Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: TheAtomicGoose on March 07, 2014, 10:22:56 PM
-
Hi All,
I recently discovered that I had the virus in the title, and looked up what to do. I downloaded ComboFix and ran it, but I didn't realize that I wasn't supposed to have other programs open while it was running, and it didn't run correctly. In the thread where it said to download ComboFix it also said not to run it again if it doesn't work the first time, but to try to figure out another issue. However, in my case, ComboFix just didn't run correctly, which I know by the fact that ComboFix is supposed to restart the computer when it's done running, but it didn't in my case. What should I do?
Thanks!
-
It can be dangerous to run combofix if you do not know what you are doing
What file is Avast reporting ?
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
Secondary link (http://www.itxassociates.com/OT-Tools/OTL.exe)
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
(https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Select LOP and Purity
- Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach both logs
-
It is reporting C:\Windows\explorer.exe. Also, I'm slightly reluctant to run the program you suggested, because in the other thread I read you suggested that and the person's internet stopped working. Is that a common problem with that program?
-
OTL does not do anything at first run... it just creates a diagnostic log.
The fix comes after (if needed) when essexboy has seen that log.
-
Oh, ok. Thanks.
-
The other thread was where adwcleaner wrongly reset the proxy settings
What is the Avast update version that you have? Is it 140307-1?
-
Yes, it is.
-
OK, I was wondering if it was an FP, but I have that VPS and no problems.
-
Extras log: http://pastebin.com/G4s80qLy
OTL log: http://pastebin.com/PKvATHhd
-
Have you patched your explorer?
Are the alerts still appearing?
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
FF - prefs.js..keyword.URL: "http://feed.snapdo.com/?publisher=SnapdoGOblidooYB&dpid=GOB1&co=US&userid=d0834b7d-d15e-7452-7abe-972cc2d3e3bd&searchtype=ds&installDate={installDate}&q="
O2:64bit: - BHO: (no name) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - No CLSID value found.
O2:64bit: - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {b278d9f8-0fa9-465e-9938-0c392605d8e3} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-474631609-1521078636-1054246077-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
I don't know what it means to patch your explorer.exe, so I'm assuming I haven't. And if by the alerts you mean avast! telling me that explorer.exe is malicious, yes.
-
Could you run combofix again please
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Ok, but real quick: I realize you said when you run OTL your desktop and icons could disappear, but mine are still gone after reboot...I had to use the task manager to get my browser running. Did you mean the reboot caused by OTL or that you need to reboot after OTL auto-reboots?
-
Here's the log from the quick scan: http://pastebin.com/q3pPsKrs
-
OK, well I ran ComboFix, and the command prompt stopped at step 50 and my internet isn't working.
EDIT: The internet's back, but my desktop is gone again (it had come back).
-
This might be very important. I am experiencing exactly the same on Windows 7 Home 64. I do have a patched version of explorer; I modified it something like 1 year ago, but what is important is that after replacing it with an old backup (I luckily have Ubuntu installed) the system is back working.
I will test it and see if it comes back with the same problem then cases are two:
1. Everything goes on working as usual, meaning that it was an FP due to the patch, or the patch itself did contain a virus which somehow activated only now, or I somehow deleted the virus (I deleted temp and temporary internet files from Ubuntu).
2. At next reboot I get back to the same; then it means that the infection is not an FP and it is not related to patching.
Anyway, it is also worth mentioning that yesterday Chrome was reporting a dangerous download to me, which actually was not but could potentially be, as it contained programs related to BIOSes, which anyway I didn't open since they were for another laptop. But the point is that this virus has probably been downloaded by some other malware which could have been there for a long time...
-
The problem occurred for me because I had a patched version of explorer.exe. See here. (http://forum.avast.com/index.php?topic=147308.msg1069779#msg1069779) If you had knowingly modified explorer.exe (with a program such as W7SBC) and trust that program, then you may do as I did and whitelist explorer.exe in Avast for now.
Of course, there is still the chance that explorer.exe is malware. So do it at your own risk.
linking all the threads together:
http://forum.avast.com/index.php?topic=147308
http://forum.avast.com/index.php?topic=147328
http://forum.avast.com/index.php?topic=147333 (this thread)
http://forum.avast.com/index.php?topic=147339
I have also alerted Avast of the file (http://i.imgur.com/AONSYsl.png) (although the last time I did this they took >3 months to reply...)
-
I used exactly W7SBC and as I said backup files created by that program are safe. Then it would really be the first time that I see a malware creating safe backup copies for you...
Maybe there is a new malware which affects only modified copies of explorer.exe, maybe exploiting some bugs. So I think that the best advice is to possibly unpatch/restore explorer.exe.
-
Maybe there is a new malware which affects only modified copies of explorer.exe, maybe exploiting some bugs.
Unlikely. This is easily reproducible by anyone with a 64bit W7 machine.
1. Install Avast! & latest definitions
2. get W7SBC and a random bitmap file for that (plus gaining control over explorer.exe if needed)
3. Once the changes are applied, Avast immediately blocks explorer.exe
4. If the changes are unapplied, it is immediately unblocked and if the changes are reapplied, it is immediately blocked.
-
Could you all upload the patched explorers to Avast as false positives please
-
Thank you very much wowmuchdoge, I was planning to do exactly the same thing. So, finally, either we are facing an FP or W7SBC is malware, the latter being very unlikely in my opinion... Moreover, I also confirm that VirusTotal finds threats only with Avast.
Can we conclude that we have a false positive?
-
Sorry for the ignorance, but I know neither what an FP is nor what W7SBC is...Could somebody fill me in?
-
Windows 7 start button changer alters the appearance of the start button by modifying explorer.exe this is what Avast is picking up. I have alerted Avast to this problem so hopefully it will be resolved shortly. Could you all ensure you have the latest VPS version 140308-0
-
Sorry for the ignorance, but I know neither what an FP is nor what W7SBC is...Could somebody fill me in?
FP: false positive (http://en.wikipedia.org/wiki/False_positive#Malware)
W7SBC: Windows 7 Start Button Changer (http://www.thewindowsclub.com/windows-7-start-button-changer-released)
Could you all ensure you have the latest VPS version 140308-0
I sure do.
-
Ok my bad, in that case I do have a modified explorer.exe...I didn't realize changing the start button appearance modified explorer.exe. My bad.
-
If it is a false positive, could I just add explorer.exe to the exceptions in Avast and have it work? And yes, I do have the latest VPS version.
-
Yes add it to the exceptions until an update is released, check it every day or so until no virus is reported and then remove the exception
-
Ok my bad, in that case I do have a modified explorer.exe...I didn't realize changing the start button appearance modified explorer.exe. My bad.
Why is it your bad? To modify something doesn't imply to push a malware in it. If you used W7SBC and downloaded it from a trusted source you are definitely safe.
Windows 7 start button changer alters the appearance of the start button by modifying explorer.exe this is what Avast is picking up. I have alerted Avast to this problem so hopefully it will be resolved shortly. Could you all ensure you have the latest VPS version 140308-0
I confirm that I have that version.
-
It seems as though Avast won't let me add single-file exceptions...is that true? And my bad in that earlier I said to essexboy that I hadn't modified explorer.exe.
-
It seems as though Avast won't let me add single-file exceptions...is that true? And my bad in that earlier I said to essexboy that I hadn't modified explorer.exe.
If you have the latest version you should find it in Settings->Antivirus->Exceptions->File Path... translation mistakes aside, since I have the Italian language for my version...
Anyway, another option could be to recover your original explorer.exe. If you used W7SBC you find it in the Windows folder named explorer_backup_w7sbc.exe. But you should be able to recover it directly via W7SBC...
EDIT: sorry, if your question was how to add a single file instead of the whole folder, then just write C:\Windows\explorer.exe
-
It seems as though Avast won't let me add single-file exceptions...is that true? And my bad in that earlier I said to essexboy that I hadn't modified explorer.exe.
Open the UI > gear at bottom left > Active Protection > File System Shield gear > Exclusions
Add C:\Windows\explorer.exe
-
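An added example, not part of any post in this thread: before adding C:\Windows\explorer.exe to the Avast exclusions, check on the machine itself whether the flagged file actually differs from the W7SBC backup mentioned above and whether Windows still considers it an intact system file. It assumes the backup sits at %SystemRoot%\explorer_backup_w7sbc.exe, as a poster in this thread states; the function name Get-Sha256Hex and the message wording are mine. Run it from an elevated 64-bit PowerShell on Windows 7 (the hashing uses .NET directly so it also works on the PowerShell 2.0 that Windows 7 ships with).

```powershell
# Added example (not from the thread): triage a flagged explorer.exe on Windows 7 x64.
# Assumption: W7SBC left its backup at $env:SystemRoot\explorer_backup_w7sbc.exe.
$Live   = Join-Path $env:SystemRoot 'explorer.exe'
$Backup = Join-Path $env:SystemRoot 'explorer_backup_w7sbc.exe'

if (-not (Test-Path $Backup)) {
    throw "No W7SBC backup found at $Backup; compare against a known-good copy instead."
}

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing instead of Get-FileHash, which needs PowerShell 4.0 or later.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

$liveHash   = Get-Sha256Hex $Live
$backupHash = Get-Sha256Hex $Backup
"live   explorer.exe SHA-256: $liveHash"
"backup explorer.exe SHA-256: $backupHash"
if ($liveHash -eq $backupHash) {
    'explorer.exe is byte-identical to the W7SBC backup: the start-button patch is NOT currently applied, so an alert on it deserves a closer look.'
} else {
    'explorer.exe differs from the backup: a patched (or otherwise modified) binary is in place, consistent with the W7SBC false positive discussed above.'
}

# Embedded Authenticode check. If the file carries an embedded signature, a patched copy
# typically reports HashMismatch. NotSigned on BOTH copies is not evidence of tampering:
# many Windows system files are signed through a catalog rather than an embedded
# signature, so the hash comparison above and the SFC check below are what decide it.
foreach ($f in $Live, $Backup) {
    $sig = Get-AuthenticodeSignature -FilePath $f
    "{0}: {1} ({2})" -f $f, $sig.Status, $sig.StatusMessage
}

# Ask Windows Resource Protection whether the file matches the protected system copy.
# This only reports; 'sfc /scanfile=<path>' would replace the patched file with the original,
# which is the same outcome as restoring the W7SBC backup.
& "$env:SystemRoot\System32\sfc.exe" "/verifyfile=$Live"
```

If the live file matches the backup, the W7SBC modification is not the cause of the alert and an exclusion would be hiding something else; if it differs and SFC reports an integrity violation only on explorer.exe, that is the expected state of a W7SBC-patched system, and the thread's advice applies: exclude the file temporarily, re-check after each VPS update, and drop the exclusion once the detection is gone.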
For me it turned out that the exception I actually had to add was explorer_edit_w7sbc.exe, if adding explorer.exe to the exceptions isn't working for anyone.
-
For me it turned out that the exception I actually had to add was explorer_edit_w7sbc.exe, if adding explorer.exe to the exceptions isn't working for anyone.
That file is reported as safe from my Avast...
-
That's odd...