Avast WEBforum

Other => Viruses and worms => Topic started by: Kiddshaw on October 26, 2013, 11:05:00 PM

Title: Error: Access is denied (5)
Post by: Kiddshaw on October 26, 2013, 11:05:00 PM
Hello.

I'm having this issue and I don't know what to do.

I just downloaded Avast! Internet Security 2014. I ran a full system scan. I got a virus clean result but infected by rootkits. I tried to delete them and it said it would on the next boot. I did the restart and checked the scan history result to see if it had worked, and it still said it would delete the files on the next boot. I then chose "Delete" and it said "Access is denied (5)", then tried Move To Chest and it said "The request is not supported (50)".

I don't know what to do. Am I clean or not?

I run a 64-bit system, Windows 7.
Title: Re: Error: Access is denied (5)
Post by: Secondmineboy on October 26, 2013, 11:09:02 PM
These files are in the Avast Sandbox.

Try to empty out the Sandbox, in the Sandbox settings.
Title: Re: Error: Access is denied (5)
Post by: Kiddshaw on October 26, 2013, 11:19:25 PM
There's nothing in the sandbox :/

Title: Re: Error: Access is denied (5)
Post by: Eddy on October 26, 2013, 11:21:09 PM
Please follow these instructions: http://forum.avast.com/index.php?topic=53253.0
Title: Re: Error: Access is denied (5)
Post by: Kiddshaw on October 27, 2013, 12:17:12 AM
Almost done. Posting scan logs in 5
Title: Re: Error: Access is denied (5)
Post by: Kiddshaw on October 27, 2013, 12:56:06 AM
1. Adw cleaner log

2. Malwarebytes scan log

3. OTL

4. aswMBR

Title: Re: Error: Access is denied (5)
Post by: Kiddshaw on October 27, 2013, 02:38:10 AM
1. Adwcleaner

# AdwCleaner v3.010 - Report created 26/10/2013 at 17:31:19
# Updated 20/10/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : kiddshaw - kiddshaw
# Running from : C:\Users\kiddshaw\Downloads\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Program Files (x86)\Mozilla Firefox\user.js
File Found : C:\windows\System32\roboot64.exe
Folder Found C:\Program Files (x86)\MyPC Backup
Folder Found C:\Program Files (x86)\MyPC Backup
Folder Found C:\ProgramData\boost_interprocess
Folder Found C:\Users\kiddshaw\AppData\Roaming\DriverCure
Folder Found C:\Users\kiddshaw\AppData\Roaming\Systweak

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\BabSolution
Key Found : HKCU\Software\ParetoLogic
Key Found : [x64] HKCU\Software\BabSolution
Key Found : [x64] HKCU\Software\ParetoLogic
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\DealsPluginROW_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\DealsPluginROW_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_para_atube-catcher_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_para_atube-catcher_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_para_messenger-plus_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_para_messenger-plus_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_para_windows-live-messenger-2009_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_para_windows-live-messenger-2009_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_para_youtube-downloader-hd_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_para_youtube-downloader-hd_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AE46C09-2AB8-4EE5-88FB-08CD0FF7F2DF}
Key Found : HKLM\Software\ParetoLogic
Key Found : HKLM\Software\systweak
Key Found : [x64] HKLM\SOFTWARE\IB Updater
Value Found : [x64] HKLM\SOFTWARE\Mozilla\Firefox\Extensions [{336D0C35-8A85-403A-B9D2-65C292C39087}]

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16720


-\\ Google Chrome v30.0.1599.101

[ File : C:\Users\kiddshaw\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [3111 octets] - [26/10/2013 17:31:19]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3171 octets] ##########
Title: Re: Error: Access is denied (5)
Post by: Kiddshaw on October 27, 2013, 02:38:55 AM
2. Malwarebytes

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Versión de la Base de Datos: v2013.10.26.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
kiddshaw :: KIDDSHAW [administrador]

10/26/2013 5:47:01 PM
mbam-log-2013-10-26 (17-47-01).txt

Tipos de Análisis: Análisis Rápido
Opciones de análisis activado: Memoria | Inicio | Registro | Sistema de archivos | Heurística/Extra | Heurística/Shuriken | PUP | PUM
Opciones de análisis desactivados: P2P
Objetos examinados: 208178
Tiempo transcurrido: 4 minuto(s), 47 segundo(s)

Procesos en Memoria Detectados: 0
(No se han detectado elementos maliciosos)

Módulos de Memoria Detectados: 0
(No se han detectado elementos maliciosos)

Claves del Registro Detectados: 2
HKCR\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} (PUP.Optional.BrowseFox.A) -> En cuarentena y eliminado con éxito.
HKCU\Software\BabSolution\Updater (PUP.Optional.Babylon.A) -> En cuarentena y eliminado con éxito.

Valores del Registro Detectados: 0
(No se han detectado elementos maliciosos)

Elementos de Datos del Registro Detectados: 0
(No se han detectado elementos maliciosos)

Carpetas Detectadas: 0
(No se han detectado elementos maliciosos)

Archivos Detectados: 1
C:\Users\kiddshaw\Local Settings\Temporary Internet Files\Content.IE5\34LM103D\Setup[1].exe (PUP.Optional.LuckyLeap.A) -> En cuarentena y eliminado con éxito.

fin)
Title: Re: Error: Access is denied (5)
Post by: Kiddshaw on October 27, 2013, 02:42:07 AM
3. OTL scan log exceeds the maximum length

4. aswMBR

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-10-26 18:14:17
-----------------------------
18:14:17.727    OS Version: Windows x64 6.1.7601 Service Pack 1
18:14:17.727    Number of processors: 4 586 0x2A07
18:14:17.728    ComputerName: kiddshaw  UserName:
18:14:19.827    Initialize success
18:14:19.902    AVAST engine defs: 13102602
18:14:30.980    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
18:14:30.983    Disk 0 Vendor: WDC_WD75 03.0 Size: 715404MB BusType: 3
18:14:31.137    Disk 0 MBR read successfully
18:14:31.143    Disk 0 MBR scan
18:14:31.150    Disk 0 Windows 7 default MBR code
18:14:31.156    Disk 0 Partition 1 00     DE Dell Utility DELL 8.0      100 MB offset 2048
18:14:31.168    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        15000 MB offset 206848
18:14:31.183    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS       700302 MB offset 30926848
18:14:31.211    Disk 0 scanning C:\windows\system32\drivers
18:14:40.947    Service scanning
18:15:16.498    Modules scanning
18:15:16.516    Disk 0 trace - called modules:
18:15:16.578    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
18:15:16.592    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005f58060]
18:15:16.603    3 CLASSPNP.SYS[fffff880011b643f] -> nt!IofCallDriver -> [0xfffffa8005bf3800]
18:15:16.609    5 ACPI.sys[fffff88000d5c7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8005bf9050]
18:15:17.958    AVAST engine scan C:\windows
18:15:20.869    AVAST engine scan C:\windows\system32
18:17:33.164    AVAST engine scan C:\windows\system32\drivers
18:17:46.263    AVAST engine scan C:\Users\kiddshaw
18:37:32.943    AVAST engine scan C:\ProgramData
18:43:03.468    Scan finished successfully
18:53:54.648    Disk 0 MBR has been saved successfully to "C:\Users\kiddshaw\Desktop\MBR.dat"
18:53:54.651    The log file has been saved successfully to "C:\Users\kiddshaw\Desktop\aswMBR.txt"


Done
Title: Re: Error: Access is denied (5)
Post by: Pondus on October 27, 2013, 02:03:08 AM
Quote
3. OTL scan log exceeds the maximum length
and that is why the OTL instructions say attach log....

Title: Re: Error: Access is denied (5)
Post by: Kiddshaw on October 27, 2013, 02:06:11 AM
Look up, I attached it before...
Title: Re: Error: Access is denied (5)
Post by: Kiddshaw on October 27, 2013, 02:59:12 AM
Any solution guys? x_x
Title: Re: Error: Access is denied (5)
Post by: Secondmineboy on October 27, 2013, 11:47:48 AM
Under the answer box is an option attachments and other options, attach it there.
Title: Re: Error: Access is denied (5)
Post by: TwinHeadedEagle on October 27, 2013, 12:48:14 PM
Hello,


Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


Title: Re: Error: Access is denied (5)
Post by: Kiddshaw on October 27, 2013, 09:55:59 PM
Hellooo

Here they are!

Title: Re: Error: Access is denied (5)
Post by: TwinHeadedEagle on October 27, 2013, 10:20:45 PM
I found no malware in the logs, do you still have detections?
Title: Re: Error: Access is denied (5)
Post by: Kiddshaw on October 27, 2013, 10:23:50 PM
Yes :l I did the full system scan again and the rootkits still show up in the results :/
Title: Re: Error: Access is denied (5)
Post by: TwinHeadedEagle on October 27, 2013, 10:26:00 PM
It is a False Positive detection; it happened to a lot of people using Avast 2014...
Title: Re: Error: Access is denied (5)
Post by: Kiddshaw on October 27, 2013, 10:32:12 PM
I was coming to that conclusion too! Well, thank you very much to all for your help!  :) :) :)
Title: Re: Error: Access is denied (5)
Post by: Kiddshaw on October 27, 2013, 10:38:28 PM
I have a questioooooooooooonn

I didn't clean up the results from either adwcleaner or otl. Should I? Or should I leave it like that?
Title: Re: Error: Access is denied (5)
Post by: TwinHeadedEagle on October 28, 2013, 08:44:57 AM
We will clean it now :)


Please download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.

Run the tool and check the following boxes below:

Now click on the "Run" button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt


> I don't need the DelFix log report.