Author Topic: Root kit hijacking Avast! installed on login  (Read 3942 times)

REDACTED

  • Guest
Root kit hijacking Avast! installed on login
« on: October 27, 2014, 02:47:06 PM »
Hello.  While I am a technician professionally, picking apart bugs is not my forte.  On my home PC, something has gotten on it with the following characteristics:
- After login, Avast! asks if I'm invoking an installer and asks for my password.  Initially the bug has penetrated Avast!, only after updating the engine did this activity start.
- It appears to be going through Chrome, which is not installed on my system but I see is a bundled piece of software with Avast!.
-- Chrome was running many times in Task Manager
-- Many Chrome installations appeared throughout my \Users\(my name)\AppData directory
- This something was trolling through my Delphi directory, infecting software I've written, through the Interbase module.

To clean up, in safe mode I deleted all those Chrome directories, uninstalled Delphi, ran SpyBot, MalwareBytes and ComboFix (which doesn't run correctly) and updated the Avast! engine.  However, I still have this on login, something is trying to modify Avast!.  I've run a full, deep scan overnight with Avast! and it found no root kits but I suspect one is there.

I hope that was all clear.  I attached a screengrab of my current Avast! install's About.  Let me know if there are any logs or other information you need.  I'll check back daily.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: Root kit hijacking Avast! installed on login
« Reply #1 on: October 27, 2014, 02:50:04 PM »
Attach your basic logs. (MBAM, FRST and aswMBR..!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not an avast user
Re: Root kit hijacking Avast! installed on login
« Reply #2 on: October 27, 2014, 02:52:39 PM »
Malwarebytes is not designed to be run in safe mode, so it should only be run in safe mode if there is a problem running it.
Yes, it will run, but all drivers are not loaded.


REDACTED

  • Guest
Re: Root kit hijacking Avast! installed on login
« Reply #3 on: October 27, 2014, 03:49:09 PM »
Here are the logs, including Avast!'s semi-log showing that I ran a scan and it came up clean, last night.

C:\users\mwjp\appdata\local\falloutNV's detection, via aswMBR, has been removed.  That dll was open with the registry service, so I had to reboot and remove it in safe mode.  On restarting normally, Avast! Secure Line tried to open, which I do not have installed.

I do know that MalwareBytes likes to run in normal login, especially inside the context of the user having the problems, but it was necessary to run it in safe mode yesterday.  I'll run the full, normal scan overnight tonight; I need to finish my final today and if I can limp along with Word, I'll be o.k. for now.

Offline Asyn

Re: Root kit hijacking Avast! installed on login
« Reply #4 on: October 27, 2014, 03:59:07 PM »
OK, now you have to wait a bit...

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Root kit hijacking Avast! installed on login
« Reply #5 on: October 27, 2014, 04:17:20 PM »
Do you have the main FRST.txt, please?

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Root kit hijacking Avast! installed on login
« Reply #6 on: October 27, 2014, 04:27:56 PM »
Avast and Windows Defender running at the same time is not a good idea.

REDACTED

  • Guest
Re: Root kit hijacking Avast! installed on login
« Reply #7 on: October 30, 2014, 12:55:21 AM »
Quote from essexboy: Do you have the main FRST.txt please

What main FRST.txt?  I included the only one that was generated.

Offline essexboy

Re: Root kit hijacking Avast! installed on login
« Reply #8 on: October 30, 2014, 04:09:47 PM »
In that case, could you run FRST again? It will generate two text files, FRST and additions. Please attach both.

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6700
  • Trust only what you test yourself!
Re: Root kit hijacking Avast! installed on login
« Reply #9 on: October 30, 2014, 07:43:41 PM »
Quote from Eddy: Avast and Windows Defender running at the same time is not a good idea.

SpyBot is useless anymore.
http://www.pcmag.com/article2/0,2817,2412372,00.asp
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.