Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: balls69bc on August 13, 2012, 10:44:40 PM
-
About 10 days ago, AVAST reported 6 files on my laptop representing the 'Win32:Malware-gen threat at a High Severity. As with past such instances, I was given the option of sending them to the virus Chest, which I did. It also suggested that I schedule a Boot-Time scan (which I have also done successfully in the past) but at about the same time, the laptop started behaving strangely. Something was using up serious CPU and Hard drive resources and, within minutes, the pointing device froze and the computer locked up. Knowing that I should be able to safely schedule the Boot-Time scan from Safe Mode, I rebooted to there and clicked on the 'Schedule Now' button and then used the nearby 'Restart Computer' 'link'. Surprisingly, the computer restarted but went straight to Windows, where the aforementioned resource issues reappeared. I have since run full two scans on the laptop with no threats being reported and have tried to Schedule the Boot-time scan several more times with the same results on restart/start (I am fairly sure that there is something 'nasty' in memory causing these problems but, without the Boot-time scan, I can't seem to do anything about it). In the ten or so minutes I have before the laptop locks up again, I have also tried to update the AVAST engine and virus definitions but that just stays stuck in the 'initializing' phase. My registration expires in about 10 days and I am not sure of where to go from here. I have had pretty good success with AVAST Free over the past 5 or so years and would like to be able to continue using it.
Balls
Dell C610 Latitude (512MB), Windows 2000 Professional (Build 2195 SP4), wireless connection
-
start a new post in the virus and worms section and you will get help ...
-
start a new post in the virus and worms section and you will get help ...
Thanks Pondus,
While you are at it, please read: http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0) Malware specialist will need the logs to help you clean your system. You only have a ten minute window whilst in Safe Mode as well? Some of the work can be done in Safe Mode with Networking or USB transfer of programs and logs from a good, clean computer to the sick one, and vice versa.
-
start a new post in the virus and worms section and you will get help ...
Thanks Pondus,
While you are at it, please read: http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0) Malware specialist will need the logs to help you clean your system. You only have a ten minute window whilst in Safe Mode as well? Some of the work can be done in Safe Mode with Networking or USB transfer of programs and logs from a good, clean computer to the sick one, and vice versa.
No, thankfully, I am able to stay in Safe Mode and work for as long as I want. I will read the information provided and provide results as soon as time allows.
-
As Pondus says, our (five) volunteer malware specialists look for users who need help over at viruses and worms. But you can also get help here, is not mandatory. We do not even care if you do not have Avast! as your a/v, just so you know. ;)
-
Hmmmm... I thought that I copied this thread to the 'Virus and Worms' forum but now I can't find it over there. In any event, I have now worked my way through the first 3 steps of the "logs to assist in cleaning malware" tretise by essexboy (when I try to run aswMBR.exe, it tells me that it can't comply because it is not a windows32 application - I will keep working on that. What follows is the logs form MalwareBytes:
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.09.03.07
Windows 2000 Service Pack 4 x86 FAT32
Internet Explorer 6.0.2800.1106
Administrator :: B586863B [administrator]
03/09/2012 12:20:11 PM
mbam-log-2012-09-03 (12-20-11).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 139303
Time elapsed: 14 minute(s), 59 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 1
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4 (Worm.AutoRun) -> Quarantined and deleted successfully.
Files Detected: 9
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\krnln.fnr (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\eAPI.fne (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\sock.fne (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\shell.fne (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\internet.fne (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINNT\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\drmgs.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\winset.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\KBPC080604.log (Trojan.Agent) -> Quarantined and deleted successfully.
(end)
and then I have attached the two logs from OLT.
Looking forward to receiving some input from the experts here so that I can restore my laptop to its former peak performance and get on with many productive items that have been backing up. Any thoughts on how I can get aswMBR.exe to run would be most appreciated.
Hans
-
Any thoughts on how I can get aswMBR.exe to run would be most appreciated.
Try running it in safe mode. Seems you are able to access that, just not able to schedule a boot-time scan.
-
Try running it in safe mode. Seems you are able to access that
Since I required web access to download the malware logging programs, I was fortunately able to 'sneak' those downloads in between freezes of my laptop (no internet access in Safe Mode). I did eventually get aswMBR.exe to run (it helps when one is able to download the ENTIRE program) ;-) but then I noticed the message "Initialize error C0000263 - driver not loaded" in the preamble to actually performing the scan. When I then clicked on the 'Scan' button, the program returned a "Scan error:" message and then 'greyed' out the 'Scan' button. Any thoughts on which driver they are referring to and where I go from here?
-
A malware expert has been notified. Help should be coming soon.
As you may not have any antivirus protection, suggest that you gain access to a second healthy computer for your internet access. Transfer programs and logs to and from to continue with posting, so as to not damage your computer any further than it already is.
Do not worry overmuch about aswMBR.exe not running, there are a multitude of ways to cleanse your system. OTL is the main one, and you've got that one down.
You will be in good hands.
-
Hi this looks like the new zero access
- Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) and save it on your desktop.
- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished ...
- Click on Scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png)
- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png)
- The report has been created on the desktop.
- Next click on the ShortcutsFix
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png)
- The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.
-
As you may not have any antivirus protection, suggest that you gain access to a second healthy computer for your internet access. Transfer programs and logs to and from to continue with posting, so as to not damage your computer any further than it already is.
Had considered doing this earlier but I was worried about transporting whatever this 'thing' is to my healthy (and protected by BitDefender Internet Security) desktop computer via my flash drive. BitDefender does offer me the option of scanning the flash drive for viruses (malware?) as soon as I plug it in to the desktop computer. Do you think that this risk is smaller than that of "damagin(ing) (my) (laptop) computer any further than it already is" if I continue trying to 'hobble along' with internet access on the infected laptop? I still have AVAST Free on the laptop but the virus definitions are not up-to-date (that appears to be one of the things that this malware is preventing) and I have recently received a couple of notices that a new 'program' is available which I haven't yet tried to download - one crisis at a time!
I will await your comments before I take the next step as laid out by essexboy and download and run RogueKiller.
-
Essexboy is qualified malware remover and its recommended to do his steps right away.. :)
-
Hi balls69bc,
With essexboy, a qualified removal expert that had a training by the best and qualifications that are recognized all over the internet by security experts, you are in the best of hands. First thing these experts learn is not to harm your computer and software. There are some bundled automatic removal tools that I would not trust on my computer, but with essexboy and the likes no whim of a doubt..he actually helped me once and did a helluva job...
Let him cleanse, even your jolly fine Bitdefender (a fine product I admit) will be running better after this cleansing routine has been performed...
Remember also this, essexboy may have experienced and cleansed malware in amounts that other normal human beings would not see in five lifetimes,
polonus
-
O.K., so not too sure about the trade-offs here (as mentioned in my previous post) but I decide to try and download RogueKiller on my desktop computer and then transfer it to the infected laptop using a flash drive (after using BitDefender Internet Security to check it for viruses/malware). The downloading went fine, as did the copying of the executable to the flash drive. Started up the laptop in Safe Mode and copied the RogueKiller.exe file to the Windows 2000 desktop. Double-clicked on the icon and got the following: "... is not a valid win32 application", almost exactly the same thing I got earlier with aswMBR.exe. I then removed the flash drive from the laptop, took it back to my desktop computer and, once again, checked it for viruses/malware and then I downloaded RogueKiller again. It came back at exactly the same size as the first download (1.31 MB) so I decided to try a little 'Googling' around 'RogueKiller'. What I found was the RogueKiller is indeed 1.31 MB but it only runs under Windows 7/Vista/XP and, as I wrote earlier and the scan reports show, I am running Windows 2000 Professional. So, now what do we do to restore the use of my laptop?!
-
Sorry just noticed win2k I have never seen that on a laptop before. Unfortunately that severely restricts the tools I can use
Could you tell me exactly the problems that you experience in normal mode. As this will all have to be done manually
-
Could you tell me exactly the problems that you experience in normal mode. As this will all have to be done manually
Dear essexboy,
Sorry, don't really know what else to tell you except what I originally posted on Aug. 13th. The only other things I can think of that have appeared in about the same timeframe are: when the laptop starts up, it doesn't produce a series of beeps which it has been doing ever since I added 256 MB of memory [over a year ago] ('Googling' tells me it has to do with a failing power supply but I don't really believe that). It has also started keeping enabled the PCMCIA card (laptop does not have built-in wireless capability) even though the driver (wirelesscm.exe) has been stopped by an error condition and it has started requesting to check for hard drive consistency every time it boots (in order to maximize my chances of getting something useful done until the laptop eventually 'freezes up', I have been bypassing this). It has also not been going to 'sleep' after a period of inactivity, instead the fan starts running continuously, which tells me that the CPU is working very hard (100% according to Task Manager) and generating lots of heat. Hope this helps you provide me with some guidance.
-
Do you have the ability to burn a CD ?
Please download the following programmes to your desktop:
Dr Web Live CD (http://www.freedrweb.com/livecd/)
ImgBurn (http://www.filehippo.com/download_imgburn/)
Install IMGBurn
- Double click Dr Web
- IMGBurn will open
- Burn the ISO to a cd
- Reboot the infected computer with the CD in the drive
- Ensure that the first boot device is CD - If you are not sure about that then see this page (http://www.hiren.info/pages/bios-boot-cdrom) for instructions
- As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdbootscreen.gif)
- Use arrow keys to select DrWeb-LiveCD (Default)
- When the system is loaded, check the disks or folders you want to scan, and click on “Start”.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdDriveselection.gif)
- The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
- Once completed reboot to normal windows
- No log is produced so once in normal windows run a fresh OTL scan and let me know if the problems persist
-
Do you have the ability to burn a CD ?
I can burn a CD on my uninfected desktop computer but NOT on the infected laptop (only CD drive, no CD-RW). Should I go ahead and download the two programs you suggested to the desktop of my desktop computer and burn the CD, then adjust the laptop Bios for CD to be first boot device and insert the CD in my laptop optical drive and follow the rest of your instructions?
-
Yes it would be better to burn the CD on a different computer, just in case any infection interferes with the burn
-
Yes it would be better to burn the CD on a different computer, just in case any infection interferes with the burn
And, as I said, I don't have the ability to burn a CD on the infected laptop, which has a CD read-only drive.
I see that Dr. Web LiveCD is a 190 MB download and the disc created is an Emergency Recovery disc for systems that have become un-bootable (which point I'm not at yet). While I can access the internet wirelessly from my laptop, I am only on a dial-up connection for my desktop computer, and therefore, a 190 MB download will take a very long time (and may require several attempts to complete). Is it possible that the Dr. Web CureIt! product which, being based on an on-line scanner, would do at least as good a job as Dr. Web LiveCD and won't require such a very large download?
-
Most online virus scans are quite large, this is the smallest I could find
Note: You can use either Internet Explorer or Mozilla FireFox for this Scan.
Vista / 7 users: You will need to to right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
Please go here (http://go.eset.com/us/online-scanner/run/) then click on: (http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif)
If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the following instructions work with either Internet Explorer or Mozilla FireFox.
- Select the option YES, I accept the Terms of Use then click on: (http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif)
- When prompted allow Add-On/Active X to install.
- Make sure that the option Scan archives is checked.
- Now click on Advanced Settings and select the following:
- Scan for potentially unwanted applications
- scan for potentially unsafe applications
- Enable Anti-Stealth Technology
- Now click on: (http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif)
- The virus signature database will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
- When completed the Online Scan will begin automatically. The scan may take several hours.
- [color="#FF0000"]Do not touch either the Mouse or keyboard during the scan otherwise it may stall.[/color]
- When completed select Uninstall application on close, make sure you copy the logfile first!
- Now click on: (http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif)
- Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
- Copy and paste that log as a reply to this topic.
-
Sorry just noticed win2k I have never seen that on a laptop before. Unfortunately that severely restricts the tools I can use
Could you tell me exactly the problems that you experience in normal mode. As this will all have to be done manually
By the way, did the logs I provided earlier from MalwareBytes and OTL not provide at least a hint of what is going on with my infected laptop and/or what to do about it?
Am I right in assuming from your recommendation of the ESET on-line scanner that you prefer it over the Dr. Web CureIt! As far as the on-line scanner goes, I'm not quite sure what you mean about "most on-line scans are quite large" - I thought that one of the benefits of on-line scans is that they don't need to be downloaded to the users' computer. Also, to add another 'wrinkle' to this whole adventure, while I have been running Firefox on the infected laptop for the past couple of years, I am running Chrome on my desktop computer (although I do still have a copy of Internet Explorer 6 on it). Since you don't mention the Chrome browser with respect to ESET and your instructions (and we are trying to stay away from doing this work on the infected machine), what would you suggest that I do?
-
Unfortunately all online scans nowadays will download the full virus definitions
I do prefer Dr Web over Eset but it is bigger
The thing with online scans is that the infected system must be connected to the net to do an effective job
All I am looking for now is any possible file replicators, I do not believe that you have one, but they will mess with safe mode. Otherwise I am seeing no malware signs on the initial logs
-
Unfortunately all online scans nowadays will download the full virus definitions
I do prefer Dr Web over Eset but it is bigger
The thing with online scans is that the infected system must be connected to the net to do an effective job
All I am looking for now is any possible file replicators, I do not believe that you have one, but they will mess with safe mode. Otherwise I am seeing no malware signs on the initial logs
O.K., so with an online scanner, I need to be running it from the infected laptop. As long as I can accomplish it before the laptop freezes up again on me, that would seem to solve the problem with the Eset on-line scanner apparently only working with Firefox or Internet Explorer since Firefox is exactly what I am using on the Dell Latitude C610 laptop. When you say that you "prefer Dr. Web over Eset" are you talking about the Dr. Web LiveCD emergency recovery disk program or the Dr. Web CureIt on-line scanner program or both? Which one should I now attempt to run on the infected laptop connected wirelessly to the internet (fast connection)?
Just to repeat, I don't seem to have any problems while in Safe Mode except that the laptop seems to be running slower - at least it doesn't freeze up on me!
I recognized a file listed in one of the logs, tcpwamlib.exe, which I have had dealings with before and had to send to the AVAST Virus Chest.
-
That is a stopped service, which I can remove for you. With Win2k though there are a lot of older files that are no longer used on XP and beyond
I prefer both versions of Dr Web, the AV itself is only average for detection but the removal tools are good
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
SRV - File not found [Auto | Stopped] -- C:\WINNT\System32\tcpwamclib.exe -- (WamcSvc)
:Commands
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
O.K., so I followed your instructions, starting in 'Safe Mode'. As soon as I began, I received a series of 3 instances of the same error message: "WinMgmt.exe. has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created." After determining which directory this file resides in (C:\WINNT\system32\wben), I found 3 logs which had been updated today and I have attached copies of all three (results to this point). During this effort, I received another 12 notifications regarding the WinMgmt.exe program. When the computer rebooted from OTL, I wasn't fast enough to select 'Safe Mode' so it went to a normal boot. Once re-booted, I started OTL and then clicked the 'Quick Scan' button and the program took off, with a series of file names and Registry entries flashing by in the Status Bar. During this time, another 6 notifications were received regarding the WinMgmt.exe program. Unfortunately, when the OTL 'Quick Scan' was about three-quarters done, the laptop froze (as it has been doing for weeks now).
So, I shut it down and restarted in 'Safe Mode' and re-ran OTL 'Quick Scan'. One thing I noticed was that, although when I first opened OTL, the selection boxes were as shown in your screenshot above, when I clicked on 'Quick Scan', the 'Use Company-Name WhiteList, Skip Microsoft Files, LOP Check and Purity Check all became selected. OTL 'Quick Scan' finished its work (much quicker than the first time I ran it - before the laptop froze) and I have attached the OTL log that it created (it did not create an 'Extras' log file this time). During this time, I received the initial sries of 3 plus 5 more notifications regarding the WinMgmt.exe program.
I have not yet run either the Eset or Dr. Web CureIt! on-line scanners on the infected laptop and I await your comments/further instructions.
-
OK lets cure the winmgmt problem first
What has happened is a system config file has been corrupted...
go to:
C:\WINNT\system32\wbem\Repository
in there you will find a file named:
$WinMgmt.CFG$
DELETE IT... or if you don't want to, rename it to $WinMgmt.CFG.OLD or something...
SHUT DOWN... and Power Back Up again... when you log back in it will give you the same message once... wait till the OK button appears (this should restart WinMgmt.exe)...
CLICK OK... and you should be good to go...
if for some reaspon WinMgmt.exe doesn't automatically start you can double-click it at:
C:\WINNT\system32\wbem\winmgmt.exe
-
Hi essexboy,
In 'Safe Mode', I followed your instructions regarding WinMgmt to the letter (except for the second '$' on the $WinMgmt.CFG file but it has made not difference. Did some looking around on my own and found what I believe is your source for those instructions (techspot.com?) and there is a process further down the page there (#20) that purports to be from the original Microsoft support Knowledge Base article (Q298130) and which involves stopping the WinMgmt service, deleting/renaming all the files in the Repository directory and then re-starting the service. Tomshardware has a forum item which seems to agree with this advice.
I also came across a Knowledge Base article (830075) which deals with excessive use of CPU resources and requires the user to reduce the 'Logging' action of Windows Management Instrumentation (WMI) to 'Errors only'. However, I tried this procedure and was unable to access the 'Logging' tab (clicking on it does nothing) with the following message 'Failed to connect to <local computer> because "WMI: Initialization failure"'. Is it possible that this is what has slowed my laptop down to a crawl, eventually 'freezing' right up and, if so, any ideas on how to fix?
-
There is a batch file here that may solve the problem http://www.pcreview.co.uk/forums/wmi-problems-t1898592.html post 2