Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: manjil on October 22, 2007, 03:50:06 AM
-
Hello all gurus!!
My computer is infected with unknown virus which avast can't detect..
The symptoms are
it makes a new copy of itself by known name.(the exe file has folder icon)
it doesn't allow to run msconfig regedit.
it doesn't allow to install new program.
As per as my knowledge it got spread from the camera memory stick.
I tried to remove the startup entry but couldn't succeed.
Please help me to remove it.
-
Can you run a full computer on-line scanning?
Kaspersky (http://www.kaspersky.com/virusscanner) (very good detection rates)
ESET NOD32 (http://www.eset.com/onlinescan/)
Trendmicro housecall (http://www.trendmicro.com/hc_intro/default.asp)
AVGas (http://www.ewido.net/en/onlinescan/) (does not necessary if you have AVG antispyware installed)
F-Secure (http://support.f-secure.com/enu/home/ols.shtml)
BitDefender (http://www.bitdefender.com/scan8/ie.html) (free removal of the malware)
HitmanPro (http://oms.hitmanpro.nl/) (multiply scanners)
-
Yes i can full scan the computer..
-
Yes i can full scan the computer..
So, I suggest Kaspersky and BitDefender.
Oh, after that, if you can isolate a file, don't forget to send to avast for analysis. This will help to improve detection.
-
can you tell me any way to delete the startup entry.
The virus is also active in safe mode.
-
Welcome to the forum.
I must tell you this may be out of my league, but I can get you started. :)
Did you do the online scan at Kaspersky as suggest by Tech? If so what where the results?
1. Down load and run CleanUp (http://www.stevengould.org/downloads/cleanup/)
2. Download superantispyware (http://www.superantispyware.com/) to your desktop.
Start superantispy, click on update.
Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.
Under Scanner Options make sure the following are checked
- Close browsers before scanning
- Scan for tracking cookies
- Terminate memory threats before quarantine.
leave the others unchecked.
Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive.
Under Complete Scan, choose Perform Complete Scan.
ยท Click Next to start the scan.
When the scan is done, quarentine everthing found . Reboot if asked.
Post that log, Start superantispyware, the log will be under Preferences, Statistics/Logs tab in the scanner logs.
3. Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
- Save HJTsetup.exe to your desktop.
- Doubleclick on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
You may have to split the logs into muliple posts.
-
can you tell me any way to delete the startup entry.
The virus is also active in safe mode.
Try and find msconfig.exe and make a copy in a folder new (C:\TempUtil will do), rename that to msconfig1.exe, this should avoid the redirect that has been applied to the mscongif.exe file.
You can do the same (make copies and rename the copy) for regedit.exe, rename to regedit.com and also taskmgr.exe, rename taskmgr1.exe. This should allow you to run regedit and task manager.
There is a little program that will do this for you called EmergencyUtils, http://www.dougknox.com/xp/utils/xp_emerutils.htm (http://www.dougknox.com/xp/utils/xp_emerutils.htm). I don't know if you would be able to run this based on your problem with new programs, but this is not an installation as such.
This small VB 6 utility will create a usable backup copy of Taskmgr.exe, MSConfig.exe and Regedit.EXE in a new folder, called C:\EmergencyUtils. The new copies will be named Copy_of_Taskmgr.exe, Copy_of_MSConfig.exe and Copy_of_Regedit.com.
-
I have some experience with some viruses with the same symptoms that you have said...
A variant of Brontok works like that...Worm/VB variants also works similarly...Variants of TR/Autoit also functions like that but it still allows new installations...
I suggest Avira PersonalEdition Classic and you can get it for FREE at www.free-av.com. THEN you start your PC in safe mode (by pressing F8 on while booting) and install Avira while on safe mode...If you still can't run the installer even on safe mode, THEN try installing PC Tools Threatfire (formerly Cyberhawk) because if I'm not mistaken, the installer of Threatfire is immune from attacks of these viruses...AND it will catch these viruses upon startup using behavioral analysis...
-
You would need to uninstall avast if considering avira as it is a resident scanner and you shouldn't have two resident on-access scanners installed at the same time.
We also don't know what the original posters OS is if win9x or winME he is out of luk as avira doesn't support them any longer.