Virus after format and rebuild


5 replies to this topic

#1 Keithuk

Posted 21 October 2009 - 04:02 AM

Hi guys.

WinXP 2002 SP2.

I had a virus a couple of weeks ago so I did a format and rebuild. Now after I install all the normal drivers, sound card and graphics card I do a full scan and the latest Avast picks up on Soundman.exe and Alcmtr.exe which are Realtek sound drivers. Now these drivers come from the Gigabyte CD that came with the computer (2 months old) and I'm not connected to the web. Now I've done a few formats and rebuilds for various problems over the last couple of weeks. Sometimes it picks up on these files and sometimes it doesn't. After one rebuild it picked up on ALL Windows installed exe's in Windows and System32 folders. I write programs in VB and these were made a few years ago so they aren't fresh builds. It picks up a virus in all these. I've tried quick formats and full and it makes no difference, just the full takes about 50 minutes on a 500GB drive.

Now correct me if I'm wrong but I thought a format would wipe the drive of any existing files. I know you can get BIOS or boot viruses but how do you detect and remove these?

Any suggestions would be appreciated, thanks. :thumbsup:

Keith

Windows ME (spare computer)
Windows XP 2002 Professional SP3 (desktop computer)
Windows 7 Professional SP1 32bit (laptop computer)

Windows 8 64bit spare drive for laptop computer



#2 quietman7 (Global Moderator)

Posted 21 October 2009 - 09:34 AM

RejZoR, avast! Evangelist at the avast forum, posted these instructions for suspected FPs.

If you encounter alert for which you think that it's a false positive, do the following:

Check the file with this service:
http://virusscan.jotti.org
http://www.virustotal.com

- if the file is detected by any other antivirus too (like Kaspersky), then it's most probably not a false positive. Treat it with caution.
- false positive files are usually detected as: Win32:Trojan-Gen
(this usually happens because of generic detection)
- if the scan still shows that only avast! detects the file, then it could be a virus detected only by avast!. If you think that it's still a false positive, then follow the next step:

Pack the "infected" file into ZIP archive and lock it with password "virus" (without quotes) and attach it to e-mail.
Write the same password inside mail body, so Alwil virus analysts will know the password right away without guessing.
You can also add web address to that file (or webpage of the file/program) if it's on the internet.
Add your own note on why do you think that it's a false positive. Every info helps Alwil staff.
Send the mail to: virus@avast.com

You'll probably get a reply mail about file info (if it was really a false positive) after some time.
If not, check the file with Explorer extension when new VPS is released.
This way you'll know if the false positive was fixed.

Until then, you can add the "false positive" file into exclusions:...

avast forum [Mini Sticky] False Positives
avast forum: Tutorial For False detection

You should also contact and advise the vendor that their program is being detected as a threat. In many cases they will work with the anti-virus techs in an attempt to resolve the detection.

> After one rebuild it picked up on ALL Windows installed exe's in Windows and System32 folders

Picked up as what? What type(s) of threat were the files detected as?

> Now correct me if I'm wrong but I thought a format would wipe the drive of any existing files.

Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything. However, you can easily reinfect the system by restoring infected files that you may have backed up. Did you back up and restore files after doing your reformat?

BIOS viruses are very rare but have been found in older Windows versions like 9x/NT. These types of viruses do not actually infect the BIOS. Instead they erase the BIOS of flashable BIOSes, resulting in a machine that will not boot properly. On certain chip sets, the virus was reported to flash the BIOS. I am not aware of any that affect NT based machines such as Windows 2000 and above in this manner.

BIOS-level rootkit attack scary, but hard to pull off
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Keithuk (Topic Starter)

Posted 22 October 2009 - 07:15 AM

Thanks for the reply quietman.

I understand what false positives are; what I don't understand is why these are being picked up from genuine Gigabyte software that came with the computer. I'm not connected to the web while I set up Windows initially because I have to set up the Realtek Ethernet drivers and sound drivers off the same disk. I install Avast! Home Edition 4.8.1356 and do a full scan without updating the database at first. It picks up on Soundman.exe and Alcmtr.exe which are Realtek sound drivers. I'm a member of the Avast forum and I've posted on there but no one has come back with a useful suggestion.

> After one rebuild it picked up on ALL Windows installed exe's in Windows and System32 folders
>
> Picked up as what? What type(s) of threat were the files detected as?

> Wiping your drive, reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything. However, you can easily reinfect the system by restoring infected files that you may have backed up. Did you backup and restore files after doing your reformat.


So you reckon a format should remove all traces of previous files?

I don't remember the infection name exactly, I think it's something like W32/Virut.gen for all of them. The strange thing is, if you stop the scan because you know that file is good and you go to that exe to check the file properties and date, there is no normal exe icon and no properties show, as though it's an old DOS file. I'm told that Avast doesn't rewrite the file because it's a virus.

Now I've done a few formats and rebuilds and it's only in the past couple of weeks that these files have been picked up.

I wondered if it's a glitch with Avast so I formatted and installed the normal Gigabyte drivers. I downloaded AVG 8.0 to a flash pen at work. Installed it and did a full scan and it picked up on the same files.

I back up all important files and install files to flash drives. I've taken these drives to work and scanned them with McAfee 8.5. There have been the odd virus on them which McAfee has cleaned. Every file I download off the web gets a virus scan; if anything is detected it gets deleted.

I also use Malwarebytes Anti-Malware 1.41 and that picks up on infected files and registry. I disconnect the web, clean all files, do a restart and a full scan again and some of these files come back again.

At the moment I don't have a virus checker. I know it's bad but I hate clicking Ignore on all files that I know are good. :thumbsup:

Keith



#4 quietman7 (Global Moderator)

Posted 22 October 2009 - 08:42 AM

> I don't understand is why are these being picked up from genuine Gigabyte software that came with the computer.

Unless the files themselves have actually been infected by malware, only avast can answer that, and I see they are addressing your questions.

However, in the past many security tools were alerting users to alcmtr.exe.

> Realtek AC97 Audio - Event Monitor. "Spyware" file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but it is being used by Realtek to gather data about customers.

Alcmtr.exe

There are some types of malware that use the same name as soundman.exe as shown here.

#5 Keithuk (Topic Starter)

Posted 23 October 2009 - 07:39 AM

> I don't understand is why are these being picked up from genuine Gigabyte software that came with the computer.
>
> Unless the files themselves have actually been infected by malware, then only avast can answer that and I see they are addressing your questions

But I don't see how they can get affected; only Windows is installed and there is no web connection. These are installed from the Gigabyte CD.

> However, in the past many security tools were alerting users to alcmtr.exe.
>
> There are some types of malware that use the same name as soundman.exe as shown here.


I did a search for these files but I didn't see any obvious answers.

I even bought WinXP SP3 this week as I've had problems installing the SP3 update. It would install then restart but wouldn't start up. I have to start in Safe Mode and uninstall SP3, then it will start up.

I formatted and installed WinXP SP3, no problem. I installed Avast, did a restart and a full scan, no problem. I installed my Gigabyte drivers and did a full scan again, no problem. I connected to the web so I could update the Avast database. I did a full scan again and it picked up on the normal files, alcmtr.exe and soundman.exe. I installed the programs that I had made, did a scan and they were all infected. Now there is something in here that is detecting a web connection but I don't know where from. :thumbsup:

Thanks quietman.

Keith



#6 quietman7 (Global Moderator)

Posted 23 October 2009 - 07:58 AM

> I connected to the web so I could update Avast database. I did a full scan again and it picked up on the normal files, alcmtr.exe and soundman.exe.

That suggests somewhere along the way, avast included them for detection in their definition updates.

> I installed the programs that I had made did a scan and they were all infected.

Infected with what?

Many anti-virus programs utilize optional heuristic scanning engine features to detect brand new viruses, based on behaviors and coding patterns that infections commonly use.

Heuristic analysis is the ability of an anti-virus program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before it does any harm to your system. Heuristic scanning methods vary depending on the vendor. Some claim to allow emulation of the file's activities in a virtual sandbox. Others scan the file more intensively, searching line by line and inspecting the code in a file to see if it contains virus-like characteristics. If the number of these characteristics/instructions exceeds a pre-defined threshold, the file is flagged as a possible virus.

The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as malicious. With heuristics, there is always a potential risk for a "False Positive" when the heuristic analysis flags a file as suspicious or infected that contains no malware. Reducing the detection sensitivity will minimize the risk but then that increases the possibility for new malware to infect your system.

Get a second opinion, by submitting some of the files to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

Edited by quietman7, 23 October 2009 - 07:58 AM.

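An added check that is not part of this thread, of avast, or of Realtek's software, backing up the advice in posts #2 and #6 (verify a file before deciding the alert is a false positive): compare the installed copies of files such as soundman.exe and alcmtr.exe with the copies on the driver CD they came from, and look at where each executable's entry point lands in its PE sections. Identical bytes on both sides mean the alert is a signature or heuristic decision about the original file (a false positive, or a CD that was bad from the start); a changed hash means something wrote to the file after it was installed, which is what a file infector does. The directory paths are placeholders, and the PE image produced by build_sample_pe is constructed purely to exercise the checks offline; it is not a real driver.

```python
import hashlib
import os
import struct
from pathlib import Path

# PE section characteristic flags (from the PE/COFF specification).
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path (with '/' separators) -> SHA-256 for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def diff_hashes(baseline, current):
    """Classify files by comparing two {relative path: sha256} maps (CD vs. installed)."""
    return {
        "unchanged": sorted(k for k in baseline if current.get(k) == baseline[k]),
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def pe_sections(data):
    """Return (entry_rva, [(name, vaddr, vsize, rsize, flags), ...]) or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return None
    coff = pe + 4
    nsec, = struct.unpack_from("<H", data, coff + 2)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        return None
    entry_rva, = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        flags, = struct.unpack_from("<I", data, off + 36)
        secs.append((name, vaddr, vsize, rsize, flags))
    return entry_rva, secs


def suspicious_entry(data):
    """Generic entry-point heuristics; an empty list means nothing odd.
    Appending infectors commonly leave the entry point in a writable or last
    section, but packers (UPX and friends) trip the same rules, so treat a hit
    as a reason to look closer, not as proof of infection."""
    parsed = pe_sections(data)
    if parsed is None:
        return ["not a PE image"]
    entry_rva, secs = parsed
    home = [i for i, (_, va, vs, rs, _) in enumerate(secs)
            if va <= entry_rva < va + max(vs, rs)]
    if not home:
        return ["entry point outside every declared section"]
    i = home[0]
    name, _, _, _, flags = secs[i]
    reasons = []
    if not flags & IMAGE_SCN_MEM_EXECUTE:
        reasons.append(f"entry section {name} is not executable")
    if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
        reasons.append(f"entry section {name} is writable and executable")
    if len(secs) > 1 and i == len(secs) - 1:
        reasons.append(f"entry point in last section {name}")
    return reasons


def build_sample_pe(entry_rva, sections):
    """Constructed header-only PE32 image (not runnable, not a real driver) for
    exercising the checks above; sections are (name, vaddr, vsize, rsize, flags)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, 0, 0, 0, 0, 0, fl)
                    for n, va, vs, rs, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
```

Typical use on the machine in the thread would be something like `diff_hashes(hash_tree("D:/Audio"), hash_tree("C:/Windows/System32"))` with the CD's driver folder and the installed folder as the two trees, then `suspicious_entry(open(path, "rb").read())` on anything listed as modified. The SHA-256 values can also be searched on VirusTotal directly, which avoids uploading a file that might be a vendor's proprietary binary.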
