Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: JSmit156 on March 18, 2012, 04:00:38 PM
-
Hello,
When Avast ran the boot scan I pressed the option "2-Delete All", and 30 infected files were deleted, not only the virus files.
My question is, how do I find which files were deleted, and is there anything I can do about it? Or can the deletion of these files risk the operation of my Windows 7 Home Premium? The virus was mazebat or tazebama or something.
Please help me; it's a new PC and someone else used it before I even installed an antivirus.
Thanks.
-
Are you able to use the computer at the moment?
If so then follow the steps in this thread and post the logs here http://forum.avast.com/index.php?topic=53253.0
-
Thanks for the quick reply,
I am able to use the computer.
MBAM deleted 1 infected file.
Is it now safe to use the computer or is there still a worm/virus?
And what happened to the files Avast! deleted on the boot scan? Will it affect Windows 7?
-
Could you continue and do the OTL and aswMBR scans please, to confirm that there is nothing left.
Also could you open Avast
Go to Maintenance
Open the virus chest and note what files have been quarantined
-
Thanks again
OK, I did the OTL and aswMBR and nothing is said to be left.
But my question now is, when Avast! did the boot scan I saw that 30 files were deleted, for example the Windows Solitaire game, so maybe something else more important than Solitaire was deleted when Avast! removed the infected files? How can I know that?
-
Both of those tools are analysis tools - and unless you know how to read them they will give you no meaningful data.
What was the virus name that avast reported?
Could you attach the OTL and aswMBR logs please
-
When Avast ran boot scan I pressed the option "2-Delete All"
Just a suggestion...the prudent thing to do if/when a suspected virus/malware is found is to quarantine in the virus chest until you can confirm whether the threat is real or a false positive.
-
When Avast ran boot scan I pressed the option "2-Delete All"
Just a suggestion...the prudent thing to do if/when a suspected virus/malware is found is to quarantine in the virus chest until you can confirm whether the threat is real or a false positive.
I know it was stupid, but I did that because I saw on Google that tazebama is a sure virus.
So, did I damage my Windows beyond repair (I haven't set up backup yet)? Or were the 30 files I saw removed at the boot scan not necessary (like the Solitaire I mentioned)?
-
Until I can look at the logs, I am unable to say.
-
This is the aswMBR log:
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-18 17:49:41
-----------------------------
17:49:41.906 OS Version: Windows 6.1.7601 Service Pack 1
17:49:41.906 Number of processors: 4 586 0x2A07
17:49:41.908 ComputerName: USER-PC UserName: user
17:50:17.424 Initialize success
17:50:18.300 AVAST engine defs: 12031800
17:50:36.648 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3
17:50:36.650 Disk 0 Vendor: ST500DM002-1BD142 KC44 Size: 476940MB BusType: 3
17:50:36.684 Disk 0 MBR read successfully
17:50:36.685 Disk 0 MBR scan
17:50:36.689 Disk 0 Windows 7 default MBR code
17:50:36.712 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
17:50:36.734 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 239900 MB offset 206848
17:50:36.768 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 236938 MB offset 491522048
17:50:36.794 Disk 0 scanning sectors +976771072
17:50:36.978 Disk 0 scanning C:\Windows\system32\drivers
17:51:06.763 Service scanning
17:52:00.406 Modules scanning
17:52:30.904 Disk 0 trace - called modules:
17:52:31.267
17:53:02.538 AVAST engine scan C:\Windows
17:53:41.607 AVAST engine scan C:\Windows\system32
17:58:45.197 AVAST engine scan C:\Windows\system32\drivers
17:59:06.391 AVAST engine scan C:\Users\user
18:02:00.916 AVAST engine scan C:\ProgramData
18:02:16.914 Scan finished successfully
18:08:31.171 Disk 0 MBR has been saved successfully to "C:\Users\user\Documents\MBR.dat"
18:08:31.175 The log file has been saved successfully to "C:\Users\user\Documents\aswMBR.txt"
-
The MBAM log when it found the file: (That was after Avast! deleted the 30 files, so there was still something left?!)
Memory Processes Infected: 0
(No malicious items detected)
Memory Modules Infected: 0
(No malicious items detected)
Registry Keys Infected: 0
(No malicious items detected)
Registry Values Infected: 0
(No malicious items detected)
Registry Data Items Infected
(No malicious items detected)
Folders Infected: 0
(No malicious items detected)
Files Infected: 1
C:\Users\user\AppData\Roaming\tazebama\zPharaoh.dat (Worm.Mabezat) -> Quarantined and deleted successfully.
(end)
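As an added example (not from the thread, and not Malwarebytes' own code): a small Python parser for the log format quoted above. It walks the section headers, pulls out every listed detection with its threat name and the action taken, checks that each header's declared count matches the items actually listed, and flags any detection that was not quarantined and deleted, which is the case where a follow-up scan is still needed. The first sample log is constructed from the lines of the post above; the second is a constructed case with placeholder names.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of a Malwarebytes (MBAM 1.x) scan log,
# modelled on the log quoted in the thread; the one detection is the thread's.
SAMPLE_MBAM_LOG = r"""
Memory Processes Infected: 0
(No malicious items detected)

Memory Modules Infected: 0
(No malicious items detected)

Registry Keys Infected: 0
(No malicious items detected)

Registry Values Infected: 0
(No malicious items detected)

Registry Data Items Infected
(No malicious items detected)

Folders Infected: 0
(No malicious items detected)

Files Infected: 1
C:\Users\user\AppData\Roaming\tazebama\zPharaoh.dat (Worm.Mabezat) -> Quarantined and deleted successfully.

(end)
"""

# Second constructed sample with placeholder names: the header claims two
# files but only one is listed, and that one has not been removed yet.
SAMPLE_PENDING_LOG = r"""
Files Infected: 2
C:\EXAMPLE\placeholder.tmp (Example.Placeholder) -> Delete on reboot.
(end)
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) Infected(?:: (?P<count>\d+))?$")
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
DONE_ACTION = "Quarantined and deleted successfully"


@dataclass
class Detection:
    section: str   # e.g. "Files", "Registry Keys"
    obj: str       # path, key or process that was flagged
    threat: str    # detection name, e.g. "Worm.Mabezat"
    action: str    # what MBAM did with it


@dataclass
class MbamReport:
    detections: list = field(default_factory=list)
    # (section, declared count, items actually listed) wherever they differ
    count_mismatches: list = field(default_factory=list)


def parse_mbam_log(text):
    """Walk the section headers and collect every listed detection."""
    report = MbamReport()
    section, declared, seen = None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)" or line.startswith("(No malicious items"):
            continue
        m = SECTION_RE.match(line)
        if m:
            # close the previous section: compare declared count with items seen
            if section and declared is not None and declared != seen:
                report.count_mismatches.append((section, declared, seen))
            section = m.group("name")
            declared = int(m.group("count")) if m.group("count") else None
            seen = 0
            continue
        m = ITEM_RE.match(line)
        if m and section:
            report.detections.append(Detection(section, m.group("obj"), m.group("threat"), m.group("action")))
            seen += 1
    if section and declared is not None and declared != seen:
        report.count_mismatches.append((section, declared, seen))
    return report


def needs_followup(report):
    """Detections that are not yet gone: anything other than quarantined-and-deleted."""
    return [d for d in report.detections if not d.action.startswith(DONE_ACTION)]


if __name__ == "__main__":
    for sample in (SAMPLE_MBAM_LOG, SAMPLE_PENDING_LOG):
        r = parse_mbam_log(sample)
        for d in r.detections:
            print(f"{d.section}: {d.obj} [{d.threat}] -> {d.action}")
        print("count mismatches:", r.count_mismatches, "| follow-up:", len(needs_followup(r)))
```

On the thread's own log this yields the single file detection with a clean count check; on the second sample it reports the count mismatch and the pending "Delete on reboot" item, which is exactly what to look for before deciding the machine is clean.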
-
Could you attach the OTL log please, as you did have a worm.
-
The OTL logs are attached.
-
Looks like everything was killed
To check your system files, run an elevated command prompt:
Go Start > All Programs > Accessories
Right click Command Prompt and select Run as administrator
In the black box that opens, type the following command and press Enter:
sfc /scannow
That should repair any damaged files.
For getting Solitaire etc. back, go to Control Panel > Programs and Features
Select Turn Windows features on or off
Then in the next box that opens, re-tick the ones that are missing.
EDIT: I also see the AVG search toolbar; that is a total waste of space so I would recommend that you uninstall it.
-
Thanks a lot for your support and patience, you really helped.
I did the sfc /scannow and it told me "Windows Resource Protection found corrupt files but was unable to fix some of them."
BTW, besides the games deleted, are you sure no important Windows files have been removed?
*About the AVG toolbar, it was mistakenly installed with another program I installed ;D -> Removed
Thanks again.
-
Usually the ones that sfc is unable to fix are ini files, but they are of no import.
How is the computer behaving, any problems?
-
Haven't noticed any problems yet; I hope there won't be, because I got my Windows without any installation disc and I hadn't set up a backup prior to the virus :'(
*should I post the sfc log?
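An added example, not from the thread: sfc /scannow records what it verified and what it could not repair in the servicing log CBS.log, on lines tagged `[SR]`, and Microsoft's SFC documentation suggests `findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log` to pull those lines out. The Python below does the same selection and then lists the files SFC could not repair together with the reason, plus a tally of their extensions, so you can see at a glance whether the leftovers are only .ini files or something that matters. The sample lines are constructed in the shape of CBS.log entries with placeholder component and file names; the log path is the default Windows location and is an assumption about the install.

```python
import re
from collections import Counter

# Default location of the servicing log that sfc /scannow writes to
# (assumption: standard Windows install on C:).
CBS_LOG_PATH = r"C:\Windows\Logs\CBS\CBS.log"

# Constructed sample in the shape of CBS.log entries; the component and file
# names are placeholders, not real Windows components.
SAMPLE_CBS_LOG = r"""
2012-03-18 18:30:11, Info                  CBS    Starting TrustedInstaller initialization.
2012-03-18 18:30:12, Info                  CBS    [SR] Verifying 100 (0x0000000000000064) components
2012-03-18 18:30:12, Info                  CBS    [SR] Beginning Verify and Repair transaction
2012-03-18 18:30:40, Info                  CBS    [SR] Cannot repair member file [l:22{11}]"example.ini" of Example-Component, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2012-03-18 18:30:41, Info                  CBS    [SR] Repaired file \??\C:\Windows\System32\example.dll by copying from backup
2012-03-18 18:30:42, Info                  CBS    [SR] Verify complete
"""

SR_RE = re.compile(r"\[SR\] (?P<msg>.*)$")
CANNOT_RE = re.compile(
    r'Cannot repair member file \[[^\]]*\]"(?P<name>[^"]+)" of (?P<component>[^,]+),'
    r".*, (?P<reason>[^,]+)$"
)
REPAIRED_RE = re.compile(r"Repaired file (?P<path>\S+)")


def extract_sr_lines(text):
    """Same selection as `findstr /c:"[SR]" CBS.log`: only the SFC messages."""
    out = []
    for line in text.splitlines():
        m = SR_RE.search(line)
        if m:
            out.append(m.group("msg"))
    return out


def summarize_sfc(text):
    """Split the SFC messages into what could not be repaired, what was, and the rest."""
    summary = {"unrepaired": [], "repaired": [], "other": Counter()}
    for msg in extract_sr_lines(text):
        if msg.startswith(("Cannot repair", "Could not reproject")):
            m = CANNOT_RE.match(msg)
            if m:
                summary["unrepaired"].append((m.group("name"), m.group("component"), m.group("reason")))
            else:
                summary["unrepaired"].append((msg, "", ""))   # keep the raw message if the shape differs
        else:
            m = REPAIRED_RE.match(msg)
            if m:
                summary["repaired"].append(m.group("path"))
            else:
                summary["other"][msg.split(" ", 1)[0]] += 1   # tally by first word, e.g. "Verifying"
    return summary


def unrepaired_extensions(summary):
    """File types SFC gave up on; an ini-only result is the harmless case described in the thread."""
    return Counter(name.rsplit(".", 1)[-1].lower()
                   for name, component, _ in summary["unrepaired"] if component and "." in name)


def summarize_sfc_file(path=CBS_LOG_PATH):
    """Run the summary over the real log; CBS.log can be large, so it is read in one go."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return summarize_sfc(f.read())


if __name__ == "__main__":
    s = summarize_sfc(SAMPLE_CBS_LOG)
    for name, component, reason in s["unrepaired"]:
        print(f"NOT repaired: {name} ({component}): {reason}")
    for path in s["repaired"]:
        print(f"repaired: {path}")
    print("file types left unrepaired:", dict(unrepaired_extensions(s)))
```

Run `summarize_sfc_file()` from an elevated prompt on the machine in question; the `unrepaired` list is the part worth posting in a thread like this one, rather than the whole log.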
-
The first thing you need to do then is create a repair disc.
Create a Windows 7 System Repair Disc
Note: the below can only be done if your machine has a type of CD/R or DVD/R optical drive installed. Also, depending on the exact type of OEM your machine has, you may be unable to actually create an SRD.
- Click on Start(Windows 7 Orb) >> Run...(or the Windows key and R together) to bring up the Run box, then copy/paste the following command into the box and click on OK:
recdisc.exe
- Allow the UAC(User Account Control) prompt via selecting Yes.
- You should now see a menu like the below:-
(http://i280.photobucket.com/albums/kk173/Dakeyras_album2/WTSRD1.gif)
- Put a blank rewritable CD/DVD in your optical(CD/DVD) drive and then click on Create disc.
- Note: If an AutoPlay window pops up, just close it.
- When the SRD has been created you will see the below:-
(http://i280.photobucket.com/albums/kk173/Dakeyras_album2/WTSRD2.gif)
- Now click on Close >> OK.
- You now have a Windows 7 System Repair Disc.
THEN
Read this page on how to create a backup: http://www.howtogeek.com/howto/4241/how-to-create-a-system-image-in-windows-7/
I would recommend that you put the backup on a separate external drive.
-
Should I back up even though I had a virus?
BTW, do you think that if antivirus and anti-malware (Avast and MBAM) full scans find no threats, it really means there are no more threats? Or may the virus/worm I had earlier still be on the computer, so that it is not safe for me to log in to websites with personal information such as Facebook or my bank, as my accounts are at risk of being revealed by the trojan/worm/virus?
*If I can restore my system to a point before the virus, should I do that?
-
The probability is that if both programmes can find nothing you are probably safe; there was nothing untoward showing in the logs.
That is an option - do you have a restore point prior to the infection?
-
I restored my PC to an older point and the virus file was there again, but now I downloaded MBAM before Avast! and it found 2 files, a virus and a worm, and I quarantined and deleted them both. Is it enough or should I do the thing with OTL again?
*I am currently running an Avast! full scan after MBAM deleted the virus and the worm, and it is now showing 65 infected files.
I now have the list of the infected files that Avast! removed earlier, and now after the restoring I moved them to the chest. Should I post the infected files so you can tell me if it's safe to delete them again?
-
OK, you restored back to a time when the malware was active; not a good move, as System Restore backed up the malware at that time as well.
Post the list of files that Avast quarantined - this will give me an idea of the infection type.
-
I removed the files again, I didn't save the list.
Should I restore back again to have the malware, so I will have the list of infected files again?
I have another question: if I restored to an older point and the malware was still there, does it mean that at the date of restoring the malware existed, or is the malware itself from a newer date but able to copy itself into the system restore option? I am asking that because I restored the system to a date when the computer was still at the company I bought it from, so maybe they did something, and not a member of my family who used the PC before I installed an antivirus?
Thanks.
-
It means that at the date of the restore the malware was active on the system.
There should be a list of files in the virus chest; could you note a few from there along with the infection name?
-
I deleted all the files from the chest :-\ , but I remember the virus had some names such as zPharaoh.exe, mazebat.dll, tazebama.dll, autorun.inf, and some of the application .exe files were removed. Should I restore back to when the virus was active, download Avast and have the full list of files again?
*So you are telling me that the virus was on the PC before it was given to me? (Are you sure the virus didn't copy itself to the restore point?)
-
It is extremely rare for malware to deliberately plant itself in System Restore - I have only seen one or two instances of this.
The infection you had was a worm, so it could have come from an infected USB drive.
Subject to no further problems :)
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:
Run OTL - under the Custom Scans/Fixes box at the bottom, paste in the following:
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Run OTL and hit the Cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that:
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java?
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go Start > All Programs > Accessories > System Tools
- Right click Disk Cleanup and select Run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install the FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly; it will show you which programmes on your system need updating and give a download link.
It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated. To keep your operating system up to date, visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Thanks for your care ;D I will try to do what you said.
You also said only one or two types of worms plant themselves in System Restore, so maybe the one I had is one of them, just to be sure?
The worm and virus I had used a few names I remember: tazebama, mazebat, zPharaoh. Maybe this worm is able to plant itself in restore?
By the way, I remember that after I used the system restore a message appeared saying my files were saved, so maybe the virus is newer than the restore date but it won't be deleted anyway, as System Restore doesn't delete files? (I need to know that because at the date of the restore the computer was at the company I bought it from, so I want to know if they inserted a USB drive or something, or someone from my family did that before I installed antivirus.)
Thanks.
-
As we have deleted all restore points it should no longer be a problem; none of those files are known to insert themselves in System Restore.
-
Oh no, after I did the OTL Fix thing the computer is now moving so slowly; are you sure OTL is not a virus or trojan horse or something?
-
I think I can categorically state that it is totally malware free..
Have you done the remaining removal bits?
If so I would follow that up with a disk defrag, then let me know how it is behaving, as all OTL did was empty your temporary files.