Virus made Avast delete files, what to do?

Hello,

When Avast ran boot scan I pressed the option “2-Delete All”, and 30 infected files have been deleted, not only the virus files.
My question is, how do I find which files were deleted and is there anything I can do about it, or the deletion of these files can risk the operation of my Windows 7 Home Premium? The virus was mazebat or tazebama or something.
Please help me, it’s a new PC and someone else used it before I even installed an antivirus.

Thanks.

Are you able to use the computer at the moment?

If so then follow the steps in this thread and post the logs here http://forum.avast.com/index.php?topic=53253.0

Thanks for quick reply,
I am able to use the computer
MBAM deleted 1 infected file,
Is it now safe to use the computer or is there still a worm/virus?
And what happened to the files Avast! deleted on the boot scan ? Will it affect Windows 7?

Could you continue and do the OTL and aswMBR scans please to confirm that there is nothing left

Also could you open Avast
Go to Maintenance
Open the virus chest and note what files have been quarantined

Thanks again
OK I did the OTL and aswMBR and nothing is said to be left.
But my question now is, when Avast! did the boot scan I saw that 30 files were deleted, for example the Windows Solitaire game, so maybe something else more important than Solitaire was deleted when Avast! removed the infected files? How can I know that?

Both of those tools are analysis tools - and unless you know how to read them they will give you no meaningful data

What was the virus name that avast reported?

Could you attach the OTL and aswMBR logs please

When Avast ran boot scan I pressed the option "2-Delete All"

Just a suggestion…the prudent thing to do if/when a suspected virus/malware is found is to quarantine in the virus chest until you can confirm whether the threat is real or a false positive.

I know it was stupid but I did that because I saw in Google tazebama is a sure virus.
So, did I damage my Windows beyond repair (I haven't set backup yet)? Or the 30 files I saw removed at the boot scan weren't necessary (like the Solitaire I mentioned)?

Until I can look at the logs then I am unable to say

This is the aswMBR log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-18 17:49:41

17:49:41.906 OS Version: Windows 6.1.7601 Service Pack 1
17:49:41.906 Number of processors: 4 586 0x2A07
17:49:41.908 ComputerName: USER-PC UserName: user
17:50:17.424 Initialize success
17:50:18.300 AVAST engine defs: 12031800
17:50:36.648 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP3T0L0-3
17:50:36.650 Disk 0 Vendor: ST500DM002-1BD142 KC44 Size: 476940MB BusType: 3
17:50:36.684 Disk 0 MBR read successfully
17:50:36.685 Disk 0 MBR scan
17:50:36.689 Disk 0 Windows 7 default MBR code
17:50:36.712 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
17:50:36.734 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 239900 MB offset 206848
17:50:36.768 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 236938 MB offset 491522048
17:50:36.794 Disk 0 scanning sectors +976771072
17:50:36.978 Disk 0 scanning C:\Windows\system32\drivers
17:51:06.763 Service scanning
17:52:00.406 Modules scanning
17:52:30.904 Disk 0 trace - called modules:
17:52:31.267
17:53:02.538 AVAST engine scan C:\Windows
17:53:41.607 AVAST engine scan C:\Windows\system32
17:58:45.197 AVAST engine scan C:\Windows\system32\drivers
17:59:06.391 AVAST engine scan C:\Users\user
18:02:00.916 AVAST engine scan C:\ProgramData
18:02:16.914 Scan finished successfully
18:08:31.171 Disk 0 MBR has been saved successfully to “C:\Users\user\Documents\MBR.dat”
18:08:31.175 The log file has been saved successfully to “C:\Users\user\Documents\aswMBR.txt”

The MBAM log when found the file: (That was after Avast! deleted the 30 files, so there was still something left?!)

Memory Processes Infected: 0
(No malicious items detected)

Memory Modules Infected: 0
(No malicious items detected)

Registry Keys Infected: 0
(No malicious items detected)

Registry Values Infected: 0
(No malicious items detected)

Registry Data Items Infected
(No malicious items detected)

Folders Infected: 0
(No malicious items detected)

Files Infected: 1
C:\Users\user\AppData\Roaming\tazebama\zPharaoh.dat (Worm.Mabezat) → Quarantined and deleted successfully.
(end)

Could you attach the OTL log please as you did have a worm

the OTL are attached

Looks like everything was killed

To check your system files run an elevated command prompt

Go Start > All Programs > Accessories
Right click Command prompt and select run as Administrator
In the black box that opens type the following command and press Enter

sfc /scannow

That should repair any damaged files

For getting solitaire etc… back, go to Control Panel > Programs and Features
Select turn windows features on and off
Then in the next box that opens re-tick the ones that are missing

EDIT: I also see AVG search toolbar, that is a total waste of space so I would recommend that you uninstall it

Thanks a lot for your support and patience, you really helped.
I did the sfc /scannow and it told me "Windows Resource Protection found corrupt files but was unable to fix some of them."
Btw, besides the games deleted, are you sure no important Windows files have been removed?
*About the AVG toolbar, it was mistakenly installed with another program I installed ;D -> Removed
Thanks again.

Usually the ones that sfc is unable to fix are ini files but they are of no import

How is the computer behaving? Any problems?

Haven't noticed any problems yet, I hope there won't be because I got my Windows without any installation disc and I haven't set backup prior to the virus :cry:
*should I post the sfc log?
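
The entries behind the "unable to fix some of them" message are written to CBS.log with an [SR] tag. The following is an added example, not part of the original thread, that lists each unrepaired file once and flags the .ini ones; the function name Get-SfcUnrepaired and the sample lines are constructed for illustration, and the log path is the assumed default location.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt,
# because CBS.log is readable only by administrators.
$LogPath = Join-Path $env:windir 'Logs\CBS\CBS.log'   # assumed default location

function Get-SfcUnrepaired {   # hypothetical helper name
    param([string[]]$Lines)
    # Entry shape: ... [SR] Cannot repair member file [l:24{12}]"name" of <component>, Version = ...
    $pattern = '\[SR\] Cannot repair member file \[[^\]]*\]"([^"]+)" of ([^,]+),'
    $seen = @{}
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }
        $file = $m.Groups[1].Value
        $component = $m.Groups[2].Value
        $key = "$file|$component"
        if ($seen.ContainsKey($key)) { continue }   # sfc logs the same file more than once
        $seen[$key] = $true
        New-Object PSObject -Property @{
            File      = $file
            Component = $component
            IsIni     = ($file -like '*.ini')
        }
    }
}

# Constructed sample lines, used only when the real log cannot be read.
$sample = @(
    '2012-03-18 18:31:02, Info                  CSI    00000141 [SR] Verify complete',
    '2012-03-18 18:31:07, Info                  CSI    00000143 [SR] Cannot repair member file [l:24{12}]"settings.ini" of Example-Component-A, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, hash mismatch',
    '2012-03-18 18:31:09, Info                  CSI    00000145 [SR] Cannot repair member file [l:24{12}]"settings.ini" of Example-Component-A, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, hash mismatch',
    '2012-03-18 18:31:15, Info                  CSI    00000149 [SR] Cannot repair member file [l:22{11}]"example.dll" of Example-Component-B, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, hash mismatch'
)

try   { $lines = Get-Content -LiteralPath $LogPath -ErrorAction Stop }
catch { $lines = $sample }   # fall back to the constructed sample

# Non-.ini files sort first, since those are the ones worth a closer look.
Get-SfcUnrepaired -Lines $lines |
    Sort-Object IsIni, File |
    Format-Table File, Component, IsIni -AutoSize
```
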

The first thing you need to do then is create a repair disc

Create a Windows 7 System Repair Disc

Note: the below can only be done if your machine has a type of CD/R or DVD/R optical drive installed. Also depending on the exact type of OEM your machine has you may be unable to actually create a SRD.

Click on Start (Windows 7 Orb) >> Run… (or the Windows key and R together) to bring up the Run box, then copy/paste the following command into the box and click on OK:

recdisc.exe

Allow the UAC (User Account Control) prompt via selecting Yes.
You should now see a menu like the below:-

http://i280.photobucket.com/albums/kk173/Dakeyras_album2/WTSRD1.gif

Put a blank rewritable CD/DVD in your optical (CD/DVD) drive and then click on Create disc.
Note: If an AutoPlay window pops up, just close it.
When the SRD has been created you will see the below:-

http://i280.photobucket.com/albums/kk173/Dakeyras_album2/WTSRD2.gif

Now click on Close >> OK.
You now have a Windows 7 System Repair Disc.

THEN

Read this page on how to create a backup… http://www.howtogeek.com/howto/4241/how-to-create-a-system-image-in-windows-7/

I would recommend that you put the backup on a separate external drive

Should I backup even though I had a virus?
Btw, do you think that if antivirus and malware (Avast and MBAM) full scans find no threats it really means there are no more threats? Or the virus/worm I had earlier may still be on the computer and it is not safe for me to log in to websites with personal information such as Facebook, bank, as my accounts are at risk of being revealed by the trojan/worm/virus?
*If I can restore my system to a point before the virus, should I do that?

The probability is that if both programmes can find nothing you are probably safe, there was nothing untoward showing in the logs.

That is an option - do you have a restore point prior to the infection?