Avast WEBforum
Other => Viruses and worms => Topic started by: Aph0tic on September 25, 2011, 12:41:32 AM
-
I got this same virus just like everyone else. I am worried that I won't be able to execute programs on reboot.
What should I do?
(http://img577.imageshack.us/img577/3904/59120356.png)
-
Hi there, this is the exact problem I started with (i.e. SysWOW, which avast couldn't find to move to chest). I'm sorry that I don't have any suggestions to offer but am very interested in any replies you might receive. Good luck.
-
I had the same problem a couple hours ago. I found three instances of 'Win32:Cycbot-KI [ trj ]'. I decided to let avast do its thing and after restarting my computer I wasn't able to open most .exe applications and avast was disabled. It was a little frustrating but I found a fix for anyone else with the same problem. (On Windows 7) Go to Start/Search and type CMD. In the Search Results, right-click Command Prompt and choose Run as Administrator. In the Command Prompt type SFC /Scannow. Once it's finished, corrupted files will be repaired and your .exe's will work once again. Cheers.
-
You are a legend! It works beautifully. You've saved my backside. I have just graduated from uni and have the most important interview tomorrow and now I can access my files to support my interview. Once again, thanks so very much
-
Thank you! The CMD line fix WORKED!
Off to find an Avast alternative. Too bad, I really liked it.
-
Thank you! The CMD line fix WORKED!
Off to find an Avast alternative. Too bad, I really liked it.
Why do you need to find an avast alternative? You told it to move/delete a system file and it did.
-
Truly the guy's a hero (chick's a heroine?)
Got my life back.
-
I came down with this same issue early in the morning of Sunday 9/25 after running an Avast! Full Scan. It found the exact same 3 "corrupt" files that you show on your screen shot. I followed Avast! instructions and moved them to the Chest (it wouldn't move the 3rd, probably because it had already done that with its doppelganger, the 1st file)...I then continued following Avast!'s instructions and ran a boot-time scan. The pc rebooted after that and I experienced just what someone else on the Forum mentioned: after the reboot the system (Windows 7) seemed fine but Avast! wouldn't run, most of the applications wouldn't run (my Control Panel was not, however, empty, and seemed to work normally). Virtually all of the rest of my applications were DOA (e.g., Firefox, Word, Excel, Avast!, IE, folders, etc.). Clicking on an icon for, let's say, Ad-Aware, wouldn't move you there. Nothing would happen. The speculation is that this was caused by moving kernel32.dll to the virus Chest (was this a system file? - c:\windows\sysWOW64\kernel32.dll|>[emul]), which was actually NOT infected (a false positive). I used a similar solution to what was suggested: In the Command Prompt type SFC /Scannow. Once it's finished corrupted files will be repaired and your .exe's will work once again. After running the scan (about 25 min) I received a note from Windows saying "Windows Resource Protection found corrupted files and successfully repaired them. Details are included in the CBS.log windir\logs\CBS\CBS.log". After that message I rebooted and ran a new Full Avast! scan: it found no problems. More importantly, the pc appears to be running normally again.
All of this leads me to an overwhelming question: When given a "Threat Alert" after or during an Avast! scan, how does one who is not savvy with computers differentiate between a genuine virus (which needs attending to and needs to either be removed or moved to the virus chest) and a false positive which probably should be left alone?
Thanks.
-
I have a new computer upon which I was installing new software. I figured out I was not getting this virus hit until right after I put LibreOffice on the computer. Other computers with LibreOffice already installed and same version and definitions of Avast, along with same scan type, are showing no alerts.
-
I had the same problem a couple hours ago. I found three instances of 'Win32:Cycbot-KI [ trj ]'. I decided to let avast do its thing and after restarting my computer I wasn't able to open most .exe applications and avast was disabled. It was a little frustrating but I found a fix for anyone else with the same problem. (On Windows 7) Go to Start/Search and type CMD. In the Search Results, right-click Command Prompt and choose Run as Administrator. In the Command Prompt type SFC /Scannow. Once it's finished, corrupted files will be repaired and your .exe's will work once again. Cheers.
Tried this but got a message "Windows Resource Protection could not start the repair service."
Help???
-
eidolonx's CMD method worked perfectly - Thank you very much! Disappointed that Alwil tech support wouldn't mention this remedy or inform us quickly that there was a vulnerability that we could easily deal with if informed. The reason I use Avast! is because I trusted it and if it says to re-boot, I do so. At least there are helpful people on this forum.
-
I had this same problem with my Windows 7 system. If you choose the default (move to chest) or (delete file) options you remove an essential windows dynamic link library (dll). Namely, c:\windows\sysWOW64\kernel32.dll.
I submitted this file to Jotti (google it) and it tests as clean.
The first avast scan after updating Windows, I had these same three "threats detected". I tried to (move to chest) but was denied, so I selected (delete files). After the reboot and boot scan, I had the same problems that others have had...no virus scanners would work, nor would certain other programs. After restoring computer (from safe mode) to a previous restore point and rescanning with Avast I again found the same three threats (naturally since I had restored the system). This time I selected Avast's (Repair) option and this appears to have fixed the problem. Subsequent scans have not reported these threats.
-
Eidolonx's CMD method worked. I almost launched an AVG Rescue boot (from USB) until I realized that I paid for Avast on this new Dell8300. It would be great if this site could list known/successful fixes to beat the bad guys.
Thanks,
Michael
-
Are any of you guys doing daily on-demand scans?
The reason I ask is the more frequently you do on-demand scans the greater the possibility you may encounter a false positive detection.
With a resident on-access antivirus like avast, the need for frequent on-demand scans is much depreciated. For the most part the on-demand scan is going to be scanning files that would otherwise be dormant or inert. If they were active files then the on-access file system shield would be scanning them before being created, modified, opened or executed.
I have avast set to do a scheduled weekly Quick scan, set at a time and day that I know the computer will be on. If for some reason my system wasn't on, no big deal I will catch up on the next scheduled scan.
-
I must admit as soon as I saw the number of posts on this I did an immediate full scan on my system to check if it was a FP. I received no hits on those files ... Win7 64 bit
-
I'm only doing a weekly quick scan but caught this problem. Can you tell me as a newbie what I should do in the future when avast recommends putting something it's found into the chest? ???
-
Putting it in the chest is preferable to deletion as you have no options left. This gives time to investigate and I would decline the suggestion to do a boot-time scan until you investigate as it is possible to manually schedule a boot-time scan later.
You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here, post the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.
-
I had the same problem a couple hours ago. I found three instances of 'Win32:Cycbot-KI [ trj ]'. I decided to let avast do its thing and after restarting my computer I wasn't able to open most .exe applications and avast was disabled. It was a little frustrating but I found a fix for anyone else with the same problem. (On Windows 7) Go to Start/Search and type CMD. In the Search Results, right-click Command Prompt and choose Run as Administrator. In the Command Prompt type SFC /Scannow. Once it's finished, corrupted files will be repaired and your .exe's will work once again. Cheers.
Thank you! Had the same problem, followed your directions and everything worked perfect afterwards.
-
Newest definitions update seems to have fixed the problem for me. Same scans are showing clean, now.
-
I had the same problem a couple hours ago. I found three instances of 'Win32:Cycbot-KI [ trj ]'. I decided to let avast do its thing and after restarting my computer I wasn't able to open most .exe applications and avast was disabled. It was a little frustrating but I found a fix for anyone else with the same problem. (On Windows 7) Go to Start/Search and type CMD. In the Search Results, right-click Command Prompt and choose Run as Administrator. In the Command Prompt type SFC /Scannow. Once it's finished, corrupted files will be repaired and your .exe's will work once again. Cheers.
Thank you very much! Computer is working again :)
-
Essexboy noted: I must admit as soon as I saw the number of posts on this I did an immediate full scan on my system to check if it was a FP. I received no hits on those files ... Win7 64 bit
This post is not exactly "new." It was provoked by the three instances of the Win32:Cycbot-KI[trj] "warning" that appeared 3 days ago (I'm using Windows 7, 64 bit.) Actually there were only two instances as the third flagged file was a duplicate of the first, apparently being a systems file that should never have been removed!
When given a "Threat Alert" after or during an Avast! scan, how does one who is not particularly savvy with computers differentiate between a genuine virus (which needs attending to and should probably be removed, repaired, or moved to the virus chest) and a false positive which probably should be left alone?
I asked this question before at the end of my post but it probably got lost in all the verbiage. Sorry. :(
endofthedream
-
If it is a system file then first select repair, if that fails then I would recommend that you come to the forum and ask the question here
-
I got the same problem, but with Windows XP... I am really stuck and have no clue on what to do because the way that works for windows 7 does not work for me.
-
XP here
http://www.bleepingcomputer.com/forums/topic43051.html
-
If it is a system file then first select repair, if that fails then I would recommend that you come to the forum and ask the question here
Okay.
But - and please forgive my lack of knowledge - how can one tell whether or not the flagged file is a system file? Is the presence of "Sys" in the file name sufficient evidence or is the ".dll" also necessary (or some other component)? Had I known the answer to this question, I would not have moved the false-positive file under discussion, c:\windows\syswow64\kernel32.dll>[emul], into the Chest.
Thanks for all your help!
-
Essexboy is on holiday now as his last post indicates.
In certain locations the kernel32.dll is a system file, this is also an important system file. The problem being this file is a bit weird as it is a 32bit dll, that is why it is in the syswow64 folder so that 32bit applications can use it.
When executing 32-bit applications, WoW64 transparently redirects 32-bit DLLs to %SystemRoot%\SysWOW64, which contains 32-bit libraries and executables. ...
For some reason the emulation function in the scan considered this infected, I don't know what this reason is.
A bit of speculation on my part after information from another source - In this case if you had ignored the detection and rebooted, then the copy of the file in the syswow64 folder would have been recreated and may not be subsequently detected. So the detections on files in the syswow64 folder are a bit weird as they aren't actually the original file but a copy of it. So I don't know why the emulation element found it strange enough to flag it.
But I don't know what would happen with the other occurrences, which is why following that guide was advised by essexboy.
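-
One way to approach the question asked above, how to tell whether a flagged file is a Windows system file before moving or deleting it. This is an added example, not part of any post in the thread; it assumes Windows Vista or later and an elevated 64-bit PowerShell prompt, and Get-FlaggedFileTriage is a hypothetical helper name.

```powershell
# Added example (not from the thread): triage a file that a scan has flagged
# before choosing Delete or Move to Chest.
# Get-FlaggedFileTriage is a hypothetical helper name.
function Get-FlaggedFileTriage {
    param([Parameter(Mandatory = $true)][string]$Path)

    $full = [System.IO.Path]::GetFullPath($Path)

    # 1. Location: is the file inside the Windows directory tree?
    $winDir = $env:SystemRoot.TrimEnd('\') + '\'
    $underWindows = $full.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase)

    # 2. Version resource: informational only, these strings can be copied
    #    into any file, so they are a hint and not proof.
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($full)

    # 3. SHA-256, so the file can be looked up on a multi-engine scanner by
    #    hash. Uses .NET directly so it also runs on the PowerShell 2.0 that
    #    ships with Windows 7.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($full)
    try {
        $hash = [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
    } finally {
        $stream.Close()
    }

    New-Object PSObject -Property @{
        Path            = $full
        UnderWindowsDir = $underWindows
        Company         = $info.CompanyName
        FileVersion     = $info.FileVersion
        Sha256          = $hash
    }
}

$target = 'C:\Windows\SysWOW64\kernel32.dll'   # the path reported in this thread
Get-FlaggedFileTriage -Path $target | Format-List

# 4. Ask Windows Resource Protection whether this exact file still matches
#    the protected copy Windows keeps. /verifyfile only checks the file; it
#    performs no repair and changes nothing.
sfc.exe "/verifyfile=$target"
```

A file under the Windows directory for which sfc reports no integrity violations is the copy Windows expects, which points to a false positive; in that case Repair or asking on the forum is the safer choice than Delete.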