Avast WEBforum
Other => General Topics => Topic started by: dpesios on March 28, 2012, 04:44:52 PM
-
Hello everybody,
I'm experiencing the following problem and would appreciate some help.
I cannot disable AVAST's control shields. The message I get is "You are not allowed to perform this action, please contact your system administrator" and I'm the computer's administrator who installed it.
The program version is 7.0.1426, and my system runs Win XP SP2.
I also tried to update my system by installing SP3 but I can't because I get a setup error.
Is AVAST to blame in any way for not being able to install SP3?
Is a virus/trojan that I recently discovered in my system using another AV product (an offline one) to blame for this?
Thank you in advance.
-
Well, avast should work with XP SP2.
Of course, the installation of a service pack brings a new situation of the OS.
I remember having installed SP3 with avast running. But this was a long time ago...
Do you have the full SP3 setup, or are you installing using the Windows Update site?
-
I'm using the full setup of SP3. For a strange reason Automatic Updates doesn't work either.
The icon to install new updates appears in the system tray but whenever I click it nothing happens.
What I suspect is that a virus thoroughly changed the settings of my system. And I can't perform a clear install due to other, not technical, reasons.
Any help appreciated.
-
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware.
Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
-
I followed the instructions at the URL you suggested, Asyn, and I'm posting 4 log files.
As I already said, the offline AV product I used cleaned my system but, as I suspect, the settings this malware imposed remained.
Can you figure out from the logs what settings were changed so that I can somehow roll them back?
Thanks again.
-
You're welcome.
As this is in the wrong section, I'll draw some attention to it.
Please be patient, it could take some hours, before you get a reply here.
Good luck,
Asyn
-
Hi, have you recently had a ZeroAccess infection?
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks
- Allow the installation of the recovery console
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
-
As I said, I cannot disable Avast, so while ComboFix was running this AV was working at full blast, mistakenly detecting it as a rootkit. And as far as I know my system didn't have the ZeroAccess infection.
I'm including ComboFix.txt in my reply. As for how my computer is running now, I have to add that the problems remain.
I recently discovered that ipconfig.exe is not running properly because a .dll is missing.
I'm also deliberately posting the log file of the AV offline product I mentioned above (or I didn't) so that you can see what type of malware my system used to have.
Hoping for help ...
Anyway, thanks for the reply.
-
OK, let's check out the registry for the network. When you try to disable the shields, what error does Avast come up with?
run farbar service scanner (http://download.bleepingcomputer.com/farbar/FSS.exe)
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg)
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
-
It comes up with the error I mentioned in my initial post above ...
Here is the log:
Farbar Service Scanner Version: 01-03-2012
Ran by Administrator (administrator) on 10-04-2012 at 10:12:14
Running from "C:\Documents and Settings\Administrator\Desktop"
Microsoft Windows XP Professional Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.
netman Service is not running. Checking service configuration:
The start type of netman service is OK.
The ImagePath of netman service is OK.
The ServiceDll of netman service is OK.
Firewall Disabled Policy:
==================
System Restore:
============
System Restore Disabled Policy:
========================
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Windows Update:
============
cryptsvc Service is not running. Checking service configuration:
The start type of cryptsvc service is OK.
The ImagePath of cryptsvc service is OK.
The ServiceDll of cryptsvc service is OK.
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2012-03-21 14:17] - [2006-05-19 15:59] - 0111616 ____A (Microsoft Corporation) EF545E1A4B043DA4C84E230DD471C55F
C:\WINDOWS\system32\Drivers\afd.sys
[2012-03-21 14:17] - [2008-08-14 12:51] - 0138368 ____A (Microsoft Corporation) 55E6E1C51B6D30E54335750955453702
C:\WINDOWS\system32\Drivers\netbt.sys
[2012-03-21 14:17] - [2004-08-04 02:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B
C:\WINDOWS\system32\Drivers\tcpip.sys
[2012-03-21 14:17] - [2008-06-20 13:45] - 0360320 ____A (Microsoft Corporation) 2A5554FC5B1E04E131230E3CE035C3F9
C:\WINDOWS\system32\Drivers\ipsec.sys
[2012-03-21 14:17] - [2004-08-04 02:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys
[2012-03-21 14:17] - [2004-08-04 02:06] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll
[2012-03-21 14:18] - [2004-08-04 03:56] - 0382464 ____A (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA
C:\WINDOWS\system32\es.dll
[2004-08-04 03:56] - [2008-04-14 03:11] - 0246272 ____A (Microsoft Corporation) 19A799805B24990867B00C120D300C3A
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe
[2012-03-21 14:17] - [2009-02-06 20:14] - 0110592 ____A (Microsoft Corporation) 37561F8D4160D62DA86D24AE41FAE8DE
Extra List:
=======
aswTdi(8) Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x080000000500000001000000020000000300000004000000080000000600000007000000
IpSec Tag value is correct.
**** End of log ****
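The FSS log above is read by hand in the thread (which services are stopped, which files FSS could not match to a known-good MD5). The following is an added triage helper, not a Farbar, Avast or forum-author tool: it parses the FSS.txt layout shown above and returns the stopped services and the files whose MD5 was not marked legit, which are the entries a responder would next compare against a trusted copy of the same binary. The embedded sample is constructed in the same format, with made-up placeholder hashes, so the script runs offline.

```python
"""Triage helper for Farbar Service Scanner (FSS.txt) output.

Added example; not a Farbar, Avast or forum-author tool. Assumes only the
line formats visible in the thread's log:
  "<name> Service is not running. Checking service configuration:"
  "<path> => MD5 is legit"
  "<path>" followed by "[created] - [modified] - <size> <attrs> (<company>) <MD5>"
"""
import re

# Constructed sample in the FSS format; the 32-hex hashes are placeholders.
SAMPLE_LOG = """\
Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.
Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
Security Center:
============
wscsvc Service is not running. Checking service configuration:
File Check:
========
C:\\WINDOWS\\system32\\dhcpcsvc.dll
[2012-03-21 14:17] - [2006-05-19 15:59] - 0111616 ____A (Microsoft Corporation) 00000000000000000000000000000001
C:\\WINDOWS\\system32\\dnsrslvr.dll => MD5 is legit
C:\\WINDOWS\\system32\\services.exe
[2012-03-21 14:17] - [2009-02-06 20:14] - 0110592 ____A (Microsoft Corporation) 00000000000000000000000000000002
C:\\WINDOWS\\system32\\svchost.exe => MD5 is legit
Extra List:
=======
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
LEGIT = re.compile(r"^(?P<path>[A-Za-z]:\\\S+) => MD5 is legit$")
PATH_ONLY = re.compile(r"^(?P<path>[A-Za-z]:\\\S+)$")
DETAIL = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) \S+ "
    r"\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_fss(text):
    """Return (stopped_services, unverified_files).

    stopped_services: service names FSS reported as not running, in log order.
    unverified_files: {path: {size, md5, company, modified}} for files FSS
    listed with a detail line instead of "MD5 is legit".
    """
    stopped = []
    unverified = {}
    pending = None  # path line waiting for its detail line
    for line in text.splitlines():
        line = line.rstrip()
        m = NOT_RUNNING.match(line)
        if m:
            stopped.append(m.group(1))
            pending = None
            continue
        if LEGIT.match(line):
            pending = None  # FSS vouched for this file; nothing to follow up
            continue
        m = PATH_ONLY.match(line)
        if m:
            pending = m.group("path")
            continue
        m = DETAIL.match(line)
        if m and pending:
            unverified[pending] = {
                "size": int(m.group("size")),
                "md5": m.group("md5").upper(),
                "company": m.group("company"),
                "modified": m.group("modified"),
            }
            pending = None
    return stopped, unverified


def findings(text):
    """One human-readable line per item worth following up."""
    stopped, unverified = parse_fss(text)
    out = [f"service not running: {name}" for name in stopped]
    for path, info in unverified.items():
        out.append(f"unverified file: {path} size={info['size']} md5={info['md5']}")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

Run it against a real FSS.txt by passing the file's contents to `findings()`; an "unverified file" line only means FSS had no matching hash for that path, so the next step is to compare the listed MD5 and size with a known-good copy of that file from the same Windows version and service pack.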
-
I think I see the problem
Download Windows Repair (all in one) from this site (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)
Install the programme, then run it
Go to step 2 and allow it to run Disc check
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture3.gif)
Once that is done then go to step 3 and allow it to run SFC
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture.gif)
On the start repairs tab select advanced mode and click start
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture1.gif)
Leave the default items selected and tick restart system when finished
-
Nothing happened essexboy.
The application had to terminate unexpectedly on the last step (Start Repairs).
The problems remain ... but thanks anyway.
-
Next step then will be to update to SP3, and that will refresh the files and the registry.
-
Very good idea, but I can't update it.
Neither from a full setup file nor from the Windows Update service.
Thanks for your attention. :P
-
Will this help ???
http://www.ghacks.net/2008/04/28/official-windows-xp-service-pack-3-download-links/ (http://www.ghacks.net/2008/04/28/official-windows-xp-service-pack-3-download-links/)
-
What error do you get when you try to install the SP?
-
Thanks for the interesting link bob3160.
Anyway, I have tried many setup files but none of them do the work.
Please, anyone, be patient and willing to read what I have already posted so that me and others can benefit from this thread.
Any help appreciated.
-
Do you get a specific error when you try to install the SP, as that may give me a pointer to the problem area?
-
I get the following message:
"Service Pack 3 setup error. Access is denied."
-
OK, I will need to search for a way to reset access permissions.
-
Will this help:
http://support.microsoft.com/kb/949377 (http://support.microsoft.com/kb/949377)
-
I already have given it a try. :)
I ran the fix-it application, which basically does what is manually suggested in the article.
-
No, you will need to reset the defaults.
Could you follow the steps on this page please?
http://www.winhelponline.com/blog/reset-the-registry-and-the-file-permissions-in-windows-xp/
Using SubInACL
For Windows XP Home Edition (and Professional Edition), you may use the SubInACL tool to reset the registry and file permissions. Download and then install the Subinacl.exe (~370 KB) from Microsoft. SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, etc.
Download reset.zip, unzip and run the reset.cmd file. This script resets the registry and file permissions in your system.
Reset.cmd Contents
The file reset.cmd contains the following lines:
cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
subinacl /subdirectories %SystemDrive%\ /grant=administrators=f /grant=system=f
-
Okay, sorry but I have to take some back-ups first.
I will give it a try and let you know.
Thanks again :)
-
No problem, in your own time. If you are unsure of anything then shout. ;D
-
Unfortunately nothing happened again. :(
I tried to reset the permissions using the SubInACL tool and had 700 or so failures.
Does this tool produce any log file so that I can post it here ?
Anyway, thanks for the help.
-
At this stage I would recommend a backup and then a reformat and re-install.
If SubInACL cannot reset the permissions then that is indicative of a deeper system problem.