Avast WEBforum
Other => Viruses and worms => Topic started by: javiervalero on May 14, 2013, 09:07:19 AM
-
Avast no logra remover el Win32:BitCoinMiner-CA. Solo lo bloquea.
Objeto: dentro del user.... /AppData/Local/Temp/iswizard/iswizard.7z | wuaudit.exe
Infección: Win32:BitCoinMiner-CA (Trj)
Proceso: c:/Windows/SysWOW64/rundll32.exe
-
Reporte de adwcleaner
-
Reportes de OTL
-
post in english, as that is the language the removal experts use. ;)
and the log you posted above marked Malwarebytes is from AdwCleaner
also attach malwarebytes log
malware removers are notified, it may take hours before they arrive so be patient
-
Hi,
Step#1
> Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.
> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
How to disable avast:
- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens on the top right corner, click Settings.
- In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.
> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.
******************************
Step#2
Please download zoek.exe (http://home.kpn.nl/stefsmeenk/zoek.exe/) and save it to your desktop.
- Close any open browsers.
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Double click on zoek.exe to run the tool .
Please wait while the tool does not start...
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
standardsearch;
- Click on (http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png) button
Please wait until a logreport will open (this can be after reboot)
- Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named "zoek-results.log"
-
Hola Javier.
Si necesitas ayuda en algo que no entiendas estare atento. Por los momentos sigue las instrucciones de magna86.
Translation of magna86's instructons.
Paso #1
1.) Descarga ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) a tu escritorio. Combofix tiene que ejecutarse desde el escritorio.
2.) Desactiva el modulo de defensa y los escudos de Avast!.
a.) Abre Avast! > Opciones > Solucion de problemas > desmarca "Activar el modulo de defensa de avast!" > Aceptar.
b.) Click derecho al icono de Avast! en tu barra de tareas > Control de los escudos de avast! > Desactivar permanentemente.
3.) Ejecuta ComboFix y clickea "I agree". Clickea "Yes" a todo lo que Combofix pregunte. Puede que instale una nueva version y lo mas seguro instalara una consola de recuperacion.
Mientras ComboFix se ejecuta o esta haciendo el analisis no muevas el raton o clickees nada .
Si te sale una alerta con "Illegal operation attempted on a registry key that has been marked for deletion" solo reinicia tu ordenador y hazlo saber aqui lo que paso.
4.) Cuando Combofix termine genera un reporte comummente en C:\ComboFix.txt . Por favor anexa el reporte en tu respuesta.
Paso # 2
1.) Descarga Zoek (http://home.kpn.nl/stefsmeenk/zoek.exe/) y guardalo en tu escritorio.
2.) Desactiva Avast! como lo hicistes arriba si los escudos o tu lo volvieron a activar y asegurate que los navegadores o el explorador de Windows esten cerrados.
3.) Ejecuta zoek.exe. Espera a que abra.
4.) Copia el codigo de abajo y pegalo en la caja o el espacio vacio de zoek.exe.
standardsearch;
5.) Clickea donde dice " RUN SCRIPT ". Cuando termine puede que pida reiniciar el ordenado y te dara un reporte "zoek-results.log". De cualquier forma salva el reporte para despues anexarlo en tu respuesta con el reporte de combofix. Si no genera el reporte automaticamente, lo puedes conseguir en C:\zoek\zoek-results.log.
-
Malwarebytes - Anti-Malware Report
-
Iroc9555:
Gracias por tu respuesta
Yo vengo ejecutando como habrás visto, el proceso propuesto por essexboy, AdwCleaner/MBAM/OTL/aswMBR...
pero aswMBR no pudo completar el scan, y aparece:
avast! Antirootkit dejó de funcionar
El programa dejó de funcionar correctamente por un problema. Windows cerrará el programa y le notificará si existe una solución.
AHÍ QUEDÉ.
Ahora, abandono todo este plan de ataque, y ejecuto las instrucciones de magna86?
El plan de magna, es para terminar con el virus, o es básicamente para estudiar los reportes y buscar la solución?
Al momento tengo prendido avast y ahora quedó el MBAM. Ambos avisan cada tanto que han bloqueado al virus.
Un dato: luego de una inactividad de mouse de 3min., cuando uno vuelve ya se encuentra con el aviso de avast y de MBAM.
-
COMBOFIX report
combofix se ejecutó, pidió restart, y finalizó con el reporte. Abro my documents, y saltó el error "illegal operation attempted on a registry key that has been...."
, reinicié y vuelve a estar todo operativo.
Veo que:
en ....user/AppData/Local/Temp/ la carpeta iswizar, donde estaban el wuaudit.exe y el dwm.exe, que bloqueaban avast y mbam, ha sido eliminada por ComboFix.
El combofix se ejecutó con el avast desactivado, pero olvidé desactivar el mbam. Espero que eso no haya interferido en este scan. Pareciera que no.
-
Zoek Report
-
Hi,
I practically have no idea what you're saying ( ;D) but I understand this part.
"illegal operation attempted on a registry key that has been...."
Reboot / restart your computer will fix the problem.
------------------------------------
Open notepad and copy/paste all text present inside the code box below:
FileLook::
c:\windows\system32\roboot64.exe
KillAll::
ClearJavaCache::
File::
F:\Usuarios\Javier V\AppData\Roaming\Mozilla\Firefox\Profiles\0\extensions\torntv@torntv.com.xpi
F:\Usuarios\Javier V\AppData\Roaming\SpecialSavings\SpecialSavings.crx
F:\Usuarios\Javier V\AppData\Local\CRE\iibmmjhgclhlahmjniokmhleigemjpbh.crx
F:\Usuarios\JAVIER~1\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\bfcpnihmbfoaeoakalclfalkdepgiaje]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\iibmmjhgclhlahmjniokmhleigemjpbh]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\nbmafkdmkkckhggblphicnnhlgljnoje]
[-HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\apdfllckaahabafndbhieahigkjlhalf]
[-HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\apdfllckaahabafndbhieahigkjlhalf]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc]
[-HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"
"Start Default_Page_URL"="http://www.google.com"
"Default_Search_URL"="http://www.google.com"
"Search Bar"="http://www.google.com"
"Search Page"="http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"
"Start Default_Page_URL"="http://www.google.com"
"Default_Search_URL"="http://www.google.com"
"Search Bar"="http://www.google.com"
"Search Page"="http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchURI]
"(Default)"="http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchURI]
"(Default)"="http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Software\Microsoft\Internet Explorer\SearchUrl]
"(Default)"="http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Software\Microsoft\Internet Explorer\SearchURI]
"(Default)"="http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Software\Microsoft\Internet Explorer\SearchUrl]
"(Default)"="http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Software\Microsoft\Internet Explorer\SearchURI]
"(Default)"="http://www.google.com"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURI]
"(Default)"="http://www.google.com"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
"(Default)"="http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Software\Microsoft\Internet Explorer\Search]
"Start Page"="http://www.google.com"
"Start Default_Page_URL"="http://www.google.com"
"Default_Search_URL"="http://www.google.com"
"Search Bar"="http://www.google.com"
"Search Page"="http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Software\Microsoft\Internet Explorer\Search]
"Start Page"="http://www.google.com"
"Start Default_Page_URL"="http://www.google.com"
"Default_Search_URL"="http://www.google.com"
"Search Bar"="http://www.google.com"
"Search Page"="http://www.google.com"
DirLook::
f:\usuarios\Javier V\AppData\Local\Iteral_Group_Ltd
c:\program files (x86)\Bit Coin Miner Removal Tool
c:\program files (x86)\IDroo
c:\programdata\IObit
f:\usuarios\Javier V\AppData\Roaming\IObit
c:\program files (x86)\IObit
c:\program files\CCleaner
f:\usuarios\Javier V\AppData\Roaming\PlusWinks
c:\programdata\regid.1991-06.com.microsoft
c:\program files\Microsoft Office 15
c:\programdata\FARO
c:\windows\SysWow64\searchplugins
Save this as CFScript.txt
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
!! Close all browser windows and refering to the picture above.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
******************************
Re-run zoek.exe as you did before but use this script:
standardsearch;
roboot64.exe;z
installedprogs;
Click on RunScript and attach here fresh zoek.exe log.
-
@ Magna86
Javier deactivated Avast! but forgot to deactivate MBAM.
@ Javier
No importa que te haya salido esa advertencia. Como te dije arriba solo reinicia y reportalo aqui como lo hicistes.
magna86 quiere que copies ese codigo en bloc de notas y lo salves como CFScript.txt. Despues lo arrastras hacia el icono de Combofix. Supuestamente se ejecutara y salva el reporte y lo anexas a tu siguiente respuesta.
Tambien con zoek.exe copia/pega su codigo nuevo y correlo pinchando "run script". El reporte lo anexas a tu respuesta con el de Combofix
-
Iroc9555:
Gracias por tu respuesta
Yo vengo ejecutando como habrás visto, el proceso propuesto por essexboy, AdwCleaner/MBAM/OTL/aswMBR...
pero aswMBR no pudo completar el scan, y aparece:
avast! Antirootkit dejó de funcionar
El programa dejó de funcionar correctamente por un problema. Windows cerrará el programa y le notificará si existe una solución.
AHÍ QUEDÉ.
Ahora, abandono todo este plan de ataque, y ejecuto las instrucciones de magna86?
El plan de magna, es para terminar con el virus, o es básicamente para estudiar los reportes y buscar la solución?
Al momento tengo prendido avast y ahora quedó el MBAM. Ambos avisan cada tanto que han bloqueado al virus.
Un dato: luego de una inactividad de mouse de 3min., cuando uno vuelve ya se encuentra con el aviso de avast y de MBAM.
Tranquilo. Magna ya localizo la infeccion. Los nuevos codigos que tienes que copiar son para eliminarla y resetear tus sitios y conecciones para terminar con las redirecciones. Tambien esta limpiando otra basura que encuentra.
-
Iroc:
gracias
no me traduzcas. Entiendo perfecto a la lectura, no he querido explicar el problema en inglés, porque sería para mí doble problema. Entonces, un problema menos para vos. Gracias.
Espero entonces un poco, o voy aplicando lo instruído?
-
Iroc:
gracias
no me traduzcas. Entiendo perfecto a la lectura, no he querido explicar el problema en inglés, porque sería para mí doble problema. Entonces, un problema menos para vos. Gracias.
Espero entonces un poco, o voy aplicando lo instruído?
Ok. De nada, pero ve haciendo esto: http://forum.avast.com/index.php?topic=124018.msg940751#msg940751
y ten los reportes listos. Magna puede que ya este en cama ya que el vive en Croasia o Servia.
-
Replay #12 - COMPLETED
ComboFix.txt too large, I can´t attach it. 728kb
-
Replay #12 - COMPLETED
ComboFix.txt too large, I can´t attach it. 728kb
Try to attach ComboFix log on this site:
http://pastebin.com/
Paste content of Combofix.txt log on that site, and click submit.
Attach URL log here.
Or you can upload Combofix.txt on http://www.wikisend.com and send to me download link. ;)
I will review logs tomorrow.
-
http://pastebin.com/index.php?e=1
Magna, thanks
-
http://www.wikisend.com/download/148852/ComboFix.txt
the same file off the post before.
after combofix and zoek, with all magna instructions, still remains in F:\Usuarios\Javier V\AppData\Local\Temp\iswizard a compressed file iswizrd.7z and wuaudit.exe and dwm.exe, all the files detected by avast and the other ones.
I could see during all these process how these files disappear and appear.
here you are, in english now. Be patient with me. Thanks.
-
IROC:
Intento en inglés a partir de ahora. Si ves algo mal expresado que pueda confundir a Magna, por favor intercede.
Necesito que nos sigas.
Gracias.
-
We need to use tool with more power.
Step#1
- Please download BlitzBlank (http://download1.emsisoft.com/BlitzBlank.exe) by emsisoft and save it to your desktop.
- Open Blitzblank.exe by double click on it.
- Click OK at the warning (and take note of it, this is a VERY powerful tool!).
- Click the Script tab and copy/paste the following text there:
DeleteFile:
f:\usuarios\Javier V\AppData\Local\Temp\iswizard\dwm.exe
f:\usuarios\JAVIER~1\AppData\Local\Temp\iswizard\dwm.exe
DeleteFolder:
f:\usuarios\Javier V\AppData\Local\Temp\iswizard
f:\usuarios\JAVIER~1\AppData\Local\Temp\iswizard
- Click Execute Now. Your computer will need to reboot in order to replace the files.
- When done, post me the report created by Blitzblank. you can find it at the root of the drive C:\
***************************
Step#2
Open notepad and copy/paste the text present inside the code box below:
Folder::
f:\usuarios\Javier V\AppData\Local\Temp\iswizard
f:\usuarios\JAVIER~1\AppData\Local\Temp\iswizard
c:\program files (x86)\Bit Coin Miner Removal Tool
f:\usuarios\Javier V\AppData\Roaming\PlusWinks
Save this as CFScript.txt
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Close all browser windows and refering to the picture above.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
***************************
Step#3
1. Delete old zoek.exe and download new, fresh one.
2. Re-run zoek.exe as you did before but use this script:
f:\usuarios\Javier V\AppData\Local\Temp\iswizard;f
f:\usuarios\JAVIER~1\AppData\Local\Temp\iswizard;f
C:\Program Files (x86)\Bit Coin Miner Removal Tool;f
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\anvisoft;v
C:\ProgramData\Anvisoft;v
C:\ProgramData\RegRun;v
dwm.exe;z
dwm.exe;a
iswizard;z
iswizard;a
Torntv;ff
F:\Usuarios\Javier V\AppData\Roaming\Mozilla\Firefox\Profiles\0\extensions\torntv@torntv.com.xpi;f
bfcpnihmbfoaeoakalclfalkdepgiaje;chr
F:\Usuarios\Javier V\AppData\Roaming\SpecialSavings;fs
doicodjkmhpcdodnbhbcpocidcdlolgk;chr
iibmmjhgclhlahmjniokmhleigemjpbh;chr
F:\Usuarios\Javier V\AppData\Local\CRE\iibmmjhgclhlahmjniokmhleigemjpbh.crx;f
mocblcnaofikinigmceddfghppkkjbog;chr
F:\Usuarios\Javier V\AppData\Roaming\PlusWinks;fs
nbmafkdmkkckhggblphicnnhlgljnoje;chr
apdfllckaahabafndbhieahigkjlhalf;chr
F:\Usuarios\JAVIER~1\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx;f
iibmmjhgclhlahmjniokmhleigemjpbh;chr
F:\Usuarios\Javier V\AppData\Local\CRE\iibmmjhgclhlahmjniokmhleigemjpbh.crx;f
niapdbllcanepiiimjjndipklodoedlc;chr
FFdefaults;
chrdefaults;
emptyclsid;
emptyrecycle.bin;
emptyalltemp;
autoclean;
Click on RunScript button and attach here fresh zoek.exe log.
-
some stuff:
before running this solution:
i needed to reinstall cutepdf writer, now running well.
internet explorer: when you call a site: blank screen. it doesn´t work.
chrome: running well.
could be some of the scripts you fixed in the last phases?
thanks.
-
MAGNA:
At the first step, Blitz Blank returns: Syntax error in line 5, Invalid folder path.
f:\usuarios\Javier V\AppData\Local\Temp\iswizard
F:\Usuarios\Javier V\AppData\Local\Temp\iswizard (pasted from the explorer) it´s the same!!! Not case sensitive, because, in line 2 and 3, the path for the deleting files seems ok.
-
Hi,
BB tool and his script is very sensitive. In case of BB script error, BB wants to say that the file or folder doesn't exist.
Try to run this BB script:
DeleteFile:
f:\usuarios\Javier V\AppData\Local\Temp\iswizard\dwm.exe
f:\usuarios\JAVIER~1\AppData\Local\Temp\iswizard\dwm.exe
DeleteFolder:
f:\usuarios\Javier V\AppData\Local\Temp\iswizard
or just this one:
DeleteFile:
f:\usuarios\Javier V\AppData\Local\Temp\iswizard\dwm.exe
f:\usuarios\JAVIER~1\AppData\Local\Temp\iswizard\dwm.exe
If you fail again, run Combofix via created CFScript.
-
Combofix report:
Impossible with BB
-
Ok, run zoek script too.
-
Second Step, combofix report
-
zoek report
-
Magna:
it looks like nothing works
I backed up all my files
do you want to take more risk? it´s the moment, preserving off course my hardware!!!
i´m ready for a full formating of c and f this week end
-
Hi,
This is new & fresh malware, if you have will, stay little bit on. I just need to find sources ...
1. Read guide for running RogueKiller from >> here (http://forum.avast.com/index.php?topic=53253.0) << and attach here all RK reports.
2. Delete all zoek logs ( delete all C:\zoek-results.log ). I don't want to mix with fresh logs.
3. Then run this zoek script:
{41525333-0076-A76A-76A7-7A786E7484D7};c
c:\program files (x86)\AskPartnerNetwork\Toolbar;fs
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar];r
"{41525333-0076-A76A-76A7-7A786E7484D7}"=-;r
wuaudit.exe;z
wuaudit.exe;a
dwm.exe;z
dwm.exe;a
iswizard;z
startupall;
filesrcm;
firefoxlook;
chromelook;
-
Rogue Killer Reports
Zoek log.
I found that the zoek results goes to f:
It is possible that were mixed this report with the old ones inside the file...
tell me if I must rerun zoek. Now i´m deleting the zoek-result in F
sorry.
-
Leave for now zoek logs, we will delete them later if need be.
1.
Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/
Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version so please be sure to read the disclaimer and note of it.
- Unzip/unrar MBAR in a folder to your Desktop
- Open the folder where the contents were unzipped to run mbar.exe
- Click on Next > then on Update button to download fresh definitions.
- When database updates click Next
- In the following window ensure "Targets" scan for Drivers; Sectors; System are ticked. Then select "Scan button"
- If an infection/s are found ensure "Create Restore Point" is checked, then select the "Cleanup Button" to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.
- The Clean up procedure will be Scheduled for process.
- When complete pop-up will show you. Select the Yes button and the system should re-boot to complete the cleaning process.
>> Please attach the two following logs from the mbar folder:
system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.
-----------------------------------
2.Now you need to delete old ComboFix (drag&drop Combofix icon into recycle bin) and download fresh copy from here:
http://www.bleepingcomputer.com/download/combofix/
Run Combofix as you did before and attach here fresh Combofix.txt log
**********************
Tell me now, how is your computer running now?
-
First MBAR scan.
sustem log and mbar log.
-
Second mbar scan:
scan finished: no malware found!
-
ComboFix Report
-
Finally powerfull MBAR got him ... ;D Let's have check that just to be sure.
> Delete now all old zoek logs ( delete all C:\zoek-results.log ) and Re-run zoek.exe using this script:
dwm.exe;z
wuaudit.exe;z
iswizard;z
Attach here fresh zoek log.
----------------------------
Tell me how is your computer running now?
-
all running well
no avast banners at this moment
there was a system crash when I opened a large cad file. This is not the first time during all this process after each cleaning.
I´m going with your next instruction.
-
zoek results:
Come on, Magna, it seems you have it!!!
-
I tested the pc and no more virus messages!!!!! Good job, Magna!!!
I think you must run some final scripts. Don´t you?
I needed to repair-reinstall Revit (cad soft), due to some instabilities. Now seems to work fine.
Internet Explorer now working fine after a configuration restore.
BUT:
Skype, Skydrive, and google drive, don´t start at the windows startup.
In all these cases I check "start with windows startup", I close the dialog box, I open again the dialog box, and it´s uncheked again.
I tried updating skype, and gets this error:
(I hope you understand my english)
-
there was a system crash when I opened a large cad file.
Yeah ... CF is fault for that. :(
Skype, Skydrive, and google drive, don´t start at the windows startup.
Don't know, malware removal tools didn't catche nothing related for that.
.............................
Re-run zoek.exe as you did before with this scrpt:
C:\Windows\Prefetch\DWM.EXE-7C5D1E43.pf;f
autoclean;
Then,
It is necessary to uninstall ComboFix :
- Click Start (or (http://amf.mycity.rs/pg/images/VistaStartButton.png)) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
- In the line of text type in (Copy) the following:
ComboFix /Uninstall Note that there is a space between " ComboFix " and " /Uninstall " .
- then click OK (or press Enter ).
Wait for the uninstall process is complete.
**********************
Please download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.
Run the tool and check the following boxes below;
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Now click on "Run" button. Wait for the programme completes his work.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt
> I don't need DelFix log report.
**********************
Try to repair windows with this tool;
Please download Windows Repair (all in one) from here:
http://www.tweaking.com/content/page/windows_repair_all_in_one.html
- Install the program then run.
- Go to Step 2 and allow it to run Disk check
- Once that is done then go to Step 3 and allow it to run SFC
- Go to Step4 and create registry backup and system restore point.
- On the Start Repairs tab => Click the Start
- Click on the Select all button and then click on Start
- Don't use the computer while each scan is in progress!!!
- Restart may be needed to finish the repair procedure.
*********************
How's your computer running now? 8)
-
Magna... wonderful!!!
autostart of skype, skydrive and google drive.... resolved
Revit: opening and closing large cad files, .... seems at this moment to be solved
I'm gonna do a deep test now, and then I'll share the results with you.
Thanks, Thanks, Thanks.
-
:)
-
Magna:
I tested my pc all these days, and all is running fine and quickly.
Except:
when I run an Avast full scan,after 15 minutes or more of initiated, the system crashes with the typical blue screen...
There´s any fix for this?
There´s a lot of updates from windows, waiting for download.
-
Magna:
I tested my pc all these days, and all is running fine and quickly.
There´s a lot of updates from windows, waiting for download.
;)
when I run an Avast full scan,after 15 minutes or more of initiated, the system crashes with the typical blue screen...
There´s any fix for this?
From the software side, BSOD appears at the driver level. What causes it I don't know but we can check.
Download BlueScreenWiew tool from here:
http://www.nirsoft.net/utils/bluescreenview.zip
Double click on BlueScreenView.exe file to run the program.
When scanning is done, go Edit>Select All.
Go File>Save Selected Items, and save the report as BSOD.txt.
Attach BSOD.txt here.
-
i haven´t downloaded the windows updates until be sure all is running ok
-
@ javiervalero
BSOD log lists error type that often may couse hardware failure. But one minidump report indicates that the cause of BSOD is aswSP.sys driver, related to avast! Self Protection.
I would test the HDD drive too but this is already beyond the region of the avast forum and this topic.
-
I have a similar issue.
In addition to wuadit.exe and isiwizard.7z there is also dwn.exe under the same TEMP folder
Can you help me?
When I try to do the Malwarebytes Anti Rootkit scan it detects only 1 malware.
Avast no logra remover el Win32:BitCoinMiner-CA. Solo lo bloquea.
Objeto: dentro del user.... /AppData/Local/Temp/iswizard/iswizard.7z | wuaudit.exe
Infección: Win32:BitCoinMiner-CA (Trj)
Proceso: c:/Windows/SysWOW64/rundll32.exe
-
@ locopescado
This is the topic of this user. You need to open a new topic and set the logs to review:
Follow guide from here: http://forum.avast.com/index.php?topic=53253.0
AdwCleaner <-- cleening adware & junkware
Malwarebytes <-- preventive for malware rmeoval
OTL and aswMBR <-- primary diagnostic system and antirootkit tool
-
Thank you, I actually solved it!