ZStorm, have you tried to restore the system in Safe Mode...? If not, then I would do that next.
I would say complete format and reinstall.
And if that doesn't help, then I agree with the format and reinstallation.
And in future stick to legal software for your security: Avast Home Free, a free firewall and a free anti-spyware. No need to use stolen security software these days when the free versions are just as good.
- You did NOT uninstall Norton completely and that can give problems
- Remove nav completely
- Remove Kaspersky completely
You could try downloading and running a full scan with cureit.
...run msconfig and select "safeboot" on the "boot.ini" tab.
... run HijackThis that would be good.
It's possible the files inserted by Avast into the chest during the VRDB action could be corrupt, and useless. Don't know that though, but I wouldn't rely on them. If you can get this fixed and the system clean I'd clear the chest and have it rebuild anew, just in case.
PS, sometime soon it would be a good idea to run a cleanup utility. CCleaner if you have it.
It looks like quite a load of malware you've got. All for one keygen.
It's a Beagle/Bagle infection... oldman and essexboy have huge skills for manually removing this virus... hopefully they can guide you (or you can find other Beagle related threads here)... I must advise you to
A few weeks back I worked on a system with the Beagle and Avast could not remove all traces even in boot scan. Finally had to reformat. But now with Avast 4.8 it may be able to kill it.
It's not so much 4.8 being able to kill Bagle/Beagle (there will be variants it might not detect), but to stop Bagle/Beagle killing the AV (avast self-defence module) so that it can still do its work.
KillAll::
File::
c:\windows\system32\drivers\srosa.sys
Rootkit::
c:\windows\system32\drivers\srosa.sys
Driver::
srosa
The malware may have deleted the SafeBoot registry keys.
Here are some options to restore them:
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/ (http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/)
Or - Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe (http://www.techsupportforum.com/sectools/sUBs/)
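An added read-only triage script, not part of this thread or of the tools linked above, for the two things the posts above look for: the SafeBoot registry keys that this infection deletes, and the srosa driver/service named in the ComboFix script. It only reports; repairing SafeBoot should still be done with the .reg file or SafeBootKeyRepair-CF linked above. It assumes Windows PowerShell run from an elevated prompt, and the registry paths and driver location are the standard ones. Caveat: a kernel-mode rootkit can hide its own file and service key from this kind of check, so a clean result here is not proof the machine is clean; a SafeBoot key that exists but has no entries underneath is just as broken as a missing one.

```powershell
# Added example (not from the thread): report the state of the SafeBoot keys
# and of the srosa driver/service. Read-only; nothing is repaired or deleted.
# Assumes an elevated Windows PowerShell session.

function Test-SafeBootKeys {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($mode in 'Minimal', 'Network') {
        $path = Join-Path $root $mode
        if (Test-Path $path) {
            # Each subkey is one driver/service class allowed in that safe mode.
            # A present key with zero entries still means safe mode will not boot.
            $count = @(Get-ChildItem $path -ErrorAction SilentlyContinue).Count
            [pscustomobject]@{ Key = "SafeBoot\$mode"; Present = $true;  Entries = $count }
        } else {
            [pscustomobject]@{ Key = "SafeBoot\$mode"; Present = $false; Entries = 0 }
        }
    }
}

function Test-SrosaDriver {
    # The service key is what "Driver:: srosa" in the ComboFix script removes;
    # the .sys file is what "File::" / "Rootkit::" point at.
    $svcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\srosa'
    $svcPresent = Test-Path $svcKey
    $imagePath  = $null
    if ($svcPresent) {
        $imagePath = (Get-ItemProperty $svcKey -ErrorAction SilentlyContinue).ImagePath
    }
    $file = Join-Path $env:SystemRoot 'system32\drivers\srosa.sys'
    [pscustomobject]@{
        ServiceKey        = $svcKey
        ServiceKeyPresent = $svcPresent
        ImagePath         = $imagePath
        DriverFile        = $file
        DriverFilePresent = (Test-Path $file)
    }
}

Test-SafeBootKeys | Format-Table -AutoSize
Test-SrosaDriver  | Format-List
```

Run it before and after the ComboFix script and the SafeBoot repair: the driver/service lines should go from present to absent, and both SafeBoot keys should come back with a non-zero entry count before you rely on Safe Mode for the Norton and Kaspersky removal tools.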
Hi, DavidR has you off on the right foot. The safe mode fix I usually use is the one by sUBs, no particular reason.
- You did NOT uninstall Norton completely and that can give problems
- Remove nav completely
- Remove Kaspersky completely
I did run the Norton Removal Tool (saw it on some other topic here and thought it was a good thing to do) 2 days ago. It downloaded ok, ran ok and said in the end it was removed. But I suppose something didn't work that well, as I could see in the logs I posted previously remnants of NIS on my system. Following your advice, I downloaded it again and ran it again, getting the same result.
I found the Kaspersky Removal Tool (http://support.kaspersky.com/faq/?qid=193239279) and its instructions ask to run it in SAFE MODE. So what I'm going to do is run Norton again, but in Safe Mode, as I will also do with Kaspersky.
You could try downloading and running a full scan with cureit.
...run msconfig and select "safeboot on the "boot ini" tab.
... run HijackThis that would be good.
Cureit was downloaded and I will run it on safe mode. Next thing on my to-do list.
Hi, just delete combofix from the desktop.
The combofix log you posted is incomplete. Perhaps it was interrupted during the writing of the log.
The way I wanted combofix ran was with the script.
<pre>
----a-w 4,752,968 2005-12-20 10:33:06 C:\Downloads\MsgPlus-362146 - 20051231 .exe
</pre>
There's some Kaspersky left that should be uninstalled; we can clean up any leftover folder after you uninstall it.
We have a little repair work to do.
Download RenV from the link below
1. Save it to your Desktop.
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
<pre>
----a-w 4,752,968 2005-12-20 10:33:06 C:\Downloads\MsgPlus-362146 - 20051231 .exe
</pre>
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.
Copy and paste all the text in the code box above into the new notepad
Click File, Save as..., set the location to your Desktop, and enter "log.txt" (including quotation marks) as the filename. Using your left mouse button, drag the new file log.txt and drop it on the RENV.exe icon.
I didn't type the fix, I copied and pasted it from the combofix log. It was a Vundo infected file that RenV was supposed to fix. RenV now shows no infected file. However it is strange that it "fixed" itself. I'd like you to submit that file to VirusTotal just to be sure Vundo is trying to pull a fast one on us.
You can do a thorough scan if you wish, but first we'll clean up the tools you used.
But the first thing I'd like you to do is run combofix again. It should run from normal Windows. Please heed the instructions regarding security programs. Please post that log.
Tools clean up.
* Click start button, run, then copy and paste the following line into the box and click ok.
Combo-Fix /u
Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.
* Create a new restore point
You must be logged on to an administrator account.
* Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* double click OTMoveIt.exe to run it, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.
* Create a new restore point
* Remove old restore points
As soon as I saw Acelerador Terra I thought "Oh no!".
OTMoveIt2 will create a folder containing the removed files/folders. Since you placed it in a sub folder, OTMoveIt may have used that path to store the files you removed. The files you tried to remove, where did you find them afterwards? In the OTMoveIt subfolder or the original location?
Nothing we removed should have interfered with your connection. Did you install a third party firewall or did you get that far?
There has been an issue raised with webshield. Try Terminating it, can you browse with webshield off?
System restore will most likely fail, unless you turn off avast's self protection.
Tell me more about the contents of C:\327882R2FWJFW. You said it was similar to combo-fix. In what way.
Don't do too much right now other than answer as best as you and try turning webshield off.
As soon as I saw Acelerador Terra I thought "Oh no!".
Hi alanrf. I haven't had a chance to look this up. Mind filling me in please?
Sorry I did not want to spook anyone.
Oldman - please see my post in the evangelists forum.
Oldman said that some concerns had been raised with the Webshield.
Oldman's advice to try turning off the Webshield to see if that restores Web access is the best trouble shooting next step.
Did you terminate webshield or just pause it?
We can try this to see if we can repair your connection.
LSPfix
Download it to its own folder, for example C:\LSPfix
Disconnect from the internet (unplug the cable)
navigate to where you saved the file and double-click on it to start the application
Click finish.
If possible, before you click finish, please copy the information in the left hand box (keep) and post it here.
To turn off avast self protection
Right click the "a" icon, select Program Settings, Troubleshooting. Check "Disable self protection".
Oldman said that some concerns had been raised with the Webshield. It seems you have an "accelerator" function installed (or halfway installed/uninstalled). We have seen in the past that accelerator software can conflict with the working of the Webshield (and also with the Internet Mail provider too).
So sorry for alarming you. Oldman's advice to try turning off the Webshield to see if that restores Web access is the best trouble shooting next step.
There was a bit of misunderstanding. You didn't need to disable avast self protection. I only posted the instructions if you needed to do a system restore.
Webshield does not become part of the chain. You should be able to re-enable webshield and the self protection. Though I think you should forgo accelerator for now.
Even if you don't use the Internet Mail provider (Outlook Express), the Internet Mail provider can be a tool to alert you of a spambot infection. The mail icon will appear on your taskbar whenever traffic on port 110 or 25 is detected. If you are not sending mail, then you will know further investigation is needed.
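The same port 25/110 check the mail provider icon gives you can be done by hand, which is useful when the icon is not available (provider off, or no mail client). This is an added example, not part of the thread: it parses the output of "netstat -ano" rather than using newer cmdlets, so it also works on the XP-era systems this thread is about, and it looks up the owning process of any connection whose remote port is 25 or 110. The sample netstat lines below are constructed (RFC 5737 documentation addresses, made-up PIDs) purely to show the output shape.

```powershell
# Added example (not from the thread): flag outbound SMTP (25) / POP3 (110)
# connections from "netstat -ano" output and name the owning process.
# Only parses text, so it works wherever netstat -ano does.

function Get-MailPortConnections {
    param(
        [Parameter(Mandatory)][string[]]$NetstatLines,
        [int[]]$Ports = @(25, 110)
    )
    foreach ($line in $NetstatLines) {
        # TCP rows look like: Proto LocalAddress ForeignAddress State PID
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 5 -or $fields[0] -ne 'TCP') { continue }

        $remote = $fields[2]
        # Port is everything after the last ':' (also works for [::1]:25 style).
        $remotePort = [int]$remote.Substring($remote.LastIndexOf(':') + 1)
        if ($Ports -notcontains $remotePort) { continue }

        $owner = [int]$fields[4]
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local   = $fields[1]
            Remote  = $remote
            State   = $fields[3]
            PID     = $owner
            Process = if ($proc) { $proc.ProcessName } else { '(exited or unknown)' }
        }
    }
}

# Constructed sample (not real output): one SMTP connection, one web, one listener.
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    192.0.2.10:1034        203.0.113.25:25        ESTABLISHED     4321',
    '  TCP    192.0.2.10:1035        203.0.113.80:80        ESTABLISHED     4321',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900'
)
Get-MailPortConnections -NetstatLines $sample | Format-Table -AutoSize

# Against the live machine:
# Get-MailPortConnections -NetstatLines (netstat -ano) | Format-Table -AutoSize
```

On a box that is not sending mail, the live call should return nothing; a row owned by a process that is not your mail client (or by a PID that has already exited by the time you look) is exactly the "further investigation is needed" case described above.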
So, what happens now? You think I'm clear of malware and ready to be happy again? ::)
Waiting to hear from you.