
Solved AVG finds virus after format

Discussion in 'Malware and Virus Removal Archive' started by David C, 2008/07/03.

  1. 2008/07/03
    David C

    David C Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    56
    Likes Received:
    0
    [Resolved] AVG finds virus after format

    Hello,
    I recently reformatted my friend's PC & reinstalled XP; with help from this forum, it seems to have been successful.
    I connected online straight after & installed all Windows updates plus SP2.
    I then downloaded AVG Free Edition, updated it & scanned.

    Problem is, it's found several instances of Win32/Virut, which the PC had before the reformat.
    But all of the files it found the virus on should no longer be on the PC.
    They are not in Add/Remove Programs but are in the Program Files folder.
    Can I safely delete the folders?
    The PC is working fine and the Microsoft Malicious Software Removal Tool doesn't find anything, but has it in its database.

    AVG has moved some to the vault but not all; can I click "Remove all unhealed infections"?


    Grateful for any advice

    thanks
     
  2. 2008/07/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Virut is a real nasty. Are you quite sure you formatted rather than doing a re-install or repair install? A complete format should indeed remove all traces of the infection.

    Another possibility would be the virus was re-introduced via a backup or removable media, such as a usb stick. Have you scanned those?
     


  4. 2008/07/05
    David C

    David C Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    56
    Likes Received:
    0
    Thank you for your reply.
    I have run several virus scans & the problem is only being detected now in C:\System Volume Information\_restore{C81etc.....

    I think I must have only done a repair instead of full format.

    I ran DrWeb CureIt (In safe mode with system restore turned off) & it found & cured several, all in the above folder.

    I then turned System restore back on after rebooting

    I have just run BitDefender & it found 5 cases, all in the same place (with different names); it said it deleted them.

    I have now turned off System Restore & rebooted.

    Any advice? Should I run them both again?

    By the way, the PC is working fine up to now.

    Thanks, David
     
  5. 2008/07/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If you actually turn system restore off, all restore points are deleted. If anything infected is found in system restore after turning it back on, it means there is an infected file still on your computer that is being backed up into system restore.

    To be sure, below is how to clean out restore points.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply to turn System Restore back on. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.


    Recommend you scan with Kaspersky too.

    Please scan with Kaspersky WebScanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log and a fresh HijackThis log to this topic.
     
  6. 2008/07/05
    David C

    David C Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    56
    Likes Received:
    0
    Thank you very much.
    I'm doing as you ask; I'll post back when finished.

    David
     
  7. 2008/07/05
    David C

    David C Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    56
    Likes Received:
    0
    Here is the Kaspersky log.
    Looks like it was locked; took about 1 hour though.
    Please advise; I followed all the above instructions.

    Doing hijackthis now, log to follow

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, July 05, 2008 12:32:39 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 3 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 5/07/2008
    Kaspersky Anti-Virus database records: 915351
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 52332
    Number of viruses found: 0
    Number of infected objects: 0
    Number of suspicious objects: 0
    Duration of the scan process: 01:07:20

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea563f5ed0b8ea72081a19b9b561dd25_85d959a8-2be4-46a0-8e24-b52ae23d90d4 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\emc\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\avgcore.log Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\avglng.log Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\avgrs.log Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\avgsched.log Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\avgsrm.log Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\avgui.log Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\avgwd.log Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8\Log\commonpriv.log Object is locked skipped
    C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Windows Defender\Support\MPLog-07042008-061246.log Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner.D-GSSZN12CX8ETJ\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Owner.D-GSSZN12CX8ETJ\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Owner.D-GSSZN12CX8ETJ\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner.D-GSSZN12CX8ETJ\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{0FFE426F-BD7C-4713-A4E3-42134B37EDEC} Object is locked skipped
    C:\Documents and Settings\Owner.D-GSSZN12CX8ETJ\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner.D-GSSZN12CX8ETJ\Local Settings\Temp\hsperfdata_Owner\1200 Object is locked skipped
    C:\Documents and Settings\Owner.D-GSSZN12CX8ETJ\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Owner.D-GSSZN12CX8ETJ\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner.D-GSSZN12CX8ETJ\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Owner.D-GSSZN12CX8ETJ\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{83B8277C-8A38-4B65-B9E3-C332754D5895}\RP1\change.log Object is locked skipped
    C:\System Volume Information\_restore{C81B72E3-B3A1-48F4-85EC-A2BA1C7F4906}\RP1\A0003249.exe Object is locked skipped
    C:\System Volume Information\_restore{C81B72E3-B3A1-48F4-85EC-A2BA1C7F4906}\RP1\A0004255.exe Object is locked skipped
    C:\System Volume Information\_restore{C81B72E3-B3A1-48F4-85EC-A2BA1C7F4906}\RP1\A0004447.exe Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{0C341C44-F1E4-47C6-B129-6207AEE81D49}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
     
  8. 2008/07/05
    David C

    David C Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    56
    Likes Received:
    0
    Here is the HJT log


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:44:00 PM, on 7/5/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
    C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe "
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214948914546
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

    --
    End of file - 4644 bytes
     
  9. 2008/07/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks great. It's not at all uncommon for objects to be locked. Just means they were in use and inaccessible to the scanner. You can see also in the scan results that there is now only 1 System Restore point.

    C:\System Volume Information\_restore{C81B72E3-B3A1-48F4-85EC-A2BA1C7F4906}\RP1

    The only way to get an RP1 is to remove them all and set a new one, which means the above procedure was successful. Keep an eye on things and post back if AVG again finds virut.
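
    Two checks from this thread lend themselves to a small script rather than reading a long report by eye: "Object is locked skipped" lines are not detections and should be filtered out, and a System Restore tree in which every path sits under RP1 is the state left behind by turning System Restore off and back on. The Python below is an added example, not code from the thread, AVG or Kaspersky. The sample report is an excerpt of the Kaspersky Online Scanner report posted above, plus one constructed detection line (A0004500.exe) whose "Infected: <name> skipped" layout is assumed from that scanner's text reports.

```python
"""Triage a Kaspersky Online Scanner text report: separate locked objects from
real detections and check the System Restore folder for the 'RP1 only' state."""
import re
from collections import defaultdict

# System Restore layout on Windows XP:
#   <drive>:\System Volume Information\_restore{GUID}\RP<n>\...
_RP_RE = re.compile(
    r"\\System Volume Information\\_restore\{([0-9A-Fa-f-]+)\}\\RP(\d+)\\",
    re.IGNORECASE,
)

# One report line: a path followed by the scanner's status text.
# "Object is locked skipped" means the file was in use, not that it is infected.
# The "Infected: <name> <action>" shape is an assumption about the report format.
_LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<status>Object is locked skipped|"
    r"Infected: (?P<name>.+?) (?:skipped|deleted|disinfected))$"
)

# Constructed sample: lines from the report posted in this thread plus one
# made-up detection line (A0004500.exe) to show how a real hit is reported.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{83B8277C-8A38-4B65-B9E3-C332754D5895}\RP1\change.log Object is locked skipped
C:\System Volume Information\_restore{C81B72E3-B3A1-48F4-85EC-A2BA1C7F4906}\RP1\A0003249.exe Object is locked skipped
C:\System Volume Information\_restore{C81B72E3-B3A1-48F4-85EC-A2BA1C7F4906}\RP1\A0004255.exe Object is locked skipped
C:\System Volume Information\_restore{C81B72E3-B3A1-48F4-85EC-A2BA1C7F4906}\RP1\A0004447.exe Object is locked skipped
C:\System Volume Information\_restore{C81B72E3-B3A1-48F4-85EC-A2BA1C7F4906}\RP1\A0004500.exe Infected: Virus.Win32.Virut.q skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""


def parse_report(text):
    """Return (path, kind, detail) tuples; kind is 'locked' or 'infected'.
    Header, blank and summary lines do not match and are dropped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group("status").startswith("Object is locked"):
            entries.append((m.group("path"), "locked", None))
        else:
            entries.append((m.group("path"), "infected", m.group("name")))
    return entries


def detections(entries):
    """Real detections only; the locked-object noise is filtered out."""
    return [(p, name) for p, kind, name in entries if kind == "infected"]


def restore_points(entries):
    """Map each _restore{GUID} tree to the sorted list of RP numbers seen in it."""
    seen = defaultdict(set)
    for path, _, _ in entries:
        m = _RP_RE.search(path)
        if m:
            seen[m.group(1).upper()].add(int(m.group(2)))
    return {guid: sorted(rps) for guid, rps in seen.items()}


def only_rp1(entries):
    """True when every restore point in the report is RP1: the state produced by
    turning System Restore off (purging old points) and back on."""
    rps = restore_points(entries)
    return bool(rps) and all(nums == [1] for nums in rps.values())


def restore_point_detections(entries):
    """Detections inside System Restore. A hit here after a purge means a live
    infected file elsewhere on disk is being backed up into the new point."""
    return [(p, n) for p, n in detections(entries) if _RP_RE.search(p)]


if __name__ == "__main__":
    ents = parse_report(SAMPLE_REPORT)
    print(f"{len(ents)} objects, {len(detections(ents))} real detection(s)")
    print("restore points:", restore_points(ents))
    print("only RP1 present:", only_rp1(ents))
    for path, name in restore_point_detections(ents):
        print("backed-up infected file:", name, path)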
     
  10. 2008/07/05
    David C

    David C Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    56
    Likes Received:
    0
    Thanks for your help, much appreciated.
    While Kaspersky was scanning "System Volume Information", AVG popped up with a warning about Virut in the files; it said "found on opening". I clicked remove threat, but it said it could not heal. This also happened last night when Windows Defender was running a scheduled scan (Defender also found nothing).

    Could this just be an AVG thing?
     
  11. 2008/07/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Very odd. :confused:

    Recommend you boot to safe mode and run a full system scan with AVG. If it reports anything as infected, see if you're able to get specifics.
     
  13. 2008/07/05
    David C

    David C Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    56
    Likes Received:
    0
    Thanks
    In safe mode, AVG brings up "Command Line Composer". It gives you scan options but I can't see a way of actually starting the scan. I'll have a Google on my laptop & see if I can figure it out.
     
  14. 2008/07/06
    David C

    David C Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    56
    Likes Received:
    0
    Hello,
    Still can't work out how to run AVG in safe mode.
    Ran the removal tool; no threats found.
    But when Windows Defender was doing a scheduled scan, AVG popped up with this:

    Win32\Virut
    C:\System volume information\_restore{C81B72E3-B3A1-48F4-85EC-A2BA1C7F4906}\RP1\A0003249.exe

    I clicked on "Move to Vault".

    It looks like it's hiding somewhere & jumps into System Restore when you turn it on.

    There's a lot of these nasties in the AVG vault now; is there any way they could be executing from there?
     
  15. 2008/07/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's see if we can see what's getting backed up in System Restore that isn't being found in the Operating system. Download GMER

    Unzip it to the desktop.

    Open the program and click on the Rootkit tab.
    Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
    Click on Scan.
    When the scan has completed, click Copy and paste the results (if any) into this topic.
     
  16. 2008/07/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    So that you know, some info regarding safe mode scanning with AVG.

    http://free.avg.com/ww.faq.num-1305#faq_1305
    From the manual, which can be downloaded here (pdf),

     
  17. 2008/07/06
    David C

    David C Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    56
    Likes Received:
    0
    Scanning with GMER now
    will post when finished

    thanks
     
  18. 2008/07/06
    David C

    David C Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    56
    Likes Received:
    0
    GMER Log:

    I turned off System Restore for a while & ran a Windows Defender scan to see if AVG popped up (it didn't).
    I turned it on again before I ran GMER.



    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-07-06 16:31:31
    Windows 5.1.2600 Service Pack 3


    ---- Devices - GMER 1.0.14 ----

    Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.14 ----
     
  19. 2008/07/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's have a look at the files AVG keeps quarantining. :)

    First, create a new folder on your desktop named infected
    • Open the AVG interface, then click Tools>Advanced Settings
    • Select Resident Shield in the left pane tree
    • In the main window, uncheck Enable Resident Shield
    • Click Apply then OK
    • Click History>Virus Vault
    • Select several of the quarantined items then click Restore As
    • Browse to and select the infected folder then click OK
    • Click OK to exit the vault
    • Minimize AVG then right click the infected folder on your desktop and select Send To>Compressed (Zipped) Folder
    • This will create infected.zip on your desktop
    • Please upload that zip file to my submission channel for analysis. Leave a link back to this topic.
    • Once submitted, bring AVG back up and re-enable the Resident Shield
     
  20. 2008/07/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Oh, I also meant to say;

    Once uploaded, you can delete the infected folder and zip, then empty the recycle bin. ;)
     
  21. 2008/07/06
    David C

    David C Inactive Thread Starter

    Joined:
    2003/03/11
    Messages:
    56
    Likes Received:
    0
    OK,
    file submitted for analysis.
     
