Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: heatherliis on July 31, 2007, 09:06:38 PM
-
I ran Avast trying to get rid of a nasty Trojan that makes my security center pop up every min saying I have spyware. It didn't work, and now my control panel is gone out of the Start Menu. Please help! :'(
-
avast doesn't remove anything without user input and first it must have detected something.
What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ?
Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.
What you are seeing is rogue ware trying to convince you to visit a site or download a patch/software (probably at cost) to resolve the problem. I strongly doubt it has anything to do with the Security Center and control panel may have been disabled by malware.
A new tool RogueRemover, available here http://www.malwarebytes.org/rogueremover.php (http://www.malwarebytes.org/rogueremover.php), download this and run it, then try one of the others below and report your findings.
If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
If using winXP AVG anti-spyware (formerly Ewido) (http://www.ewido.net/en/download/). Or SUPERantispyware (http://www.superantispyware.com) Or Spyware Terminator (http://www.spywareterminator.com/).
-
Again, heatherliis disappeared...
It's sad when someone asks for help and does not turn back...
-
Oh, I'm here. I didn't know anyone replied. Sorry about that. It's my friend that this happened to, not me. I should of specified. He's really technically challenged. When he ran the scan, it said it could not repair and asked him to delete all or move to chest. I told him delete all because I was thinking they were just viruses, not system files. But there were a few files that asked him if he was sure, and I told him to move to chest. I don't know how many of those files he did move. I'll tell him to come here. He might need special help because he doesn't know jack about computers. I don't think he knows how to move the files back from the chest either. I use a Mac, so I'm useless to him. I don't think he'll know what safe mode is. Heck, I don't even know what that is because I use a Mac.
Thanks for all your help,
Heather
-
When he ran the scan, it said it could not repair and asked him to delete all or move to chest. I told him delete all because I was thinking they were just viruses, not system files.
It's always safer send to Chest before deleting.
I don't think he'll know what safe mode is.
SafeMode info (http://support.microsoft.com/default.aspx?scid=kb;en-us;315222) (repeatedly press F8 while booting).
Heather, maybe your friend should call a technician to fix the computer...
-
Control Panel is in C:/Windows/System32 as control.exe:
(http://donaldbroatch.users.btopenworld.com/control.png)
Is control.exe where it should be? What happens when you click on it?
Have you got 'Display control pane as a link/menu' enabled? (Right click on Start>Properties>Start Menu>Customize>Advanced
(http://donaldbroatch.users.btopenworld.com/customizestart.png)
-
He told me that when he tries to mess with Properties he always gets this message "This operation has been cancelled due to restriction in effect on this computer. Please contact your system administrator."
Same with anything he clicks on in the Start Menu. I wonder if something happened to his administrative setup. Also if one of you could please contact me via email, I can give you his email address. His internet connection is really bad lately so it's hard for him to come on here. He might be able to clarify things better than I can.
Thank you so much,
Heather
-
Try a scan with Spybot Search & Destroy (http://www.safer-networking.org/en/download/index.html): it can detect and remove some changes to the registry made by malware to disable certain features of Windows.
-
I'll go tell him that. Also, I was wrong. It's not everything in his start menu that is giving him that message. It only the add/remove programs, default settings that don't work. And his logitech option on his start menu is gone too.
Thank you so much. He's majorly stressed. Spybot won't delete anything, will it?
Thanks,
Heather
-
Spybot won't delete anything, will it?
It will... but it's a safe application that will try to 'correct' the changes that the virus made.
-
Does he need to disable Avast and any other anti-virus/anti spyware programs he has in order to run Spybot correctly?
Thanks,
Heather
-
Does he need to disable Avast and any other anti-virus/anti spyware programs he has in order to run Spybot correctly?
No.
-
One more question (I hope I'm not annoying you guys), if what you said to do doesn't work, would it be a good idea for me to send over my control.exe file from my Windows XP (I have it at home on my MacBook Pro). Or would he even be able to use it. It sounds like his administer settings are screwed up to me, not his actual control panel. What's weird is that none of this happened until after avast was run. Does malware do that once you try to get rid of viruses?
Thanks,
Heather
-
One more question (I hope I'm not annoying you guys), if what you said to do doesn't work, would it be a good idea for me to send over my control.exe file from my Windows XP (I have it at home on my MacBook Pro). Or would he even be able to use it.
It won't harm...
Also, he can use the command SFC to restore the original Windows files. See Windows Help files.
It sounds like his administer settings are screwed up to me, not his actual control panel.
You're right... things do not smell good.
What's weird is that none of this happened until after avast was run. Does malware do that once you try to get rid of viruses?
Heather, avast could have 'detected' the problem that was already there...
-
Thanks. When he gets on, I'll tell him to try that. If he restores his original files, will it mess up the programs he has on his computer? Will he have to re-install things? I don't know if he has his disks anymore since he moved. I just want to make sure that restoring his original Windows files doesn't create a whole other problem.
Thanks,
Heather
-
Thanks. When he gets on, I'll tell him to try that. If he restores his original files, will it mess up the programs he has on his computer?
No, he needs the original Windows XP CD and will restore only system files.
Will he have to re-install things?
No, it's a repair procedure, not an uninstaller.
I don't know if he has his disks anymore since he moved.
Without the disks, no way.
I just want to make sure that restoring his original Windows files doesn't create a whole other problem.
It shouldn't create any problem, not one I'm aware of. Of course, something could be wrong, but if you don't want to cure (solve) the problem, you won't test any way, you won't move, you'll stay with all the problems...
-
I'm just covering all my bases before I tell him to do anything. :) I'll go have him do the spybot scan. He should be on in a couple hours hopefully. I wonder if Microsoft has the system restore files on their site somewhere. Or if he could borrow my disk. Does it matter if it's from another serial number? Maybe I'll make him a copy of my disk (if it'll let me) so if he ever needs to restore his files again, he'll have them. Otherwise, he might have to spend a lot of money getting a repair guy or get a new computer. And that's going to suck if he can't find any of his program disks for photoshop, etc. His CDrom drive is broken too. It stopped working after a friend of his messed with his Windows trying to get rid of spyware/viruses a couple years ago. And now it won't let him update or anything. It keeps saying his copy isn't legit even though it is.
-
I wonder if Microsoft has the system restore files on their site somewhere.
I never heard about this... I don't think it exist.
Or if he could borrow my disk. Does it matter if it's from another serial number?
I'm not sure... but, maybe. You can test.
His CDrom drive is broken too.
Well... things are becoming difficult... maybe the technician would be faster and safer, maybe buying a new computer or fix the fail hardware before...
And now it won't let him update or anything. It keeps saying his copy isn't legit even though it is.
So, if it's legit... he must have the disks and maybe could start all over again...
-
He finally got his internet up so he could update spybot and run a scan. It got rid of a bunch of things, but he still has the same problems with not being able to modify his computer and that dang spyware alert keeps coming up. He tried to logout and login as the system administrator, but couldn't figure out how to do that. It only shows his normal login and no option for that. He had a repair guy come last week to do an estimate and that guy could do it. Is there a certain thing you need to do to login as the system administrator? My friend just chose logout when he went to shutdown and that didn't work. He's thinking if he can login as the administrator that he can change the settings for his regular login. I also told him to try to update avast and do another scan, but he doesn't trust it now. He still thinks avast caused the problem he has with his control panel and adjusting the properties. :(
-
I was doing a search on his problem with the control panel, etc. and someone said that spybot made their computer do that from some settings in advanced mode:
"
after seeing your posts (and finally twigging onto the idea of what i had done) I opened Spybot search & destroy and went to
"TOOLS"
then
"IE TWEAKS"
(both available in the program's advanced mode)
and unchecked the 3 options of locking the host file..., locking the start page..., and locking the control panel....
all's fine now. "
Does avast have an option like that too? Maybe that's why it did that to my friend after he ran avast. Maybe he just needs to mess with the settings. Is there a setting for that?
-
He tried to logout and login as the system administrator, but couldn't figure out how to do that. It only shows his normal login and no option for that.
Use TweakUI for XP from Microsoft to allow this account.
http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx
-
Heatherliis, your friendship with this guy, and persistence with the problem is impressive. Especially for a Mac user!
I'm not an expert by any stretch, and have no desire to hijack any aspect of the help offered on this thread, but have a bit of (self-inflicted) experience with this sort of thing.
I can tell you that everything that has happened to this computer fits with the description of what several variants of malware can cause; disabling the control panel, disabling his admin rights, and creating the rogue anti-malware popup. (Some of these include the rogue programs SpyDawn, Spylocked, the Vundo trojan...there are plenty.)
I believe that is the most likely explanation, but it is entirely possible that some of the same results could be achieved by having Avast delete important system files. This is much less likely.
The approach to this has to be to disable the malware from running at startup, and then to regain use of the systems required (control panel/admin) and then to clean the malware from the system.
To assist with this, the names and locations of the items found would be beneficial, and also any that are in the chest.
If he can't find his OS disk, and M$ are telling him his installation isn't genuine, his options become rather limited, and the repair more difficult, but it still may be possible.
I urge you to get him to track down that disk- there is a code on it unique to that disk, and therefore his installation - and to yield the info on the names of the files that were identified, exactly. ie: capitalization, locations of files, slashes, complete names, matter.