Avast WEBforum
Other => Viruses and worms => Topic started by: bdp1971 on March 23, 2013, 07:40:29 PM
-
I downloaded Avast the other day to assist me in cleaning up my laptop. Everything went well except for the infamous services.exe error. After reading numerous posts on the net about how to "fix" my problem, I figured it only best to outsource my problems to the team who helped clean up everything else!!! Hopefully once I'm over this hump, I'll be home free!?!
I've followed the steps in http://forum.avast.com/index.php?topic=53253.0 and am attaching the appropriate log files...
-
do you also have the aswMBR log?
-
No not yet because the topic told me not to run it until I post these first. I'm about to do it now. In the meantime, here's the extras file...
-
Hi I see you have combofix on the system .. Please delete that copy
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
SRV:64bit: - File not found [Auto | Stopped] -- C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe /McCoreSvc -- (McProxy)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\Program Files\mcafee\VirusScan\mcods.exe -- (McODS)
SRV:64bit: - File not found [Auto | Stopped] -- C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe /McCoreSvc -- (McNASvc)
SRV:64bit: - File not found [Auto | Stopped] -- C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe /McCoreSvc -- (McNaiAnn)
SRV:64bit: - File not found [Auto | Stopped] -- C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe /McCoreSvc -- (mcmscsvc)
SRV:64bit: - File not found [Auto | Unknown] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe /McCoreSvc -- (McMPFSvc)
SRV - [2012/06/14 13:40:08 | 000,828,032 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Users\Dante\AppData\Local\Temp\0182501363885925mcinst.exe -- (0182501363885925mcinstcleanup)
[2012/09/29 18:15:16 | 000,004,819 | ---- | M] () (No name found) -- C:\Users\Guest\AppData\Roaming\Mozilla\Firefox\Profiles\9enf2adr.default\extensions\rbjqlghgxj@rbjqlghgxj.org.xpi
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
O4 - Startup: C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
[2013/03/21 23:33:09 | 000,000,000 | ---D | C] -- C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy
:Files
C:\Windows\Installer\{42c209d9-6f64-047c-6a65-ec5986a97d31}
C:\Users\Guest\AppData\Local\{42c209d9-6f64-047c-6a65-ec5986a97d31}
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
OK, I'll give that a shot. Here's the other file you requested...
-
It appears that after carefully following everything you asked me to do, the virus was successfully removed. However, the computer hung on start-up during the automatic reboot while running Combofix. I'm attaching both of the files you requested and will attempt a cold boot now. Hopefully all will be right in my world, and things are back to normal. If not, you've got my log files...haha
-
Let me know the result of the boot please
-
No good!! The only way to get in is through Safe Mode.
-
OK could you run OTL scan from safemode please and I will see if I can locate the problem
Use this script
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT
-
Ok thanks. Should I click "Run Scan" or "Run Fix"?
-
Ok thanks. Should I click "Run Scan" or "Run Fix"?
run scan
the fix is next.....if essexboy finds anything in that log. ;)
-
Thanks Pondus. I wasn't sure because he gave me a script to add to the bottom portion but here's the file...
-
no problem...
anyway, essexboy is in bed now so check back tomorrow. ;)
-
Okay will do.
-
It looks as though an ADS has attached itself to the services file after it was cleaned. I will remove that now
< MD5 for: SERVICES.EXE.93A035487F176007 >
[2012/09/29 10:18:19 | 000,328,704 | ---- | M] (Microsoft Corporation) MD5=24ACB7E5BE595468E3B9AA488B9B4FCB -- C:\windows\SysNative\services.exe.93A035487F176007
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Files
@C:\windows\SysNative\services.exe.93A035487F176007
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
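A read-only way to repeat the checks behind the MD5 listing and the ADS finding above, as an added PowerShell example that is not part of the original thread. It hashes the core files named in the custom scan, reports their signature status, and lists alternate data streams and leftover services.exe.* copies; it assumes Windows PowerShell 4.0 or later, and the hashes are only meaningful when compared against a known-good copy from the same Windows build.

```powershell
# Added example, read-only: nothing is deleted or modified.
# In 32-bit PowerShell on 64-bit Windows, use 'SysNative' instead of 'System32'.
$sys = Join-Path $env:windir 'System32'

# Core files named in the custom scan (explorer.exe lives in %windir%).
$files  = @('services.exe', 'winlogon.exe', 'userinit.exe', 'svchost.exe' |
            ForEach-Object { Join-Path $sys $_ })
$files += Join-Path $env:windir 'explorer.exe'

# Leftover renamed copies such as services.exe.<suffix>, like the one in the log.
$files += @(Get-ChildItem -LiteralPath $sys -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -like 'services.exe.?*' } |
            ForEach-Object { $_.FullName })

$report = foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { continue }

    # Every file has the unnamed ':$DATA' stream; any other stream is an ADS.
    $ads = @(Get-Item -LiteralPath $f -Stream * -ErrorAction SilentlyContinue |
             Where-Object { $_.Stream -ne ':$DATA' } |
             ForEach-Object { $_.Stream })

    [pscustomobject]@{
        File      = $f
        MD5       = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash
        # Older PowerShell versions may show catalog-signed system files as NotSigned.
        Signature = (Get-AuthenticodeSignature -LiteralPath $f).Status
        ExtraADS  = $ads -join ', '
    }
}

$report | Format-Table -AutoSize -Wrap
```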
-
Here's the OTL log file and I'm sending the other file OTL created as well. Problem still exists. This time, I'm able to move past the login screen but it hangs while trying to enter Windows.
-
OK from safe mode do the following :
Go Start > All Programs > Accessories
Right click Command Prompt and select run as administrator
In the black box type the following :
sfc /scannow
-
Done. It says "Windows Resource Protection did not find any integrity violations."
The boot process now fully brings me into Windows and allows me to see the desktop and my icons but I can't select any of them because it's hanging. I've waited as long as 30 minutes to see if it allows me to select anything but nothing.
-
Do you have any other ideas on what may be causing this?
-
OK next we will take the safe boot system to main windows, this may be a conflict. Do the following in safe mode and then allow to boot to normal windows
Next we will check for driver conflicts
Step 1: Start MSConfig
Click Start, type msconfig in the Start Search box, and then press ENTER.
If you are prompted for an administrator password or for a confirmation, type the password, or provide confirmation.
Step 2: Configure Selective Startup options
1. In the System Configuration Utility dialog box, click Selective Startup on the General tab.
2. Click to clear the Load Startup Items check box.
Note: The Use Original Boot.ini check box is unavailable.
3. Click the Services tab.
4. Click to select the Hide All Microsoft Services check box.
5. Click Disable All, and then click OK.
6. When you are prompted, click Restart.
Once back in windows does the problem still occur ?
-
No, everything appears to be fine now. Of course, now some of my services aren't running. Will I have to start Avast every time I log in to get it to work?
-
Should I pick some to load on startup and get rid of the problem-causer by process of elimination?
-
Yep that was the next stage, this is tedious though
Open MSConfig again and re-enable half of the services and then reboot
If that still works then re-enable half of the remainder reboot etc..
Once we have determined which one is the problem let me know and we will try to resolve that
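To prepare the halving described in this post, the following added example (not part of the original thread) lists services whose executable is not published by Microsoft, which approximates msconfig's Hide All Microsoft Services filter, and splits them into two groups for the first round. It assumes Windows PowerShell 3.0 or later; the vendor test looks only at the service executable, so third-party services hosted inside svchost.exe are not listed.

```powershell
# Added example, read-only: lists candidates for the halving procedure; changes nothing.
function Get-ServiceBinary([string]$PathName) {
    # The service path is either quoted, or unquoted with arguments after the .exe.
    $exe = $null
    if     ($PathName -match '^\s*"([^"]+)"')  { $exe = $Matches[1] }
    elseif ($PathName -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
    if ($exe) { [Environment]::ExpandEnvironmentVariables($exe) }
}

$suspects = @(Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe = Get-ServiceBinary $_.PathName
    $company = '(binary not found)'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName
    }
    [pscustomobject]@{
        Name = $_.Name; StartMode = $_.StartMode; State = $_.State
        Company = $company; Binary = $exe
    }
} | Where-Object { $_.Company -notlike 'Microsoft*' } | Sort-Object Name)

if ($suspects.Count -eq 0) {
    Write-Host 'No non-Microsoft services found.'
} else {
    # First half is re-enabled for this boot, second half stays disabled.
    $half = [int][math]::Ceiling($suspects.Count / 2)

    Write-Host 'Round 1: re-enable these in msconfig, then reboot:'
    $suspects[0..($half - 1)] |
        Format-Table Name, StartMode, Company -AutoSize | Out-Host

    if ($half -lt $suspects.Count) {
        Write-Host 'Leave these disabled for now:'
        $suspects[$half..($suspects.Count - 1)] |
            Format-Table Name, StartMode, Company -AutoSize | Out-Host
    }
}
```

If the boot is clean, the fault is in the group still disabled; if the hang returns, it is in the group just re-enabled. Repeat on that group only.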
-
Yeah that's what I thought you were going to say!! I'll do it later and let you know tomorrow because my son's got some homework to do but thanks!! It looks like we're almost home free!!
-
Aye, unfortunately I come across this problem in about one in two or three hundred cases of this >:(
-
So I went back and forth many times to figure out the perpetrator and it looks like "MBAMService" from Malwarebytes Corporation is causing the headache. This company also produces another file on load called "MBAMScheduler" which does work. Also, it took several tries to finally get Avast to "stick". I would select it for enabling but after rebooting it would not.
Should I delete Malwarebytes or is it important to keep? If so, do I need the service to load on startup?
Thanks Essexboy!!!
-
What I would recommend here is an uninstall and then re-install of MBAM as part of it may have been damaged
Download MBAM clean to your desktop http://downloads.malwarebytes.org/file/mbam_clean
Uninstall MBAM via control panel
Run MBAM clean and reboot
Then re-install MBAM
How is Avast behaving now ?
-
The problem re-arises after rebooting. I deleted/cleaned a second time and the same thing happened. I also went into MSConfig to check the settings and "MBAMService" was deselected and said to have stopped earlier when I did it manually, before running clean and deleting the software?! Weird!!!
As far as Avast is concerned, it's there, service is running but for whatever reason, the icon isn't displaying on the tray. I went to "customize" to make sure it is being displayed and it says it is but I don't see it. The only way to make the tray icon appear is to actually select the program from my desktop, and "X" out once it opens.
-
OK there may be a damaged entry for avast as well
Let's reinstall Avast
Download Uninstall Utility (http://www.avast.com/uninstall-utility) to your Desktop.
Download the correct version of Avast
http://files.avast.com/iavs5x/avast_free_antivirus_setup.exe
http://files.avast.com/iavs5x/avast_pro_antivirus_setup.exe
http://files.avast.com/iavs5x/avast_internet_security_setup.exe
Disconnect from the net
Uninstall Avast via control panel
- Boot to Safe Mode.
- Restart the computer.
- As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
- Use the arrow keys to select the Safe mode with Networking menu item
- Press Enter.
- Run aswClear
- In the Select Product to Uninstall dropdown choose the version of Avast that is on your system.
- Press Uninstall
- Once complete reboot your system to Normal Mode
- Reinstall Avast
----------
-
Done!! The icon appears on startup now. I'm okay with downloading/running/deleting MBAM periodically if that's what it'll take to fix this. Everything seems to be running perfectly right now without it. Unless you think the re-installation of Avast may have solved the problem with MBAM?
-
It may be that MBAM just does not like your computer, but if you do download it and it works with no problem then keep it ;D
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall
(Notice the space between the "x" and "/")
then click OK
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Clear Restore Points
Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up at the first prompt select OK after it has done some calculations the tabs will appear
Select More Options tab
Press System Restore and Shadow Copies Cleanup button
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
If you use on-line banking then as an added layer of protection install Trusteer Rapport (http://www.trusteer.com/Products/Trusteer-Rapport-for-Online-Banking)
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave: