can i make an avast auto run disc?


  • This topic is locked
9 replies to this topic

#1 idiomtangent

  • Members
  • 31 posts
  • OFFLINE
  • Local time:05:25 PM

Posted 17 June 2009 - 12:51 AM

My computer is beyond messed up with malware. I've tried posting before but to no help. I can't run any .exe files, even in safe mode. I can open files on CD, so I was wondering if there was any way to set up an auto run disc to have Avast start on its own without me having to install it.

Please let me know; my computer has been useless for over 2 weeks now.

thanks to all in advance.

Edited by idiomtangent, 17 June 2009 - 12:51 AM.



#2 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:05:25 PM

Posted 17 June 2009 - 09:16 AM

I'm moving your topic to Am I Infected
I'm sorry that your last post was overlooked


If mbam won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 idiomtangent
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:05:25 PM

Posted 22 June 2009 - 06:12 PM

OK, so using the renaming trick I've run MWB in safe mode as a full scan 4 times total now... got rid of 30 problems and it hasn't found anything since. I still cannot get any other program to run. I seem to be having all the same problems. The log that came up after said nothing else has been found.

Is there any way I can get Avast to run with a renamed program?

where do i go from here?

#4 garmanma

    Computer Masochist

  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:05:25 PM

Posted 23 June 2009 - 05:38 PM

where do i go from here?


Well posting a log so we can look at it wouldn't hurt
Update mbam and run a FULL scan
Please post the results

Then try running ATF and SAS
Mark

#5 idiomtangent
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:05:25 PM

Posted 05 July 2009 - 10:15 PM

OK, so it's been a little while, but I haven't had the time to sit down and run the scan. Ran the update and a full scan in safe mode... here is the log:

Malwarebytes' Anti-Malware 1.37
Database version: 2297
Windows 5.1.2600 Service Pack 2

7/5/2009 11:00:35 PM
mbam-log-2009-07-05 (23-00-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 349339
Time elapsed: 1 hour(s), 0 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinBlueSoft (Rogue.WinBlue) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tempo-setup2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\ry\local settings\temporary internet files\Content.IE5\KTS9EV0T\WMFlashLicense_v1.1.587[1].exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tempo-setup2.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


restarted the computer and when it started up in regular mode the symptoms were still there

#6 idiomtangent
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:05:25 PM

Posted 09 July 2009 - 10:46 PM

anyone have any ideas?

#7 Zllio

  • Members
  • 1,107 posts
  • OFFLINE
  • Local time:05:25 PM

Posted 10 July 2009 - 05:24 AM

Hi idiomtangent,

Sorry your post got away from everyone. Do you still want help? If so, please continue with the following:




Step 1: ATF Cleaner



If you're running XP, please run ATF cleaner according to the following instructions. If you're using Vista, right-click on the icon and select "run as Administrator".


Please download ATF Cleaner by Atribune & save it to your desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".



Step 2: Next I'd like for you to run a rootkit scan called GMER


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

* Click NO
* In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
* Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
* Click OK.
* GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
* Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


Step 3: Next I would like for you to run an online scan called Kaspersky online scan



To run this scan, your Java needs to be up-to-date and you will need to disable any antivirus program you have running. I'll give you the instructions you need:

The newest Java download and installation should remove old versions of Java. Check add/remove programs after we run the installation to see if this was the case. If you're not sure, ask.

Please go to Current Java Download and do the following:
* Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 14.
* Click the "Download" button to the right.
* Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
* Click on Continue.
* Click on the link to download Windows Offline Installation (jre-6u14-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
* Close any programs you may have running - especially your web browser.
* Double-click on the Java installation program on your desktop and allow it to install the newest version. (Vista users, right-click on the jre-6u14-windows-i586-p.exe and select "Run as an Administrator.")



Here is a link that will help you determine how to disable your particular antivirus program:

How to Temporarily Disable your Anti-virus, Firewall and Anti-Malware Programs




To start the Kaspersky Online Scanner, click on the magnifying glass and then on accept.
A database will be installed on your computer
Then run the full scan
Be sure to re-enable your antivirus program when the scan finishes!


Step 4: Please post the logs or reports for the following:
Kaspersky Online Scan log
GMER.txt


Let me know how this went?
Zllio


#8 idiomtangent
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:05:25 PM

Posted 19 July 2009 - 03:00 PM

So I finally got to run all three programs. Here are the logs.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-18 23:40:28
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 86339BE8 ZwEnumerateKey
Code 86367370 ZwFlushInstructionCache
Code 86318326 IofCallDriver
Code 862A2966 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 8631832B
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 862A296B
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 4 Bytes JMP 86339BEC
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80576A6A 5 Bytes JMP 86367374
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\gxvxcclrpptwpaqslkdkddfiqctxilwsuhchm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [420] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gxvxcgdeydwomjdrqbkgwuhnsxswevssuyxxa.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcgdeydwomjdrqbkgwuhnsxswevssuyxxa.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcgdeydwomjdrqbkgwuhnsxswevssuyxxa.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcclrpptwpaqslkdkddfiqctxilwsuhchm.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcslapbncpooysiowstrwbppcjtjkwspsg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcgdeydwomjdrqbkgwuhnsxswevssuyxxa.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcserv \\?\globalroot\systemroot\system32\drivers\gxvxcgdeydwomjdrqbkgwuhnsxswevssuyxxa.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcl \\?\globalroot\systemroot\system32\gxvxcclrpptwpaqslkdkddfiqctxilwsuhchm.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys\modules@gxvxcclk \\?\globalroot\systemroot\system32\gxvxcslapbncpooysiowstrwbppcjtjkwspsg.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\gxvxcclrpptwpaqslkdkddfiqctxilwsuhchm.dll 22529 bytes executable
File C:\WINDOWS\system32\gxvxccount 4 bytes
File C:\WINDOWS\system32\gxvxcslapbncpooysiowstrwbppcjtjkwspsg.dll 27649 bytes executable
File C:\WINDOWS\system32\drivers\gxvxcgdeydwomjdrqbkgwuhnsxswevssuyxxa.sys 48128 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\gxvxckklypiqwhowfvdovngglxfmqejpaxtep.sys 48128 bytes executable
File C:\WINDOWS\system32\drivers\gxvxcmpdmrqfoasbpxmdbyueugoswwfsxtsvn.sys 48128 bytes executable
File C:\WINDOWS\system32\drivers\gxvxcsvoqylqrhceykjiwicalbjkupddtcjlj.sys 48128 bytes executable
File C:\WINDOWS\system32\drivers\gxvxcwwfhikuuhvdmbetxwlxyhtahyuustmav.sys 48128 bytes executable

---- EOF - GMER 1.0.15 ----



The Kaspersky scan found nothing under critical or my computer so there is nothing to post.

Thanks for the help Zllio, much appreciated.
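A way to triage a GMER log like the one above programmatically, as an added example that is not part of this thread and not code from GMER or BleepingComputer: the script splits the log into its "---- name - GMER x ----" sections, lists the inline kernel hooks, the entries GMER flags as hidden (the injected DLL in svchost.exe and the hidden service), the ImagePath values registered for that service, and every file whose name starts with the prefix that the hidden service name and its driver file have in common (gxvxc here). The embedded log is an excerpt of the one posted in reply #8 (the System section and most Registry lines trimmed). The line layouts the regexes assume are those visible in that log for GMER 1.0.15, not a documented GMER format, so treat them as an assumption when feeding in logs from other versions.

```python
import ntpath
import os.path
import re
from collections import defaultdict

# Excerpt of the GMER log from reply #8 (System section and most Registry
# lines trimmed); every value below is the thread's own, none is constructed.
GMER_LOG = r"""GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-18 23:40:28

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 8631832B
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 862A296B
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 4 Bytes JMP 86339BEC
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80576A6A 5 Bytes JMP 86367374
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\gxvxcclrpptwpaqslkdkddfiqctxilwsuhchm.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [420] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gxvxcgdeydwomjdrqbkgwuhnsxswevssuyxxa.sys (*** hidden *** ) [SYSTEM] gxvxcserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcgdeydwomjdrqbkgwuhnsxswevssuyxxa.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gxvxcserv.sys@imagepath \systemroot\system32\drivers\gxvxcgdeydwomjdrqbkgwuhnsxswevssuyxxa.sys

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\gxvxcclrpptwpaqslkdkddfiqctxilwsuhchm.dll 22529 bytes executable
File C:\WINDOWS\system32\gxvxccount 4 bytes
File C:\WINDOWS\system32\gxvxcslapbncpooysiowstrwbppcjtjkwspsg.dll 27649 bytes executable
File C:\WINDOWS\system32\drivers\gxvxcgdeydwomjdrqbkgwuhnsxswevssuyxxa.sys 48128 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\drivers\gxvxckklypiqwhowfvdovngglxfmqejpaxtep.sys 48128 bytes executable
File C:\WINDOWS\system32\drivers\gxvxcmpdmrqfoasbpxmdbyueugoswwfsxtsvn.sys 48128 bytes executable
File C:\WINDOWS\system32\drivers\gxvxcsvoqylqrhceykjiwicalbjkupddtcjlj.sys 48128 bytes executable
File C:\WINDOWS\system32\drivers\gxvxcwwfhikuuhvdmbetxwlxyhtahyuustmav.sys 48128 bytes executable

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
HOOK_RE = re.compile(r"^(?:\.text|PAGE)\s+(\S+)\s+([0-9A-F]+)\s+\d+ Bytes\s+JMP\s+([0-9A-F]+)")
HIDDEN_MARK = "(*** hidden *** )"   # GMER's tag for objects the normal API did not list
ROOTKIT_MARK = "<-- ROOTKIT"


def split_sections(text):
    """Group non-blank lines under the '---- name - GMER x ----' banner they follow."""
    sections, current = defaultdict(list), "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


def kernel_hooks(sections):
    """Inline JMP patches on kernel exports: (symbol, patched address, jump target)."""
    return [m.groups() for m in map(HOOK_RE.match, sections.get("Kernel code sections", [])) if m]


def hidden_services(sections):
    """Services GMER only found by bypassing the service API: {service name: driver path}."""
    found = {}
    for line in sections.get("Services", []):
        m = re.match(r"^Service\s+(\S+).*\[\w+\]\s+(\S+)", line)
        if m and HIDDEN_MARK in line:
            found[m.group(2)] = m.group(1)
    return found


def injected_libraries(sections):
    """Hidden DLLs mapped into a live process: (dll path, host image name, pid)."""
    hits = []
    for line in sections.get("Processes", []):
        m = re.match(r"^Library\s+(\S+).*@\s+(\S+)\s+\[(\d+)\]", line)
        if m and HIDDEN_MARK in line:
            hits.append((m.group(1), ntpath.basename(m.group(2)), int(m.group(3))))
    return hits


def registry_image_paths(sections):
    """ImagePath values under Services\\<name>, keyed by service name (all control sets)."""
    paths = defaultdict(set)
    for line in sections.get("Registry", []):
        m = re.match(r"^Reg\s+(\S+?)@imagepath\s+(\S+)", line, re.IGNORECASE)
        if m:
            paths[m.group(1).rsplit("\\", 1)[-1]].add(m.group(2))
    return paths


def family_files(sections, service_name, driver_path):
    """Files whose basename starts with the prefix shared by the hidden service's
    name and its driver file ('gxvxc' in this log): the rest of the dropped set."""
    prefix = os.path.commonprefix([service_name.lower(), ntpath.basename(driver_path).lower()])
    files = []
    for line in sections.get("Files", []):
        m = re.match(r"^File\s+(\S+)\s+(\d+) bytes", line)
        if m and prefix and ntpath.basename(m.group(1)).lower().startswith(prefix):
            files.append((m.group(1), int(m.group(2)), ROOTKIT_MARK in line))
    return files


def triage(text):
    """Everything a helper reading the log would want to see first, in one dict."""
    s = split_sections(text)
    report = {"hooks": kernel_hooks(s), "hidden_services": hidden_services(s),
              "injected": injected_libraries(s), "image_paths": registry_image_paths(s),
              "family": []}
    for name, path in report["hidden_services"].items():
        report["family"].extend(family_files(s, name, path))
    return report


if __name__ == "__main__":
    for key, value in triage(GMER_LOG).items():
        print(key, value)
```

The prefix match is what turns one flagged driver into the whole set: only one .sys carries GMER's ROOTKIT marker, but the same five-character prefix picks up four more drivers of identical size plus the two DLLs and the gxvxccount file in system32, which is the picture a helper needs before deciding on a cleanup tool. The hooks on IofCallDriver and ZwEnumerateKey are the mechanism that kept those files and the service out of normal listings in the first place.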

#9 Zllio

  • Members
  • 1,107 posts
  • OFFLINE
  • Local time:05:25 PM

Posted 20 July 2009 - 09:55 AM

Hi idiomtangent,

Please go through the instructions in the
Preparation Guide and when you're finished, start a thread in the HijackThis forum. Once you've completed those instructions, try to use your computer as little as possible and don't make any changes to it like adding new programs until someone can help you. Also, please mention this thread and refer to the GMER log here when you post in the HJT forum.

Thanks.
Zllio

#10 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,703 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:25 PM

Posted 31 July 2009 - 10:56 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/245902/warning-yourre-in-danger-on-my-desktop/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:



