Prevx isn't permanently cleaning

Discussion in 'Prevx Releases' started by enchant, Dec 10, 2009.

Thread Status:
Not open for further replies.
  1. enchant (Registered Member, joined Aug 30, 2009, 26 posts)
    My system is infected, but Prevx can't clean it. Here are the symptoms.

    It's regularly popping up a "Malware Blocked" alert telling me that it automatically blocked a High Risk Cloaked Malware infection. The file is always:
    C:\windows\temp\abcd.tmp\svchost.exe
    where "abcd" is some random 4 letters.

    I'll run a scan with Prevx. A couple of times, it's actually found something. I shut down everything and disco from the net, let it finish, reboot and rescan (this time clean). But invariably, the Malware alert pops up again.

    Several times, while scanning, it's hung. Generally at 63%. Right now, it appears to be hung at 98% while Analyzing Scan Results.

    I'm not sure what to do at this point.
     
  2. tobacco (Frequent Poster, joined Nov 7, 2005, 1,497 posts, British Columbia)
    It's in the Windows folder, so it has to be removed between reboots. Download a freebie like File Assassin or Unlocker and use it to remove that folder\file. You may have to enable show all files\folders in folder options first.
     
  3. Fajo (Registered Member, joined Jun 13, 2008, 1,812 posts)
    This AV is cloud based; you have to be connected to the web while it scans and cleans. This way it can get the info needed to remove the infection. That is also why it is hanging at 63 and 98%: it can't connect to its database to figure out how to remove it.
     
  4. enchant (Registered Member, joined Aug 30, 2009, 26 posts)
    When it hangs, it actually IS connected. The only time I'm not connected is when Prevx tells me specifically to disconnect before continuing.
     
  5. enchant (Registered Member, joined Aug 30, 2009, 26 posts)
    ...use it to remove *which* file/folder?
     
  6. Fajo (Registered Member, joined Jun 13, 2008, 1,812 posts)
    Might want to try Safe Mode with Networking enabled. Hit F8 before Windows starts to bring up the boot menu. If all else fails, maybe Joe (PrevxHelp) knows what's going on.
     
  7. enchant (Registered Member, joined Aug 30, 2009, 26 posts)
    Thanks, Fajo.

    FWIW, it seems that most of the time that Prevx blocks one of these files and turns red, once I do a scan, it finds nothing and goes green again.

    I've got another machine that I use as a file server. I can connect this drive to it, but it doesn't have Prevx installed. Is there anything I could do using that setup?
     
  8. Fajo (Registered Member, joined Jun 13, 2008, 1,812 posts)
    It could be something that Prevx is only seeing the traces of. I really would not connect anything else to the computer. Your best option is to wait for Joe (PrevxHelp) to log on here, as he could probably take a look at the scan logs and find out what's going on for you. If it happens again, save the scan log and send it to report@prevxresearch.com and post the subject that you sent it as here. It will make it easy for Joe to take a look and get back to you on it.

    To save scan log go to

    Tools > Save Scan Log (do this when it pops up infected). Send that off to Prevx. Make sure you put something in the title referencing it.
     
    Last edited by a moderator: Dec 11, 2009
  9. tobacco (Frequent Poster, joined Nov 7, 2005, 1,497 posts, British Columbia)
    Yes, good advice.

    While you're waiting, you could upload that file here - http://www.virustotal.com/ to see if it's a false positive or not.
     
  10. enchant (Registered Member, joined Aug 30, 2009, 26 posts)
    Upload which file?

    FWIW, I've noticed that this is happening every five minutes exactly.
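    The two facts enchant has reported so far, an svchost.exe blocked under C:\windows\temp\<4 letters>.tmp\ and a recurrence every five minutes exactly, are the kind of thing a defender can check mechanically rather than by watching the tray icon. The Python below is an added example, not code from the thread, from Prevx or from any poster; the alert line layout and all five sample lines are constructed, since no real log is shown, and the set of legitimate svchost.exe folders is an assumption about a 32/64-bit Windows install.

```python
import re
from datetime import datetime

# Constructed sample alerts modelled on the poster's description. The real
# Prevx log format is not shown in the thread, so this line layout is assumed.
SAMPLE_ALERTS = """\
2009-12-10 21:05:00 Malware Blocked High Risk Cloaked Malware C:\\windows\\temp\\qzpa.tmp\\svchost.exe
2009-12-10 21:10:00 Malware Blocked High Risk Cloaked Malware C:\\windows\\temp\\lkwe.tmp\\svchost.exe
2009-12-10 21:15:00 Malware Blocked High Risk Cloaked Malware C:\\windows\\temp\\mnbv.tmp\\svchost.exe
2009-12-10 21:20:00 Malware Blocked High Risk Cloaked Malware C:\\windows\\temp\\asdf.tmp\\svchost.exe
2009-12-10 21:21:13 Malware Blocked High Risk Cloaked Malware C:\\temp\\setup.exe
"""

LINE_RE = re.compile(r"^(\S+ \S+) Malware Blocked .*? ([A-Za-z]:\\.*)$")
# Assumed legitimate homes for svchost.exe (System32, plus SysWOW64 on 64-bit Windows).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# The exact pattern the poster reports: a 4-letter .tmp folder under windows\temp.
TEMP_DROPPER_RE = re.compile(r"^c:\\windows\\temp\\[a-z]{4}\.tmp\\svchost\.exe$", re.I)

def parse_alerts(text):
    """Return (timestamp, path) pairs for every line that matches LINE_RE."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return out

def masquerading_svchost(path):
    """True if the path is an svchost.exe living anywhere but its legitimate folders."""
    p = path.lower()
    return p.endswith("\\svchost.exe") and p.rsplit("\\", 1)[0] not in LEGIT_SVCHOST_DIRS

def periodic_interval(timestamps, tolerance_s=5):
    """The common gap in seconds if every consecutive gap agrees within tolerance, else None."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2:
        return None
    return gaps[0] if all(abs(g - gaps[0]) <= tolerance_s for g in gaps) else None

def triage(text):
    """Count alerts matching the thread's symptom and test whether they recur on a fixed clock."""
    events = parse_alerts(text)
    suspicious = [(t, p) for t, p in events if masquerading_svchost(p)]
    dropper = [t for t, p in suspicious if TEMP_DROPPER_RE.match(p)]
    return {"total": len(events), "masquerading_svchost": len(suspicious),
            "temp_dropper_hits": len(dropper), "interval_s": periodic_interval(dropper)}
```

    A fixed interval across several blocked copies means something still on the machine (or reachable from it) is re-creating the file on a timer, which is why a scan that comes back green right after a block does not mean the cause is gone.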
     
  11. Habakuck (Registered Member, joined May 24, 2009, 544 posts)
    That is definitely no FP! :ninja:

    look at the filename.

    I think it is a Backdoor!


    enchant, disconnect your PC from the internet!

    Change ALL internet passwords using a clean PC! That is very important!

    Wait for Joe's advice and do not use the infected PC until you are in contact with the PrevX support.
     
  12. enchant (Registered Member, joined Aug 30, 2009, 26 posts)
    Ok, I've booted up off of another drive.

    Before doing so, I pulled my ethernet cable, and over five minutes went by and no prevx malware warning came up, so it definitely seems internet related.
     
  13. Fajo (Registered Member, joined Jun 13, 2008, 1,812 posts)
    Keep in mind, if you did this while no internet connection was available, Prevx can't check against its database.
     
  14. enchant (Registered Member, joined Aug 30, 2009, 26 posts)
    Are you saying that this is why Prevx wasn't reporting errors?
     
  15. Fajo (Registered Member, joined Jun 13, 2008, 1,812 posts)
    If no internet connection is present while Prevx is scanning, it can't check it against its database, since it's purely on their servers.
     
  16. Fajo (Registered Member, joined Jun 13, 2008, 1,812 posts)
    Also, are you using Full Scan instead of Quick Scan?
     
  17. enchant (Registered Member, joined Aug 30, 2009, 26 posts)
    Please pardon my ignorance, but I don't know. When Prevx is up, there's a big blue button at the bottom
    "Scan My PC Now >>"
    I don't see an option for quick or full.

    However...

    Since I'm a bundle of nerves at this point and can't wait for Joe, I needed to do something. I booted up my healthy drive with the infected one mounted. Then I loaded the free version of Prevx on it and did a scan. On the infected drive, it DID find an infected file "C:\windows\system32\drivers\atapi.sys". I deleted this file and copied a fresh one from my good drive, then booted up on it.

    It's been over 15 minutes and no problems. But I know this probably means little. Perhaps when the external internet hacker sees that it can't get in, it automatically puts itself on hold for an hour or something. But I'm hopeful.
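    The cross-check enchant did by hand (boot a clean drive, mount the suspect one, replace atapi.sys from a known-good copy) can be done systematically by hashing the driver directory on both drives and listing every file that differs or exists only on the suspect side. This is an added example, not code from the thread or from Prevx; the two drive roots and the file contents are constructed stand-ins, and a real run would point the roots at the mounted clean and suspect volumes.

```python
import hashlib
import os
import tempfile

# Where the thread's finding lived; joined this way so the demo also runs off Windows.
DRIVERS_SUBDIR = os.path.join("windows", "system32", "drivers")

def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large drivers are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def compare_trees(clean_root, suspect_root, subdir=DRIVERS_SUBDIR, exts=(".sys", ".exe", ".dll")):
    """Hash matching files under <root>/<subdir> on both drives. Returns
    {relative_path: (clean_hash, suspect_hash)} for files that differ or exist
    only on the suspect drive (clean_hash is None in that case)."""
    clean_dir = os.path.join(clean_root, subdir)
    suspect_dir = os.path.join(suspect_root, subdir)
    diffs = {}
    for dirpath, _, files in os.walk(suspect_dir):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            spath = os.path.join(dirpath, name)
            rel = os.path.relpath(spath, suspect_dir)
            cpath = os.path.join(clean_dir, rel)
            shash = sha256_file(spath)
            chash = sha256_file(cpath) if os.path.isfile(cpath) else None
            if chash != shash:
                diffs[rel] = (chash, shash)
    return diffs

def build_demo():
    """Constructed stand-in for the two drives: identical drivers except atapi.sys,
    which is altered on the suspect drive, plus one driver present only there."""
    root = tempfile.mkdtemp()
    for drive in ("clean", "suspect"):
        d = os.path.join(root, drive, DRIVERS_SUBDIR)
        os.makedirs(d)
        with open(os.path.join(d, "disk.sys"), "wb") as f:
            f.write(b"constructed good driver bytes")
        with open(os.path.join(d, "atapi.sys"), "wb") as f:
            f.write(b"constructed good driver bytes" if drive == "clean" else b"constructed patched bytes")
    with open(os.path.join(root, "suspect", DRIVERS_SUBDIR, "extra.sys"), "wb") as f:
        f.write(b"constructed driver present only on the suspect drive")
    return os.path.join(root, "clean"), os.path.join(root, "suspect")
```

    A hash mismatch alone does not prove infection, since service packs and hotfixes also change drivers; it narrows the list to the files worth submitting to the vendor or checking against a published hash.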
     
  18. Fajo (Registered Member, joined Jun 13, 2008, 1,812 posts)
    Well, if you have a paid licence, which I'm assuming you do, you can click Tools > Advanced Scan > Full Scan. That will scan everything on the PC, both the clean and suspected drive. Also keep the internet connected so it can communicate with Prevx servers. As long as you are on the clean drive you should be OK. Just don't do anything on the computer until the full scan completes; it normally takes 20-30 min.
     
  19. enchant (Registered Member, joined Aug 30, 2009, 26 posts)
    Yes, I do, and thanks. When I click on Tools/Advanced Scan, "Deep Scan" is what's checked. Does that mean that this is what happens by default? Or is that unrelated?

    Oh, and by the way...

    Thanks, everyone, for all your help. It's a scary thing when your system gets infected, and it's comforting that people are willing to help me through it.
     
  20. Fajo (Registered Member, joined Jun 13, 2008, 1,812 posts)
    In all honesty I don't know about that being default. But I do know that's where you select the other options. :D

    And we have all been infected before; we know how it is. Most of us are just here to help where we can :)

    Let us know what comes of the Full Scan! ;)
     
  21. Triple Helix (Webroot Product Advisor, joined Nov 20, 2004, 12,011 posts, Ontario, Canada)
    Deep scan is default! See attached!
     


  22. Triple Helix (Webroot Product Advisor, joined Nov 20, 2004, 12,011 posts, Ontario, Canada)
    This is default Deep Scan! :thumb:

    TH
     
  23. enchant (Registered Member, joined Aug 30, 2009, 26 posts)
    Well, at 11% finished, a warning box popped up saying:
    Your scan exceeded the maximum number of files allowed by your license. Please click OK to upgrade your license or Cancel to abort the scan.

    Not sure how I feel about that...
     
  24. Fajo (Registered Member, joined Jun 13, 2008, 1,812 posts)
    Sigh, that seems to be happening a lot lately. This one we will have to wait for PrevxHelp on. You might want to PM Joe (PrevxHelp) your license key so he can extend the amount of files. Also I'm sure he will have more insight on what's going on with this detection. The file limit is just there to stop virus makers from abusing Prevx or companies using Prevx illegally.
     
  25. enchant (Registered Member, joined Aug 30, 2009, 26 posts)
    Oh, so then I should be able to run a normal full scan on my machine?
     