Hi
Avast rocks. I use 3D applications extensively and over the years I found Avast, which has a reputation for non-obtrusive protection. The web shield is excellent and I don’t know what I would do without it.
A search here would not let me get info on the issue of autostarting.
Win 7 pro
Uninstalled Avast 7.0 and chose repair. I get a notification that avast will start at computer startup, but it doesn’t happen.
Scanned comp with Avast, Malwarebytes, Spybot with system backup disabled. I believe I recently had a desktop.ini virus but thought I killed it.
Any help appreciated.
Malware associated with desktop.ini has been shown to require specialist cleaning, see #### below.
There is no autostart as such; since avast is a resident application, it should start on boot. Whilst spybot shouldn’t be an issue, it does have issues in relation to startup items, namely the avast tray icon (avastUI.exe), but that isn’t the main avast service (avastSvc.exe). Are either of these running in task manager?
That said personally I would uninstall spybot and replace it with malwarebytes antimalware (MBAM).
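An added check, not part of this thread or of avast's own tooling, that answers the question above from a PowerShell prompt on Windows 7: it reports whether the avastSvc.exe service and the avastUI.exe tray icon are running, what the service's start mode is (this is what decides whether it comes up on boot), and whether a tray-icon entry exists in the machine Run key. The 'avast' name filters and the Run-key location are assumptions; the two process names come from the post.

```powershell
# Added example (not from the forum post): report the startup state of the
# avast service and tray icon named in the thread. Works on Windows 7 / PS 2.0.

function Get-AvastStartupState {
    # Main service. Win32_Service exposes StartMode (Auto/Manual/Disabled),
    # which Get-Service alone does not show. Name filter is an assumption.
    $services = Get-WmiObject Win32_Service -Filter "Name LIKE 'avast%' OR DisplayName LIKE 'avast%'"
    if ($services) {
        foreach ($s in $services) {
            New-Object PSObject -Property @{
                Item      = "service $($s.Name)"
                State     = $s.State
                StartMode = $s.StartMode
            }
        }
    } else {
        New-Object PSObject -Property @{ Item = 'service'; State = 'none registered'; StartMode = '' }
    }

    # Processes named in the thread: avastSvc (the protection) and avastUI (only the tray icon).
    foreach ($name in 'avastSvc', 'avastUI') {
        $proc = Get-Process -Name $name -ErrorAction SilentlyContinue
        $state = 'not running'
        if ($proc) { $state = 'running (PID ' + (($proc | ForEach-Object { $_.Id }) -join ',') + ')' }
        New-Object PSObject -Property @{ Item = "process $name.exe"; State = $state; StartMode = '' }
    }

    # The tray icon autostarts from the per-machine Run key (assumed location).
    # A missing entry here only affects the icon, not the service.
    $run   = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    $entry = @()
    if ($run) { $entry = @($run.PSObject.Properties | Where-Object { "$($_.Value)" -like '*avast*' }) }
    $state = 'absent'; $names = ''
    if ($entry.Count -gt 0) {
        $state = 'present'
        $names = ($entry | ForEach-Object { $_.Name }) -join ', '
    }
    New-Object PSObject -Property @{ Item = 'Run key entry for tray icon'; State = $state; StartMode = $names }
}

Get-AvastStartupState | Format-Table Item, State, StartMode -AutoSize
```

If the service shows StartMode = Auto but State = Stopped after a reboot, something is stopping it rather than the install having failed to register it, which is the kind of detail a malware removal specialist will want from the logs.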
This is likely to need further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
MBAM found a trojan called random. I included the scans asked for in the log primer. If you want me to post over at the virus and worms forum, let me know. If I missed anything on the scans regarding file format, or anything else, please let me know.
Here is the extras file. It was too big to send with the others.
After a restart Avast still isn’t auto starting. Manual start results in an auto update, which is good news. Avast warned me that Flash 10 was sent to quarantine. That was the source of the trojan, I believe. I had uninstalled it but I think it is still active. Further warnings:
Gpqoqu.exe (no google info). I found a BBMS_EXCEPTIONS.txt, which appears to be a virus, a smiley and a usb.inf in C:\users\computername\appdata\roaming
I have not deleted these as I am awaiting your advice according to the log primer info.
I also noticed that the System Volume Information folder stays locked on my C drive, even after disengaging system restore. I can’t take ownership of it and it’s a nice place for the viruses to hide. Also the same folder on my external drive will not be deleted.
I wouldn’t do too much on your own as some of these infections if not correctly removed could have a serious impact on the system.
The system volume information folder/s being part of system restore are likely to be protected, so I don’t know if you can take control/ownership of them.
In the meantime, whilst waiting for a malware removal specialist send the following files to avast for analysis:
C:\Users\kanga\AppData\Roaming\263452.exe and the Gpqoqu.exe you mentioned.
Send the sample/s to avast as an Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update. Note: manually adding to the chest doesn’t remove them from the original location, so they still have to be dealt with in that location.
Now run MBAM again and this time remove the C:\Users\kanga\AppData\Roaming\263452.exe detection.
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Looking at the log on restart, it looks like the instructions you gave OTL knocked the nasties on the head. Avast started itself up quite nicely on boot. There is still a System Volume Information folder containing a MountPointManagerRemoteDatabase system file and a tracking.log text file on my external HD. Both of those are locked and cannot be deleted. I can unlock the volume folder they are in but not delete it. On the C drive there is a locked $Recycle.Bin, MSOCache, Recovery and a System Volume Information folder, all of which are locked. System restore is off on all drives, so these volumes should not be locked, and a number of the folders I can see should not be there, I think. What is your opinion?
Yes, I have system restore off when scanning for viruses and malware, as I thought that is a place for them to hide. Usually switching restore off unlocks the folder for scanning. Things might have changed, however. The recycle bin folder and system volume folder on my external drive look suspicious, but it could be because I can see everything now.