Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: TB303 on June 27, 2005, 08:59:22 AM

Title: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 08:59:22 AM
Hi people,

I'm using Avast home 4.1 - to try and clean my worm infected computer.
It keeps cleaning the worm and then it comes back...

I'm doing an offline (pre-boot) scan, and it just listed a bunch of files (appears to be my HP printer driver related) as "Error 42125".

What does it mean and should I be concerned about it?

thanks.
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 27, 2005, 09:41:09 AM
Hi TB303,

You can find the answer to your question regarding Error 42125 in this thread:

http://forum.avast.com/index.php?topic=13762.0

You will need to ensure that you have a firewall and that your operating system is up to date or the worm will keep coming back.

What is your operating system, and what is the version?

Are you protected by a firewall?

You could do a HijackThis scan and post the log file: this will give us the information we need and we can also check that your system is clean.

Instructions here:

http://www.bleepingcomputer.com/forums/tutorial42.html
Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 09:54:49 AM
Thanks very much mate.

I have an XP Sp1 system, with NO firewall.
I used to have Norton 2005 - and I thought it was updated (it was, maybe a week ago).

I never really had a virus for over two years, then one day my wife sits down and says that my user is trying to send 300 mail messages (the virus) - Luckily, I didn't have outlook configured so it couldn't send it...

Anyway, the Norton said it's a Rootkit virus/worm and he couldn't fix it.
So I tried NOD32, and Avast - which so far seems the most competent.

but it still comes back.

I will do the Hijack this log and post it back here.

thanks for the quick reply!
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 27, 2005, 10:43:13 AM
Hi again TB303,

Having more than one anti-virus on your computer at the same time can cause conflicts and errors.

If you decide to stick with avast!, you will need to thoroughly remove the other two. Norton can be tricky to remove completely, but there are removal tools available from Symantec. A quick search of the forum should bring up more information and links.

Rootkits can be tricky.

The new Microsoft Malicious Software Removal Tool will remove some rootkits and many worms. Download it here:

http://www.microsoft.com/security/malwareremove/default.mspx

I would also like you to download the F-Secure rootkit detection tool, run a scan and report what it says:

http://www.f-secure.com/blacklight/

Please turn on the XP firewall straight away:

http://www.geocities.com/dontsurfinthenude/firetut.htm
Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 11:09:41 AM
Hi People,

Thanks for the suggestions!

I've booted again and Avast is running so I hope the virus is gone.
Just one troubling thing: I can't update my windows - whenever I point the Explorer to windowsupdate - and it just won't load the page.

If I try to surf elsewhere it works... Sadly it won't let me update windows through the Firefox... ;-))

Here is my HiJack this log file:

(Tried to post it, but it's too long, hope it is attached)

See if that means anything to you.

PS
Thanks for all the help so far!!
Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 11:18:18 AM
Quick update:

I ran both MSantispyware tool and F-Secure Rootkit, and none of them found anything suspicious.

1. I ran them in normal user mode, should I have done it in "Safe mode"?
2. The Internet Explorer still can't connect to Windows update, a suspicious sign?

Thanks for all the help!!
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 27, 2005, 11:38:11 AM
Hi TB303,

The HijackThis! log shows a worm infection.

It seems to be an old worm (2002) so avast! should detect it.

Can you please make sure that you have updated avast!'s virus definitions and do a boot time scan?

Right click the avast! globe and select Start avast! Antivirus.

avast! will do a memory scan: if it finds a virus or worm in memory, it will prompt you to do a boot time scan: accept this and reboot.

If avast! doesn't find anything in memory, schedule a boot time scan. (Click the button at the top left of the avast! silver console and select Schedule boot time scan from the drop-down menu.)

If avast! detects a file called ntkrnl.exe, please delete it.

Full HijackThis! log file analysis will follow later today.

Please do not try to update until we have cleaned your computer: installing SP2 on top of malware can cause instability.
Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 01:09:13 PM
Frank,

I've done several boot-time runs in Avast and it doesn't discover anything anymore.
I also made sure it is updated.

An old worm seems weird as this computer was kept in top notch condition, I made sure the windows and NAV are updated...


PS
I by now managed to uninstall NAV and Avast works fine now.

So what should I do now?

thanks!
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 27, 2005, 01:39:35 PM
TB303,

According to HijackThis! you have a running process called ntkrnl.exe which is part of the worm CERVIVEC.A.

http://securityresponse.symantec.com/avcenter/venc/data/w32.cervivec.a@mm.html

It's curious that such an old worm would not be detected.

These are the removal instructions from Symantec.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the following value:

Kernel Loader         %Windows%\System32\ntkrnl.exe -LOADDRIVER=TRUE

5. Click Registry, and click Exit.
6. Shut down the computer, wait thirty seconds and then restart the computer. (Do not skip this step).

Please follow this advice and report what you find.
Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 02:45:04 PM
Thanks for your suggestions,
I've followed them and couldn't find the value you've mentioned. In fact I've searched for: "ntkrnl.exe" and didn't find it in the whole registry...

Weird, no?

I'll restart and try again, but I doubt it will show up.

I still can't access the windows update website, but other than that the computer looks and works normally (Avast running all the time not detecting anything).

PS
ULTRA-MEGA thanks for all the help!!
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 27, 2005, 02:53:41 PM
TB303,

Please can you go to Jotti's virus scanner and submit the file:

c:\WINDOWS\system32\ntkrnl.exe

for analysis.

http://virusscan.jotti.org/

If you can find and upload the file, please copy and paste the results here.
Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 04:03:33 PM
Mate,
I searched for the file: ntkrnl.exe - and I can't find it.

Please find the attached Hijackthis updated log - it does not include ntkrnl.exe in it.

Also I've updated Avast again and ran a pre-boot scan - it found nothing except for a few files that generated: "Error 0XC0000022" - ?

Also, I still can't access windowsupdate.microsoft.com - what can it possibly be?

thanks for all the help mate!
Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 04:04:03 PM
This time actually attached...
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 27, 2005, 04:27:22 PM
Hi TB303,

No probs mate!

Quote
the error 0xC0000022 means the computer account's password is invalid

http://support.microsoft.com/default.aspx?scid=kb;EN-US;150518

Can you try going to:

Tools>Internet Options>Security>Internet 

in IE.

Make sure the security level is set to medium.

Can you update now? Are there any error messages?

Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 04:36:11 PM
Mate,

I tried changing the security settings, it says custom settings, but I've reset them to Medium and then even Low - it still won't update. Every other site works well...

Actually except the online virus scanners I tried - maybe it's related?

Doesn't give any error message (not even 404) - just remains blank.

Any ideas?
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 27, 2005, 05:21:11 PM
Just to ensure that Norton has completely gone could you run SymNRT.exe available here:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 27, 2005, 05:53:37 PM
I think I have found the real problem now.

Can you please run HijackThis! again and check the tick box for this entry:

O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe

Then click the fix it button.

You should be asked to reboot.

Upon rebooting, go to Start>Run and enter cmd

At the command prompt enter:

sc delete netbios helper service

This service is an adserver redirector and must be removed:

http://castlecops.com/o23list-201.html
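
An added example, not part of any post in this thread: a small triage pass over a HijackThis log that picks out the two kinds of entry discussed above, the `Run` autostart value (O4) and the service line (O23). The O23 layout is the one quoted in the post; the O4 layout and every sample log line are constructed for illustration.

```python
import ntpath
import re

# File names the posts in this thread tie to the infection.
THREAD_NAMES = {"ntkrnl.exe", "altsvc.exe", "msdirectx.sys"}

# O23 layout as quoted in the thread; the O4 layout is an assumption.
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.+)$")
IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|sys|dll|com|bat|scr))(?=["\s]|$)', re.I)

# Constructed sample, not the log attached to the thread.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [Kernel Loader] C:\WINDOWS\System32\ntkrnl.exe -LOADDRIVER=TRUE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe
"""


def image_name(target):
    """Lower-cased file name of the binary an entry launches, or None."""
    m = IMAGE_RE.match(target.strip())
    return ntpath.basename(m.group(1)).lower() if m else None


def triage(log_text):
    """Return (section, entry name, image, reasons) for entries to check by hand."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line) or O23_RE.match(line)
        if not m:
            continue  # header lines and sections this sketch does not cover
        fields = m.groupdict()
        target = fields["target"]
        image = image_name(target)
        reasons = []
        if image in THREAD_NAMES:
            reasons.append("file name reported in this thread")
        # "Unknown owner" alone is weak evidence: the constructed avast! line has it too.
        if fields.get("owner") == "Unknown owner" and "\\system32\\" in target.lower():
            reasons.append("service binary in system32 with no owner string")
        if reasons:
            findings.append((line.split(" - ", 1)[0], fields["name"], image, reasons))
    return findings


if __name__ == "__main__":
    for section, name, image, reasons in triage(SAMPLE_LOG):
        print(f"{section} {name!r} -> {image}: {'; '.join(reasons)}")
```

A hit is only a pointer for manual review: a rootkit that hides its files and registry values from the running system can also keep them out of the log.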
Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 05:59:26 PM
Frank,
Thanks for the ideas...

In the mean time, I thought the computer was working properly, so I tried to turn off the ADSL's connection firewall, thinking that might be blocking Windows update...

A second afterwards Avast started warning against "Msdirectx.sys" worm, after telling it to delete it it popped up again a second later. I disconnected, re-instated the firewall, and started doing a pre-boot scan...

So I will try all those ideas the moment it finishes (so far it found one file and deleted it).

Many thanks for your help mate.

Do you work at Avast?

Thanks,
Me.

Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 27, 2005, 06:14:20 PM
Good luck!

No, I don't work for avast!

I just keep an eye on the forum and try to help anybody with a problem when I have some free time.
Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 06:24:45 PM
Damn,
Avast just finished doing the pre-boot scan - found one file, deleted it.
I booted again normally and there it was again!!!

This is driving me nuts.

I've booted into safe mode...
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 27, 2005, 06:38:49 PM
What is the exact location?
Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 06:46:07 PM
I think the location is C:\windows\system32\msdirectx.sys - it was supposedly removed.
Also, I'm doing another pre-boot scan and so far it hasn't detected anything in drive C.

I dunno, this is starting to get to me... over two days now...
Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 06:57:37 PM
OK,
it found the msdirectx.sys file in C:\windows\system32 and supposedly deleted it.

now what?
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 27, 2005, 07:06:32 PM
Did you try the MS tool I mentioned earlier: it can remove some rootkit worms?

The new Microsoft Malicious Software Removal Tool will remove some rootkits and many worms. Download it here:

http://www.microsoft.com/security/malwareremove/default.mspx
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 27, 2005, 07:09:18 PM
This is a rootkit and will not be so simple to delete. Try the MS tool.
Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 07:14:43 PM
I've tried the MS tool, I tried the F-Secure tool,
I've scanned and supposedly deleted it a billion times with AVast...

There must be a solution... please advise...
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 27, 2005, 07:22:23 PM
You will have to follow the advice in this article. Be aware that the file msnt.exe may have a different name on your computer.

http://www.antisource.com/article.php/rootkit-msnt-msdirectx
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 27, 2005, 08:05:28 PM
This rootkit is called Troj_rootkit.h by Trend Micro. Apparently their Virus Cleanup Engine will remove it.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ROOTKIT.H&VSect=Sn

If you haven't lost heart yet, download the Virus Cleanup Engine and pattern files here:

http://uk.trendmicro-europe.com/enterprise/support/tsc.php
http://uk.trendmicro-europe.com/enterprise/support/pattern.php

You want the engine which is not for Trend Micro customers. Place the pattern file in the same folder as the Trend Micro System Cleaner Package.
Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 08:30:26 PM
Thanks mate.

I've followed the instructions in the first link, even though I delete msdirectx.sys with attrib -h -r -s before deleting it still comes back. I didn't manage to find the "other" file that keeps bringing it back, I searched for the names mentioned in the article but they don't appear on my computer.

I tried the Trend Micro antivirus before yesterday, It took ages and didn't find anything.

I might give it a shot again.

To be honest I'm wondering about backing up my documents and just reformatting the whole thing.
If I back up files (like outlook .pst and word and excel files) is there a chance that trojan/worm would infect them and follow to the new installation?

thanks.
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 27, 2005, 08:38:49 PM
Hi TB303,

See also Polonus's advice here:
http://forum.avast.com/index.php?topic=14618.from1119896128;topicseen#msg123356

Rootkits are difficult to get rid of, and you might be better off reinstalling your OS: this will guarantee removal of any malware.

At the moment you don't know what the rootkit is hiding! :o

If you try Trend Micro and that doesn't work, the only other program I can suggest is TDS-3, a powerful anti-Trojan program with a free working trial:

http://tds.diamondcs.com.au/

Remember, if you do install, activate the XP firewall as per my link, and visit the Windows update site as soon as you connect to the internet. Update to SP2 (It's much more secure) and download a free firewall- I recommend Kerio, but Zone Alarm and Sygate are also good.

Good luck, and stay virus free!

Scan any files thoroughly before copying them back to your HD. Download Ewido Free and double check your virus scan with that.
Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 27, 2005, 10:56:46 PM
Oh god!

I've tried following the suggestions in your recent post,
and as I was about to install the software - I booted into safe mode and to my horror discovered that I can't RUN anything!

When I right click on icons I don't have the option of running them...

I click on a file and it asks me what service opens .exe files! I try to run msconfig or Regedit and it won't let me... the Av also doesn't run...

please help, I won't be able to back up all the files like that!...
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 28, 2005, 06:38:09 AM
Hi TB303,

Have you been following Polonus's advice about explorer.exe?

http://www.thetechguide.com/forum/index.php?showtopic=17838&mode=linear

I guess you might have been editing the HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\SHELL key and changed the name from Explorer green.exe back to explorer.exe?

You may have misspelled the name explorer.exe and it may not be starting.

Try manually starting explorer.exe this way:

http://blogs.msdn.com/jeffdav/archive/2004/07/22/191636.aspx
Title: Re: What does "Error 42125" mean?
Post by: TB303 on June 28, 2005, 10:29:49 AM
Frank,
many thanks for your help.

Eventually I tried and succeeded in installing windows to a different partition.
The computer works like a charm now.

The first thing I did was windows update, enabled the Windows Firewall and Avast and updated them all.

I wish to thank you very much mate,
you've been very helpful and knowledgeable.

The only question I have now is about my old documents, both mine and my wife's (wife's more important ;-)) - are on C, also the rootkit was there and was always discovered in "C:\documents and settings" - so I want to import all those word and excel files, but make sure I don't "import" the trojan too...

Thanks!
Title: Re: What does "Error 42125" mean?
Post by: FreewheelinFrank on June 28, 2005, 12:53:50 PM
TB303,

You're welcome!

These rootkit worm/Trojans are very nasty, I'm glad you found a solution.

I don't know anything about partitions. Can you scan the infected partition from the partition you are booting from?

There will be an .exe file in one of the folders, possibly /system32. This will be the nasty which was spawning the rootkit which avast! detected. avast! is not detecting the worm itself yet, but it will probably be added to the virus definitions within a few days. Unfortunately, as the rootkit was disguising the worm we can't learn the name of the worm without finding the malware file.

If you can read files on the partition, you could look for suspicious files: submit any to Jotti's scanner and delete if they are infected.

You should be safe copying documents, but my advice would be to quarantine them for a week or so if possible. By that time avast!'s virus database should include this worm and protect you.

If you can scan the infected partition from the clean one and find and delete the worm, so much the better.

If you post a new topic, maybe somebody could help you with that question. I think this would be a good idea anyway: as I say, I don't know anything about partitions, but you're sure to get some good advice.

FF