Avast WEBforum

Other => Viruses and worms => Topic started by: wio on December 28, 2012, 01:30:54 AM

Title: need some help please
Post by: wio on December 28, 2012, 01:30:54 AM
Avast's scan came up with something, and since the action button is unavailable (no option to quarantine/delete)

In the OTL scan I had no option for a 64-bit scan, and it came up with only one log (no extras.txt).

asw on the first attempt caught sight of something red, and I got a system failure / auto-restart / blue screen / Safe Mode (it did open in regular mode).
The second round came up with the log attached.

I ran RogueKiller before asw but have no option to attach it.


ty guys
Title: Re: need some help please
Post by: Pondus on December 28, 2012, 01:43:08 AM
Quote
Avast's scan came up with something, and since the action button is unavailable (no option to quarantine/delete)
What was detected? As this usually indicates not infected.... or a detection in memory.


Your OTL log shows that you have multiple AV programs installed:

Quote
PRC - [2012/08/21 11:12:26 | 004,282,728 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/08/21 11:12:25 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2012/08/17 20:43:06 | 000,218,880 | ---- | M] (Kaspersky Lab ZAO) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe
PRC - [2012/07/12 17:32:22 | 001,239,952 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
PRC - [2012/07/12 17:32:18 | 018,832,264 | ---- | M] (Lavasoft Limited) -- C:\Program Files\Ad-Aware Antivirus\AdAware.exe
PRC - [2011/12/19 12:20:06 | 003,289,032 | ---- | M] (GFI Software) -- C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe

Never install more than one AV, as this will give you a slower machine, mysterious Windows errors and false detections.
You need to uninstall the ones you don't use, and then run the vendors' removal tools to clear all leftover files that may conflict.
You find the removal tools here: http://singularlabs.com/uninstallers/security-software/
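As an added illustration (not code from the thread or from OTL), the following Python parses OTL PRC/SRV/DRV lines like the ones quoted above and reports when more than one security product family shows up, the conflict Pondus points out; the vendor keyword table is a constructed heuristic, and the sample lines are a subset copied from the quoted log.

```python
import re
from collections import defaultdict

# Added example, not from the thread: parse OTL PRC/SRV/DRV lines and flag
# more than one security product, the conflict Pondus points out in the log above.
OTL_LINE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV) - "
    r"(?:\[(?P<stamp>[^\]]*)\] \((?P<vendor>[^)]*)\)|File not found)"  # '()' = no company name
    r"(?: \[(?P<state>[^\]]*)\])? -- (?P<path>.+?)(?: -- \((?P<name>[^)]*)\))?$"
)

# Constructed, non-exhaustive keyword table: family -> substrings searched in
# the lowercased vendor name and path (the Ad-Aware 2012 build shipped a GFI engine).
SECURITY_FAMILIES = {
    "Avast": ("avast",), "Kaspersky": ("kaspersky",), "AVG": ("avg",),
    "Ad-Aware": ("lavasoft", "ad-aware", "gfi software"),
    "Spybot": ("spybot", "safer networking"), "ESET": ("eset",), "McAfee": ("mcafee",),
}

def parse_otl_line(line):
    """Fields of one PRC/SRV/DRV line, or None; 'missing' marks 'File not found' leftovers."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["vendor"], rec["missing"] = rec["vendor"] or "", rec["stamp"] is None
    return rec

def security_families(lines):
    """Map each security product family found in the log to the paths that referenced it."""
    found = defaultdict(set)
    for rec in filter(None, map(parse_otl_line, lines)):
        haystack = (rec["vendor"] + " " + rec["path"]).lower()
        for family, keywords in SECURITY_FAMILIES.items():
            if any(k in haystack for k in keywords):
                found[family].add(rec["path"])
    return dict(found)

def conflict_report(lines):
    """Sorted family names when more than one security product is present, else []."""
    fams = security_families(lines)
    return sorted(fams) if len(fams) > 1 else []

# Sample lines copied from the OTL log quoted in the thread (constructed subset).
SAMPLE_LOG = r"""
PRC - [2012/08/21 11:12:26 | 004,282,728 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/08/17 20:43:06 | 000,218,880 | ---- | M] (Kaspersky Lab ZAO) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe
PRC - [2011/12/19 12:20:06 | 003,289,032 | ---- | M] (GFI Software) -- C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe
SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SBSDWSCService)
SRV - [2012/11/19 21:27:41 | 000,711,112 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe -- (vToolbarUpdater13.2.0)
""".strip().splitlines()
```

Running `conflict_report(SAMPLE_LOG)` on the embedded lines lists five families, which is the overkill the thread goes on to clean up.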


Title: Re: need some help please
Post by: wio on December 28, 2012, 02:22:03 AM
Quote
what was detected

In the attachment (those are password protected and growing; I would love to delete them).

Quote
Your OTL log shows that you have multiple AV programs installed.
Never install more than one AV, as this will give you a slower machine, mysterious Windows errors and false detections.
You need to uninstall the ones you don't use, and then run the vendors' removal tools to clear all leftover files that may conflict.
You find the removal tools here: http://singularlabs.com/uninstallers/security-software/

I know... but I couldn't resist. Only Avast came up with that. And so much thanks for the link :)

Got the RogueKiller log attached.


ty so much
Title: Re: need some help please
Post by: Pondus on December 28, 2012, 02:29:28 AM
Is it Polish?....
It seems like detections in AVG and Spybot files, so it seems to be a conflict.

Anyway, the removal specialists are notified. It may take hours before one arrives, so be patient.
Title: Re: need some help please
Post by: wio on December 28, 2012, 02:44:38 AM
Quote
Is it Polish?....

Yes it is :)

Quote
It seems like detections in AVG and Spybot files, so it seems to be a conflict.

SbS&D started to make those logs not long ago, and they are multiplying. And a blue screen is so rare for me that it freaked me out.

Quote
Anyway, the removal specialists are notified. It may take hours before one arrives, so be patient.

Anyway.... a big thanks for such a fast response, Pondus.
Have a great shift.
(I got myself extra cleaning tomorrow.)
Title: Re: need some help please
Post by: wio on December 28, 2012, 03:00:11 AM
hmmm
Title: Re: need some help please
Post by: essexboy on December 28, 2012, 11:25:26 AM
The aswMBR locked files are part of Kaspersky, so they will need removing. The Spybot quarantine holds a lot of bad stuff that will need to be removed.

Basically you have gone for overkill

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

Run OTL
Code:
:OTL
SRV - File not found [Auto | Running] -- C:\Program Files\Spybot -- (SBSDWSCService)
SRV - [2012/11/19 21:27:41 | 000,711,112 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe -- (vToolbarUpdater13.2.0)
SRV - [2012/08/17 20:43:06 | 000,218,880 | ---- | M] (Kaspersky Lab ZAO) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe -- (AVP)
SRV - [2012/07/12 17:32:22 | 001,239,952 | ---- | M] (Lavasoft Limited) [Auto | Running] -- C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe -- (Ad-Aware Service)
SRV - [2011/12/19 12:20:06 | 003,289,032 | ---- | M] (GFI Software) [Auto | Running] -- C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe -- (SBAMSvc)
DRV - [2012/11/19 21:27:43 | 000,026,984 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtpx86.sys -- (avgtp)
DRV - [2012/08/13 17:24:12 | 000,587,096 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\Windows\System32\drivers\klif.sys -- (KLIF)
DRV - [2012/08/13 15:49:44 | 000,144,344 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\System32\drivers\kneps.sys -- (kneps)
DRV - [2012/08/02 14:09:30 | 000,024,408 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- C:\Windows\System32\drivers\klim6.sys -- (KLIM6)
DRV - [2012/07/25 13:53:48 | 000,025,944 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2012/06/19 16:28:12 | 000,136,024 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\kl1.sys -- (kl1)
DRV - [2012/06/08 10:38:12 | 000,043,608 | ---- | M] (Kaspersky Lab) [Kernel | System | Running] -- C:\Windows\System32\drivers\kltdi.sys -- (kltdi)
DRV - [2012/05/25 18:38:48 | 000,025,432 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\klkbdflt.sys -- (klkbdflt)
DRV - [2011/12/19 11:44:24 | 000,093,816 | ---- | M] (GFI Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\sbhips.sys -- (sbhips)
DRV - [2011/11/29 05:59:52 | 000,077,816 | ---- | M] (GFI Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\sbapifs.sys -- (sbapifs)
DRV - [2011/10/26 13:23:40 | 000,101,112 | ---- | M] (GFI Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\SBREDrv.sys -- (SBRE)
FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.selectedEngine: "AVG Secure Search"
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\url_advisor@kaspersky.com: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\FFExt\url_advisor@kaspersky.com [2012/09/11 03:12:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\virtual_keyboard@kaspersky.com: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\FFExt\virtual_keyboard@kaspersky.com [2012/09/11 03:12:51 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\content_blocker@kaspersky.com: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\FFExt\content_blocker@kaspersky.com [2012/09/11 03:12:04 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
[2010/03/16 00:02:37 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Users\USER\AppData\Roaming\mozilla\Firefox\Profiles\zpkzyjca.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2012/04/22 00:32:52 | 000,000,000 | ---D | M] (DVDVideoSoftTB Toolbar) -- C:\Users\USER\AppData\Roaming\mozilla\Firefox\Profiles\zpkzyjca.default\extensions\{872b5b88-9db5-4310-bdd0-ac189557e5f5}
[2011/12/24 23:28:36 | 000,000,000 | ---D | M] (Kaspersky URL Advisor) -- C:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru_bak
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Content Blocker Plugin) - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\ContentBlocker\ie_content_blocker_plugin.dll (Kaspersky Lab ZAO)
O2 - BHO: (Virtual Keyboard Plugin) - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll (Kaspersky Lab ZAO)
O2 - BHO: (URL Advisor Plugin) - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\IEExt\UrlAdvisor\klwtbbho.dll (Kaspersky Lab ZAO)
O4 - HKLM..\Run: [Ad-Aware Antivirus] C:\Program Files\Ad-Aware Antivirus\AdAwareLauncher.exe (Lavasoft Limited)
O4 - HKLM..\Run: [Ad-Aware Browsing Protection] C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe (Lavasoft)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2013\avp.exe (Kaspersky Lab ZAO)
O4 - HKLM..\Run: [ROC_roc_ssl_v12] "C:\Program Files\AVG Secure Search\ROC_roc_ssl_v12.exe" / /PROMPT /CMPID=roc_ssl_v12 File not found
O4 - HKLM..\Run: [SBRegRebootCleaner] C:\Program Files\Ad-Aware Antivirus\SBRC.exe (GFI Software)
O4 - HKLM..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe" File not found
O4 - HKU\S-1-5-21-770305187-3020679099-2410195673-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
[2012/12/27 07:31:42 | 000,001,830 | ---- | M] () -- C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk


:Files
C:\Program Files\Common Files\AVG Secure Search
C:\Program Files\Kaspersky Lab
C:\Program Files\Ad-Aware Antivirus
C:\Program Files\ESET
C:\ProgramData\Ad-Aware Browsing Protection

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
Title: Re: need some help please
Post by: wio on December 31, 2012, 09:18:59 PM
Done.

PS: Happy New Year to all.
Title: Re: need some help please
Post by: essexboy on December 31, 2012, 11:08:11 PM
You still need to remove Kaspersky: http://support.kaspersky.com/1464

How is the computer behaving now?
Title: Re: need some help please
Post by: wio on December 31, 2012, 11:36:48 PM
Quote
How is the computer behaving now?

We'll wait and see.
Thanks.
Still, memory usage does not seem right. Any advice on that topic?
Title: Re: need some help please
Post by: essexboy on January 01, 2013, 12:34:05 PM
Yes, uninstall Kaspersky.
Title: Re: need some help please
Post by: wio on January 03, 2013, 08:22:19 AM
Quote
Yes, uninstall Kaspersky.

Did. After that I had icons missing from my desktop (got them back with a brush of the mouse).
SbS&D and emWave are still generating files that are suspected by Avast. I wanted to delete them, but the "perform" button was not available; I had to do it manually.

System malfunctions - new: "there was a problem sending the command to the program" -> Windows Office is offline
  old: - can't get back to a restore point or recovery
       - after serious cleaning I still don't like it (lots of memory usage)
Title: Re: need some help please
Post by: essexboy on January 03, 2013, 03:26:15 PM
Have you run the Kaspersky tool, though? There are (or were) still a lot of drivers running.

Download and run farbar service scanner (http://download.bleepingcomputer.com/farbar/FSS.exe)

(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg)

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
Title: Re: need some help please
Post by: wio on January 14, 2013, 06:49:52 PM
done
Title: Re: need some help please
Post by: essexboy on January 14, 2013, 07:15:00 PM
OK, let's try a general repair now.

Download Windows Repair (All in One) from this site (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)

Install the programme, then run it.

(https://dl.dropbox.com/u/73555776/waio%20start.JPG)

Go to step 3 and allow it to run SFC
(https://dl.dropbox.com/u/73555776/waio%20step3.JPG)


On the Start Repairs tab, click Start.
(https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG)

Select the following items and tick "restart system when finished":
(https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG)
Title: Re: need some help please
Post by: wio on January 20, 2013, 10:50:06 PM
Done.
All the logs have the same message (Attachment no. 2).
Still problems with Office.
If I can get past the blockade on recovery, I will manage.
Title: Re: need some help please
Post by: essexboy on January 20, 2013, 11:41:08 PM
What is the exact problem with Office?
Title: Re: need some help please
Post by: wio on January 23, 2013, 02:27:01 PM

Message: "there was a problem sending messages to the program."
(I can open them with WordPad only.)
Title: Re: need some help please
Post by: essexboy on January 23, 2013, 03:34:21 PM
Are you able to re-install Office at all? What version is it?
Title: Re: need some help please
Post by: wio on March 04, 2013, 10:16:57 AM
1. Restored system (Word back online).
2. Cleaned other antiviruses.
(Meantime messed up other things, no browser for a while; fun, but for now it seems OK.) (Next time no mercy: install disc.)
4. Ran AV, got clean.
3. Scans attached (MBAM seems to get some).
Title: Re: need some help please
Post by: essexboy on March 04, 2013, 03:17:27 PM
You are now showing three antivirus programmes: McAfee, Avast and Ad-Aware.

How is the computer behaving?
Title: Re: need some help please
Post by: wio on March 04, 2013, 08:07:13 PM
Word Office lost again. At least the browser is working.

Ad-Aware gone, McAfee needs to go too.

asw is running now.

And what are those?
blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\
coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\
pjkljhegncpnkpknbcohdijeoejaedia\7_1\
Title: Re: need some help please
Post by: essexboy on March 04, 2013, 08:28:31 PM
Those are Chrome folders, which is why it is so difficult to determine what is bad in there, as the names are random.

Have you patched your user32.dll file?

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1  (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here  (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)

(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.


Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
Title: Re: need some help please
Post by: wio on March 05, 2013, 06:26:42 AM
Meantime the double power-on stopped.
Word Office still off.
ComboFix marked Avast for deletion.
Log attached.
Title: Re: need some help please
Post by: essexboy on March 05, 2013, 04:23:37 PM
OK, let's replace the user32.

1. Close any open browsers.
 
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 
 
3. Open notepad and copy/paste the text in the quotebox below into it:
 
Quote

FCopy::
c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll|c:\windows\System32\user32.dll
 

 
Save this as CFScript.txt, in the same location as ComboFix.exe
 
 
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif) 
 
Referring to the picture above, drag CFScript into ComboFix.exe
 
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.