I ran a boot time scan on an infected computer and it had deleted a few things. When it finished the scan and restarted, it won’t boot anymore. It goes into a boot loop which tries to run Recovery tools but that fails too.
It’s Vista Home Premium x64. I Googled where to find boot time scan logs and booted into Ubuntu to find them and see what was deleted exactly. One site said to find them at:
C:/Program Data/Avast Software/Avast/Report/aswBoot.txt
I did find an aswBoot.log file in that location, but it was completely useless. There was no log of files deleted. Is there another way to remotely view log files?
Nevermind, the logs were there. I was in the Log folder, not the Report folder. However, I still need help deciphering what was deleted that needs to be restored.
12/03/2011 10:25
Scan of all local drives
File C:\HP\BIN\EndProcess.exe is infected by Win32:KillApp-W [PUP], Deleted
File C:\Users\p&p\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\63562ec0-1dfe8300|>photo\Crop.class is infected by Java:Agent-ACY [Expl], Deleted
File C:\Users\p&p\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\63562ec0-1dfe8300|>photo\ExtResolution.class is infected by Java:Agent-ACL [Expl], Deleted
File C:\Users\p&p\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\63562ec0-1dfe8300|>photo\Image.class is infected by Java:Agent-ADX [Expl], Deleted
File C:\Users\p&p\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\63562ec0-1dfe8300|>photo\MultiZoom.class is infected by Java:Agent-ACM [Expl], Deleted
File C:\Users\p&p\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\63562ec0-1dfe8300|>photo\Zoom.class is infected by Java:Agent-ACN [Expl], Deleted
File C:\Users\p&p\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\2a68dcdf-69af1689|>morale.class is infected by Java:CVE-2011-3544-J [Expl], Deleted
File C:\Users\p&p\Desktop\_standard_loadout\LibO_3.4.2_Win_x86_install_multi.exe|>$INSTDIR\libreoffice1.cab|>standard6.bau|>+BCEEHQQUBB8-\atevent.xml Error 42125 {ZIP archive is corrupted.}
File C:\Users\p&p\Desktop\_standard_loadout\LibO_3.4.2_Win_x86_install_multi.exe|>$INSTDIR\libreoffice1.cab|>standard6.bau|>+BCEEFA-\atevent.xml Error 42125 {ZIP archive is corrupted.}
File C:\Users\p&p\Desktop\_standard_loadout\LibO_3.4.2_Win_x86_install_multi.exe|>$INSTDIR\libreoffice1.cab|>template6.bau|>+BBcEEQ-1+BCE-\Pictures\2000001B00000CD200000CED63AA5866.svm Error 42125 {ZIP archive is corrupted.}
File C:\Users\p&p\Desktop\_standard_loadout\LibO_3.4.2_Win_x86_install_multi.exe|>$INSTDIR\libreoffice1.cab|>template6.bau|>+BBcEEQQU-\Pictures\2000001B00000CD200000CED63AA5866.svm Error 42125 {ZIP archive is corrupted.}
File C:\Windows\assembly\GAC_32\Desktop.ini is infected by Win32:Sirefef-FQ [Drp], Deleted
File C:\Windows\assembly\temp\kwrd.dll|>[UPX] is infected by Win32:PUP-gen [PUP], Deleted
File C:\Windows\assembly\temp\U\00000002.@|>[Embedded_R#00290]|>[UPX] is infected by Win32:PUP-gen [PUP], Deleted
File C:\Windows\assembly\temp\U\80000032.@ is infected by Win32:DNSChanger-VJ [Trj], Deleted
File C:\Windows\SoftwareDistribution\Download\5c921ff8e325b532a35b10a0eddd3ac5\BIT7561.tmp|>amd64_wpf-xamlviewerapplicationmanifest_31bf3856ad364e35_6.0.6001.22208_none_c5357433a2505597\xamlviewer_v0300.exe.manifest Error 42127 {CAB archive is corrupted.}
Number of searched folders: 33634
Number of tested files: 916960
Number of infected files: 11
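Added example (not from this thread, and not Avast's own code): a small Python parser for the aswBoot report format quoted above. Each detection line has the shape `File <path> is infected by <threat> [<tag>], <action>`, error lines have the shape `File <path> Error <code> {<message>}`, and `|>` separates a file on disk from members nested inside it (jar, cab, UPX-packed executable). The parser recovers the distinct on-disk files the scan removed, cross-checks them against the report's own "Number of infected files" line, and lists the deletions under C:\Windows, which are the ones worth looking at first when a boot failure follows the scan. Two assumptions are made here and are not stated in the thread: the wording of the tag expansions, and that a "Deleted" action on a nested member affects the container file on disk. The report text is copied from the log above, with the repeated LibreOffice/CAB error lines trimmed to one each.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Report text copied from the aswBoot log quoted in the thread above (the
# repeated LibreOffice/CAB error lines trimmed to one each), embedded here
# so the example runs offline.
SAMPLE_REPORT = r"""
12/03/2011 10:25
Scan of all local drives
File C:\HP\BIN\EndProcess.exe is infected by Win32:KillApp-W [PUP], Deleted
File C:\Users\p&p\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\63562ec0-1dfe8300|>photo\Crop.class is infected by Java:Agent-ACY [Expl], Deleted
File C:\Users\p&p\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\63562ec0-1dfe8300|>photo\ExtResolution.class is infected by Java:Agent-ACL [Expl], Deleted
File C:\Users\p&p\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\63562ec0-1dfe8300|>photo\Image.class is infected by Java:Agent-ADX [Expl], Deleted
File C:\Users\p&p\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\63562ec0-1dfe8300|>photo\MultiZoom.class is infected by Java:Agent-ACM [Expl], Deleted
File C:\Users\p&p\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\63562ec0-1dfe8300|>photo\Zoom.class is infected by Java:Agent-ACN [Expl], Deleted
File C:\Users\p&p\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\2a68dcdf-69af1689|>morale.class is infected by Java:CVE-2011-3544-J [Expl], Deleted
File C:\Users\p&p\Desktop\_standard_loadout\LibO_3.4.2_Win_x86_install_multi.exe|>$INSTDIR\libreoffice1.cab|>standard6.bau|>+BCEEHQQUBB8-\atevent.xml Error 42125 {ZIP archive is corrupted.}
File C:\Windows\assembly\GAC_32\Desktop.ini is infected by Win32:Sirefef-FQ [Drp], Deleted
File C:\Windows\assembly\temp\kwrd.dll|>[UPX] is infected by Win32:PUP-gen [PUP], Deleted
File C:\Windows\assembly\temp\U\00000002.@|>[Embedded_R#00290]|>[UPX] is infected by Win32:PUP-gen [PUP], Deleted
File C:\Windows\assembly\temp\U\80000032.@ is infected by Win32:DNSChanger-VJ [Trj], Deleted
File C:\Windows\SoftwareDistribution\Download\5c921ff8e325b532a35b10a0eddd3ac5\BIT7561.tmp|>amd64_wpf-xamlviewerapplicationmanifest_31bf3856ad364e35_6.0.6001.22208_none_c5357433a2505597\xamlviewer_v0300.exe.manifest Error 42127 {CAB archive is corrupted.}
Number of searched folders: 33634
Number of tested files: 916960
Number of infected files: 11
"""

# Tag expansions are an assumption of this example (the usual reading of the
# bracketed tags), not something the thread states.
TAG_MEANING = {"PUP": "potentially unwanted program", "Expl": "exploit",
               "Drp": "dropper", "Trj": "trojan"}

INFECTED_RE = re.compile(
    r"^File (?P<path>.+) is infected by (?P<threat>\S+) \[(?P<tag>[^\]]+)\], (?P<action>\w+)$")
ERROR_RE = re.compile(r"^File (?P<path>.+) Error (?P<code>\d+) \{(?P<msg>[^}]*)\}$")
SUMMARY_RE = re.compile(r"^Number of (?P<what>.+): (?P<n>\d+)$")


@dataclass(frozen=True)
class Detection:
    container: str  # the file that exists on disk (path up to the first "|>")
    member: str     # nested archive/packer member after "|>", "" for a plain file
    threat: str
    tag: str
    action: str


@dataclass(frozen=True)
class ScanError:
    container: str
    member: str
    code: int
    message: str


def split_path(path):
    """Split 'disk-file|>member|>member' into (disk-file, 'member|>member')."""
    container, _, member = path.partition("|>")
    return container, member


def parse_report(text):
    """Return (detections, errors, summary) for one aswBoot report."""
    detections, errors, summary = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := INFECTED_RE.match(line):
            c, member = split_path(m["path"])
            detections.append(Detection(c, member, m["threat"], m["tag"], m["action"]))
        elif m := ERROR_RE.match(line):
            c, member = split_path(m["path"])
            errors.append(ScanError(c, member, int(m["code"]), m["msg"]))
        elif m := SUMMARY_RE.match(line):
            summary[m["what"]] = int(m["n"])
        # header lines ("Scan of all local drives", the timestamp) and blanks are skipped
    return detections, errors, summary


def summary_matches(detections, summary):
    """Cross-check the per-line detections against the report's own count;
    a mismatch suggests a truncated or partially copied log."""
    return summary.get("infected files") == len(detections)


def deleted_files(detections):
    """Distinct on-disk files touched by a 'Deleted' action. A member inside a
    jar, cab or packed executable is not a separate file on disk, so the
    container is what has to be looked for or restored (assumption: the
    action applies to the container)."""
    files = []
    for d in detections:
        if d.action == "Deleted" and d.container not in files:
            files.append(d.container)
    return files


def system_area_deletions(detections, roots=(r"C:\Windows",)):
    """Deletions under Windows system directories; when a boot failure follows
    the scan, these are the entries to review first."""
    prefixes = tuple(r.lower() for r in roots)
    return [d for d in detections
            if d.action == "Deleted" and d.container.lower().startswith(prefixes)]


def tag_breakdown(detections):
    """How many detections fall in each bracketed category."""
    return Counter(d.tag for d in detections)


if __name__ == "__main__":
    dets, errs, summ = parse_report(SAMPLE_REPORT)
    print("summary consistent:", summary_matches(dets, summ))
    for tag, n in tag_breakdown(dets).items():
        print(f"{n:3d} x [{tag}] {TAG_MEANING.get(tag, 'unknown')}")
    print("files removed from disk:")
    for f in deleted_files(dets):
        print("  ", f)
    print("system-area deletions:")
    for d in system_area_deletions(dets):
        print(f"   {d.container}  ({d.threat})")
    for e in errs:
        print(f"not scanned: {e.container}  error {e.code}: {e.message}")
```

Run against the full report, the output separates the seven files that are actually gone from disk (the HP tool, two Java cache entries, four files under C:\Windows\assembly) from the nested-member noise, and shows that the two "archive is corrupted" lines are unscanned content rather than deletions.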
The PUP (Potentially Unwanted Program) isn’t an issue as it is a legit HP file in this location; it is getting flagged because its purpose is to End Processes and avast isn’t to know if that purpose is for good or evil, hence the PUP classification.
You probably have an old version of JAVA which can be exploited, I would suggest for now that you clear the JAVA cache and uninstall this version. Later you can download and install the latest version - I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.
However this one is of a more serious nature and you will need the help of a malware removal specialist.
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and attach the logs here, not in the LOGS topic.
I don’t see any particular file that is part of the booting process. You have Java, LibreOffice and some temporary files listed there, in addition to the HP one.
Besides the need to check your system for what’s really going on, you would probably need some repair function from your HP Windows installation discs.
Your system may also have a special boot MBR, and possibly also a special “Factory Default” partition. So, when you seek help, you should mention the exact model, and add the information about how your system is partitioned.
Be aware that “Factory Default”, if it exists, would delete your data too, so a backup is in order, probably before anything else. For the backup, you could use your Ubuntu and some external media (CD/DVD/UFD/other).
There is also the possibility that only your MBR boot code was affected and restoring / repairing it would be enough to boot your system again, but anyway keep in mind that further scans are necessary to find out the original source of the problem.
Start a new topic in the “Viruses and Worms” subforum here in Avast. You may add there a link to this topic if you want.