Avast WEBforum
Other => Viruses and worms => Topic started by: Amandamaywhite on August 29, 2011, 12:45:49 AM
-
My computer has some kind of virus on it and it has blocked me from Facebook and running and all of my virus scans and my Avast says that it is in "Virus Enhanced Protection Mode".
-
my Avast says that it is in "Virus Enhanced Protection Mode".
nope...that is a fake message
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here and not in the guide )
To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( Malwarebytes log - OTL log - aswMBR log ) save OTL log as ANSI
Essexboy will look at the logs when posted.....he usually logs off about midnight European time so he won't be back until late tomorrow...
-
I downloaded Malwarebytes, did the update, ran the program, and it flashed momentarily and went back to my home screen.
-
probably the malware blocking it from running..... you may try running it in safe mode
post the logs you are able to
-
Monitoring
Rename OTL.exe to OTL.scr if it will not run
-
I tried to run Malwarebytes in safe mode, but it still shut down about 5 seconds into it. Also my mouse isn't working properly so it takes more time.
-
OK here we go, let's use this to kill it for a bit
Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) to your desktop
- Quit all running programs
- For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
- When prompted, type 2 and validate
- The RKreport.txt shall be generated next to the executable.
- If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.
THEN
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach both logs
-
Bad processes: 2
[HJ NAME] svchost.exe -- \\.\globalroot\device\svchost.exe\svchost.exe -> KILLED [TermProc]
[RESIDUE] svchost.exe -- \\.\globalroot\device\svchost.exe\svchost.exe -> KILLED [TermProc]
Registry Entries: 0
Particular Files / Folders:
HOSTS File:
127.0.0.1 localhost
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
127.0.0.1 et-ee.facebook.com
127.0.0.1 en-gb.facebook.com
127.0.0.1 es-la.facebook.com
127.0.0.1 eo-eo.facebook.com
127.0.0.1 eu-es.facebook.com
127.0.0.1 tl-ph.facebook.com
127.0.0.1 fo-fo.facebook.com
[...]
Finished : << RKreport[8].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;
RKreport[6].txt ; RKreport[7].txt ; RKreport[8].txt
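The HOSTS section of the report above shows Facebook hostnames pointed at 127.0.0.1, which is why the site is unreachable. As an added example (not part of the original post and not RogueKiller's own code), this is one way to audit a hosts file for that pattern; the sample text and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample modelled on the HOSTS section of the report above.
SAMPLE_HOSTS = """\
# constructed sample, not the poster's real file
127.0.0.1 localhost
::1 localhost
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com      # trailing comment
127.0.0.1 en-gb.facebook.com de-de.facebook.com
0.0.0.0 ads.example.test
10.0.0.5 intranet.example.test
not-an-ip broken.example.test
"""

# Names that legitimately resolve to loopback.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (address, [hostnames]) for each well-formed hosts entry."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or nameless line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address
        yield addr, [h.lower().rstrip(".") for h in fields[1:]]

def sinkholed_names(text):
    """Sorted hostnames mapped to a loopback or unspecified address."""
    hits = set()
    for addr, names in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            hits.update(n for n in names if n not in LOCAL_NAMES)
    return sorted(hits)

def group_by_domain(names):
    """Group hits by their last two labels (naive: wrong for e.g. co.uk)."""
    groups = {}
    for name in names:
        groups.setdefault(".".join(name.split(".")[-2:]), []).append(name)
    return groups

if __name__ == "__main__":
    for domain, names in group_by_domain(sinkholed_names(SAMPLE_HOSTS)).items():
        print(f"{domain}: {len(names)} name(s) redirected -> {', '.join(names)}")
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts. Entries pointing at 0.0.0.0 can also come from a deliberately installed blocklist, so the output needs review rather than automatic removal.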
-
Could you now run OTL please as that should now go
-
I opened OTL, and selected scan all users, and pasted the list in the box, and clicked quick scan and it closed. I tried a few times and it still closed. :-\
-
OK we will go straight for the big boy then
Download and Install Combofix
Download ComboFix from one of the following locations:
When you download it to your desktop rename it to iexplore
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
When I go to run it it comes up with a warning box that says it has detected the following real time scanners to be active : antivirus: avast! Antivirus, and to disable them before scanning. I've checked the bottom right of my screen and it doesn't show it running, and can not find it.
-
And when I click on the Avast icon on my desktop it pops up saying that my computer is in "Enhanced Protection Mode".
-
Yep ignore that warning as Avast has been removed from the start, it is the malware using Avast's name
-
Okay, I went through it and it later on popped up with a window saying that the machine does not have the windows recovery console installed and that "Without it, ComboFix shall not attempt the fixing of some serious infections."
-
Continue and we will get the recovery console on the next run