Topic: Avast boot scan not running from Safemode reboot, nothing works! OTS log posted.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Is there anything important on that login that you need to keep?

St.Anger_561_

  • Guest
I have some data on there I would like to keep.  I have not been using the affected log on but I still have access to the files from the new account.   

St.Anger_561_

  • Guest
After rereading your previous posts I went ahead and ran the roguekiller from the account that is actually working, and posted the RK report below.

I then went ahead and ran OTS from the same account and attached the log.  

I am running MBAM and avast scans and may run a boot scan before attempting to log back into the initial problem account, will update any results.  Thank you.

RogueKiller V5.2.2 [06/05/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Hey You [Admin rights]
Mode: Scan -- Date : 06/05/2011 16:14:32

Bad processes: 1
[SUSP PATH] stsystra.exe -- c:\windows\stsystra.exe -> KILLED

Registry Entries: 1
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

HOSTS File:
127.0.0.1       localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt



« Last Edit: June 05, 2011, 11:10:33 PM by St.Anger_561_ »

Offline essexboy

OTS has confirmed that the registry hives for that user are corrupt.  All you can do now is save what data you can and then delete the user - sorry

St.Anger_561_

  • Guest
Ok I am sad to hear this but I am concerned still though about malware on this cpu.  Avast does not autoload on the working log on. 

I just finished a boot scan and it found 2 trojans -  JS:Downloader-AQO and WIN32:FakeAlert-NO.   I was able to send the javascript downloader to the chest, but I could not send the win32 trojan to the chest.

When I tried to send the Win32 to the chest or repair it I got an error message saying the disk was full (?!), then when I tried to delete it I got a message saying file cannot be opened because share access flags are incompatible, so my only choice was to choose ignore.

I started avast after logging back on and looked at the scan result.  Now it is telling me that the process cannot access the file because it is being used by another process. 

I don't know how else to get rid of that win32:FakeAlert if I cannot remove it with the bootscan and I am hesitant to try a data backup with the infection lurking. 

Thanks again for your help. 

Offline essexboy

Do you have a name and location for the file?

St.Anger_561_

  • Guest
I do, it's C:\Hiberfil.sys.  I went ahead and used the control panel to turn off hibernate support, so this should have deleted the hiberfil.sys file, to my understanding.

I open the Avast scan log, when I click on move to vault it says "the file cannot be found."  I ran another bootscan, it found no virus so it should be ok, but the avast is still not autoloading.     

Do you think it could be with the bad user account, where I can log on but all I get is that box popping asking me what program to use every time I try to do anything?  Thanks again for trying to help me out.

Offline essexboy

From a working account have you tried a repair of Avast?

Run RogueKiller with option 2

St.Anger_561_

  • Guest
Good news.  I logged back into the main infected account and was able to open up internet explorer.  From that point I tried to open other programs, was getting the same box.  Being concerned about the security on this user account, I deleted the browsing history/temp files via IE tab, making sure to check off everything.

After this I decided to try to run a program and it ran!  Maybe some remnants in temp files were causing an issue?  I have avast and mbam running scans now, then I will try to reboot and see if avast and mbam autoload and will update.


St.Anger_561_

  • Guest
After doing the scans and reboot avast still does not autoload, although mbam does. 

I ran rogue killer option 2 this time and it found the same registry addition.  I rebooted after running it but then I noticed avast not loading.  I tried to run roguekill again after reboot and it found the same process.  I can hit 2 again and reboot again but I have a feeling it will be the same.

By the way, RogueKiller says it is not the current version when I run it. Can I update it from the same site as before?  Thanks

St.Anger_561_

  • Guest
Here is the rk report:

RogueKiller V5.2.1 [06/02/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Main Admin [Admin rights]
Mode: Scan -- Date : 06/14/2011 02:06:24

Bad processes: 1
[SUSP PATH] stsystra.exe -- c:\windows\stsystra.exe -> KILLED

Registry Entries: 0

HOSTS File:
127.0.0.1       localhost
127.0.0.1   www.007guard.com
127.0.0.1   007guard.com
127.0.0.1   008i.com
127.0.0.1   www.008k.com

[...]


Finished : << \RKreport[7].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt ; RKreport[5].txt ;
RKreport[6].txt ; RKreport[7].txt
« Last Edit: June 14, 2011, 10:07:30 PM by St.Anger_561_ »

Offline essexboy

stsystra.exe is not a problem - the latest version is always at the same download link

Have you tried a repair of Avast from that user account?


St.Anger_561_

  • Guest
I am not sure how to repair avast. Do I have to reinstall it?

St.Anger_561_

  • Guest
I tried and even went through the help file but I cannot see how to repair it.  Should I try to reinstall it, will it give me the option for a repair?  Thanks again.
« Last Edit: June 14, 2011, 10:07:04 PM by St.Anger_561_ »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89164
  • No support PMs thanks
Try a repair of avast:
XP - Add Remove programs, select 'avast! Anti-Virus,' click the Change/Remove button and scroll down to Repair, click next and follow.

You may need to reboot after the repair.