Author Topic: Avast stopped working, virus?  (Read 93089 times)

BJS

  • Guest
Re: Avast stopped working, virus?
« Reply #30 on: August 15, 2007, 01:31:55 AM »
Yes, around the time I was downloading a Scrabble program is when I had the problem. That is what led me to believe it was a virus.

Now I have another problem (I am on my computer now, not my wife's PC, which has the problem).

I followed your directions and placed the checkmarks next to the lines and clicked fix.

I rebooted the system and now Windows only loads halfway and then stops (the blue moving line just stops after 8 - 10 seconds). I tried safe mode but that didn't work. We don't have the original XP program (it was a used PC).

I think we are close but now I can't get by the windows load up page!  ???


mauserme

  • Guest
Re: Avast stopped working, virus?
« Reply #31 on: August 15, 2007, 04:43:02 AM »
First a little explanation of what we've done, then some thoughts on what happened and what we can try to fix the boot problem.

ComboFix does many things:  First it very specifically targets certain malware and puts those files it identifies in quarantine.  It did this with the files listed in the "Other Deletions" section of the log you posted.

It also lists files recently created with the idea that it cannot have signatures for every new variant of the malware it targets.  This list must be manually analyzed which is what led me to have you delete trusted.exe. 

Another function is a rootkit check which led to deletion of srosa.sys and hidr.exe (I should have included another file in this list of deletions but neglected to include it in the list - we would have picked this up with the second ComboFix run).  The two we deleted here also appear at the very end of the BlackLight log.

All of the things we deleted are related to a rootkitted version of a bagle trojan that was responsible for killing avast! (rootkit is a term for a program that hides another program), a couple of backdoor trojans, and some spyware.



With one exception the lines we fixed in HijackThis were all registry entries referring to files that were already gone.  I did this for tidiness - to make it easier to review subsequent logs and just to make things run better.  The single exception was this line

O4 - HKLM\..\Run: [ratmn] C:\WINDOWS\ratmn.exe

Removing this line by "fixing" it simply prevents ratmn.exe from loading when your computer starts.  We did not delete the file yet.  I have not been able to identify this file which in itself makes it suspicious.  It is most definitely not a Windows system file and, since you cannot find it when looking manually, appears to be one of the files the remaining rootkit may be hiding.  I would  still like to scan it at Virus Total before deletion.



I think the boot problem is caused by something, probably malware, corrupting your operating system.   This can be seen in the very first lines of the ComboFix log

Quote
C:\WINDOWS\system32\chkdsk.exe not present

ADS removed - C:\WINDOWS\system32\ntoskrnl.exe: The system cannot find the file specified. 



Although the computer can boot without chkdsk.exe it cannot boot without ntoskrnl.exe.  ComboFix did not remove these files - it reported their absence.  I am somewhat surprised the computer made it through the previous boot.

In order to fix this we need to replace ntoskrnl.exe and I think we may be able to use any XP installation disk to accomplish this.  Is your computer XP, and do you have the Windows disk for it?
« Last Edit: August 15, 2007, 05:02:32 AM by mauserme »
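
Added example, not part of the post above and not code from ComboFix or HijackThis: a small Python check that reads the kinds of log lines quoted in this reply and flags a missing boot-critical file before the machine is restarted. The regular expressions are modelled only on the three lines quoted above, and the list of boot-critical XP files is an assumption of this example.

```python
import ntpath
import re

# Assumption: a minimal list of files Windows XP cannot start without.
BOOT_CRITICAL = {"ntoskrnl.exe", "hal.dll", "ntldr", "ntdetect.com"}

MISSING_PATTERNS = [
    re.compile(r"^(?P<path>[A-Za-z]:\\.+?) not present$"),
    re.compile(r"^ADS removed - (?P<path>[A-Za-z]:\\.+?): "
               r"The system cannot find the file specified\.?$"),
]
RUN_ENTRY = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<command>.+)$")

# Constructed sample: the three log lines quoted in the thread.
SAMPLE_LOG = r"""C:\WINDOWS\system32\chkdsk.exe not present
ADS removed - C:\WINDOWS\system32\ntoskrnl.exe: The system cannot find the file specified.
O4 - HKLM\..\Run: [ratmn] C:\WINDOWS\ratmn.exe
"""

def missing_files(log):
    """Return (path, is_boot_critical) for every file the log reports absent."""
    found = []
    for line in log.splitlines():
        for pattern in MISSING_PATTERNS:
            match = pattern.match(line.strip())
            if match:
                path = match.group("path")
                name = ntpath.basename(path).lower()
                found.append((path, name in BOOT_CRITICAL))
                break
    return found

def run_entries(log):
    """Return the autostart (O4 Run) entries as dictionaries."""
    return [m.groupdict() for m in
            (RUN_ENTRY.match(line.strip()) for line in log.splitlines()) if m]

def safe_to_reboot(log):
    """False when any boot-critical file is reported missing."""
    return not any(critical for _, critical in missing_files(log))

if __name__ == "__main__":
    for path, critical in missing_files(SAMPLE_LOG):
        print(("DO NOT REBOOT: " if critical else "missing: ") + path)
    for entry in run_entries(SAMPLE_LOG):
        print("autostart:", entry["name"], "->", entry["command"])
```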

BJS

  • Guest
Re: Avast stopped working, virus?
« Reply #32 on: August 15, 2007, 05:07:01 AM »
I do follow what you are saying but unfortunately  :'(  my PC (which also has XP) was built by someone and they did load XP for me but not the software. I do not have any XP discs at all.  I did bring this up to my wife once (that we should get a copy of XP just in case).

Now we need it.......

So is there a way to circumvent by the load page? In safe mode it just keeps recycling over and over prompting me to choose a safe mode version or "last successful" something.

BTW, my computer also has Avast and (before the loading problem) I compared the folders.  I have the exe files for Avast but my wife's computer does not.


mauserme

  • Guest
Re: Avast stopped working, virus?
« Reply #33 on: August 15, 2007, 05:12:38 AM »
Quote
In safe mode it just keeps recycling over and over prompting me to choose a safe mode version or "last successful" something.

If one of the options is Last Known Good Configuration (or similar wording) you can try that.

Is it possible to get a Windows CD from the person who built your computer?  You should have been given one.



Quote
BTW, my computer also has Avast and (before the loading problem) I compared the folders.  I have the exe files for Avast but my wife's computer does not.

This version of bagle kills avast! and other antivirus programs.  The files will continue to disappear until it is gone.
« Last Edit: August 15, 2007, 05:23:48 AM by mauserme »

BJS

  • Guest
Re: Avast stopped working, virus?
« Reply #34 on: August 15, 2007, 05:26:20 AM »
Yes, I tried Last Known Good Configuration but to no avail.  The person who built my PC is long gone, I am not sure why he did not at least give me a copy.  I might be able to get a copy but we are new to the area.  I will try though.....when I do I will post again. 

Thanks again, I know we are close!

mauserme

  • Guest
Re: Avast stopped working, virus?
« Reply #35 on: August 15, 2007, 05:32:08 AM »
Give me some time to think about this - there must be a way ...

BJS

  • Guest
Re: Avast stopped working, virus?
« Reply #36 on: August 15, 2007, 06:48:19 AM »
What do you think about this?  Can I download it to disc and use it?



http://www.softpedia.com/progDownload/Boot-Editor-Download-1721.html

BJS

  • Guest
Re: Avast stopped working, virus?
« Reply #37 on: August 15, 2007, 07:10:58 AM »
I downloaded the ntoskrnl.exe file from  driverguide.com.  Can I put that on disc?   ???



Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast stopped working, virus?
« Reply #38 on: August 15, 2007, 08:00:45 AM »
I spent the last hour or so reading up on this. It seems an xp disk is required so the recovery console can be accessed. From there the necessary repair can be made. It looks like any xp disk will work.

I don't think putting the file on a cd will help, 'cause windows will be looking for an xp disk. But I leave that for others to comment on.

If there was some way to get to the command prompt, it may be possible to copy/replace the file.

These are just thoughts not suggestions. I'm sure others with more experience with xp will be along shortly.

The only real suggestion is try to find, beg, borrow, steal an xp disk.

BJS

  • Guest
Re: Avast stopped working, virus?
« Reply #39 on: August 15, 2007, 08:21:35 AM »
Yeah, that's kinda what I thought....I'll find one I'm sure.  My wife has friends not too far away that might have a copy.  This will be my quest this week....I feel like Sir Galahad now....

mauserme

  • Guest
Re: Avast stopped working, virus?
« Reply #40 on: August 15, 2007, 01:18:19 PM »
I think oldman is right.  The only other possibility I see is to remove the drive, install it as a data drive in a different computer, and copy the file to it.  But I don't know if this would work and there is a chance of infecting the other pc ...

denial44

  • Guest
Re: Avast stopped working, virus?
« Reply #41 on: August 15, 2007, 03:15:14 PM »
If they don't, pricegrabber doesn't have bad prices for xp discs.  It depends on what you want. (Although they're $100 discs, just take really good care of them.)
xp pro
http://software.pricegrabber.com/windows-family-os/m/4197922/search=windows%20xp/qlty=o
xp home edition
http://software.pricegrabber.com/windows-family-os/m/477483/search=windows%20xp/qlty=o
Just make sure you have a good case for it too because they're OEMs, which means they come in a bubbled sleeve with the cd key on a sticker stuck to the sleeve.

Stick with avast too, it's the best antivirus I've seen (I've tried both norton and makafee (or however you spell it)). Avast is the only one out of the three that sticks out (in a good way) and it's free for non-commercial use.
« Last Edit: August 15, 2007, 03:18:43 PM by denial44 »

BJS

  • Guest
Re: Avast stopped working, virus?
« Reply #42 on: August 15, 2007, 04:01:52 PM »
Thanks,
I will either buy a copy or find a copy somehow.  And you're right about Avast. It is an excellent product (unless a dopey owner accidentally downloads a bagle trojan that kills it)  :-\

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast stopped working, virus?
« Reply #43 on: August 15, 2007, 09:18:37 PM »
A bit of good news. An uncorrupted backup copy of the file should still be on your computer. This file would be compatible with your service pack and patches and would also be the file restored through the recovery console.

Since you don't have an xp disk to access the console there are a couple of other ways this file might be restored. As mauserme suggested, slaving the hard drive and restoring the file. But I share his concern about the possibility of spreading the infection. However the risk may be minimal if done from the command prompt.

Another way would be to make a bootable cd that will allow you to view and edit a ntfs partition in dos. This would eliminate the possibility of something spreading. I haven't found a totally free program for this yet, but did find one for a contribution of $4.

http://www.bootdisk.com/ntfs.htm

In any of the three cases the commands would be dos commands. I or others here can help you with the commands.

Before you try this I'd appreciate mauserme's comments since he's been helping you with your main problem.

mauserme

  • Guest
Re: Avast stopped working, virus?
« Reply #44 on: August 15, 2007, 11:13:48 PM »
This looks very promising to me - nice find.

This should open the door to several possibilities as there might even be two copies of ntoskrnl.exe on the computer - one in the dllcache and one on i386.  So a straight copy or a repair install could be possible if those copies are not infected or not also missing, and a copy from another computer might also work.

Oldman, do you feel comfortable working with BJS on this part?  It's a bit out of my normal area.