Author Topic: Infected PC  (Read 15390 times)


r.clark

  • Guest
Infected PC
« on: August 20, 2013, 08:47:54 PM »
I'd been redirected to this subforum. I've read through the sticky and have acquired the necessary logs and scanners. They're attached to this post.

This was the original post I made; it was in the wrong section so I'm starting a new thread here with the scan logs:

http://forum.avast.com/index.php?topic=132779.0

Notes:
AdwCleaner did not generate a log upon restart. I've included a "before" reboot scan and "after."
I was unable to launch MalwareBytes. After hitting "finish" in the install, the install wizard window remained open and I had to close it with task manager. Running MBAM as administrator did not bring up a window. OTL and aswMBR worked fine.
As I can only upload four attachments, here is a link to my HijackThis log:

http://pastebin.com/uamzXxK9

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected PC
« Reply #1 on: August 20, 2013, 09:02:26 PM »
OK, Kaspersky is still running, so we will remove that and do a clean install of Avast and then work from there

Download a fresh copy of Avast and AswClear to your desktop along with the Kaspersky removal tool

Download Uninstall Utility to your Desktop.
Download the correct version of Avast:
  • Avast Free
  • Avast Pro
  • Avast Internet Security
  • Avast Premier

Download the Kaspersky removal tool from here: http://support.kaspersky.com/common/service.aspx?el=1464

Disconnect from the net
Uninstall Avast via control panel

  • Run aswClear
  • It will offer to reboot to safe mode. Accept that
  • Once it has rebooted to safe mode
  • In the Select Product to Uninstall dropdown choose the version of Avast that is on your system.
  • Press Uninstall
  • Once complete reboot your system to Normal Mode

----------

Run the Kaspersky removal tool
Reboot
Install Avast

Once completed could you let me know what problems you are having

r.clark

  • Guest
Re: Infected PC
« Reply #2 on: August 21, 2013, 08:05:49 PM »
After completing that yesterday I did see a few small improvements after removing Kaspersky, but for the most part all the big problems are still there. Running Avast in safe mode right now because normal mode is unbearable.

Current problems:
Still can't run boot scan; I'm now able to restart the computer under "more details" with avast after scheduling now though.
I'm still seeing "not yet registered, 0 days of protection remaining" right after installing.
When I try to register I get "The AAVM subsystem detected a RPC error"
Update will not throw an error window but doesn't seem to initiate.
Quick scan successfully initiates this morning but last night gave the "no available endpoints" error.

I'm going to try running in normal mode again now (which was working last night) though this morning the login screen was unresponsive the two times I tried.

Offline essexboy

Re: Infected PC
« Reply #3 on: August 21, 2013, 08:34:47 PM »
OK, it may be that Kaspersky prevented Avast from installing properly

Let's reinstall Avast

Download Uninstall Utility to your Desktop.
Download the correct version of Avast:
  • Avast Free
  • Avast Pro
  • Avast Internet Security
  • Avast Premier

Disconnect from the net
Uninstall Avast via control panel

  • Run aswClear
  • It will offer to reboot to safe mode. Accept that
  • Once it has rebooted to safe mode
  • In the Select Product to Uninstall dropdown choose the version of Avast that is on your system.
  • Press Uninstall
  • Once complete reboot your system to Normal Mode
  • Reinstall Avast

----------

THEN

Run a fresh OTL scan for me please

r.clark

  • Guest
Re: Infected PC
« Reply #4 on: August 22, 2013, 06:30:30 AM »
Well, I got some mixed results. I followed your directions, uninstalled and ran the remover in safe mode, then reinstalled in normal mode. Upon first running Avast I noticed that while still sluggish, the overlay was working. Avast ran a first-time quickscan and updated itself which it hadn't done before. I was also able to register the product. I decided to run a boot scan as I was pretty sure I had malware. The boot scan also worked and found about four infected java files. I opted to send all of them to the chest.

The problems started when I rebooted to normal mode again. I looked in the chest to see nothing. The boot scan wasn't listed under the scan logs. I also noticed a lot of problems I was having before were present again (endpoint mapper error, product has 0 days of protection left even though I had just registered it for a year, etc).

I will now scan again with OTL and attach the log.

-UPDATE-

I booted into safe mode again to check a few things. Certain problems with Avast are still there, but other problems seem to be gone. For example, I still need to renew my registration ("0 days remaining" at the top), BUT in safe mode I can see the stuff I quarantined in the chest. The boot scan still isn't displayed in my scan logs though, only the startup scan, some quickscans, and a folder scan.

I've attached an image of my virus chest.

« Last Edit: August 22, 2013, 07:38:11 AM by r.clark »

Offline essexboy

Re: Infected PC
« Reply #5 on: August 22, 2013, 08:55:36 PM »
They all appear to be in the Java cache bar one

Let's now clear the rest of the dross and see how it behaves on completion

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:OTL
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q="
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\virtualKeyboard@kaspersky.ru: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\FFExt\virtualKeyboard@kaspersky.ru
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\linkfilter@kaspersky.ru: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\FFExt\linkfilter@kaspersky.ru
O4 - HKLM..\Run: [132.exe] C:\Program Files (x86)\LP\229A\132.exe File not found
O4 - HKLM..\Run: [BKKK88fRZ9] C:\Users\Owner\AppData\Roaming\dwme.exe File not found
O4 - HKLM..\Run: [snnGG5aQH6dWKfL8234A] C:\windows\system32\AV Protection 2011v121.exe File not found
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
[2011/11/11 01:08:04 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\0404A
[2013/08/21 17:46:50 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\A2B04
[2011/11/11 01:07:47 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\c33oonGG4aH6sKf
[2011/11/11 01:21:39 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\cYo
[2011/11/11 01:07:08 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\kWWWJ77dEL8RZhY
[2011/11/18 01:15:39 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\KwwwkUUVrlOtx0y
[2011/11/18 01:15:08 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\OcSS11ibD3onGaH
[2011/11/18 01:14:57 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\OhhhTXXqjUCeIBz
[2011/11/11 01:07:03 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\sPPP0yycS1iD3oF
[2011/11/18 01:15:00 | 000,000,000 | ---D | M] -- C:\Users\Owner\AppData\Roaming\tDD22obF4pmG5Q6

:Files
C:\Program Files (x86)\LP

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
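
Added example (not part of essexboy's post and not OTL's own code): a read-only Python parser for the O4 autostart lines in the format shown in the fix above, listing the entries OTL marked "File not found", which are the leftover Run values the fix removes. The function and type names are hypothetical, and the line format is assumed only from the lines quoted in this thread.

```python
import re
from typing import List, NamedTuple, Optional

# O4 lines copied from the fix script in the post above; the FF line is kept
# to show that non-autostart lines are skipped.
SAMPLE_LOG = r"""
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3072253&SearchSource=2&q="
O4 - HKLM..\Run: [132.exe] C:\Program Files (x86)\LP\229A\132.exe File not found
O4 - HKLM..\Run: [BKKK88fRZ9] C:\Users\Owner\AppData\Roaming\dwme.exe File not found
O4 - HKLM..\Run: [snnGG5aQH6dWKfL8234A] C:\windows\system32\AV Protection 2011v121.exe File not found
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk = C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
"""

class Autostart(NamedTuple):
    source: str            # registry key as OTL prints it, or "Startup"
    name: str              # registry value name, or the .lnk path
    target: str            # executable the entry launches
    missing: bool          # True when the line ends in "File not found"
    vendor: Optional[str]  # trailing "(Vendor)" tag, when present

RUN_RE = re.compile(r"^O4 - (HK\w+\.\.\\\w+): \[([^\]]*)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - (Startup): (.+?) = (.+)$")
VENDOR_RE = re.compile(r"^(.*\S) \(([^()]*)\)$")
MISSING = " File not found"

def parse_o4(line: str) -> Optional[Autostart]:
    """Parse one O4 line; return None for any other kind of line."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    source, name, rest = m.groups()
    if rest.endswith(MISSING):
        return Autostart(source, name, rest[:-len(MISSING)], True, None)
    v = VENDOR_RE.match(rest)
    if v:
        return Autostart(source, name, v.group(1), False, v.group(2))
    return Autostart(source, name, rest, False, None)

def orphaned_autostarts(log: str) -> List[Autostart]:
    """Autostart entries whose target no longer exists on disk."""
    entries = (parse_o4(line.strip()) for line in log.splitlines())
    return [e for e in entries if e is not None and e.missing]

if __name__ == "__main__":
    for e in orphaned_autostarts(SAMPLE_LOG):
        print(f"{e.source} [{e.name}] -> {e.target} (target missing)")
```
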

r.clark

  • Guest
Re: Infected PC
« Reply #6 on: August 22, 2013, 11:10:35 PM »
This is the log I received after running the fix and rebooting:

http://pastebin.com/YXHpFX6c

This is the log I received after I ran the quick scan with OTL:

http://pastebin.com/ngDgvvEx

Scans were completed in safe mode. I had to manually reboot. Computer is still slow (especially Windows Explorer).

Offline essexboy

Re: Infected PC
« Reply #7 on: August 23, 2013, 02:25:34 PM »
You did have a lot of junk files on the system: Total Files Cleaned = 5,583.00 mb
Also disc space is tight; MS recommend at least 15% free space. Drive C: | 272.00 Gb Total Space | 29.72 Gb Free Space | 10.93% Space Free | Partition Type: NTFS

Next could you uninstall any programmes that are no longer used freeing at 10Gb of data and then run the disc defragmenter

Let me know if that improves the speed

r.clark

  • Guest
Re: Infected PC
« Reply #8 on: August 23, 2013, 07:36:22 PM »
Will do, I've been meaning to clean it out before getting hit with these issues. I'll post back when I finish defragmenting, probably in a couple hours if the computer stays responsive. I've had to be very patient with it in normal mode. Would you recommend running Advanced System Care?

Offline essexboy

Re: Infected PC
« Reply #9 on: August 23, 2013, 07:40:21 PM »
In a word ... No. In my opinion most programmes like that are just snake oil. Generally clearing temps and running a defrag is all that is needed

r.clark

  • Guest
Re: Infected PC
« Reply #10 on: August 23, 2013, 10:03:43 PM »
Well I'm defragging my C drive now but since my computer has a defrag scheduled weekly things are pretty unfragmented already. I analyzed my C drive prior to defragging and it said it was about 1% fragmented.

r.clark

  • Guest
Re: Infected PC
« Reply #11 on: August 23, 2013, 10:18:54 PM »
It's still pretty sluggish. The most noticeable stuff would be launching Chrome and the Windows start menu. Though using the control panel to uninstall programs was fine, markedly improved from a few days ago when I was trying to use it to uninstall Avast.

Offline essexboy

Re: Infected PC
« Reply #12 on: August 23, 2013, 10:24:23 PM »
In your case it is not so much the amount of fragmentation but the lack of space to shift files around on the disc. Did you manage to free some space?

r.clark

  • Guest
Re: Infected PC
« Reply #13 on: August 23, 2013, 10:29:36 PM »
Yes, I have about 90 gigabytes of free space now. Did some cleaning up in my Steam library. :)

Offline essexboy

Re: Infected PC
« Reply #14 on: August 23, 2013, 10:31:39 PM »
So we are looking at slow Chrome and the start menu with most other bits working OK?