Avast Working In Enhanced Protection Mode ??

Problem: I can’t open the Avast user interface, Windows is booting in safe mode and sometimes normal mode, and Facebook access is blocked.

Could be some kind of virus or spyware or malware. My Facebook IM keeps sending those ‘hi, are you fine?’, ‘Do you wanna laugh?’ and that kind of stuff.

I need help here. What steps should I take or do?

Yep, this is an infection, quite the opposite of “enhanced protection”.

See here for the guide to get you started >> http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

RogueKiller V5.3.3 [08/18/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User: fazlina [Admin rights]
Mode: Remove – Date : 08/21/2011 14:19:25

Bad processes: 8
[HJ NAME] svchost.exe – c:\windows\update.5.0\svchost.exe → KILLED [TermProc]
[HJ NAME] svchost.exe – c:\windows\update.2\svchost.exe → KILLED [TermProc]
[SVCHOST] svchost.exe – c:\windows\update.5.0\svchost.exe → KILLED [TermProc]
[SUSP PATH] sysdriver32.exe – c:\windows\sysdriver32.exe → KILLED [TermProc]
[SVCHOST] svchost.exe – c:\windows\update.tray-7-0\svchost.exe → KILLED [TermProc]
[SUSP PATH] l1rezerv.exe – c:\windows\l1rezerv.exe → KILLED [TermProc]
[HJ NAME] svchost.exe – c:\windows\update.1\svchost.exe → KILLED [TermProc]
[SVCHOST] svchost.exe – c:\windows\update.2\svchost.exe → KILLED [TermProc]

Registry Entries: 26
[SUSP PATH] HKLM[…]\Run : wxpdrv (C:\Windows\services32.exe) → DELETED
[HJ NAME] HKLM[…]\Run : tray_ico0 (C:\Windows\update.tray-7-0\svchost.exe) → DELETED
[SUSP PATH] HKLM[…]\Run : 557726.exe (“C:\Users\fazlina\AppData\Local\Temp\557726.exe”) → DELETED
[SUSP PATH] HKLM[…]\Run : sysdriver32.exe (“C:\Windows\sysdriver32.exe” rezerv) → DELETED
[SUSP PATH] HKLM[…]\Run : sysdriver32_.exe (“C:\Windows\sysdriver32_.exe” rezerv) → DELETED
[SUSP PATH] HKLM[…]\Run : 9490933.exe (“C:\Windows\Temp\9490933.exe”) → DELETED
[SUSP PATH] HKLM[…]\Run : 8714823.exe (“C:\Users\fazlina\AppData\Local\Temp\8714823.exe”) → DELETED
[SUSP PATH] HKLM[…]\Run : 8738750.exe (“C:\Windows\Temp\8738750.exe”) → DELETED
[SUSP PATH] HKLM[…]\Run : l1rezerv.exe (“C:\Windows\l1rezerv.exe”) → DELETED
[SUSP PATH] HKLM[…]\Run : 9082760.exe (“C:\Windows\Temp\9082760.exe”) → DELETED
[SUSP PATH] HKCU[…]\RunServices : MicrosoftWindows (C:\Users\fazlina\AppData\Roaming\windows32.exe) → DELETED
[SUSP PATH] HKCU[…]\RunServicesOnce : MicrosoftWindows (C:\Users\fazlina\AppData\Roaming\windows32.exe) → DELETED
[BLACKLIST] HKLM[…]\services : srvbtcclient (C:\Windows\update.5.0\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srviecheck (C:\Windows\update.2\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srvsysdriver32 (C:\Windows\sysdriver32.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : wxpdrivers (C:\Windows\update.1\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srvbtcclient (C:\Windows\update.5.0\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srviecheck (C:\Windows\update.2\svchost.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : srvsysdriver32 (C:\Windows\sysdriver32.exe srv) → DELETED
[BLACKLIST] HKLM[…]\services : wxpdrivers (C:\Windows\update.1\svchost.exe srv) → DELETED
[HJ] HKLM[…]\System : EnableLUA (0) → REPLACED (1)
[HJ] HKLM[…]\Security Center : AntiVirusDisableNotify (1) → REPLACED (0)
[HJ] HKLM[…]\Security Center : FirewallDisableNotify (1) → REPLACED (0)
[HJ] HKLM[…]\Security Center : UpdatesDisableNotify (1) → REPLACED (0)
[HJ] HKLM[…]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) → REPLACED (0)
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)

Particular Files / Folders:

HOSTS File:
127.0.0.1 localhost
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
127.0.0.1 et-ee.facebook.com
127.0.0.1 en-gb.facebook.com
127.0.0.1 es-la.facebook.com
127.0.0.1 eo-eo.facebook.com
127.0.0.1 eu-es.facebook.com
127.0.0.1 tl-ph.facebook.com
127.0.0.1 fo-fo.facebook.com
[…]

Finished : << RKreport[1].txt >>

On completion of this you may need to run a repair of Avast.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Processes - Safe List]
YY -> svchostdriver.exe -> C:\Windows\update.7.1\svchostdriver.exe
[Win32 Services - Safe List]
YN -> (wxpdrivers) wxpdrivers [Unknown | Stopped] -> 
YN -> (srvsysdriver32) srvsysdriver32 [Unknown | Stopped] -> 
YN -> (srviecheck) srviecheck [Unknown | Stopped] -> 
YN -> (srvbtcclient) srvbtcclient [Unknown | Stopped] -> 
YY -> (ddservice) ddservice [Auto | Running] -> C:\Windows\update.7.1\svchostdriver.exe
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> 
YN -> HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://search.myfacesounds.com
YN -> HKEY_LOCAL_MACHINE\: URLSearchHooks\\"{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-308889232-4092686600-1910383354-1000\] > -> 
YN -> HKEY_USERS\S-1-5-21-308889232-4092686600-1910383354-1000\: URLSearchHooks\\"{038cb5c7-48ea-4af9-94e0-a1646542e62b}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> HKEY_USERS\S-1-5-21-308889232-4092686600-1910383354-1000\: URLSearchHooks\\"{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< HOSTS File > ([2011/08/21 14:04:51 | 000,202,984 | -H-- | M] - 100098 lines) -> C:\Windows\System32\drivers\etc\hosts
YN -> Reset Hosts -> 
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{09ec805c-cb2e-4d53-b0d3-a75a428b81c7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-308889232-4092686600-1910383354-1000\] > -> HKEY_USERS\S-1-5-21-308889232-4092686600-1910383354-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{038CB5C7-48EA-4AF9-94E0-A1646542E62B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{09EC805C-CB2E-4D53-B0D3-A75A428B81C7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{21FA44EF-376D-4D53-9B0F-8A89D3229068}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{30F9B915-B755-4826-820B-08FBA6BD249D}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "tray_ico" -> []
YN -> "tray_ico1" -> []
YN -> "tray_ico2" -> []
YN -> "tray_ico3" -> []
YN -> "tray_ico4" -> []
< Run [HKEY_USERS\S-1-5-21-308889232-4092686600-1910383354-1000\] > -> HKEY_USERS\S-1-5-21-308889232-4092686600-1910383354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "NVIDIA driver monitor" -> [c:\users\public\nvsvc32.exe]
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
YN -> "AlternateShell" -> services32.exe
[Files/Folders - Created Within 30 Days]
NY ->  update.7.1 -> C:\Windows\update.7.1
NY ->  update.2 -> C:\Windows\update.2
NY ->  ufa -> C:\Windows\ufa
NY ->  rpcminer -> C:\Windows\rpcminer
NY ->  phoenix -> C:\Windows\phoenix
NY ->  update.5.0 -> C:\Windows\update.5.0
NY ->  EventProviders -> C:\Windows\System32\EventProviders
NY ->  av_ico -> C:\Windows\av_ico
NY ->  update.1 -> C:\Windows\update.1
NY ->  update.tray-7-0-lnk -> C:\Windows\update.tray-7-0-lnk
NY ->  update.tray-7-0 -> C:\Windows\update.tray-7-0
[Files/Folders - Modified Within 30 Days]
NY ->  hîsts -> C:\Windows\System32\drivers\etc\hîsts
NY ->  info1 -> C:\Windows\info1
NY ->  phoenix.rar -> C:\Windows\phoenix.rar
NY ->  unrar.exe -> C:\Windows\unrar.exe
NY ->  ufa.rar -> C:\Windows\ufa.rar
NY ->  rpcminer.rar -> C:\Windows\rpcminer.rar
NY ->  l1rezerv.exe -> C:\Windows\l1rezerv.exe
NY ->  geoiplist.rar -> C:\Windows\geoiplist.rar
NY ->  loader2.exe_ok -> C:\Windows\loader2.exe_ok
NY ->  sysdriver32_.exe -> C:\Windows\sysdriver32_.exe
NY ->  sysdriver32.exe -> C:\Windows\sysdriver32.exe
NY ->  services32.exe -> C:\Windows\services32.exe
[Files - No Company Name]
NY ->  ufa.rar -> C:\Windows\ufa.rar
NY ->  rpcminer.rar -> C:\Windows\rpcminer.rar
NY ->  l1rezerv.exe -> C:\Windows\l1rezerv.exe
NY ->  info1 -> C:\Windows\info1
NY ->  geoiplist -> C:\Windows\geoiplist
NY ->  geoiplist.rar -> C:\Windows\geoiplist.rar
NY ->  unrar.exe -> C:\Windows\unrar.exe
NY ->  loader2.exe_ok -> C:\Windows\loader2.exe_ok
NY ->  sysdriver32_.exe -> C:\Windows\sysdriver32_.exe
NY ->  sysdriver32.exe -> C:\Windows\sysdriver32.exe
NY ->  services32.exe -> C:\Windows\services32.exe
[Custom Scans]
YY ->  svchost.exe : MD5=0CD76DB73F3108CDB413EE8239212ECE -> C:\Windows\update.2\svchost.exe
YY ->  svchost.exe : MD5=6EECAB7626BABA17DB082754B5E8C5CE -> C:\Windows\update.5.0\svchost.exe
YY ->  svchost.exe : MD5=AA72E1635B2CDBFFF923ADEF52B6D3B8 -> C:\Windows\update.1\svchost.exe
YY ->  svchost.exe : MD5=AA72E1635B2CDBFFF923ADEF52B6D3B8 -> C:\Windows\update.tray-7-0\svchost.exe
YY ->  svchost.exe : MD5=AA72E1635B2CDBFFF923ADEF52B6D3B8 -> C:\Windows\update.tray-7-0-lnk\svchost.exe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
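A read-only triage script, added here as an example and not part of the thread or of the RogueKiller/OTS tools, that checks a Windows machine for the four kinds of tampering the logs above show: non-localhost names pinned to 127.0.0.1 in the HOSTS file, svchost.exe running outside System32, Run entries pointing at Temp folders or loose executables under C:\Windows, and the SafeBoot AlternateShell / EnableLUA / Security Center notification values that were changed. It assumes an elevated PowerShell prompt and treats cmd.exe as the expected AlternateShell; the Run-key pattern is a heuristic, so review each hit before acting on it.

```powershell
# Read-only triage of the tampering pattern seen in the logs above (added example, not RogueKiller/OTS output).
# Assumes an elevated PowerShell prompt on Windows; nothing is changed, findings are only printed.
$findings = @()

# 1. HOSTS file: the log showed facebook.com and its locale subdomains pinned to 127.0.0.1.
#    Any loopback entry for a name other than localhost is reported.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content -Path $hostsPath -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_ -match '^\s*(127\.0\.0\.1|::1)\s+(\S+)' -and $Matches[2] -notmatch '^localhost(\.localdomain)?$') {
        $findings += "HOSTS pins $($Matches[2]) to loopback"
    }
}

# 2. svchost.exe must live in System32 (or SysWOW64); the log had copies under C:\Windows\update.*.
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and $_.Path -notmatch '\\Windows\\(System32|SysWOW64)\\svchost\.exe$') {
        $findings += "svchost.exe running from $($_.Path) (PID $($_.Id))"
    }
}

# 3. Run keys: the log's entries pointed at Temp folders, C:\Windows\update.* and loose .exe files in C:\Windows.
#    This is a heuristic; review each hit before acting on it.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $entries = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $entries) { continue }
    foreach ($prop in $entries.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($prop.Value)" -match '\\Temp\\|\\Windows\\update\.|\\Windows\\[^\\]+\.exe') {
            $findings += "Run entry '$($prop.Name)' -> $($prop.Value) [$key]"
        }
    }
}

# 4. Policy tampering seen in the log: SafeBoot shell replaced, UAC off, Security Center alerts silenced.
$safeBoot = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot' -ErrorAction SilentlyContinue
if ($safeBoot.AlternateShell -and $safeBoot.AlternateShell -ne 'cmd.exe') {
    $findings += "SafeBoot AlternateShell is '$($safeBoot.AlternateShell)' (expected cmd.exe)"
}
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($policy.EnableLUA -eq 0) { $findings += 'UAC disabled (EnableLUA = 0)' }
$secCenter = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($name in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    if ($secCenter.$name -eq 1) { $findings += "Security Center $name = 1 (notifications suppressed)" }
}

if ($findings.Count -eq 0) { Write-Output 'No indicators from the log pattern found.' }
else { $findings | ForEach-Object { Write-Output "[!] $_" } }
```

On the machine in this thread the script would have reported the facebook.com HOSTS entries, the svchost.exe copies under C:\Windows\update.*, the Temp and sysdriver32 Run entries, AlternateShell = services32.exe and EnableLUA = 0, which is exactly what the RogueKiller and OTS logs list.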

Thank you so much for the help essexboy.

I don’t understand ‘On completion of this you may need to run a repair of Avast’. I’m quite blur with that. Does that mean that I need to install Avast back?

This is the information of the log of actions taken during the fix.

I don't understand 'On completion of this you may need to run a repair of Avast'. I'm quite blur with that. Does that mean that I need to install Avast back?
If your avast install is damaged...

avast repair
For a repair of avast: Windows, Add/Remove Programs, select ‘avast! Anti-Virus’, click the Change/Remove button from the pop-up window, scroll down to Repair, click Next and follow.

That is correct as this malware damages Avast

What problems are still there?

Owh, I did a repair of Avast already and also the fix essexboy gave me. So, what is my next step?

Did the repair work?
If not, you will need to reinstall avast; it may be best to do a clean reinstall.

  • Download the latest version of avast, 6.0.1203 http://files.avast.com/iavs5x/setup_av_free.exe and save it to your HDD, somewhere you can find it again (if you didn’t save your last download). Use that when you reinstall.

  • Download the avast! Uninstall Utility, aswClear.exe find it here and save it to your HDD (it has uninstall tools for both 5.x and 6.0.x).

    1. Now uninstall avast! (using add remove programs, if you can’t do that start from the next step), reboot.
    2. Run the avast! Uninstall Utility from safe mode, first for 5.x if previously installed and then for 6.0, once complete reboot into normal mode.
    3. Install the latest version, reboot.

What problems remain ?

Please download Malwarebytes’ Anti-Malware

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.