Author Topic: can't enable shields  (Read 20171 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: can't enable shields
« Reply #30 on: July 09, 2012, 12:28:30 AM »
OK that did not find anything... Maybe we did kill it.

How is Windows behaving now?

Offline Devox

  • Jr. Member
  • **
  • Posts: 26
Re: can't enable shields
« Reply #31 on: July 09, 2012, 02:40:20 PM »
I still can't enable the shields

Offline essexboy

Re: can't enable shields
« Reply #32 on: July 09, 2012, 04:13:24 PM »
OK, let's try a full re-install.

Download the latest version to your desktop from here
Download aswClear from here
Go to Programs and Features > add/remove and uninstall Avast
Reboot back to safe mode and run aswClear (select all versions of Avast) once for each version, no need to reboot in between
After the last one reboot

Install the updated Avast

Offline Devox

Re: can't enable shields
« Reply #33 on: July 10, 2012, 04:10:45 PM »
The same, I still can't enable the shields  :-\

Offline essexboy

Re: can't enable shields
« Reply #34 on: July 10, 2012, 04:14:16 PM »
When you try to enable the shields, what error do you get?

Offline Devox

Re: can't enable shields
« Reply #35 on: July 10, 2012, 04:16:17 PM »
shield unreachable

Offline essexboy

Re: can't enable shields
« Reply #36 on: July 10, 2012, 05:01:13 PM »
Could you run a test for me?

Download another AV, either Avira or MSES, and let me know if that installs OK.

Offline Devox

Re: can't enable shields
« Reply #37 on: July 10, 2012, 09:43:10 PM »
Avira realtime protection is stopped and I can't start it.

Offline essexboy

Re: can't enable shields
« Reply #38 on: July 10, 2012, 10:12:36 PM »
Let's see if GMER can locate it.

Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan... click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

Offline Devox

Re: can't enable shields
« Reply #39 on: July 11, 2012, 12:20:45 PM »
When I start GMER I got an error about a driver, then the right panel has only services, registry and files options, but I did the scan anyway.
Also in safe mode I got the same thing.
Attached is the log.

Offline essexboy
Re: can't enable shields
« Reply #40 on: July 11, 2012, 03:13:45 PM »
Gotcha

1. Please download The Avenger by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:
Begin copying here:
Files to delete:
C:\SystemRoot\System32\Drivers\778b96acd1ec6829.sys

Drivers to delete:
syshost32

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Accept the disclaimer
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply.

Offline Devox

Re: can't enable shields
« Reply #41 on: July 12, 2012, 10:56:31 AM »
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  could not open file "C:\SystemRoot\System32\Drivers\778b96acd1ec6829.sys"
Deletion of file "C:\SystemRoot\System32\Drivers\778b96acd1ec6829.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\syshost32" not found!
Deletion of driver "syshost32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.

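As an added example (not part of the thread, and not code from Avenger's author), a small parser that pairs each failed action in the log above with its NTSTATUS code and turns that into a triage verdict: ACCESS_DENIED on the driver file means a deletion attempted from the kernel was refused, which is the signal that in-OS tools have been beaten and cleanup has to move outside the running Windows. The log lines are retyped from the post as constructed test data; the line format is assumed to match Avenger 2.0 output.

```python
import re

# Constructed sample input: the failure section of the Avenger log posted above,
# retyped as test data (the format is assumed to match Avenger 2.0 output).
SAMPLE_LOG = r"""Error:  could not open file "C:\SystemRoot\System32\Drivers\778b96acd1ec6829.sys"
Deletion of file "C:\SystemRoot\System32\Drivers\778b96acd1ec6829.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\syshost32" not found!
Deletion of driver "syshost32" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist
"""

FAIL_RE = re.compile(r'^Deletion of (file|driver) "([^"]+)" failed!')
STATUS_RE = re.compile(r'^Status:\s*(0x[0-9A-Fa-f]{8})\s*\((\w+)\)')

# NTSTATUS codes seen in the log, mapped to what they mean for the analyst:
# ACCESS_DENIED returned to a tool running in the kernel means the object is actively guarded;
# OBJECT_NAME_NOT_FOUND means nothing is registered under that name (wrong name, or already gone).
VERDICTS = {0xC0000022: "still_protected", 0xC0000034: "not_present"}


def parse_failures(log_text):
    """Pair each 'Deletion of ... failed!' line with the Status line that follows it."""
    failures = []
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        m = FAIL_RE.match(line)
        if not m:
            continue
        kind, target = m.groups()
        code, name = None, None
        for nxt in lines[i + 1:i + 3]:  # Avenger prints Status on the line right after
            s = STATUS_RE.match(nxt)
            if s:
                code, name = int(s.group(1), 16), s.group(2)
                break
        failures.append({"kind": kind, "target": target, "code": code, "status": name})
    return failures


def triage(failures):
    """Map each failed target to a verdict; unknown codes are reported, not guessed."""
    return {f["target"]: VERDICTS.get(f["code"], "unknown") for f in failures}


def needs_offline_cleanup(failures):
    """True when any target survived a kernel-level deletion attempt: in-OS tools have
    been beaten and the next step is removal from outside the running Windows."""
    return any(v == "still_protected" for v in triage(failures).values())
```
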
Offline essexboy
Re: can't enable shields
« Reply #42 on: July 12, 2012, 04:35:30 PM »
OK that did not want to go... So are you prepared to work outside of Windows?

Download the following three programmes to your desktop:

1. WiNTobootic
2. Windows Vista RC
3. Farbar Recovery Scan Tool

Extract wintoboot to your desktop
Insert a USB drive of at least 4GB
Run Wintoboot

Drag and drop the Windows Vista ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

It will let you know when it is done
Then copy FRST to the same USB

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here

When you reboot you will see this. Click repair my computer

Select your operating system

Select Command prompt

At the command prompt type the following:

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Offline Devox

Re: can't enable shields
« Reply #43 on: July 14, 2012, 12:27:55 PM »
Flashing failed. I downloaded WiNToBootic and the ISO twice and I got the same result.
Sorry for the late reply.

Offline essexboy
Re: can't enable shields
« Reply #44 on: July 14, 2012, 01:15:06 PM »
OK I have been doing further research after Avenger failed to kill it. Avenger works at ring 0, i.e. one of the very first elements to run after the POST test, but there is a proof of concept ring -1 which starts even earlier and is therefore protected before Avenger even loads. I will not post the link for this as I do not want it to become common knowledge. But suffice it to say it appears that you may have this type.

Use of a tool outside of Windows may kill it, but it appears that the control of the system is enough to stop an ISO being burnt.

Therefore I am afraid the only way to kill this is to reformat the drive; an overinstall or re-install of Windows will not work. You need to wipe the drive and start afresh.