Avast corrupted, doesnt accept reinstall (NOT A WIN32 APP), Windows CRAZY! HELP!

[ZStorm]

Startup SOLVED  (at least now I can startup on normal mode)

I found a thread at another forum (couldnt find any thread about it in here) which was pretty much my issue and the problems the user had I also had here (attrib not accepting more than 1 setting at a time; edit not working at any location etc.). Solution given was perfect for me.

Hoping to help others who might face this problem * START UP NOT WORKING ON SAFE OR NORMAL MODE * here goes the links for forum thread and MS Support article:

http://forums.majorgeeks.com/showthread.php?t=101952
http://support.microsoft.com/default.aspx?scid=kb;en-us;330184


Now dear fellows, Im back to almost zero... SAFE MODE doesnt start here.

Any suggestions as about what can I do to fix malwares and proceed with other tasks and tools or any other way to get safe mode to work?

[DavidR]

The malware may have deleted the SafeBoot registry keys.
Here are some options to restore them:

http://didierstevens.wordpress.com/2006/06/26/restoring-safeboot/
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/

Or see http://forum.avast.com/index.php?topic=26554.msg216924#msg216924, for more links.

Or - Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe

[ZStorm]

Guess Im looking at the right places David. 

I found Stevens homepage when googling for solutions for the safe mode just after posting my last comment and was about to post again asking if that would be a reliable source.

As you gave your blessing, Im gonna try those and pray for one to work.

Tks a lot and have a great weekend.

[DavidR]

You're welcome, good luck.

[oldman]

Hi, DavidR has you off on the right foot. The safe mode fix I usually use is the one by sUBs, no particular reason.

Please post back if you still have problems.

[oldman]

I'm not sure where you are at, but I'm working off of your DSS log.

We'll hit this guy with combofix from safe mode if possible.

Delete the copy of combofix you have now, we'll use a new "special" one. We will also run it differently.

Before we start, please ensure that system restore is turned

on

After you have read the instruction for downloading this copy, please see the end of the post for instructions on how we will start combofix.

It is vitally important that combofix is renamed before it is even started to download


Please download ComboFix from Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:

     -Tools->Options->Main tab
     -Set to "Always ask me where to Save the files".

• During the download, rename Combofix to Combo-Fix as follows:

• It is important you rename Combofix during the download, but not after.
• Please do not rename Combofix to other names, but only to the one indicated.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix

-----------------------------------------------------------

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.[/color]
  
  -----------------------------------------------------------

• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

 

• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
  

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

KillAll::

File::
c:\windows\system32\drivers\srosa.sys

Rootkit::
c:\windows\system32\drivers\srosa.sys

Driver::
srosa

This will start ComboFix again.Close  all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

[ZStorm]

Hi guys

After a long nite and day running scans and stuff, Im back to update you before preparing for another round of scans and tasks.

The malware may have deleted the SafeBoot registry keys.
Here are some options to restore them:
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
Or - Download & run this tool > SafeBootKeyRepair-CF http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe

Stevens solution worked great here and finally I got safe mode recovered. Thanks a bunch, DavidR. 

Hi, DavidR has you off on the right foot. The safe mode fix I usually use is the one by sUBs, no particular reason.

Id like to make a note about the second link as I tried it - sUBs SafeBootKeyRepair-CF.exe... the link is not valid. I searched there for another link but all references to that file pointed to that same invalid link (guess they didnt redirected to new location).

----


Once having the safe mode back, I sticked with previous suggestions.

- You did NOT uninstall Norton completely and that can give problems
- Remove nav completely
- Remove Kaspersky completely

I did ran the Norton Removal Tool (saw it on some other topic here and thought it was a good thing to do) 2 days ago. It downloaded ok, ran ok and said in the end it was removed. But I suppose something didnt work that good as I could see on logs I posted previously remaints of NIS on my system. Following your advice, I downloaded it again and ran it again, getting the same result.

I found the Kaspersky Removal Tool (http://support.kaspersky.com/faq/?qid=193239279) and its instructions ask to run it under SAFE MODE. Then what Im gonna do is to run again Norton but on safe mode as well I will do with Kaspersky.

.: Well, I proceed like I said above but seems it didnt work, at least for Kaspersky. The KIS directory is still there. I guess Norton didnt work as well. 

Any suggestions?

You could try downloading and running a full scan with cureit.

...run msconfig and select "safeboot on the "boot ini" tab.

... run HijackThis that would be good.

Cureit was downloaded and I will run it on safe mode. Next thing on my to-do list.

.: I proceeded like Tarq57 suggested. I did at first a fast scan then after I did a complete one. However, I made a silly mistake when running the complete one... I didnt set the options ok and the log I got from it was 36M sized as it covered all scan actions and files.

Infected or suspicious files were moved all to quarantine. Attached goes the fast scan log and the HijackThis log (20080413 1437).

NOTE: Its not the first scan I do that would get files from fixing tools like ComboFix and DSS considering either infected or suspicious. All of files detected by all tools were moved to quarantine or chest. Should I get them outta there? Are they really infected or are they safe?


......

.: I found another thread where it was suggested to download and run Symantec Fix Tool for Beagle MO (FxBgleMO.exe), which I had previously downloaded and then I decided to run it as I had found already some variations of Beagle on previous scans (wouldnt hurt to try). The tool ran ok and the result was negative. The log goes attached.


......

From other thread I got suggestions from Tech, as follows:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware and/or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.



.: I started to follow then and so far I performed steps 1 to 3. Avast logs goes attached plus another HijackThis log (20080414 0030).



.: I noticed some files which were not caught on previous scans (even manual ones for specific folder or file) were pointed as infected on those recent scans I performed. I dont understand how come the same file to be scanned many times and to not be detected the infection.

Example: The file I suspect to be the bad guy since the start (the key for KIS) was scanned several times and only at the last boot-time Avast scan it got detected as a rookit.

I wonder how many more scans I will have to do till busting them all and to feel safe enough to get a back up done without fearing to carry on backup infected files which were not detected after more than 1 week of effort and hard work.

......

Well, thats it for now. By morning Im gonna check over here again and then will go on from step 4.

I dont know if Im doing the right things here or not. If any of you have something to add or manifest about the procedures done so far and to be done ahead, please feel free to post. All help and feedback are welcomed and quite needed.

Thank you all again for your attention and efforts on trying to help, as well for your patience.

Have all a great week.

[ZStorm]

last 2 logs...

[ZStorm]

Hi there oldman

Thanks for your post... You were posting while I was finishing mine with the updates from my situation so I didnt see it till now.

About Combofix, I tried to run it from before. Actually I saw that instruction at another thread and was one the very first things I ran here. It didnt work... the log from that attempt is here:

.................

ComboFix 08-04-08.7 - Storm 2008-04-09 11:58:50.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.447 [GMT -3:00]
Running from: C:\Documents and Settings\Storm\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.................

Another thing is that during the scans I ran after some of them detected files from ComboFix as being infected and they were put on chest. Im not sure if thats the reason I dont see it in Control Panel for being uninstalled.

How should I uninstall it then? Deleting the folder that is?


Id like to thank you very much for your attention and support. Its very late here (past 2am), Im exhausted and needing to sleep or else Id be around for a bit more to wait for you reply.

However, Id like to invite you to read my previous post with the updates, maybe it might help or change the procedures to follow next, as well Id like to ask of you if I should proceed with the steps from Tech after performing the task you just posted me or should I stand by and wait for your reply after I post the logs from ComboFix.[/color]

Another important question.. is it safe to use pc for internet the way it is now infected?

Thanks again and talk soon

[oldman]

Hi, just delete combofix from the desktop. It doesn't have to be uninstalled. The combofix quarantined files are not encrypted, so other scanners will detect and remove them.

I've looked at what you have posted before. A lot of files have been removed. The problem with most removal tools, is they show you what has been removed, but don't log what they scanned. Combofix logs removed files as well as recently created files and folders. It also shows some reg keys and drivers. The combofix log you posted is incomplete. Perhaps it was interupted during the writting of the log.

The remaining steps in Tech's post are not required at this time. You have done most of them already. You are now in the manual search and destroy portion. Don't worry, we will still use tools. It's now a matter of going through logs and finding, if any,  left overs.

As far as the internet goes, that is difficult to answer. I know you had beagle, but with out a current combofix log, I have no way of knowing if there was anything else.

The method of infections of this type does not just arriv via email. The last two I encountered came from cracked programs. One of them AVG. Sort of a special bonus I suppose.

[Spiritsongs]

   Hi ZStorm :

 You asked a couple of days ago about having multiple "Updates" of Sun Java;
 each "Update" is actually a new "version". Therefore, ALL "Update(s)/
 Version(s)" other than the latest SHOULD be uninstalled, to enhance the
 security of a computer ( does not help IF keygens or Cracks are installed ).
 To periodically check as to IF you have the latest "Version", visit
 www.javatester.org/version.html .

[ZStorm]

Hi Spiritsongs

Thanks a bunch for your info. I was almost sure those Java older stuff could be uninstalled but wanted to be sure. Sun could be nice and include a batch to remove previous versions/updates when installing the latest one or at least give a notice after installing that you can do it manually. Oh well... 

Im gonna get rid of that extra weight here... thanks again.


.................


Hi oldman

Bad news from Brazil land... Combofix didnt work. Again.   :'( :'( :'(

Hi, just delete combofix from the desktop.

The combofix log you posted is incomplete. Perhaps it was interupted during the writting of the log.

I deleted it how you said... clicked on desktop icon and delete. I installed the new one exactly like you told me to.

About the 1st log, it was incomplete cause happened for the program to be interrupted.

" ... The Combo-Fix didn't work as well (report attached) as it crashed the system after prompting it was changing my pc clock... "    (thats part of my first post on this thread)


Well, the story repeated itself once again. Same thing happened here today when I tried to run Combofix. It loads the program, opens a window saying 'attempt to creat a System Restore Point', ok for that part, then says its scanning and few seconds later prompts a message '... has changed your pc clock...' and BOOM! comes Windows blue screen and system restarts.

From your instructions I got confused if I should run Combofix first and after to move the script file and make it run again OR if I should move the script and run it just once like that. I picked the first option, but in the end would it make any difference as it restarts the system and then I couldnt run one and next the other on a sequel?

Anyway, at both attempts to run Combofix the result was the same. The logs go attached (one for 1st run and one for 2nd with the script moved) as well a HJT one for the moment after i performed the second run and restored the AV/Firewall setups.


NOTE: Combofix doesnt run at all on safe mode. I tried twice and all it does is to show the bar loading it and nothing more happens, no window opens or anything. I checked the Task Manager and the process was there but dead. Then I had no option besides to run it on normal mode.


So, what can we do now? 


PS: The idea of cutting my wrists with a spoon is becoming more vivid on my mind as days pass by... 

[ZStorm]

Forgot to mention... I found out and downloaded at first Combofix and DSS after reading this thread (instructions by essexboy:

http://forum.avast.com/index.php?topic=33127.msg277088;topicseen#msg277088

You think it would be the case to run DSS again? If so, should I uninstall it and install again?

[oldman]

The way I wanted combofix ran was with the script. But that okay, we'll leave it for now. Yes a new DSS log would be the way to go. The copy you have will be fine to use. There will only be a main text this tme. Please post that, we may be able to see what is going on. 

[ZStorm]

The way I wanted combofix ran was with the script.

As I got mistaken and you said you wanted the script option only... in addition of the fact Im persistant and wouldnt hurt to try it again... ... I repeated the process for Combofix (deleted, downloaded, created script), got into safe mode, dragged the script and... IT WORKED!!!

Attached go the logs for Combofix and HJT.

You people should see the smile on my face 

Looking forward for to your feedback oldman, and never enough to say it again... THANK YOU!