My computer is running Windows 7 and I have Avast Professional.
Today my computer crashed while I was on the internet. Avast gave me a warning pop-up, but it only lasted a few seconds before I got a BSOD. I do not remember the error code, but over the last dozen or so restarts where I have crashed the most common error is IRQL_NOT_LESS_EQUAL, though there have been one or two sporadic different ones.
I have never had a blue screen before on this computer, which I have had for several years. 90% of the times I have restarted it today have resulted in an instant blue screen. I can only get into safe mode occasionally, and I have not been able to get back into it after running MalwareBytes. The first thing I tried to do was get into safe mode and run Avast. It found two infected files, which I removed. The problem did not end, so I ran MalwareBytes and it found one infected file. I selected to remove it and restarted on prompt. I have not been able to load into safe mode or normal mode since.
I am 95% sure my computer has been compromised by malicious software because of the timing of events. I do not know what to do. I would like to solve this problem without having to completely reinstall Windows 7. I am currently posting from another computer.
Hi, I just PM'ed someone who may come here to help … the main problem being that you can't boot at all. You might have to load something on CD and boot from that to clean your computer. Okay, all I can suggest for now is that you wait until a member here called Essexboy pops in.
Edit: did you try to start using the “last known good configuration” option? Do you have a system image backup?
You could attempt a system restore (using a restore point, not an image) with your Win7 DVD, but that's risky… as your restore points might be infected as well and/or the restore process may just fail… or succeed in restoring an infected system. Your best option is still to wait until Essexboy (he's a malware expert) comes, which might be tomorrow. The guy's from England and it's 11:15 pm there right now.
Nope, I was thinking of a malware tool (none in particular) burned to CD, which Essexboy may suggest if you can't boot Windows at all. As to your Windows DVD, it doesn't contain any malware diagnostic tool. Your repeated BSODs just mean that some drivers have been involved/broken etc.

What would be interesting would be your latest memory dump (generated when a BSOD occurs). Not sure if that's needed… such files are big, and must be compressed and uploaded to a server to be diagnosed. They're located directly under your Windows directory and called memory.dmp. You might be able to grab a copy of yours by inserting your hard disk in another computer, but there's a risk of infecting the other computer (not with the dump file, but with the infection that you described). It can also be done using your Windows DVD: go into repair mode, list your Windows directory and copy the file to an external drive. You should also have a minidump file, much smaller and located in Windows\Minidump. But don't bother yet, as again this might not be needed at all. These dump files won't tell what sort of infection affected your system but might tell what was affected, and that's a lead.
Ok. If I seem too eager, it's because this has come in the middle of an important project that I cannot complete on another computer. I have used my Windows disk to system restore. I still cannot boot normally, but I am posting from the computer now in safe mode.
I am definitely infected with spyware. As I was typing up this post, Java loaded up of its own accord and I was redirected to a spam website. At least now I have access to the computer directly. Java Virtual Machine Launcher loaded and gave the error “Unable to access jarfile \195.28.10.31\pub\new.avi”.
Because it looks like the malware is connecting to the internet, I am going to disconnect this computer from the network and continue posting on another computer. Hopefully I can get help from someone other than an expert now that I can boot!
Sorry for the double post, but I have leads on what has infected my system.
I checked the log file Avast4/DATA/log/Warning.log and here are the contents, with an annotation of when the crash occurred:
4/10/2011 1:02:27 PM 1302454947 SYSTEM 1340 Sign of "Win32:FakeAlert-AFC [Trj]" has been found in "C:\Users\Dan\AppData\Local\Temp\axmonewcrs.exe" file.
(Crash occurred seconds after the previous warning.)
4/10/2011 2:56:54 PM 1302461814 Dan 2036 Sign of "Win32:Trojan-gen" has been found in "C:\Users\Dan\AppData\Local\Temp\0.8766734525601846.exe" file.
4/10/2011 3:20:24 PM 1302463224 Dan 2036 Sign of "Win64:Alureon-B@mbr [Rtk]" has been found in "C:\Windows\MEMORY.DMP" file.
The last warning intrigued me when I found it just now. I told Avast to scan the latest memory dump file in my Windows folder and the same error comes up. Is this information useful to figure out what I should do?
Edit: Huzzah. Searching the forums for posts about Alureon led me to the Kaspersky tool for removing it from the MBR. This has made my system stable again. Of course, now my computer might still be completely compromised, so I need advice on how to ensure everything is clean! I need this computer to do sensitive work that I cannot afford to have exposed to malicious activity. The first thing I did once I successfully rebooted was upgrade to Avast 6.
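The Warning.log excerpt above is the evidence that turned a vague "I think I'm infected" into a concrete lead (a [Rtk] signature with an @mbr suffix, found inside the crash dump rather than in a deletable file). The following Python script is an added example, not code from the thread or from Avast: it parses lines in that log layout, tags each detection by what the signature name and file location imply for cleanup, and checks which detections landed in the seconds before a crash. The sample log lines are constructed here, modelled on the three entries quoted in the post, and the crash timestamp passed to `detections_before` is an assumed value; the epoch/local-time cross-check simply verifies that the two time fields in each line agree on one UTC offset.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input in the Avast4 Warning.log layout quoted in the post:
# "<local time> <epoch> <account> <PID> Sign of "<signature>" has been found in "<path>" file".
# The first sample line omits the opening quote around the path so that the parser's
# tolerance for that is exercised.
SAMPLE_LOG = r'''4/10/2011 1:02:27 PM 1302454947 SYSTEM 1340 Sign of "Win32:FakeAlert-AFC [Trj]" has been found in C:\Users\Dan\AppData\Local\Temp\axmonewcrs.exe" file
4/10/2011 2:56:54 PM 1302461814 Dan 2036 Sign of "Win32:Trojan-gen" has been found in "C:\Users\Dan\AppData\Local\Temp\0.8766734525601846.exe" file.
4/10/2011 3:20:24 PM 1302463224 Dan 2036 Sign of "Win64:Alureon-B@mbr [Rtk]" has been found in "C:\Windows\MEMORY.DMP" file.
'''

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"

LINE_RE = re.compile(
    r'^(?P<local>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<epoch>\d+) (?P<account>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "?(?P<path>[^"]+?)"? file\.?\s*$'
)


def parse_warning_log(text):
    """Return one dict per parseable line; lines that do not match are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local = datetime.strptime(m["local"], TIME_FMT)
        epoch = int(m["epoch"])
        utc = datetime.fromtimestamp(epoch, tz=timezone.utc).replace(tzinfo=None)
        entries.append({
            "local": local,
            "epoch": epoch,
            # Local-time and epoch fields should agree on one fixed offset; a jump here
            # would mean a clock change or a tampered/mis-stitched log.
            "utc_offset_h": (utc - local).total_seconds() / 3600,
            "account": m["account"],
            "pid": int(m["pid"]),
            "signature": m["sig"],
            "path": m["path"],
        })
    return entries


def classify(entry):
    """Tag a detection by what the signature name and location imply for cleanup."""
    tags = set()
    sig = entry["signature"].lower()
    path = entry["path"].lower()
    kind = re.search(r"\[(\w+)\]", sig)            # Avast suffixes such as [Trj] trojan, [Rtk] rootkit
    if kind:
        tags.add({"trj": "trojan", "rtk": "rootkit"}.get(kind.group(1), kind.group(1)))
    if "@mbr" in sig:
        tags.add("mbr")              # boot-sector component: deleting files will not remove it
    if "\\appdata\\local\\temp\\" in path:
        tags.add("temp_dropper")     # executable dropped into the user's Temp directory
    if path.endswith("memory.dmp"):
        tags.add("in_crash_dump")    # hit is inside the kernel crash dump, i.e. it was in memory at crash time
    return tags


def detections_before(entries, crash_local_str, window_s=30):
    """Detections logged within window_s seconds before a crash (the timing evidence used in the post)."""
    crash = datetime.strptime(crash_local_str, TIME_FMT)
    lo = crash - timedelta(seconds=window_s)
    return [e for e in entries if lo <= e["local"] <= crash]


def needs_mbr_cleanup(entries):
    """True when any detection points at the MBR, so a file-level clean alone is not enough."""
    return any("mbr" in classify(e) for e in entries)


if __name__ == "__main__":
    entries = parse_warning_log(SAMPLE_LOG)
    for e in entries:
        print(e["local"], e["account"], e["signature"], sorted(classify(e)))
    # Assumed crash time: the post only says the crash came "seconds after" the 1:02:27 PM warning.
    hits = detections_before(entries, "4/10/2011 1:02:40 PM")
    print("detections just before the crash:", [e["signature"] for e in hits])
    print("MBR-level cleanup needed:", needs_mbr_cleanup(entries))
```

Run against a real Warning.log, the useful output is the tag set per line: a `temp_dropper`/`trojan` entry is something the on-access scanner caught and removed, whereas `rootkit` + `mbr` + `in_crash_dump` means the engine is matching a signature in a memory image, which is consistent with the MBR-level tool being what finally stabilised the machine.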
and upload the log here… I’m not familiar with that at all, never had to use it. You can always run it and see if anything suspicious appears in the log. As to taking subsequent action if necessary, you’ll have to wait for Essexboy to tell you … don’t know where the guy is tbh ??? ;D
Yep, I would ;D As we can get to safe mode, that is a good start.
Download OTS to your Desktop and double-click on it to run it.
- Make sure you close all other programs and don't use the PC while the scan runs.
- Select All Users.
- Under additional scans select the following:
  - Reg - Disabled MS Config Items
  - Reg - Drivers32
  - Reg - NetSvcs
  - Reg - SafeBoot Minimal
  - Reg - Shell Spawning
  - Evnt - EventViewer Logs (Last 10 Errors)
  - File - Lop Check
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete, Notepad will open with the report file loaded in it.
- Please attach the log in your next post.