Malware infected PC and not detected by AV (Avira Internet Security 2012)

Discussion in 'Windows XP / Older OS' started by gabris[LT], Nov 13, 2011.

  1. gabris[LT]

    gabris[LT] MDL Senior Member

    Nov 6, 2010
    434
    243
    10
    Hello, my notebook was infected by a stupid malware, well, how stupid :D I thought it was real and checked with Hiren's BCD and all hardware seemed to be fine... no recent software installs, AV is Avira Internet Security 2012, database is up to date... So, symptoms were:
    1. Empty start menu (it was disabled, except turn off/log off buttons).
    2. Empty desktop, sometimes black, sometimes grey wallpaper (it disabled desktop).
    3. Disabled task manager.
    4. A lot of messages saying that my hardware seems to fail, by software called "system restore"; if you look at the photo, in the lower left corner you'll see a button "press to buy".
    5. And of course, all files were hidden, so my docs and local disks were empty... it also reported that my hard drive is full... it actually had 3gb out of 40gb.

    So be aware of that malware! I'm attaching screen shots I made.

    Virus is 2 .exe files located in All Users/App Data and boot entry.
    No fresh software installations were made.


    So, I deleted the virus, but I'm still encountering a few problems:
    1. Skype goes off (process gets killed 10s after it gets connected).
    2. Sometimes receiving "Write file delayed in windows".
    I have scanned the PC with AV, no viruses at all, and checked AV with a keygen, it detected it :D
    I still have one virus process saved on the PC, but I zipped it.
     


  2. stayboogy

    stayboogy MDL Addicted

    May 1, 2011
    710
    116
    30
  3. stevengw

    stevengw MDL Novice

    Mar 10, 2011
    7
    0
    0
    programs for security can only find malware or viruses that are listed in their database! if it's not there it's not detected...
     
  4. gabris[LT]

    gabris[LT] MDL Senior Member

    Nov 6, 2010
    434
    243
    10
    #4 gabris[LT], Nov 14, 2011
    Last edited: Nov 14, 2011
    (OP)
    thanks for help, because of spybot my system won't boot anymore (because of BSOD), oh and yes spybot found only 1 virus, "Disabled Help in start menu". second time I use spybot, second time it gets my system to unrecoverable BSOD :)
     
  5. gabris[LT]

    gabris[LT] MDL Senior Member

    Nov 6, 2010
    434
    243
    10
    #5 gabris[LT], Nov 14, 2011
    Last edited: Nov 14, 2011
    (OP)
    I can do partitioning from windows text mode setup :)

    So the failure was caused by a347bus.sys.
     
  6. stayboogy

    stayboogy MDL Addicted

    May 1, 2011
    710
    116
    30
    spybot alone won't BSOD your machine... there's something else wrong somewhere then... did you use malwarebytes???

    and @stevengw, just because something isn't in a program's database does not mean it won't be found. there are technically very few, hardly any in fact, totally new viruses. most are edits and reconstructions of already known and old ones and yes programs will and do often find them because they so closely resemble the ones they are made from...
     
  7. gabris[LT]

    gabris[LT] MDL Senior Member

    Nov 6, 2010
    434
    243
    10
    #7 gabris[LT], Nov 14, 2011
    Last edited: Nov 14, 2011
    (OP)
    Yes, I have used malwarebytes. Recovered system from recovery console... with chkdsk /r, getting "delayed write failed" on firefox and AV temporary files. Will check SMART diagnostics online using speedfan. So.. you suspect the virus is in my MBR? :) As far as I remember there was an Avira DOS MBR checking utility...
    Also, some viruses like to use System Restore, so I will say before the question is asked, it's been off since the time windows was installed :)

    And some unknown resource is using internet explorer, and malwarebytes blocks access to that IP because it suspects it as malware. Other processes seem to be normal, nothing abnormal in the autostart list.
    Oh, and some stuff blocked malwarebytes.

    Using process explorer I found an interesting thing.. Svchost.exe (not a virus, directory system32) -> IEXPLORE.EXE and wmiprvse.exe services running; if I stop IEXPLORE it relaunches after a minute...
    and only the realtime protection of malwarebytes is blocked.

    HDD physically is O.K.
    Delayed write failed became more rare.
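
The process-tree observation in the post above (IEXPLORE.EXE sitting under svchost.exe and coming back after being stopped) can be turned into a repeatable check. The following is an added example, not part of the original thread: the `Proc` records and `SNAPSHOTS` are constructed sample data, and `EXPECTED_PARENTS` is an assumed baseline for a desktop machine.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")

# Constructed process snapshots (seconds, process list); not data from the thread.
BASE = [Proc(4, 0, "System"), Proc(620, 4, "services.exe"),
        Proc(880, 620, "svchost.exe"), Proc(2100, 880, "wmiprvse.exe"),
        Proc(1500, 1480, "explorer.exe"), Proc(2300, 1500, "firefox.exe")]
SNAPSHOTS = [
    (0,  BASE + [Proc(2040, 880, "IEXPLORE.EXE")]),
    (30, BASE),                                    # operator killed PID 2040
    (90, BASE + [Proc(3120, 880, "IEXPLORE.EXE")]),
]

# Assumed baseline: a browser the user opened is a child of the desktop shell.
EXPECTED_PARENTS = {"iexplore.exe": {"explorer.exe"},
                    "firefox.exe": {"explorer.exe"}}

def odd_parents(procs):
    """Return (name, pid, parent_name) for browsers not started from the shell."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        expected = EXPECTED_PARENTS.get(p.name.lower())
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else "<exited>"
        if pname not in expected:
            hits.append((p.name, p.pid, pname))
    return hits

def respawns(snapshots, image):
    """Return (gone_at, back_at, new_pid) each time image vanishes and returns."""
    events, seen, gone_at = [], set(), None
    for t, procs in snapshots:
        pids = {p.pid for p in procs if p.name.lower() == image.lower()}
        if seen and not pids and gone_at is None:
            gone_at = t
        for pid in sorted(pids - seen):
            if gone_at is not None:
                events.append((gone_at, t, pid))
        if pids:
            gone_at = None
        seen |= pids
    return events

if __name__ == "__main__":
    print(odd_parents(SNAPSHOTS[0][1]))        # browser under a service host
    print(respawns(SNAPSHOTS, "iexplore.exe"))  # killed, then back with new PID
```

A hit is a lead rather than a verdict: a browser launched through COM automation also shows a service host as its parent, so the next step is to find what requested the launch.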
     
  8. gabris[LT]

    gabris[LT] MDL Senior Member

    Nov 6, 2010
    434
    243
    10
    Yup, I really don't have backup.
    Firewall is included in my Avira AV :)
     
  9. gabris[LT]

    gabris[LT] MDL Senior Member

    Nov 6, 2010
    434
    243
    10
    I can see a lot of pink space in my future... :ball2:

    if you don't understand right click on local disk in xp and select properties :D
    But... you're right it will be fresh and clean and almost genuine(I'm using image written to usb) install :D
     
  10. 911medic

    911medic MDL Guru

    Aug 13, 2008
    5,778
    490
    180
  11. double_kill

    double_kill MDL Member

    Oct 10, 2011
    100
    4
    10
    Get avast! It kills all viruses. Or get win 7 and then avast! ;)
     
  12. burfadel

    burfadel MDL EXE>MSP/CAB

    Aug 19, 2009
    2,628
    3,839
    90
    Fully wiping your disk, in terms of Microsoft supplied applications, is achieved by using the 'clean all' command in diskpart. Use with caution though, if you select the wrong disk using 'select disk' (list of disks can be viewed by typing 'list disk'), you will lose all the data on that drive and it is NOT!! recoverable using any means. The 'clean all' command zeroes all parts of the disk, including partition, boot, and data area.

    Of course, since it is a disk based command and not a partition based command, you will lose any data on any other partitions on the same physical disk. Other disks in your system, if present, may be infected and can therefore reinfect the main partition after a reinstall.

    Malwarebytes, Spybot, SuperAntiSpyware etc are anti-malware programs, malware is different to a virus but can be just as intrusive or harmful (or be almost or completely 'harmless').

    Some people insist on not running an antivirus because 'they've never been infected'. How would they know? As soon as you get an external source to your computer you're at risk, whether it's LAN, wireless connection, Bluetooth, flash drives, a CD/DVD someone burned etc. You could visit only perfectly safe websites, but the ads linked in those websites may contain a virus or other code, and this has happened many times before. Simply having an IP address, which in most cases these days is redirected to a virtual IP address (192.168.x.x such as connecting to a wireless network, even through a home router) you are open to attack.

    Another common mistake is people having antiviruses, but having the on-access protection (or internet protection) etc disabled. Yes, it does slow things down a tiny bit, because it's doing its job! Typically most viruses are picked up using on-access protection, but this does not mean to say you shouldn't run the occasional full scan on your computer. Keeping virus definitions and software (anti-viruses, Windows, 'file openers' like Office or Acrobat Reader etc) up to date is vitally important.
     
  13. burfadel

    burfadel MDL EXE>MSP/CAB

    Aug 19, 2009
    2,628
    3,839
    90
    Avast and Avira are both really good, if you have Avira IS 2012, stick with it :) just ensure updatedness, on-access protection etc.
     
  14. gabris[LT]

    gabris[LT] MDL Senior Member

    Nov 6, 2010
    434
    243
    10
    I've been using Avira for almost 2 years, and it's the first problem, I will stick with Avira. I will use the HDD manufacturer's low level format utility. Wow, recommendations about W7 killed me, I haven't even told the PC specs.
    HP/Compaq NC6000
    Intel P4 1.7/Dothan
    1GB DDR333.
     
  15. stayboogy

    stayboogy MDL Addicted

    May 1, 2011
    710
    116
    30
    Avira is good, but they are supporting third party garbageware these days so i don't recommend them at all anymore. i use avast, but i only let it install file system shield, web shield, and behavior shield because the rest of the stuff only slows things down and is completely unneeded...
     
  16. stayboogy

    stayboogy MDL Addicted

    May 1, 2011
    710
    116
    30
    with those specs i would use Thin PC--i have an install that uses only 348mb at idle in vmware, that's with unused services disabled of course.

    my home premium uses 600-800mb at idle (again with unused services disabled) and if you only have 1GB of RAM, using something like Avast will kill your performance running a full 7 setup, it won't be enjoyable...
     
  17. gabris[LT]

    gabris[LT] MDL Senior Member

    Nov 6, 2010
    434
    243
    10
    #17 gabris[LT], Nov 16, 2011
    Last edited: Nov 16, 2011
    (OP)
    what version are you using? free or paid?
    I would agree... and avira IS 2012 doesn't need high resources, full internet security, and I don't have any performance problems :)

    I don't know about RAM usage, but it will be about 150mb, my page file is 2.5gb. :) unneeded stuff like services are off or uninstalled.
     
  18. stayboogy

    stayboogy MDL Addicted

    May 1, 2011
    710
    116
    30
    which do you mean? i use avast free, will never use avira again, whether free or paid. and there is never any reason to use a paid security program, that is not until there are no more decent free ones available which i don't think is going to happen any time soon.

    and i was talking about OS RAM usage, not the virus program. you said you only had one 1GB RAM, and regardless your virtual memory size, 1GB is barely enough to run 7 and a good AV like Avast (that is if you install the whole program and have all parts working all the time). Avira won't slow it down with only 1GB of RAM because when that's all i had that's what i used and it was fine, but still it was not enjoyable because the OS was still slow with only 1GB of actual RAM regardless what size my virtual RAM was...

    but 7 Thin PC uses much less RAM at idle and when using several apps, and if you were going to use something good like Avast (all or some of it) then this would be a wiser OS to use in my opinion / experience if you wanted to upgrade from XP and didn't want to deal with any high usage of your low RAM availability...

    or you can just use XP, whichever is up to you, but i think you would like Thin PC. personally if i still only had 1GB of RAM i would use 7 Thin PC over full 7 or XP--but to each his own. i do love XP but i can honestly say that after using 7 for so long now, i wouldn't go back. other than being buggy, 7 way surpasses Vista and it's way prettier and sleeker styled than XP is capable of being even with fake aero themes...
     
  19. gabris[LT]

    gabris[LT] MDL Senior Member

    Nov 6, 2010
    434
    243
    10
    #19 gabris[LT], Nov 16, 2011
    Last edited: Nov 16, 2011
    (OP)
    OK. I will check in google for this thin PC :D how much RAM/CPU thin PC uses at idle?


    Installed, configured seems great, performance almost like XP, Disabled unneeded services, installed AV, Skype, Firefox. At idle with firefox, skype and full AV on, 600mb RAM/680Virtual RAM, stable, great performance :D even in youtube loads 720p without any problems. :D
    And the only question... ACTIVATION.
     
  20. stayboogy

    stayboogy MDL Addicted

    May 1, 2011
    710
    116
    30
    #20 stayboogy, Nov 16, 2011
    Last edited: Nov 16, 2011