Help with my PC

I had Avast installed like 2 months ago, then someone plugged a flash drive into my PC, then the problem occurred with Avast; it's like it's been uninstalled, yet it's still there. There's been some problem in running it. I didn't pay much attention to it since my PC is still running well, but it's like I'm using my PC without any antivirus.

Now I doubt I got a virus in my computer. I tried to reinstall Malwarebytes Anti-Malware first; it installed okay but it seems laggy, and next it stopped working. I tried Avast next, but it's red; Avast won't start. It said the Avast service has stopped and I can't update :((. I think this is somewhat the work of a virus trying to hinder any software that has to do with antivirus.

What should I do?
Thanks

Hi, I must ask you a question though: what operating system are you using? What Avast product are you using: Avast Free/Pro/Internet Security? What program version are you using?

Since you have already made a topic here, here is the link for you to go to and download some programs to scan your computer only. Put the logs back on this thread, and then a malware expert will be notified and will check the logs for a virus or malware on your computer. The link below gives you instructions on how to clean your computer of malware or a virus.
http://forum.avast.com/index.php?topic=53253.0

Some advice, though: next time you suspect you have a virus or malware on your computer, go to the virus and worms forum for help with this type of thing.

Some programs to run to clean malware are:
AdwCleaner: save the log to your desktop and also attach it to this thread.
Malwarebytes Anti-Malware Free: save the log to your desktop, and when you have scanned and have all the logs, attach the logs to this thread.
OTL: save it to your desktop; only do a scan, nothing else.
aswMBR.exe: when you scan with it, let it finish before you save the log to your desktop.
Save all these programs to your desktop and run them one at a time, and save the logs as text documents with ANSI encoding. Save all the logs from the programs above this way.

If you need more help come on back.

Just follow the instructions here http://forum.avast.com/index.php?topic=53253.0

A malware expert will assist you. Please be patient as they are assisting other users. :slight_smile:

Oh okay, sorry for that, I thought I was in the right place. Thanks for the advice. Am I still good here? Maybe a moderator can transfer my thread :slight_smile:

I'm using Windows 7 Ultimate. The Avast I installed was the Avast version, but I used the old version; I think I got it in 2011. I can't use the 2013 version; I keep getting this error message: “Setup Selfextract: An Error 0 (00000000) has occurred. Last performance was: spawning”

I followed through your link and attached the report logs of every software mentioned, except for the Farbar recovery tool, since I don't have a CD drive in my computer.

1. AdwCleaner Search Log:

AdwCleaner v2.303 - Logfile created 06/25/2013 at 21:11:00

Updated 08/06/2013 by Xplode

Operating system : Windows 7 Ultimate (32 bits)

User : Paolo - CLINXR

Boot Mode : Normal

Running from : C:\Users\Paolo\Downloads\Programs\adwcleaner_2.exe

Option [Search]

***** [Services] *****

***** [Files / Folders] *****

File Found : C:\Windows\system32\roboot.exe
File Infected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Visual Studio 2008\Microsoft Visual Studio 2008 Documentation.lnk ( arg. : /helpcol ms-help://ms.vscc.v90 /LaunchNamedUrlTopic DefaultPage /usehelpsettings VisualStudio.9.0)
Folder Found : C:\Program Files\Search Results Toolbar
Folder Found : C:\ProgramData\APN

***** [Registry] *****

Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\SpeedBit
Key Found : HKLM\Software\DataMngr
Key Found : HKLM\Software\PIP

***** [Internet Browsers] *****

-\ Internet Explorer v8.0.7600.16385

[OK] Registry is clean.

-\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\Paolo\AppData\Roaming\Mozilla\Firefox\Profiles\46e000bv.default\prefs.js

Found : user_pref(“extensions.enabledAddons”, "DivXWebPlayer%40divx.com:2.0.2.039,%7B71BB60AF-0D26-459D-B23F[…]

-\ Google Chrome v27.0.1453.116

File : C:\Users\Paolo\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found [l.37] : keyword = “search-results.com”,
Found [l.41] : search_url = “hxxp://dts.search-results.com/sr?src=crb&gct=ds&appid=130&systemid=414&apn_uid=6470961414184054&apn_dtid=BND414&o=APN10649&apn_ptnrs=AGA&q={searchTerms}”,


AdwCleaner[R8].txt - [1638 octets] - [25/06/2013 21:11:00]

2. AdwCleaner Delete Log

AdwCleaner v2.303 - Logfile created 06/25/2013 at 21:12:49

Updated 08/06/2013 by Xplode

Operating system : Windows 7 Ultimate (32 bits)

User : Paolo - CLINXR

Boot Mode : Normal

Running from : C:\Users\Paolo\Downloads\Programs\adwcleaner_2.exe

Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Program Files\Search Results Toolbar
File Deleted : C:\Windows\system32\roboot.exe
File Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Visual Studio 2008\Microsoft Visual Studio 2008 Documentation.lnk
Folder Deleted : C:\ProgramData\APN

***** [Registry] *****

Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\SpeedBit
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\PIP

***** [Internet Browsers] *****

-\ Internet Explorer v8.0.7600.16385

[OK] Registry is clean.

-\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Users\Paolo\AppData\Roaming\Mozilla\Firefox\Profiles\46e000bv.default\prefs.js

Deleted : user_pref(“extensions.enabledAddons”, "DivXWebPlayer%40divx.com:2.0.2.039,%7B71BB60AF-0D26-459D-B23F[…]

-\ Google Chrome v27.0.1453.116

File : C:\Users\Paolo\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.37] : keyword = “search-results.com”,
Deleted [l.41] : search_url = "hxxp://dts.search-results.com/sr?src=crb&gct=ds&appid=130&systemid=414&apn_uid=[…]


AdwCleaner[R8].txt - [1767 octets] - [25/06/2013 21:11:00]
AdwCleaner[S9].txt - [1546 octets] - [25/06/2013 21:12:49]

########## EOF - C:\AdwCleaner[S9].txt - [1606 octets] ##########

continuation~

3. Malwarebytes Anti-malware Report

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.25.01

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
Paolo :: CLINXR [administrator]

6/25/2013 8:34:07 PM
mbam-log-2013-06-25 (20-34-07).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 293522
Time elapsed: 9 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Windows\System32\28463 (Keylogger.Ardamax) → Quarantined and deleted successfully.

Files Detected: 43
C:\Windows\System32\bpk.dat (Keylogger) → Quarantined and deleted successfully.
C:\Windows\System32\inst.dat (Keylogger) → Quarantined and deleted successfully.
C:\Windows\System32\pk.bin (Keylogger) → Quarantined and deleted successfully.
C:\Windows\System32\28463\DOME.009 (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__05_08_40.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__07_38_41.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\BIAJ.001 (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\BIAJ.002 (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\BIAJ.002.tmp (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\BIAJ.009 (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\BIAJ.009.tmp (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\DOME.001 (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\DOME.002 (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__05_18_40.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__05_28_40.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__05_38_40.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__05_48_40.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__05_58_40.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__06_08_40.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__06_18_40.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__06_28_41.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__06_38_41.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__06_48_41.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__06_58_41.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__07_08_41.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__07_18_41.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__07_28_41.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__07_48_41.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__07_58_41.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__08_08_41.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__08_18_42.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__08_28_42.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__08_38_42.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\key.bin (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__03_38_39.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__03_48_39.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__03_58_39.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__04_08_39.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__04_18_40.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__04_28_40.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__04_38_40.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__04_48_40.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.
C:\Windows\System32\28463\Feb_04_2013__04_58_40.jpg (Keylogger.Ardamax) → Quarantined and deleted successfully.

(end)

next post continuation

4. aswMBR report

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-06-25 21:36:32

21:36:32.964 OS Version: Windows 6.1.7600
21:36:32.964 Number of processors: 2 586 0x603
21:36:32.966 ComputerName: CLINXR UserName: Paolo
21:36:34.371 Initialize success
00:20:14.289 AVAST engine error: 2
00:20:27.104 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
00:20:27.106 Disk 0 Vendor: ST3160215A 3.AAD Size: 152627MB BusType: 3
00:20:27.194 Disk 0 MBR read successfully
00:20:27.196 Disk 0 MBR scan
00:20:27.199 Disk 0 Windows 7 default MBR code
00:20:27.201 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 53432 MB offset 63
00:20:27.204 Disk 0 Partition - 00 05 Extended 80191 MB offset 148344210
00:20:27.220 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 80190 MB offset 148344273
00:20:27.244 Disk 0 scanning sectors +312576705
00:20:27.386 Disk 0 scanning C:\Windows\system32\drivers
00:20:35.284 Service scanning
00:21:18.690 Modules scanning
00:21:36.567 Disk 0 trace - called modules:
00:21:36.582 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
00:21:36.586 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x871842a8]
00:21:36.591 3 CLASSPNP.SYS[8c6fc59e] → nt!IofCallDriver → [0x86a55880]
00:21:36.595 5 ACPI.sys[8c5a43b2] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x86181610]
00:21:36.599 Scan finished successfully
00:22:19.454 Disk 0 MBR has been saved successfully to “C:\Users\Paolo\Documents\Avast\MBR.dat”
00:22:19.460 The log file has been saved successfully to “C:\Users\Paolo\Documents\Avast\aswMBR Report.txt”

5. Rogue killer “RKreport[0]_D_06262013_002649” Report

RogueKiller V8.6.1 [Jun 24 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User : Paolo [Admin rights]
Mode : Remove – Date : 06/26/2013 00:26:49
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ POL] HKLM[…]\System : ConsentPromptBehaviorAdmin (0) → REPLACED (2)
[HJ POL] HKLM[…]\System : EnableLUA (0) → REPLACED (1)
[APPINIT][SUSP PATH] HKLM[…]\Windows : AppInit_DLLs (C:\PROGRA~2\Wincert\WIN32C~1.DLL [-]) → REPLACED ()

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
→ %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160215A ATA Device +++++
— User —
[MBR] 790551a524bfab33e0c8c11f1e122e56
[BSP] 5af41aaa8d4597c67e76d02091550d24 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 53432 Mo
1 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 148344210 | Size: 80191 Mo
User = LL1 … OK!
User = LL2 … OK!

Finished : << RKreport[0]_D_06262013_002649.txt >>
RKreport[0]_S_06262013_002553.txt

6. Roguekiller “RKreport[0]_S_06262013_002553” Report:

RogueKiller V8.6.1 [Jun 24 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User : Paolo [Admin rights]
Mode : Scan – Date : 06/26/2013 00:25:53
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[HJ POL] HKLM[…]\System : ConsentPromptBehaviorAdmin (0) → FOUND
[HJ POL] HKLM[…]\System : EnableLUA (0) → FOUND
[APPINIT][SUSP PATH] HKLM[…]\Windows : AppInit_DLLs (C:\PROGRA~2\Wincert\WIN32C~1.DLL [-]) → FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
→ %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3160215A ATA Device +++++
— User —
[MBR] 790551a524bfab33e0c8c11f1e122e56
[BSP] 5af41aaa8d4597c67e76d02091550d24 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 53432 Mo
1 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 148344210 | Size: 80191 Mo
User = LL1 … OK!
User = LL2 … OK!

Finished : << RKreport[0]_S_06262013_002553.txt >>

7. OTL report is attached on my 2nd post


Did I miss something?

Yes, the main OTL log; you attached the extras… Could you attach the main log?

It's attached here

Let me know what the problems are on completion of this run

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\xhunter1.sys -- (xhunter1)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva399.sys -- (XDva399)
[2012/02/02 03:17:54 | 000,000,000 | ---D | M] (Savevid Toolbar) -- C:\Users\Paolo\AppData\Roaming\Mozilla\Firefox\Profiles\46e000bv.default\extensions\{23cd218f-af09-443f-bbb1-adb89fd5986d}
[2012/07/12 19:40:33 | 000,000,000 | ---D | M] (8 Ultimo) -- C:\Users\Paolo\AppData\Roaming\Mozilla\Firefox\Profiles\46e000bv.default\extensions\{2b6788a0-0ccd-11e1-be50-0800200c9a66}
O2 - BHO: (no name) - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {23cd218f-af09-443f-bbb1-adb89fd5986d} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O20 - AppInit_DLLs: (C:\PROGRA~2\Wincert\WIN32C~1.DLL) - C:\ProgramData\Wincert\win32cert.dll ()
O36 - AppCertDlls: x86 - (C:\Program Files\Search Results Toolbar\Datamngr\apcrtldr.dll) - C:\Program Files\Search Results Toolbar\Datamngr\apcrtldr.dll ()
[2013/01/09 11:45:43 | 001,247,232 | -H-- | C] () -- C:\Program Files\imnotahacktrustme.dll


:Files
C:\ProgramData\Wincert
C:\Program Files\Search Results 

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Okay, it's attached

Uhm, is my PC fixed with all of these scans?

Sorry, I appear to have lost notifications for this thread… How is the computer running now?

I still experience the same problem I had

So Avast is not running and you cannot install MBAM, is that correct?

Old version of Avast is not running; I had MBAM but it hangs whenever I do a scan, and an error problem occurs when I try to install the new version of Avast.

OK, first off we will fully uninstall Avast and use a fresh copy… Let me know if this works

Let's reinstall Avast

Download Uninstall Utility to your Desktop.
Download the correct version of Avast
Avast Free
Avast Pro
Avast Internet Security
Avast Premier
Disconnect from the net
Uninstall Avast via control panel

[*]Run aswClear
[*]It will offer to reboot to safe mode … Accept that

https://dl.dropbox.com/u/73555776/aswclear.JPG

[*]Once it has rebooted to safe mode
[*]In the Select Product to Uninstall dropdown choose the version of Avast that is on your system.
[*]Press Uninstall
[*]Once complete reboot your system to Normal Mode
[*]Reinstall Avast