Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: zeratrix on September 08, 2012, 07:56:51 AM
-
I got avast because my computer was acting odd, so I ran a deep scan, good idea, found thirteen infected files, deleted all except one, it was a specific trojan patch file and it was located in my services.exe file. I tried to do as the internet said by running task manager and ending any suspicious looking processes, but my windows blocked me at every turned saying 'access denied' (And i'm the admin!) so now I need to figure out how to delete a secure locked file on my windows 7 home premium system without restoring (I'm pretty sure it can just come back if I restored the system). Any help would be appreciated.
-
so I ran a deep scan, good idea, found thirteen infected files, deleted all except one
never delete as first option....you have none left
Clean, Quarantine, or Delete? http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm
so now I need to figure out how to delete a secure locked file on my windows 7 home premium system without restoring (I'm pretty sure it can just come back if I restored the system). Any help would be appreciated.
start a topic in the virus and worms section and you will get help removing it
-
Hi zeratrix,
...found thirteen infected files, deleted all except one, it was a specific trojan patch file and it was located in my services.exe file. I tried to do as the internet said by running task manager and ending any suspicious looking processes, but my windows blocked me at every turned saying 'access denied' (And i'm the admin!) so now I need to figure out how to delete a secure locked file on my windows 7 home premium system without restoring...
Deleting services.exe will kill your system deader than dead, just so you know. System files should never be deleted even if infected. This requires expert help to fix the services.exe file.
Here: http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0)
Attach the the logs from these three programs: Malwarebytes (MBAM), OTL, and aswMBR.exe in your next reply.
-
This is a zero access infection .. Monitoring
-
Here: http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0)
Attach the the logs from these three programs: Malwarebytes (MBAM), OTL, and aswMBR.exe in your next reply.
I don't have any of those programs, so I don't have logs from said programs sorry, I do need expert help and if it will kill my system then i'm in big trouble, I just got back on my laptop today and after MSN loads up my computer stops responding period. I had to load my laptop up in safe mode with networking just so I could get on the internet today.
-
Here: http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0)
Attach the the logs from these three programs: Malwarebytes (MBAM), OTL, and aswMBR.exe in your next reply.
I don't have any of those programs, so I don't have logs from said programs sorry, I do need expert help and if it will kill my system then i'm in big trouble, I just got back on my laptop today and after MSN loads up my computer stops responding period. I had to load my laptop up in safe mode with networking just so I could get on the internet today.
Hi:
Follow the 'link' and subsequent direction that mchain has supplied in his response. ;)
-
I don't want to download additional software though, can spybot search and destroy be used as a substitute, I'm not sure but it might have logs, i'm not positive though
-
No Spybot is not man enough for the job. I will need to use at least two specialist tools to clear this
-
*sighs* alright spybot always caught malware that malwarebytes didn't, the programs I have for these sorts of things are: Advanced Systemcare 4, Spybot Search & Destroy, and Avast Antivirus. The computer started to seriously lag when I downloaded avast, so I'm extremely wary of downloading new software.
-
*sighs* alright spybot always caught malware that malwarebytes didn't
you mean tracking cookies or some adware .....spybot once a good program in the old days of spyware cant handle todays tuff malware
also they release a small update a week ....malwarebytes may have 10 in one day
The computer started to seriously lag when I downloaded avast, so I'm extremely wary of downloading new software.
EssexBoy can't fix this unless he is allowed to use his tools
it's like saying to the car mechanic, fix my car but you can only use the sissors in the clove compartment
he will remove all tools when done, you can trust him he does several cases like this every day....just surf the virus and worms section and see
so he need logs from AdwCleaner / Malwarebytes / OTL / aswMBR http://forum.avast.com/index.php?topic=53253.0
-
I see what you mean, the crazy thing is (and now I feel dumb) is that I HAD malwarebytes on my computer, but since the scans were coming up negative and yet spybot would find the problems instead I uninstalled it, now I reinstalled it, here's the log from malwarebytes (I am an amateur user so I have NO IDEA what any of this stuff means)
Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org
Database version: v2012.09.11.09
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Nathan :: NATHAN-PC [administrator]
9/11/2012 8:55:24 PM
mbam-log-2012-09-11 (20-55-24).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 206509
Time elapsed: 6 minute(s), 45 second(s)
Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 2800 -> Delete on reboot.
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.
(end)
I'll send in the logs for adwarecleaner and stuff when I'm told what this gobbledygook means (as you can tell i'm pretty dumb when it comes to tech, part of the reason why i'm in this mess in the first place)
-
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.
This is the problem, and if you run malwarebytes it will be there again as malwarebytes is not strong enough either
So with the OTL scan I will be able to determine the trigger delte that and then look at removing the bad boy
-
alright i'll download otl but among the programs you suggested that one looks the most complicated to use.
-
Ok got the OTL downloaded and is scanning, no idea how the save file format thing is supposed to work but since I can simply attach the logs as is under 'attachments and other options' this shouldn't be a problem, hopefully we'll be able to find a solution to this problem it's actually starting to scare me a little.
Also the OTL and all the files somehow ended up under the downloads area of my computer *shrugs* as long as it works.
-
New problem now, windows won't let me use OTL, it says and quote 'OTL can't be run from a temporary folder, to use OTL please download it to your desktop' I know the answer says to save it to your desktop but I don't know how to do that, how do you save otl to your desktop, here's what happens when I click on it
pop up appears at the bottom asking if I want to run, save or cancel the usage of the software
I click run, a new popup shows up saying it can't be verified and if I still want to run the software I click 'yes'
otl refuses to load because apparently the file is running from a location other then the desktop.
Here's what I want to know, I'm sure now that I have to click on save but once I do that what do I do next?
Move OTL from the download folder to the desktop. - Right-click the OTL file in "Downloads" if using Firefox (inside My Documents)
- or "My Documents" if using Internet Explorer and select/click "Cut" option.
- Move your mouse to any place on the desktop and right-click.
- A drop-down menu will appear.
- Select/click "Paste".
OTL will move from the download folder or My Documents to the desktop. If winds up in the middle of the desktop, that is ok.
You should now be able to scan using OTL and produce the needed log for essexboy to read and craft the specialized fix your system needs to run as it should again. There is more work ahead, as essexboy said, the OTL fix will disable the malware; he will then be able to kill it with your help. Disabling it comes first, removal of the actual malware comes later.
Do not worry, you are in good hands with essexboy.
-
Got it and modified my reply to reflect it see above but the scan took a lot longer then indicated now I need to wait for essexboy to see both files, I know where they're at on my laptop NOW I just need to hit the save as feature and change the coding to ANSI coding, since i've done that now I guess we move on to step three....
-
Use attachments and other options below to attach your OTL files in your next reply. Click "Browse" button below and a new window should appear, likely the Desktop window. Select OTL first, by highlighting it, and click "Open". A second line will appear for another attachment. Hit Browse again and select OTL Extras. Click open once again. You should now have two attachments in the Attach area.
Post your reply when all is ready to go.
As essexboy lives in England, may be a bit of a wait for an answer due to time zone differences.
-
but I already attached the files on the previous page, nevermind i'll attach them on this page too.
-
Hi,
Aplogies are in order here. Did not know you had modified post number twelve made earlier than the later post I made. Sorry about that.
-
No big deal, apparently being a newb also means I can also only delete personal messages and not send any myself....whatever, why can't you delete posts? it seems a bit odd in my opinion.
-
Once you reach 20 posts, then you can PM if you wish. It is similar to using CAPTCHA for the first three posts when brand-new. We all have to go through this so-called probation period.
You will find this is a great forum; all expert fixes are provided gratis by volunteer malware experts. There never is a service charge for the work done, so.... this is work that would cost a pretty pence elsewhere. All one needs to do is believe and follow directions exactly. Any questions, ask first.
Support is always free here.
-
right anyways I'll have to wait until tomorrow for a response, it's 12:15 AM over on my end (I'm a bit of a night owl) so might not be watching the replies as much until tomorrow heh.
-
Hi you look to have a double infection so lets try and get it all in one
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKU\S-1-5-21-2140486129-4243796177-4229979698-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
[2012/09/11 21:07:44 | 000,020,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\svchost.exe
:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]
:Files
C:\Windows\Installer\{b53105a8-4b6b-54da-ff04-6f7c09282ade}
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\{b53105a8-4b6b-54da-ff04-6f7c09282ade}
C:\Windows\System32\config\systemprofile\AppData\Local\{b53105a8-4b6b-54da-ff04-6f7c09282ade}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
FINALLY
Download the latest version of TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
- Doubleclick on TDSSKiller.exe to run the application
(http://dl.dropbox.com/u/73555776/TDSSFront.JPG)
- Then click on Change parameters.
(http://dl.dropbox.com/u/73555776/TDSSConfig.JPG)
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
(http://dl.dropbox.com/u/73555776/TDSSFound.JPG)
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
(http://dl.dropbox.com/u/73555776/TDSSEnd.JPG)
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
-
I notice you helpfully included a link to TDSSkiller but not combofix, can you send me a link to combofix? I won't be able to do everything like you suggested properly otherwise.
Edit:nevermind I must be half-blind, downloading and running now.
Ok scan finished I didn't understand much on what was being shown but one thing WAS shown that made me REALLY happy when combofix was going on
"A file on the system has been infected!!!
attempting to restore windows:/service.exe
...file restored (smiley face)"
Combofix did....what none of the other programs could do, it quite possibly got rid of one of my most persistant and insidious trojans....or maybe just one of them but still.
As for how my computer is running *shrugs* it's running the same as it was before, granted that trojan is PROBABLY going to try to rear it's ugly head again since it's gotten off the internet (so much malware it's annoying) the files come onto the computer straight off of all the sites I visit (including believe it or not my own homepage! unbelievable!) one odd thing I noticed, I couldn't access my internet browsers when the log was being made, to top things off my computer restarted when the scan finished, and blue screened of deathed the first time when combo fix finished stage_3, I'm going to have to recreate the internet explorer shortcut now....small price to pay for getting rid of a trojan well honestly I don't know if it's gone...yet. I still need to run a malwarebytes scan to be sure that the file is gone for good. Though given what combofix told me i'm hoping it is.
Double edit: Nevermind, still on here, should've been given a clue when the performance didn't change one iota, but you can always hope right?
The file below is the log created from combofix, it simply said log.txt so that's what I named it when i saved it.
-
Have you run TDSSKiller ? As this is still evident c:\\.\globalroot\systemroot\svchost.exe
-
Yes I did, problem is the report thing won't let me copy and paste the report (I tried right clicking on it, that does nothing, I also tried highlighting the entire selection, again nothing) I did cure that same rootkit that was on there but as I said the program won't let me copy and paste the report and I don't know how to do it so I could use some immediate instructions from anyone familiar with this program. I can't give a report on something that refuses to acknowledge my mouses right clicks. If there's a control key for it I don't know what it is.
Edit: Nevermind about copying and pasting the current report, we found the rootkit and cured it and now it doesn't show up but does that mean i should run combofix again? Because both trojans are still there...and I still want to figure out how to use the control keys to copy and paste, for future reference.
-
The log will be located at C:\TDSSKiller date time could you attach that
-
Ok found it, somehow the log ended up on the computer but the tdsskiller ended up in the downloads, I'm going to attach every scan that I had, just tell me what to do after that though, there's around three records. Two of them had cure on reboot, after that the file....disappeared.
Edit: Forum won't let me attach the other two files, they're all 100 kb in size and the attachment limit is under 200kb (you should fix that, I have three logs and if this won't let me post all of them then we'll have problems determining what happened.
-
Edit: Forum won't let me attach the other two files, they're all 100 kb in size and the attachment limit is under 200kb (you should fix that, I have three logs and if this won't let me post all of them then we'll have problems determining what happened.
Sorry you're having problems.
Workaround is to attach each log in a separate reply. Can't do much about the Avast! forum rules as a user, so... Once your logs are clean, they should be a lot smaller in size.
-
OK could you re-run TDSSKiller with the same parameters
When you reach this element select delete :
\Device\Harddisk0\DR0 ( TDSS File System )
Once done could you let me know what problems remain. Avast will alert as the files are moved
-
Just ran a new scan apparently that one file is attached to several other files now in quarentine, deleted it, the only other file left is a single suspicious one, I have noticed that my startup is running a lot more quickly and smoothly now. Attaching the recent log report.
-
Nice going! :)
Once you are satisfied with the progress made, let essexboy know.
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Go to control panel
- Select folder options (Appearance > Folder options in category view)
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- GoStart > All programs > Accessories > system tools
- Right click Disc cleanup and select run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Actually, considering how unbelievably helpful combofix has been I think i'll keep that
Ran malwarebytes one last time to be on the safe side, sure enough there are now no more trojans, it...was hard....(and took a few weeks to fix) i'll keep this hardware on my computer just in case another trojan manages to slip through the cracks.
-
Congrats on a successful outcome so far.
Combofix is a very powerful program, and one that if used improperly, can kill your system. Thus, it is best to use it only under trained guidance.
If you do keep the version you have now, in less than a week from now, the version you have will be out of date. Combofix is updated by its authors frequently, sometimes hourly, so any recent version can soon become obsolete.
Just be glad it is there if you should ever (hopefully not) need it again, and be glad it was of use for this time as well.
You can have a look at the type of training people like essexboy and others undertake to fight malware here: http://www.uniteagainstmalware.com/ (http://www.uniteagainstmalware.com/) There are other schools like this elsewhere on the web as well.
You might also want to have a look at this (off topic somewhat): http://secunia.com/advisories/50626/ (http://secunia.com/advisories/50626/) Best to avoid use of IE for now.