Avast WEBforum
Other => Viruses and worms => Topic started by: wam4 on March 07, 2012, 06:44:47 PM
-
Hi, I really need some help - I'm trying to get rid of some kind of malware that causes Google searches to randomly redirect. I am running Avast and have run scans with it and also Malwarebytes and also the Kaspersky virus removal tool and OTL. I see a lot of infections that it says it's removing, but I don't seem to be making any headway and assume there is a registry fix that needs to be made, but I don't know what to look for.
I've been working on it for three days, but I'm not making progress... any assistance would be appreciated.
Bill
-
follow this guide and attach the logs requested
http://forum.avast.com/index.php?topic=53253.0
also attach the kaspersky log
a certified malware remover will then help you
-
Ok, I ran into an additional problem - I ran OTL (before posting here so without any custom scan instructions), after the scan it asked for a restart of the computer. Now I can only get Windows to load in safe mode. I just re-ran Malwarebytes, but wasn't sure I should do OTL again?
I have attached all the scan logs I got from Malwarebytes just now and the ones from OTL before the blue-screen problem cropped up. If I need to re-run OTL again in safe mode, let me know.
Thanks,
Bill
-
Essexboy is notified and should be online soon......
OBS... I see some Symantec/Norton files... do you have more than one AV installed?
-
O1 HOSTS File: ([2012/02/28 17:51:19 | 000,000,884 | RH-- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 87.229.126.50 www.google.com
O1 - Hosts: 87.229.126.51 www.bing.com
DNS-имя: 87.229.126.50
Средний пинг: 117ms
Страна: HUNGARY
Регион: BUDAPEST
Город: BUDAPEST
Fix host file.
And here what is the problem - Alternate Data Streams, wait essexboy.
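The two O1 lines above are the whole redirect mechanism: the hosts file resolves www.google.com and www.bing.com to a server in Hungary before DNS is ever consulted. The script below is an added example (not from the thread, not part of OTL) that audits a hosts file for exactly this pattern. It uses the two entries reported above inside an otherwise constructed sample hosts file, and WATCHED_DOMAINS is an assumed starting list you would extend for your own environment. It separates real redirects (a watched name pointed at a routable address) from deliberate blocks (loopback or 0.0.0.0), because admins legitimately use the second form.

```python
"""Audit a Windows hosts file for entries that hijack well-known domains.

Added example for this thread, not code from the forum or from OTL. The two
poisoned entries come from the OTL log above; the rest of SAMPLE_HOSTS is a
constructed hosts file. WATCHED_DOMAINS is an assumed list to extend.
"""
import ipaddress
import re

# Domains whose resolution a search-redirect infection typically overrides.
WATCHED_DOMAINS = {
    "www.google.com", "google.com", "www.bing.com", "bing.com",
    "www.yahoo.com", "search.yahoo.com",
}

# Constructed sample: default XP hosts file plus the two entries OTL reported.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
87.229.126.50   www.google.com
87.229.126.51   www.bing.com
127.0.0.1       activate.example-vendor.com  # constructed admin block entry
0.0.0.0         search.yahoo.com             # constructed blocking entry
"""

_MAPPING = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping; comments are ignored.

    One line may map several names to one address, as the hosts format allows.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # strip trailing comments
        match = _MAPPING.match(line)
        if not match:
            continue
        ip, names = match.groups()
        for name in names.split():
            yield ip, name.lower(), line_no


def is_sinkhole(ip):
    """True for loopback/unspecified addresses, which block a name rather than redirect it."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Split watched-domain entries into redirects and deliberate blocks.

    A watched domain pointed at a routable address is the redirect pattern
    seen in this thread; a loopback or 0.0.0.0 mapping only blocks the name.
    Returns two lists of (line_no, hostname, ip).
    """
    hijacked, blocked = [], []
    for ip, name, line_no in parse_hosts(text):
        if name not in watched:
            continue
        (blocked if is_sinkhole(ip) else hijacked).append((line_no, name, ip))
    return hijacked, blocked


if __name__ == "__main__":
    redirects, blocks = find_hijacks(SAMPLE_HOSTS)
    for line_no, name, ip in redirects:
        print(f"line {line_no}: {name} redirected to {ip}  <-- remove")
    for line_no, name, ip in blocks:
        print(f"line {line_no}: {name} blocked via {ip} (verify this was intended)")
```

On a live XP box you would read C:\WINDOWS\system32\drivers\etc\hosts instead of SAMPLE_HOSTS; the file is often set read-only and hidden (the RH attributes in the O1 line), so open it as administrator. A clean hosts file should contain nothing for a watched domain at all.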
-
Our corporate server has Symantec enterprise software, but we no longer run the client version on individual desktops.
I overlooked the Kaspersky log... it's attached.
-
OTL does not ask to restart the computer after a scan as there is no requirement for that - all it is doing at this stage is analysing
When you try to restart normally do you get a blue screen with some data on it ?
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run.
- Download the attached Fix.txt
- Run OTL
- Press the Run Fix button
- In the dialogue that comes up navigate to the Fix.txt and select it
- Press Run Fix again
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Yes, I do - a blue screen with data flashes for a second but not quickly enough to read...so I'm stuck in safe mode, which does work.
So I assume I can run this fix in safe mode ok?
Thanks!
-
Yes, run it in safe mode. Also can you look in C:\windows\minidumps and see if there are any minidumps there
-
Ok, did as instructed - still only comes up in safe mode for now.
Attached is the log file from the OTL scan after the fix.
Also, I looked and there are about 10 minidumps, the latest from August 2011.
Thanks!
-
Attached are the system event logs, in order, relative to my last attempt to startup Windows normally and then fall back to safe mode. I thought I'd send it in case it shows something that's causing the problem...
Thanks!
-
Are you sure that it was OTL that asked for a reboot ? As I have been unable to replicate that
run farbar service scanner (http://download.bleepingcomputer.com/farbar/FSS.exe)
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg)
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
-
It definitely claimed to be OTL asking to reboot the computer. It was right after I ran the fix. I expected to have to manually reboot it based on your instructions, but it popped up and asked for a restart, so..
Here is the Farbar log: (and THANK YOU so much for helping me with this - I am so grateful)
Farbar Service Scanner Version: 01-03-2012
Ran by billmcclain (administrator) on 07-03-2012 at 17:06:52
Running from "C:\Documents and Settings\billmcclain.FLAGLER\Desktop"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Nerwork
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice: "C:\WINDOWS\system32\srsvc.dll".
sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\SystemRoot\system32\DRIVERS\sr.sys".
System Restore Disabled Policy:
========================
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS: "C:\WINDOWS\system32\qmgr.dll".
EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\system32\es.dll".
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit
Extra List:
=======
aswTdi(9) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000090000000600000007000000
IpSec Tag value is correct.
**** End of log ****
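A note on reading the FSS log above: the machine was booted in safe mode with networking, so "Service is not running" lines are expected noise. The lines that matter are the two where the start type has been changed from its default (sr set to Disabled, BITS set to Demand) and any "MD5 is not legit" line in the File Check section. The following is an added example, not from the thread and not part of Farbar's tool, that parses FSS-style output and pulls out just those signals. The sample text is a constructed excerpt that reuses the wording of the log above plus one constructed "not legit" line so the MD5 path is exercised; DEFENSIVE_SERVICES is an assumed list of services malware commonly disables to blind the host.

```python
"""Parse a Farbar Service Scanner (FSS) log and flag tampered service settings.

Added example, not from the thread and not part of FSS. SAMPLE_FSS is a
constructed excerpt in the log's wording; the dnsrslvr.dll line is constructed
to show a failed file check.
"""
import re

SAMPLE_FSS = """\
System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
sr Service is not running. Checking service configuration:
The start type of sr service is set to Disabled. The default start type is Boot.
The ImagePath of sr: "\\SystemRoot\\system32\\DRIVERS\\sr.sys".

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.

File Check:
========
C:\\WINDOWS\\system32\\qmgr.dll => MD5 is legit
C:\\WINDOWS\\system32\\dnsrslvr.dll => MD5 is not legit
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
START_TYPE = re.compile(
    r"^The start type of (\S+) service is set to (\w+)\. "
    r"The default start type is (\w+)\."
)
FILE_CHECK = re.compile(r"^(.+?) => MD5 is (legit|not legit)$")

# Services that malware commonly disables to blind the host (assumed list).
DEFENSIVE_SERVICES = {"sr", "Srservice", "wscsvc", "wuauserv", "BITS", "SharedAccess"}


def parse_fss(text):
    """Return the three things worth acting on from an FSS log.

    'not_running' is kept only for context: in safe mode it is expected.
    'start_type_changed' maps service -> (actual, default) start type.
    'bad_md5' lists system files whose hash FSS did not recognise.
    """
    result = {"not_running": [], "start_type_changed": {}, "bad_md5": []}
    for line in text.splitlines():
        line = line.strip()
        if (m := NOT_RUNNING.match(line)):
            result["not_running"].append(m.group(1))
        elif (m := START_TYPE.match(line)):
            svc, actual, default = m.groups()
            result["start_type_changed"][svc] = (actual, default)
        elif (m := FILE_CHECK.match(line)):
            if m.group(2) == "not legit":
                result["bad_md5"].append(m.group(1))
    return result


def findings(parsed):
    """Turn the parse into (severity, message) pairs, sorted for reporting.

    A changed start type on a defensive service or a hash mismatch on a
    networking/service DLL is HIGH; other start-type changes are MEDIUM.
    """
    out = []
    for svc, (actual, default) in parsed["start_type_changed"].items():
        sev = "HIGH" if svc in DEFENSIVE_SERVICES else "MEDIUM"
        out.append((sev, f"{svc}: start type {actual}, default {default}"))
    for path in parsed["bad_md5"]:
        out.append(("HIGH", f"{path}: MD5 does not match a known-good file"))
    return sorted(out)


if __name__ == "__main__":
    for severity, message in findings(parse_fss(SAMPLE_FSS)):
        print(f"[{severity}] {message}")
```

Point it at a real FSS.txt and the output is the short list a helper actually reacts to: which services to reset to their default start type (sc config on a live system, or a registry fix from a boot CD as happens later in this thread) and which files to replace from known-good media.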
-
"I ran OTL (before posting here so without any custom scan instructions), after the scan it asked for a restart of the computer." This is the bit I was enquiring after, as a standard scan will never ask for a reboot.
Did you run the AVP tool ?
If so and you still have it
Upload the entire zip file to mediafire and post the sharing link please
Now the Analysis
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif)
On completion click the link to locate the zip file to upload and attach to your next post
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif)
-
Ok, I found the zip file and I've uploaded it to mediafire, but it's taking a long time to verify. It's also in my Google docs (public link below). I'll keep waiting for mediafire to verify, if Google docs doesn't work for you.
https://docs.google.com/open?id=0B4AQpbhW6h5kUEFQM2J6Tm5RdHV2TGRFbVMwa0YzQQ
I'm running the tool again now using your instructions.
Thanks!
-
Ok, here is the new AVP tool log. I don't think it likes running in safe mode, but it seemed to work.
Mediafire verified this one ok (it's a zip file, so I couldn't attach here).
Thanks!
http://www.mediafire.com/?anqc81w4ioaeneu
-
I've looked everywhere I can think of to try to figure out what's wrong with my startup process...perhaps the virus changed some key files? Before closing down for the night, however, I decided to work on capturing the screen message that pops up so quickly when I try to start Windows normally. I used my iPhone to take a movie of the moment and look back frame by frame - here is what the message says:
"A problem has been detected and Windows has been shut down to prevent damage to your computer If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:
Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.
Check with your hardware vendor for any bios updates. Disable bios memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select advanced startup options, and then select safe mode.
Technical information:
***STOP: 0x000000"
Any ideas? Thanks very much for all your help,
Bill
-
Ta got it... Well there is nothing apparent in there that would stop the normal boot, do you have a windows CD as we could try a repair install
-
Ok, sorry for the delay. I have the Windows CD and have the machine booting from CD now. Shall I just run the repair program? As I remember, that won't impact my document files and things...
-
Yes the details on how to do it are here http://www.geekstogo.com/forum/topic/138-how-to-repair-windows-xp/
-
Ok...I just ran the repair process completely, then let the machine restart and that damned blue screen popped up just like before, keeping it from loading Windows normally.
Do you think there's something leftover in my registry?
-
No it sounds very much like a hardware/driver problem
Was a minidump created ?
Could you set your system to generate minidumps - details here http://kb.acronis.com/content/2191
-
Well, Windows won't finish the repair after the reboot (as it says it should). And now it won't even get to safe mode. I did, however, disable the auto-restart on system failure and now I have the complete info on the failure:
*** STOP: 0x0000007e (0xC0000005, 0xF760EA8D, 0xF7A26528, 0xF7A26224)
*** isapnp.sys - Address F760EA8D base at F7607000, Datestamp 3b7d8559
-
Check this out: http://support.microsoft.com/kb/315311 (http://support.microsoft.com/kb/315311)
-
OK now I know where to look - it is a driver problem
- Run OTL.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
/md5start
isapnp.*
/md5stop
Drives
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open a notepad window.
- Attach the log
-
Will OTL run from the prompt at the Recovery Console? That's as far as I can get... it won't get to safe mode, supposedly because of that isapnp.sys related error.
-
So we are now not able to achieve safe mode ?
Follow the destructions at DonZ63's link http://support.microsoft.com/kb/315311
You will need to copy the file from the xp cd
Let me know if you understand what to do - if not let me know where you are stuck and I will walk you through it
-
Ok, working on that now... tried it before, but it won't let me create the expanded file, for some reason. It responds, "Unable to create file isapnp.sys". I can copy the .sy_ version of the file over to the directory but it won't expand.
I am going to expand the file on another machine and copy it to a disc and see if I can get it into place that way.
-
For some reason it won't let me open the disc tray after I boot from the Windows CD. I copied the disk and added the sys file and then it wouldn't stop and recognize the CD and boot from it! It works perfectly on other machines - but only the actual Windows CD will work.
I'm going to shoot myself in the head. :-)
-
Could you transfer using a USB stick ?
-
I tried, but it didn't seem to recognize the stick.
I'm letting the whole thing reboot and reload Windows Console WITH the stick in place during boot... stand by
-
Stick worked and I was able to place the expanded isapnp.sys file into the Windows/system32/drivers directory.
Still boots to the same BSOD, same isapnp.sys stop error:
*** STOP: 0x0000007e (0xC0000005, 0xF760EA8D, 0xF7A26528, 0xF7A26224)
*** isapnp.sys - Address F760EA8D base at F7607000, Datestamp 3b7d8559
Any thoughts?
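The two STOP lines above carry more than they appear to, and decoding them is how you decide whether to keep chasing a file or look elsewhere. This is an added example (not from the thread, not from Microsoft) that parses the pair of lines Bill posted: bug check 0x7E is SYSTEM_THREAD_EXCEPTION_NOT_HANDLED and its first parameter is the exception code, 0xC0000005 being STATUS_ACCESS_VIOLATION; the Address minus the base gives the offset inside isapnp.sys, which stays constant across reboots even though the load address may not; and the Datestamp is the driver's PE build timestamp, which you can compare against the file you just copied in. The name tables are deliberately short and only cover codes whose meaning I am sure of.

```python
"""Decode the two technical lines of a Windows XP STOP screen for triage.

Added example for this thread, not from the forum or from Microsoft. The
sample lines are the ones posted above; the bug check and NTSTATUS names are
the documented values for those codes, and the tables are deliberately short.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

BUGCHECK_NAMES = {
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0x7B: "INACCESSIBLE_BOOT_DEVICE",
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
}
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0x80000003: "STATUS_BREAKPOINT",
}

# The two lines from the thread, as the sample input.
SAMPLE_SCREEN = """\
*** STOP: 0x0000007e (0xC0000005, 0xF760EA8D, 0xF7A26528, 0xF7A26224)
*** isapnp.sys - Address F760EA8D base at F7607000, Datestamp 3b7d8559
"""

_STOP = re.compile(r"STOP:\s*0x([0-9A-Fa-f]{8})\s*\(([^)]*)\)")
_MODULE = re.compile(
    r"(\S+\.(?:sys|dll|exe))\s*-\s*Address\s+([0-9A-Fa-f]+)\s+base at\s+([0-9A-Fa-f]+)"
    r"(?:,\s*Datestamp\s+([0-9A-Fa-f]+))?",
    re.IGNORECASE,
)


@dataclass
class StopInfo:
    code: int
    params: List[int] = field(default_factory=list)
    module: Optional[str] = None
    address: Optional[int] = None
    base: Optional[int] = None
    datestamp: Optional[int] = None

    @property
    def name(self):
        return BUGCHECK_NAMES.get(self.code, "UNKNOWN_BUGCHECK")

    @property
    def exception(self):
        # For 0x7E and 0x8E, parameter 1 is the NTSTATUS of the unhandled exception.
        if self.code in (0x7E, 0x8E) and self.params:
            return NTSTATUS_NAMES.get(self.params[0], f"0x{self.params[0]:08X}")
        return None

    @property
    def offset(self):
        """Fault address relative to the module base: stable across reboots."""
        if self.address is None or self.base is None:
            return None
        return self.address - self.base

    @property
    def build_date(self):
        """PE timestamp of the named module, i.e. when that driver was built."""
        if self.datestamp is None:
            return None
        return datetime.fromtimestamp(self.datestamp, tz=timezone.utc).date()


def parse_stop(text):
    """Parse a STOP line and, if present, the module line that follows it."""
    m = _STOP.search(text)
    if not m:
        raise ValueError("no STOP line found")
    params = [int(p, 16) for p in (s.strip() for s in m.group(2).split(",")) if p]
    info = StopInfo(code=int(m.group(1), 16), params=params)
    mm = _MODULE.search(text)
    if mm:
        info.module = mm.group(1)
        info.address = int(mm.group(2), 16)
        info.base = int(mm.group(3), 16)
        info.datestamp = int(mm.group(4), 16) if mm.group(4) else None
    return info


def summarize(info):
    """One-line triage summary suitable for a forum reply."""
    parts = [f"{info.name} (0x{info.code:08X})"]
    if info.exception:
        parts.append(f"exception {info.exception}")
    if info.module:
        parts.append(f"in {info.module}+0x{info.offset:X}")
    if info.build_date:
        parts.append(f"module built {info.build_date.isoformat()}")
    return ", ".join(parts)


if __name__ == "__main__":
    print(summarize(parse_stop(SAMPLE_SCREEN)))
```

The useful check here is the build date: if the isapnp.sys you copied from the CD has a different timestamp and the screen still shows the same Datestamp and offset, the kernel is not loading the file you replaced, which points away from a corrupt driver and towards its registration, as the thread eventually finds.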
-
Do you have an AMD processor ?
Method 2
To work around this issue, run the recovery console by using the Windows XP CD. Then, select the recovery option. To run the Recovery Console from the Windows XP startup disk or from the Windows XP CD, follow these steps:
1. Insert the Windows XP startup disk in the floppy disk drive. Or, insert the Windows XP CD in the CD drive. Then, restart the computer.
Note: If you are prompted, click to select any options that are required to start the computer from the CD drive.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. If you have a dual-boot computer or a multiple-boot computer, select the installation that you want to access from the Recovery Console.
4. When you are prompted, type the administrator password.
Note: Press ENTER if the administrator password is blank.
5. At the Recovery Console command prompt, type the following command, and then press ENTER:
disable intelppm
6. To exit the Recovery Console and to restart the computer, type exit at the Recovery Console command prompt, and then press ENTER.
-
I think I have an Intel processor... I'm out of the office for the weekend, but I'll look on Monday morning.
I ran the Windows repair and thought it would work, but when it got to the end of loading all the files and restarted, the same BSOD failure occurred and stopped it from proceeding with the repair.
I guess if worst comes to worst, I could remove the hard drive, plug it into another machine to get all the files off of it and then just reinstall Windows entirely?
-
It is an option - the other would be a parallel install to the same drive
-
Well, if you think of anything else I could try...
Thank you very, very much for all your help. I really do appreciate it.
-
Try the disable command first and see if that rectifies it
-
Ok, definitely will do that.
Thanks again!
-
Hi, Essexboy - I hope you had a nice weekend. I was out of the office yesterday but checked today and I have an Intel 4/Pentium processor...I assume, then, that the disable fix is out?
I can still only get to the Recovery Console (or Windows Repair, which also didn't fix it). Normal boot attempts get to the BSOD with the isapnp.sys stop error.
-
No still try the disable command as my reading so far indicates that the system will run without it
-
Disabled intelppm, but the reboot went the same way as before, whether I tried normal or safe mode.
-
Still with the same error code ?
-
OK a rush of blood to the head - that is one of the files that TDL3 uses when it alters the MBR
What is the make of your computer ?
Does it have a recovery partition or do you have the windows CD
-
My machine was built by our IT guys, but it has an Intel Pentium D processor, an ABIT IL8 Series Motherboard and Maxtor serial ATA hard drive...I have the Windows CD from which I can run recovery.
-
Grand that means I can reset the MBR quite happily
Now reboot to the Windows XP Recovery Console and execute the following commands:
fixmbr \Device\HardDisk0
fixboot c:
exit
-
Ok, done - still has that same error. Should I disable the isapnp.sys file?
-
Yes disable please
-
Ok, when I type "disable isapnp.sys" it says the registry entry for the isapnp.sys service cannot be located...
-
OK let me flash up my XP
-
OK I have exported the registry key for that from my system, I now need to know how much of the key is missing
It looks like whatever you had suborned that key and then either Symantec or Avast killed it without adjusting the registry. That is probably the programme that asked for a reboot
So now we need to run a BartPE disc so that I can access the registry to import the missing key
You will need another computer to burn the CD and a USB to transfer the scan and fix files
This should also allow you internet access from the sick computer
OK next we will work outside of Windows. Please print these instructions out so that you know what you are doing.
- Download OTLPENet.exe (http://oldtimer.geekstogo.com/OTLPENet.exe) to your desktop
- Ensure that you have a blank CD in the drive
- Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
- Download the attached scan.txt to the USB drive
- Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)
- As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
- Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
- Double-click on the OTLPE icon.
- Select the Windows folder of the infected drive if it asks for a location
- When asked "Do you wish to load the remote registry", select Yes
- When asked "Do you wish to load remote user profile(s) for scanning", select Yes
- Ensure the box "Automatically Load All Remaining Users" is checked and press OK
- OTL should now start
- Drag and drop this attached scan.txt into the Custom scans and fixes box, or double click the scan box
- Press Run Scan to start the scan.
- When finished, the file will be saved in drive C:\OTL.txt
- Copy this file to your USB drive if you do not have internet connection on this system
- Right click the file and select send to : select the USB drive.
- Confirm that it has copied to the USB drive by selecting it
- You can backup any files that you wish from this OS
- Please post the contents of the C:\OTL.txt file in your reply.
-
Ok, here is the OTL.txt:
(and thanks for getting me access to my files, too!)
Ok - it said the text was over the character limit for a post, so I've attached it instead.
Thanks again!
Bill
-
OK TDSSKiller took the file out originally and then the image path was removed from the registry start key
Return to the Reatogo desktop and run OTLPE
Download the attached fix.txt to a USB and insert in the sick system
Click Run Fix on OTLPE
Navigate to the fix.txt on the USB
Press run Fix again
Now try to reboot to normal windows
-
Well, applied the fix, but - believe it or not - I'm still getting that SAME error on boot up!
-
OK last resort here - I will try to restore the system to an old restore point. But first I would recommend that you back up all your files as this may not work
For x32 (x86) bit systems download Farbar Recovery Scan Tool (http://download.bleepingcomputer.com/farbar/FRST.exe) and save it to a flash drive.
Run the Reatogo desktop again
Locate FRST.exe and run
- The tool will start to run.
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
-
I anticipated I'd be looking at a "last resort" scenario, so I'm working on shuttling all my files off now. :)
-
That is the problem with some of the current malware it really messes the system
-
Finally shuttled all of my important files off of the sick machine...it took me a long time, but I'm relieved to have them safe.
Attached is the result of the Farbar scan. I will be out of town this weekend, so please take your time.
I hope you have a nice weekend and, again, thank you so much for all your help.
Bill
-
That's blown it I am afraid, no restore points or last known good to use.
You appear to have the right drivers and services in the right place
Alas 'tis a reformat I am afraid. With this I would format the drive as well rather than try a repair install
-
I will do that...I think that will have to be my Monday chore, as I'm ready for a little time away from my PC. You're great to have helped me so much - I owe you quite a few pints!
Have a great weekend,
Bill
-
I'm just sorry we could not resolve this one for you. Still you have your documents back
-
Yes, I do - and that's the important thing. Thanks again!