Author Topic: Boot scan operation  (Read 8506 times)

0 Members and 1 Guest are viewing this topic.

SRU1X

  • Guest
Boot scan operation
« on: October 12, 2010, 12:02:58 PM »
I'm having trouble getting rid of an infection but I'm also having trouble understanding the operation of the Boot scan. Each time I schedule one it seems to find just one object (e.g. something like Win32:Ups [Cryp]) then presents me with numbered options to choose from. These options typically appear when the scan progress is only at 1% or 2%, yet if I select option 4 (move all to chest) the scan screen then terminates immediately and the PC starts to boot normally. This doesn't seem right - how would we expect the boot scan to proceed? Surely it doesn't halt the scan while it waits for the user to select an option as it finds each nasty? I have attached my log file for the last boot scan.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Boot scan operation
« Reply #1 on: October 12, 2010, 02:07:32 PM »
Something is wrong...
Hope the programmers could take a look.
The scanning should go on.
The best things in life are free.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37509
  • Not a avast user
Re: Boot scan operation
« Reply #2 on: October 12, 2010, 02:19:06 PM »
Quote
I'm having trouble getting rid of an infection
Have you tried this ?

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
always run update before you scan so you have the latest database
click the remove selected button to quarantine anything found
you may post the scan log here

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Boot scan operation
« Reply #3 on: October 12, 2010, 05:27:51 PM »
According to the log, a problem has indeed occurred in the code and the process was terminated. Unfortunatelly, there's no information about where exactly the problem occurred in the log. I can extend the logged information a bit, but it might take a few days before the new version makes it to the virus database update.

If you were able to replace the file in avast! folder (which includes disabling the self-defense and stopping avast! service), I could send you the modified file earlier. However, it won't really fix your problem, just logs a bit more so that we might find out why the scanner crashes.
« Last Edit: October 12, 2010, 05:52:51 PM by igor »

SRU1X

  • Guest
Re: Boot scan operation
« Reply #4 on: October 12, 2010, 07:34:24 PM »
Quote
I'm having trouble getting rid of an infection
Have you tried this ?

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
always run update before you scan so you have the latest database
click the remove selected button to quarantine anything found
you may post the scan log here

This is weird. I did as you say and downloaded, updated and ran a full scan of Malwarebytes' Anti-Malware 1.46 and it reports no malicious items deteceted. However, if I follow up with an Avast! boot scan I get just one detection (as per my OP). I've looped round this a couple of times and get the same result. I'm pretty sure there's something nasty running still as the system is cranky. For example, on loading up Thunderbird it gave a security warning about a request from my mail server. Also Java was throwing security warnings when I tried to run the  Kaspersky WebScanner. It 'feels' as though there's Malware blocking all my attempts to get rid of it.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37509
  • Not a avast user
Re: Boot scan operation
« Reply #5 on: October 12, 2010, 07:39:49 PM »
Then i recomend that you let Essexboy have a look.......he enters the forum soon.....

follow this guide and post the log`s
http://forum.avast.com/index.php?topic=53253.0

To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt. and MBAM scan log )

SRU1X

  • Guest
Re: Boot scan operation
« Reply #6 on: October 12, 2010, 07:42:32 PM »
According to the log, a problem has indeed occurred in the code and the process was terminated. Unfortunatelly, there's no information about where exactly the problem occurred in the log. I can extend the logged information a bit, but it might take a few days before the new version makes it to the virus database update.

If you were able to replace the file in avast! folder (which includes disabling the self-defense and stopping avast! service), I could send you the modified file earlier. However, it won't really fix your problem, just logs a bit more so that we might find out why the scanner crashes.

Will try anything if it means I can get back to work as before last Friday. Tell me what to do. BTW thanks to all involved here.

SRU1X

  • Guest
Re: Boot scan operation
« Reply #7 on: October 12, 2010, 10:52:24 PM »
Then i recomend that you let Essexboy have a look.......he enters the forum soon.....

follow this guide and post the log`s
http://forum.avast.com/index.php?topic=53253.0

To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt. and MBAM scan log )

Done, but MBAM came up with nothing (again) and OTL didn't generate an Extras.Txt I followed the instructions in the link you gave assuming the scan.txt attached to the post was the one to download and use (I've seen others elsewhere). Anyhow, here's the logs I did get:

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Boot scan operation
« Reply #8 on: October 12, 2010, 10:58:26 PM »
I see you have run combofix - could I see the log please (attach it)

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No CLSID value found.
    [2010/10/08 11:38:13 | 000,003,908 | ---- | M] () -- Z:\Documents\Adrian\otezudanawoza.reg
    [2010/10/08 11:33:29 | 121,264,302 | ---- | M] () -- Z:\Documents\Adrian\full.reg
    [2010/10/07 22:44:44 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Xleyuqujarowije.dat
    [2010/10/07 09:59:00 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Bfufevatepinu.bin

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

SRU1X

  • Guest
Re: Boot scan operation
« Reply #9 on: October 13, 2010, 12:03:11 AM »
Yesterdays combofix and latest OTL Logs Attached as requested...

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Boot scan operation
« Reply #10 on: October 13, 2010, 12:47:36 AM »
OK, regarding the crash, please try the following:
1. Schedule the boot-time scan of the area you want, but don't restart yet
2. Make sure you have the current virus database, which is 10101300 at the moment.
3. Download the file http://public.avast.com/~glucksmann/aswboot.zip
4. Go to avast! settings / Troubleshooting and disable avast! self-defense
5. Go to Control Panel / Administrative Tools / Services and stop the "avast! Antivirus" service, together with its dependencies. If you have avast! Internet Security, stop also the "avast! Firewall" service
6. Supposing you installed avast! into the default folder, go to C:\Program Files\ALWIL Software\Avast5\defs\10101300  (i.e. into the subfolder defs\10101300 of avast! installation folder) and extract the content of the ZIP file (downloaded in point 3) there - overwriting the two files that are already there
7. Reboot the computer - the boot-time scan should start
8. Simulate the problem and boot to Windows
9. Post the content of the file log\aswBoot.log again. For completeness, attach also the file report\aswBoot.txt.

Hopefully the log will narrow down the area where the problem occurred.
Thanks.
« Last Edit: October 13, 2010, 01:10:47 PM by igor »

SRU1X

  • Guest
Re: Boot scan operation
« Reply #11 on: October 13, 2010, 02:01:30 PM »
igor, it was different this time - I scheduled the boot scan exactly as I had done before on several occasions - but this is the first time it appears to have completed. Before it has only taken only a minute or two to come up with the options menu, this time I set it running at around 0850 and it finished at 1214. I had to leave it and when I returned it had booted to the desktop. Files attached as requested. Is over 3 hours to be expected? When Avast scans from the desktop it usually takes around an hour. According to the log there are no infections which suprises me greatly. ???

BTW I don't understand why it keeps reporting that a ZIP archive is corrupted when the file in question isnt't apparently a zip file (or in a zip folder) - unless its some kind of image (it is called userdata.img after all!). Something to do with my Android developer install I think.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Boot scan operation
« Reply #12 on: October 13, 2010, 02:35:59 PM »
Hmm, pity  :-\
Since the previous infections were found inside of Outlook Express mailboxes, maybe you removed some e-mails and/or compressed the folders? That would explain why they aren't found anymore. Or, if you tried to move them to chest previously, maybe there were successfully removed - just the moving to chest crashed later.

The boot-time scan uses a raw disk access, which is not cached by Windows... so yes, it takes longer (but of course, you also have to compare to scans with the same settings - e.g. regarding archives).

As for the MANIFEST.MF file (or rather its parent) - I think it's some java package (possibly embedded inside of the .img file), which actually is a ZIP file, just with some corrupted/missing checksums, or something like that. Don't worry about that.

SRU1X

  • Guest
Re: Boot scan operation
« Reply #13 on: October 13, 2010, 03:07:46 PM »
Hmm, pity  :-\
Since the previous infections were found inside of Outlook Express mailboxes, maybe you removed some e-mails and/or compressed the folders? That would explain why they aren't found anymore. Or, if you tried to move them to chest previously, maybe there were successfully removed - just the moving to chest crashed later.
I think the latter may be the case. I haven't touched my old OE mailboxes, although I could get rid of it all. Thinking about it the only difference between the boot scan I just did and the previous ones was that I unplugged the network cable before starting today (getting paranoid). If I get time I'll try again with the internet connection on. But then the virus defs. have updated since - will the logging stil be of use?

SRU1X

  • Guest
Re: Boot scan operation
« Reply #14 on: October 13, 2010, 04:17:58 PM »
Just did a full scan from the desktop and although it reported zero infections again, it did throw up several files that could not be scanned. Apart from one file (on an old system HD) they were all related to Avast. Thought I'd better check to see if something we did for testing has caused a problem... couldn't find a log reporting the filenames so I've attached a screenshot.