Author Topic: Avast deleted important system files!

ktwo (Newbie)
Avast deleted important system files!
« on: March 17, 2004, 11:31:38 PM »
Hi,

I installed the Avast home version this week and it immediately discovered the worm Hybris (I use Win98). A thorough scan gave something like 40 infected files and I chose to delete them all. After rebooting, Windows says the registry is damaged and I'm asked to reboot. The registry looks in fact quite damaged, since users and current user are unavailable. Of course, this message comes back every time, so rebooting doesn't help. When looking a bit deeper into the system, I noticed I no longer had the user.dat file! Nor the msdos.sys. All the backups for these files are also missing. I can still use my computer to some extent, but for example all Microsoft applications won't start, the keyboard is screwed up, every time I want to use WinZip I have to reinstall it, ...

I'm not sure I can blame Avast for what's happened, because maybe I should have looked through the files more carefully or have consulted the internet first, but on the other hand it's quite serious if it deletes vital system files. Anyway, has anyone heard about this before? Is there a way to get hold of a new user.dat, or are they too personal? Do you agree that the kernel of the problem is the deleted user.dat? Any other ideas? Just if you are curious: if I had had the possibility to get hold of a Windows 98 CD, I wouldn't have written this!

Thanks and bye for now,

Dag

Lisandro (Avast team)
The best things in life are free.

ktwo (Newbie)
Re: Avast deleted important system files!
« Reply #2 on: March 18, 2004, 01:10:43 PM »
Thank you for your concern,

I'm not sure how to interpret your reply though. If you're making fun of me, I can just say that there are probably thousands of well-known viruses out there. They are well known because anti-virus programs are supposed to handle them. That's why I installed Avast in the first place (and because my computer has quite a few users).

If your intention was to be more constructive, my answer is this: since repairing wsock32.dll didn't work, I replaced it from the precopy1.cab. Well, actually Avast deleted it upon rebooting and I replaced it. Still, I can't say I understand how this managed to delete user.dat and its backups (couldn't find it in the cabs or sysbckup either) though.

Well, I'm still waiting for a reply how to replace/recreate/copy user.dat (or to know if it is impossible)!

/Dag

Eddy (Avast Evangelist)
Re: Avast deleted important system files!
« Reply #3 on: March 18, 2004, 01:29:11 PM »
First of all, you made a wise decision getting and using Avast. Although it is free, it truly is one of the best AV software around.

But let me try to help you solve your problem. If it was Avast that removed those files, they really were infected and beyond repair. So that is good, because you don't want an infected system.

How to solve the problems you have now?
Three ways are possible in my opinion.

1) start, run, sfc replace ALL changed files and reboot. (if you still can do this) You need the windows 98 cd.

2) Do a repair of Windows 98. Boot from a Windows 98 boot floppy; if you don't have one, get it from www.bootdisk.com. Choose the option to start/boot with CD-ROM support. After booting you get a command prompt. Put in the Windows 98 CD and run setup.exe from it. When the setup asks you where to install, set it to install in the same directory Windows is currently in, which normally is c:\windows. This will restore Windows without you losing data. You may need to reinstall some drivers after the (re)installation is finished, but that is all. Of course it is advised to back up important data before doing this, just to be safe.

3) If the previous things I mentioned don't work, back up and do a clean installation of Windows 98.

A little advice. After you have solved the problems, make sure you have Avast installed and that the on-access scanner is running. Also install a firewall (best way is a router with a built-in one), but if you can't afford one or don't want one, www.zonelabs.com has a freeware software one.

Also visit http://windowsupdate.microsoft.com to get all security updates/patches for your operating system.

whocares (Super Poster)
Re: Avast deleted important system files!
« Reply #4 on: March 18, 2004, 02:12:01 PM »
Hi artras,

Quote
Just if you are curious, if I had had the possibility to get hold of a Windows 98 CD, I wouldn't have written this!

@Dag:

So Win still boots to some extent?
- I don't know if SFC.exe is normally present on the Win98 system partition; try this first
- if you have/find any more of the CAB files, you might be able to reinstall/repair from there..
- what about scanreg /restore or similar utilities?

or try reinstalling the bigger Updates/Servicepacks for Win98

btw: why don't you have a Win98-CD ?

Quote
since repairing wsock32.dll didn't work, I replaced it from the precopy1.cab. Well, actually Avast deleted it upon rebooting and I replaced it.

wsock32.dll is supposed to be the only file that's easily repairable, just by extracting avast's backup copy of it from the Chest.
Other files infected by Hybris are impossible/difficult to repair, according to Symantec (see above)

What does the report say about which files were deleted ?

How did you check that user.dat/da0 and msdos.sys are missing?

From within Win, or from a DOS boot disk?
If the latter, did you check/change their attributes (-h -s), so that DIR will see them?




« Last Edit: March 18, 2004, 02:18:05 PM by whocares »

Eddy (Avast Evangelist)
Re: Avast deleted important system files!
« Reply #5 on: March 18, 2004, 02:42:05 PM »
Forgot to tell. A Windows 98 CD can be bought at a local computer store. They are also offered with licenses on sites like eBay. If you buy one, make sure you get one that is legal.

Lisandro (Avast team)
Re: Avast deleted important system files!
« Reply #6 on: March 18, 2004, 04:08:36 PM »
Quote
I'm not sure how to interpret your reply though. If you're making fun of me

Sorry for leaving a possibility of misunderstanding...
I never make fun of anybody in this forum (as you can see, I'm not exactly a newbie here). I tried to guide you but, after all, artras and whocares did the work better than I.
Welcome to the forums and avast!  ;)

bassbag (Jr. Member)
Re: Avast deleted important system files!
« Reply #7 on: March 18, 2004, 08:14:00 PM »
Maybe worth restoring to a previous registry first. Go to Start > Shut Down > Restart in MS-DOS mode.
Then type
scanreg /restore

choose a previous registry and see if that restores some stability.
me

ktwo (Newbie)
Re: Avast deleted important system files!
« Reply #8 on: March 18, 2004, 11:31:47 PM »
Wow, thanks a lot for some good ideas!

I'll try to answer them as accurately as possible without being too long.

< First about the cd. I'm studying in France and I have little hope of finding a swedish cd here. The system seems a bit unstable as it is, so I'm not sure I wanna risk it in the hands of a froggy cd ;-). Anyone with experience from cds with different languages?

< Looking in the chest is a good idea! The problem is I can't open Avast. It asks me for a registration key, but the one I signed up for doesn't work. Although I only used Avast a few days, I'm not able to use the 60 days without registration??? I remember that feature worked before the virus was detected. Maybe I could backup the chest and reinstall Avast?

< Scanreg /fix says the registry is corrupt and won't fix it.
< Scanreg /restore says the registry has been successfully restored, no matter which backup I choose, and I'm asked to reboot. The problems are still there though.

< The user.da* files aren't there, because attrib -h -r -s or dir /ah can't detect them in the windows folder (done it in boot dos). I found msdos.sys though (in c:, not in the windows directory).

< sfc seems to work (no error messages), but it didn't fix the problem.

< I'm not quite sure how to extract the cabs files to some larger extent (I don't know the folder of half of them). I don't know how many there are supposed to be, but now there are about 50 of them. In particular _user1.cab and _system1.cab, but they are both corrupt! The rest works (except data1.cab).

< I tried a few registry fix tools. But they ended up in error messages.

< Technical, no harm done! It's been a busy day, so I maybe overreacted a bit as well. Thanks for the links and for the welcome!

Thanks again, and don't hesitate to send me more ideas or answer some of the questions above,

Dag

Lisandro (Avast team)
Re: Avast deleted important system files!
« Reply #9 on: March 19, 2004, 04:41:04 AM »
Quote
< First about the cd. I'm studying in France and I have little hope of finding a swedish cd here. The system seems a bit unstable as it is, so I'm not sure I wanna risk it in the hands of a froggy cd ;-). Anyone with experience from cds with different languages?

Probably, it won't work... I tried English and Portuguese without success  :-\

Quote
< Looking in the chest is a good idea! The problem is I can't open Avast. It asks me for a registration key, but the one I signed up for doesn't work. Although I only used Avast a few days, I'm not able to use the 60 days without registration??? I remember that feature worked before the virus was detected. Maybe I could backup the chest and reinstall Avast?

What is your system time and date? Isn't the year wrong?
Anyway, it will be better to have a Registration key in hand to use the Home version if needed.

Quote
< Scanreg /fix says the registry is corrupt and won't fix it.
< Scanreg /restore says the registry has been successfully restored, no matter which backup I choose, and I'm asked to reboot. The problems are still there though.

Probably the virus activates itself in the 'new' Registry...  :'(

Quote
Technical, no harm done! It's been a busy day, so I maybe overreacted a bit as well. Thanks for the links and for the welcome!

Ok, the  :P was for the worm and not for you of course  ;)

I'm doing some research and will post if I found anything relevant  ::)

Lisandro (Avast team)
Re: Avast deleted important system files!
« Reply #10 on: March 19, 2004, 04:50:24 AM »
W32/Hybris-A
Type: Win32 worm
Description: W32/Hybris-A is an internet worm.  
Recovery: Please follow the instructions for removing worms in Windows 95/98/Me:

1. To close the spiral you will have to go into DOS mode and you will need SWEEP for DOS.

2. Either download the Emergency SAV distribution and unzip it, or create a folder 'Sophtemp' and copy the contents of the DOS folder on the CD into it. (http://www.sophos.com/tools/esdz.exe)

3. Go to the Start menu and select Shut Down. Choose the option "Restart the computer in DOS mode". Starting a Command Prompt (a DOS window) is not enough.

4. At the DOS prompt type

C:
CD \
CD SOPHTEMP
SWEEP *: -REMOVEF

5. Say 'Yes' when prompted to delete a file (provided it is a W32/Hybris-B file). Make a note of its name.

6. Reboot to Windows.

7. In the win.ini file, which can be found in the Windows directory, there will be a run= line that points to the file that you deleted above. Delete the file name from that line.

8. You will need to replace WSOCK32.DLL. Copy it from your original installation media or a clean computer.
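Step 7 of the instructions quoted above (removing the deleted worm file from the run= line of win.ini) is easy to get wrong by hand on a system that is already unstable, and removing the whole line would also stop any legitimate program listed there. Here is an added example that is not part of this thread nor of the Sophos/Symantec text quoted above: a small Python script that removes one named file from the run= key of the [windows] section and leaves every other entry and line as it is. The sample win.ini and the file name DELETED.EXE are constructed placeholders for the file that SWEEP reported in step 5; substitute the name you noted.

```python
"""Remove one program from the run= line in a Windows 9x win.ini.

Added example, not code from the forum thread. The win.ini text and the
file name DELETED.EXE are constructed stand-ins for the worm file that
SWEEP reported and deleted (step 5 of the quoted instructions).
"""
import os
import re
import shutil
import sys
from pathlib import PureWindowsPath

# Constructed sample: a [windows] section whose run= line starts both the
# (already deleted) worm file and a legitimate program that must be kept.
SAMPLE_WIN_INI = "\r\n".join([
    "[windows]",
    "load=",
    "run=C:\\WINDOWS\\DELETED.EXE C:\\TOOLS\\MONITOR.EXE",
    "NullPort=None",
    "",
    "[Desktop]",
    "Wallpaper=(None)",
    "",
])


def remove_run_entry(ini_text, filename):
    """Return (new_text, changed).

    Only the run= key inside the [windows] section is rewritten. Entries are
    matched on their base name, case-insensitively, so DELETED.EXE and
    C:\\WINDOWS\\DELETED.EXE remove the same entry. Windows 9x separates
    run= entries with spaces or commas, so a path containing spaces is as
    ambiguous here as it is for Windows itself.
    """
    target = PureWindowsPath(filename).name.lower()
    out = []
    section = None
    changed = False
    for line in ini_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
        elif section == "windows" and not stripped.startswith(";"):
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "run":
                entries = [e for e in re.split(r"[ ,]+", value.strip()) if e]
                kept = [e for e in entries
                        if PureWindowsPath(e).name.lower() != target]
                if len(kept) != len(entries):
                    changed = True
                    # Preserve the file's own line ending (CRLF on Windows).
                    eol = "\r\n" if line.endswith("\r\n") else (
                        "\n" if line.endswith("\n") else "")
                    line = key.strip() + "=" + " ".join(kept) + eol
        out.append(line)
    return "".join(out), changed


def clean_win_ini(path, filename):
    """Rewrite win.ini in place after saving a copy as win.bak; return changed."""
    with open(path, "r", encoding="cp1252", newline="") as f:
        text = f.read()
    new_text, changed = remove_run_entry(text, filename)
    if changed:
        shutil.copyfile(path, os.path.splitext(path)[0] + ".bak")
        with open(path, "w", encoding="cp1252", newline="") as f:
            f.write(new_text)
    return changed


if __name__ == "__main__":
    # Usage: python clean_winini.py C:\WINDOWS\WIN.INI DELETED.EXE
    if len(sys.argv) != 3:
        print("usage: clean_winini.py <win.ini path> <file name to remove>")
        sys.exit(2)
    print("changed" if clean_win_ini(sys.argv[1], sys.argv[2]) else "no change")
```

Run it from Windows after step 6, pointing it at the real win.ini (normally C:\WINDOWS\WIN.INI) and the file name from step 5; it writes win.bak before touching the original, and a second run reports "no change", which is a cheap way to confirm the entry is really gone before moving on to step 8.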

Lisandro (Avast team)
Re: Avast deleted important system files!
« Reply #11 on: March 19, 2004, 04:56:16 AM »
To extract a new copy of the Wsock32.dll file:

This is necessary only if Wsock32.dll cannot be repaired. You must run the Extract command at a command (DOS) prompt. Follow these steps to do this, using the instructions for your operating system.

This information is provided for your convenience. We have provided detailed instructions for Windows 95/98/Me, which are the operating systems most affected by this. These instructions should work for most versions of these operating systems. In most cases, this should not be necessary under Windows 2000/XP, because these systems' File Protection feature should prevent the Wsock32.dll file from being overwritten (unless File Protection was disabled).

The following documents provide general instructions on how to extract files. The exact steps may vary slightly depending on the configuration of your operating system, where the files are located, and so on. For additional information, read the Windows documentation, Help files, or contact Microsoft.
The Microsoft Knowledge base article How to Extract Original Compressed Windows Files (http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q129605&), Article ID Q129605, has detailed information for Windows 95/98/Me.
How to extract files in Windows 98 and Windows Me (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001011114021106)


You will need a Windows 98 startup disk. (If you are using Windows 95, you will still need one that was created on a Windows 98 computer). For instructions on how to create one, see the document How to create a Windows Startup disk.
Have the Windows installation CD available.
When typing the command, substitute the appropriate drive letter for your CD-ROM drive for the letter x. For example, if you are using Windows 98, and the CD-ROM drive is the drive D, then you would type

extract /a d:\win98\precopy1.cab wsock32.dll /L c:\windows\system

1. If Windows is installed in a folder other than C:\Windows, then substitute the appropriate path or folder name in the last part of the command that refers to the \Windows\System folder.
For detailed instructions on using the Extract command, see the Microsoft document How to Extract Original Compressed Windows Files, Article ID: Q129605.
As a somewhat easier alternative to the following procedure, if you are using Windows 98, then you can use the System File Checker to restore the file. For information on how to do this, see your Windows documentation.

2. Shut down the computer and turn off the power. Once the computer is off, insert the Windows 98 Startup disk in the floppy disk drive and turn the computer back on. At the menu, select Start with CD-ROM support.
Type the command that applies to your operating system:
If you are using Windows 98, then type the following and press Enter:

extract /a x:\win98\precopy1.cab wsock32.dll /L c:\windows\system

3. If you see an error message of any kind, then repeat step 2, making sure that you typed the correct command for your operating system and that you typed it exactly as shown. Otherwise, type exit and then press Enter.
« Last Edit: March 19, 2004, 05:07:37 AM by Technical »

ktwo (Newbie)
Re: Avast deleted important system files!
« Reply #12 on: March 19, 2004, 11:19:58 AM »
Thanks,

Do you think the virus is still there? Sophos found nothing. The system date is OK. As I mentioned earlier, sfc runs without problems, but it doesn't seem to notice that, for example, user.dat isn't there. When Avast first deleted wsock32.dll, I got some error messages that it was missing, but since replacing it, Windows doesn't complain about that anymore.

I'll try to register for a few more registration keys this evening, as well as looking into the possibility of reinstalling Avast. There are definitely some files in the chest, but since I can't open Avast, I can't see what's inside.

Bye for now,

Dag

whocares (Super Poster)
Re: Avast deleted important system files!
« Reply #13 on: March 19, 2004, 12:13:40 PM »
Hi,

I wish you good luck..

For next time: there's a small Microsoft tool called ERU/ERD (emergency recovery) which lets you save/back up and restore all critical system files for Win9x.

Maybe you even find those backup files (though old) still on your PC somewhere? Especially if the PC was preinstalled.

 ;)

Lisandro (Avast team)
Re: Avast deleted important system files!
« Reply #14 on: March 19, 2004, 02:58:19 PM »
Whocares, would you be so kind to post the link for downloading that tool?

Ktwo, probably you're virus free, but if you have Windows working, try to uninstall avast! and install it again. An on-line scan will be good too (TrendMicro for instance).  ;)