Malware Sent to Chest - Now No Boot-Time Scan/AVAST updates

About 10 days ago, AVAST reported 6 files on my laptop representing the 'Win32:Malware-gen' threat at a High Severity. As with past such instances, I was given the option of sending them to the virus Chest, which I did. It also suggested that I schedule a Boot-Time scan (which I have also done successfully in the past) but at about the same time, the laptop started behaving strangely. Something was using up serious CPU and hard drive resources and, within minutes, the pointing device froze and the computer locked up. Knowing that I should be able to safely schedule the Boot-Time scan from Safe Mode, I rebooted to there and clicked on the ‘Schedule Now’ button and then used the nearby ‘Restart Computer’ ‘link’. Surprisingly, the computer restarted but went straight to Windows, where the aforementioned resource issues reappeared. I have since run two full scans on the laptop with no threats being reported and have tried to schedule the Boot-Time scan several more times with the same results on restart/start (I am fairly sure that there is something ‘nasty’ in memory causing these problems but, without the Boot-Time scan, I can’t seem to do anything about it). In the ten or so minutes I have before the laptop locks up again, I have also tried to update the AVAST engine and virus definitions but that just stays stuck in the ‘initializing’ phase. My registration expires in about 10 days and I am not sure of where to go from here. I have had pretty good success with AVAST Free over the past 5 or so years and would like to be able to continue using it.

Balls

Dell C610 Latitude (512MB), Windows 2000 Professional (Build 2195 SP4), wireless connection

start a new post in the virus and worms section and you will get help …

Thanks Pondus,

While you are at it, please read: http://forum.avast.com/index.php?topic=53253.0 The malware specialists will need the logs to help you clean your system. You only have a ten minute window whilst in Safe Mode as well? Some of the work can be done in Safe Mode with Networking, or by USB transfer of programs and logs from a good, clean computer to the sick one, and vice versa.

No, thankfully, I am able to stay in Safe Mode and work for as long as I want. I will read the information provided and provide results as soon as time allows.

As Pondus says, our (five) volunteer malware specialists look for users who need help over at Viruses and Worms. But you can also get help here; it is not mandatory. We do not even care if you do not have Avast! as your a/v, just so you know. :wink:

Hmmmm… I thought that I copied this thread to the ‘Virus and Worms’ forum but now I can’t find it over there. In any event, I have now worked my way through the first 3 steps of the “logs to assist in cleaning malware” treatise by essexboy (when I try to run aswMBR.exe, it tells me that it can’t comply because it is not a Win32 application - I will keep working on that). What follows is the log from Malwarebytes:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.03.07

Windows 2000 Service Pack 4 x86 FAT32
Internet Explorer 6.0.2800.1106
Administrator :: B586863B [administrator]

03/09/2012 12:20:11 PM
mbam-log-2012-09-03 (12-20-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 139303
Time elapsed: 14 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4 (Worm.AutoRun) → Quarantined and deleted successfully.

Files Detected: 9
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\krnln.fnr (Worm.Autorun) → Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\eAPI.fne (Worm.Autorun) → Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\sock.fne (Worm.Autorun) → Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\shell.fne (Worm.Autorun) → Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\E_4\internet.fne (Worm.Autorun) → Quarantined and deleted successfully.
C:\WINNT\system32\comsa32.sys (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINNT\system32\drmgs.sys (Rootkit.Agent) → Quarantined and deleted successfully.
C:\WINNT\system32\winset.ini (Malware.Trace) → Quarantined and deleted successfully.
C:\WINNT\KBPC080604.log (Trojan.Agent) → Quarantined and deleted successfully.

(end)

and then I have attached the two logs from OTL.

Looking forward to receiving some input from the experts here so that I can restore my laptop to its former peak performance and get on with many productive items that have been backing up. Any thoughts on how I can get aswMBR.exe to run would be most appreciated.

Hans

Any thoughts on how I can get aswMBR.exe to run would be most appreciated.
Try running it in safe mode. Seems you are able to access that, just not able to schedule a boot-time scan.

Since I required web access to download the malware logging programs, I was fortunately able to ‘sneak’ those downloads in between freezes of my laptop (no internet access in Safe Mode). I did eventually get aswMBR.exe to run (it helps when one is able to download the ENTIRE program) :wink: but then I noticed the message “Initialize error C0000263 - driver not loaded” in the preamble to actually performing the scan. When I then clicked on the ‘Scan’ button, the program returned a “Scan error:” message and then ‘greyed’ out the ‘Scan’ button. Any thoughts on which driver they are referring to and where I go from here?

A malware expert has been notified. Help should be coming soon.

As you may not have any antivirus protection, suggest that you gain access to a second healthy computer for your internet access. Transfer programs and logs to and from to continue with posting, so as to not damage your computer any further than it already is.

Do not worry overmuch about aswMBR.exe not running, there are a multitude of ways to cleanse your system. OTL is the main one, and you’ve got that one down.

You will be in good hands.

Hi, this looks like the new ZeroAccess.

[*] Download RogueKiller and save it on your desktop.
[*] Quit all programs.
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png

[*] Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png

[*] The report has been created on the desktop.

[*] Next click on the ShortcutsFix.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png

[*] The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Had considered doing this earlier but I was worried about transporting whatever this ‘thing’ is to my healthy (and protected by BitDefender Internet Security) desktop computer via my flash drive. BitDefender does offer me the option of scanning the flash drive for viruses (malware?) as soon as I plug it in to the desktop computer. Do you think that this risk is smaller than that of “damagin(ing) (my) (laptop) computer any further than it already is” if I continue trying to ‘hobble along’ with internet access on the infected laptop? I still have AVAST Free on the laptop but the virus definitions are not up-to-date (that appears to be one of the things that this malware is preventing) and I have recently received a couple of notices that a new ‘program’ is available which I haven’t yet tried to download - one crisis at a time!

I will await your comments before I take the next step as laid out by essexboy and download and run RogueKiller.

Essexboy is a qualified malware remover and it’s recommended to do his steps right away… :slight_smile:

Hi balls69bc,

With essexboy, a qualified removal expert who had training by the best and qualifications that are recognized all over the internet by security experts, you are in the best of hands. The first thing these experts learn is not to harm your computer and software. There are some bundled automatic removal tools that I would not trust on my computer, but with essexboy and the likes no whim of a doubt… he actually helped me once and did a helluva job…
Let him cleanse; even your jolly fine Bitdefender (a fine product I admit) will be running better after this cleansing routine has been performed…
Remember also this: essexboy may have experienced and cleansed malware in amounts that other normal human beings would not see in five lifetimes.

polonus

O.K., so not too sure about the trade-offs here (as mentioned in my previous post) but I decided to try and download RogueKiller on my desktop computer and then transfer it to the infected laptop using a flash drive (after using BitDefender Internet Security to check it for viruses/malware). The downloading went fine, as did the copying of the executable to the flash drive. Started up the laptop in Safe Mode and copied the RogueKiller.exe file to the Windows 2000 desktop. Double-clicked on the icon and got the following: “… is not a valid Win32 application”, almost exactly the same thing I got earlier with aswMBR.exe. I then removed the flash drive from the laptop, took it back to my desktop computer and, once again, checked it for viruses/malware and then I downloaded RogueKiller again. It came back at exactly the same size as the first download (1.31 MB) so I decided to try a little ‘Googling’ around ‘RogueKiller’. What I found was that RogueKiller is indeed 1.31 MB but it only runs under Windows 7/Vista/XP and, as I wrote earlier and the scan reports show, I am running Windows 2000 Professional. So, now what do we do to restore the use of my laptop?!
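A way to check a tool’s minimum Windows version before carrying it over to the laptop, added here as an example and not code from any poster or from the tools named in this thread: it reads the subsystem version fields from the PE optional header, which the Windows loader compares against the running OS (Windows 2000 is NT 5.0, XP is 5.1), and it rejects 64-bit PE32+ images outright since Windows 2000 is 32-bit only. The header bytes are constructed inline for the demonstration and the function names are my own.

```python
import struct

WIN2K = (5, 0)   # Windows 2000 identifies itself as NT 5.0; XP is 5.1

def pe_subsystem_version(data: bytes):
    """Return (optional-header magic, (major, minor)) subsystem version of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20              # skip "PE\0\0" and the 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # MajorSubsystemVersion/MinorSubsystemVersion sit at offset 48 in both PE32 and PE32+
    return magic, struct.unpack_from("<HH", data, opt + 48)

def loads_on(data: bytes, host=WIN2K):
    """(True, reason) if the image should pass the loader's version checks on `host`."""
    magic, need = pe_subsystem_version(data)
    if magic == 0x20B:
        return False, "PE32+ (64-bit) image; Windows 2000 is 32-bit only"
    if need > host:
        return False, "needs subsystem %d.%d, host is %d.%d" % (need + host)
    return True, "subsystem %d.%d <= host %d.%d" % (need + host)

def make_header(magic, subsys):
    """Constructed minimal MZ/PE header (not a runnable binary), enough for the check above."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    machine = 0x14C if magic == 0x10B else 0x8664
    opt_size = 0xE0 if magic == 0x10B else 0xF0
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x102)
    opt = (struct.pack("<H", magic) + b"\0" * 38      # fields up to offset 40
           + struct.pack("<HH", *subsys)              # Major/MinorOperatingSystemVersion
           + b"\0" * 4                                # Major/MinorImageVersion
           + struct.pack("<HH", *subsys))             # Major/MinorSubsystemVersion at 48
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    samples = [("win2k-era tool", make_header(0x10B, (4, 0))),
               ("xp-only tool", make_header(0x10B, (5, 1))),
               ("64-bit tool", make_header(0x20B, (6, 0)))]
    for label, hdr in samples:
        print(label, loads_on(hdr))
```

On a real file, pass `open(path, "rb").read()` to `loads_on`; a result of `(False, ...)` on a 5.1 subsystem matches the “not a valid Win32 application” error seen on the laptop.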

Sorry, just noticed Win2K. I have never seen that on a laptop before. Unfortunately that severely restricts the tools I can use.

Could you tell me exactly the problems that you experience in normal mode? As this will all have to be done manually.

Dear essexboy,
Sorry, don’t really know what else to tell you except what I originally posted on Aug. 13th. The only other things I can think of that have appeared in about the same timeframe are: when the laptop starts up, it doesn’t produce a series of beeps which it has been doing ever since I added 256 MB of memory [over a year ago] (‘Googling’ tells me it has to do with a failing power supply but I don’t really believe that). It has also started keeping enabled the PCMCIA card (laptop does not have built-in wireless capability) even though the driver (wirelesscm.exe) has been stopped by an error condition and it has started requesting to check for hard drive consistency every time it boots (in order to maximize my chances of getting something useful done until the laptop eventually ‘freezes up’, I have been bypassing this). It has also not been going to ‘sleep’ after a period of inactivity, instead the fan starts running continuously, which tells me that the CPU is working very hard (100% according to Task Manager) and generating lots of heat. Hope this helps you provide me with some guidance.

Do you have the ability to burn a CD ?

Please download the following programmes to your desktop:

Dr Web Live CD

ImgBurn

Install IMGBurn

[*] Double click Dr Web
[*] IMGBurn will open
[*] Burn the ISO to a CD

[*] Reboot the infected computer with the CD in the drive
[*] Ensure that the first boot device is CD - If you are not sure about that then see this page for instructions
[*] As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdbootscreen.gif

[*]Use arrow keys to select DrWeb-LiveCD (Default)

[*]When the system is loaded, check the disks or folders you want to scan, and click on “Start”.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Dr%20Web%20shots/livecdDriveselection.gif

[*] The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
[*] Once completed reboot to normal Windows
[*] No log is produced so once in normal Windows run a fresh OTL scan and let me know if the problems persist

I can burn a CD on my uninfected desktop computer but NOT on the infected laptop (only CD drive, no CD-RW). Should I go ahead and download the two programs you suggested to the desktop of my desktop computer and burn the CD, then adjust the laptop Bios for CD to be first boot device and insert the CD in my laptop optical drive and follow the rest of your instructions?

Yes it would be better to burn the CD on a different computer, just in case any infection interferes with the burn

And, as I said, I don’t have the ability to burn a CD on the infected laptop, which has a CD read-only drive.

I see that Dr. Web LiveCD is a 190 MB download and the disc created is an Emergency Recovery disc for systems that have become un-bootable (which point I’m not at yet). While I can access the internet wirelessly from my laptop, I am only on a dial-up connection for my desktop computer, and therefore a 190 MB download will take a very long time (and may require several attempts to complete). Is it possible that the Dr. Web CureIt! product, being based on an on-line scanner, would do at least as good a job as Dr. Web LiveCD and not require such a very large download?