Author Topic: Avast put my bootcache.playlist in the virus vault and now it won't startup


spikeychris

  • Guest
So I was wondering if there was any way to access the virus chest and take something out when running in single-user mode? Avast decided to put two of my bootcache files in quarantine and now I can't get my laptop to start up. Safe mode doesn't work, and I have repaired permissions in case it was a permissions problem, but it's not.

So is there any way to access the virus chest without fully starting up my computer? Also, I am aware I could reinstall the OS, but I want to avoid this as it would be a monumental pain, especially considering it's Mavericks so I have no install disks. I also know I could try fixing it using Target Disk Mode and a FireWire cable between two Macs, but I can't find anyone with a FireWire cable anywhere.

Offline krahulik

  • Avast team
  • Sr. Member
  • *
  • Posts: 285
Hello,
  thank you for the notification. Do you think you could attach here, or send me by email (krahulik@avast.com), the bootcache files, so our virus lab could investigate them, please? What is your OS X version?

1) If the file is considered infected, it would be chested by the File System Shield again. To disable the File System Shield:
# Make sure the filesystem is mounted in read-write mode:
/sbin/mount -wu /

# Edit filesystem shield to disable it, e.g.:
echo "ENABLED=0" > "/Library/Application Support/Avast/config/com.avast.fileshield.conf"

2) There's a command-line utility distributed with Avast Antivirus handling chest operations
# List the chested files
"/Library/Application Support/Avast/components/chest/com.avast.chest" -I
2 chest items:
Information about chest item ID=08336D6A
  file path: /Users/krahulik/Mac_test/VirusesNonMaccpy/eicar2.diet
  file size: 2125
  last changed: 2014-03-14 11:59:47
  insertion time: 2014-03-20 11:04:42
  infection: EICAR Test-NOT virus!!!
  comment:

Information about chest item ID=5BF463C5
  file path: /Users/krahulik/Mac_test/VirusesNonMaccpy/eicar.zip
  file size: 186
  last changed: 2014-02-28 13:59:23
  insertion time: 2014-03-20 11:20:48
  infection: EICAR Test-NOT virus!!!
  comment:

# Restore the chested file
"/Library/Application Support/Avast/components/chest/com.avast.chest" -r -x 08336D6A
Chest item '08336D6A' extracted from the chest

Thank you in advance,
Martin
« Last Edit: March 20, 2014, 11:27:03 AM by krahulik »
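The three steps Martin lists (remount read-write, disable the shield, list and restore) as one script that can be typed into single-user mode. This is an added example, not code from the post or from Avast: it assumes the chest binary path and the -I / -r -x flags exactly as quoted above, a listing in the format the post shows, and a hypothetical script name restore_chest.sh. The item is looked up by exact file path rather than by copying an ID by hand, and the shield config is backed up before it is overwritten.

```shell
#!/bin/sh
# Added example (not code from the Avast post): drive the com.avast.chest
# utility from single-user mode to restore a chested file by path.
# Assumptions: the binary path and the -I / -r -x flags are exactly those
# quoted in the post; the listing format is the one the post shows.

CHEST="/Library/Application Support/Avast/components/chest/com.avast.chest"
SHIELD_CONF="/Library/Application Support/Avast/config/com.avast.fileshield.conf"

# Constructed listing in the format the post shows (two EICAR test files),
# so the parser can be exercised without the Avast binary installed.
SAMPLE_LISTING='2 chest items:
Information about chest item ID=08336D6A
  file path: /Users/krahulik/Mac_test/VirusesNonMaccpy/eicar2.diet
  file size: 2125
  infection: EICAR Test-NOT virus!!!
  comment:

Information about chest item ID=5BF463C5
  file path: /Users/krahulik/Mac_test/VirusesNonMaccpy/eicar.zip
  file size: 186
  infection: EICAR Test-NOT virus!!!
  comment:'

# chest_id_for_path PATH   (listing text on stdin)
# Prints the chest item ID whose "file path:" equals PATH exactly. Exact
# match only: a substring match could restore the wrong item when several
# chested files share a name. Exit 1 if PATH is not in the chest.
chest_id_for_path() {
    awk -v want="$1" '
        /^Information about chest item ID=/ { sub(/.*ID=/, ""); id = $0; next }
        /^[ \t]*file path: / {
            sub(/^[ \t]*file path: /, "")
            if ($0 == want) { print id; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# disable_file_shield: keep the File System Shield from re-chesting the
# restored file on next access (the same edit the post describes). Saves a
# copy of the config first, because the redirect overwrites it.
disable_file_shield() {
    /sbin/mount -uw /
    [ -f "$SHIELD_CONF" ] && cp "$SHIELD_CONF" "$SHIELD_CONF.bak"
    printf 'ENABLED=0\n' > "$SHIELD_CONF"
}

# restore_by_path PATH: look PATH up in the live chest listing and extract it.
restore_by_path() {
    id=$("$CHEST" -I | chest_id_for_path "$1") || {
        printf 'no chest item for %s\n' "$1" >&2
        return 1
    }
    "$CHEST" -r -x "$id"
}

# Usage from single-user mode:  sh restore_chest.sh /usr/lib/some.dylib ...
# Does nothing unless paths are given and the Avast chest binary exists.
if [ "$#" -gt 0 ] && [ -x "$CHEST" ]; then
    disable_file_shield
    for p in "$@"; do
        restore_by_path "$p"
    done
fi
```

Restoring a file this way re-enables whatever the chested file was doing, so after the machine boots, re-enable the shield (put ENABLED=1 back, or restore the .bak copy) and remove whatever still references the file, as the later posts in this thread show was needed here.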

spikeychris

  • Guest
Hello,

Thanks very much for the reply. I have tried what you suggested and managed to get my Mac up and running. Interestingly, it wasn't the bootcache.playlist that was the issue, although the Mac previously got stuck there when trying to start up. The issue was caused by /usr/lib/libgenkit.dylib, which apparently is associated with Genieo, something I thought I had removed from my system after it decided to hide itself in another installer, but apparently it has its claws in different parts of the system as well. I'm going to attempt to remove the rest of the crap it left behind.

cheers,
Chris

spikeychris

  • Guest
OK, final solution I have worked out. The reason why it bricked my computer was that it put /usr/lib/libgenkit.dylib in the virus chest but didn't remove /private/etc/launchd.conf. When my computer was starting up, it was trying to launch the process /private/etc/launchd.conf but couldn't find /usr/lib/libgenkit.dylib, and so this bricked the computer.
« Last Edit: March 20, 2014, 12:35:41 PM by spikeychris »
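A check for the failure mode Chris describes, added here as an example and not code from the thread or from Avast: after a library has been chested, list every absolute path named in /private/etc/launchd.conf that no longer exists on disk, so a dangling reference is caught before the next reboot. The function names are mine, and the launchd.conf line used in the self-contained demo is constructed on the assumption that Genieo injected the library through a setenv DYLD_INSERT_LIBRARIES line; the thread itself does not show the file's contents.

```shell
#!/bin/sh
# Added example (not from the thread): detect a launchd.conf that still
# points at a file an AV tool has quarantined. launchd.conf (OS X up to 10.9)
# holds launchctl commands, one per line, so tokens are whitespace-separated.
# Assumption: the launchd.conf line in the demo below is constructed.

# launchd_conf_dangling_refs CONF
# Prints each absolute path mentioned in CONF (comment lines skipped) that
# does not exist on disk. Exit 0 if nothing dangles, 1 otherwise. Paths
# containing spaces are not handled, which matches the file's own syntax.
launchd_conf_dangling_refs() {
    conf="$1"
    [ -r "$conf" ] || return 0            # no file: nothing can dangle
    dangling=$(
        grep -v '^[[:space:]]*#' "$conf" | tr ' \t' '\n\n' | grep '^/' | sort -u |
        while IFS= read -r p; do
            [ -e "$p" ] || printf '%s\n' "$p"
        done
    )
    [ -z "$dangling" ] && return 0
    printf '%s\n' "$dangling"
    return 1
}

# Constructed scenario mirroring the thread, in a throwaway directory:
# a stand-in library, a launchd.conf that names it, then "quarantine" it.
# Returns "ok dangling": clean before the file is removed, dangling after.
demo_dangling_after_quarantine() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/lib"
    : > "$d/usr/lib/libgenkit.dylib"      # stand-in for the chested library
    # Constructed line (an assumption about what Genieo wrote; the thread
    # does not show it): load the library into every process via launchd.
    printf 'setenv DYLD_INSERT_LIBRARIES %s/usr/lib/libgenkit.dylib\n' \
        "$d" > "$d/launchd.conf"
    if launchd_conf_dangling_refs "$d/launchd.conf" >/dev/null; then
        before=ok
    else
        before=dangling
    fi
    rm "$d/usr/lib/libgenkit.dylib"       # what chesting the file does to the path
    if launchd_conf_dangling_refs "$d/launchd.conf" >/dev/null; then
        after=ok
    else
        after=dangling
    fi
    rm -rf "$d"
    printf '%s %s\n' "$before" "$after"
}

# Real check on a booted or single-user Mac (silent, exit 0 when clean):
#   launchd_conf_dangling_refs /private/etc/launchd.conf
```

If the check reports the chested library, either restore the library from the chest (as in Martin's steps) or remove the line that names it from launchd.conf before rebooting; leaving both as they are reproduces the stalled boot described above.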

Offline krahulik

  • Avast team
  • Sr. Member
  • *
  • Posts: 285
Ok,
  thank you for letting us know. I'm glad that this helped, and we will think about how we can prevent such issues in the future. Btw, here is some information about the Genieo malware issue: https://en.wikipedia.org/wiki/Genieo

Best Regards,
  Martin

spikeychris

  • Guest
Thanks. I don't know if it's possible, but the best solution would be to make sure Avast quarantines the library file and the conf file /private/etc/launchd.conf at the same time, because if it doesn't do both it will brick the computer.