Why did Avast not catch this and what is happening?

So I let my mother use my computer when I go to bed, and the next day I find out it has malware/viruses/trojans/whatever. I check Avast logs and find this:

SYSTEM	1468	Sign of "JS:Illredir-AA [Trj]" has been found in "H:\Documents and Settings\Admin\Local settings\Temporary Internet Files\Content.IE5\YML2X3MJ\en[1].js" file.  
SYSTEM	1468	Sign of "JS:Illredir-AA [Trj]" has been found in "H:\Documents and Settings\Admin\Local settings\Temporary Internet Files\Content.IE5\EFB90Z7W\en[1].js" file.  
SYSTEM	1468	Sign of "JS:Downloader-OF [Trj]" has been found in "H:\Documents and Settings\Admin\Local settings\Temporary Internet Files\Content.IE5\8A6N7UIS\index[3].htm" file.  
SYSTEM	1468	Sign of "JS:Downloader-NM [Trj]" has been found in "H:\Documents and Settings\Admin\Local settings\Temporary Internet Files\Content.IE5\M6MIM9CN\java[1].htm" file.  
SYSTEM	1468	Sign of "JS:Pdfka-gen [Expl]" has been found in "H:\Documents and Settings\Admin\Local settings\Temporary Internet Files\Content.IE5\M6MIM9CN\ChangeLog[1].pdf" file.  

Then after a minute this follows:

SYSTEM	1468	Sign of "Win32:Rootkit-gen [Rtk]" has been found in "H:\WINDOWS\system32\drivers\aec.sys" file.  
SYSTEM	1468	Sign of "Win32:Rootkit-gen [Rtk]" has been found in "H:\WINDOWS\system32\drivers\aec.sys" file.  
SYSTEM	1468	Sign of "Win32:Rootkit-gen [Rtk]" has been found in "\\127.0.0.1\admin$\system32\drivers\aec.sys" file.  
SYSTEM	1468	Sign of "Win32:Rootkit-gen [Rtk]" has been found in "H:\WINDOWS\system32\drivers\asyncmac.sys" file.  
SYSTEM	1468	Sign of "Win32:Rootkit-gen [Rtk]" has been found in "\\127.0.0.1\admin$\system32\drivers\asyncmac.sys" file.  
SYSTEM	1468	Sign of "Win32:Rootkit-gen [Rtk]" has been found in "H:\WINDOWS\System32\DRIVERS\asyncmac.sys" file.  
SYSTEM	1468	Sign of "Win32:Rootkit-gen [Rtk]" has been found in "H:\WINDOWS\system32\drivers\asyncmac.sys" file.  
SYSTEM	1468	Sign of "Win32:Rootkit-gen [Rtk]" has been found in "H:\WINDOWS\system32\drivers\atmarpc.sys" file.  
SYSTEM	1468	Sign of "Win32:Rootkit-gen [Rtk]" has been found in "\\127.0.0.1\admin$\system32\drivers\atmarpc.sys" file.  
SYSTEM	1468	Sign of "Win32:Rootkit-gen [Rtk]" has been found in "H:\WINDOWS\System32\DRIVERS\atmarpc.sys" file.  
SYSTEM	1468	Sign of "Win32:Rootkit-gen [Rtk]" has been found in "H:\WINDOWS\system32\drivers\atmarpc.sys" file.  

…And this continues for a lot of .sys files. In Windows log book I see that it said it’s reverting its official .sys files back to previous state.

What happened? Why didn’t Avast stop this? Googling is useless as it does not help me in any way.
It was Avast 4.8. Latest definitions. It was on “Normal” (all scans). It was probably on IE.
How can I stop this in future? (Yes, I know she should use Firefox. I am going to put it all on high)

Thanks for everything.
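To make sense of a log like the one above, here is an added example in Python (my own code, not Avast's and not from anyone in this thread) that parses these Avast 4.8 lines, folds the `\\127.0.0.1\admin$` spelling onto the same file as `H:\WINDOWS\...`, and separates hits in the browser cache (content scanned as IE downloaded it) from hits on installed drivers, which is the distinction the replies turn on. The sample lines are copied from the post; the category and verdict strings are my own labels.

```python
import re
from collections import defaultdict
# Constructed sample: four of the Avast 4.8 log lines quoted in the post, rebuilt
# as tab-separated "user<TAB>pid<TAB>message" records.
SAMPLE_LOG = "\n".join("SYSTEM\t1468\t" + m for m in [
    r'Sign of "JS:Illredir-AA [Trj]" has been found in "H:\Documents and Settings\Admin\Local settings\Temporary Internet Files\Content.IE5\YML2X3MJ\en[1].js" file.',
    r'Sign of "JS:Pdfka-gen [Expl]" has been found in "H:\Documents and Settings\Admin\Local settings\Temporary Internet Files\Content.IE5\M6MIM9CN\ChangeLog[1].pdf" file.',
    r'Sign of "Win32:Rootkit-gen [Rtk]" has been found in "H:\WINDOWS\system32\drivers\aec.sys" file.',
    r'Sign of "Win32:Rootkit-gen [Rtk]" has been found in "\\127.0.0.1\admin$\system32\drivers\aec.sys" file.',
])
LINE_RE = re.compile(r'^[^\t]+\t\d+\tSign of "(?P<sig>\S+) \[(?P<cls>\w+)\]" has been found in "(?P<path>[^"]+)" file\.\s*$')
# Two spellings of %SystemRoot% in the log: the drive letter and the loopback ADMIN$
# share, which is the same directory reached over SMB.
SYSTEM_ROOT = (re.compile(r'^[a-z]:\\windows\\'), re.compile(r'^\\\\127\.0\.0\.1\\admin\$\\'))

def normalize(path):
    p = path.lower()
    for alias in SYSTEM_ROOT:            # fold aliases so one driver file counts once
        p = alias.sub(r'<systemroot>\\', p, count=1)
    return p

def classify(key):
    if '\\temporary internet files\\' in key:
        return 'browser_cache'           # caught as IE pulled it from the web
    if key.startswith('<systemroot>\\system32\\drivers\\'):
        return 'system_driver'           # an installed kernel driver already on disk
    return 'other'

def parse_log(text):
    records = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):  # non-detections skipped
        r = m.groupdict()
        r['key'] = normalize(r['path'])
        r['category'] = classify(r['key'])
        records.append(r)
    return records

def summarize(records):
    out = defaultdict(lambda: {'hits': 0, 'signatures': set(), 'files': set()})
    for r in records:
        s = out[r['category']]
        s['hits'] += 1
        s['signatures'].add(r['sig'])
        s['files'].add(r['key'])
    return dict(out)

def verdict(summary):
    # Cache-only hits: downloaded web content flagged, consistent with a block. Driver
    # hits: files already on disk flagged, so scan fully and check the Chest first.
    if 'system_driver' in summary:
        return 'system files flagged'
    return 'only web content flagged' if 'browser_cache' in summary else 'no detections'
```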

Hi malko,

These detections are the remains of your mother visiting malcode-infected websites (one was infected with gumblar etc.). At that moment avast alerts to close the connection. In that case you will not get infected, but the incidents are still reported in the logs.
There are very, very many normal, reputable websites being hacked (1 every 3.6 secs) by miscreants to perform malware downloads; hidden redirects to a malicious site, for instance in China, go unnoticed by the user, but the avast shields alert to these.
To be protected against this malcode, use a browser like Firefox with the NoScript extension installed so as not to get infected by malware, use a good hosts file to not be able to connect to these sites, or pre-scan a link or have WOT installed. Explain all this to your mother and instruct her in safe(r) browsing.

polonus

yes, as Polonus said, Avast probably stopped everything as you found that in the logs, and I doubt your mum scanned your system manually, which means these were threats blocked by the resident shield (web shield hopefully) and your PC isn’t infected. This said, you should run a full scan with Avast just in case. Also maybe a quick scan with Malwarebytes: http://www.malwarebytes.org/

ps: on a side note, you should upgrade to Avast 5

And remember, no security program has 100% detection

Every 3.6 seconds a website is infected
http://www.scmagazineus.com/every-36-seconds-a-website-is-infected/article/140414/

Well apparently Avast did not stop all of it because as you can see from the log, some rootkit got in and changed all .sys files. Either way, the next day I woke up I found out that I had Security Tool malware and some other unknown files in autostart. I removed it all, checked with rootkitscanner, hijackthis and everything else and became clean - but Avast still could not find any of these that Malwarebytes found (Malwarebytes couldn’t find one thing, but I removed it manually).

I can not remember now, but is there any other option than blocking the connection? Maybe my mother pressed cancel or something? But I doubt it, worst case scenario she left it alone - could that maybe trigger this?

I did a reformat anyway just to be sure because as you can see from the log multiple malware/viruses got into my PC and I was worried maybe they in turn downloaded other things. Is it possible for these to follow after a reformat? Also one more thing: I took a manual copy backup to my USB, basically I copied pictures, documents, music and maybe something else into my personal USB file. Is it possible they have infected that? I opened it by Exploring and disabled autorun.

Yes but I was hoping that if Avast found out about that and logged, why didn’t it stop it? Hm. It was all weird.

malko, we just explained to you that Avast did stop it (probably)… did you read my last post here? did you find something again with a manual scan? do you have anything in the Chest (quarantine folder)?

edit: OK I didn’t read this

http://forum.avast.com/index.php?topic=57119.msg481728#msg481728

Can somebody help me with this? I can not remember now, but is there any other option than blocking the connection? Maybe my mother pressed cancel or something? But I doubt it, worst case scenario she left it alone - could that maybe trigger this?

I did a reformat anyway just to be sure because as you can see from the log multiple malware/viruses got into my PC and I was worried maybe they in turn downloaded other things. Is it possible for these to follow after a reformat? Also one more thing: I took a manual copy backup to my USB, basically I copied pictures, documents, music and maybe something else into my personal USB file. Is it possible they have infected that? I opened it by Exploring and disabled autorun.

Also can somebody help me find more information of what I was infected with so I can study it? I can’t find anything.

one thing at a time

firstly web shield will block malware from injecting yr system, whereby yr mother would have seen alerts in bottom right hand corner but may be no option as blocked automatically - but will generate entries in logs

second - block may not be automatic and yr mother will be given option to ‘abort connection’ - if she does anything else but abort, and I mean anything because I’ve tested this, no use deleting the page, then the malware will inject and that looks like what happened to you - and will generate logs

third - not end of story when malware injects because still has to get past file system shield, which is yr truly resident protection and very hard for these malwares to get past. Looks like yr resident nabbed the injected malwares and has sent them to the chest where they are quarantined and you are safe from them - as usual, will generate logs.

however, as Logos says you still need to run a scan to make sure they have been quarantined, and if you find them, then you send them to the chest so you are safe from them.

This is what happens because I fully tested with 4.8. But you have to choose the right options. Could you for now check yr virus chest and see if anything in there.

And I will come back and tell about mbam and spyware, which is a bit different than avast and virus, but the two programs work well together.

And also USB and the rest - btw how come yr system drive is H:

Virus chest - right click avast icon ‘a’ in system tray bottom right hand corner - choose to open avast! antivirus interface, and once through memory test and help page, you will find the virus chest in the scanner module that comes up on yr page.

okay so you reformatted, so no need to go to the chest but good policy to check anyway.

Looks like yr malwares were generic (gen) so they would not have survived reformat, though some say will not kill virut - but surely must remove virut as well (my opinion) - you did not have virut.

and as long as you did reformat and not a repair - with repair, malwares will still survive

Fourth scenario - the reported infections were false positives (false alerts) but you have circumvented that scenario because you have reformatted.

You can plug in yr USB and scan it with the antivirus and see if there are any infections on it. If you are running avast, then alerts should come up immediately that you plug it in, in which case you send the infected files to the chest where you are safe from them, and you can possibly send them to avast so that they can have a look at them.

Use autorun eater to protect yr computer / USB combination
http://majorgeeks.com/Autorun_Eater_d6074.html

mbam (malwarebytes) is specifically aimed at spyware, so yr files are queried against all known instances of spyware that have been found - for this reason always update yr mbam before you run scan. (quick scan)

avast also has anti-spyware features but is more a complete antivirus - a complete protection against virus that is best always on and always scanning every move that you make with yr computer for all kinds of infections. Therefore it is also good to have an antispyware like mbam at hand for when you need it because it is a specialist scan and all resources at that company are geared toward catching that specialist target (spyware). For avast to do this as well is to commit too many resources that may reduce resources that are needed to detect viruses that are not spyware, especially really nasty ones like virut that can bork yr computer once and for all, forever. In comparison, spyware is small fry.

Hey mkis, thanks for the help man.

I wish I would have checked the chest earlier! But either way it seems that I was not hurt that much, I mean, considering Avast protected at least something! Because as you can see I was infected by a lot of things but I only saw a couple of changes in the system.

Do you know exactly what I was infected with so I can look it up on internet? Searching for those is very hard.

Also, after scanning with malwarebytes, avast, NOD32, rootkit check, DDS and a lot of other security tools, I found my PC clean.
I also did a deep scan (deep heuristics etc.) on my USB files to be sure. After that I formatted and did everything above just to be sure.

It seems like I am clean now. I am just very sad why that happened. I mean I still had Security Tool malware on my PC and this unknown file winesm32.exe about which I found NOTHING (well ok, 2-3 things) on the internet!

If anyone has any more info please tell me. PS. What does generic mean?

What does generic mean?
http://www.lmgtfy.com/?q=What+does+generic+mean

Virus Encyclopedia
http://www.viruslist.com/en/viruses/encyclopedia

Malware Protection Center
http://www.microsoft.com/security/portal/

JS:Illredir
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AJS%2FRedirector.A

JS:Downloader
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AJS%2FAgent.GG

JS.Pdfka
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AWin32%2FPdfjsc.CR

rootkit
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=rootkit

Okay I see you’ve hooked up with Eddy over the ‘winesm32.exe’ malware
I haven’t read through, but that will be good feedback

Just one thing malko - if you are running avast as antivirus, you should not also run nod32 as antivirus as well because you will likely get conflicts.

This is why –
http://forum.avast.com/index.php?topic=53312.msg452338#msg452338

Do you guys know if any of these infect USB?

yes they do get infected

  • occasionally nowadays - but back in 2008, always on everybody’s USB (screenshot)

this is the program I finally settled on -

Use autorun eater to protect yr computer / USB combination
http://majorgeeks.com/Autorun_Eater_d6074.html
(change sounds in settings if goat bleats every time you start computer)

others on the forum may have more to offer

don’t try to download this program - I put page here for an example only
http://www.sophos.com/security/sophoslabs/device-control.html

I know about Conficker. Although Conficker does not only spread by USB, I was more asking about these files that I was infected with.

That is a very good application, but I am a little scared to install it because I have never heard of it and it’s a little unknown.