I have a trojan that interferes with Avast (it tries to turn off the Firewall and Startup protection).
It also blocks the virus-scan at 26%.
Unfortunately the aswMBR-scan also could not be completed (see JPG with error-message).
"unfriendly trojan"
Is there a friendly one?
You may try to run aswMBR from safe mode.
That log is usually not needed, and if needed Essexboy has other rootkit tools.
Essexboy will be back online tomorrow
There does appear to be something amiss as system files appear to be locked
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
Hello Essexboy,
I ran the scans on my second laptop (same unfriendly trojan I assume) and here are the results. Actually I tried also to run aswMBR in safe mode on both but that didn’t work. I did copy the text of the error-message for the second laptop (refer to error_antirootkit_aswMBR.txt).
Then I tried to run Combofix but after some error messages and a Combofix-initiated restart the system got stuck in an endless loop. Some pop-up messages about missing access to certain files in c:\windows\system32\config\system … with something about RegReplaceKey came up.
On the first laptop an Avast Scan still can’t run through (only made it to 3% this time). One error during the scan referred to the server being “ausgelastet”.
'Tis either something very new or a system malfunction.
I would like to check this outside of windows. You will need a spare USB stick for this and can run on both systems
Create an emergency repair USB drive:
Download Dr Web Live USB to your desktop
- Connect a USB flash drive to the computer. Registering the plugging in event takes no more than 10 seconds.
- Launch drwebliveusb.exe.
- The program will detect available USB-devices automatically and prompt you to choose the one you'd like to use as an emergency repair drive. You can format the device if you like (a warning will be displayed before you proceed with formatting). In order to read the License agreement, follow a corresponding link found in the program window (the page containing the license agreement text will be loaded in your default browser).
https://dl.dropbox.com/u/73555776/liveusb_ru.jpg
- To create a bootable USB flash drive, press the Create Dr.Web LiveUSB button.
- Files will be copied automatically.
- Once the copying process is completed, press the Exit button to close the application.
- Reboot the infected computer with the USB in the drive
- Ensure that the first boot device is USB - If you are not sure about that then see this page for instructions
- As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.
https://dl.dropboxusercontent.com/u/73555776/Live%20boot%20screen.png
- Use arrow keys to select DrWeb-LiveCD (Default)
https://dl.dropboxusercontent.com/u/73555776/drwebselect.JPG
- Press select objects for scanning
https://dl.dropboxusercontent.com/u/73555776/drwebfolders.JPG
- When the system is loaded, check the disks or folders you want to scan, and click on Start.
- The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
https://dl.dropboxusercontent.com/u/73555776/drwebscan.JPG
- When it has completed
https://dl.dropboxusercontent.com/u/73555776/drwebscancomplete.JPG
- Select Open Report and copy to the USB
- Once completed reboot to normal windows, and attach the report here
Dear Essexboy,
I ran the scan with Dr.WebLiveUSB but the current version doesn’t offer the report function any more.
What next?
Could you now run me a fresh FRST please and let me know if the problem persists… Did Dr Web find anything?
Dr Web still starts every time I start the computer after logging in to windows (in an annoying series of 0.2 second pop-up windows). After ten minutes it appears to run out of steam and then I can continue. Is there any way to stop DrWeb?
I ran a fresh FRST. Here are the files.
Since it is a live CD/DVD/USB, it would only run if you still have the CD/DVD/USB inserted.
Take it out.
I have a concern about the following, as it should not be occurring:
Failed to access process -> smss.exe
Failed to access process -> csrss.exe
Failed to access process -> wininit.exe
Failed to access process -> csrss.exe
Failed to access process -> winlogon.exe
Failed to access process -> services.exe
Failed to access process -> lsass.exe
Failed to access process -> lsm.exe
Failed to access process -> svchost.exe
Failed to access process -> svchost.exe
My initial suggestion would be to use a backup image of the drive if you have one, or re-install Windows.