Avast has gone mad!!


#1 doublediamond

Posted 20 September 2010 - 03:14 PM

Hopefully someone can help me as you have been most useful before.

My avast seems to have gone stir crazy. It has been for the past hour apparently detecting trojans and malware threats and deleting/moving hundreds of files, some of which I am sure it is not supposed to be moving! I now can't open Adobe Acrobat, tray applications, Picture Manager and a number of other programs. Reinstallation of these programs does not work - I get told there are missing files or installation is already running. I am getting repeated warning messages from these programs which will not go from my screen.
I have run SUPERAntiSpyware, Spybot Search and Destroy and Malwarebytes Anti-Malware with no obvious results.

I am wondering if I have some sort of virus which has attached itself to avast to make it do this. I went briefly into Firefox earlier (I normally use Google Chrome) and this was when the problems started. I operate Windows XP.

I tried copying the virus chest list from avast but it won't let me. The viruses it is alleging are VBS:ExeDropper.gen and Win32:Ramnit-C.

Please let me know if you need any further information and advise me of how I can access this.

Thank you in advance for any assistance you may be able to offer.

Edit: Moved topic from AntiVirus, Firewall and Privacy Products and Protection Methods to the more appropriate forum. ~ Animal

#2 boopme, Global Moderator

Posted 20 September 2010 - 08:50 PM

Hello, whatever we got here, I feel we need to stop everything.

Reboot into Safe Mode with Networking
How to enter safe mode (XP) using the F8 method:
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode with Networking using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.


>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on RKill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
Do not reboot your computer after running RKill as the malware programs will start again. If rebooting is required, run it again.


If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.



Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

#3 quietman7, Global Moderator

Posted 21 September 2010 - 12:59 PM

You may want to get a second opinion by submitting samples of some of those files. Go to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the file(s) and submit (upload) it for scanning/analysis.
-- Post back with the results of the file analysis for boopme to review.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 TimeStamp

Posted 21 September 2010 - 08:30 PM

I had / have a similar problem. -- It's an XP machine that doesn't work with Service Pack 3, but is otherwise up to date from MS.

Avast reported a trojan -- named ExeDropper-gen -- and alternately, a malware attack -- Ramnit-c.

Yesterday it was hitting Firefox.exe.

I ran RKILL from safe mode and ran SAS-999999999.com from safe mode -- three times. And then I ran SAS from the regular window.

SAS found hundreds of infected files the first time, and found 8 bad cookies the second. Then it finally ran clear. I rebooted and reran SAS from the regular window and it was clear too.

I restarted AVAST and I had to reinstall Firefox, since it wouldn't work at all.
New Firefox was running fine, when AVAST reported the same trojan and malware... this time it's attacking IExplore.exe.

Obviously SAS isn't finding all the problems, and the other antimalware I use (Spyware Terminator) isn't finding it either. Rather, it IS finding stuff, eliminating it, and still the problem persists.

FYI: I couldn't download either RKILL or SAS on the infected machine. I had to DL on a clean machine and sneaker-net them to the other machine.

I suppose I could just trash it and do a clean install (assuming I can find my restore disks -- LOL), but I'd rather not. Any ideas??

BTW: I am running AVAST and the Windoze XP Firewall. Apparently that's not good enuf. Any suggestions?

Edited by TimeStamp, 21 September 2010 - 10:25 PM.


#5 quietman7, Global Moderator

Posted 22 September 2010 - 08:53 AM

Welcome to BC, TimeStamp.

If you have an issue or problem you would like to discuss, it is best to start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

However, I'm afraid I have very bad news.

Ramnit-c is the name used by avast for a variant of Win32/Ramnit.A, a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector with IRCBot functionality which infects .exe, .dll and .HTML/HTM files and also opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware. See Understanding virus names.

With this particular infection, which is similar to the Virut virus, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer Ramnit.A remains on a computer, the more files will become infected and corrupt so the degree of infection can vary.

Ramnit.A is commonly spread via a flash drive (usb, pen, thumb, jump) infection which is often contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system

Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).



doublediamond seems to be unsure about his infection which is why I have asked him to upload some samples for analysis so we can confirm.

Edited by quietman7, 22 September 2010 - 08:54 AM.

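A small triage helper, added here as an example (it is not from any post in this thread or from BleepingComputer), that walks a folder for .htm/.html pages carrying a VBScript block and prints their SHA-256 hashes so the files can be submitted to Jotti or VirusTotal for the second opinion quietman7 asked for. The VBScript-block heuristic is an assumption for illustration, not a published Ramnit signature, and the sample pages it scans are constructed in a scratch directory.

```python
import hashlib
import os
import re
import tempfile

# Heuristic only (an assumption, not a vendor signature): a static .htm/.html page
# that carries a VBScript <script> block deserves a second opinion from a
# multi-engine scanner, given that the infected pages were flagged as VBS:ExeDropper.gen.
VBS_BLOCK = re.compile(r"<script[^>]*language\s*=\s*[\"']?vbscript", re.IGNORECASE)
TARGET_EXT = {".htm", ".html"}


def sha256_of(path):
    """Hash the file in chunks so large pages need not be held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk root; return [{'name', 'path', 'sha256'}] for each page matching the heuristic."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in TARGET_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                text = f.read().decode("latin-1")  # lossless decode, enough for tag matching
            if VBS_BLOCK.search(text):
                findings.append({"name": name, "path": path, "sha256": sha256_of(path)})
    return findings


def build_samples(root):
    """Constructed samples: a clean page, a page with a VBScript block, a non-HTML file."""
    samples = {
        "clean.html": "<html><body><p>Nothing unusual here.</p></body></html>",
        "suspect.htm": "<html><body><p>Page text</p><SCRIPT Language=VBScript>"
                       "<!-- constructed placeholder, no code --></SCRIPT></body></html>",
        "notes.txt": "<script language=vbscript> ignored: not an HTML extension",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as f:
            f.write(body)


def demo():
    """Build the constructed samples in a scratch directory and triage them."""
    with tempfile.TemporaryDirectory() as scratch:
        build_samples(scratch)
        return scan_tree(scratch)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['sha256']}  {hit['name']}  (submit to a multi-engine scanner)")
```

Point scan_tree at a real folder (for example the user's documents directory) to get the list of pages worth uploading; an empty list only means the heuristic found nothing, not that the machine is clean.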

#6 doublediamond (Topic Starter)

Posted 22 September 2010 - 12:53 PM

Thank you, quietman.

After battling for days and getting nowhere, being unable to access the internet and unable to run programs downloaded onto other computers and copied, I finally gave up and took the PC to the doctor this morning.

He has confirmed your bad news - he, an expert, was unable to remove the virus and so it is being reformatted, rebooted and reinstalled as we speak.

Would love to know how I got it in the first place as I am so thorough with anti-virus software etc.

Ah well, beans on toast for the next fortnight.

Thank you to everyone for their help.

#7 quietman7, Global Moderator

Posted 22 September 2010 - 01:12 PM

You're welcome and good luck.

Would love to know how I got it in the first place as I am so thorough with anti virus software etc

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection which is often contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

Please read How Malware Spreads - How did I get infected which explains the most common ways malware is contracted and spread.