Avast found several high-severity rootkits in regular scan mode. I couldn't move them to the virus chest, delete, or repair the infected files. I restarted the computer and the DOS (boot-time) scan mode for Avast kicked in, giving me several options: delete, delete all, move to chest, move all to chest, repair, repair all, ignore, or ignore all. I tried delete, move to chest, and repair; none worked. What do I do? I am now running my computer in safe mode and doing another scan; when the program detects the viruses again, I just need to know what to do next. Thanks to all of you who have replied to the other topic that was originally started earlier.
Prior information and responses here:
http://forum.avast.com/index.php?topic=132092.0
Sorry for not responding sooner, but I have been in and out all day. This is the progress thus far. Please note I could not find another way to attach the report from Malwarebytes other than to copy and paste it. These are all the steps that I have done at this point. There is still something that is attacking this computer. As I am typing, Avast has alerted me that something was blocked. Should I do the other steps past this point?
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
Database version: v2013.08.11.06
Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.19088
Angelo N Dawn :: OUR-OFFICE-DELL [administrator]
Protection: Enabled
8/11/2013 6:15:50 PM
mbam-log-2013-08-11 (18-15-50).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 227554
Time elapsed: 11 minute(s), 34 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\Angelo N Dawn\Downloads\MapsSetup.exe (PUP.Optional.Inbox) → Quarantined and deleted successfully.
(end)
2013/08/11 18:13:51 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE Starting protection
2013/08/11 18:13:51 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE Protection started successfully
2013/08/11 18:13:51 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE Starting IP protection
2013/08/11 18:14:46 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE IP Protection started successfully
2013/08/11 18:14:50 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE Starting database refresh
2013/08/11 18:14:50 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE Stopping IP protection
2013/08/11 18:14:53 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE IP Protection stopped successfully
2013/08/11 18:15:06 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE Database refreshed successfully
2013/08/11 18:15:06 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE Starting IP protection
2013/08/11 18:15:19 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE IP Protection started successfully
2013/08/11 18:22:48 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE Executing scheduled update: Daily
2013/08/11 18:22:59 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE Database already up-to-date
2013/08/11 20:07:40 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE Starting protection
2013/08/11 20:07:40 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE Protection started successfully
2013/08/11 20:07:40 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE Starting IP protection
2013/08/11 20:07:46 -0400 OUR-OFFICE-DELL Angelo N Dawn MESSAGE IP Protection started successfully
This is the extras text from OTL, sorry for putting it here but it will not allow me to attach anymore files.
12.0.6661.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 269
seconds with 180 seconds of active time. This session ended with a crash.
Error - 8/11/2013 8:02:08 PM | Computer Name = Our-Office-Dell | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 114
seconds with 60 seconds of active time. This session ended with a crash.
[ System Events ]
Error - 8/11/2013 6:02:20 PM | Computer Name = Our-Office-Dell | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!
Error - 8/11/2013 6:03:14 PM | Computer Name = Our-Office-Dell | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!
Error - 8/11/2013 6:03:46 PM | Computer Name = Our-Office-Dell | Source = HTTP | ID = 15016
Description =
Error - 8/11/2013 6:04:42 PM | Computer Name = Our-Office-Dell | Source = Service Control Manager | ID = 7000
Description =
Error - 8/11/2013 6:06:28 PM | Computer Name = Our-Office-Dell | Source = Service Control Manager | ID = 7022
Description =
Error - 8/11/2013 8:05:28 PM | Computer Name = Our-Office-Dell | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!
Error - 8/11/2013 8:06:21 PM | Computer Name = Our-Office-Dell | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!
Error - 8/11/2013 8:06:30 PM | Computer Name = Our-Office-Dell | Source = HTTP | ID = 15016
Description =
Error - 8/11/2013 8:07:56 PM | Computer Name = Our-Office-Dell | Source = Service Control Manager | ID = 7000
Description =
Error - 8/11/2013 8:09:26 PM | Computer Name = Our-Office-Dell | Source = Service Control Manager | ID = 7022
Description =
< End of report >
Okay, this is the latest action that I have taken in the step by step process that I have been given. Please see attached. Thanks again for all your help regarding this matter.
MM1
Hi, what file was detected by Avast as a rootkit?
Warning: this fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
* Under the Custom Scans/Fixes box at the bottom, paste in the following:
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Commands
[CREATERESTOREPOINT]
:OTL
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {ab56dfde-0c14-45b3-9df6-7b0eba617870} - No CLSID value found.
O2 - BHO: (no name) - {EFA17361-CDC0-4927-9AFC-BAAD1F96B2AE} - No CLSID value found.
O3 - HKLM\..\Toolbar: (TotalRecipeSearch) - {a0154e07-2b48-475c-a82a-80efd84ea33e} - C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14bar.dll (MindSpark)
O3 - HKLM\..\Toolbar: (PopularScreensavers) - {f339a07f-9578-412d-85e0-b8a80277151a} - C:\Program Files\PopularScreensavers_7i\bar\1.bin\7ibar.dll (MindSpark)
O3 - HKU\S-1-5-21-3015119447-338064841-221048989-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-3015119447-338064841-221048989-1000\..\Toolbar\WebBrowser: (TotalRecipeSearch) - {A0154E07-2B48-475C-A82A-80EFD84EA33E} - C:\Program Files\TotalRecipeSearch_14\bar\1.bin\14bar.dll (MindSpark)
O3 - HKU\S-1-5-21-3015119447-338064841-221048989-1000\..\Toolbar\WebBrowser: (PopularScreensavers) - {F339A07F-9578-412D-85E0-B8A80277151A} - C:\Program Files\PopularScreensavers_7i\bar\1.bin\7ibar.dll (MindSpark)
O4 - HKLM..\Run: [] File not found
O4 - HKU\S-1-5-21-3015119447-338064841-221048989-1000..\Run: [ConduitFloatingPlugin_nemfjadlboooiffmcelkafilagddogim] "C:\Windows\system32\Rundll32.exe" "C:\Program Files\Conduit\CT3289663\plugins\TBVerifier.dll",RunConduitFloatingPlugin nemfjadlboooiffmcelkafilagddogim File not found
O4 - HKU\S-1-5-21-3015119447-338064841-221048989-1000..\Run: [p5PopularScreensaversWallpaper] C:\Program Files\PopularScreensavers\p5ScrCtr.dll (FunWebProducts.com)
:Files
C:\Users\Angelo N Dawn\AppData\Local\Apps\2.0\2D487A43.561
C:\Program Files\PopularScreensavers
C:\Program Files\Conduit
:Commands
[resethosts]
[emptytemp]
[Reboot]
* Then click the Run Fix button at the top.
* Let the program run unhindered; reboot the PC when it is done.
* Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
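The O2, O3 and O4 lines in the fix above are OTL's view of three autostart locations: Internet Explorer Browser Helper Objects, IE toolbars, and the Run keys. "No CLSID value found" means the registered CLSID no longer resolves to a DLL under HKCR\CLSID, and "File not found" means the DLL or executable the entry points at is gone. The following read-only PowerShell script is an added example, not part of the thread or of OTL; it walks those same standard registry locations and reports the same two conditions so you can see what a fix like this would act on before running it. It assumes an elevated PowerShell prompt, and the regular expressions for extracting a path from a Run value (including the rundll32 case seen in the Conduit entry) are this example's own.

```powershell
# Added example (not from the thread or from OTL): list IE BHOs, IE toolbars and
# Run-key entries, and flag orphaned CLSIDs and missing files. Read-only.

function Resolve-ClsidDll {
    param([string]$Clsid)
    # A BHO or toolbar only loads if HKCR\CLSID\{guid}\InprocServer32 names a DLL.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path $key)) { return $null }
    $srv = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $srv -or -not $srv.'(default)') { return $null }
    return [Environment]::ExpandEnvironmentVariables($srv.'(default)')
}

function Get-BhoAndToolbarEntries {
    # BHOs are subkeys named by CLSID; toolbars are values whose *name* is the CLSID.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $item   = Get-Item $p
        $clsids = @($item.GetSubKeyNames()) +
                  @($item.GetValueNames() | Where-Object { $_ -match '^\{[0-9A-Fa-f-]+\}$' })
        foreach ($c in $clsids) {
            $dll = Resolve-ClsidDll $c
            if ($null -eq $dll)               { $status = 'No CLSID value found' }
            elseif (-not (Test-Path $dll))    { $status = 'File not found' }
            else                              { $status = 'OK' }
            [pscustomobject]@{ Location = $p; Clsid = $c; Dll = $dll; Status = $status }
        }
    }
}

function Get-RunEntries {
    # Run values hold a command line; extract the executable, or for rundll32
    # the DLL it is asked to load, since that is the file that actually matters.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $key = Get-Item $p
        foreach ($name in $key.GetValueNames()) {
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))
            if     ($cmd -match 'rundll32\.exe"?\s+"?([^",]+)') { $target = $Matches[1].Trim() }
            elseif ($cmd -match '^\s*"([^"]+)"')               { $target = $Matches[1] }
            elseif ($cmd -match '^\s*(\S+)')                   { $target = $Matches[1] }
            else                                               { $target = '' }
            if (-not $target -or -not (Test-Path $target)) { $status = 'File not found' }
            else                                           { $status = 'OK' }
            [pscustomobject]@{ Location = $p; Name = $name; Target = $target; Status = $status }
        }
    }
}

# Show everything for BHOs/toolbars, and only the broken Run entries.
Get-BhoAndToolbarEntries | Format-Table -AutoSize
Get-RunEntries | Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
```

An entry flagged "File not found" is dead weight that should be removed; an entry that resolves and whose DLL exists (like the MindSpark toolbars above) is the live component, and the fix has to delete both the registry reference and the file or the next reboot reloads it.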
Hello, sorry for not responding sooner, but I have been at work all day, so combating this problem has not been an easy task for me between yesterday and today, for that matter. Let me recap here for a moment: after the rootkits were first discovered, when it first brought me to the DOS reboot screen, I had called the free tech support shortly thereafter and, to be perfectly honest, I didn't think to have that information readily available. Which brings me to the next point: my computer has been off all day while I was at work, so I don't know the condition of it at this time, as I am using my laptop to communicate here. I have included all logs thus far except maybe the extended log for OTL (at least I believe it was OTL)... Well, anyway, is there a way to find out by going into the Avast archives on that computer to determine what they were? If not, what next?
I am a bit frustrated at this point... If my memory serves me correctly, I believe one of them was a Win32. For the most part, after running the Malwarebytes program, it indicated that only ONE was left from that point, and that was a PUP32 or something like that. I have included the previous log from that scan as well as others. All I can ask is that you please review the attachments previously included and also the text from the screens that I included; if you tell me what to do next, I will follow it to a "T" from here on out, I promise! I apologize, as this is the first time I have ever had to seek help outside of what I already know... I am not a techie or savvy at all this stuff. With that being said, that doesn't mean that I am not willing to learn! In advance, thank you again for all your help and assistance, you guys ROCK!!!
MM1
The aswboot log will be found here: C:\ProgramData\AVAST Software\Avast\log. This will show what was detected.
If you run the OTL fix, that will remove the remnants of the Win32 adware.
No problem with questions; we thrive on them here.