After a year, I’m back with yet another problem. And again, it’s not my computer.
Windows 7 Home Premium, Avast currently installed but not running, same with MBAM.
This is my mother-in-law’s computer. She had Avast installed, and wound up getting a rogue antivirus program.
I don’t know the details exactly, but she managed to stop the fake AV from popping up anymore, but there are still issues. The registry had been changed to alter where the computer thinks %appdata% is located, which messed up installing/uninstalling programs. I fixed that issue, but MBAM won’t run (I just installed it) and Avast won’t run (service is stopped, cannot manually start it).
If someone is willing to point me in the direction of the right tools to scan this PC, I’ll provide the necessary logs.
Thanks in advance.
http://forum.avast.com/index.php?topic=53253.0
Follow this guide and post the logs.
Can’t attach OTL log, it’s too large.
Pastebin’d.
I’ve uninstalled a large amount of random programs.
The girl that also uses this computer…she downloads every fancy-looking game she sees online.
No common sense, no background research on these games.
“Oh, let’s download [game you haven’t heard of], that looks cute!”
She’s almost 16.
Hi Atani
I’m no malware specialist,
but this doesn’t look right to me:
O27 - HKLM IFEO\avastSvc.exe: Debugger - C:\Windows\SysWow64\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\avastUI.exe: Debugger - C:\Windows\SysWow64\svchost.exe (Microsoft Corporation)
CAUSE OF IT NOT OPENING
Modern malware can use this registry key to replace any process executed with itself. It’s a dirty little trick but it works both ways.
Your logs show loads of them.
I don’t know when a malware specialist is online, I think maybe tomorrow; you’re better off waiting until tomorrow 8)
Anthony
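As an added example (not code from the thread, from OTL, or from Avast), here is a small Python parser for the O27 lines in an OTL log that flags IFEO Debugger entries like the two quoted above. The line format is assumed from the entries in this post, and the allowlist of legitimate debuggers and the sample log are constructed.

```python
import re

# IFEO lives under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
# (plus the Wow6432Node mirror on 64-bit Windows). A "Debugger" value there makes Windows
# launch that path instead of the named image, which is how avastSvc.exe / avastUI.exe
# were being redirected to svchost.exe in this thread.
# Line format assumed from the O27 entries quoted in the thread.
O27_RE = re.compile(
    r"^O27 - (?P<hive>HKLM|HKCU) IFEO\\(?P<image>[^:]+): Debugger - "
    r"(?P<debugger>.+?)(?: \((?P<vendor>[^)]*)\))?\s*$"
)

# Constructed allowlist: debuggers that are legitimately registered under IFEO on some systems.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "ntsd.exe", "procdump.exe"}
# Constructed list of security-tool images that malware commonly targets this way.
SECURITY_IMAGES = {"avastsvc.exe", "avastui.exe", "mbam.exe", "mbamservice.exe"}


def parse_o27(line):
    """Return a dict for an O27 line, or None for any other OTL line."""
    m = O27_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["image"] = d["image"].lower()
    d["debugger_exe"] = d["debugger"].strip('"').rsplit("\\", 1)[-1].lower()
    return d


def assess(entry):
    """Return (verdict, reason); 'hijack' means the Debugger value redirects the image."""
    dbg = entry["debugger_exe"]
    if dbg in KNOWN_DEBUGGERS:
        return "benign", f"{dbg} is a known debugger"
    if dbg == "svchost.exe":
        return "hijack", "svchost.exe is never a debugger; the image is silently replaced"
    if entry["image"] in SECURITY_IMAGES:
        return "hijack", f"security tool {entry['image']} redirected to {dbg}"
    return "suspicious", f"unrecognised debugger {dbg}"


def scan_log(lines):
    """Walk OTL log lines and return (image, debugger, verdict, reason) for each O27 entry."""
    return [(e["image"], e["debugger"], *assess(e)) for e in map(parse_o27, lines) if e]


# Constructed sample: the two entries from the thread plus one benign JIT-debugger entry.
SAMPLE_LOG = """\
O23 - Service: avast! Antivirus - C:\\Program Files\\AVAST Software\\Avast\\AvastSvc.exe (AVAST Software)
O27 - HKLM IFEO\\avastSvc.exe: Debugger - C:\\Windows\\SysWow64\\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\\avastUI.exe: Debugger - C:\\Windows\\SysWow64\\svchost.exe (Microsoft Corporation)
O27 - HKLM IFEO\\notepad.exe: Debugger - "C:\\Tools\\vsjitdebugger.exe" ()
""".splitlines()

if __name__ == "__main__":
    for image, debugger, verdict, reason in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} {image:15} -> {debugger}  [{reason}]")
```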
I’m much farther from a malware specialist. I’m better at finding all the help I need to fix/change something for the better, but I understand this enough to see why that seems suspicious.
I wish I knew what the name of the fake AV was that kept coming up. I think it’s the same thing my fiancée got on her laptop. Anyway, a little more research and those registry entries are definitely bad. Removed all of them, and now MWB runs. After a scan, it returned a trojan.fakealert.
aswMBR and MWB logs attached.
Edit: The two registry keys shown in the MWB log were the only two I couldn’t delete.
Without being 100% sure…it cannot be the same rogue fake AV…as this malware changes on a daily basis…we have the rogues with different file hashes almost every day…how I wish we could have a sample to be submitted to avast! Your main problem is you don’t have an additional line of real-time protection.
You think I don’t have a sample to work with here? I haven’t submitted it yet, but I’m willing to if someone will give me the right link. My fiancée’s family is staying a couple of days, just visiting during the summer. They brought their computer with them so I could fix it.
Fake Edit: I realized, before I finished typing this, that MBAM might have deleted C:\Users\Loni\AppData\Local\sjhzbr.exe
Please submit the samples via e-mail to virus@avast.com with subject: undetected malwares
Keep the files zipped and password protected…and specify the password in the email body.
You can use 7-Zip to do so…
Preferable password: infected
and you can give a link to this topic in the e-mail too…add the file to your avast chest and scan the file after the next VPS, and if not detected right-click on the file in the chest and send it to the virus lab again, and then manually update the defs to send it…
@ Atani,
Thank you for posting your other logs, but what we really need are your OTL logs, then we can notify the malware removal specialist. There is no need to submit the file to Avast when you need help with malware removal on your machine.
Please attach the OTL file (there will be 2 of them) like you did with the others. Once you post them, the malware specialist will be along. He usually comes on the forum late UK time zone.
In the meantime, do not make changes to your machine, do not sync anything to your machine, and try not to use your machine. Thank you.
Edit: Essexboy (Malware Removal Expert) has been notified to monitor this thread and will respond once the OTL logs have been posted.
Why shouldn’t he submit the samples?
After all, he got infected with avast on there, and in turn we are helping avast in getting a rogue detected and protecting the other users against it who could be vulnerable…
@Atani
Please do submit them for analysis…this will help get future victims protected.
thank you.
He needs a malware specialist to help him/her remove it from his machine. There is a Sticky for users to follow directions as to what logs to attach to their posts in preparation for the specialists. In general, we do not submit them to Avast.
Let’s just leave it up to atani…if he wants to protect future victims he will upload them.
Hi there, let’s get it running first before we look at uploads.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Download the attached fix.txt to your desktop
Run OTL
- Press the Run Fix button
- A dialogue will open asking for the location of the fix.txt
- Navigate to and select it
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Eh, I think I only have “8481266688.quar” located in MBAM’s Quarantine folder.
And I’m not sure how to restore the file so I can zip it and send it. MBAM won’t let me.
See my second post in this thread for OTL logs. Here’s the Pastebin again.
I think this is the third time essexboy has helped me with malware…and only once was it on my own computer.
That’s the plan. If someone can walk me through making MBAM give the damn file back…
Can do. Thanks, and I’ll put the results in my next post.
Eh, I already removed all the registry keys by hand with regedit.
So I’ll just take that section out of the fix.txt
If they are gone it will not matter to run the fix as it is - OTL will not remove what isn’t there, it will just go on to the next bit.
I was a little worried that OTL was having issues. After I clicked Run Fix, supplied fix.txt, and clicked Run Fix again, it seemed to stop making progress, and the green bar at the bottom kept filling and emptying repeatedly for a good few minutes.
The resulting log is gonna be far too large to attach, so Pastebin’d again.
Sadly, avastSvc.exe and avastUI.exe still point to svchost.exe
I can’t manually delete those keys, nor could OTL.
Edit: Also, on a seemingly unrelated side note…I installed 7-Zip today on the affected machine and it wouldn’t add any archiving options to the right-click menu.
OK, let’s proceed now to stage two.
The OTL delay was because it was removing the junk files:
Total Files Cleaned = 3,560.00 mb
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
Combofix log attached. One of them, at least. Let me know if you want any of the other files it produced.
The computer itself is running fine, but it already was. The issue was not being able to run Avast because of the keys I couldn’t delete.
And of course, any other remaining effects of the malware that aren’t as obvious.
Is everything working as it should now, including Avast?