HOW TO DEAL WITH: AVAST ENHANCED PROTECTION MODE

[Asyn]

Can post an Image sorry.

You can or you can't..??
If you can't. Why..??

[DBone]

Something smells fishy here..............

[b007]

Something smells fishy here..............

What do u mean?
because I cant post an Image?

cant post cause it's at my sister computer I not near the computer right now...

[DBone]

That might have been helpful info to let us in on. We are all trying to help you and it took 1/2 a dozen posts asking you for a screenshot.

[Asyn]

cant post cause it's at my sister computer I not near the computer right now...

Finally an answer...
Well, how can we help you, if you have no access to the machine...?!?
Post back here, when you're 'near' your sister's computer.

[b007]

cant post cause it's at my sister computer I not near the computer right now...

Finally an answer...
Well, how can we help you, if you have no access to the machine...?!?
Post back here, when you're 'near' your sister's computer.

Do u know this problem?
AVAST ENHANCED PROTECTION MODE

[essexboy]

Avast does not have an enhanced mode

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS  to your Desktop

• Close ALL OTHER PROGRAMS.
  
• Double-click on OTS.exe to start the program.
  
• Check the box that says Scan All Users
  
• Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
File - Purity

• Under the Custom Scan box paste this in

%USERPROFILE%\..|smtmp;true;true;true /FP
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

• Now click the Run Scan button on the toolbar.
  
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
  
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  

Please attach the log in your next post.

[Asyn]

I doubt he can do that.

cant post cause it's at my sister computer I not near the computer right now...

[jadinolf]

Sigh

[DBone]

Sigh

 

[DavidR]

I'm having a sneaking suspicion that this may well be a malware attack and the advanced protection mode may be a blocking thing by the malware. So I did a google search for
"AVAST ENHANCED PROTECTION MODE" and found a lots hits (http://www.google.co.uk/search?q=%22AVAST+ENHANCED+PROTECTION+MODE%22), this topic being one and many in Polish, Google translation of one below.

http://forum.dobreprogramy.pl/avast-enhanced-protection-mode-t454336.html

Polish - detected to English translation
Hello, today my computer has become a victim of the Trojan, and as you know after a reboot, kompy świrują and those things, but about the things since his removal, avast is not normal to say is just nei know if this is normal
I get as I click on the icons on the taskbar on Avast
It appears to me to be Enhanced Protection Mode, tell me if it eventually turns off, and Avast will run normally and
Please fast and good answer;)

And I'll add that I fell victim to the famous Flash Player from Facebook who supposedly need to install

So perhaps essexboy is heading in the right direction and this could be a rogue AV that disabled avast perhaps and throws up that avast advanced protection mode to block access.

But we really do need much more information. Also found that there is an Enhanced Protection Mode in Dr Web.

[TecmagDummy]

Okay, this happened to me too (I feel so stupid! I should have not fell for the download.)

Obviously this came from a link, to a fake YouTube, in which includes dummy comments read from friend's lists of sites like Facebook. When you reach the site it says you need to update your flash player (I should have known then but I derped T.T) After that it restarts your comp and you can no longer enter safe mode, or run things such as Avast, or access system restores.

Here is a pick of the UI that replaces Avast, obviously fake and in mal-intent.


I derped for a moment, and now I am scared for my new laptop. I ran OTS by OldTimer, and got this in my files added/updated in the past 7 days:

Code: [Select]

[Processes - Safe List]
ots.exe -> C:\Users\TecmagDiams\Downloads\OTS.exe -> [2011/07/21 22:11:25 | 000,645,120 | ---- | M | MD5 = DB23CFEC16064A74B71B172D2DFA4022] (OldTimer Tools)
l1rezerv.exe -> C:\Windows\l1rezerv.exe -> [2011/07/21 21:58:18 | 000,110,592 | ---- | M | MD5 = 2A8AC31B9148F752B867AA702D6ED9AB] ()
systemup.exe -> C:\Windows\systemup.exe -> [2011/07/21 21:57:16 | 000,114,176 | ---- | M | MD5 = 534584A439DDD80D38915EDDE8D3A0E7] ()
svchost.exe -> C:\Windows\update.2\svchost.exe -> [2011/07/21 21:49:25 | 000,483,328 | ---- | M | MD5 = EFB19E06A994F184B781A3C948E77E6E] ()
sysdriver32.exe -> C:\Windows\sysdriver32.exe -> [2011/07/21 21:45:36 | 000,249,344 | ---- | M | MD5 = 8E34CB26917612324F92A7CCB66DC3F3] ()
svchost.exe -> C:\Windows\update.tray-7-0-lnk\svchost.exe -> [2011/07/21 21:31:06 | 001,167,872 | -H-- | M | MD5 = B20004C36B85012B2D3D34A88CF0E531] ()
svchost.exe -> C:\Windows\update.1\svchost.exe -> [2011/07/21 21:31:06 | 001,167,872 | -H-- | M | MD5 = B20004C36B85012B2D3D34A88CF0E531] ()
googlecrashhandler.exe -> C:\Program Files (x86)\Google\Update\1.3.21.57\GoogleCrashHandler.exe -> [2011/07/11 16:02:35 | 000,140,952 | ---- | M | MD5 = A5F28C8E37B3D4F310F1B52F4DB4B47F] (Google Inc.)
chrome.exe -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe -> [2011/07/08 21:51:19 | 001,012,792 | ---- | M | MD5 = 73708319A8673E43670A1A334B2D96AC] (Google Inc.)
Edit: was able to do a system restore, things SEEM to be normal again, runnig a scan and crossing my fingers. So far nothing, I'm still rather paranoid...

Sorry for being a new account with an odd name, had to have a friend make it for me cause I was not getting the confirmation e-mail, and I want to get as much info on this outt here as I can.

Edit Edit: For those of you who are experts at isolating things, or have a dummy computer, the link I got this virus from is: (In code to prevent someone from accidentely visiting it)

Code: [Select]

http://78.26.166.25/100000490714278

[Rednose]

Wow

Thnx for the info. But just to be clear :

You are not the OP b007 ? Than please start a new ( your own ) topic and post a link to it in your previous post, and we will mention that to Essexboy so he can help you too.

Greetz, Red.

[leong31]

Hi, i have just encounter this problem on one of the laptop, the avast notification is exactly like the one posted above.

The laptop becomes very slow, and it appears that it comes from a facebook link, and after the infection the facebook page can no longer be accessed, other pages are ok, opening facebook using other chrome, firefox and IE all failed, but opening on other com is ok.

i try to open avast via program file, but the folder disappear, i turn on view hidden file still the same. However i am able to see avast in ccleaner.

now i can not do anything to avast, i try to update malwarebyte, but it update few %, then drop back to 0%, then repeat again.

Is this a new virus? How can we remove it?


Thanks a bunch.

[DavidR]

Same answer as above your post you need to start your own new topic so as not to hijack this one as it becomes confused with multiple users trying to receive help in the same topic.