Trojan Virus - Cannot Open Any Apps - Win 7

Yesterday morning a red alert box from Avast popped up in the lower right corner of the desktop screen, stating that 3 trojan viruses were found. I followed the directions to remove them, but one of the three could not be found. It then prompted me to restart my computer and run another full scan in DOS mode. I did this (which took all day) and when I returned later, the scan finished and it was back at the desktop. I tried to open Avast and could not. I tried opening any application and cannot. I tried rebooting in Safe Mode (regular) to run any application and cannot. I also cannot run any application from another source (thumb drive - trying to install malware to run that scan as I’ve seen others recommending to do so).

Unfortunately I did not note the virus name when it was shown.

I’m running Windows 7 - recap:

  • don’t know the virus name (any way Avast keeps a log somewhere in a txt file for me to check?)
  • can’t open any application
  • can see files but cannot open them
  • tried a system restore (accessories, system tools) from 2 days prior - unsuccessful
  • restarted in safe mode (regular) - cannot open any application
  • tried to install additional virus scanners from external drive, cannot launch those either
  • cannot launch browsers - so cannot download anything (which is why I went for the external drive approach)

In the meantime I’ve disconnected my network cable so I am not connected to the internet as I fear my machine has turned into a slave.

Thanks in advance.

Yesterday I came down with a similar situation although it was after doing a full scan and not an out-of-the-blue Avast! warning. The full scan said that it found 3 “corrupt” files. I followed Avast! instructions and it moved the first 2 files to the Virus Chest (it wouldn’t move the 3rd, probably because it had already done that with its doppelganger, the 1st file, which it could no longer find, probably because it was already in the virus Chest). I then continued to follow Avast!'s instructions and rebooted along with a boot-time scan. The pc rebooted after that and I experienced just what someone else on the Forum mentioned: after the reboot the system (Windows 7) seemed fine but: (1) Avast! wouldn’t run, (2) most of the applications wouldn’t run (my Control Panel was not, however, empty, and seemed to work normally). Virtually all of the rest of my applications were DOA (e.g., Firefox, Word, Excel, Avast!, IE, folders, etc.). For example, I clicked on the Ad-Aware icon and the software did not open, did not run. It was as if it were no longer stored on the pc. The speculation is that this was caused by moving kernel32.dll to the virus Chest… (it may, in fact, be a system file, critical for Windows 7 to function - c:\windows\sysWOW64\kernel32.dll|>[emul]) and was probably NOT infected (a false positive). I used a similar solution to what was suggested in someone else’s post: In the Command Prompt type SFC /Scannow. Once it’s finished running, corrupted files will be repaired and your .exe’s will work once again. After running the scan (about 25 min) I received a message from Windows saying “Windows Resource Protection found corrupted files and successfully repaired them. Details are included in the CBS.log windir\logs\CBS\CBS.log”. After that message I rebooted and ran a new Full Avast! scan: it found no problems. More importantly, the pc appears to be running normally again. Good luck!
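To see what the SFC run in the post above actually restored, the `[SR]` lines of CBS.log can be parsed and compared with the files the antivirus moved to its chest. This is an added example, not part of the original post; the sample log lines are constructed in the CBS.log style, and the timestamps, sequence numbers and `example.dll` are assumptions.

```python
import re

# Constructed sample in the style of the Windows CBS.log; timestamps,
# sequence numbers, Example-Component and example.dll are made up.
SAMPLE_CBS_LOG = r'''
2011-11-20 09:14:02, Info                  CSI    0000031a [SR] Beginning Verify and Repair transaction
2011-11-20 09:14:06, Info                  CSI    0000031c [SR] Repairing corrupted file [ml:520{260},l:58{29}]"\??\C:\Windows\SysWOW64"\[l:24{12}]"kernel32.dll" from store
2011-11-20 09:14:07, Info                  CSI    0000031e [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component, hash mismatch
2011-11-20 09:14:09, Info                  CSI    00000320 [SR] Verify complete
'''

REPAIRED = re.compile(
    r'\[SR\] Repairing corrupted file \[[^\]]*\]"\\\?\?\\([^"]+)"\\\[[^\]]*\]"([^"]+)" from store')
UNREPAIRED = re.compile(r'\[SR\] Cannot repair member file \[[^\]]*\]"([^"]+)"')


def parse_sfc_results(log_text):
    """Return (repaired_paths, unrepaired_names) from the [SR] lines of a CBS.log."""
    repaired, unrepaired = [], []
    for line in log_text.splitlines():
        m = REPAIRED.search(line)
        if m:
            path = m.group(1) + "\\" + m.group(2)
            if path not in repaired:
                repaired.append(path)
            continue
        m = UNREPAIRED.search(line)
        if m and m.group(1) not in unrepaired:
            unrepaired.append(m.group(1))
    return repaired, unrepaired


def still_missing(quarantined, repaired):
    """Quarantined system files that SFC did not put back (case-insensitive)."""
    restored = {p.lower() for p in repaired}
    return [q for q in quarantined if q.lower() not in restored]


if __name__ == "__main__":
    repaired, unrepaired = parse_sfc_results(SAMPLE_CBS_LOG)
    print("restored from store:", repaired)
    print("could not repair:", unrepaired)
    print("still missing:", still_missing([r"c:\windows\sysWOW64\kernel32.dll"], repaired))
```

Any file listed as not repairable, or quarantined but never restored, still needs attention after the reboot.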

Thank you so much for replying. I am going to try that and will see how it goes. Fingers Crossed!!! Thanks!!! :)

Thank you VERY much! ;D The scan fixed the problem for me too.

The files that Avast misidentified were DLLs connected to the WoW64 subroutine of Windows. By using my mother-in-law’s computer and internet access to research it, I found that this program lets 32-bit programs operate in a 64-bit environment. So essentially none of the programs installed in the Program(x86) file (the 32-bit programs) would work, and even some of the ones in the Program file (64-bit programs) would not work either, including Avast5. I would guess this is because it has some 32-bit aspects to it. So I could not even open it to retrieve the files from the chest. It was a GREAT relief to see your solution!

Thank you, once again!

Followed steps to scan which worked. I ran another scan and the same 3 files came up as threats again: WIN 32: Cybot-KI [Trj] for SysWOW64 and WINSXS. I saw another post a few up from mine that says these might be false positives. I tried to “repair” but Avast gave me errors. Any other advice since these came up flagged again? I am going to run a different virus scan and see what that brings up in the meantime.

Ran AVG full scan - no virus found. Left everything as-is since Avast couldn’t repair the false-positive files. Hope this helps others. Sounds like I’m not the only one who had this happen.

About the same thing happened to my one month newly built Windows 7 64 bit “dream machine.” I first noticed the small window that jumps around the screen while Avast is working as a screen saver scanner had turned red and when I moused out of it the Avast warning box popped up with I think the same named “bad guys” mentioned in a previous post. Cybot-K or whatever. I say “think” because my notation of it was supposed to be done with FastStone screen captures which seemed to work as usual when performed, but I later found the capture files I had made were not saved.

Again, I “think” (because I’m a frazzle headed old fart) there were three items in the list and I tried to put them in the chest, but was not allowed so I opted to delete them. That seemed to work and I then followed the suggestion to do a boot time scan. After which, like others, I could not run programs on restart. I tried using a couple restore points, but both attempts were unsuccessful. I found all 32 bit programs I tried were unresponsive. Double click on the icon and nothing. But! 64 bit programs I tried worked.

Anyway I took stock of my situation and friggin FREAKED! I HATE this when it happens … then took a couple days to cool off and go back to my old PC to look for help. Thankfully I discovered this thread and the solution to get back to what seems normal.

The SFC /Scannow thing worked for me too. Afterward full scans with both Avast and Malwarebytes show I’m clean … but alas left more than a bit paranoid. I’ve tried to figure out how I could have been invaded and wonder if it happened when I turned Avast OFF to install software. Often I would disable the shields until a re-boot, and sometimes I would forget to do that right after the install. I also wonder if I had hints of attack prior to this happening.

I access the net through a mobile broadband USB device and have a 5G per month limit so I sort of monitor my up/down load activity using visible sent and received counters showing in the device’s software. It was about a week ago I had a mysterious happening. I noticed about 140meg went OUT of my machine when maybe only 10 to 20 meg should have. That’s a huge amount of upload for what I recall was a period of normal activity. I’m still worried what went out and to where. Could that have been the work of this Cybot-K bug? I’ll have to try to learn more about it.

Holey Moley tho … it wasn’t an easy thing for me to accomplish the Scannow action as after I figured out how to get the Command Prompt and typed in the command I was “told” it had to be done by an administrator in a certain window or something. I pulled my hair out over that for a while, finally finding with online help using my old PC that a right click was needed so the command prompt could be run as an administrator. DUH! OLD frazzled is my excuse again. ;>

Something else I wonder if a clue things had gone amiss was that the Avast screen saver suddenly changed on me. Instead of the colorful mystic flow lines and the jumping box showing which files Avast is scanning I had the box and a large text message saying I needed to get a better video card and DirectX 9 for it to work right. At the time I thought maybe it was due to a change made due to an Avast program update, because GEEZE I have a $200 GTX560 in my new “hot rod!” I had fuzzy thoughts that symptom happened about the same time as an update, but I dunno for sure. After this “fix” the screen saver scanning is back to looking like it should.

Lessons learned … I need to disable Avast for software installs only for a very short time especially when online. I need to learn how to make a bootable back-up using Acronis that I’ve recently purchased for the purpose. And, I need to THANK and support the Superman fighters for Homeland PC Security and pray they seriously kick some badguy hacker butt!

I had a similar situational response to the “administrator requirement” since this was the first time I decided to try and “fix” a virus myself. It was kind of scary. And, like you, I discovered that the fix was actually very easy.

I have not found that I need to disable Avast for software installs. I just need to be more discerning as to whether a reported “virus” is a system file or not. If it is a system file and it is moved somewhere, then the os can’t run (duh!). So I’ll be much more careful next time.

Lastly, I use Acronis to back up my entire system. I’ve been using it for six years and fortunately have never had to reinstall my system, but I’m very happy with the way it works in terms of ease-of-backup. Hopefully, if I ever actually have to use it, it will work as simply as the backup part. :-))

We have finally found a solution today … thought I’d let everybody know in case somebody has a similar problem.

We cleaned all the front-end through Windows Defender and Ad-aware Lavasoft. No virus was found, so we figured the problem was in the database somewhere.

Somebody then suggested we look in the facileforms subrecords in phpMyAdmin. I realised then that somebody who has nothing better to do with their lives inserted a script via one of our forms. Apparently this is called cross-site scripting … they insert some javascript into a form, which looks to another website hosting a Trojan, and so it looks as though there is a Trojan on our website. I deleted the offending records. We’re running the most up-to-date version of facileforms. It seems the only way to stop this from happening again is to check the database daily and delete any subrecords that have a script in them.

Thanks for your advice Absalom, however we’re running PHP 4.4.4 I believe so I don’t think that was the problem.

During the past couple of weeks we have contacted our web host several times and they would not answer even the most routine questions, such as “are you running Front Page extensions on the server”. I am not impressed.
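For the stored-script cleanup described in the post above, an added example (not the poster's code and not facileforms code): it audits stored submissions for script tags and also HTML-encodes every value when it is displayed, so a stored tag is shown as text instead of being run by the browser. The table and column names, the sample rows and `attacker.example` are assumptions made for the illustration.

```python
import html
import re
import sqlite3

SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

# Constructed submissions; table and column names are hypothetical, not the
# facileforms schema, and attacker.example is a placeholder host.
SAMPLE_ROWS = [
    (1, "name", "Alice Example"),
    (2, "comment", 'Great site <script src="http://attacker.example/t.js"></script>'),
    (3, "comment", "Is shipping < 10 days & under 5 kg?"),
    (4, "comment", "<SCRIPT>document.title = 1</SCRIPT>"),
]


def load_sample_db():
    """Build an in-memory table holding the constructed submissions."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE form_subrecords (id INTEGER PRIMARY KEY, name TEXT, value TEXT)")
    db.executemany("INSERT INTO form_subrecords VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def find_script_records(db):
    """Audit step: ids of stored values that contain a script tag."""
    rows = db.execute("SELECT id, value FROM form_subrecords ORDER BY id")
    return [rid for rid, value in rows if SCRIPT_TAG.search(value)]


def render_value(value):
    """Display step: encode on output so stored markup is shown as text, not run."""
    return html.escape(value, quote=True)


def render_table(db):
    """HTML rows for an admin view, every cell encoded."""
    rows = db.execute("SELECT id, name, value FROM form_subrecords ORDER BY id")
    return "\n".join(
        f"<tr><td>{rid}</td><td>{render_value(name)}</td><td>{render_value(value)}</td></tr>"
        for rid, name, value in rows
    )


if __name__ == "__main__":
    db = load_sample_db()
    print("records containing script tags:", find_script_records(db))
    print(render_table(db))
```

The pattern scan only finds script tags; the encoding step is what keeps any stored markup from executing, including forms the scan does not recognise.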

Thanks for posting here, this thread saved my computer health and sanity after a day and a half of searching and pulling my hair out. The SFC/scannow did the trick for a PC that was unresponsive to rootkill attempts, system restore attempts, and even a windows 7 recovery disk attempt. I’ve yet to fully go through my log to determine the culprit, and will post here if I find anything different than the rest of you had. Thanks again.