My efforts to completely clean my system of the Vundo trojan have led me to purchase Avast antivirus professional. I’ve created the Avast boot disk following instructions after my first run of the program.
I can boot up into the Avast antivirus and recovery tools CD without any problem. The issue however is that the CD does not recognize my hard disk. When I click on Run Now in “Avast! Antivirus” from under the “security tools” menu, it leads me to an error that says “Local Hard Disk is Not Detected”. I can’t scan my hard disk - which would be the point of purchasing the software! Any help would be greatly appreciated.
Some details that I think might be pertinent:
Avast! BART CD version 2.0
BART Administrator License
OS: Windows XP SP2
This is running on my Lenovo T61 laptop
Looking forward to your support. I searched the forum to see if other members have had a similar issue but was unable to find any related issues posted by other members.
Yes, I can. The computer can boot with no issues using the internal HDD. The trojan that has infected my computer however has attached itself to Winlogon.exe and according to posts on various forums, people have had success removing it using Avast’s boot CD + tools, which is why I went ahead and bought the license this morning.
However, when I try using the virus scan on the Avast boot disk, it comes back with a “Local Hard Disk is Not Detected” error. I’ve looked up help resources on this support forum as well as elsewhere on the Internet but there isn’t much reference material related to this issue.
If you have XP, Vista 32-bit or Win2k, you could enable a boot-time scan. Right click the avast icon, select Start avast! Antivirus; a memory scan will take place, followed by the opening of the Simple User Interface, then Menu, ‘Schedule boot-time scan…’. Or see http://www.digitalred.com/avast-boot-time.php.
An analysis tool that could help us to help you if the avast boot-time scan doesn’t find anything.
Program & Tutorial - Also useful as a diagnostic tool - FileHippo Download - HiJackThis and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial.
Download and run HJT and post the contents of the log file (cut and paste) into this topic, you may need to split it over two or more posts depending on how large it is.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:33:58 PM, on 12/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
You should consider XP SP3; it has been out for 6 months. There are some patches now out after SP3, and I don’t know if they are available if you don’t have SP3. The same is true of your IE version; that too received a bump in security after SP3.
You have lots of remnants of, or still have, a Symantec/Norton product installed; not good, as they can conflict, possibly leaving you less secure.
Have you (or did you have) another AV installed in this system? If so, what was it and how did you get rid of it?
A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs: Removing your Norton program using SymNRT
What do you know about these entries:
Do you have to use a proxy in IE for some purpose? This IP failed a whois check, so I don’t know what it is.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.109.54:8080
Unknown
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ultimatix;indelm;*.local;
Is this hardware on your system?
O4 - HKLM..\Run: [AirCardEnabler] C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
Is this something you placed in the trusted zone:
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
Do you have an IBM/Lenovo ThinkPad? (Strange that this file is missing; do a search of the HDD.)
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
acnotify.dll is an Access Connections module from IBM belonging to ThinkPad Communications.
Fix:
O2 - BHO: (no name) - {4807C067-9614-4EB9-A558-7C7D26B1D450} - C:\WINDOWS\system32\khfgeFxv.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O20 - AppInit_DLLs: womsat.dll (this is related to vundo)
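As an added example (not from this thread, nor from Avast or HijackThis), a small Python triage script that applies the reasoning of the post above to HijackThis lines: orphaned BHOs and AppInit_DLLs entries are flagged for fixing, while proxies, Trusted Zone and autostart entries are queued for the owner to confirm. The sample log is re-typed from the entries quoted in the thread; the severity labels and the random-DLL-name heuristic are my assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the HJT entries quoted in this thread, re-typed as a log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.17.109.54:8080
O2 - BHO: (no name) - {4807C067-9614-4EB9-A558-7C7D26B1D450} - C:\WINDOWS\system32\khfgeFxv.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O4 - HKLM\..\Run: [AirCardEnabler] C:\Program Files\Sierra Wireless Inc\Network Adapter Manager\Network Adapter Manager.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - AppInit_DLLs: womsat.dll
"""

@dataclass
class Finding:
    section: str
    severity: str  # HIGH (fix), MEDIUM (verify), INFO (confirm expected)
    reason: str
    line: str

ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")

def is_random_system32_dll(body: str) -> bool:
    """Heuristic (assumption): an 8-letter mixed-case DLL in system32, like khfgeFxv.dll.
    The path constraint matters: legitimate names such as ACNotify.dll also have 8 mixed-case letters."""
    m = re.search(r"system32\\([A-Za-z]{8})\.dll", body, re.IGNORECASE)
    return bool(m) and m.group(1) != m.group(1).lower() and m.group(1) != m.group(1).upper()

def triage(log_text: str) -> list:
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # skip header lines ("Logfile of ...", "Platform: ...") and blanks
        sec, body = m.group("sec"), m.group("body")
        missing = "(file missing)" in body or "(no file)" in body
        if sec == "O2":
            reasons = []
            if missing:
                reasons.append("BHO whose DLL is gone (orphaned registration)")
            if is_random_system32_dll(body):
                reasons.append("Vundo-style random DLL name in system32")
            if reasons:
                findings.append(Finding(sec, "HIGH", "; ".join(reasons), raw))
        elif sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append(Finding(sec, "HIGH", "AppInit_DLLs loads this DLL into every GUI process; classic Vundo persistence", raw))
        elif sec == "O20" and missing:
            findings.append(Finding(sec, "MEDIUM", "Winlogon Notify DLL not found at registered path; verify on disk", raw))
        elif sec == "O15":
            findings.append(Finding(sec, "MEDIUM", "Trusted Zone lowers IE security for this domain; fix unless you added it", raw))
        elif sec == "R1" and "ProxyServer" in body:
            findings.append(Finding(sec, "MEDIUM", "IE proxy is set; confirm it is your network's, not a hijack", raw))
        elif sec == "O4":
            findings.append(Finding(sec, "INFO", "autostart entry; confirm the program is expected", raw))
    return findings

def summarize(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```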
My company’s CRM system that I need to use regularly crashes for some reason with SP3 installed. If you think not having SP3 is a major security concern and these types of issues may be hard to avoid, I’ll figure a way around it.
Yes, I do have Norton AV installed. This infection is on my work laptop and it comes pre-installed with Norton AV. I’m not sure I can remove it.
Yes, in certain locations I need to access the Internet via the above proxy server.
Yes, this is a wireless data card I have installed on the laptop.
This seems to be related to the conferencing/collaboration tool I use at work - WebEx.
No, I did not place these sites in the trusted zone. A Google search for the two sites reveals these may be related to the virus/trojan.
Yes, I have a Lenovo T61 laptop. I ran a full hard disk search for the file and it was found at this location:
c:\program files\thinkpad\connectutilities
I’ve tried this before in HJT only for the entries to return again. Will give it one more shot now and post back after a restart and a fresh log.
SP3 closes some vulnerabilities, but for the most part it is a consolidation of the security updates released after SP2 up to the release of SP3, plus a couple of other security features added (some enhancements that were part of Vista). The main issue is, if any security update requires SP3 then you wouldn’t be offered that security update, and that isn’t a quantifiable security concern.
You can (and should, if work allows this) remove Norton. A conflict could actually lock your system, which could lock you out with no boot, and you would have to boot into safe mode and uninstall avast to get a boot and then uninstall Norton. The only issue is, if you used the recovery partition to restore to factory settings, it would obviously wipe everything and you would have Norton again. So I would be in no hurry to revert my system back to when it was purchased.
If you can’t remove Norton because of work, then you should only have one resident AV, because the likelihood of conflict is a concern. Having two resident scanners installed is not recommended, as rather than providing twice the protection it can cause conflicts that could leave you more vulnerable.
No problem if you set those proxies up.
I would certainly remove/fix those trusted zone entries then.
Fine that the file exists; unfortunately there is no path in the O20 entry as to where it is missing from, and it could be copied there. I guess if the laptop is working then this connectutilities can’t be a critical issue, though I would have thought that it was important. I don’t know if registering the dll might resolve this or not; it isn’t something I’m familiar with.
I did notice a number of other things in the HJT log, but they seemed to be Lenovo related; since you confirmed you have the laptop, no concern.
If they return then there is likely to be another undetected/hidden element to this vundo infection.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
Regarding the problem with BART - I’d suggest updating to BART 3.0 beta.
Or, you may temporarily disable Native SATA mode in the BIOS before booting to BART.