Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: bobbyboy on September 20, 2010, 11:30:48 PM

Title: Can't move infected files to chest or repair or delete
Post by: bobbyboy on September 20, 2010, 11:30:48 PM
"The specified file is read only" is what it says in the log. Avast found 4 infected files but I can't do anything with them. I need some advice/help here. What do I do?
I've attached the log file.
Title: Re: Can't move infected files to chest or repair or delete
Post by: wonderwrench on September 21, 2010, 05:07:16 AM
You do not want to move these files because they are part of the OS. Avast may be identifying the files as infected when they are not.
Do a complete scan with MBAM free and see what it finds. Update the program once installed, then perform a full system scan.
http://www.malwarebytes.org/mbam.php
Title: Re: Can't move infected files to chest or repair or delete
Post by: DavidR on September 21, 2010, 05:33:50 AM
That is a serious infection, win32:patched, as it infects those system files so you can't just remove them or your system could be toast. You will need the help of a malware removal specialist, which I'm not.

Try a forum search for explorer.exe and/or win32:patched and you will get an idea of the procedure required, but you would be advised to wait for the help of a malware removal specialist.

It's after 4:30am here and I'm calling it a night/morning.
Title: Re: Can't move infected files to chest or repair or delete
Post by: Marc57 on September 21, 2010, 06:23:10 AM
As David said, this is a patching virus. You'll have to download the fixes on another computer as any EXE downloaded on the infected computer will be patched by the virus.

What I use with this problem is the Dr. Web cureit live CD.

http://www.freedrweb.com/livecd/

As I stated before, this will HAVE to be downloaded and burned on another computer. What you want to do is CURE the files, NOT delete them. Otherwise the computer won't boot and you'll have to do a repair or re-install of Windows.

There's a good video on how to use this.

http://www.youtube.com/watch?v=FGDl-IMOt1g

You can ignore the part about installing Comodo as you already have Avast.

After this run a full or boot time scan with Avast. Then follow wonderwrench's suggestion about Malwarebytes. (Again, don't download anything until after you run Cureit.)

This all depends on your tech knowledge. If you're not comfortable doing this then DON'T. As David said, wait for someone like Essexboy to help walk you through this.
Title: Re: Can't move infected files to chest or repair or delete
Post by: bobbyboy on September 21, 2010, 07:31:00 AM
I ran an ESET scan and it found and removed 11 infected files. I'm attaching a copy of what it found. Then I ran a full scan with Malwarebytes and it found nothing. I don't know if that means I'm good to go or it just didn't find anything. I am not comfortable doing any more without more help, so I'll wait for Essexboy's advice.
Title: Re: Can't move infected files to chest or repair or delete
Post by: DavidR on September 21, 2010, 02:48:04 PM
To start with there appears to just be duplication in reporting here, with the second half of the report being the same as the first half. Even in these halves there is duplication. So the overall number of detections is much lower. Plus, as they have now supposedly been dealt with, there is little to worry about in regard to them.

####
The adware stuff in the eset log I would say is questionable as it seems to refer to a tool, Unlocker. The eBay_shortcuts_1016.exe is also in the Unlocker folder and I can't recall if this ebay shortcuts comes with unlocker. The ones in the System Volume Information folder are from system restore, probably when it was removed from a system folder or simply an .exe file that was removed (not an issue unless you did a system restore to a date that included this restore point).

# Where did you get Unlocker from ?

The Beagle detections are also inert as they have been found in the Spybot S&D Recovery folder (quarantine) area. So this was probably previously detected by S&D.

These ones (don't know why they are listed twice, like many others), .dat files store data and as such would also have to have a controlling file/process and I don't see anything (so it may be a remnant of a previous detection).
Quote
C:\Documents and Settings\All Users\Documents\Server\hlp.dat   Win32/Bamital.EA trojan   cleaned by deleting (after the next restart) - quarantined

C:\Documents and Settings\All Users\Documents\Server\hlp.dat   Win32/Bamital.EA trojan   cleaned by deleting (after the next restart) - quarantined

~~~~
So all in all I don't think you are yet good to go, I would suggest that you try uploading some of the files detected by avast to virus total for confirmation.

Check the offending/suspect file/s at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here, the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.
Title: Re: Can't move infected files to chest or repair or delete
Post by: bobbyboy on September 21, 2010, 06:16:22 PM
I got the unlocker here...
http://download.cnet.com/Unlocker/3000-2248_4-10493998.html

I am still getting occasional pop ups from Avast that it has blocked winlogon.exe patched-RP from starting up. I think it may have referred to winpatrol but it just pops up then disappears. I don't know how to go back and check.
Also, I don't know how to follow your suggestion about trying to upload some of the files detected by avast to virus total for confirmation. How do I do that? I thought these infected files were part of the operating system. Can you walk me through step by step how to upload them? I don't even know how to find them. I see the names from the log file but I'm lost after that.
Title: Re: Can't move infected files to chest or repair or delete
Post by: DavidR on September 21, 2010, 07:02:58 PM
Well I have unlocker installed and that is version 1.8.9 and I don't think mine is up to date (now at 1.9), so this may have been an old version, that perhaps the new versions don't suffer. Though I rather think that eset may have gone into a paranoid scan mode based on what unlocker can do, unlock files so that they may be deleted, etc.

Create the folder as I said, create the exclusion for the folder. Locate the files using explorer search to find them and copy and paste it to the suspect folder (you may need to pause the file system shield). Now you should be able to upload to virustotal.

Take it a step at a time following the instructions, it isn't complex. If you can capture and post an image you can do this; here's a clue: the path to where the explorer.exe and winlogon.exe files are is in your image.
Title: Re: Can't move infected files to chest or repair or delete
Post by: bobbyboy on September 21, 2010, 08:08:35 PM
I've really got trouble now. The computer was working fine and I didn't think I had any problems till I ran the Avast scan. Now I do. When you said the unlocker was not the newest I uninstalled it and then the computer rebooted, but.... now it keeps rebooting without finishing. I never get to a welcome screen. I tried safe mode and the same thing happened, same with reboot to last known good configuration. I get the HP invent screen with ESC=boot menu and f=Setup and f10=System Recovery on the bottom, then black, then HP invent again, then the Windows XP screen, then black... endlessly.
What can I do now? I have some CDs that may help.
Bootable PC Doctor Diagnostic
Bootable Diagnostic (this may be the same)
Ubuntu
Maxblast 5
Bootable
I'm using my laptop to send you this so I can follow any advice and also if I need to download something I can.
Title: Re: Can't move infected files to chest or repair or delete
Post by: DavidR on September 21, 2010, 08:59:24 PM
Well all I did was download the latest version and install it over the top of the existing version. So I'm not sure why this has happened on an uninstall; the problem with unlocker is that it has hooks into areas to enable it to do its task, so if there was any problem on the uninstall it may have an impact, but I wouldn't have expected it to be like that.

However that said, I don't know if there may well have been a hook into the context menu (right click menu), which is called an explorer shell. Because of your original problem relating to explorer.exe, I don't know if that has broken explorer.exe functionality as a consequence of the win32:patched infection.

What to do about it is the big question, as first you have to find out exactly what has happened, unfortunately that isn't something I'm familiar with. I would have thought either of the Bootable PC Doctor Diagnostic or Bootable Diagnostic CDs would be a start.

I don't know if you have the original OS CD, perhaps you could try running the Repair console (repair install).
Title: Re: Can't move infected files to chest or repair or delete
Post by: essexboy on September 21, 2010, 09:55:36 PM
Note : If you do not know how to set your computer to boot from CD follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)
Note : as you are running from CD it is not exactly speedy
Title: Re: Can't move infected files to chest or repair or delete
Post by: bobbyboy on September 22, 2010, 02:22:02 AM
I ran the OTLPE scan but I used the 2.65 kb scan.txt file you sent on Sept. 18 by mistake instead of the 1kb one. I hope I didn't screw things up. I attached the OTLPE Scan file...
Title: Re: Can't move infected files to chest or repair or delete
Post by: bobbyboy on September 22, 2010, 06:20:53 PM
I still need more help, please. After running OTLPE I rebooted and still wind up with a black screen and then it recycles and eventually goes to black. I still can't get into safe mode. What do I do now? Should I use Dr Cureit?
Title: Re: Can't move infected files to chest or repair or delete
Post by: essexboy on September 22, 2010, 09:06:46 PM
Explorer and winlogon are OK. Run OTLPE again and in the custom scan box type the following:

/md5start
userinit.exe
/md5stop


Then press run scan

You may try Dr Web live CD but I feel it is one of the logon files missing or corrupt
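The `/md5start ... /md5stop` check above compares the hash of a logon file against what it should be. As an added illustration (my own code, not OTLPE's or anything posted in this thread), here is the same integrity check as a small script: it hashes the logon files named in the thread and reports each as ok, MISMATCH (patched) or MISSING (the "missing or corrupt" case). The baseline hashes are placeholders; real values must come from a known-clean copy of the same Windows build, never from the machine under investigation.

```python
"""Integrity check for Windows logon files, in the spirit of the OTLPE
/md5start ... /md5stop custom scan.  Added example, not OTLPE code.
Baseline hashes are constructed placeholders: take real values from a
known-clean copy of the same Windows build or a vendor file catalogue."""
import hashlib
import os

# Files that a patching infection such as Win32:Patched tends to modify
# (named in the thread).  Paths assume a default Windows XP install on C:.
LOGON_FILES = [
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\explorer.exe",
]


def file_digests(path, chunk=1 << 16):
    """Return (md5, sha256) hex digests of a file, streamed in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def verify_files(baseline):
    """Compare each path in baseline {path: expected_md5} against disk.
    Returns {path: 'ok' | 'MISMATCH' | 'MISSING'}.  A MISSING or MISMATCH
    logon file is one explanation for a boot loop like the one described."""
    results = {}
    for path, expected_md5 in baseline.items():
        if not os.path.isfile(path):
            results[path] = "MISSING"
            continue
        md5, _ = file_digests(path)
        results[path] = "ok" if md5 == expected_md5.lower() else "MISMATCH"
    return results


if __name__ == "__main__":
    # Placeholder baseline; replace with hashes from a known-clean build.
    baseline = {p: "<md5 from clean copy>" for p in LOGON_FILES}
    for path, status in verify_files(baseline).items():
        print(f"{status:9} {path}")
```

Run it from a clean boot environment (live CD) rather than from the suspect Windows install, so a patched explorer.exe or winlogon.exe cannot interfere with the check.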
Title: Re: Can't move infected files to chest or repair or delete
Post by: bobbyboy on September 22, 2010, 09:14:24 PM
I'll try that right now and send you the results. Should I hold off on Dr Web till you see the results? Also, if one of the logon files is missing/corrupt is there no fix?
Title: Re: Can't move infected files to chest or repair or delete
Post by: bobbyboy on September 22, 2010, 09:34:29 PM
Here is the OTL file (attached)
Title: Re: Can't move infected files to chest or repair or delete
Post by: essexboy on September 22, 2010, 10:04:23 PM
All login files are reporting the correct MD5 - methinks then that it is more serious than this

Are you happy with running the Dr Web live CD ?

But be aware that you may have to do a re-install/repair install. So I would suggest that you use Reatogo to back up your important data.
Title: Re: Can't move infected files to chest or repair or delete
Post by: bobbyboy on September 22, 2010, 10:11:31 PM
I'll give the Dr a try. I've already backed up my files. I'll let you know the result. Thanks for your help so far. I appreciate it.
Title: Re: Can't move infected files to chest or repair or delete
Post by: bobbyboy on September 23, 2010, 06:30:07 PM
I ran the DrWeb Live CD. I set it to delete infected files and report all else. It ran for 10 hours and then froze, with no reports. I did a hard reboot and my desktop came back. I then ran a full Malwarebytes scan and it found 2 infected files which it deleted. I then disabled System Restore and restarted into Safe mode. Then I ran a full Avast scan and was clean. Finally I ran a hijackthis scan which I am attaching with the Malwarebytes log.
I'm still in safe mode and haven't tried to surf the net till I get some feedback that I'm good to go. My other concern is that I am always connected to the web via my cable, which is why I'm staying in Safe mode for now.
Please let me know what you think.