Avast WEBforum

Other => General Topics => Topic started by: Keter on April 07, 2012, 06:10:36 PM

Title: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 07, 2012, 06:10:36 PM
I have a potential disaster on my hands.  I upgraded my desktop (Win 7 Pro x64) to Avast 7 Free a few days ago, and almost immediately, it reported a rootkit.  The screen that popped up cut off the name and location of the rootkit.  I let it delete and boot time scan, and the boot time scan reported nothing, but there was absolute mayhem on my system...many things no longer worked.  I was going to restore, but discovered all of my restore points were wiped out.  To reimage would require media I didn't have...I got that machine from Office Depot on sale, and apparently they had upgraded the machine from Home Premium to Pro, and sold it to me as Pro, while what was on the recovery partition was Home Premium.  I have a fledgling online business that requires daily attention, so I couldn't be down, and went and bought a brand new laptop (Win 7 Home Premium x64) yesterday and spent all of last night getting it set up, which included installing a paid version of Avast 7 (full suite).  This morning, after using for about an hour, up pops the same rootkit notice, again unreadable.  I let it do its thing, and am not yet sure if there's mayhem on this machine, too.  I haven't even had time to make the system disks, and this one has no restore partition, so if I've got damage here, too, I may just have gone out of business.  I can't find the Avast log files to get more information.  The single point of contact between these machines is the files in my Dropbox, which I scanned thoroughly using a third machine with Avast 7 before touching it with this new laptop, and it scanned as clean.

Any clue what I should do next?
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 07, 2012, 06:20:22 PM
Update - Trend Micro Housecall just finished running and says everything is clean.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: iroc9555 on April 07, 2012, 06:25:41 PM
Keter.

Essexboy, avast! malware removal specialist, has been notified. You can follow this guide and do as much as you can.

http://forum.avast.com/index.php?topic=53253.0

Attach logs for Malwarebytes, OTL, and aswMBR.exe. Just wait.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 07, 2012, 07:34:12 PM
Will do, thanks.  Malwarebytes Pro run on the other affected machine showed clean.  So far, about 2/3rds finished, Malwarebytes Free is finding nothing on the new machine.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: essexboy on April 07, 2012, 07:37:13 PM
Monitoring  ;D
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 08, 2012, 08:51:31 PM
I was trying to place the post in the correct forum according to the instructions I was given (Viruses) but it now seems to have gone even farther AWOL (no clue how that happened) and is in http://forum.avast.com/index.php?topic=96894.0.  I will copy and repaste here with updates.

I have a potential disaster on my hands.  I upgraded my desktop (Win 7 Pro x64) to Avast 7 Free a few days ago, and almost immediately, it reported a rootkit.  The screen that popped up cut off the name and location of the rootkit.  I let it delete and boot time scan, and the boot time scan reported nothing, but there was absolute mayhem on my system...many things no longer worked.  I was going to restore, but discovered all of my restore points were wiped out.  To reimage would require media I didn't have...I got that machine from Office Depot on sale, and apparently they had upgraded the machine from Home Premium to Pro, and sold it to me as Pro, while what was on the recovery partition was Home Premium.  I have a fledgling online business that requires daily attention, so I couldn't be down, and went and bought a brand new laptop (Win 7 Home Premium x64) yesterday and spent all of last night getting it set up, which included installing a paid version of Avast 7 (full suite), other utilities I use, and starting to remove OEM installed crapware.

This morning, after using the new laptop for about an hour, up pops the same rootkit notice, again unreadable.  I let Avast do its thing, and am not yet sure if there's mayhem on this machine, too.  I haven't even had time to make the system disks, and this one has no restore partition, so if I've got damage here, too, I may just have gone out of business.  I can't find the Avast log files to get more information.  The single point of contact between these machines is the files in my Dropbox, which I scanned thoroughly using a third machine (Vista, 32-bit, identical access to the Dropbox account) with Avast 7 before touching it with this new laptop, and it scanned as clean.

I had Malwarebytes Pro on the desktop system, and it said everything was clean.  I downloaded and ran Malwarebytes (full trial) on the laptop, and it also reports clean (log attached).

Avast does not like OTL.  It wants to put it into the sandbox.  I forced it to run normally.  Logs are attached.  Ran aswMBR.exe, log attached.

===

Sorry, I'm not sure what happened... I posted originally in General because I wasn't sure a possible false-positive rootkit issue belonged in with viruses and trojans.  Following reading the instructions post you linked me to, I thought I copied, updated and reposted in the viruses forum with the logs attached.  Now apparently the post is in the avast! Distributed Network Manager forum... ???confused???

The only new behavior I have to report is that 8 more Windows updates popped up last night and took an astonishing 2 hours to complete and shut down.  This is a brand-new Toshiba Satellite L775D-S7132, on which I have installed only Avast, Advanced System Care, Firefox, Pokki (utility toolbar), Skype, Malwarebytes, and the diagnostic utilities mentioned in the instruction email.  All but the diagnostic utilities are "old friends" that I use on my other two systems, including the Vista x86 box that has remained unaffected.  Sometimes this new laptop runs like a Pentium 2 with 512MB of RAM.

One other symptom:  I noticed this morning that some shortcut icons have disappeared, replaced with just the default icon.  I noticed this same behavior on my x64 desktop following the "rootkit" removal.  The more I think about this, the more I think that there never was a rootkit on either machine and that the new Avast is misidentifying files vital to x64 systems.  I hope I am wrong.  I've been an Avast user and advocate for many years.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: essexboy on April 08, 2012, 09:18:20 PM
I run a win7 64 bit and have received no alerts

This is what Avast was concerned about

20:00:06.557    Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS        15099 MB offset 1219340288

This is a hidden partition on your hard drive; the 17 indicates that it is most probably the TDSS file system boot sector.  I would like to get a second opinion on it as it is about 100 times larger than normal.

Download the latest version of TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 08, 2012, 09:20:34 PM
A couple of other items:

I just ran Kaspersky's TDSS Killer with all options enabled and it found nothing.

I installed a piece of software that I wanted to try (I'm trying to find an easy and relatively competent web site creation program for a friend), EzGenerator 4, on the desktop computer and it would not run...it would start and then mysteriously disappear with no warning before I could do anything with it.  I just installed it on this laptop, and guess what?  Up pops Avast and kills it.  (I got no such warning on the desktop, but the duration between warning and killing the program looks identical).  I tried to set it such that it would run in the sandbox, but Avast still killed it.  I forced Avast to let it open normally, and the program opened with no problem.  SO...it looks like what was making me think I might have had some sort of infection on the desktop actually was Avast killing my programs but failing to put up the popup as it did on the laptop.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 08, 2012, 09:22:40 PM
For clarification, I found TDSS Killer on my own a bit earlier and ran it as shown in your post, Essexboy.  :)
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: essexboy on April 08, 2012, 09:27:23 PM
What can you tell me about that partition - did you hide it ?

Also set the avast autosandbox and behaviour shield to Ask; you will then get the choice as to whether to run it or not.

Could you attach the TDSSKiller log?
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 08, 2012, 10:00:08 PM
I have done nothing on either affected machine with partitions.  The desktop computer has a D: partition for system recovery, created by HP, the OEM, and I have literally never done anything with it except look at its contents. The laptop, the one I'm currently providing log files from, has no partition at all.

Arrgh..."autodecide" setting not in the main settings configuration.  Now I gotta check each module to see what else is hiding.

I couldn't find a log file from the earlier run, but I re-ran it and was able to get a "report" from this run which I copied into a text file.  I think this is the same thing. If not, can you give me a hint where to look or what name to look for?
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: essexboy on April 08, 2012, 10:09:05 PM
Here you go, behaviour shield first and then autosandbox.

Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: essexboy on April 08, 2012, 10:09:41 PM
And sandbox
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 08, 2012, 10:18:32 PM
Thanks.  I found the first autosandbox setting on my own, but not the second.  Interesting... I can't wait to apply this to my desktop computer to see how much it revives.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: essexboy on April 08, 2012, 10:23:38 PM
A lot of the decision making that Avast does is based on the frequency of the programme's use, digital signature, where it came from etc...

So if it is an old programme that very few people use it will be viewed with suspicion until either it has a better handle on it or you confirm it is safe.  But remember this is a double-edged sword: if you told it that Virut was safe, it would still block it, but probably not until after some damage was done.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 08, 2012, 11:00:42 PM
I'm a very low risk user - I don't surf weird places, I don't do torrents or crack-ware, I'm the only user on the machines I use for business and do not network these computers together such that the only points of contact between machines are Dropbox, Skype, Xmarks and LastPass.  But I also have to be very sure that I'm not infected because I provide simple electronic games in standalone .exe files.  My intention was to let this laptop be my general use machine so I could dedicate the desktop entirely to production work, isolated from any potential sources of contamination outside of Dropbox.  The Vista box is not a candidate because my husband uses it and he's not all that savvy. So my little business is offline until I have a for sure resolution to this.

The hidden partition thing has thrown me for a loop...I have no idea where that might have come from.  Right now, I'm poking a stick at Advanced System Care, which also has recent new version with a greatly expanded suite of utilities.  Might it have created a partition for its own use?  I know it creates restore points that don't seem to show up in the normal system restore points.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: essexboy on April 08, 2012, 11:21:30 PM
These are the partitions found by aswMBR

Quote
20:00:06.401    Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS         1500 MB offset 2048
20:00:06.525    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       593880 MB offset 3074048
20:00:06.557    Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS        15099 MB offset 1219340288

The first, 80 (A) 27, is the active partition and legit: the recovery console of Vista / 7.

Quote
27 Windows RE hidden partition
On MBR disks, type 0x27. On GPT disks, GUID: DE94BBA4-06D1-4D40-A16A-BFD50179D6AC. A hidden version of a Windows RE type 0x7 partition with NTFS. When this is installed, reboot and press F8 in order to boot into this Recovery Environment.

The second, 00 07, is the Windows partition that you boot to.

Quote
07 Windows NT NTFS
Filesystem introduced in Windows NT 3.1.


Now the third one is curious; up until now I have only seen this in its hidden form with TDL4, although the normal max size is 10Mb.
So do you have either Unix or Linux on this partition?

Quote
IFS which can be OS/2's HPFS, Windows NTFS, Advanced Unix or QNX2.X (pre-1988). Type 0x07 is not hidden and type 0x17 is hidden.
Quote
IFS = Installable File System. The best known example is HPFS. OS/2 will only look at partitions with ID 7 for any installed IFS (that's why the EXT2.IFS packet includes a special "Linux partition filter" device driver to fool OS/2 into thinking Linux partitions have ID 07).
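As an added example (not code from the thread, from Avast, or from aswMBR), a small Python triage script that parses aswMBR partition lines like the three quoted above, decodes the MBR type IDs essexboy cites (0x27 hidden WinRE, 0x07 IFS, 0x17 hidden IFS), checks that the partitions tile the disk without gaps or overlaps, and flags hidden partitions for review. The 512-byte sector size and the "10 MB or less" bootkit-size threshold taken from the thread are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the three aswMBR partition lines quoted in the thread.
ASWMBR_LOG = """\
20:00:06.401    Disk 0 Partition 1 80 (A) 27 Hidden NTFS WinRE NTFS         1500 MB offset 2048
20:00:06.525    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       593880 MB offset 3074048
20:00:06.557    Disk 0 Partition 3 00     17 Hidd HPFS/NTFS NTFS        15099 MB offset 1219340288
"""

SECTORS_PER_MB = 2048  # assumption: 512-byte sectors, which aswMBR's MB/offset figures imply

# MBR partition type IDs discussed in the thread plus a few well-known ones.
TYPE_NAMES = {
    0x07: "IFS (NTFS/HPFS)", 0x17: "hidden IFS (NTFS/HPFS)", 0x27: "hidden Windows RE",
    0x0B: "FAT32", 0x1B: "hidden FAT32", 0x05: "extended", 0x83: "Linux", 0xEE: "GPT protective",
}
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}

LINE_RE = re.compile(
    r"Disk (?P<disk>\d+) Partition (?P<num>\d+) (?P<boot>[0-9A-F]{2})"
    r"(?P<active>\s+\(A\))?\s+(?P<type>[0-9A-F]{2})\s+(?P<desc>.*?)\s+"
    r"(?P<mb>\d+) MB offset (?P<offset>\d+)\s*$"
)


@dataclass
class Partition:
    disk: int
    number: int
    active: bool
    type_id: int
    description: str
    size_mb: int
    start_sector: int

    def end_sector(self) -> int:
        return self.start_sector + self.size_mb * SECTORS_PER_MB

    def hidden(self) -> bool:
        return self.type_id in HIDDEN_TYPES


def parse_aswmbr(log: str) -> List[Partition]:
    """Extract partition-table entries from aswMBR log text; other lines are skipped."""
    parts = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            parts.append(Partition(
                disk=int(m["disk"]), number=int(m["num"]),
                active=m["boot"] == "80" or m["active"] is not None,
                type_id=int(m["type"], 16), description=m["desc"].strip(),
                size_mb=int(m["mb"]), start_sector=int(m["offset"])))
    return parts


def is_contiguous(parts: List[Partition]) -> bool:
    """True when every partition starts exactly where the previous one ends."""
    ordered = sorted(parts, key=lambda p: p.start_sector)
    return all(a.end_sector() == b.start_sector for a, b in zip(ordered, ordered[1:]))


def review(parts: List[Partition]) -> List[str]:
    """Triage notes for hidden partitions, in the order a responder would check them."""
    notes = []
    for p in parts:
        if not p.hidden():
            continue
        name = TYPE_NAMES.get(p.type_id, f"type 0x{p.type_id:02X}")
        if p.type_id == 0x27:
            notes.append(f"partition {p.number}: {name}, normal on Vista/7")
        elif p.size_mb <= 10:
            # Assumption from the thread: TDL4's hidden partition is normally 10 MB or less.
            notes.append(f"partition {p.number}: {name}, only {p.size_mb} MB, bootkit-sized")
        else:
            notes.append(f"partition {p.number}: {name}, {p.size_mb} MB, confirm it is the "
                         f"OEM recovery partition shown in Disk Management")
    if not is_contiguous(parts):
        notes.append("layout has gaps or overlaps between partitions")
    return notes
```

On the quoted log the three partitions tile the disk exactly (each ends on the next one's offset), which is what one expects from an OEM layout rather than a bootkit squeezed into unallocated space.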
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 08, 2012, 11:26:23 PM
I don't do anything with Linux or Unix.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: essexboy on April 08, 2012, 11:33:59 PM
Are you utilising the backup function in Advanced System Care?

Although I cannot find much information about that element

Also, what is the make of the laptop?  I can then see if there is a hidden recovery partition which might fit those parameters.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 08, 2012, 11:40:17 PM
I did end up with a Mac file (which I think is a version of Unix?) in my Dropbox over a year ago when a client put one in there, but I disconnected from that shared Dropbox after the project was completed.  I don't recall using any programs ported from either of these OSes, with the possible exception of GIMP, which I think started on Linux (not sure, but I first saw GIMP on a friend's Linux machine).

I am using the backup software (can't remember the name, maybe Paragon?) that came with a Western Digital external HD on the desktop.  I have not set up backup on the laptop yet as I don't yet have a backup drive for it.  I don't use Advanced System Care to do backups, but it does create restore points for many of the things it does, as mentioned previously.  The laptop is a Toshiba Satellite L775D-S7132.  http://us.toshiba.com/computers/laptops/satellite/L770/L775D-S7132
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: essexboy on April 09, 2012, 12:05:56 AM
Hmm not a great deal about the recovery partition - apart from it is hard to find and useless

That partition is not active and is just so much spare space at the moment

Could you run Diskmgmt.msc from the run box and see if the partition is showing in Disk Management?
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 09, 2012, 12:21:18 AM
Results of Diskmgmt.msc attached.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 09, 2012, 06:47:24 AM
I went into my office and made the changes to Avast to make it ask before blocking stuff.  All of a sudden, the problem of mysterious non-loading and non-starting programs vanished, and two programs I thought were corrupted worked.

I then ran TDSS Killer on the desktop x64 that was having the same problems.  The only things it found were all "medium risk" unsigned or locked files, and all but 2 I quickly identified as legitimate.

Gsservice.exe  - based on info here http://www.sevenforums.com/system-security/177935-strange-block-software-being-auto-installed.html , I copied the file to a thumb drive, deleted it and rebooted. I have not seen any of the malicious behavior described in that post, but better safe than sorry.   Everything so far seems to work, so if that wiped out something, it isn't anything I use regularly and I can always reinstall. 

sptd.sys - identified as used by Daemon Tools, which I have installed but rarely use.  http://www.bleepingcomputer.com/startups/sptd.sys-13477.html
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: essexboy on April 09, 2012, 12:10:14 PM
As the third partition is showing in Disk Management and has the correct parameters I believe it is OK.  The latest TDL does make us a bit twitchy about unknown partitions.  But, as you say, better safe than sorry.

If you are happy then run OTL and hit the cleanup button; that will remove itself and associated files/folders.
aswMBR can be just deleted from the desktop.

Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 10, 2012, 03:47:52 AM
Cool, thanks...

Another thing I discovered:  Avast was stepping on Malwarebytes, preventing it from starting at boot up as it is supposed to, and again not notifying even though it is now set to ask.

Here's the error message in Malwarebytes:  [Shell_NotifyIcon] Failed to perform desired action. Error Code: 1008

Here's the workaround ( http://forums.malwarebytes.org/index.php?showtopic=29099 ):

Under Additional Protection > AutoSandbox > Settings > Files that will be excluded from automatic sandboxing:

    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\ProgramData\Malwarebytes' Anti-Malware\rules.ref
    C:\Windows\System32\drivers\mbam.sys  <<<<<<<<<<<< doesn't seem to be in the most recent version of Malwarebytes
    C:\Windows\System32\drivers\mbamswissarmy.sys

After making that change, Malwarebytes started normally.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: DavidR on April 10, 2012, 01:32:45 PM
@ Keter
I have MBAM Pro on XP Pro and on Win7 and have made zero exclusions for it in avast and it works as expected. The only thing that I have done is add the c:\windows\temp\_avast_ folder (where avast sends/unpacks files that are to be scanned) to the MBAM Ignore List.

So I really don't know what is going on on some systems. Do you have the MBAM Pro version (presumably so)?

Windows Error code 1008 = An attempt was made to reference a token that does not exist. What was it you were doing when this error occurred ?
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: CraigB on April 10, 2012, 04:30:41 PM
If you've found yourself to be one of the few who have required exclusions between avast and MBAM Pro, then on top of the exclusion DavidR mentioned (the c:\windows\temp\_avast_ folder) you might want the current exclusions found here in section k: http://forums.malwarebytes.org/index.php?act=findpost&pid=417798 . The exclusions you posted are from a much older version of MBAM.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 10, 2012, 06:09:14 PM
Malwarebytes Pro is set to start at system startup.  I was "doing" nothing other than just starting the computer.  The error occurred from the failure of Malwarebytes to start, which started happening AFTER I allowed Avast to make changes to the desktop system.  So far, I am not seeing this behavior on the laptop, but because it is a much newer machine, it has a very simple setup without multiple upgrades and the complications that can come from that.

Whichever file was being interfered with to trigger that error apparently was one on the list I provided.  Yes, I know it was for an older version, which is why I labeled the file that no longer appears in the current version.  Silly me, after four days of no sleep trying to sort this computer mess out and get back to work before what few VCs are watching my project decide I'm too lame to deal with any more, I didn't experiment past the point of getting it to work.

After having run so many tests on these computers, I am convinced that Avast false-positived on something unique to x64 systems.  The fact that it threw up the very same malformed rootkit notification (the UI is malformed such that it can't be read) on a brand new laptop as it did on a much older desktop system, and both are x64, while an even older x86 machine that shares a nearly identical setup to the x64 desktop and ALL of the files in common between the x64 desktop and the laptop pretty much proves that there isn't a real infection, or it would have been flagged on the x86 box as well.  (I run setups that are as identical as possible on all computers precisely to make maintenance and diagnostic work easier.)  The fact that TDSS Killer and all other malware programs I ran all came up clean seems to indicate no problem exists.

After making the settings changes to Avast, both affected systems have calmed down, everything runs as it should, and the desktop system in particular immediately stopped thrashing the hard drive which, along with the malfunctioning programs, I originally believed indicated an active infection.  Yet when I set Avast to ask before automatically sandboxing or terminating programs I start, and got through one round of it asking me how to run programs, then added the Malwarebytes file to the whitelist (Avast never asked about Malwarebytes, it just killed it on startup), the last of the bad behavior went away and the machine went back to its normal responsiveness.  Even the laptop had slowed to a crawl before I applied these changes and it now is working as expected.

So far, I have not needed to add any Avast exclusions to Malwarebytes on any machine.  One reason I have used these two programs together for so many years is that they have a long history of getting along.  In fact, when cleaning up other people's computers, I have run both Avast and Malwarebytes together as a "tag team" and watched one flush malware and the other one kill it.  I guess those days are over.

I am still considering the fact that this new version of Avast was flagging and stopping some of my game files, but not all of them.  They are made with all the same programs and processes and all so far on the same system (desktop x64), and none should be "familiar" to Avast since each is brand new.  This inconsistency worries me.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 10, 2012, 06:25:29 PM
Oh, and something even more interesting about that last point regarding my game files.  Game files that were flagged and stopped on one machine would often play on another...Avast wasn't flagging the same file every time across different computers, but Avast would consistently stop the same game files on the same system...either it would always run or never run on that particular machine.  Yet that same game file, also downloaded from my web site, would run fine on the other system.  As I mentioned, I run nearly identical setups and everything is kept synchronized with versions and updates...that inconsistency is really worrying.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: bryank on April 18, 2012, 07:11:46 PM
I upgraded to Avast 7 and within hours my PC was toast. After installation it suggested a full scan. I let it and when it was done, having found a few adware items, it asked to do a boot scan. I agreed and after that proceeded my computer wouldn't go into Windows again other than in safe mode. Avast had moved my restore points into the chest and even restoring them didn't help. I couldn't do a system restore back to any point. My system only came with a restore partition that I can't even use. When I try to restore to original it's looking for a disk, not the files on my D: drive. I can't restore directly from those files as they are password protected so I can't even access them. I was running XP Home SP3. I had to install XP Pro I had from a previous PC in order to get my PC working again. When I put Avast 7 on this PC again it hung up and hardlocked my PC on reboot. I'm going to do a clean Windows install and I'm sticking with Avast 6 till they get the bugs out of version 7.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: Keter on April 18, 2012, 11:29:13 PM
bryank - did you try disabling the auto-decide sandboxing feature, or could you just not get to it even in safe mode?  I didn't have a problem with my XP or Vista systems, but they are 32-bit, and I think the really nasty issues seem to be on 64-bit systems.  After I disabled auto-decide sandboxing, my systems came right back to life as if nothing happened, although I am noticing that they run more slowly at times.  I ended up taking Avast off of my old reliable netbook because it simply could not keep up with Avast's demands and still run other things.

I agree with you that this new Avast 7 "feature" (bug?) poses a non-trivial issue for some users.
Title: Re: OMG Issues with Avast 7 on x64 - False Positive Rootkit?
Post by: DavidR on April 19, 2012, 12:37:01 AM
The default mode for the autosandbox for avast 7.0.1426 is Ask and not Auto. In an earlier build of avast 7 it was set to Auto, but after a significant number of complaints in the forums that was changed back to Ask.

It is possible, though I don't know, that if the user came in at a very early stage of avast 7 then they may have been on Auto, and I don't know if subsequent program updates from within the UI would have changed that.