Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: ZStorm on April 09, 2008, 11:32:04 PM

Title: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 09, 2008, 11:32:04 PM
Hiya all

For 24 hours now my PC has gone crazy. After receiving a zip and executing the file, which was supposed to be a cracker for Kaspersky Internet Security, sent by a friend thro file transfer on Yahoo Messenger (he said he got that cracker on EMule), things went outta control here.

I had for years NIS 2005 running for firewall and AV. Since its registration expired I kept using it only as a firewall (no matter that it couldn't be updated) and installed in July 2007 Avast! 4.7 to run for AV. So far so good. Last week I had NIS completely suspended and no longer running as it reached the max period for being installed without a renewed registration and couldn't be started anymore. So I proceeded to uninstall it using Control Panel and put Windows Firewall to work.

I thought I was ok and safe having WF + Avast! for AV till I started to realise maybe something was passing thro the internet without getting the alarms I was used to with NIS. I decided to install another tool to get safer. I already had KIS 6 downloaded on the hard drive along with a supposedly ok regkey to use on it, then I tried to install it but it didn't work as the key had expired (no wonder, I had it with me since 2006) - so the install of KIS never really happened as it was canceled by the time it asked for the regkey; the one I had being invalid, the process was aborted.

I didn't sleep much over the matter till this last weekend when I checked the Kaspersky site and the version I had was not that outta date, then I thought to try for a new cracker or keygen. Yesterday I made the stupid request to an old friend who was online to give me a hand to search for those. He passed me 2 links for regkeys I downloaded myself which didn't work as they were old and invalid like the one I had here. He tried then on EMule and sent me a zip file (about 700K) which caught my eye for being damn big for a keygen. Once I unzipped and ran the exe, it asked me which file to crack (pretty weird again). I pointed it at the KIS exe file and it ran a process which gave me a weird error I don't recall and auto-aborted the task. Just after that, I left the puter connected and went for lunch. As I can see in my logs, the PC restarted by itself something like 1-3 minutes after the cracker played and by coincidence I wasn't at my desk.

When I got back from lunch, I found it a bit weird but didn't give it much credit. Anyway, I decided to go ahead and install KIS for the moment being (with activation later) so to try it while looking for an ok cracker. The moment it started to run the setups it asked many many times in a row about configuring ports and accesses for Flashget and a couple more programs, till it prompted on an alert window that a program was trying to change the Avast INI file and whether I agreed with that or not, as it could disable real-time scans and some features of Avast!. At first I said NO NO NO NO... that window popped up 27398423789432 times in an eternal loop, then I decided to click YES to see if it would stop. It didn't. It kept prompting the alert and no matter YES or NO or closing the box, the loop didn't stop.

I'm not sure now if I ended KIS by killing the process in Task Manager and then proceeded to uninstall it from Control Panel (which took many attempts till finally working; for 3 previous attempts it gave an error saying some file was missing so the removal was impossible) OR if the system froze and I had to force a reboot and when back tried to uninstall it as I said above. Either way, while trying to uninstall KIS and realising things had gone much weirder, I tried to scan that cracker with Avast! and nothing happened. The whole system went very slow, Task Manager was showing 100% CPU usage no matter what, I had to reboot many times till getting Control Panel to populate Add/Remove Programs and stuff. Also when trying to connect to the internet, at times it wasn't recognising the modem or was giving errors, and when connected it didn't show any stability.

On those reboots my icons on the status bar disappeared almost completely. Programs were not being loaded or if they were, they were not showing on the bar and if selected manually to run, some would, others wouldn't. I got many errors during the start up about files missing and apps not able to start properly. The Avast! icon had disappeared as well and trying to run the application was totally frustrating.

By then, it occurred to me to RESTORE the system and so there were many attempts without any results besides one - when I asked for the Restore and it came back saying "Your system couldn't be restored and no changes were applied", the system for some reason put back my start up icons working and the speed of the PC was almost normal. At that moment I noticed 3 things more:

- WF was ALWAYS disabled on Security Center with the message saying "Security Center is not turned on. Restart or select to switch it on" or similar;
- the Avast! icon had disappeared for good even if all the others were back and still no use trying to use it or to uninstall it (it wasn't showing on Control Panel either);
- connection to the internet started to work again BUT once Internet Explorer was trying to run, it would make the system really crazy, calling many different Prefetch files, taking over CPU usage, gradually creating dummy files like "14979875.exe" running in processes, forcing the system to collapse if left running that way or forcing me to switch off the power so to be able to restart.

By then it was more than clear I had a bug messing with the system or maybe some Windows system file was corrupted and I didn't have any AV to scan the PC. Some thunderbolt struck me in the head and I tried once more to remove Avast! 4.7, now by running the install file. It worked that way and from that moment on at least the system was being started in a more normal way so I could try to run the Avast! Cleaner I had downloaded previously (same version as the one available on the site) and results were negative (report attached). Second thought was to get a new version of Avast! and scan the PC. I found out also that even if IE was impossible to run, Firefox was working normally and from there I downloaded Avast! 4.8 and some patch files I searched for on the MS site for fixing IE7 bugs and stuff. I thought the problem was a bug or corrupted file on the system and on IE as when running IE the system started to fetch other programs and files, overloading the CPU.

Many hours later and many downloads done, I tried to install those files and absolutely NONE worked. The error was the same "not a Win32 application" or "file corrupted". Also not a single online scan worked for me on Firefox (most of them require IE) which would bring a result of infection. By having those messages I came to the Avast! forum and I got my chin down when searching for those keywords and getting so many returns. I read lots of topics and downloaded some of the files which were pointed out but then again, I'm stuck.

Most applications don't run as they hit the same wall... "not a Win32 app". ComboFix didn't work as well (report attached) as it crashed the system after prompting that it was changing my PC clock (MS Windows report attached). The Symantec solution FXBGLEMO.EXE can't be run as my PC DOESN'T ACCEPT RUNNING UNDER SAFE MODE (when I select it, there comes a sequence of files as if they were being read or fetched starting with "multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\SYSTEM32\*.*" and then it restarts again and ONLY accepts the normal mode).

I tried also Registry Booster and it ran ok. Too bad it gives the result of 747 errors/problems but says it can fix only 15 on trial. When I tried to see the log file, it opened IE and crashed the PC as before. I tried from another path from the console and it froze the system. Also I couldn't find the file on my PC so as to read it and attach it here.

So, dear new friends, would there be someone out there who could have the patience to read this novel here and help me out on fixing this? IS THERE A CURE, DOCTOR?  :'(  ???


In advance, I'd like to thank anyone who will have the patience to read this and even more the ones who might be interested in helping me.

PS1: Attached goes my PC configuration.
PS2: I downloaded and ran the tool to remove the Norton program using SymNRT and it worked ok.
PS3: I have HijackThis but not installed. I tried to run it but again the same 'not a Win32 app' error.
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 10, 2008, 04:35:54 AM
I don't know if what I'm doing is right but from reading other topics I've downloaded some tools and finally one worked.

>> Attached go the MAIN and EXTRA log files of Deckard's System Scanner (DSS).

SUPERAntiSpyware gets stuck just after asking about retrieving program updates. It sends CPU usage through the roof and has to be ended in Task Manager or else it crashes the system.

Avast Antirootkit was installed successfully but after 33 minutes, 146,000 objects scanned and 1174 items found, the program crashed and gave a report to be sent to MS.  :(

NOTE: Files XXX.exe (where X are random numbers) which I saw popping up like a plague in Task Manager while IE was running before (and crashing the system) were found by Avast Antirootkit in the \WINDOWS\SYSTEM32\DRIVERS\DOWNLD\ folder.

I'm completely in the dark here. Please, if somebody can give me a light, I'd appreciate it. I don't even know if accessing my email or logging in here is safe or not.

I'm back to running the antirootkit and other tools again, hoping to find at least which malware it is.
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: rhuds13 on April 10, 2008, 05:28:06 AM
I would say complete format and reinstall. And in future stick to legal software for your security. Avast Home Free and a free firewall and a free anti-spyware. No need to use stolen security software these days when free versions are just as good.
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: wursti on April 10, 2008, 08:36:58 AM
ZStorm, have you tried to restore the system in Safe Mode...? If not, then I would do that next.
For some reason some systems only perform a total restore in Safe Mode, e.g. my old desktop...

And if that doesn't help, then I agree with the format and reinstallation.
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 10, 2008, 10:11:03 AM
Spyware Terminator was successfully installed and executed the Fast Spyware Scan. The more relevant results were about 2 different trojans:

- TROJAN.DOWNLOADER.BAGLE.FG.2
- TROJAN/TOOSRRR.SRR


>> Log from the Terminator scan goes attached.
>> Log from the Avast Antirootkit crash report to MS (check my previous post) goes attached.

When asked about what to do with the malware, I selected all to go to quarantine but one of the files infected with Bagle couldn't be moved and it was recommended to restart and rescan under safe mode.

Quote from: wursti
ZStorm, have you tried to restore the system in Safe Mode...? If not, then I would do that next.

Thing is... I dunno why but SAFE MODE IS NOT WORKING at all. Windows only lets me in on normal mode.

If there's anybody there who could tell me how to manage to get into safe mode, I'd be pretty much grateful.

Quote from: rhuds13
I would say complete format and reinstall.

Quote from: wursti
And if that doesn't help, then I agree with the format and reinstallation.

In fact, my PC has needed a rebuild since 'yesterday' as the last one was done about 4 years ago. There's a tiny detail which stopped me, or at the very least didn't encourage me at all, to do so... the fact that the only option I have had since forever for internet connection here is DIAL UP :( . 4 years back it was already 'painful' to rebuild an XP Pro at such speed and it took me about a week only to tie up Windows. Go figure about the rest of the installs and updates. It was a nightmare before and nowadays files have gotten bigger and stuff... I believe it would take me 2-4 weeks to get the system running with my programs adjusted and updated.

That said, I hope you all can understand WHY I'm insisting so much on trying to fix whatever it is I got here, not only cuz of the long heavy work to rebuild under dialup but as well I ain't comfortable about doing a backup at this point as I don't know the level of risks and damage caused to other files (and which files) by those malwares.

rhuds13 and wursti, I'd like to thank you both for your time and replies, you were very kind and nice.

I hope there will be other replies not only from you but from others who could give me a hand from this new status I'm in now.

PS: Another interesting detail. Avast! 4.8, which was installed previously but wasn't being loaded at all (tho the files were installed), after this scan/reboot of Terminator appeared back on the tray as also running. At the moment it's generating the VRDB so I can proceed with other tasks when it's done later on.

Thank you all and in case you have some procedure or information to help me out on this marathon, it will be very welcome.
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 10, 2008, 10:22:30 AM
Quote from: rhuds13
And in future stick to Legal software for your security.  Avast Home Free and a Free firewall and a Free Anti-Spyware.  No need to use stolen security software these days when free versions are just as good.

rhuds13, I agree with you when you say nowadays there's on the market free and good software for security but it's a recent reality. A couple of years ago, most products were only for purchase requiring a good $ investment (for personal use they were very expensive indeed) and the free ones hadn't reached the level of competence they have achieved today. I ain't proud of having used unlicensed software but it was more a matter of opportunity and necessity rather than an ideological one, not to mention the time available to check out what came out for free usage on this mutable market.

I strongly believe software companies should be profitable - but not abusive. Behind those softwares there are lots of ppl who work/need/deserve to be well paid for their work but then again, it doesn't give certain companies the right to put prices through the roof and not affordable for home usage.

I think the Software/IT industry has already been learning to understand the market and its needs/behaviour. Mass range apps can't be expensive and 'stiff' (i.e., Windows vs Linux; internet security packs have their prices much lower if compared to 1-2 years ago as the usage of the internet and need for security tools increased at an exponential rate; increased access/usage of digital media and also internet access from all kinds and levels of people all over the world etc. etc.). The way of life is changing, so I hope the market keeps following it  :)
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: Eddy on April 10, 2008, 10:30:51 AM
Couple of things:
- You did NOT uninstall Norton completely and that can give problems
- You were trying to use software illegally
- NEVER put two AVs on one system, that is asking for problems.

- Remove NAV completely
How to completely remove Norton (Symantec) (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=)
- Remove Kaspersky completely
- Repair Avast! and run a boot-time scan
- Stop using software illegally
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: Tarq57 on April 10, 2008, 11:35:46 AM
You could try downloading and running a full scan with CureIt http://www.freedrweb.com/cureit/ (http://www.freedrweb.com/cureit/) if it will run. It's standalone, no install needed, runs from the download location, considered pretty effective. It might give you back enough functionality to make a full fix easier. It's around 9Mb. Run it as soon as it's downloaded - it has no updater.

I guess you've tried the "push F8" trick during reboot to get into safe mode? If that doesn't work, run msconfig and select "safeboot" on the "boot.ini" tab. Click OK. Then restart.
I suspect the safe option may have been disabled by the malware.
If you can get into safe mode, run whatever scan you can, quarantine anything found. If you can install and run HijackThis that would be good.

It's possible the files inserted by Avast into the chest during the VRDB action could be corrupt, and useless. Don't know that though, but I wouldn't rely on them. If you can get this fixed and the system clean I'd clear the chest and have it rebuild anew, just in case.
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: Tarq57 on April 10, 2008, 11:50:28 AM
PS, sometime soon it would be a good idea to run a cleanup utility. CCleaner if you have it, the inbuilt Windows Disk Cleanup if you don't.
This will just get rid of temporary files etc, and reduce the time for scanning. Might take some malware files with it, by clearing the temporary internet files/Java cache etc.
It looks like quite a load of malware you've got. All for one keygen. Tsk tsk. (I have no idea why people do this. Russian roulette.)
Anyway, good luck.

Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: Maxx_original on April 10, 2008, 12:11:57 PM
It's a Beagle/Bagle infection... oldman and essexboy have huge skills for manual removal of this virus... hopefully they can guide you (or you can find other Beagle related threads here)... I must advise you to install the 4.8 version of avast after cleaning, because it is bullet-proof in the Beagle case..
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: rhuds13 on April 10, 2008, 05:22:22 PM
A few weeks back I worked on a system with the Beagle and Avast could not remove all traces even in boot scan.  Finally had to reformat.  But now with Avast 4.8 it may be able to kill it.  If you know someone with a high speed connection perhaps they would let you use it to get all your updates. Then use something like Norton Ghost to image your system on DVD for future installs.
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: DavidR on April 10, 2008, 05:49:08 PM
It's not so much 4.8 being able to kill bagel/beagle (there will be variants it might not detect), but to stop bagel/beagle killing the AV (avast self-defence module) so that it can still do its work.
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 12, 2008, 06:11:42 AM
Hi guys

First of all, thanks to all of you for your attention and posts. All has been of much help.

After my last post, I went running Avast! 4.8 updated (lasted for more than 9 hours) and it found many more malware - all moved to the chest. NOTE: this first scan was done in normal mode as well, not a boot-time one, as I couldn't find where to select that option at first.

It was already late here when it ended and I didn't have any strength to set anything else besides giving a look in here and checking for news. I was very glad to have your replies and those helped and help me on my marathon here. Thanks to the information here, I succeeded in running another Avast! scan but this time under safe mode and a boot-time one. Logs attached.

Quote from: Eddy
- You did NOT uninstall Norton completely and that can give problems
- Remove NAV completely
- Remove Kaspersky completely

I did run the Norton Removal Tool (saw it on some other topic here and thought it was a good thing to do) 2 days ago. It downloaded ok, ran ok and said in the end it was removed. But I suppose something didn't work that well as I could see in the logs I posted previously remnants of NIS on my system. Following your advice, I downloaded it again and ran it again, getting the same result.

I found the Kaspersky Removal Tool (http://support.kaspersky.com/faq/?qid=193239279) and its instructions ask to run it under SAFE MODE. Then what I'm gonna do is run Norton again but in safe mode, as I will do with Kaspersky as well.

Quote from: Tarq57
You could try downloading and running a full scan with CureIt.

...run msconfig and select "safeboot" on the "boot.ini" tab.

... run HijackThis that would be good.

It's possible the files inserted by Avast into the chest during the VRDB action could be corrupt, and useless. Don't know that though, but I wouldn't rely on them. If you can get this fixed and the system clean I'd clear the chest and have it rebuild anew, just in case.

CureIt was downloaded and I will run it in safe mode. Next thing on my to-do list.

Thanks a lot for the hint about MSCONFIG. Safe mode is working that way. :)

HijackThis was downloaded as well and every time I get something running/scanning I will get a HijackThis log after.

I'm sorry but I'm not sure I got what you meant in your last paragraph. I ran the VRDB yesterday morning as soon as I got Avast! 4.8 repaired and updated. Of course it was empty by then. Are you referring to the 3 system files VRDB puts in the chest being corrupted?

Quote from: Tarq57
PS, sometime soon it would be a good idea to run a cleanup utility. CCleaner if you have it,

It looks like quite a load of malware you've got. All for one keygen.

CCleaner downloaded and I ran it already  :) . Will do it again in safe mode before and after running the other applications.

I've searched for info about the Beagle (http://www.symantec.com/security_response/writeup.jsp?docid=2004-031310-3624-99&tabid=2) and from what I read they say it's spread by email. If that's right, I didn't get that damn keygen by email but from a file transfer on Yahoo Messenger. Also I scanned the files many times and all results were clear. I wonder then if and how I got this malware and the rest I found so far.  ???  Btw, I only use web-based mail.

Quote from: Maxx_original
It's a Beagle/Bagle infection... oldman and essexboy have huge skills for manual removal of this virus... hopefully they can guide you (or you can find other Beagle related threads here)... I must advise you to

Besides Beagle I got other trojans and malware here.  :(  I wonder if they are related somehow.

Yeah, oldman and essexboy seem to be great at Beagle removal. Actually I read some of their posts on other threads even before I registered as a forum member. Thanks to their information (also some from Tech and w0mbat) on other cases I managed to download and run some tools/tasks which let me at least get the system stable enough to run spyware tools (Spyware Terminator was the blessed tool which was the only one that would work when others like ComboFix, SUPERAntiSpyware, Avast! Antirootkit, HijackThis, Deckard's System Scanner, Registry Booster were impossible to install or to run without crashing the system).

I'd love to have those members' help but I dunno how to do it as I can't send PMs to anyone (why is that, btw?) and their profiles don't give any option for contact. I would be very thankful if you could give them a nudge about my thread as you are an Avast Team Member.  ;D

Quote from: rhuds13
A few weeks back I worked on a system with the Beagle and Avast could not remove all traces even in boot scan. Finally had to reformat. But now with Avast 4.8 it may be able to kill it.

Quote from: DavidR
It's not so much 4.8 being able to kill bagel/beagle (there will be variants it might not detect), but to stop bagel/beagle killing the AV (avast self-defence module) so that it can still do its work.

After all, can Beagle be killed or not? Can Avast! 4.8 take care of the job or not?


Attached go log files from the Avast scans plus HijackThis ones so there's information about the malware found so far.

I have a few questions...
- May I uninstall the previous Java updates? I have many old ones on my system, they are huge and take ages to scan. I dunno if they are necessary or not.
- Why does IE7 still crash my system every time it's started, even if offline?
- Is being connected to the internet a threat as I have all those malwares here and no firewall on? Is it safe to access my webmail and even login services, like here on this forum?
- I can't find an option or file containing the reports/logs from Avast! 4.8 scans. Is it only for the Pro version?

Ok, that's it for now. I'm gonna crawl to my cradle as I've been working on this since Monday, sleeping less than 5 hours per day and I'm quite dead.

By morning I will perform the safe mode scans/tasks and will report on them asap.

Have a great weekend, all.
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 12, 2008, 06:14:21 AM
Last HijackThis log of the day and after CCleaner. After that no further tasks/scans were done.
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 12, 2008, 07:40:24 PM
OOPS! I selected from MSCONFIG to run in SAFE MODE, like Tarq suggested. It worked yesterday when I also selected to run a boot-time scan on Avast! 4.8. It worked fine for the scan and safe mode, and I had to switch back to normal mode when back in Windows after the boot-time scan.

I performed other tasks after that and before going to sleep set MSCONFIG again to run next in safe mode. Today when I turned on the PC, it didn't allow me to start the system in safe mode, rebooting it and getting me back to the options screen to select which kind of boot to run. Before it would let me select NORMAL and then load the system but now it doesn't. I suppose changing the mode in MSCONFIG makes the boot keep looping and not accept normal.

How can I revert that and log in at least in normal mode?
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 12, 2008, 08:57:02 PM
Startup SOLVED  ;D (at least now I can start up in normal mode)

I found a thread on another forum (couldn't find any thread about it in here) which was pretty much my issue, and the problems the user had I also had here (attrib not accepting more than 1 setting at a time; edit not working at any location etc.). The solution given was perfect for me.

Hoping to help others who might face this problem * START UP NOT WORKING IN SAFE OR NORMAL MODE * here go the links for the forum thread and MS Support article:

http://forums.majorgeeks.com/showthread.php?t=101952
http://support.microsoft.com/default.aspx?scid=kb;en-us;330184


Now dear fellows, I'm back to almost zero... SAFE MODE doesn't start here.

Any suggestions about what I can do to fix the malware and proceed with other tasks and tools, or any other way to get safe mode to work?

Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: DavidR on April 12, 2008, 10:25:19 PM
The malware may have deleted the SafeBoot registry keys.
Here are some options to restore them:

http://didierstevens.wordpress.com/2006/06/26/restoring-safeboot/ (http://didierstevens.wordpress.com/2006/06/26/restoring-safeboot/)
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/ (http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/)

Or see http://forum.avast.com/index.php?topic=26554.msg216924#msg216924 (http://forum.avast.com/index.php?topic=26554.msg216924#msg216924), for more links.

Or - Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe (http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe)
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 12, 2008, 10:45:41 PM
Guess I'm looking in the right places, David.  :)

I found Stevens' homepage when googling for solutions for the safe mode just after posting my last comment and was about to post again asking if that would be a reliable source.

As you gave your blessing, I'm gonna try those and pray for one to work.

Tks a lot and have a great weekend.
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: DavidR on April 12, 2008, 11:02:59 PM
You're welcome, good luck.
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 13, 2008, 12:47:01 AM
Hi, DavidR has you off on the right foot. The safe mode fix I usually use is the one by sUBs, no particular reason.

Please post back if you still have problems.
Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 14, 2008, 05:47:05 AM

After you have read the instructions for downloading this copy, please see the end of the post for instructions on how we will start ComboFix.

It is vitally important that ComboFix is renamed before it even starts to download.


Please download ComboFix from Here (http://subs.geekstogo.com/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**


     -Tools->Options->Main tab
     -Set to "Always ask me where to Save the files".


(http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif)

(http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif)

-----------------------------------------------------------
-----------------------------------------------------------
 
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


Quote
KillAll::

File::
c:\windows\system32\drivers\srosa.sys

Rootkit::
c:\windows\system32\drivers\srosa.sys

Driver::
srosa



This will start ComboFix again. Close all browser windows first. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HJT log.
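As an added example (not from this thread and not one of the tools it names), here is a read-only PowerShell triage script that checks for the three indicators discussed above: the SafeBoot registry keys DavidR says the malware may have deleted, the srosa.sys driver named in oldman's CFScript, and the numeric-named .exe files ZStorm saw under \WINDOWS\SYSTEM32\DRIVERS\DOWNLD\. The registry and file paths are the standard Windows locations; the status labels and function names are my own.

```powershell
# Added example: read-only triage for the indicators discussed in this thread.
# It only reports what it finds; it does not delete, rename or repair anything.

function Test-SafeBootKeys {
    # F8 safe mode needs both SafeBoot profiles present and populated.
    # Bagle-family malware is known (per DavidR's post) to delete them.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($profile in 'Minimal', 'Network') {
        $path = Join-Path $base $profile
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ Check = "SafeBoot\$profile"; Status = 'MISSING'
                               Detail = 'key absent: safe mode will not boot' }
        } else {
            $count = (Get-ChildItem $path -ErrorAction SilentlyContinue | Measure-Object).Count
            [pscustomobject]@{ Check = "SafeBoot\$profile"
                               Status = $(if ($count -eq 0) { 'EMPTY' } else { 'OK' })
                               Detail = "$count subkeys" }
        }
    }
}

function Test-SuspiciousDriver {
    # Driver name taken from the CFScript in oldman's post (srosa).
    param([string]$Name = 'srosa')
    $file = Join-Path $env:SystemRoot "system32\drivers\$Name.sys"
    $svc  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    [pscustomobject]@{ Check = "driver file $Name.sys"
                       Status = $(if (Test-Path $file) { 'PRESENT' } else { 'absent' })
                       Detail = $file }
    [pscustomobject]@{ Check = "service key $Name"
                       Status = $(if (Test-Path $svc) { 'PRESENT' } else { 'absent' })
                       Detail = $svc }
}

function Test-DownldFolder {
    # ZStorm saw files like 14979875.exe (all digits) dropped in this folder.
    $dir = Join-Path $env:SystemRoot 'system32\drivers\downld'
    if (-not (Test-Path $dir)) {
        [pscustomobject]@{ Check = 'drivers\downld'; Status = 'absent'; Detail = $dir }
        return
    }
    $hits = Get-ChildItem $dir -Filter *.exe -ErrorAction SilentlyContinue |
            Where-Object { $_.BaseName -match '^\d+$' }
    [pscustomobject]@{ Check = 'drivers\downld'
                       Status = $(if ($hits) { 'SUSPICIOUS' } else { 'clean' })
                       Detail = ($hits.Name -join ', ') }
}

# Run all three checks and print one table.
@(Test-SafeBootKeys; Test-SuspiciousDriver; Test-DownldFolder) | Format-Table -AutoSize
```

Any MISSING, PRESENT or SUSPICIOUS row is a reason to keep following the removal steps in this thread rather than trusting the machine; an all-clear here does not prove the system is clean.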



Title: Re: Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 14, 2008, 06:30:40 AM
Hi guys

After a long nite and day running scans and stuff, Im back to update you before preparing for another round of scans and tasks.

The malware may have deleted the SafeBoot registry keys.
Here are some options to restore them:
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/ (http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/)
Or - Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe (http://www.techsupportforum.com/sectools/sUBs/)

Stevens solution worked great here and finally I got safe mode recovered. Thanks a bunch, DavidR.  :)

Hi, DavidR has you off on the right foot. The safe mode fix I usually use is the one by sUBs, no particular reason.

Id like to make a note about the second link as I tried it - sUBs SafeBootKeyRepair-CF.exe... the link is not valid. I searched there for another link but all references to that file pointed to that same invalid link (guess they didnt redirected to new location).

----


Once having the safe mode back, I sticked with previous suggestions.



- You did NOT uninstall Norton completely and that can give problems
- Remove nav completely
- Remove Kaspersky completely

I did run the Norton Removal Tool (saw it in some other topic here and thought it was a good thing to do) 2 days ago. It downloaded ok, ran ok and said in the end it was removed. But I suppose something didn't work that well, as I could see in the logs I posted previously remnants of NIS on my system. Following your advice, I downloaded it again and ran it again, getting the same result.

I found the Kaspersky Removal Tool (http://support.kaspersky.com/faq/?qid=193239279) and its instructions ask to run it under SAFE MODE. Then what I'm gonna do is run Norton again, but in safe mode, as I will do with Kaspersky.



.: Well, I proceeded like I said above but it seems it didn't work, at least for Kaspersky. The KIS directory is still there. I guess Norton didn't work either.  :(

Any suggestions?




You could try downloading and running a full scan with cureit.

...run msconfig and select "safeboot" on the "boot.ini" tab.

... run HijackThis that would be good.


Cureit was downloaded and I will run it on safe mode. Next thing on my to-do list.



.: I proceeded like Tarq57 suggested. I did a fast scan first, then a complete one. However, I made a silly mistake when running the complete one... I didn't set the options right, and the log I got from it was 36M in size as it covered all scan actions and files.

Infected or suspicious files were all moved to quarantine. Attached go the fast scan log and the HijackThis log (20080413 1437).

NOTE: It's not the first scan I've done that flags files from fixing tools like ComboFix and DSS as either infected or suspicious. All files detected by all tools were moved to quarantine or the chest. Should I get them outta there? Are they really infected or are they safe?


......

.: I found another thread where it was suggested to download and run the Symantec Fix Tool for Beagle MO (FxBgleMO.exe), which I had previously downloaded, and so I decided to run it as I had already found some variations of Beagle on previous scans (wouldn't hurt to try). The tool ran ok and the result was negative. The log goes attached.


......

From another thread I got suggestions from Tech, as follows:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.



.: I started to follow them and so far I performed steps 1 to 3. Avast logs go attached plus another HijackThis log (20080414 0030).



.: I noticed some files which were not caught on previous scans (even manual ones for a specific folder or file) were flagged as infected on those recent scans I performed. I don't understand how the same file can be scanned many times without the infection being detected.

Example: The file I suspect to be the bad guy since the start (the key for KIS) was scanned several times and only at the last boot-time Avast scan did it get detected as a rootkit.

I wonder how many more scans I will have to do until I bust them all and feel safe enough to make a backup without fearing that I'm carrying into the backup infected files which went undetected after more than 1 week of effort and hard work.

......

Well, that's it for now. By morning I'm gonna check over here again and then will go on from step 4.

I don't know if I'm doing the right things here or not. If any of you have something to add or say about the procedures done so far and those to be done ahead, please feel free to post. All help and feedback is welcome and quite needed.

Thank you all again for your attention and efforts in trying to help, as well as for your patience.

Have all a great week.

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! H
Post by: ZStorm on April 14, 2008, 06:31:22 AM
last 2 logs...
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! H
Post by: ZStorm on April 14, 2008, 07:13:33 AM
Hi there oldman

Thanks for your post... You were posting while I was finishing mine with the updates on my situation, so I didn't see it till now.

About Combofix, I tried to run it before. Actually I saw that instruction in another thread and it was one of the very first things I ran here. It didn't work... the log from that attempt is here:

.................

ComboFix 08-04-08.7 - Storm 2008-04-09 11:58:50.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.447 [GMT -3:00]
Running from: C:\Documents and Settings\Storm\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.................

Another thing is that during the scans I ran afterwards, some of them detected files from ComboFix as infected and they were put in the chest. I'm not sure if that's the reason I don't see it in Control Panel to be uninstalled.

How should I uninstall it then? Deleting the folder, that is?


I'd like to thank you very much for your attention and support. It's very late here (past 2am), I'm exhausted and need to sleep, or else I'd be around for a bit more to wait for your reply.

However, I'd like to invite you to read my previous post with the updates; maybe it might help or change the procedures to follow next. I'd also like to ask you whether I should proceed with the steps from Tech after performing the task you just posted me, or whether I should stand by and wait for your reply after I post the logs from ComboFix.

Another important question... is it safe to use the pc for the internet the way it is now, infected?

Thanks again and talk soon

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 14, 2008, 08:00:42 AM
Hi, just delete combofix from the desktop. It doesn't have to be uninstalled. The combofix quarantined files are not encrypted, so other scanners will detect and remove them.

I've looked at what you have posted before. A lot of files have been removed. The problem with most removal tools is they show you what has been removed, but don't log what they scanned. Combofix logs removed files as well as recently created files and folders. It also shows some reg keys and drivers. The combofix log you posted is incomplete. Perhaps it was interrupted during the writing of the log.

The remaining steps in Tech's post are not required at this time. You have done most of them already. You are now in the manual search and destroy portion. Don't worry, we will still use tools. It's now a matter of going through logs and finding leftovers, if any.

As far as the internet goes, that is difficult to answer. I know you had beagle, but without a current combofix log, I have no way of knowing if there was anything else.

Infections of this type do not just arrive via email. The last two I encountered came from cracked programs. One of them AVG. Sort of a special bonus I suppose.
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: Spiritsongs on April 14, 2008, 06:28:28 PM
:)  Hi ZStorm :

You asked a couple of days ago about having multiple "Updates" of Sun Java; each "Update" is actually a new "version". Therefore, ALL "Update(s)/Version(s)" other than the latest SHOULD be uninstalled, to enhance the security of a computer (does not help IF keygens or Cracks are installed). To periodically check as to IF you have the latest "Version", visit www.javatester.org/version.html .
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! H
Post by: ZStorm on April 14, 2008, 11:27:52 PM
Hi Spiritsongs :)

Thanks a bunch for your info. I was almost sure that older Java stuff could be uninstalled but wanted to be sure. Sun could be nice and include a batch to remove previous versions/updates when installing the latest one, or at least give a notice after installing that you can do it manually. Oh well...  ::)

I'm gonna get rid of that extra weight here... thanks again. :)


.................


Hi oldman :)

Bad news from Brazil land... Combofix didn't work. Again.   :'( :'( :'(


Hi, just delete combofix from the desktop.

The combofix log you posted is incomplete. Perhaps it was interrupted during the writing of the log.



I deleted it how you said... clicked on desktop icon and delete. I installed the new one exactly like you told me to.

About the 1st log, it was incomplete because the program happened to be interrupted.

" ... The Combo-Fix didn't work as well (report attached) as it crashed the system after prompting it was changing my pc clock... " 
  (that's part of my first post in this thread)


Well, the story repeated itself once again. The same thing happened here today when I tried to run Combofix. It loads the program, opens a window saying 'attempt to creat a System Restore Point', ok for that part, then says it's scanning and a few seconds later prompts a message '... has changed your pc clock...' and BOOM! comes the Windows blue screen and the system restarts.

From your instructions I got confused whether I should run Combofix first and afterwards move the script file and make it run again, OR whether I should move the script and run it just once like that. I picked the first option, but in the end would it make any difference, as it restarts the system and then I couldn't run one and then the other in sequence?

Anyway, at both attempts to run Combofix the result was the same. The logs go attached (one for the 1st run and one for the 2nd with the script moved) as well as an HJT one from after I performed the second run and restored the AV/Firewall setups.


NOTE: Combofix doesn't run at all in safe mode. I tried twice and all it does is show the bar loading it and nothing more happens, no window opens or anything. I checked the Task Manager and the process was there but dead. Then I had no option besides running it in normal mode.


So, what can we do now?  ??? ??? ???


PS: The idea of cutting my wrists with a spoon is becoming more vivid in my mind as the days pass by...  :-X

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 15, 2008, 01:17:32 AM
Forgot to mention... I found out about and downloaded at first Combofix and DSS after reading this thread (instructions by essexboy):

http://forum.avast.com/index.php?topic=33127.msg277088;topicseen#msg277088

You think it would be the case to run DSS again? If so, should I uninstall it and install again?
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 15, 2008, 01:31:00 AM
The way I wanted combofix run was with the script. But that's okay, we'll leave it for now. Yes, a new DSS log would be the way to go. The copy you have will be fine to use. There will only be a main text this time. Please post that, we may be able to see what is going on.  ;)
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! H
Post by: ZStorm on April 15, 2008, 05:09:58 AM
The way I wanted combofix run was with the script.

As I got mistaken and you said you wanted the script option only... in addition to the fact that I'm persistent and it wouldn't hurt to try it again... ::)... I repeated the process for Combofix (deleted, downloaded, created script), got into safe mode, dragged the script and... IT WORKED!!! ;D ;D ;D ;D ;D

Attached go the logs for Combofix and HJT.

You people should see the smile on my face  ;)

Looking forward to your feedback oldman, and never enough to say it again... THANK YOU!  :)

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 15, 2008, 08:18:36 AM
Good for you! Are you seeing some improvement?

There's some Kaspersky left that should be uninstalled; we can clean up any leftover folders after you uninstall it.

We have a little repair work to do.

Download RenV from the link below

1. Save it to your Desktop.

http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

Code:
----a-w         4,752,968 2005-12-20 10:33:06  C:\Downloads\MsgPlus-362146 - 20051231 .exe


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the code box above into the new notepad


Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "log.txt" . Using your mouse left button, drag the new file log.txt and drop it on the RENV.exe icon as shown at the bottom of this post. You may have to click the image below to animate it.


When finished, it shall produce a new log for you. Post that log in your next reply.

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! H
Post by: ZStorm on April 15, 2008, 09:11:02 PM
Oh yeah! Lots of improvement!  ;D

Just after Combofix ran I got notices for many Windows updates, mostly security ones and a special one pointed to IE7. I'm not sure if you remember, but since the malware started the damage here, IE7 was being called to run and if let run would cause the system to collapse (btw, those files from the C:\WINDOWS\SYSTEM32\DOWNLD\ folder which were scanned as malware were created and loaded at those times IE went crazy after the infection). Security Center was also compromised and giving an error message since the infection, saying it was unavailable. After the updates' download and installation, the system rebooted and so I was able to check them and see them working as good as new. I dunno in the end if ComboFix or the Windows updates were responsible for getting them fixed. The system in general appears to be running as well as before the infection.




There's some Kaspersky left that should be uninstalled; we can clean up any leftover folders after you uninstall it.



Kaspersky hasn't been successfully uninstalled so far. I tried the Kaspersky Removal Tool (http://support.kaspersky.com/faq/?qid=193239279) many times, as you can see in my previous posts, and ran it as it was supposed to be run; the program runs but it doesn't give any message or log for the result. What I get is to see the folder KAS still on my HD. I even tried it again today before performing the next task you gave me, but still no good. :(

I also tried the Norton Removal Tool again; it ran like the other times but I have no idea if it really worked or if there are still leftovers of Norton here.



We have a little repair work to do.

Download RenV from the link below

1. Save it to your Desktop.

http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

Code:
----a-w         4,752,968 2005-12-20 10:33:06  C:\Downloads\MsgPlus-362146 - 20051231 .exe

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the code box above into the new notepad

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "log.txt" . Using your mouse left button, drag the new file log.txt and drop it on the RENV.exe icon



Performed as instructed but I got a message in the running window... "could not find C:\Downloads\MsgPlus-362146 - 20051231 .exe"... it took a bit to finish running and gave me the log.

I found it weird and checked the HD for that path and file... they were there, then what was wrong? I took a closer look and saw you typed a SPACE after the file's name and before the extension. I fixed the script and ran it again. Both logs go attached (both, just in case).


So, whats next master? :)

Can you tell if it's safe for me to use the internet? Do you think the malware I got here compromised my sensitive data, as I use internet banking on a regular basis?

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 16, 2008, 02:32:11 AM
I didn't type the fix, I copied and pasted it from the combofix log. It was a vundo infected file that RenV was supposed to fix. RenV now shows no infected file. However it is strange that it "fixed" itself. I'd like you to submit that file to virustotal just to be sure vundo isn't trying to pull a fast one on us.

When we removed the rootkit, combofix may have repaired some reg key or setting that beagle was blocking or had changed. The security updates probably helped also.

The files in the downld folder were part of the beagle infection. Some probably were calling for reinforcements.

You should be fine for the internet, just be cautious as there may be a little left. Since I don't know what you were infected with before I was involved in this thread, I would advise you not to do any on line banking from this computer until we are finished (soon). Also you should change all your passwords from a known clean computer.

Let's leave the other avs for the moment as they don't appear to be causing any problem right now and concentrate on getting your system as clean as possible.

Please test that file, then run this little scanner.

Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double click mbam-setup.exe to install the application.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! H
Post by: ZStorm on April 16, 2008, 05:24:27 AM


I didn't type the fix, I copied and pasted it from the combofix log. It was a vundo infected file that RenV was supposed to fix. RenV now shows no infected file. However it is strange that it "fixed" itself. I'd like you to submit that file to virustotal just to be sure vundo isn't trying to pull a fast one on us.



Is it this file you are talking about to be submitted - C:\Downloads\MsgPlus-362146 - 20051231.exe ??

If so, the site for Virustotal I found was http://www.virustotal.com/ - hope it's the right one - and the result goes as follows:

http://www.virustotal.com/reanalisis.html?3e4e4f498ca4bf75647e2f3569cac7fc

-----

File MsgPlus-362146_-_20051231.exe received on 06.12.2006 20:15:53 (CET)
Current status: finished
Result: 1/25 (4.00%)
Antivirus    Version    Last Update    Result
AntiVir    -    -    -
Authentium    -    -    -
Avast    -    -    -
AVG    -    -    -
BitDefender    -    -    -
CAT-QuickHeal    -    -    -
ClamAV    -    -    Suspect.Zip
DrWeb    -    -    -
eTrust-InoculateIT    -    -    -
eTrust-Vet    -    -    -
Ewido    -    -    -
F-Prot    -    -    -
Fortinet    -    -    -
Ikarus    -    -    -
Kaspersky    -    -    -
McAfee    -    -    -
Microsoft    -    -    -
NOD32v2    -    -    -
Norman    -    -    -
Panda    -    -    -
Sophos    -    -    -
Symantec    -    -    -
TheHacker    -    -    -
UNA    -    -    -
VBA32    -    -    -
Additional information
MD5: e9363e91044abffc8740fc6a0fe388d3
SHA1: 8991f72601620d38288c164bd4b6c41ba5347544
SHA256: f17d4388e66d0a0b3a01621d5cd38eeffdd4a05b0bbf6395a36059913faf4471
SHA512: a91654ffe4a6ceade05d94c9fffa9b0e837085e477e8ee3808b756d9207ef7d27d43d536345d090570dea09526180de04b57579bba67f0800749978f049b6476

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

-----


I agree it's quite strange the file "fixed" itself... however, is it Vundo or not? Either way, what are the implications of it?

This new info got me a bit uptight  :o ... another malware?


..........


Concerning the Malwarebytes' Anti-Malware scan, I'm gonna do it first thing in the morning and as soon as it's finished, I'm gonna report back to you.

Right now it's not as late in the night as it has been for the last week for me to check out the puter and perform tasks, but for sure it's not an early time. I'm quite dead (you can add exhausted and drained after 8-9 days fighting these bugs day and night). In addition, I like and want to follow up every scan at a close look. At the moment, Chip & Dale (my only couple of brain cells left alive) are snoring, so it would be wise to wait for the morning.


Thanks a lot and I will report back soon, first thing when I get back from Morpheus' embrace.

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 16, 2008, 05:36:44 AM
The file looks to be okay. The type of vundo you had, when it infects a file, adds a space. It will add one space each time it gets infected. I don't think you have anything to worry about regarding that file. I just wanted to be sure. Sorry, I thought you had the link for virustotal.

Get some rest, do the scan. Talk to you later.
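As an added example (not code from the thread, nor from RenV, ComboFix or any tool named here), this Python check looks for the naming tell-tale oldman describes: spaces wedged between a file's stem and its extension, run over a constructed ComboFix-style listing that includes the line quoted earlier. It takes oldman's "one space per infection pass" rule as stated and only reports the padding; it does not prove a file is infected.

```python
"""Flag file names that carry one or more spaces directly before the
extension, as in "MsgPlus-362146 - 20051231 .exe" from the thread.
The listing lines used below are constructed for this example."""
import ntpath
import re
from typing import List, Optional, Tuple

# One or more spaces directly before the final ".ext". The stem itself may
# legitimately contain spaces ("MsgPlus-362146 - 20051231" does), so only
# padding that touches the final dot counts.
_SPACED_EXT = re.compile(r"^(?P<stem>.*?)(?P<spaces> +)\.(?P<ext>[^.\s]+)$")

# ComboFix listing line: attributes, size with thousands separators,
# date, time, then the path (which may itself contain spaces).
_LISTING = re.compile(
    r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)


def spaces_before_ext(name: str) -> int:
    """Number of spaces between the stem and the extension, 0 if none.
    Per oldman's description this would equal the number of infection passes."""
    m = _SPACED_EXT.match(name)
    return len(m.group("spaces")) if m else 0


def parse_listing_line(line: str) -> Optional[Tuple[str, int, str]]:
    """Split a ComboFix listing line into (attributes, size, path)."""
    m = _LISTING.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("attrs"), int(m.group("size").replace(",", "")), m.group("path")


def suspicious_names(paths: List[str]) -> List[Tuple[str, int]]:
    """Return (path, space_count) for every Windows path whose base name is
    space-padded before its extension. ntpath handles backslashes anywhere."""
    hits = []
    for p in paths:
        n = spaces_before_ext(ntpath.basename(p))
        if n:
            hits.append((p, n))
    return hits


def scan_listing(listing: str) -> List[Tuple[str, int]]:
    """Run the name check over every parseable line of a ComboFix-style listing."""
    paths = []
    for line in listing.splitlines():
        parsed = parse_listing_line(line)
        if parsed:
            paths.append(parsed[2])
    return suspicious_names(paths)


# Constructed sample listing. The first line is the one quoted in the thread;
# the rest are made up: a clean driver, a twice-padded name, and a name whose
# space sits before an inner ".txt" rather than the final extension (not flagged).
SAMPLE_LISTING = """\
----a-w         4,752,968 2005-12-20 10:33:06  C:\\Downloads\\MsgPlus-362146 - 20051231 .exe
----a-w            12,288 2008-04-10 09:12:00  C:\\WINDOWS\\system32\\drivers\\example.sys
----a-w           204,800 2007-11-02 18:40:11  C:\\Downloads\\setup  .exe
----a-w             4,096 2006-05-14 08:00:00  C:\\Documents and Settings\\Storm\\notes .txt.bak
"""

if __name__ == "__main__":
    for path, n in scan_listing(SAMPLE_LISTING):
        print(f"{n} space(s) before extension: {path}")
```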
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! H
Post by: ZStorm on April 16, 2008, 06:13:05 PM
Hiya oldman

MBAM scan was done and took 13 minutes. I was imagining it would take 13 hours  :D

Nothing but 1 adware was found. Log attached.

The scan covered something like 6% of my objects here. I was wondering if a thorough scan would be appropriate. What do you think about it?


Waiting for your feedback  :)

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 17, 2008, 01:45:29 AM
You can do a thorough scan if you wish, but first we'll clean up the tools you used. We can get them again if needed. I just don't want to have unnecessary detections. I don't know how long the scan will take though.

But the first thing I'd like you to do is run combofix again. It should run from normal windows. Please heed the instructions regarding security programs. Please post that log.

Tools clean up.

* Click start button, run, then copy and paste the following line into the box and click ok.

Combo-Fix /u

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe)  by OldTimer.  Save it to your desktop and double-click OTMoveIt.exe to run it, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

* Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create

* Remove old restore points

- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.


Post back and we'll look at removing the rest of KAV.
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! H
Post by: ZStorm on April 17, 2008, 04:47:13 AM
You can do a thorough scan if you wish, but first we'll clean up the tools you used.

But the first thing I'd like you to do is run combofix again. It should run from normal windows. Please heed the instructions regarding security programs. Please post that log.

Tools clean up.

* Click start button, run, then copy and paste the following line into the box and click ok.
Combo-Fix /u


.:  Agreed about the thorough scan. If you say it can wait for other procedures, then so be it. It was just a thought of mine to run it in the meantime between one instruction and the next.

...............


However, I have to ask you for those:


Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe)  by OldTimer. 

* Create a new restore point

You must be logged on to an administrator account.



- The link you provided comes up as invalid ... Error 404 - Not Found... http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

- Admin "only exists" and shows up when I get into safe mode OR when I boot the system to run under DOS after a CD boot or something. My login options in normal mode are myself and an extra one. There's no such option to login as Admin besides under the safe mode login or CD system boot.

...............


By morning Im gonna run ComboFix again according to your instructions and will post the log.

I ain't sure about the Admin login to run OTMoveIt, and the download link is not ok either.

Standing by for next instructions.

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 17, 2008, 05:02:47 AM
Quote
an administrator account

An account with administrator rights will work. From your DSS log, if this is you, then your account will do the trick.

Storm (admin)


Sorry about the link, it's an old one I didn't get rid of. Here's the correct one. Same program, author renamed it.

* Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)

Double click OTCleanIt, click the Clean Up button.

You may get prompted by your firewall that OTCleanit/OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

If you want to run the scan and have a nap go ahead.
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! H
Post by: ZStorm on April 17, 2008, 07:52:26 PM

But the first thing I'd like you to do is run combofix again. It should run from normal windows. Please heed the instructions regarding security programs. Please post that log.



Dunno why but ComboFix doesn't run in normal mode. I took care of disabling Avast! On-Access Protection and Windows Firewall. Those are the only 2 security tools I have for the moment. However, the same old thing happens... when ComboFix gets to the point when it changes the pc's clock, it crashes the system, blue Windows screen and reboots.

I ran it in safe mode, which was the only option. As you didn't say anything about deleting and downloading ComboFix again, I used the same one I had from last time (the one with the script added). The log goes attached.

............



Tools clean up.

* Click start button, run, then copy and paste the following line into the box and click ok.

Combo-Fix /u



Done.



* Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)



Done.


............


Im gonna proceed with the rest of instructions and will post you back.

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! H
Post by: ZStorm on April 17, 2008, 09:37:28 PM

Tools clean up.

* double click OTMoveIt.exe to run it, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

* Create a new restore point


* Remove old restore points



.:  OTMoveIt ran here but at no moment did it ask to unblock the firewall, nor did the cleanup.txt file show up. It only prompted on a popup whether I wished to reboot so as to finish removing files. So I did, but nothing much was apparently removed - at least from my desktop area, besides the OTMoveIt icon itself nothing else was uninstalled. Combofix, for example, is still there. Is that the way it was supposed to be?



.:  System Restore Point done.


.:  Older Restore Points removed.


.........


Waiting for your next instructions, master :)

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 18, 2008, 04:21:43 AM
Combofix log is ok. Not sure why it wouldn't run in normal windows. Unless it was avast 4.8's self protection. Safe mode scan with combofix is fine though.

Otcleanit should have removed everything, except perhaps a renamed copy of combofix, provided they had been downloaded to your desktop.

Delete combofix.exe from your desktop. Then open c:\ and delete C:\Qoobox and its contents, and c:\combofix.txt if present. You also had Deckards; it can be deleted also, along with C:\Deckards. These programs are not installed, so there is no harm in deletion.

You also had a tool from symantec that can probably be removed.

KAV and symantec don't appear in your HJT log other than a couple of entries that can be fixed with HJT. If you still have HJT, run a system scan and fix these lines. If you need HJT again, click here (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis)

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab


There is one other file, but it's in the Office folder and should pose no problem.

These are the symantec folders that can be deleted

C:\Program Files\Common Files\Symantec Shared


Kav folders/files

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
C:\WINDOWS\system32\drivers\fidbox.dat
C:\WINDOWS\system32\drivers\fidbox2.dat
C:\WINDOWS\system32\drivers\fidbox2.idx
C:\WINDOWS\system32\drivers\fidbox.idx
C:\Program Files\Kaspersky Lab


You can use OTMoveIt2 by OldTimer for the folder/file removal (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe)


* Your java is up to date, but you may have some older versions still installed.

I believe you have done this part, so skip to the folders part.

go to add/remove programs and uninstall anything that says Sun Java, Java JRE, or similar, except Java TM 6 Update 5, this is the current version.

Next, in windows explorer,  navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain, except, jre1.6.0_05

* Clear the java cache

http://www.java.com/en/download/help/5000020300.xml

* If you are using windows firewall, please note that it doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

or

http://forum.avast.com/index.php?topic=33530.0


* Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/)

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 19, 2008, 12:53:40 AM

Bad news... something happened during the procedures and I lost my internet connection   (it connects but doesnt let mostly any data to traffic, besides few bytes, so it gets like if there wasnt any connection on; not even 1 application which would require internet connection detects it even if the modem show as connected).

NOTE: That's not a hardware problem. I got a 3G connection and it doesn't work on the pc but does ok on a laptop I borrowed. The dialup modem also connects but the problem is the same as with the 3G one. Already contacted 3G support and we did what we could but nothing was found to be the cause of it regarding their company and service.

Mostly it happened after I ran OTMoveIt2 to remove the files you pointed out. It asked for a reboot but I don't recall now if I did it immediately; I guess I didn't. From the link you provided for instructions about how to clear the Java cache, there was a link for cleaning the IE cache, and so I followed it, cleaning absolutely everything there in Temp files (including the option for deleting browser history + files and settings stored by add-ons).

I believe it was after that I rebooted for OTMoveIt. NOTE: I had it downloaded to a subfolder and NOT the desktop, as you didn't leave any specific instruction about it. When back, I checked for the files which were supposed to have been removed and they were gone, as was the OTMoveIt itself from that subfolder.

I decided to get rid of some stuff I didn't use, as the next step was to get a firewall and check Secunia. Things I uninstalled from Control Panel: Crawler Toolbar, Yahoo Toolbar, Yahoo Internet Mail, Yahoo Photo Easy Upload, Yahoo Photo Print at Home.

I tried to uninstall Acelerador Terra from there too but it gave me an error saying it wasn't a win32 application. For that, I thought of using OTMoveIt again as it worked great before. I downloaded it again, this time to the Desktop. I clicked by accident on the button for Cleanup! and it brought me some files again. I can't recall if I clicked to go on with cleaning or if I canceled the operation. I also ain't sure, but I think for some real stupid reason I might have next downloaded it again to the Desktop (overwriting the previous one), then added the folders I wanted to delete next: c:\Acelerador Terra and c:\X-Cript (as both couldn't be removed from Control Panel and were useless). Clicked on MoveIt! and then on CleanIt!. This time though it didn't ask me to restart the system. It gave me the error message "Unable to contact the internet. Cleanup list download failed."

I thought then to restore the files moved, and so I did, and it apparently worked. Again (without rebooting yet), I ran the tool and repeated the procedure. Same error again (I didn't notice if by then the internet traffic had stopped or not). Then I rebooted the system to try again for OTMoveIt.

When the system was loading, Avast! gave me 4 error messages for Mail Protection ("Unable to protect outgoing/incoming/news ... Error 10106"). In addition, an error message for Acelerador Terra: "Unable to load the language resource library". I tried to connect to the internet after that and it wouldn't connect at all, as I explained at the top. I tried again for OTMoveIt and got the same errors. I restored the files again (which I had already restored before) and still the same. I thought it could be my 3G connection, removed the device, rebooted, and it all happened again with the Avast! errors and all.

I tried then to install Acelerador Terra again so as to uninstall it. No good. Got an error saying a file, UNWISE.EXE, was missing. More boots and nothing. I tried dialup and nothing. I tried 3G support and nothing. I tried to recover the Restore Point we did on the previous task, and still no good (error saying it couldn't be restored and no changes were done). During those boots I tried to connect by disabling Avast! On-Access Protection and/or Windows Firewall, but no good either.


It has been 5 hours since the bug started.... I'm quite desperate... What happened and how do I fix it? Did I do something stupid?


PS: Acelerador Terra is a program provided by my ex dialup ISP Terra which was used to accelerate browsing. As I finally got a 3G service a few days ago and it was working fine, I cancelled my ISP services. NOTE: Acelerador Terra was always loaded at startup, BUT since I got connected on 3G, it wasn't working anymore.

PS2: Since the beginning of the infection, when connecting to the internet (then on dialup) I had this popup from Acelerador saying "Another application is using the email port SMTP (25). The functionalities of SMTP email on Acelerador Terra will be disabled in this session. To reactivate them, close the application which is using port 25 and then restart Acelerador Terra." Then I clicked OK and it worked ok. DETAIL: I never used any programs or even made setups for emailing from the pc. I only used and use webmail. Then how can an application be running and using the SMTP port?

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 19, 2008, 01:00:28 AM
Forgot to mention... there's still a C:\Combo-fix folder on my system. You didn't say before to delete it and so I didn't. I've noticed just above it there's a new folder I never saw before, C:\327882R2FWJFW, whose content has similar files to the Combo-Fix one. In addition, I noticed another new folder, C:\InetPub, stuffed with VB scripts mostly pointing to IE. I have no idea if that's normal or not.

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 19, 2008, 02:58:09 AM
I'm trying to piece together what you did. Tools are downloaded to the desktop unless specific instructions say otherwise.

C:\combo-fix can be removed. OTMoveIt2 will create a folder with the removed files/folders in it. Since you placed it in a subfolder, OTMoveIt may have used that path to store the files you removed. The files you tried to remove, where did you find them afterwards? In the OTMoveIt subfolder or the original location?

Nothing we removed should have interfered with your connection. Did you install a third party firewall or did you get that far?

There has been an issue raised with webshield. Try terminating it; can you browse with webshield off?

System restore will most likely fail, unless you turn off avast's self protection.

C:\InetPub

http://www.karlsforums.com/forums/viewthread.php?tid=25754

The avast mail scanner monitors traffic on ports 25 and 110.

Tell me more about the contents of C:\327882R2FWJFW. You said it was similar to combo-fix. In what way?

Don't do too much right now other than answer as best as you can and try turning webshield off.
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: alanrf on April 19, 2008, 03:09:04 AM
As soon as I saw Acelerador Terra I thought "Oh no!".
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 19, 2008, 03:17:07 AM
As soon as I saw Acelerador Terra I thought "Oh no!".

Hi alanrf. I haven't had a chance to look this up. Mind filling me in please?
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 19, 2008, 03:23:58 AM
Guys

I'm online as the 2 of you are. I'm posting a reply for oldman considering his post.

alanrf... you are giving me the creeps now!

oldman... I'm replying to you next.
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: alanrf on April 19, 2008, 03:51:15 AM
Sorry I did not want to spook anyone. 

Oldman - please see my post in the evangelists forum.

Oldman said that some concerns had been raised with the Webshield. It seems you have an "accelerator" function installed (or halfway installed/uninstalled). We have seen in the past that accelerator software can conflict with the working of the Webshield (and also with the Internet Mail provider too). Even though the avast team have made no changes to the Webshield in the new avast 4.8 release, we are seeing a few more issues in the forum with the Webshield in this release, and the forum helpers as well as the avast team are looking into them.

So sorry for alarming you. Oldman's advice to try turning off the Webshield to see if that restores Web access is the best troubleshooting next step.
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 19, 2008, 04:22:43 AM

OTMoveIt2 will create a folder with the removed files/folders in it. Since you placed it in a subfolder, OTMoveIt may have used that path to store the files you removed. The files you tried to remove, where did you find them afterwards? In the OTMoveIt subfolder or the original location?

Nothing we removed should have interfered with your connection. Did you install a third party firewall or did you get that far?

There has been an issue raised with webshield. Try terminating it; can you browse with webshield off?

System restore will most likely fail, unless you turn off avast's self protection.

Tell me more about the contents of C:\327882R2FWJFW. You said it was similar to combo-fix. In what way?

Don't do too much right now other than answer as best as you can and try turning webshield off.


.:   OTMoveIt was in a subfolder but it DID go away after the 1st reboot ran - it wasn't from the root but it killed itself (already tried to search for the files and no result, so it might be clear for that install). As I had it installed back again to remove other files/folders... then it was installed on the Desktop... where it's still placed... Folder C:\OTMOVEIT. That's the location I've got the restore files from - I didn't have to look for them - it was the default location for the Restore option, only containing, besides the *.res files, the subfolders for the RP (actually I have here 3 folders but only 2 *.res files - I guess the first folder goes for the first crash and it didn't keep the restoring info - in case that really happened for me to install OTMoveIt one after another without booting, as I described before, and causing that).


.:   About third parties... NO... was trying to get rid of extra load before installing anything, so no, nothing was installed as a firewall or anything, besides an update for the Shockwave plugin which was automatic when browsing.


.:   Webshield comes from Crawler when you install SpywareTerminator, right? If that's so, I already had it uninstalled in the Control Panel uninstall I've mentioned in my post. It was not activated besides for a couple of quick connection sessions, so I don't think it would be a problem. Also I searched for any evidence of webshield.* on the pc, and nothing shows up, not even in the processes running in Task Manager (I ran a dialup connection to test if it would show up if connected, but no positive).


.:   Succeed on System Restore by disabling Avast! protection? I guess I did call for stopping the On-Access Protection and still the result was the same. Avast! doesn't show in safe mode besides the icon, no resident protection. In normal mode, it gave me the no-go result. Right now I disabled the On-Access Protection and tried to restore the system. NO GOOD again. Ugh! I can't 'kill' the Avast! processes running in Task Manager... so all I can think of is to UNINSTALL AVAST so that it works... if that will be the only option, let's do it. You guys tell me what to do and I will follow.


.:   About the contents of

>> C:\327882R2FWJFW... has 4.37M and 92 files, created 20080417 1352. Files in it... C.BAT, COMBOBATCH.BAT, COMBO-FIX.SYS, FIND3M.BAT, QOO.BAT,

>> C:\COMBO-FIX... has 4.99M and 144 files, created 20080417 1335. Files in it... C.BAT, COMBOBATCH.BAT, COMBO-FIX.SYS, FIND3M.BAT, QOO.BAT are there as well.

I think the first folder was a temp, considering time and size, but somehow it wasn't deleted when Combo did the job. That's only a wild guess as I have nfi of how ComboFix works. I just compared those 2 folders at first sight.



......


I ain't doing anything before you guys tell me what to do next.


As soon as I saw Acelerador Terra I thought "Oh no!".

Hi alanrf. I haven't had a chance to look this up. Mind filling me in please?


Seems Acelerador Terra has a lot to do with the matter and all I can hope is for you to have faced this kind of problem before and sort of know how to proceed. Actually, I've got a feeling that program wasn't good news. If not faced before, let's work on what is supposed to be worked on. I still have a temporary link with Terra (ISP) and I think I can manage to get tech support if needed.


Looking forward to hearing from you


Peace out.
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 19, 2008, 04:29:59 AM

Sorry I did not want to spook anyone. 

Oldman - please see my post in the evangelists forum.

Oldman said that some concerns had been raised with the Webshield.
Oldman's advice to try turning off the Webshield to see if that restores Web access is the best troubleshooting next step.



Sorry alanrf but I saw your post after I posted my previous one.

And sorry again, but it seems I've got confused about the processes as well... guess you were talking about Avast! Webshield and not Crawler's one.

OK! I just tried again to connect and before that disabled the Webshield at Avast! On-Access Protection. Unfortunately, no good again. Same as before.


Looking forward to hearing from you.

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 19, 2008, 05:16:56 AM
You have found the right webshield (avast's).

C:\327882R2FWJFW can go.

Did you terminate webshield or just pause it?

We can try this to see if we can repair your connection.

LSPfix

http://www.bleepingcomputer.com/files/lspfix.php

Download it to its own folder, for example C:\LSPfix

Disconnect from the internet (unplug the cable)

Navigate to where you saved the file and double-click on it to start the application.

Click finish.

If possible, before you click Finish, please copy the information in the left-hand box (Keep) and post it here.


To turn off avast self protection

Right click the "a" icon, select Program Settings, Troubleshooting. Check Disable self protection.
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 19, 2008, 06:57:24 AM

Did you terminate webshield or just pause it?

We can try this to see if we can repair your connection.

LSPfix
Download it to its own folder, for example C:\LSPfix
Disconnect from the internet (unplug the cable)
Navigate to where you saved the file and double-click on it to start the application
Click finish.

If possible, before you click Finish, please copy the information in the left-hand box (Keep) and post it here.


To turn off avast self protection

Right click the "a" icon, select Program Settings, Troubleshooting. Check Disable self protection.



.:  Definitely, Avast! Webshield was terminated.

.:  Downloaded it and used my MP3 player to copy the file from the laptop to the pc. No worries about being connected... the pc is not connecting at all <hehe>. Application ran ok, screenshot goes attached. Clicked on Finish. Resulting screen goes attached as well.

.:  Avast! Self-Protection disabled as instructed.

.:  Tested with the dialup connection, and WOOHOO! Apparently worked.


............


I'm moving my 3G back to the pc, will test it and post back.


About that folder, I think it can wait for this connection matter to be solved for good first.


QUESTIONS: What caused the internet block? If I boot the pc, what will happen? I mean, will I always from now on need to check that Avast! Self-Protection is disabled, as well as its Webshield? Do disabled Avast! items pose any security threat during internet connection/navigation?


Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 19, 2008, 07:06:31 AM
On pc now, connected under 3G and so far so good.


I'm afraid to switch off the pc now so as to rest a bit, wake up in a few hours, turn it on and... a countdown sequence pops up on my screen... and BOOM ME! :P


Standing by for your reply and, once again, THANK YOU.

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 19, 2008, 07:59:00 AM

Oldman said that some concerns had been raised with the Webshield. It seems you have an "accelerator" function installed (or halfway installed/uninstalled). We have seen in the past that accelerator software can conflict with the working of the Webshield (and also with the Internet Mail provider too).

So sorry for alarming you. Oldman's advice to try turning off the Webshield to see if that restores Web access is the best troubleshooting next step.



Hi alanrf

Sorry for not replying properly earlier.. as you already know I was busy eating my toes.

I'd like to say that until 12 hours ago, I never had any kind of problem whatsoever concerning Avast! and the ISP 'accelerator'. Even when my infection started almost 2 (yes TWO) weeks ago, one of the first things to pop up was a message about the SMTP port coming from Acelerador Terra. Avast! by then was version 4.7 and wasn't even running, blocked by malware. So, I ain't that sure the issue would be Avast! Webshield x Terra tool, especially because disabling only Webshield wasn't enough to put the internet back on.

I'm very grateful for oldman's instructions for installing LSPfix and the Avast! setup... at least I could have my connection back. Still the matter remains... if I didn't have that 'accelerator' would I have faced that bug? Is the Terra 'accelerator' a software that should be reviewed by Terra, or maybe should Terra be warned about the conflict, if it does exist? What really happened - was it Avast! which conflicted with the 'accelerator' or vice-versa?

No worries about the alarm. It was quite a good one, actually. Many ppl in Latin America (Terra is present in 19 countries total) sign up for Terra services and if their tool doesn't work ok with Avast!, clients and users should be aware of it at the very least. If my thread would be of service for those who might look for reference concerning that conflict so as to get a solution or light at the end of the tunnel, it's all worth it.


Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 19, 2008, 08:38:19 AM
There was a bit of misunderstanding. You didn't need to disable avast self protection. I only posted the instructions if you needed to do a system restore.

If you did everything in order, I would say a corrupt accelerator install was the cause of the connection failure. Or possibly a conflict between it and webshield. LSPfix removed one file reference belonging to Acelerador Terra. This file may have gone missing when you removed the program, causing a break in the chain.

The original problem may have been a conflict, as both programs may have been monitoring port 80 traffic. When you partly removed the accelerator program, the dll was removed. This would have caused a break, as the file wouldn't have been found. Both situations, though different, would have seemed the same.
 
If it was a conflict, this may be one of the things Alwil is trying to address at this time.

Webshield does not become part of the chain. You should be able to re-enable webshield and the self protection. Though I think you should forgo accelerator for now.
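To make the "break in the chain" concrete, here is an added PowerShell check (not code from this thread, from LSPfix or from Alwil) that lists the Winsock provider catalog and flags entries whose DLL is no longer on disk, which is the state a partly removed accelerator leaves behind. It assumes the Protocol_Catalog9 registry layout, where each PackedCatalogItem value starts with the provider DLL path as a NUL-terminated ANSI string in a 260-byte field; the key path and the column names are this example's own.

```powershell
# Added example, not from the thread or from LSPfix: enumerate Winsock (LSP)
# catalog entries and flag any whose provider DLL is missing from disk.
# Assumption: PackedCatalogItem begins with the DLL path as a NUL-terminated
# ANSI string in a MAX_PATH (260 byte) field, followed by WSAPROTOCOL_INFOW.
# Run from an elevated PowerShell prompt (PowerShell 2.0 syntax on purpose).

$CatalogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'

function Get-WinsockProvider {
    param([string]$Key = $CatalogKey)

    foreach ($entry in Get-ChildItem -Path $Key) {
        $packed = (Get-ItemProperty -Path $entry.PSPath).PackedCatalogItem
        if (-not $packed) { continue }

        # Take at most the first 260 bytes and cut at the first NUL.
        $len  = [Math]::Min(260, $packed.Length)
        $path = [System.Text.Encoding]::Default.GetString($packed, 0, $len).Split([char]0)[0]

        # Entries usually read %SystemRoot%\system32\mswsock.dll; expand that,
        # and resolve a bare file name against system32 as the loader would.
        $full = [Environment]::ExpandEnvironmentVariables($path)
        if (-not [System.IO.Path]::IsPathRooted($full)) {
            $full = Join-Path $env:SystemRoot ('system32\' + $full)
        }

        $exists = Test-Path -LiteralPath $full -PathType Leaf
        if ($exists) {
            # A third-party LSP with an invalid or absent signature deserves a look.
            $sig = (Get-AuthenticodeSignature -FilePath $full).Status
        } else {
            $sig = 'missing'
        }

        New-Object PSObject -Property @{
            Entry     = $entry.PSChildName
            Dll       = $full
            Exists    = $exists
            Signature = $sig
        }
    }
}

$providers = @(Get-WinsockProvider)
$providers | Format-Table Entry, Exists, Signature, Dll -AutoSize

$broken = @($providers | Where-Object { -not $_.Exists })
if ($broken.Count -gt 0) {
    $msg = '{0} catalog entries point at a DLL that is not on disk; Winsock cannot load the chain. ' +
           'Repair with LSPfix, or "netsh winsock reset" on XP SP2 and later.'
    Write-Warning ($msg -f $broken.Count)
} else {
    '{0} Winsock provider DLLs checked, all present.' -f $providers.Count
}
```

On 64-bit Windows a second chain lives in the sibling Catalog_Entries64 key; pass that path as -Key to check it too.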
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 19, 2008, 07:26:14 PM
There was a bit of misunderstanding. You didn't need to disable avast self protection. I only posted the instructions if you needed to do a system restore.

Webshield does not become part of the chain. You should be able to re-enable webshield and the self protection. Though I think you should forgo accelerator for now.


.:  Oh so sorry oldman... I mixed things up, yes... mistook On-Access Protection for Self-Protection... DUH ME!  :-[ One thing was to disable Webshield in Avast! and another to disable Self-Protection in program settings. I really missed the point about the latter being to make System Restore work. All clear in my mind now and Webshield and Self-Protection are enabled again.

.:  C:\327882R2FWJFW and C:\Combo-Fix deleted.

.:  Information about InetPub received and processed. I'm gonna keep the folder there for now. No harm.

................


So what should I do now? Can I still remove the remnants of Acelerador Terra and X-Cript so as to wrap up OTMoveIt? It's still installed here.

In the meantime, I'm checking the firewall options.


Have a great weekend.

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 20, 2008, 02:18:54 AM
InetPub shouldn't cause any problems if you leave it.

If the 2 programs have been uninstalled, using OTMOVEIT2 to remove the folders is ok.

When you get the 3rd party firewall, please keep in mind these three avast files will need internet access: avast.setup (for updates), ashwebsv.exe (webshield), and ashmalsv.exe (mail). Even if you don't use the internet mail provider (Outlook Express), the internet mail provider can be a tool to alert you of a spambot infection. The mail icon will appear on your taskbar whenever traffic on port 110 or 25 is detected. If you are not sending mail, then you will know further investigation is needed.

As Alanrf mentioned, there seems to be an ongoing issue with avast 4.8's webshield and mail provider coupled with any other programs monitoring the same ports. Hopefully Alwil will find the cause/cure shortly.
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 21, 2008, 08:14:54 PM

Even if you don't use the internet mail provider (Outlook Express), the internet mail provider can be a tool to alert you of a spambot infection. The mail icon will appear on your taskbar whenever traffic on port 110 or 25 is detected. If you are not sending mail, then you will know further investigation is needed.



Hi there

.:  Sorry for being away for the last couple of days but I was busy updating programs according to the Secunia analysis. Everything is up to date now :D

.:  I noticed RenV was still on my desktop and I deleted it as there wasn't any other evidence of it on the pc. I suppose it was ok.

.:  I've read about the firewalls and it seems Comodo wins by far on public opinion. I just installed it (with the Defense+ feature) and all seems to be good so far. It asked me though for a scan at the moment of install and I accepted at first, but after 10 minutes I realized it would take hours, so I canceled it.

But something odd popped up... it pointed to 2 files being infected by Trojan.Win32.Patched.m (D:\WINDOWS\$hf_mig$\KB840987\SP1QFE\winlogon.exe and D:\WINDOWS\$hf_mig$\KB841533\SP1QFE\winlogon.exe). Funny thing is I've scanned my second hard drive many times already and it never ever pointed out any threat or malware. Comodo asked for deletion, so it was done. What do you think about that malware pointed out by Comodo?

............


So, what happens now? You think I'm clear of malware and ready to be happy again?  ::)


Waiting to hear from you.

Have a great week.


Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 22, 2008, 02:12:34 AM
It was ok to delete Renv. Your logs looked good.

The files that comodo found look to be windows security patches/updates. The path and KB# are legit. Without the files to test or compare sizes, I would say false positive.

Lots of people don't use that feature of comodo. Were the files deleted or quarantined?

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 22, 2008, 03:34:21 AM

There wasn't an option for quarantine... I stopped the scan and Comodo just asked if I wanted to delete them. I said NO and then it asked me if I wanted to cure or fix it, can't recall the word used. I said Yes and Comodo said "deleted".  :-\

I searched for it on the HDs and no sign (I guess it was purged). Also I couldn't find anything in Comodo's features, it didn't even show in the logs. Maybe I looked in the wrong places as I'm still not familiar with Comodo.

I have the thought that it would be a false positive, but once bitten by a snake I get the creeps if I see dental floss...

Do you think it would be a problem when running Windows from that HD?

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 23, 2008, 05:24:03 AM
I also don't know if comodo has a quarantine feature. 

Regarding running windows from that harddrive. The files that comodo removed were update patches; check if winlogon.exe is present in the system32 folder. You won't be able to log onto windows without it. So if windows starts, you are ok.
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 23, 2008, 05:27:12 AM
< deleted >
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 23, 2008, 05:31:43 AM

Ok, oldman. Copied for that. Thank you.





So, what happens now? You think I'm clear of malware and ready to be happy again?  ::)


Waiting to hear from you.



Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 23, 2008, 05:42:09 AM
Sorry, I thought I covered that

http://forum.avast.com/index.php?topic=34581.msg293308#msg293308

As far as I can tell, you are good to go.  ;D

Unless of course you are still having problems.
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 23, 2008, 06:31:00 PM

Wow! Reading that made me happy  ;D

However, just when I read it I noticed something happened here... Regional settings for Numbers and Date, which were customized for Brazilian standards, got changed AGAIN. I check my date all the time on my taskbar as I'm getting too old to remember which day is today, especially the day of the week.

The format was changed - dunno how and by whom/what - to look more like the American standard for Numbers (here we use "." and "," the inverse way for decimal and grouping symbols) and for Date it had the format... yyyy-mm-dd, when I use the long format "dddd, d' de 'MMMM' de 'YYYY'.

That thing happened before only once... when I had the malware still running here, before it got detected by Spyware Terminator. It happened between 20080409 2300 and 20080410 0230. I can't recall exactly when I corrected it but it didn't happen again. Until now :(

I already set it back but I'm wondering here if that would be some Windows bug (pretty odd one eh) or some sign of malware or the pc being invaded.

Concerning other aspects, the system is more likely to be stable, though I have crashes now and then, mostly from overloaded CPU (happened lots when I was updating programs a couple of days ago after the Secunia scans) and many many boots thanks to my new 3G internet connection, whose signal insists on not working okay despite requests for uninstall and reinstall of the software/device by the provider's tech support. Personally, I think those issues depend more on pc and/or connection demands rather than being a sign of malware. However, the change of the Regional Options is not smelling good to me.


What do you think?

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 24, 2008, 05:32:00 AM
Hi, I don't know what may have reset your settings. Do you recall the malware from the first time?

Keep an eye on it and let me know.
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 24, 2008, 07:10:56 AM

Hi there :)

Sure thing I know.

I got the file infected with malware (and was stupid enough to run it) on 20080408 between 1200-1400. About noticing the change... for sure it didn't happen after 20080410 0230; it might have happened a few hours before - but not that much. By that time - 0230, I wrote down in my hardcopy log about the event but didn't tag it as being the time I noticed it OR the time I fixed it.

There's a chance for the change to have happened after reboots done after the infection ran wild here and for me to have not noticed it. I was quite in a zone here, trying to catch up with whatever was going on. I can't say for sure it happened along with other bugs caused by malware, as I can't say it didn't. Malware developed in 'funny odd' ways here... bringing up other malware and not being detected by many tools and scans, blocking and fuzzing my system and most of my attempts to install and run tools.

The 'detail' of Regional Options being changed out of the blue at 2 different moments - during infection (triggered 17 days ago) and again yesterday, after lots of cleansing - is fishy under my perception. Trojans give space for those things to happen; if somebody took over my pc through Bagle/Beagle, it/she/he/they might still be playing around here if it got a backdoor which wasn't detected yet, or something like that.


I dunno guys... I'm far from being a Security expert but I have confidence in your knowledge about the issue to help me figure/fix this out, in the same way many of you, especially mr oldman, have done so far and in such a kind, nice way.


I'm looking forward to your reply. It has been 17 days since I got infected and I barely did anything during all this time besides running scans, installing tools, getting instructions, performing tasks, reporting logs etc. so as to clean this pc, trying to get back to a sort of 'safe state', enough to access my email and stuff without being paranoid.

Thanks a bunch once more. Peace out.

Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 24, 2008, 02:59:33 PM
Let's see what we can find with Malwarebytes. Do a full scan this time. I think it may take 1 to 1 1/2 hours.

Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 24, 2008, 11:53:46 PM

Hi there


MBAM full scan was performed and nothing :( ... no malware found. Log goes attached.


What can we do, oldman?  ???
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: oldman on April 25, 2008, 01:36:04 AM
Good, that scan came out clean.  :)

What can we do? Well, if you are not experiencing any problems other than the regional setting being changed earlier, I guess we wait to see if it happens again. But if there are still some problems, we look again.  ;) Let me know.

Thanks
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: ZStorm on April 25, 2008, 04:44:40 AM

Ok, oldman. I suppose then we are done for the time being  ;D

I will keep my eyes open for anything weird showing up and if so, I will let you know.

I don't have enough words to thank you and the rest of the team for the patience, support and kindness. If there's anything I can do, just lemme know.

Peace out and many thanks again and again.  :)

Title: Win32 Patched Virus Get Me Crazy Confused
Post by: darrenliew on January 30, 2009, 03:44:43 AM
The Infected Files Are Updated As Shown On Below:
Issas.exe
svchost .exe
winlogon.exe
explorer.exe
Autorun.inf

All The Files Are Infected with Trojan WIN32.Patched CK

Please Help Me!
Title: Re: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!
Post by: Tarq57 on January 30, 2009, 03:50:57 AM
DarrenLiew, welcome to the forum, it would be best to start a new thread with your problem, and reference this thread if it is of any relevance.