Avast WEBforum
Other => General Topics => Topic started by: dzenan on July 11, 2011, 12:28:44 PM
-
Please, someone, anybody.. I have a headache because of that..
-
???
-
My avast (free edition) constantly notifies me about detecting the infection LNK Runner.. If anyone has a solution..
-
Which shield..?
Can you post a screenshot..?
-
Possibly a Stuxnet infection. This happens if you have not updated your Windows.
First use this tool: http://www.malwarecity.com/community/index.php?app=downloads&showfile=12 and click options > select full system scan and remove the malware found, if required restart.
Do a full system scan using avast. If anything is found, move it to chest.
Then, update your windows by going to http://windowsupdate.microsoft.com/
-
tnx.. will try.
-
Didn't help..
Avast constantly notifies me: "Malware blocked"... Infection: LNK:Runner..
Full scan in safe mode detected win32.sality.gr, moved to chest..
But again, there is the notification: "Malware blocked"... Infection: LNK:Runner..
But, thanks anyway.. ;-)
I've had enough of this.
Seems that format is the only option.
-
Does someone have an idea to resolve my problem before I start formatting? Really hate that..
-
Avast version..??
OS..??
Did you run a boot time scan with avast! yet..??
-
Yes, I did.. Nothing detected.. But first, I ran a full scan with avast in safe mode.. Found over 90 Win32.Sality-gr, moved to chest, and after that I ran a boot time scan and found nothing.. I hoped that was it..
But no.. When I started Windows in normal mode, after a few minutes, avast blocked malware.. Again! Shows infection LNK:Runner..
Sorry, my English is so bad.. :)
-
Do you want to dig deeper..??
If so, I'll ask essexboy to join this topic.
-
ok
-
Ok, he is informed.
Good luck..!
-
OK, let's see what is hiding.
To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach, then upload to Mediafire (http://www.mediafire.com/) and post the sharing link.
Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop
- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Under Additional Scans check the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
- Under the Custom Scan box paste this in
%USERPROFILE%\..|smtmp;true;true;true /FP
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
THEN
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 567KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
(http://public.avast.com/~gmerek/aswMBR1.png)
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://public.avast.com/~gmerek/aswMBR2.png)
-
???
-
???
Ex, Spammer on forum spam listing, will be history shortly.
-
???
Sorry, I was busy..
-
If it isn't too late.. But I'll be very happy if it is.. :)
aswMBR version 0.9.7.777 Copyright(c) 2011 AVAST Software
Run date: 2011-07-18 08:09:48
-----------------------------
08:09:48.296 OS Version: Windows 5.1.2600 Service Pack 3
08:09:48.296 Number of processors: 2 586 0x605
08:09:48.296 ComputerName: RUDNIK UserName:
08:09:48.781 Initialize success
08:09:49.515 AVAST engine defs: 11071702
08:10:00.812 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
08:10:00.812 Disk 0 Vendor: WDC_WD2500KS-00MJB0 02.01C03 Size: 238475MB BusType: 3
08:10:00.828 Disk 0 MBR read successfully
08:10:00.828 Disk 0 MBR scan
08:10:00.828 Disk 0 Windows XP default MBR code
08:10:00.828 Disk 0 scanning sectors +488376000
08:10:00.906 Disk 0 scanning C:\WINDOWS\system32\drivers
08:10:11.234 Service scanning
08:10:12.281 Disk 0 trace - called modules:
08:10:12.296 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
08:10:12.296 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87307ab8]
08:10:12.296 3 CLASSPNP.SYS[f74effd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x87309b00]
08:10:12.468 AVAST engine scan C:\WINDOWS
08:10:15.203 AVAST engine scan C:\WINDOWS\system32
08:11:11.484 AVAST engine scan C:\WINDOWS\system32\drivers
08:11:18.796 AVAST engine scan C:\Documents and Settings\Administrator
08:14:40.531 AVAST engine scan C:\Documents and Settings\All Users
08:15:06.265 Scan finished successfully
08:15:33.703 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
08:15:33.703 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
-
Here we go again!
Avast just detected LNK infection..
-
One, for example..
Infection Details
URL: file://C:\Documents and Settings\All Users\Documents\DIREKTNI SPORAZUM-ROBE.rtf.lnk
Process: PID 4
Infection: lnk:Runner
-
Or this one.. with Malwarebytes' scan..
URL: file://C:\Documents and Settings\All Users\Documents\afjru.tmp
Process: file://C:\Program Files\Malwarebytes%27 Anti-Malware\mbam.exe
Infection: win32:Sality-GR
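As an added illustration (not part of the thread and not code from any tool named in it), a PowerShell check for the symptom in the detection above: shortcut files in the shared Documents folders whose names end in a document extension followed by .lnk. A genuine shortcut to a document points at the document and carries no arguments, so one that resolves to an executable or temp file, carries arguments, or has no resolvable target at all is worth quarantining for review. The function name, the folder list and the extension lists are my assumptions.

```powershell
# Added example, not from the thread: report document-named .lnk files that do not
# behave like document shortcuts. Function name and scan roots are assumptions.
function Find-SuspiciousDocumentShortcuts {
    param(
        # Constructed sample roots; on XP $env:ALLUSERSPROFILE is C:\Documents and Settings\All Users
        [string[]]$Roots = @("$env:ALLUSERSPROFILE\Documents", "$env:USERPROFILE\Documents")
    )
    # Names like "DIREKTNI SPORAZUM-ROBE.rtf.lnk": a document extension right before .lnk
    $docNamePattern  = '\.(rtf|doc|docx|xls|xlsx|ppt|pdf|txt|jpg)\.lnk$'
    # Targets a shortcut to a document should never have
    $badTargetPattern = '\.(exe|tmp|dll|pif|scr|com|cmd|bat|vbs)$'
    $shell = New-Object -ComObject WScript.Shell

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force includes hidden files, which is how such shortcuts are often stored
        Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -imatch $docNamePattern } |
            ForEach-Object {
                $lnk       = $shell.CreateShortcut($_.FullName)
                $target    = $lnk.TargetPath
                $arguments = $lnk.Arguments
                # Collect every reason this does not look like a plain document shortcut
                $reasons = @()
                if (-not $target)                          { $reasons += 'no resolvable target' }
                elseif ($target -imatch $badTargetPattern) { $reasons += "target is $target" }
                if ($arguments -match '\S')                { $reasons += "has arguments: $arguments" }
                if (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $reasons += 'hidden attribute' }
                if ($reasons.Count -gt 0) {
                    New-Object PSObject -Property @{
                        Shortcut = $_.FullName
                        Target   = $target
                        Reasons  = ($reasons -join '; ')
                    }
                }
            }
    }
}

# Report only: quarantine flagged files by hand after review rather than deleting them outright
Find-SuspiciousDocumentShortcuts | Format-Table Shortcut, Target, Reasons -AutoSize -Wrap
```

Because a malicious shortcut can abuse shortcut parsing itself on an unpatched system (the first reply's reason for insisting on Windows Update), run this only after the LNK fix is installed, or from a patched analysis machine against a copy of the folders.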
-
I see you have thrown everything bar the kitchen sink at this
Could you attach the latest ComboFix log please, and also, as you have AVP onboard, could you run an analysis scan.
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] -> [Reg Error: Key error.]
< File Associations - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>\
YN -> .exe [@ = exefile] -> Reg Error: Key error.
[Files - No Company Name]
NY -> 3029913drv.spi -> C:\WINDOWS\3029913drv.spi
NY -> mtbjfghn.xbe -> C:\Documents and Settings\All Users\Application Data\mtbjfghn.xbe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
This is no sign of malfunction, do not panic!
THEN
Now an analysis scan
Run AVP tool
Select the Manual Disinfection tab
Press the Gather System Information button
Once done, open the last report saved folder, then attach the zip file to your next post.
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip
(http://i1224.photobucket.com/albums/ee362/Essexboy3/avpmanual.jpg)
-
Thanks essexboy for your help and your time..
All Processes Killed
[Registry - Safe List]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ not found.
Registry key HKEY_CURRENT_USER\Software\Classes\.exe\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\exefile\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\shell\open\exefile\\'' updated successfully.
[Files - No Company Name]
C:\WINDOWS\3029913drv.spi moved successfully.
C:\Documents and Settings\All Users\Application Data\mtbjfghn.xbe moved successfully.
[Empty Temp Folders]
User: Administrator
->Temp folder emptied: 20231995 bytes
->Temporary Internet Files folder emptied: 229966 bytes
->Java cache emptied: 118545 bytes
->FireFox cache emptied: 321924678 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1931171 bytes
User: All Users
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes
User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41 bytes
User: LocalService
->Temp folder emptied: 65716 bytes
->Temporary Internet Files folder emptied: 32902 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 49286 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 329.00 mb
[EMPTYFLASH]
User: Administrator
->Flash cache emptied: 0 bytes
User: All Users
User: Default User
->Flash cache emptied: 0 bytes
User: Guest
->Flash cache emptied: 0 bytes
User: LocalService
User: NetworkService
Total Flash Files Cleaned = 0.00 mb
Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07192011_081735
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...
-
Can't attach the zip file from AVP tool.. But I did a full scan with AVP tool; it detected and deleted 10 infections.. win32.sality..
For now (about one hour), no new notification from avast about LNK infection..
Maybe the job is done.. Or not... We'll see..
-
..and here we go again!!
-
For the AVP zip file - You can use a file sharing site such as Mediafire.com - Upload to http://www.mediafire.com/ and post the sharing link.
-
As there are reports of Sality
Programme here (http://www.kaspersky.com/support/viruses/solutions?qid=208279889)
Step 1. Preparation for disinfection:
Download the file Sality_off.rar
Unpack the file Sality_off.rar
Run the file Sality_off.exe with the key -m
To do this select run from the start menu.
Select browse and locate sality_off.exe click once.
The file will now appear in the run box.
Using the mouse, double left click in the box and the cursor will then appear after the .exe part. Now press the spacebar and type in -m, then select OK.
Step 2. Signs of a disinfected/clean computer
When restarted, the utility sality_off.exe -m does not detect any signs of infection (the line "infected thread terminated" is missing)
Your Anti-Virus is running and works in normal mode
full computer scan does not detect infected objects on the computer
Step 3. Cleaning the registry of infected computers in the domain network:
Download the file Sality_RegKeys.zip (link on the same page)
unpack the file Sality_RegKeys.zip
run the file Disable_autorun.reg from the archive Sality_RegKeys.zip
Click Yes to confirm adding the information to the registry
-
It's done..
One more time, avast detected LNK infection, but after a quick scan with Malwarebytes and a full scan with avast, sality-gr is deleted..
For now, everything is OK.. we'll see..
Thanks again ;)
-
Once you are happy let me know and I will remove my tools
-
Same here, I am experiencing the deletion and the RETURN of LNK:runner.
I am done with the cmd> attrib -h -r -s /s /d diskname\*.*... an autorun appears and I deleted it. After deleting the file it will return after I format it (unable to format).
-
You are posting in a topic from 2011.
If you have malware problems, use the Viruses and worms section.
At the top of that section you will find a sticky post with instructions to follow for getting help.
-
Best to start a new topic here: https://forum.avast.com/index.php?board=4.0 (https://forum.avast.com/index.php?board=4.0)
Go to sticky topic here and download diagnostic tools: https://forum.avast.com/index.php?topic=194892.0 (https://forum.avast.com/index.php?topic=194892.0)
Please be patient, a malware removal expert will be along ASAP.