Explorer.exe infected with Win32:Patched-RP, among others

Avast is detecting multiple threats after a full system scan, and will not repair/move to chest any of them. I’m on Windows 7 x64.

C:\Windows\explorer.exe Threat: Win32:Patched-RP [Trj]
C:\Windows\SysWOW64\wininit.exe Threat: Win32:Patched-RP [Trj]
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5\rsamcp[1].exe Threat: Win32:Alureon-IF [Rtk]

Many others were detected; some of them say Win32:Induc, Win32:Crypt-HPA, Win32:Trojan-gen, Win32:MalOb-BX. I ran a full MBAM scan, but MBAM said it detected 0 threats???

Have you just installed avast? Is this your first scan?
Did you use default scan settings, or have you changed anything?

Sorry, I forgot to update MBAM when I scanned earlier, it’s found 28 threats and still scanning as I type this

All right, MBAM full scan is done, the log is attached. I told MBAM to remove all the threats, but upon rebooting my PC, explorer.exe still will not load. If I try to force explorer.exe to open through Task Manager, I get this error message:

C:\Windows\explorer.exe
Operation did not complete successfully because the file contains a virus

Pondus - I just did a Full Scan, I didn’t change any settings. I’ve had Avast for a while, the program and definitions are up to date.

  • Run MBAM again and this time when the scan is complete, all detections should have a check mark in the box to the left of the entry, leave them selected (or select if not selected). At the bottom of the window there is a button, Remove Selected, click that and the items will be removed.

Clear your Temporary Internet Files.

If you previously sent the files detected to the chest (a protected/encrypted area) then MBAM wouldn’t find anything that avast previously had.

I did all that, but Avast is still detecting trojans/rootkits that MBAM isn’t. Is there a way to post an Avast log?

Update: Avast just finished a quick scan, it found:

C:\Windows\explorer.exe Threat: Win32:Patched-RP [Trj]
C:\Windows\SysWOW64\wininit.exe Threat: Win32:Patched-RP [Trj]

If I click Repair, I get Error: Access is denied (5)
If I click Move to Chest, I get Error: The specified file is read only (6009)

The problem with these is that they are legit files and have been infected; if they were to be removed it could trash your system, as they are essential files. So even infected they still do their task, but also other things. Bearing in mind that the loss of these files could have a serious impact, I would be looking at backing up important data, etc.

So we need to try and actually repair them, or replace them with uninfected versions.

DrWeb CureIt! - See http://www.freedrweb.com/cureit/ - Download ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe (Free). Fairly effective against file infectors, more so when used in safe mode. DrWeb also do a Live CD if you are unable to get into your system, see http://www.freedrweb.com/livecd/?lng=en; documentation: ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf

That said I don’t know if these are compatible with 64bit OSes.

Concur with Dr Web but first run TDSSKiller to clear the rootkit

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMain.png

  • If an infected file is detected, the default action will be Cure; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

  • If a suspicious file is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

THEN

Download Dr.Web CureIt to the desktop.

  • Double-click the drweb-cureit.exe file, then on Start, and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, choose the Complete Scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.

http://perplexus.geekstogo.com/drweb_green_arrow.jpg

  • Click ‘Yes to all’ if it asks if you want to cure/move the file.
  • When the scan has finished, look and see if you can click the following icon next to the files found:

http://perplexus.geekstogo.com/drweb_check.gif

  • If so, click it and then click the next icon right below and select Move incurable, as you’ll see in the next image:

http://perplexus.geekstogo.com/drweb_move.gif

  • This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can’t be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, along with a new OTL log.

NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in upper right corner.

Thanks for joining the party essexboy.

Thanks for the help guys, here’s the TDSSKiller log. Ew @ rootkits, so much for x64 being the anti-rootkit system, eh?

First, essexboy is likely to be sleeping now, it’s just after 1am in the UK right now.

I’m not too familiar with TDSSKiller, but it looks like it has found one instance. I don’t know if it has removed/cured it, as I can’t see anything in the log about which file it was.

So let’s assume that it has cured it as per the instructions essexboy gave (did it ask to reboot? If so, do that first) and proceed with the DrWeb CureIt scan mentioned.

If you aren’t comfortable we will have to wait for essexboy to get back to the forums later today.

Yep the 64 bit rootkits are here. Could you repost the TDSSKiller log please but first ensure the log is saved as ANSI as opposed to unicode. If it is a new version I may have to check your MBR

Sure. I’m having some difficulty navigating around my comp, I have to use Task Manager to open any files I want since Explorer.exe is infected. Also, I did a full Dr. Web scan, it looks like it cleaned out a few things but Explorer.Exe is still infected. And when I go to upload the Dr. Web log, the forums tell me the file size is too large.

Here, I just ran TDSSKiller again, it says it found 1 item.

This is the one it doesn’t like:

2010/09/15 18:43:43.0034 sptd (602884696850c86434530790b110e8eb) C:\Windows\system32\Drivers\sptd.sys
2010/09/15 18:43:43.0034 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: 602884696850c86434530790b110e8eb
2010/09/15 18:43:43.0049 sptd - detected Locked file (1)

Though you chose (User select action: Skip).

Hopefully essexboy will be back soon with further instructions.

Edit: So presumably this is the one it said it found again; did you not select Cure as the option on this run?
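
The log excerpt above has three record shapes on what is really one event: the driver inventory line (name, MD5, path), the “Suspicious file (NoAccess)” verdict, and the “detected Locked file” summary. The script below is an added example written for this thread, not part of TDSSKiller or Kaspersky’s documentation; it parses a saved TDSSKiller log into those records, joins them per driver, and separates entries that only mean “could not read the file” from entries carrying an actual malware verdict. The record formats are inferred from the single excerpt in this thread (an assumption), so unrecognised lines come back as Kind = Other rather than being dropped. The sample log is constructed from the thread’s three lines plus one ordinary inventory line with a placeholder hash.

```powershell
# Added example (not from the thread, TDSSKiller or Kaspersky): parse a TDSSKiller
# log and triage its entries. Record shapes are an assumption inferred from the one
# excerpt posted in this thread; anything else is reported as Kind = 'Other'.

function ConvertFrom-TdssKillerLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Every TDSSKiller line starts with "yyyy/MM/dd HH:mm:ss.ffff"
        if ($line -notmatch '^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(.*)$') { continue }
        $stamp = $matches[1]; $body = $matches[2]
        $rec = New-Object PSObject -Property @{
            Time = $stamp; Kind = 'Other'; Name = $null; Path = $null; Md5 = $null; Verdict = $null
        }
        if ($body -match '^Suspicious file \(([^)]+)\):\s+(.+?)\.?\s+md5:\s+([0-9a-fA-F]{32})$') {
            # "Suspicious file (NoAccess): <path>. md5: <hash>"
            $rec.Kind = 'Suspicious'; $rec.Verdict = $matches[1]; $rec.Path = $matches[2]; $rec.Md5 = $matches[3]
        } elseif ($body -match '^(\S+)\s+-\s+detected\s+(.+?)\s+\((\d+)\)$') {
            # "<name> - detected <verdict> (<count>)"
            $rec.Kind = 'Detected'; $rec.Name = $matches[1]; $rec.Verdict = $matches[2]
        } elseif ($body -match '^(\S+)\s+\(([0-9a-fA-F]{32})\)\s+(.+)$') {
            # "<name> (<md5>) <path>"  -- the plain driver inventory line
            $rec.Kind = 'Inventory'; $rec.Name = $matches[1]; $rec.Md5 = $matches[2]; $rec.Path = $matches[3]
        }
        $rec
    }
}

function Get-TdssKillerTriage {
    param([string[]]$Lines)
    $records = @(ConvertFrom-TdssKillerLog -Lines $Lines)
    # The suspicious-file line carries only a path, so map paths back to driver names first.
    $nameByPath = @{}
    foreach ($r in $records) {
        if ($r.Kind -eq 'Inventory') { $nameByPath[$r.Path.ToLower()] = $r.Name }
    }
    $drivers = @{}
    foreach ($r in $records) {
        $name = $r.Name
        if (-not $name -and $r.Path) { $name = $nameByPath[$r.Path.ToLower()] }
        if (-not $name) { continue }
        if (-not $drivers.ContainsKey($name)) {
            $drivers[$name] = New-Object PSObject -Property @{
                Name = $name; Path = $null; Md5 = $null; Verdicts = @(); Triage = 'Clean'
            }
        }
        $d = $drivers[$name]
        if ($r.Path)    { $d.Path = $r.Path }
        if ($r.Md5)     { $d.Md5  = $r.Md5 }
        if ($r.Verdict) { $d.Verdicts += $r.Verdict }
    }
    foreach ($d in $drivers.Values) {
        # "NoAccess" / "Locked file" mean the scanner could not read the file (as with the
        # CD-emulator driver in this thread); any other "detected" verdict needs action.
        if ($d.Verdicts | Where-Object { $_ -notmatch '^(Locked file|NoAccess)$' }) { $d.Triage = 'Detection' }
        elseif ($d.Verdicts.Count -gt 0) { $d.Triage = 'Review' }
        $d | Add-Member -MemberType NoteProperty -Name VerdictText -Value ($d.Verdicts -join ', ') -PassThru
    }
}

# Constructed sample: the three lines posted in the thread plus one ordinary inventory
# line with a placeholder (all-zero) hash, so a clean entry is visible in the output.
$sampleLog = @'
2010/09/15 18:43:42.0900 atapi (00000000000000000000000000000000) C:\Windows\system32\DRIVERS\atapi.sys
2010/09/15 18:43:43.0034 sptd (602884696850c86434530790b110e8eb) C:\Windows\system32\Drivers\sptd.sys
2010/09/15 18:43:43.0034 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: 602884696850c86434530790b110e8eb
2010/09/15 18:43:43.0049 sptd - detected Locked file (1)
'@ -split "`r?`n"

Get-TdssKillerTriage -Lines $sampleLog | Format-Table Name, Triage, VerdictText, Md5, Path -AutoSize
```

On the sample, atapi comes out as Clean and sptd as Review with “NoAccess, Locked file”, which matches the reading in this thread: a locked file the scanner could not open, not a malware verdict. To run it over a real log, pass `Get-Content` of the TDSSKiller.[Version][Date][Time]_log.txt file as `-Lines`; `Get-Content` reads either the ANSI or the Unicode (BOM-marked) form of the log.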

It only gives me the option to Skip, Quarantine and Delete. I think because TDS detected it as suspicious instead of malicious. I’m pretty sure sptd.sys is a driver for Daemon Tools, a CD emulation tool for mounting .ISO files

OK, that is part of your CD emulator and is safe. Let’s see if Windows will replace the infected file.

Go to start > Run and type in the following

sfc /SCANFILE=c:\windows\explorer.exe

Go to start > Run and type in the following

sfc /SCANFILE=C:\Windows\SysWow64\explorer.exe
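
The same check, scripted, as an added example (not part of the thread’s instructions, and not a Microsoft tool): the script first runs `sfc /VERIFYFILE=` on each of the binaries named in this thread, which compares the file against the Windows component store without changing anything, and only runs `sfc /SCANFILE=` on the ones that fail. It assumes Windows 7 x64 or later, English sfc messages, and a 64-bit PowerShell started with “Run as administrator”; the file list, the function names and the verdict labels are choices made for this example. It also works around a capture quirk: sfc writes UTF-16 to the console, so its captured output arrives with a NUL after every character unless stripped.

```powershell
# Added example (not from the thread or from Microsoft): drive sfc from PowerShell
# to verify the binaries named in this thread and repair only those that fail.
# Assumptions: Windows 7 x64 or later, English sfc messages, 64-bit PowerShell
# started with "Run as administrator" (sfc refuses a non-elevated console, as the
# thread shows; from a 32-bit process System32 is redirected to SysWOW64).

# Paths discussed in the thread. An x64 install carries two copies of each
# binary: the 64-bit one under System32 and the 32-bit one under SysWOW64.
$SystemFiles = @(
    "$env:windir\explorer.exe",
    "$env:windir\SysWOW64\explorer.exe",
    "$env:windir\System32\wininit.exe",
    "$env:windir\SysWOW64\wininit.exe"
)

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Sfc {
    param([string]$Switch, [string]$Path)
    # sfc prints UTF-16; when PowerShell captures it, every other character
    # arrives as a NUL, so strip those before matching the message text.
    $raw  = & "$env:windir\System32\sfc.exe" "/$Switch=$Path" 2>&1
    $text = (@($raw | ForEach-Object { "$_" }) -join "`n") -replace "`0", ''
    $verdict = switch -Regex ($text) {
        'must be an administrator'   { 'NotElevated';  break }
        'did not find any integrity' { 'Clean';        break }
        'successfully repaired'      { 'Repaired';     break }
        'unable to fix'              { 'RepairFailed'; break }
        'found integrity violations' { 'Violated';     break }   # /VERIFYFILE wording
        default                      { 'Unknown' }
    }
    New-Object PSObject -Property @{
        Path    = $Path
        Action  = $Switch
        Verdict = $verdict
        Output  = $text.Trim()
    }
}

function Repair-SystemFiles {
    param([string[]]$Paths)
    if (-not (Test-IsElevated)) {
        throw 'Start PowerShell with "Run as administrator" first; sfc will not run otherwise.'
    }
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Verify first (no changes made); repair only what fails verification.
        $check = Invoke-Sfc -Switch 'VERIFYFILE' -Path $path
        if ($check.Verdict -eq 'Clean') { $check; continue }
        Invoke-Sfc -Switch 'SCANFILE' -Path $path
    }
}

Repair-SystemFiles -Paths $SystemFiles | Format-Table Path, Action, Verdict -AutoSize
```

Two practical notes. First, the thread’s own outcome is what this table would show on that machine: Repaired for C:\Windows\explorer.exe and Clean for the SysWOW64 copy, which is why one sfc run per copy is needed on x64. Second, `Get-AuthenticodeSignature` is not a substitute here on Windows 7: its system binaries are catalog-signed rather than carrying an embedded signature, so that cmdlet reports them as NotSigned whether or not they have been patched, whereas sfc checks against the catalog.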

I did both of those, the command prompt popped up for a split second and then disappeared on both commands, too fast to read what the prompt said. I rebooted, still won’t load explorer.exe

Edit: I opened the actual CMD instead of typing them directly into the Run bar, it returned:
You must be an administrator running a console session in order to use the sfc utility

So basically I need to run CMD as admin, which is pretty difficult without a start menu since I can’t just navigate to Command Prompt, right click and Run as Administrator. I’ll google around for a command or something

Update: Got CMD in Admin mode

sfc /SCANFILE=c:\windows\explorer.exe Returned:
Windows Resource Protection found corrupt files and successfully repaired them.

But on sfc /SCANFILE=C:\Windows\SysWow64\explorer.exe it returned:
Windows Resource Protection did not find any integrity violations

I’ve rebooted, and Explorer.exe is back up! Got my desktop back! Guess I’ll just run some more scans to make sure everything is clean

That’s good - it was only the 32-bit version that was compromised.

Let me know what problems you still have