Author Topic: Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!  (Read 37664 times)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
Good for you! Are you seeing some improvement?

There's some Kaspersky left that should be uninstalled; we can clean up any leftover folders after you uninstall it.

We have a little repair work to do.

Download RenV from the link below

1. Save it to your Desktop.

http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

Code:
----a-w         4,752,968 2005-12-20 10:33:06  C:\Downloads\MsgPlus-362146 - 20051231 .exe


Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the code box above into the new notepad


Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "log.txt". Using your left mouse button, drag the new file log.txt and drop it on the RENV.exe icon as shown at the bottom of this post. You may have to click the image below to animate it.


When finished, it shall produce a new log for you. Post that log in your next reply.


Offline ZStorm

  • Jr. Member
  • **
  • Posts: 56
Oh yeah! Lots of improvement!  ;D

Just after ComboFix ran I got notices for many Windows updates, mostly security ones and a special one pointing to IE7. I'm not sure if you remember, but since the malware started the damage here, IE7 was being called to run and, if allowed to run, would cause the system to collapse (by the way, those files from the C:\WINDOWS\SYSTEM32\DOWNLD\ folder which were scanned as malware were created and loaded at those times IE went crazy after the infection). Security Center was also compromised and giving an error message since the infection, saying it was unavailable. After the updates downloaded and installed, the system rebooted and so I was able to check them and see they are working as good as new. I don't know in the end if it was ComboFix or the Windows updates that were responsible for getting them fixed. The system in general appears to be running as well as before the infection.




Quote
There's some Kaspersky left that should be uninstalled, we can clean up any leftover folder after you uninstall it.



Kaspersky wasn't successfully uninstalled so far. I tried the Kaspersky Removal Tool (http://support.kaspersky.com/faq/?qid=193239279) many times, as you can see in my previous posts, and ran it as it was supposed to be run; the program runs but it doesn't give any message or log for the result. What I get is to see the folder KAS still on my HD. I even tried it again today before performing the next task you gave me, but still no good. :(

I also tried the Norton Removal Tool again; it ran like the other times, but I have no idea if it really worked or if there are still leftovers of Norton here.



Quote
We have a little repair work to do.

Download RenV from the link below

1. Save it to your Desktop.

http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

Code:
----a-w         4,752,968 2005-12-20 10:33:06  C:\Downloads\MsgPlus-362146 - 20051231 .exe

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the code box above into the new notepad

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "log.txt" . Using your left mouse button, drag the new file log.txt and drop it on the RENV.exe icon



Performed as instructed, but I got a message in the running window... "could not find C:\Downloads\MsgPlus-362146 - 20051231 .exe"... it took a bit to finish running and gave me the log.

I found it weird and checked the HD for that path and file... they were there, so what was wrong? I took a closer look and saw you typed a SPACE after the file's name and before the extension. I fixed the script and ran it again. Both logs are attached (just in case, both go).


So, what's next, master? :)

Can you tell if it's safe for me to use the internet? Do you think the malware I got here compromised my sensitive data, as I use internet banking on a regular basis?

GreetZ from Brazil

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
I didn't type the fix, I copied and pasted it from the ComboFix log. It was a Vundo-infected file that RenV was supposed to fix. RenV now shows no infected file. However, it is strange that it "fixed" itself. I'd like you to submit that file to VirusTotal just to be sure about whether Vundo is trying to pull a fast one on us.

When we removed the rootkit, ComboFix may have repaired some registry key or setting that Beagle was blocking or had changed. The security updates probably helped also.

The files in the DOWNLD folder were part of the Beagle infection. Some were probably calling for reinforcements.

You should be fine for the internet, just be cautious as there may be a little left. Since I don't know what you were infected with before I was involved in this thread, I would advise you not to do any online banking from this computer until we are finished (soon). Also, you should change all your passwords from a known clean computer.

Let's leave the other AVs for the moment, as they don't appear to be causing any problem right now, and concentrate on getting your system as clean as possible.

Please test that file, then run this little scanner.

Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Offline ZStorm

  • Jr. Member
  • **
  • Posts: 56


Quote
I didn't type the fix, I copied and pasted it from the ComboFix log. It was a Vundo-infected file that RenV was supposed to fix. RenV now shows no infected file. However, it is strange that it "fixed" itself. I'd like you to submit that file to VirusTotal just to be sure about whether Vundo is trying to pull a fast one on us.



Is this the file you are talking about that should be submitted - C:\Downloads\MsgPlus-362146 - 20051231.exe ??

If so, the site for VirusTotal I found was http://www.virustotal.com/ - hope it's the right one - and the result goes as follows:

http://www.virustotal.com/reanalisis.html?3e4e4f498ca4bf75647e2f3569cac7fc

-----

File MsgPlus-362146_-_20051231.exe received on 06.12.2006 20:15:53 (CET)
Current status: finished
Result: 1/25 (4.00%)
Antivirus    Version    Last Update    Result
AntiVir    -    -    -
Authentium    -    -    -
Avast    -    -    -
AVG    -    -    -
BitDefender    -    -    -
CAT-QuickHeal    -    -    -
ClamAV    -    -    Suspect.Zip
DrWeb    -    -    -
eTrust-InoculateIT    -    -    -
eTrust-Vet    -    -    -
Ewido    -    -    -
F-Prot    -    -    -
Fortinet    -    -    -
Ikarus    -    -    -
Kaspersky    -    -    -
McAfee    -    -    -
Microsoft    -    -    -
NOD32v2    -    -    -
Norman    -    -    -
Panda    -    -    -
Sophos    -    -    -
Symantec    -    -    -
TheHacker    -    -    -
UNA    -    -    -
VBA32    -    -    -
Additional information
MD5: e9363e91044abffc8740fc6a0fe388d3
SHA1: 8991f72601620d38288c164bd4b6c41ba5347544
SHA256: f17d4388e66d0a0b3a01621d5cd38eeffdd4a05b0bbf6395a36059913faf4471
SHA512: a91654ffe4a6ceade05d94c9fffa9b0e837085e477e8ee3808b756d9207ef7d27d43d536345d090570dea09526180de04b57579bba67f0800749978f049b6476

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

-----


I agree it's quite strange the file "fixed" itself... however, is it Vundo or not? No matter yes or no, what are the implications of it?

This new info got me a bit uptight  :o ... another piece of malware?


..........


Concerning the Malwarebytes' Anti-Malware scan, I'm going to do it first thing in the morning and, as soon as it's finished, I'm going to report back to you.

Right now it's not as late in the night as it has been for the last week for me to check out the computer and perform tasks, but for sure it's not an early time. I'm quite dead (you can add exhausted and drained after 8-9 days fighting these bugs day and night). In addition, I like and want to follow up every scan at a close look. At the moment, Chip & Dale (my only couple of brain cells left alive) are snoring, so it would be wise to wait for the morning.


Thanks a lot and I will report to you soon, first thing when I get back from Morpheus' embrace.

GreetZ from Brazil

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
The file looks to be okay. The type of Vundo you had adds a space when it infects a file. It will add one space each time the file gets infected. I don't think you have anything to worry about regarding that file. I just wanted to be sure. Sorry, I thought you had the link for VirusTotal.

Get some rest, do the scan. Talk to you later.
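The space-marker behaviour oldman describes, turned into a check that can be run over a ComboFix-style file listing. This is an added example written for this page; it is not RenV, ComboFix or anything from the thread. The listing format (attribute flags, comma-grouped size, date, time, path) is assumed from the single line quoted earlier, and every sample line except that one is constructed.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample in ComboFix's "attributes size date time path" listing
# format. Only the last line is the path quoted in the thread; the other two
# are made up to show a clean file and a file that was infected twice.
SAMPLE_LISTING = """\
----a-w         1,024,000 2007-11-02 08:12:00  C:\\Downloads\\setup.exe
----a-w            45,056 2008-01-15 19:04:31  C:\\WINDOWS\\system32\\helper  .dll
----a-w         4,752,968 2005-12-20 10:33:06  C:\\Downloads\\MsgPlus-362146 - 20051231 .exe
"""


class Entry(NamedTuple):
    attrs: str
    size: int
    date: str
    time: str
    path: str


class Hit(NamedTuple):
    path: str     # name exactly as listed, marker spaces included
    cleaned: str  # name with the marker spaces removed (what RenV should restore)
    spaces: int   # spaces found before the extension: one per infection pass


# One listing line: attribute flags, comma-grouped size, date, time, then the
# path, which may itself contain spaces, so it is captured to end of line.
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.*?)\s*$"
)
# Base name whose extension is preceded by one or more spaces ("name .exe").
MARKER_RE = re.compile(r"^(?P<stem>.*?)(?P<spaces> +)\.(?P<ext>[A-Za-z0-9]{1,4})$")


def parse_listing(text: str) -> List[Entry]:
    """Parse listing lines; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["attrs"], int(m["size"].replace(",", "")),
                                 m["date"], m["time"], m["path"]))
    return entries


def find_space_marker(path: str) -> Optional[Hit]:
    """Return a Hit if the base name carries the space-before-extension marker.

    This is a heuristic: a legitimate file can be named "x .exe", so a hit is
    something to hash and submit for scanning, not proof of infection.
    """
    directory, sep, name = path.rpartition("\\")
    m = MARKER_RE.match(name)
    if not m:
        return None
    cleaned = f"{directory}{sep}{m['stem']}.{m['ext']}"
    return Hit(path, cleaned, len(m["spaces"]))


def suspicious_entries(text: str) -> List[Hit]:
    """All listing entries whose file name carries the marker."""
    return [h for h in (find_space_marker(e.path) for e in parse_listing(text)) if h]


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_LISTING):
        print(f"{hit.spaces} space(s): {hit.path!r} -> expected original {hit.cleaned!r}")
```

A hit only says the name carries the marker; the next step is the one oldman asks for, hashing the file and submitting it, because a file can legitimately be named that way. The `cleaned` field is the name the repair tool would be expected to restore, which is also the name ZStorm found on disk.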

Offline ZStorm

  • Jr. Member
  • **
  • Posts: 56
Hiya oldman

MBAM scan was done and took 13 minutes. I was imagining it to take 13 hours  :D

Nothing but 1 adware was found. Log attached.

The scan covered something like 6% of my objects here. I was wondering if a thorough scan would be appropriate. What do you think about it?


Waiting for your feedback  :)

GreetZ from Brazil

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
You can do a thorough scan if you wish, but first we'll clean up the tools you used. We can get them again if needed. I just don't want to have unnecessary detections. I don't know how long the scan will take though.

But the first thing I'd like you to do is run ComboFix again. It should run from normal Windows. Please heed the instructions regarding security programs. Please post that log.

Tools clean up.

* Click start button, run, then copy and paste the following line into the box and click ok.

Combo-Fix /u

Please download OTMoveIt  by OldTimer.  Save it to your desktop and double-click OTMoveIt.exe to run it, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

* Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point , click create

* Remove old restore points

- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.


Post back and we'll look at removing the rest of KAV.
« Last Edit: April 17, 2008, 02:01:44 AM by oldman »

Offline ZStorm

  • Jr. Member
  • **
  • Posts: 56
Quote
You can do a thorough scan if you wish, but first we'll clean up the tools you used.

But the first thing I'd like you to do is run ComboFix again. It should run from normal Windows. Please heed the instructions regarding security programs. Please post that log.

Tools clean up.

* Click start button, run, then copy and paste the following line into the box and click ok.
Combo-Fix /u


.:  Agreed about the thorough scan. If you say it can wait for the other procedures, then so be it. It was just a thought of mine to run it in the meantime between one instruction and the next.

...............


However, I have to ask you for those:


Quote
Please download OTMoveIt by OldTimer.

* Create a new restore point

You must be logged on to an administrator account.



- The link you provided comes up as invalid ... Error 404 - Not Found... http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

- Admin "only exists" and shows up when I get into safe mode OR when I boot the system to run under DOS after a CD boot or something. My login options in normal mode are myself and an extra one. There's no such option to login as Admin besides under the safe mode login or CD system boot.

...............


By morning I'm going to run ComboFix again according to your instructions and will post the log.

I'm not sure about the Admin login needed to run OTMoveIt, and the download link is not ok either.

Standing by for next instructions.

GreetZ from Brazil

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
Quote
an administrator account

An account with administrator rights will work. From your DSS log, if this is you, then your account will do the trick.

Storm (admin)


Sorry about the link, it's an old one I didn't get rid of. Here's the correct one. Same program, author renamed it.

* Please download OTCleanIt

Double click OTCleanIt, click the Clean Up button.

You may get prompted by your firewall that OTCleanit/OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

If you want to run the scan and have a nap go ahead.

Offline ZStorm

  • Jr. Member
  • **
  • Posts: 56

Quote
But the first thing I'd like you to do is run ComboFix again. It should run from normal Windows. Please heed the instructions regarding security programs. Please post that log.



Don't know why, but ComboFix doesn't run in normal mode. I took care of disabling Avast! On-Access Protection and Windows Firewall. Those are the only 2 security tools I have for the moment. However, the same old thing happens... when ComboFix gets to the point where it changes the PC's clock, it crashes the system, blue Windows screen and reboots.

I ran it in safe mode, which was the only option. As you didn't say anything about deleting and downloading ComboFix again, I used the same one I had from the last time (the one with the script added). The log goes attached.

............



Quote
Tools clean up.

* Click start button, run, then copy and paste the following line into the box and click ok.

Combo-Fix /u



Done.



Quote
* Please download OTCleanIt



Done.


............


I'm going to proceed with the rest of the instructions and will post back to you.

GreetZ from Brazil

Offline ZStorm

  • Jr. Member
  • **
  • Posts: 56

Quote
Tools clean up.

* double click OTMoveIt.exe to run it, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

* Create a new restore point

* Remove old restore points



.:  OTMoveIt ran here, but at no moment did it ask to unblock the firewall, nor did the cleanup.txt file show up. It only prompted with a popup asking if I wished to reboot to finish removing files. So I did, but nothing much was apparently removed - at least from my desktop area, besides the OTMoveIt icon itself nothing else was uninstalled. ComboFix, for example, is still there. Is that the way it was supposed to be?



.:  System Restore Point done.


.:  Older Restore Points removed.


.........


Waiting for your next instructions, master :)

« Last Edit: April 17, 2008, 10:26:54 PM by ZStorm »
GreetZ from Brazil

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
ComboFix log is ok. Not sure why it wouldn't run in normal Windows, unless it was avast 4.8's self-protection. A safe mode scan with ComboFix is fine though.

OTCleanIt should have removed everything, except perhaps a renamed copy of ComboFix, provided they had been downloaded to your desktop.

Delete combofix.exe from your desktop. Then open C:\ and delete C:\Qoobox and its contents, and C:\combofix.txt if present. You also had Deckard's; it can be deleted also, along with C:\Deckards. These programs are not installed, so there is no harm in deleting them.

You also had a tool from Symantec that can probably be removed.

KAV and Symantec don't appear in your HJT log other than a couple of entries that can be fixed with HJT. If you still have HJT, run a system scan and fix these lines. If you need HJT again, click here

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab


There is one other file, but it's in the Office folder and should pose no problem.

These are the symantec folders that can be deleted

C:\Program Files\Common Files\Symantec Shared


Kav folders/files

C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
C:\WINDOWS\system32\drivers\fidbox.dat
C:\WINDOWS\system32\drivers\fidbox2.dat
C:\WINDOWS\system32\drivers\fidbox2.idx
C:\WINDOWS\system32\drivers\fidbox.idx
C:\Program Files\Kaspersky Lab


You can use OTMOVEIT2 for the folder/file removal 
 OTMoveIt2 by OldTimer.



* Your java is up to date, but you may have some older versions still installed.

I believe you have done this part, so skip to the folders part.

Go to Add/Remove Programs and uninstall anything that says Sun Java, Java JRE, or similar, except Java TM 6 Update 5, which is the current version.

Next, in windows explorer,  navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain, except, jre1.6.0_05

* Clear the java cache

http://www.java.com/en/download/help/5000020300.xml

* If you are using windows firewall, please note that it doesn't provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

or

http://forum.avast.com/index.php?topic=33530.0


* Check if you have insecure applications with Secunia Software Inspector
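How the two O16 lines above can be parsed and triaged, as an added example for this page (not HijackThis code and not from the thread). The O16 line layout and the registry location Internet Explorer uses for downloaded ActiveX controls (HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CLSID}, which is where the O16 section is read from) are assumptions; the O4 line, the third O16 line with its made-up CLSID and .example host, and the set of known scanner hosts are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple, Optional
from urllib.parse import urlsplit

# Constructed HijackThis log fragment. The two Symantec O16 lines are the ones
# quoted in the thread; the O4 line and the third O16 line (made-up CLSID,
# .example host) are added to show a non-O16 line and an unknown control.
SAMPLE_HJT_LOG = """\
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D} (Speed Booster Control) - http://dl.speedbooster.example/booster.cab
"""

# Hosts of online-scanner controls known to be left behind once the scanner
# is no longer used (an assumption for the example; extend as needed).
KNOWN_SCANNER_HOSTS = {"security.symantec.com"}

# Where Internet Explorer records a downloaded ActiveX control; HJT's O16
# section is built from these keys.
DPF_KEY_ROOT = r"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units"

# "O16 - DPF: {CLSID} (optional friendly name) - URL"
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
    r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)


class DpfEntry(NamedTuple):
    clsid: str
    name: Optional[str]   # friendly name in parentheses; absent in some logs
    url: str
    host: str
    registry_key: str


def parse_o16(line: str) -> Optional[DpfEntry]:
    """Parse one HJT line; returns None for anything that is not an O16 entry."""
    m = O16_RE.match(line.strip())
    if not m:
        return None
    clsid = m["clsid"].upper()
    url = m["url"]
    return DpfEntry(clsid, m["name"], url, urlsplit(url).hostname or "",
                    f"{DPF_KEY_ROOT}\\{clsid}")


def parse_hjt_log(text: str) -> List[DpfEntry]:
    return [e for e in (parse_o16(line) for line in text.splitlines()) if e]


def triage(entries: List[DpfEntry], known_hosts=KNOWN_SCANNER_HOSTS) -> Dict[str, str]:
    """Map each CLSID to a verdict.

    A control fetched from a known scanner host is a stale leftover that HJT
    can fix. Anything else should be inspected (the .cab/.ocx lives under
    C:\\WINDOWS\\Downloaded Program Files) before it is removed.
    """
    verdicts = {}
    for e in entries:
        if e.host in known_hosts:
            verdicts[e.clsid] = "stale scanner control: fix with HJT"
        else:
            verdicts[e.clsid] = "unknown origin: inspect before removal"
    return verdicts


if __name__ == "__main__":
    found = parse_hjt_log(SAMPLE_HJT_LOG)
    for e, verdict in zip(found, triage(found).values()):
        print(f"{e.clsid} {e.host:<28} {verdict}\n    {e.registry_key}")
```

Fixing an O16 line in HJT removes the registry entry; it does not delete the downloaded .cab/.ocx, which is why the folder clean-up oldman lists afterwards is still needed.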


Offline ZStorm

  • Jr. Member
  • **
  • Posts: 56

Bad news... something happened during the procedures and I lost my internet connection (it connects but doesn't let almost any data through, besides a few bytes, so it's as if there wasn't any connection on; not even one application which would require an internet connection detects it, even if the modem shows as connected).

NOTE: That's not a hardware problem. I have a 3G connection and it doesn't work on the PC but does ok on a laptop I borrowed. The dialup modem also connects but the problem is the same as with the 3G one. I already contacted 3G support and we did what we could, but nothing was found to be the cause of it regarding their company and service.

Mostly it happened after I ran OTMoveIt2 to remove the files you pointed out. It asked for a reboot, but I don't recall now if I did it immediately; I guess I didn't. From the link you provided for instructions about how to clear the Java cache, there was a link for cleaning the IE cache, and so I followed it, cleaning absolutely everything there in Temp files (including the option for deleting browser history + files and settings stored by add-ons).

I believe it was after that I rebooted for OTMoveIt. NOTE: I had it downloaded to a subfolder and NOT the desktop, as you didn't leave any specific instruction about it. When back, I checked for the files which were supposed to have been removed and they were, as was OTMoveIt itself from that subfolder.

I decided to get rid of some stuff I didn't use, as the next step was to get a firewall and check Secunia. Things I uninstalled from Control Panel: Crawler Toolbar, Yahoo Toolbar, Yahoo Internet Mail, Yahoo Photo Easy Upload, Yahoo Photo Print at Home.

I tried to uninstall Acelerador Terra from there too, but it gave me an error saying it wasn't a Win32 application. For that, I thought of using OTMoveIt again as it worked great before. I downloaded it again, this time to the Desktop. I clicked by accident on the button for CleanUp! and it brought me some files again. I can't recall if I clicked to go on with cleaning or if I cancelled the operation. I'm also not sure, but I think for some really stupid reason I might have next downloaded it again to the Desktop (overwriting the previous one), then added the folders I wanted to delete next: c:\Acelerador Terra and c:\X-Cript (as both couldn't be removed from Control Panel and were useless). Clicked on MoveIt! and then on CleanIt!. This time though it didn't ask me to restart the system. It gave me the error message "Unable to contact the internet. Cleanup list download failed."

I thought then to restore the moved files, and so I did it and it worked apparently. Again (without rebooting yet), I ran the tool and repeated the procedure. Same error again (I didn't notice if by then the internet traffic had stopped or not). Then I rebooted the system to try OTMoveIt again.

When the system was loading, Avast! gave me 4 error messages for Mail Protection ("Unable to protect outgoing/incoming/news ... Error 10106"). In addition, an error message for Acelerador Terra: "Unable to load the language resource library". I tried to connect to the internet after that and it wouldn't connect at all, as I explained on top. I tried OTMoveIt again and got the same errors. I restored the files again (which I had already restored before) and still the same. I thought it could be my 3G connection, removed the device, rebooted, and all happened again with the Avast! errors and all.

I then tried to install Acelerador Terra again so as to uninstall it. No good. Got an error that the file UNWISE.EXE was missing. More boots and nothing. I tried dialup and nothing. I tried 3G support and nothing. I tried to recover the Restore Point we created in the previous task, and still no good (error saying it couldn't be restored and no changes were made). During those boots I tried to connect with Avast! On-Access Protection and/or Windows Firewall disabled, but no good either.


It has been 5 hours since the bug started.... I'm quite desperate... What happened and how do I fix it? Did I do something stupid?


PS: Acelerador Terra is a program provided by my ex dialup ISP Terra which was used to accelerate browsing. As I finally got a 3G service a few days ago and it was working fine, I cancelled my ISP services. NOTE: Acelerador Terra was always loaded at startup, BUT since I got connected on 3G it wasn't working anymore.

PS2: Since the beginning of the infection, when connecting to the internet (then on dialup) I had this popup from Acelerador saying "Another application is using the email port SMTP (25). The functionalities of SMTP email on Acelerador Terra will be disabled in this session. To reactivate them, close the application which is using port 25 and then restart Acelerador Terra." Then I clicked on OK and it worked ok. DETAIL: I never used any programs or even made setups for emailing from the PC. I only used and use webmail. Then how can an application be running and using the SMTP port?

GreetZ from Brazil

Offline ZStorm

  • Jr. Member
  • **
  • Posts: 56
Forgot to mention... there's still a C:\Combo-fix folder on my system. You didn't say before to delete it and so I didn't. I've noticed just above it there's a new folder I never saw before, C:\327882R2FWJFW, whose content has similar files to the Combo-Fix one. In addition, I noticed another new folder, C:\InetPub, stuffed with VB scripts mostly pointing to IE. I have no idea if that's normal or not.

GreetZ from Brazil

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
I'm trying to piece together what you did. Tools are downloaded to the desktop unless specific instructions say otherwise.

C:\combo-fix can be removed. OTMoveIt2 will create a folder with the removed files/folders in it. Since you placed it in a subfolder, OTMoveIt may have used that path to store the files you removed. The files you tried to remove, where did you find them afterwards? In the OTMoveIt subfolder or the original location?

Nothing we removed should have interfered with your connection. Did you install a third-party firewall, or did you get that far?

There has been an issue raised with Web Shield. Try terminating it; can you browse with Web Shield off?

System Restore will most likely fail unless you turn off avast's self-protection.

C:\InetPub

http://www.karlsforums.com/forums/viewthread.php?tid=25754

The avast mail scanner monitors traffic on ports 25 and 110.

Tell me more about the contents of C:\327882R2FWJFW. You said it was similar to combo-fix. In what way?

Don't do too much right now other than answer as best as you can, and try turning Web Shield off.
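ZStorm's question about what is using SMTP port 25, and oldman's answer that the avast mail scanner monitors ports 25 and 110, as an added example that is not part of the thread: the script parses `netstat -ano` and `tasklist` output to show which process owns each mail-port listener and whether it is bound to loopback only. Both output samples are constructed; ashMaiSv.exe is assumed here as the avast 4 mail-scanner service name, and the PIDs and other processes are made up.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed "netstat -ano" output in Windows XP layout. Ports 25 and 110 on
# the loopback address, owned by PID 1640, imitate a local mail-scanning
# proxy; the other lines are filler.
NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:25           0.0.0.0:0              LISTENING       1640
  TCP    127.0.0.1:110          0.0.0.0:0              LISTENING       1640
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    192.168.0.5:1054       64.233.187.99:80       ESTABLISHED     2216
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed "tasklist" output for the same PIDs (ashMaiSv.exe assumed to be
# the avast mail-scanner service).
TASKLIST_SAMPLE = """\

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    948 Console                    0      4,980 K
ashMaiSv.exe                  1640 Console                    0      3,412 K
iexplore.exe                  2216 Console                    0     21,560 K
"""

MAIL_PORTS = {25, 110}


class Socket(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote: str
    state: str  # "" for UDP, which has no state column
    pid: int


class Listener(NamedTuple):
    port: int
    pid: int
    image: str
    local_ip: str
    loopback_only: bool


# Proto, local endpoint, foreign endpoint, optional state (absent for UDP), PID.
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)
# Image name (may contain spaces), PID, session name, session number, memory.
TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'127.0.0.1:25' -> ('127.0.0.1', 25); handles bracketed IPv6 too."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else -1


def parse_netstat(text: str) -> List[Socket]:
    sockets = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            ip, port = split_endpoint(m["local"])
            sockets.append(Socket(m["proto"], ip, port, m["remote"],
                                  m["state"] or "", int(m["pid"])))
    return sockets


def parse_tasklist(text: str) -> Dict[int, str]:
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m["pid"])] = m["image"].strip()
    return procs


def mail_port_listeners(netstat_text: str, tasklist_text: str,
                        ports=MAIL_PORTS) -> List[Listener]:
    """TCP listeners on the mail ports, joined to the owning process name."""
    procs = parse_tasklist(tasklist_text)
    found = []
    for s in parse_netstat(netstat_text):
        if s.proto == "TCP" and s.state == "LISTENING" and s.local_port in ports:
            found.append(Listener(s.local_port, s.pid, procs.get(s.pid, "<unknown>"),
                                  s.local_ip, s.local_ip.startswith("127.")))
    return found


if __name__ == "__main__":
    for l in mail_port_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        scope = "loopback only" if l.loopback_only else "ALL interfaces"
        print(f"port {l.port}: pid {l.pid} ({l.image}) on {l.local_ip}, {scope}")
```

A loopback-only listener owned by the mail scanner is the local proxy that Acelerador Terra was colliding with, which is consistent with oldman's answer. The case worth chasing is the other outcome: a listener on 0.0.0.0 (all interfaces) owned by an image you do not recognise, which is the file to hash and submit before anything else is cleaned.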