Hoping to find out why Avast destroyed every program in my computer. Here are my log files.
More info / details
What happened? Any messages from Avast, and what did they say?
And your Malwarebytes log is empty.
Well, I started getting messages about a svchost.exe file being Win32:Gardih… eventually, for every application I tried loading, Avast would show it as Win32:Gardih and would refuse to let me open it unless I turned off Avast. Even in some cases with Avast turned off it wouldn’t allow me to open it, like applications that used the Internet. It was at this point I ran a virus scan, and it deleted most of my executable files, claiming they were trojans, and it even deleted some Avast files claiming they were trojans. Only a few programs didn’t get touched, like TeamSpeak 3 and Google Chrome. It deleted all my software drivers, audio drivers, everything. All from this one virus scan. So now I have to reinstall everything. I originally posted in one of the other sections, and they told me to post here with all my log files.
Win32:Gardih = Virus:Win32/Jeefo (Microsoft name)
Seems you have a file infector … this is like computer cancer, it spreads to every file.
This may end with a format/reinstall :-\
I will notify a malware expert who will assist you … it may take some time before anyone is online.
Something to read about file infectors:
Miekiemoes - Director of Research @ Malwarebytes
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html
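A file infector, as described above, changes executables that were already on disk, which is why an on-demand scan suddenly flags programs that were clean before. One way a defender can see that damage for themselves is a baseline-and-compare integrity check over executable files. The script below is an added example written for this thread; it is not from the thread, Avast, Malwarebytes or FRST. It assumes a suffix list for the file types of interest and builds its sample directory in a temp folder, with one binary altered after the baseline to stand in for an infected file.

```python
"""Baseline-and-compare integrity check for executables (added example)."""
import hashlib
import tempfile
from pathlib import Path

# File types a PE file infector typically targets; assumption for this example.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".sys"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> (sha256, size) for every executable under root."""
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[str(p.relative_to(root))] = (sha256_of(p), p.stat().st_size)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two inventories.

    'modified' entries carry (path, old_size, new_size): a hash change combined
    with growth is what an infector that appends code to a host file looks like.
    """
    report = {"modified": [], "added": [], "removed": []}
    for rel, (digest, size) in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel][0] != digest:
            report["modified"].append((rel, baseline[rel][1], size))
    for rel in baseline:
        if rel not in current:
            report["removed"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: three files, one executable altered after the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 100)   # 102 bytes, constructed
        (root / "lib.dll").write_bytes(b"MZ" + b"\x01" * 50)
        (root / "readme.txt").write_bytes(b"not an executable")  # ignored by suffix filter
        before = build_baseline(root)
        # Stand-in for an infector appending code to one host binary (constructed).
        with (root / "app.exe").open("ab") as fh:
            fh.write(b"\xcc" * 40)
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    result = demo()
    for rel, old_size, new_size in result["modified"]:
        print(f"MODIFIED {rel}: {old_size} -> {new_size} bytes")
    print("added:", result["added"], "removed:", result["removed"])
```

In practice the baseline would be taken from a known-clean install (or from the vendor's published hashes) and stored off the machine, since an infector that can touch every executable can also touch a baseline file kept locally.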
Go to your chest, find a file named that and Restore it. Can you then upload the file to www.wikisend.com? I would like to do some research with this virus.
Thanks,
Michael
Edit: It might REALLY help if you didn’t torrent…
Edit 2: File: C:\Users\Christopher\Desktop\Games\LOLPBE\RADS\projects\lol_game_client\releases\0.0.0.20\deploy\BsSndRpt.exe …
Find that and upload it to www.wikisend.com. Don’t worry about any other files… Someone (Essex most likely) will help you.
PS: When I say I’ve gotten it, edit the post and wipe the link so people don’t get nailed by this.
Personally I would wipe the computer and start again. However, I will attempt a clean-up if you wish.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKLM-x32\...\Winlogon: [Userinit] userinit.exe,c:\users\christopher\desktop\games\private server or game background music\star-sro\mbotloadersrvsrvsrvsrvsrvsrvsrvsrvsrvsrvsrvsrvsrvsrv.exe, [X]
AppInit_DLLs-x32: c:\progra~2\browse~1\sprote~1.dll => "c:\progra~2\browse~1\sprote~1.dll" File Not Found
AppInit_DLLs-x32: C:\Users\CHRIST~1\Desktop\Games\PRIVAT~1\Star-SRO\detour.dll => "C:\Users\CHRIST~1\Desktop\Games\PRIVAT~1\Star-SRO\detour.dll" File Not Found
ProxyServer: [S-1-5-21-635899017-1151857628-4002036535-1000] => http=;ftp=;https=;
HKU\S-1-5-21-635899017-1151857628-4002036535-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.speedbit.com/?s=E85aya1
SearchScopes: HKLM -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&appid=421&systemid=406&sr=0&q={searchTerms}
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&appid=421&systemid=406&sr=0&q={searchTerms}
SearchScopes: HKU\S-1-5-21-635899017-1151857628-4002036535-1000 -> {0120C8DD-F579-40C7-9B30-178A4F6E4ED0} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=kw&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=2908B223-1595-4748-B4D0-B8526326CC35&apn_sauid=E5E27F45-0A6B-4503-B35F-86B0BFFEE78B
SearchScopes: HKU\S-1-5-21-635899017-1151857628-4002036535-1000 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKU\S-1-5-21-635899017-1151857628-4002036535-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://rocket-find.com/results.php?f=4&q={searchTerms}&a=ir_14_16_ch&cd=2XzuyEtN2Y1L1QzuyCyE0DyE0D0AyCtCyCyDyCzz0ByEyEyDtN0D0Tzu0SzzyEtDtN1L2XzutBtFtBtBtFtDtFyBtN1L1Czu0R1F1R1J1P2ZtN1L1G1B1V1N2Y1L1Qzu2StAyEyB0CtAyD0FyBtGtDyEtDtCtGyC0E0DzztG0FyByD0EtGyE0E0F0FyC0E0CyD0C0CzyyD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyDtDyCtAtDtAyDzztGtDyE0EtCtG0Bzz0AyEtG0CzztCzytGtCtA0B0A0AzzzyyCtA0CzyyC2Q&cr=1441816603&ir=
SearchScopes: HKU\S-1-5-21-635899017-1151857628-4002036535-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={600AE2FD-3D4B-4FE7-AD8A-5AF01178BD7C}&mid=d4464591387447d19988fd087e8499b2-3b7aeb26e31b13a7c13bb44baf336ddb0c9d627e&lang=en&ds=AVG&pr=fr&d=2012-06-14 07:47:27&v=11.1.0.7&sap=dsp&q={searchTerms}
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO-x32: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM-x32 - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} - No File
Toolbar: HKU\S-1-5-21-635899017-1151857628-4002036535-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-635899017-1151857628-4002036535-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - No File
CHR StartupUrls: Default -> "hxxp://go.speedbit.com/?s=E85aya1"
CHR HKLM\...\Chrome\Extension: [kembfcmnocipgabpfmkeannjggpjaeak] - C:\Users\CHRIST~1\AppData\Local\speedial.crx [Not Found]
CHR HKU\S-1-5-21-635899017-1151857628-4002036535-1000\...\Chrome\Extension: [kembfcmnocipgabpfmkeannjggpjaeak] - C:\Users\CHRIST~1\AppData\Local\speedial.crx [Not Found]
CHR HKU\S-1-5-21-635899017-1151857628-4002036535-1000\...\Chrome\Extension: [mmlkabjddkpgkgfhdhpimhcbonapngoh] - C:\Users\Christopher\AppData\Local\CRE\mmlkabjddkpgkgfhdhpimhcbonapngoh.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [kembfcmnocipgabpfmkeannjggpjaeak] - C:\Users\CHRIST~1\AppData\Local\speedial.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [mmlkabjddkpgkgfhdhpimhcbonapngoh] - C:\Users\Christopher\AppData\Local\CRE\mmlkabjddkpgkgfhdhpimhcbonapngoh.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\AVG Secure Search\ChromeExt\18.1.0.443\avg.crx [2014-04-27]
CHR HKLM-x32\...\Chrome\Extension: [pbmbgangfmfbhnngbdgkplhjnfoaeihd] - C:\Program Files (x86)\i-beta\Extensions\Chrome\i-beta.crx [2013-08-22]
R2 vToolbarUpdater18.1.9; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe [1820184 2014-08-11] (AVG Secure Search)
S3 X6va005; \??\C:\Users\CHRIST~1\AppData\Local\Temp\005BEF0.tmp [X]
S3 X6va008; \??\C:\Windows\SysWOW64\Drivers\X6va008 [X]
S3 X6va013; \??\C:\Windows\SysWOW64\Drivers\X6va013 [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
2015-02-17 03:11 - 2015-02-17 03:11 - 00003056 _____ () C:\Windows\System32\Tasks\{177676FA-6E0B-4D17-B2BD-53C76644FC37}
2015-02-17 02:26 - 2015-02-17 02:26 - 00000000 ____D () C:\ProgramData\APN
2015-02-14 01:07 - 2015-02-14 01:07 - 00000000 ____D () C:\Users\Christopher\AppData\Local\{5A63922A-F833-425C-BFE3-149C11B051E2}
2015-02-13 18:57 - 2015-02-13 18:57 - 00000000 ____D () C:\Users\Christopher\AppData\Local\{E5457E56-6505-47CC-92A4-DE46621DC509}
2015-02-11 13:21 - 2015-02-11 13:21 - 00003270 _____ () C:\Windows\System32\Tasks\{70B45499-04D0-4157-A457-411B6EA7705D}
2015-02-17 22:57 - 2013-08-11 20:29 - 00000000 ____D () C:\ProgramData\sayvensohaore
C:\Users\Christopher\jagex_cl_runescape_LIVE.dat
C:\Users\Christopher\jagex_cl_speccollect_LIVE.dat
C:\Users\Christopher\random.dat
C:\Users\Christopher\uid.dat
Task: {0724A041-0CE5-4C6E-8933-3DA6C57CD6D2} - System32\Tasks\{A9A9FD64-3294-4660-B73E-01D031633E0B} => Chrome.exe
Task: {0A64A260-591D-4AAA-96C5-59FA85A21938} - \BackgroundContainer Startup Task No Task File <==== ATTENTION
Task: {0A978661-CFF5-48D3-ADB4-B973F5EEF6AC} - System32\Tasks\{C7EA030C-2632-4646-8ACC-2D76D44BF7F9} => Chrome.exe
Task: {4156F755-82B7-4253-AA5F-0FC9D432EE86} - System32\Tasks\SBWUpdateTask_Time_cb5b445-64D4DA616568 => C:\Program Files\Common Files\SpeedBit\SBUpdate\SBUpdate.exe <==== ATTENTION
Task: {4E9931DF-E0F5-4938-B477-E41D6E7DC1CB} - System32\Tasks\SBWUpdateTask_Logon_cb5b445-64D4DA616568 => C:\Program Files\Common Files\SpeedBit\SBUpdate\SBUpdate.exe <==== ATTENTION
Task: {4FD57B58-9AF4-418C-9CDB-7752B974A54C} - System32\Tasks\Rocket Updater => C:\Users\CHRIST~1\AppData\Roaming\ROCKET~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\Rocket Updater.job => C:\Users\CHRIST~1\AppData\Roaming\ROCKET~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
HKU\S-1-5-21-635899017-1151857628-4002036535-1000\Software\Classes\.exe: exefile => <===== ATTENTION!
HKU\S-1-5-21-635899017-1151857628-4002036535-1000\Software\Classes\exefile: <===== ATTENTION!
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt in the same location as FRST.exe.
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix.
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
FINALLY
Download and install ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks.
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
Here are the 2 files you asked me to upload.
Other uploads for ComboFix and AdwCleaner
I don’t understand why the Rz file is a “virus”… I see it’s the same file infector type, but it’s a regular download from a very popular game.
Do you mean BsSndRpt.exe ?
Those files come from your infected computer; they are now injected with malicious code from the file infector.
So I should go delete that entire file. Hahaha. Might be a good idea…
Did you read the info link above about file infectors?
And read essexboy’s post again …
What problems are you experiencing at the moment ?
Well, at the moment I’m just experiencing occasional lag from explorer.exe. Other than that, nothing is too bad.
I would start all over again if I had the disk to do it; when I ordered my laptop they didn’t include a backup disk. So I’m stuck where I’m at until I can get a disk.
Laptops normally come with a restore partition.
Check if yours has one.
Touché Eddy, nice catch. Mine does. Didn’t think about that. Would I use the boot application or the recovery application?
I would say restore it to factory default and take it from there.