Some files could not be scanned

My scheduled scan ran today for the first time since I started this post. Today it showed two virus found entries for PEV.exe in C:/Combofix and C:/Windows and it identified them as Threat: Win32:Rootkit-gen [rtk]. I let it move them to the chest and reran the scheduled scan and it had no viruses. Is this normal for Combofix?

http://www.bleepingcomputer.com/forums/topic243755.html

Combofix was run under the recommendation of essexboy and its log was sent to him as requested. My scheduled scan has not run until today since I originally started this post and the running of Combofix at the direction of essexboy. Therefore this latest post is asking for clarification if it is normal for Avast to find Combofix as a rootkit virus after a recommendation to run it.

yes…and quietman7 explains it if you click that link i posted

Thank you very much. I did initially click on the link but didn’t read it entirely before making my post, sorry. Should I restore the files from the chest that Avast found and then run the Combofix removal tool recommended? Does the referenced link mean that I have been without System Restore capabilities since I ran Combofix? If so, I was not aware that it would happen.

you could just download it again

and READ what is marked with RED in Essexboy's post here http://forum.avast.com/index.php?topic=90883.msg722609#msg722609

I think that I have not made myself clear enough in what has happened to date. Therefore I am going to summarize all of the posts contained to try to create a clearer picture.

I first opened this post whenever my scheduled scan received a message stating that “Some files could not be scanned”. Because of what it was pointing to I decided to seek help on the Avast Forum. I started the post and listed the two error messages that I received.

Essexboy was the first to respond and for some reason he wanted me to download and run aswMBR.exe and post the resulting log. The scan log contained the following message:
File: C:\Windows\system32\svchost.exe INFECTED Win32:Downloader-LWR [Trj]
I posted the log and the options presented by the scan that I ignored.

Essexboy apparently read the log, instructed me not to run the Fix Member option of the scan, and to download and run Combofix.exe and post its log. In the meantime, while waiting for a response from essexboy on the Combofix log, I decided to force my scheduled scan to run to see if it corrected the “Some files could not be scanned” problem. I still got this message and posted that to essexboy. He responded by stating that message really may not be a point of concern but to run aswMBR.exe again to see if the original “Infected” error for svchost.exe has reappeared. It was no longer there and I posted that for essexboy. I then went away for about 10 days over the Holidays.

Upon returning this past weekend I decided to again force my scheduled scan to run on Monday Jan 9 and at that time I got two Virus warnings pointing to PEV.exe and that they were viruses and I instructed Avast to move them to the Chest. I then posted this information to my original post. Pondus was the first to respond to this post and pointed me to a link that stated that many Antivirus and Malware programs will indicate this error and the proper method to correct it is to uninstall Combofix. Being that Avast has put the two programs into the Chest I assumed that the uninstall program would not work unless I restore them from the Chest back to the original locations and I posted this question. Pondus then responded to just download Combofix.exe and I assumed also to rerun Combofix.exe.

Had I known that Combofix.exe should be uninstalled after its use I would have done so and today’s post would not have been needed.

So my question now is should I just have Avast move the programs from the Chest back to the original locations, run the Combofix uninstall program, and ignore the current “Some files cannot be scanned” error message that I am still receiving?

I hope that this summary makes my problem and questions more clear. And again, thanks to both of you for the help provided.

So my question now is should I just have Avast move the programs from the Chest back to the original locations, run the Combofix uninstall program, and ignore the current "Some files cannot be scanned" error message that I am still receiving?
yepp...you can try that

Are you still running XP SP2 ???

Your aswMBR.txt shows that

OS Version: Windows 6.0.6002 Service Pack 2

That’s Vista with SP2.

@TwoShoes ,

If you could follow the instructions of essexboy with patience, then he can get a better picture of the whole problem. Some changes on your system are part of these instructions, and you should still follow them as written (so, please carefully read them).

Once the issue is completely solved, essexboy will post additional instructions so your system will get back to work as it should, with the settings as they were before. But if you get impatient and keep changing back the settings, or you don’t follow the complete set of instructions, then essexboy will have even more problems to solve the complete issue.

One of those instructions (among others) is how to run each of the tools (like combofix): with or without the antivirus working, or in Windows Safe Mode, or disconnected from the Internet, or with “right click and run as administrator” and so on (these are just possible potential examples of some possible conditions to some of the tools). So, as Pondus already mentioned, read carefully and your system will be back (with the correct settings) after the final instructions of essexboy (which he would post eventually, after the whole issue is solved).

Not sure I understand your response to my last post. I have done everything exactly as requested and according to the instructions provided by essexboy and have provided the requested logs. The only issues that I have are: 1. Still getting the message “Some files cannot be scanned”, and 2. Avast indicates that PEV.exe is a virus. As far as issue number 1 is concerned this is not necessarily a problem. Essexboy, along with others on this forum have mentioned this to many others with the same concerns on this Forum. Concerning issue number 2 and the possible Virus warning I now see where there is another post about this same problem and it may be a false positive. Also with issue number 2 is the necessity to uninstall Combofix or just leave things as they are presently (PEV.exe in the Virus Chest). My system is running normal without any problems and I just did verify that the System Restore Function is active.

@TwoShoes,

I’m sorry if I misinterpreted your previous posts. I had no bad intention. When I read the topic, including Pondus's insistence on reading again the instructions, I was under the (now I know to be wrong) impression that you were not only not reading the full instructions carefully enough, but also running tools or changing settings when it was not specifically requested (for example, (re)running some tools when not requested to, may have bad consequences in some situations).

As I said, this was my impression, and from your last post I understand I was wrong about it. In any case, the fact remains: essexboy usually “cleans up” his work and tools after the main issue is solved. If for whichever reason Combofix (or any other tool) is not needed anymore, essexboy will tell you when and exactly how to “clean up”.

About the “PEV” issue, I also read that other topic, but as of right now I have not seen a concrete response. I don’t know if this is a FP, or that some other setting should be used (as I said, sometimes some tools are supposed to be run with avast shields paused, as an example).

I would suggest waiting for essexboy so to follow his next instructions.

Thanks for your reply and no apology is necessary. Sometimes I don’t include enough information to make sure that everyone understands the current issues. I will wait to see if essexboy has the need for anything additional and what to do next if necessary.

As you have removed part of Combofix but not the executable it should still uninstall properly, if it does not then OTL cleanup will remove any remnants

Remove ComboFix

- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

I did try the uninstall as you recommended and Avast gave a Warning saying that Combofix.exe was a Trojan and recommended running it in the Sandbox. I clicked OK to that and then it appeared to continue and then a popup appeared which said: “Do not run Combofix in compatibility Mode. Doing so may damage the Machine”. When I click OK to the popup it just appears that it ended but I get no indication that the uninstall worked.

Don’t know what you mean by OTL???

Do not let Avast sandbox it, it is not a trojan so ignore that

Once done run this small programme - it will self-uninstall on completion

- Download OTC to your desktop and run it
- Click Yes to beginning the Cleanup process and remove these components, including this application.
- You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

I did rerun the Combofix uninstall and when Avast asked if I wanted to run it in the Sandbox I selected to open normally. It did however still put out the message: “Do not run Combofix in compatibility Mode. Doing so may damage the Machine”. I then ran OTC and the reboot and all looks normal. Thank you for all of your help.

I got a similar problem with my Windows 7 machine:

File Name Status
Disk \?\Volume{78287502-720b-11df-b39a-806e6f6e6963} Boot Record Error: The device is not ready (21)
Volume{78287502-720b-11df-b39a-806e6f6e6963} Error: The device is not ready (21)

Is that still OK to apply the same method now?
I have the latest free version of Avast.
Thanks

@ perlovka,

Please start your own thread. This fix is specific for the original poster (OP). Thank you.

In your post, please specify the version of Avast Free you have, if your machine is up to date with all its software, was it working properly at the time up until you did the Boot Scan, and what other security software do you have on this machine (firewall, other security software both on-demand and resident) both now and in the past? Thank you.