Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Devox on July 05, 2012, 05:33:55 PM
-
Hi, I am using Vista 32-bit and I used to use Avira Free Antivirus, but yesterday it stopped working, so I tried to fix it and update it, but the real-time protection still didn't work. So I uninstalled it and re-installed it again, but it also didn't work. Then I tried to use another antivirus, so I installed Avast Free, but the shields don't work either, and this time I can't even update.
I suppose this means that my computer is infected.
So now, what should i do?
Attached is a HJT log file. I don't know what HJT is, but I found a lot of people asking for it and using it to identify the problem, so I used it; maybe it will help.
Thanks.
-
follow guide: http://forum.avast.com/index.php?topic=53253.0
attach all logs here.. ;)
-
Monitoring - did Avira give any alerts ?
-
Monitoring - did Avira give any alerts ?
It's not activated; the small icon on the bottom right has an X on it, but I can't do a scan or anything. Plus I found that I can't even connect to an account: every time I connect it tells me success, but it's not actually connected !!!
-
follow guide: http://forum.avast.com/index.php?topic=53253.0
attach all logs here.. ;)
Here are the logs.
The aswMBR didn't work, but I attached the log anyway.
Thanks
-
Thank you for posting your logs. Essexboy will continue to assist you with your malware removal when he comes on the forum, which is usually late UK time zone.
In the meantime, please do not make any changes to your machine since posting these logs. Do not sync anything to the machine and try not to use it. If you are on a network, disconnect this machine from the network. I do see problems in your logs that Essexboy needs to work on with you. Thank you.
-
OK, I am not sure if OTL is strong enough to kill this, but let's give it a whirl.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
SRV - File not found [Unknown (-1) | Running] -- -- (syshost32)
DRV - File not found [Kernel | Boot | Stopped] -- -- (lhldjq)
DRV - File not found [Unknown (-1) | Unknown (-1) | Unknown] -- -- (syshost32)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-451692780-2006726030-4535673-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\AuTopLay\coMmaND - "" = ubqjor.pif
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\AutoRun\command - "" = ubqjor.pif
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\eXploRe\cOmmanD - "" = ubqjor.pif
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\oPen\cOmMAnd - "" = ubqjor.pif
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
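The O33 lines in the fix above are the interesting part for anyone reading this later: MountPoints2 entries that make a removable device's AutoPlay/AutoRun/explore/open verbs run a bare "ubqjor.pif" from the device root, with the key names spelled in mixed case ("AuTopLay", "cOmMAnd"). The registry is case-insensitive, so those keys work exactly like the normal ones, but the odd spelling defeats naive case-sensitive string matching. The following is an added example written for this thread, not OTL's own code: it reads OTL-style log text and flags those MountPoints2 commands and the "File not found" SRV/DRV entries that Essexboy's fix also targeted. The sample log is constructed from the lines quoted in the fix; the ExampleSvc and E:\setup.exe lines are invented for contrast.

```python
"""Triage an OTL-style scan log for autorun hijacks and orphaned services.

Added example for this thread, not part of OTL. Two patterns are flagged:
  * O33 MountPoints2 entries whose Shell\<verb>\command runs a file from
    the root of a removable device (autorun.inf-style infection), and
  * SRV/DRV entries whose binary is "File not found" (dangling service
    entries left behind by a removed or hidden driver).
Key names are compared case-insensitively, because the registry is; odd
casing is reported as its own signal since normal software never writes
keys that way.
"""
import re
from collections import Counter

# Constructed sample modelled on the lines quoted in the thread; the GUID and
# "ubqjor.pif" come from the posted fix, ExampleSvc and E:\setup.exe are invented.
SAMPLE_OTL = r"""
SRV - File not found [Unknown (-1) | Running] -- -- (syshost32)
SRV - [2011/03/15 10:00:00 | 000,123,456 | ---- | M] (Example Corp) [Auto | Running] -- C:\Program Files\Example\svc.exe -- (ExampleSvc)
DRV - File not found [Kernel | Boot | Stopped] -- -- (lhldjq)
DRV - File not found [Unknown (-1) | Unknown (-1) | Unknown] -- -- (syshost32)
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\AuTopLay\coMmaND - "" = ubqjor.pif
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\AutoRun\command - "" = ubqjor.pif
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\eXploRe\cOmmanD - "" = ubqjor.pif
O33 - MountPoints2\{11b1738b-b1ec-11df-a6eb-f1c0d7e74bc3}\Shell\oPen\cOmMAnd - "" = ubqjor.pif
O33 - MountPoints2\{aaaaaaaa-0000-0000-0000-000000000000}\Shell\AutoRun\command - "" = E:\setup.exe
"""

ORPHAN_RE = re.compile(r"^(?P<kind>SRV|DRV) - File not found .* -- -- \((?P<name>[^)]+)\)$")
MOUNTPOINT_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[0-9a-fA-F-]+\})\\Shell\\'
    r'(?P<verb>[^\\]+)\\(?P<key>[^\\ ]+) - "" = (?P<cmd>.+)$',
    re.IGNORECASE,
)
# Spellings Windows and autorun.inf handlers normally write for these keys.
NORMAL_VERBS = {
    "autorun": {"AutoRun", "autorun", "Autorun"},
    "autoplay": {"AutoPlay", "autoplay", "Autoplay"},
    "explore": {"explore", "Explore"},
    "open": {"open", "Open"},
}
NORMAL_COMMAND = {"command", "Command"}
EXEC_EXT = (".pif", ".exe", ".com", ".bat", ".cmd", ".scr", ".vbs", ".js")


def odd_casing(verb, key):
    """True when the verb or the 'command' key uses unusual casing."""
    normal = NORMAL_VERBS.get(verb.lower(), {verb.lower(), verb.capitalize()})
    return verb not in normal or key not in NORMAL_COMMAND


def triage(log_text):
    """Return a list of findings (dicts) for the suspicious lines in log_text."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ORPHAN_RE.match(line)
        if m:
            findings.append({"type": "orphan_service", "kind": m["kind"], "name": m["name"],
                             "severity": "medium", "line": line})
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            cmd = m["cmd"].strip().strip('"')
            relative = "\\" not in cmd and ":" not in cmd   # resolved against the device root
            executable = cmd.lower().endswith(EXEC_EXT)
            mangled = odd_casing(m["verb"], m["key"])
            severity = "high" if (relative and executable) or mangled else "medium"
            findings.append({"type": "mountpoint_command", "guid": m["guid"].lower(),
                             "verb": m["verb"], "command": cmd, "case_mangled": mangled,
                             "severity": severity, "line": line})
    return findings


def summarize(findings):
    """Counts per severity plus the device GUIDs and service names involved."""
    return {
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "devices": sorted({f["guid"] for f in findings if f["type"] == "mountpoint_command"}),
        "orphans": sorted({f["name"] for f in findings if f["type"] == "orphan_service"}),
    }


if __name__ == "__main__":
    found = triage(SAMPLE_OTL)
    for f in found:
        print(f["severity"].upper(), f["line"])
    print(summarize(found))
```

On the sample the four ubqjor.pif entries come out as high (three of them also case-mangled), the E:\setup.exe entry as medium because it is an absolute path, and the three "File not found" entries as medium orphans for syshost32 and lhldjq.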
-
I didn't find a ComboFix log file. There is a C:\ComboFix file, but it's not a .txt; it's like the Computer icon on the desktop, and when I double click it, it shows me the hard disk drives.
Also, Windows Defender stopped working after the reboot from ComboFix. I rebooted again as advised, but the problem didn't get solved.
I still didn't try to enable the Avast shields.
-
Aye, OTL lacked the oomph to kill the main driver...
So let's try a different tack. Delete the current copy of ComboFix from your desktop.
Download a fresh copy, but prior to saving rename it as Gotcha and try again... Meanwhile I will look for a stronger tool. I think maybe Avenger next.
-
Just to be clear, you want me to download a fresh ComboFix but rename it before saving and call it "Gotcha"?
-
Yes please
-
The same thing happened, but I noticed that the computer didn't restart normally; the blue screen appeared for a second and then the computer restarted.
-
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger2/download.php) by Swandog46 to your Desktop.
- Right click on the Avenger.zip folder and select "Extract All..."
- Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Drivers to delete:
syshost32
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, open the avenger folder and start The Avenger program by clicking on its icon.(https://dl.dropbox.com/u/73555776/Avenger%20icon.GIF)
(https://dl.dropbox.com/u/73555776/Avenger%20disclaim.GIF)
- Right click on the window under Input script here:, and select Paste.
(https://dl.dropbox.com/u/73555776/Avenger%20run.GIF)
- You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
- Click on Execute
- Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
- It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh OTL log
-
Attached is the log of a fresh OTL quick scan with no code added,
and the Avenger log is:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Driver "syshost32" deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
-
OK, that killed it ;D
Could you now retry Combofix please
-
Sorry my friend, the same result.
I downloaded a new ComboFix and saved it with the name combofix2, and after the restart the C: drive contains a combofix2 icon, but it's like the "Computer" shortcut ???
-
OK, let's run the analysis-only part of AVP; you will need to upload the zip file to a file sharing site for me to collect.
Download AVPTool from Here (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) to your desktop
Run the programme you have just downloaded to your desktop (it will be randomly named).
Now the Analysis
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information
(http://dl.dropbox.com/u/73555776/kas%20manual.JPG)
On completion click the link to locate the zip file to upload and attach to your next post
(http://dl.dropbox.com/u/73555776/Kas%20Zip.JPG)
-
Failed to install.
Error code: -2147024894
!!!
-
Time for the big boy
Please download the following programmes to your desktop:
Dr Web Live CD (http://www.freedrweb.com/livecd/)
ImgBurn (http://www.filehippo.com/download_imgburn/)
Install IMGBurn
- Double click Dr Web
- IMGBurn will open
- Burn the ISO to a cd
- Reboot the infected computer with the CD in the drive
- Ensure that the first boot device is CD - If you are not sure about that then see this page (http://www.hiren.info/pages/bios-boot-cdrom) for instructions
- As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdbootscreen.gif)
- Use arrow keys to select DrWeb-LiveCD (Default)
- When the system is loaded, check the disks or folders you want to scan, and click on “Start”.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdDriveselection.gif)
- The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
- Once completed reboot to normal windows
- No log is produced so once in normal windows run a fresh OTL scan and let me know if the problems persist
-
My CD drive is broken; I will need to buy a new one. This will take a few days. Can I do the burning on another computer?
-
I noticed there is Dr.Web LiveUSB. Can I use it instead of Dr.Web LiveCD?
-
Yes of course - use the USB version
-
Can't find the boot device !!!
I have two OSes, Windows and Linux. Can that affect it?
-
Could you go to the Linux OS and try to run from there
-
You mean to create a bootable USB from Linux, or you want me to run the program from Linux?
-
You should be able to run Dr Web from Linux as it is a Linux-based programme.
-
Yes, but the bootable USB is "bootable"; I can't run it as an application, or at least I don't know how.
I will try to extract the LiveCD version of Dr Web, which is an ISO image, and run it.
-
I was not able to do that. I will download a trial Linux version; it is supposed to be full and for 30 days.
-
Ok
This one is a right pain... I can see the problem but I cannot see the trigger.
-
I scanned only the C drive and the attached screenshot shows the result.
-
OK, that did not find anything... Maybe we did kill it.
How is Windows behaving now?
-
I still can't enable the shields
-
OK, let's try a full re-install.
Download the latest version to your desktop from here (http://files.avast.com/iavs5x/avast_free_antivirus_setup.exe)
Download aswClear from here (http://files.avast.com/files/eng/aswclear.exe)
Go to Programs and Features > add/remove and uninstall Avast
Reboot back to safe mode and run aswClear (select all versions of Avast ) once for each version, no need to reboot in between
After the last one reboot
Install the updated Avast
-
The same; I still can't enable the shields :-\
-
When you try to enable the shields what error do you get ?
-
Shield unreachable
-
Could you run a test for me
Download another AV, either Avira or MSES, and let me know if that installs OK.
-
Avira real-time protection is stopped and I can't start it.
-
Let's see if GMER can locate it.
Scanning with GMER
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
(http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif)
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
(http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg) (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and attach it in your reply.
Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
-- If you encounter any problems, try running GMER in safe mode (http://www.computerhope.com/issues/chsafe.htm).
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
-
When I start GMER I got an error about a driver, then the right panel has only the Services, Registry and Files options, but I did the scan anyway.
Also in safe mode I got the same thing.
Attached is the log.
-
Gotcha
1. Please download The Avenger (http://swandog46.geekstogo.com/avenger2/download.php) by Swandog46 to your Desktop.
- Right click on the Avenger.zip folder and select "Extract All..."
- Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
Begin copying here:
Files to delete:
C:\SystemRoot\System32\Drivers\778b96acd1ec6829.sys
Drivers to delete:
syshost32
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
3. Now, open the avenger folder and start The Avenger program by clicking on its icon.(https://dl.dropbox.com/u/73555776/Avenger%20icon.GIF)
(https://dl.dropbox.com/u/73555776/Avenger%20disclaim.GIF)
- Right click on the window under Input script here:, and select Paste.
(https://dl.dropbox.com/u/73555776/Avenger%20run.GIF)
- You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
- Click on Execute
- Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
- It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
- The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.
-
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: could not open file "C:\SystemRoot\System32\Drivers\778b96acd1ec6829.sys"
Deletion of file "C:\SystemRoot\System32\Drivers\778b96acd1ec6829.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\syshost32" not found!
Deletion of driver "syshost32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
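The two Avenger logs in this thread show the three outcomes that matter when reading one: the first run reports the syshost32 driver "deleted successfully"; the second cannot open the .sys file and fails with STATUS_ACCESS_DENIED, and then fails to delete the driver with STATUS_OBJECT_NAME_NOT_FOUND because the earlier run had already removed its service key. Access denied on a boot-time delete means something is still protecting the file, which is what pushed the thread toward tooling that runs outside Windows; "not found" only means the object was already gone. As an added example, not part of The Avenger, the following parses that log format into structured results and applies that distinction. The sample log is constructed by stitching the success line from the first posted log into the second so all three outcomes appear together.

```python
"""Parse an Avenger result log and classify each requested deletion.

Added example for this thread, not part of The Avenger. It turns the free-text
log Avenger writes to C:\avenger.txt into one record per requested action and
separates the two failure modes seen in the thread:
  * STATUS_OBJECT_NAME_NOT_FOUND: the object was already gone (nothing to do),
  * STATUS_ACCESS_DENIED (and similar): the object is still being protected,
    so remediation from inside Windows is not going to work.
"""
import re

# Constructed sample: the second log posted in the thread, with the success
# line from the first log inserted so that all three outcomes appear.
SAMPLE_AVENGER = r"""
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Driver "syshost32" deleted successfully.
Error: could not open file "C:\SystemRoot\System32\Drivers\778b96acd1ec6829.sys"
Deletion of file "C:\SystemRoot\System32\Drivers\778b96acd1ec6829.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\syshost32" not found!
Deletion of driver "syshost32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist
Completed script processing.
*******************
Finished! Terminate.
"""

SUCCESS_RE = re.compile(r'^(?P<kind>[A-Za-z][A-Za-z ]*?) "(?P<obj>.+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (?P<kind>[A-Za-z][A-Za-z ]*?) "(?P<obj>.+)" failed!$')
STATUS_RE = re.compile(r"^Status: (?P<code>0x[0-9A-Fa-f]{8}) \((?P<name>[A-Z_0-9]+)\)$")
ERROR_RE = re.compile(r"^Error: (?P<msg>.+)$")
DETAIL_RE = re.compile(r"^--> (?P<msg>.+)$")

# NTSTATUS names that mean "the object is there but we were not allowed to touch it".
PROTECTED_STATUSES = {"STATUS_ACCESS_DENIED", "STATUS_SHARING_VIOLATION", "STATUS_CANNOT_DELETE"}


def _record(kind, obj, outcome, error=None):
    return {"action": "delete", "kind": kind.lower(), "object": obj, "outcome": outcome,
            "status_code": None, "status_name": None, "error": error, "detail": None}


def classify(result):
    """Map one parsed result to a verdict a responder can act on."""
    if result["outcome"] == "deleted":
        return "removed"
    if result["status_name"] == "STATUS_OBJECT_NAME_NOT_FOUND":
        return "already_absent"
    if result["status_name"] in PROTECTED_STATUSES:
        return "protected"
    return "unknown"


def parse_avenger_log(text):
    """Return a list of result dicts, one per action Avenger attempted."""
    results, pending_error, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SUCCESS_RE.match(line):
            results.append(_record(m["kind"], m["obj"], "deleted"))
            current, pending_error = None, None
        elif m := ERROR_RE.match(line):
            pending_error = m["msg"]          # belongs to the failure that follows
        elif m := FAIL_RE.match(line):
            current = _record(m["kind"], m["obj"], "failed", pending_error)
            results.append(current)
            pending_error = None
        elif current and (m := STATUS_RE.match(line)):
            current["status_code"] = m["code"].lower()
            current["status_name"] = m["name"]
        elif current and (m := DETAIL_RE.match(line)):
            current["detail"] = m["msg"]
    for r in results:
        r["verdict"] = classify(r)
    return results


def needs_offline_tooling(results):
    """True when at least one object could not be removed because it is protected."""
    return any(r["verdict"] == "protected" for r in results)


if __name__ == "__main__":
    parsed = parse_avenger_log(SAMPLE_AVENGER)
    for r in parsed:
        print(f'{r["verdict"]:15} {r["kind"]:7} {r["object"]}  {r["status_name"] or ""}')
    print("escalate to offline tooling:", needs_offline_tooling(parsed))
```

Run against the sample, the driver deletion from the first log is "removed", the .sys file is "protected", and the second attempt on the driver key is "already_absent"; the protected result is what flips the escalation flag.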
-
OK, that did not want to go... So are you prepared to work outside of Windows?
Download the following three programmes to your desktop :
1. WiNTobootic (https://skydrive.live.com/?cid=32d8666f4048075b&id=32D8666F4048075B%21117)
2. Windows Vista RC (http://www.forum.probz.net/index.php?/files/file/21-windows-vista-recovery-environment-iso/)
3. Farbar Recovery Scan Tool (http://download.bleepingcomputer.com/farbar/FRST.exe)
Extract wintoboot to your desktop
Insert a USB drive of at least 4GB
Run Wintoboot
(http://dl.dropbox.com/u/73555776/wintoboot.JPG)
Drag and drop the Windows Vista ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It
You will see it progressing
(http://dl.dropbox.com/u/73555776/usb%20progress.JPG)
It will let you know when it is done
Then copy FRST to the same USB
(http://dl.dropbox.com/u/73555776/frstwintoboot.JPG)
Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions Here (http://pcsupport.about.com/od/fixtheproblem/ss/bootorderchange.htm)
When you reboot you will see this. Click repair my computer
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg)
Select your operating system
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg)
Select Command prompt
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg)
At the command prompt type the following :
notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
-
Flashing failed. I downloaded WiNToBootic and the ISO twice and I got the same result.
Sorry for the late reply.
-
OK, I have been doing further research after Avenger failed to kill it. Avenger works at ring 0, i.e. one of the very first elements to run after the POST, but there is a proof of concept ring -1 which starts even earlier and is therefore protected before Avenger even loads. I will not post the link for this as I do not want it to become common knowledge. But suffice it to say it appears that you may have this type.
Use of a tool outside of Windows may kill it, but it appears that the control of the system is enough to stop an ISO being burnt.
Therefore I am afraid the only way to kill this is to reformat the drive; an overinstall or re-install of Windows will not work. You need to wipe the drive and start afresh.
-
Can't we try to burn it from Linux? Or maybe another machine?
-
We could try and burn FRST and the recovery console on another system... That will burn the USB nicely; let's hope we have access to the system via that.
-
Can I ask what kind of malware I have? And how harmful can it be? Until now I feel nothing, just that I can't enable the antivirus, and the ISO burn thing is new.
-
It is a rootkit, and at the moment I have been unable to track down a name for it... If the Avast shields were running I would then have an idea.
-
I tried to create the bootable USB on another computer but I got the same problem, flashing failed. Is there another tool to use instead of WiNToBootic?
-
We could try OTLPE from a CD.
OK, next we will work outside of Windows.
Please print these instruction out so that you know what you are doing
- Download OTLPENet.exe (http://oldtimer.geekstogo.com/OTLPENet.exe) to your desktop
- Download Farbar Recovery Scan Tool (http://download.bleepingcomputer.com/farbar/FRST.exe) and save it to a flash drive.
- Ensure that you have a blank CD in the drive
- Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
- Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)
- As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
- Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
- Insert the flash drive with FRST on it
- Locate the flash drive and run FRST
- The tool will start to run.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FRST2.gif)
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.