Author Topic: boot scan stuck after malware detection  (Read 10281 times)

Yveline

  • Guest
boot scan stuck after malware detection
« on: July 25, 2013, 01:13:26 PM »
Hi,
Yesterday, Avast gave me a warning when the Google page opened: "malware lesmecz.info".
I launched a thorough scan, which detected 4 infected files. I could quarantine them.
Then the recommendation was to restart the computer with a boot scan to complete the process, which I did. The laptop is now stuck at 15% (on a screen with white letters on a black background). I tried to hit Esc or quarantine, but nothing moves.
What should I do?
Thanks for your help.
Yveline

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: boot scan stuck after malware detection
« Reply #1 on: July 25, 2013, 02:02:17 PM »
Give it more time... but if nothing happens, I guess you only have one option: force restart.


Yveline

  • Guest
Re: boot scan stuck after malware detection
« Reply #2 on: July 25, 2013, 08:44:12 PM »
Since nothing had moved, I forced restart.
Windows launched repair, then System Restore, and then the Windows start-up screen appeared.
I ran another Avast thorough scan. It came up with 11 infected files instead of 4 on the previous scan.
Since the laptop got stuck when I followed the instructions after that first scan, I'd like to know what I should do.
Thanks for help.
Yveline

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: boot scan stuck after malware detection
« Reply #3 on: July 25, 2013, 08:45:33 PM »
Hi,

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds to run the tool.

    * When done, DDS will open two (2) logs:
        1. DDS.txt
        2. Attach.txt

Save both reports to your desktop. Attach DDS.txt and Attach.txt to your reply in this topic.

Offline Pondus

Re: boot scan stuck after malware detection
« Reply #4 on: July 25, 2013, 08:47:50 PM »
Quote
It came up with 11 infected files instead of 4 on the previous scan.
If you can attach a screenshot of this, it may help magna to see what was detected.


Yveline

  • Guest
Re: boot scan stuck after malware detection
« Reply #5 on: July 25, 2013, 11:09:03 PM »
Here are the attachments. I assume they are OK even though I hit "run" on dds instead of saving to desktop.
Thanks for your time,
Yveline

Offline magna86

Re: boot scan stuck after malware detection
« Reply #6 on: July 25, 2013, 11:37:37 PM »
Hi,



Please download zoek.exe from here or here and save it to your Desktop.
  • Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this instruction.
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code:

emptyclsid;
{00000000-6E41-4FD3-8538-502F5495E5FC};c
{64F56FC1-1272-44CD-BA6E-39723696E350};c
{af6ac4f2-9825-4fb6-a600-92bc5361f209};c
{d2ce3e00-f94a-4740-988e-03dc2f38c34f};c
{D4027C7F-154A-4066-A1AD-4243D8127440};c
{8dcb7100-df86-4384-8842-8fa844297b3f};c
iedefaults;
c:\program files\ask.com;fs
filesrcm;
startupall;
ipconfig /flushdns >> %temp%\log.txt;b
firefoxlook;
chromelook;
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run];r
"EoFlip"=-;r
emptyalltemp;
autoclean;




2. Save notepad as zoekscript.txt




  • Close all browser windows.
Referring to the screenshot above, drag zoekscript.txt into zoek.exe.
Zoek will run. When finished, it will produce a zoek-results.log for you.
Note: It will also create a log in the C:\ directory named "zoek-results.log"


>> Please attach it to your reply.





=========== THEN ===========






> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens on the top right corner, click Settings.
  • In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart the computer once more.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Attach the log report (ComboFix.txt) back to the topic.


Yveline

  • Guest
Re: boot scan stuck after malware detection
« Reply #7 on: July 26, 2013, 09:56:41 AM »
Here are the attachments.
Thanks,
Yveline

Offline magna86

Re: boot scan stuck after malware detection
« Reply #8 on: July 26, 2013, 11:11:58 PM »
Hi,


Open notepad and copy/paste the text present inside the code box below:


Code:

SkipFix::

File::
C:\Windows\tasks\Norton Internet Security - Run Full System Scan - Rogine.job
C:\Users\Rogine\AppData\Local\APN\GoogleCRXs\apnorjtoolbar.crx
C:\Users\Rogine\AppData\Roaming\1.crx

Folder::
C:\PROGRA1\NORTON1

KillAll::

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\aaaaojmikegpiepcfdkkjaplodkpfmlo]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\belnfaicoodabfeomidiabnfpbkclggl]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

ClearJavaCache::

RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]



Save this as CFScript.txt



Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )



========= THEN ==========



- Re-run Zoek.exe, click on Options and select the checkbox for the following options:

Startup Informations
Recently Created
Firefox Look
Chrome Look

- And click on button.

- Please attach here fresh zoek log.



Yveline

  • Guest
Re: boot scan stuck after malware detection
« Reply #9 on: July 27, 2013, 03:59:22 PM »
Attached are the logs you mentioned.
I had a hiccup when proceeding. After running ComboFix last time, I had re-enabled avast. As ComboFix was running this time, avast gave a red warning. Later, ComboFix asked me to disable avast, which I did. It seems the process completed normally, at least to my knowledge.
Thanks again for your time.
Yveline

Offline magna86

Re: boot scan stuck after malware detection
« Reply #10 on: July 27, 2013, 04:24:46 PM »
Ok this looks good. Last script... re-run zoek.exe as you did before using this script;

Code:
emptyalltemp;
autoclean;

When Zoek finishes its work, attach the fresh Zoek.exe log here.


============== THEN ====================


Re-check your system for possible rootkits.


Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit

    Please note: This is a beta version, so please be sure to read the disclaimer and take note of it.

  • Unzip/unrar MBAR in a folder to your Desktop
  • Open the folder where the contents were unzipped to run mbar.exe

  • Click on Next > then on Update button to download fresh definitions.
  • When database updates click Next
  • In the following window ensure "Targets" scan for Drivers; Sectors; System are ticked. Then select "Scan button"

  • If an infection/s are found ensure "Create Restore Point" is checked, then select the "Cleanup Button" to remove threats.
    Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.

  • The Clean up procedure will be Scheduled for process.
  • When complete, a pop-up will show. Select the Yes button and the system should re-boot to complete the cleaning process.
>> Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.



============THEN ================


Update your avast AV and retry the avast boot-time scan, and tell me if something is detected. If so, choose the option to delete all detected items and copy them to the avast quarantine.

Yveline

  • Guest
Re: boot scan stuck after malware detection
« Reply #11 on: July 28, 2013, 12:12:42 AM »
I did what you said and the zoek and mbar files are saved. Mbar told me nothing needed to be cleaned.
Then I ran Avast boot scan.
The result is C:\HP\bin\processlooger.exe is infected by Win32.gen [pup]
The closest options to what you said that I have are
2 delete all
4 quarantine all
I am not sure what I should do since you said "delete all" AND "quarantine all". To my understanding, on a black screen like this, I have to choose either 2 OR 4.
Kind of itchy about making a boo-boo...
I am not sending the zoek and mbar files this time since they are saved on the other computer. It is on that black screen right now and I cannot access the files nor the forum with it at the moment.
Thanks again,
Yveline

Offline magna86

Re: boot scan stuck after malware detection
« Reply #12 on: July 28, 2013, 09:50:22 AM »
Hi,
Quote
The result is C:\HP\bin\processlooger.exe is infected by Win32.gen [pup]
Obviously FP detection here in effect. Let it be, do not remove that.

Please attach here:
C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt

Quote
I am not sending the zoek and mbar files this time since they are saved on the other computer. It is on that black screen right now and I cannot access the files nor the forum with it at the moment.

Sorry, I didn't understand this. Can you or can't you access the problematic computer that we are working on above?


Yveline

  • Guest
Re: boot scan stuck after malware detection
« Reply #13 on: July 28, 2013, 02:00:12 PM »
When I last posted, I couldn't access the laptop we worked on because I was unsure of what to do about the options coming during boot scan when finding infection (The result is C:\HP\bin\processlooger.exe is infected by Win32.gen [pup]). I was using another computer.

Since you said "do not remove that", I hit "quarantine" rather than delete.
After that, the boot scan resumed for a while.
Later, it told me c:\qoobox\quarantine\C\users\rogine\AppData\roaming\1.crx.vir|>unins.js is infected by JS:febipos-DC[Trj]
I hit quarantine again and boot scan resumed.
Later, it got stuck for a long time at 14%.
I forced restart.
Windows launched repair, then System Restore, then the start-up screen appeared and I am back to posting from that laptop.

I am attaching the files you asked for, except for the avast one, which I didn't find. The path I find is slightly different from what you mentioned: mine is C:\Program Files\Alwil Software\Avast5. Under Avast5, I do not see any "report" folder.

Yveline

Offline Pondus

Re: boot scan stuck after malware detection
« Reply #14 on: July 28, 2013, 02:29:44 PM »
Quote
(The result is C:\HP\bin\processlooger.exe is infected by Win32.gen [pup]).
PUP = not a virus / Possible Unwanted Program: a program that can be good or bad if abused; in your case, a factory-installed program from HP.


Quote
Later, it told me c:\qoobox\quarantine\C\users\rogine\AppData\roaming\1.crx.vir|>unins.js is infected by JS:febipos-DC[Trj]
This is the ComboFix quarantine folder.
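
Added example, not part of any post in the thread: a short Python triage of the two boot-scan results quoted above, showing why the second one is an inert copy already sitting in ComboFix's quarantine. The Qoobox path layout and the "|>" archive-member separator are assumptions read off the path quoted in the thread; the function names are hypothetical.

```python
# Assumptions read off the one path quoted in the thread: ComboFix keeps removed
# files as C:\Qoobox\Quarantine\<drive>\<path>.vir; avast writes "container|>member".
QOOBOX_PREFIX = "c:\\qoobox\\quarantine\\"
# The two boot-scan results and the CFScript File:: entries, copied from the thread.
DETECTIONS = [
    r"C:\HP\bin\processlooger.exe is infected by Win32.gen [pup]",
    r"c:\qoobox\quarantine\C\users\rogine\AppData\roaming\1.crx.vir|>unins.js"
    r" is infected by JS:febipos-DC[Trj]",
]
REMOVED_BY_CFSCRIPT = [
    r"C:\Windows\tasks\Norton Internet Security - Run Full System Scan - Rogine.job",
    r"C:\Users\Rogine\AppData\Local\APN\GoogleCRXs\apnorjtoolbar.crx",
    r"C:\Users\Rogine\AppData\Roaming\1.crx",
]

def parse_detection(line):
    """Split 'PATH is infected by NAME' into (container, member or None, name)."""
    path, sep, name = line.partition(" is infected by ")
    if not sep:
        raise ValueError("not a detection line: %r" % line)
    container, _, member = path.strip().partition("|>")
    return container, member or None, name.strip()

def original_location(container):
    """Map a Qoobox copy back to where the file was removed from, else None."""
    if not container.lower().startswith(QOOBOX_PREFIX):
        return None
    drive, sep, tail = container[len(QOOBOX_PREFIX):].partition("\\")
    if len(drive) != 1 or not drive.isalpha() or not sep:
        return None
    if tail.lower().endswith(".vir"):
        tail = tail[:-4]  # drop the suffix added to the quarantined copy
    return "%s:\\%s" % (drive.upper(), tail)

def triage(detections, removed):
    """Label each detection as a live file or an inert quarantined copy."""
    removed_lc = {p.lower() for p in removed}
    report = []
    for line in detections:
        container, member, name = parse_detection(line)
        origin = original_location(container)
        if origin is None:
            status = "live file"
        elif origin.lower() in removed_lc:
            status = "quarantined copy of a file the script removed"
        else:
            status = "quarantined copy, origin not in the removal list"
        report.append((name, status, origin))
    return report
```

Calling `triage(DETECTIONS, REMOVED_BY_CFSCRIPT)` maps the JS:febipos-DC[Trj] hit back to the `1.crx` entry in the CFScript `File::` list, while the HP file is reported as a live file on disk.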