this upload in this manner to VirusTotal.
inexp2

Here is an abbreviated listing of my Avast log:

Infected files: 2
Total files: 592888
Total folders: 21195
Total size: 69.4 GB

  • Task stopped: Tuesday, February 02, 2010 7:48:47 PM
  • Run-time was 1 hour(s), 30 minute(s), 42 second(s)

C:\Program Files\Alwil Software\Avast4\DATA\chest\306062-sims-2-crashing-exception-code-0xc0000005[1].html [L] HTML:Iframe-inf (0)
File was successfully renamed/moved…
C:\Program Files\Alwil Software\Avast4\DATA\moved\306062-sims-2-crashing-exception-code-0xc0000005[1].html.vir [L] HTML:Iframe-inf (0)
File was successfully renamed/moved…
In the middle of running this, Avast alerted me to viruses two times [I had removed C:\Suspect from exclusion in manual scan in case something was left from upload to VirusTotal]. I am attaching entire log. I have a jpg of one of them, but it is too large to show.

I updated SAS and ran a scan. It found nothing but cookie trackers which are now in quarantine.
I updated MBAM and it did not find anything.

Looked like SAS log not attached nor Avast log. Avast log has too many KB to attach and mentions every file it could not open due to password protections (SAS quarantines and others). Attaching SAS log. Second attempt. May use Irfanview to make jpg (picture of warning while running Avast manual scan) smaller. Please tell me what to do next.

Ok, I hope this picture is small enough to attach. 1st attempt. inexp2

Pondus, I see someone has looked at my logs and am wondering what to do next. I have tried to remove false positives (December 3, 2009 false positives) from listing in Avast Virus Chest but they are still there. Am wondering if I need to reinstall Avast 4.8. If so, I would have to figure out how to uninstall McAfee Site Advisor. I am only using one anti-virus: Avast. I had problems posting in last 2 posts and that is why there is more than one reply of mine to other persons’ posts. Some forums only let certain people handle things like this and I do not know what status they would have here.
inexp2

I have tried to remove false positives (December 3, 2009 false positives) from listing in Avast Virus Chest but they are still there.
Do you mean that you have recovered a false positive from the chest and you still see the file in the chest? That is normal, there will be a copy in the chest. When everything is back to normal you can delete them.
Pondus, I see someone has looked at my logs and am wondering what to do next.
Well, are you having any problems? If so you can follow the guide from essexboy and he can look at the OTL log http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

Well, what is back to normal? I tried to look at the Chest in safe mode and got errors: “initialization of Chest files: Program will try to load all Chest files from the following server(null): Action was completed with errors!” I tried to run a scan with Avast in safe mode and got a complaint about a virus in the Chest!

I will attempt to attach 2 jpgs of the safe mode problem. I do not know how to remove a virus from chest or if it is safe to do so in this case. Perhaps that is part of the problem? I also have to change a printer cartridge and figure out if OTL is ok to use with Windows Vista SP2.
inexp2 thanks you for your reply!

Pondus, I had two printer problems to fix today before I could print the guide from essexboy. Last night, concerned about the way Avast was working, I scheduled a boot scan. This seemed to go without problems, but it did give notice of corruption problems on D:. I do not know how to find that report. My settings in Avast may be producing excessively long reports and each normal mode(not safe mode nor boot scan) produces a report that is added onto already existing report. I am not sure about safe mode and bootscan reports as I don’t know where Avast would put them.

I have downloaded OTL and it did produce OTL.txt and Extras.txt. I am reading essexboy’s guide as requiring the logs to be attached to this reply. If this is incorrect, I beg people in the know to tell me. I want to do the correct thing! Thanks so much for the assistance!
inexp2

I have downloaded OTL and it did produce OTL.txt and Extras.txt. I am reading essexboy's guide as requiring the logs to be attached to this reply. If this is incorrect, I beg people in the know to tell me. I want to do the correct thing! Thanks so much for the assistance! inexp2
That is correct, and he will soon look at it.

Hi, from my reading of the thread - you had a webshield detection and it was killed. Once in the chest Avast still alerted on it - which is weird unless you were rescanning it.

I can see no sign of a malware infection past or present

Have you decided yet to update to version 5 of Avast ?

If you are still concerned I can run a rootkit scan for you to put your mind at rest ;D

How do I get rid of the virus? I have two copies–one with “vir” added to the name and one without. Can they simply be removed by choosing “remove” as action? Or are more drastic measures needed? I would like to run a rootkit scan for peace of mind, but have no experience running any special tool for that purpose. Can you help?

I have not updated to Avast 5 because I have read there are problems with Avast 5. I am uncertain of correct procedure to uninstall Avast 4.8 and install Avast 5. I use on-demand scanners (MBAM, SuperAntiSpyware, HouseCall 7.1) with icons on desktop, Windows Defender is disabled, have SpywareBlaster, SpyBot Search & Destroy (immunization is used, TeaTimer currently off) and McAfee Site Advisor. My concern is mainly for McAfee Site Advisor which I think must be removed before installing Avast 5. Oh, and my firewall is the Windows firewall.

It might be important to know that Internet Explorer 8 is giving me, and had given me prior to this current problem, weird messages like “your last browsing session closed unexpectedly” and it isn’t always giving the “do you want to close your current tab or all tabs” message. It is very unpredictable.
inexp2

Yes, just delete the files from your chest.

Avast 5 does have some problems on some systems - probably conflicts with pre-installed programmes. It is (at the moment) the luck of the draw as to whether you will be affected. I am running 2 Vista and 1 Windows 7 with no problem.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

Caution
These types of scans can produce false positives. Do NOT take any action on any “<— ROOTKIT” entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked … leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save…] button, and in the File name area, type in “GMER.txt”
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

I will first attempt to remove the virus(es) (‘es’ as there are 2 copies in the Chest) and restart the computer as I don’t know if they will be removed without this. I definitely will report what happens then.

When I was in Windows Mail this morning, clicking on the link to your post produced a “Internet Explorer has stopped working message”, but second attempt produced no problem. I am not sure if some add-on of Internet Explorer is causing problems or if it is some virus. The first attachment is the list of add-ons I copied from IE8’s copy option; the second is from Event viewer, showing the most recent IE 8 problem this morning.

After removal, I will do the GMER procedure that you wrote out for me. Thanks for your help to this point.
inexp2

The main faults are within the IE8 compatibility mode module.

If you go to Tools on the menu bar and select Compatibility View Settings - you will see this box. Place a tick in “Display all websites in Compatibility View”.

You do have a lot of add-ons - I would disable all bar the ones you really need, then re-enable others as the need requires. After a while you will find you only really need two or three.

Thanks essexboy, I will do what you just posted after I finish posting my results.

I feel a bit dumb as I downloaded the zip file to my user desktop (just plain desktop has fewer icons, folders, shortcuts and documents—and I am the administrator with only one account–no guest accounts, no other users) and scanned it with Avast and MBAM, somehow ran it without unzipping it, and when it ran forgot to save the text. I started over with unzipping it to user desktop, selected “run as administrator”, did not change anything (“show everything” was unchecked as requested), and it ran in normal mode. [Was it supposed to be run in safe mode? You did not mention that if so!] It did not ask for complete scan, but nothing else was showing in the window—like perhaps “finished”. I clicked save, saved it to place where I could find it and clicked ok. The attachment is the text from this run.

If you know that I did that GMER run correctly and nothing more is needed from it, instructions on how to remove GMER from my computer (and OTL as well) are requested.

Before I forget, I removed both copies of the virus from the Chest using remove option and did the same with the false positives from December 3. The Chest is empty of viruses. Before this in early January 2010, there was something Avast recommended be ignored (c:\Windows\system32\tmcomm.sys) and I could not find it to upload to VirusTotal. I am trying to be complete and precise as possible.
inexp2

Postscript—I do not recall which “menu” in Avast 4.8 I got the information in “description of attack” from, but I don’t know what to do about it. This attachment is the text I copied from that “menu”.