
Avast corrupted, doesn't accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!


oldman:
I'm not sure where you are at, but I'm working off of your DSS log.

We'll hit this guy with combofix from safe mode if possible.

Delete the copy of combofix you have now, we'll use a new "special" one. We will also run it differently.

Before we start, please ensure that system restore is turned on

After you have read the instructions for downloading this copy, please see the end of the post for instructions on how we will start combofix.

It is vitally important that combofix is renamed before it even starts to download.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

- If you are using Firefox, make sure that your download settings are as follows:
     - Tools->Options->Main tab
     - Set to "Always ask me where to Save the files".
- During the download, rename Combofix to Combo-Fix as follows:
- It is important you rename Combofix during the download, but not after.
- Please do not rename Combofix to other names, but only to the one indicated.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.


--- Quote ---
KillAll::

File::
c:\windows\system32\drivers\srosa.sys

Rootkit::
c:\windows\system32\drivers\srosa.sys

Driver::
srosa
--- End quote ---


This will start ComboFix again. Close all browser/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.



ZStorm:
Hi guys

After a long night and day running scans and stuff, I'm back to update you before preparing for another round of scans and tasks.


--- Quote from: DavidR on April 12, 2008, 10:25:19 PM ---The malware may have deleted the SafeBoot registry keys.
Here are some options to restore them:
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
Or - Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe

--- End quote ---

Stevens' solution worked great here and finally I got safe mode recovered. Thanks a bunch, DavidR.  :)


--- Quote from: oldman on April 13, 2008, 12:47:01 AM ---Hi, DavidR has you off on the right foot. The safe mode fix I usually use is the one by sUBs, no particular reason.

--- End quote ---

I'd like to make a note about the second link as I tried it - sUBs' SafeBootKeyRepair-CF.exe... the link is not valid. I searched there for another link but all references to that file pointed to that same invalid link (guess they didn't redirect to the new location).

----


Once I had safe mode back, I stuck with the previous suggestions.



--- Quote from: ZStorm on April 12, 2008, 06:11:42 AM ---

--- Quote from: Eddy on April 10, 2008, 10:30:51 AM ---- You did NOT uninstall Norton completely and that can give problems
- Remove nav completely
- Remove Kaspersky completely

--- End quote ---

I did run the Norton Removal Tool (saw it on some other topic here and thought it was a good thing to do) 2 days ago. It downloaded ok, ran ok and said in the end it was removed. But I suppose something didn't work that well, as I could see in the logs I posted previously remnants of NIS on my system. Following your advice, I downloaded it again and ran it again, getting the same result.

I found the Kaspersky Removal Tool (http://support.kaspersky.com/faq/?qid=193239279) and its instructions ask to run it in SAFE MODE. So what I'm gonna do is run Norton again in safe mode, and I will do the same with Kaspersky.


--- End quote ---


.: Well, I proceeded like I said above but it seems it didn't work, at least for Kaspersky. The KIS directory is still there. I guess Norton didn't work either.  :(

Any suggestions?




--- Quote from: ZStorm on April 12, 2008, 06:11:42 AM ---

--- Quote from: Tarq57 on April 10, 2008, 11:35:46 AM ---You could try downloading and running a full scan with cureit.

...run msconfig and select "safeboot on the "boot ini" tab.

... run HijackThis that would be good.


--- End quote ---

Cureit was downloaded and I will run it on safe mode. Next thing on my to-do list.


--- End quote ---


.: I proceeded like Tarq57 suggested. At first I did a fast scan, then I did a complete one. However, I made a silly mistake when running the complete one... I didn't set the options correctly and the log I got from it was 36M in size, as it covered all scan actions and files.

Infected or suspicious files were all moved to quarantine. Attached are the fast scan log and the HijackThis log (20080413 1437).

NOTE: It's not the first scan I've done that flagged files from fixing tools like ComboFix and DSS as either infected or suspicious. All files detected by all tools were moved to quarantine or the chest. Should I get them outta there? Are they really infected or are they safe?


......

.: I found another thread where it was suggested to download and run the Symantec Fix Tool for Beagle MO (FxBgleMO.exe), which I had previously downloaded, and I decided to run it as I had already found some variations of Beagle on previous scans (wouldn't hurt to try). The tool ran ok and the result was negative. The log goes attached.


......

From other thread I got suggestions from Tech, as follows:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.



.: I started to follow them and so far I have performed steps 1 to 3. The Avast logs are attached plus another HijackThis log (20080414 0030).



.: I noticed some files which were not caught on previous scans (even manual ones for a specific folder or file) were flagged as infected on those recent scans I performed. I don't understand how the same file can be scanned many times without the infection being detected.

Example: The file I have suspected to be the bad guy since the start (the key for KIS) was scanned several times and only at the last boot-time Avast scan did it get detected as a rootkit.

I wonder how many more scans I will have to do till I bust them all and feel safe enough to get a backup done without fearing that it will carry infected files which were not detected after more than 1 week of effort and hard work.

......

Well, that's it for now. In the morning I'm gonna check over here again and then will go on from step 4.

I don't know if I'm doing the right things here or not. If any of you have something to add or say about the procedures done so far and to be done ahead, please feel free to post. All help and feedback are welcome and quite needed.

Thank you all again for your attention and efforts on trying to help, as well for your patience.

Have all a great week.
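As an added example (not code from any of the posts above, nor from ComboFix or the SafeBootKeyRepair tool), the following PowerShell script checks for the two leftovers this thread has been chasing: the "srosa" driver that oldman's CFScript targets with its File::, Rootkit:: and Driver:: directives, and the SafeBoot registry keys that DavidR noted the malware may have deleted. The driver name and file path are taken from the CFScript on this page; the registry locations are the standard Windows ones. It assumes an elevated PowerShell prompt on a Windows machine. One caveat a practitioner should keep in mind: a driver that is still loaded can hide its own file and service key from user-mode tools (which is why the CFScript uses Rootkit:: rather than a plain File:: entry), so a clean result here is evidence, not proof.

```powershell
# Added example, not from the forum thread: post-cleanup leftover check.
# 1) Is the "srosa" driver (from oldman's CFScript) still registered or on disk?
# 2) Are the SafeBoot\Minimal and SafeBoot\Network keys present and populated?
# Run from an elevated PowerShell prompt; paths below are standard Windows locations.

$driverName = 'srosa'   # driver name from the CFScript on the page
$driverFile = Join-Path $env:SystemRoot "System32\drivers\$driverName.sys"
$serviceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$driverName"

Write-Host "== Driver check: $driverName =="

# Service registration: a Driver:: entry in ComboFix removes this key.
if (Test-Path $serviceKey) {
    $svc = Get-ItemProperty -Path $serviceKey
    Write-Host "  [!] Service key still present: $serviceKey"
    Write-Host "      ImagePath = $($svc.ImagePath)"
    # Start values: 0=boot, 1=system, 2=auto, 3=manual, 4=disabled
    Write-Host "      Start     = $($svc.Start)"
} else {
    Write-Host "  [ok] No service key for $driverName"
}

# Driver binary on disk: the File::/Rootkit:: entries in the CFScript target this.
if (Test-Path $driverFile) {
    $f = Get-Item -Path $driverFile -Force
    Write-Host "  [!] Driver file still on disk: $driverFile ($($f.Length) bytes, modified $($f.LastWriteTime))"
} else {
    Write-Host "  [ok] $driverFile not found"
}

# A loaded rootkit driver may hide its key and file from the checks above,
# so also ask the Service Control Manager whether it knows the service.
# sc.exe returns a non-zero exit code when no such service exists.
$scOutput = & sc.exe query $driverName 2>&1
if ($LASTEXITCODE -eq 0) {
    Write-Host "  [!] SCM reports a service named $driverName :"
    $scOutput | ForEach-Object { Write-Host "      $_" }
} else {
    Write-Host "  [ok] SCM has no service named $driverName"
}

Write-Host "== SafeBoot key check =="
# Safe Mode boots only if these keys exist and list the drivers/services
# allowed to load. Malware that deletes them makes Safe Mode unbootable.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
foreach ($mode in 'Minimal', 'Network') {
    $key = Join-Path $safeBoot $mode
    if (-not (Test-Path $key)) {
        Write-Host "  [!] $key is missing; Safe Mode ($mode) will not boot"
        continue
    }
    $entries = @(Get-ChildItem -Path $key)
    if ($entries.Count -eq 0) {
        Write-Host "  [!] $key exists but is empty; Safe Mode ($mode) will not boot"
    } else {
        # A stock install has dozens of subkeys; compare the count against a
        # known-good machine of the same Windows version rather than a fixed number.
        Write-Host "  [ok] $key present with $($entries.Count) subkeys"
    }
}
```

If the SafeBoot section reports a missing or empty key, that is the condition the Didier Stevens .reg file and the SafeBootKeyRepair tool quoted above are meant to fix; re-run the script after applying either of them to confirm the keys came back.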

ZStorm:
last 2 logs...

ZStorm:
Hi there oldman

Thanks for your post... You were posting while I was finishing mine with the updates on my situation so I didn't see it till now.

About Combofix, I tried to run it before. Actually I saw that instruction in another thread and it was one of the very first things I ran here. It didn't work... the log from that attempt is here:

.................

ComboFix 08-04-08.7 - Storm 2008-04-09 11:58:50.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.447 [GMT -3:00]
Running from: C:\Documents and Settings\Storm\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.................

Another thing is that during the scans I ran afterwards, some of them detected files from ComboFix as being infected and they were put in the chest. I'm not sure if that's the reason I don't see it in Control Panel to be uninstalled.

How should I uninstall it then? By deleting the folder?


I'd like to thank you very much for your attention and support. It's very late here (past 2am), I'm exhausted and need to sleep or else I'd be around for a bit more to wait for your reply.

However, I'd like to invite you to read my previous post with the updates, maybe it might help or change the procedures to follow next. I'd also like to ask whether I should proceed with the steps from Tech after performing the task you just posted, or whether I should stand by and wait for your reply after I post the logs from ComboFix.

Another important question.. is it safe to use the PC for the internet the way it is now, infected?

Thanks again and talk soon

oldman:
Hi, just delete combofix from the desktop. It doesn't have to be uninstalled. The combofix quarantined files are not encrypted, so other scanners will detect and remove them.

I've looked at what you have posted before. A lot of files have been removed. The problem with most removal tools is that they show you what has been removed, but don't log what they scanned. Combofix logs removed files as well as recently created files and folders. It also shows some reg keys and drivers. The combofix log you posted is incomplete. Perhaps it was interrupted during the writing of the log.

The remaining steps in Tech's post are not required at this time. You have done most of them already. You are now in the manual search and destroy portion. Don't worry, we will still use tools. It's now a matter of going through logs and finding, if any,  left overs.

As far as the internet goes, that is difficult to answer. I know you had beagle, but with out a current combofix log, I have no way of knowing if there was anything else.

Infections of this type do not just arrive via email. The last two I encountered came from cracked programs. One of them AVG. Sort of a special bonus I suppose.
