AV programs won't run, system seems clean, but is it?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Gink, Apr 21, 2010.

  1. Gink

    Gink Private E-2

    XP system, had a few problems which seemed to clean up just fine. Had PersonalAV infection which Malwarebytes seemed to clear up a while back. Most everything seems to run smooth, but can't seem to get any antivirus software to work. Have tried Avast, AVG, and Avira and while they install just fine, and can run scans, upon rebooting their resident scanner is always disabled, or they show their database being corrupted or have some other problem that won't allow them to work. I've uninstalled and reinstalled them, used removal tools for all of them plus Norton and McAfee in case there were lingering bits and pieces from the past, nothing seems to work, so I'm thinking there's something hiding that nothing seems to detect.

    Here's my logs.
     

    Attached Files:

  2. Gink

    Gink Private E-2

    And the last log files.

    Thanks!
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What did you do to this PC on April 19th? Most of your system files were changed or updated. Did you do a reinstall, or a repair, or a System Restore?

    It does not look like your problem may or may not be due to malware. However ComboFix was finding that a couple of system files were infected. There could be more.

    You still have lots of leftovers from all the protection software you installed. It is never a good idea to do what you did by trying one program after another. You just cluttered up your PC and registry with garbage and thousands of leftovers.
     
    Last edited: Apr 22, 2010
  4. Gink

    Gink Private E-2

    Repair install, for other reasons. This issue with AV software not working after a reboot was happening before then. The repair install, using a slipstreamed copy of the original OEM XP SP2 disk +SP3 and all current updates, fixed all the other issues the system was having, but not this one.

    Research into this sort of behavior has led in two directions... malware, or remnants of past AV software. I've run removal tools for a variety of common AV, and that hasn't helped, so thought maybe since the system had malware on it previously, specifically PersonalAV, malware that pretends to be AV software, there might be some remnant of it that MBAM didn't remove, that somehow is disabling AV software on startup, or corrupting AV databases. It also seems to corrupt the installers for AV software, they can only be used to install until the system is rebooted, then they won't run. There doesn't seem to be any sign of rootkit activity, or anything obvious in startup. But that seems to be where things are getting messed up. There's some odd folders and multiples of exe files in gibberish folders in the HP Imagine folder, but they pass all scans, right?

    All the other tools and scanners can be uninstalled, their thousands of bits and pieces removed. The only one that installed "thousands" is the A-Squared nonsense, its initial install is small, but then it says it is updating and downloads an additional 85MB. Irritating. And none of them are resident or full time running, so they don't conflict with each other or system software.

    Anyway, guess you can't help me. Thanks for the prompt response though!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes repair installs can be helpful but sometimes they also break many things. I'm going to give you some cleanup to do below, but you may need to do a real complete reinstall to fix the problems that may have occurred to your OS.

    Uninstall A-squared which is not recommended anyway since it has way too many false detections.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (file missing)
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (file missing)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. Gink

    Gink Private E-2

    Thanks for getting back to me with this. I had already gone ahead and removed all the scanners, etc. And had tried again installing Avast 4.8 to see if it'd been conflicting with anything. It installed fine, but was having the same problem, basically that after a period of time the virus database gets "destroyed" and on a reboot the program reports that it can't find the database so won't run.

    Went ahead and followed your instructions, however I only selected the O2, O2, and O18 lines in HijackThis, as the O23 lines weren't there, probably since I'd cleaned up Avast 5 and reinstalled 4.8, so things didn't match.

    The first time I dropped the script on ComboFix, it started running, then I got a bunch of "Application Corrupt" error windows, followed by a Windows File Protection asking to insert the SP3 CD to fix files. Interesting, once ComboFix got to the Yes/No window, I selected No, got out of it, deleted it from the desktop, downloaded a new copy and ran it again. This time it ran fine.

    When I ran the GetLogs.bat I got this error:

    C:\WINDOWS\System32\cmd.exe
    C:\ProgramFiles\Alwil Software\Avast4\aswMonVd.dll. An Installable Virtual Device Driver Failed DLL Initialization. Choose 'Close' to terminate the Application.

    So I did, then got another similar one, close, the log program continued and produced the logs.

    Can't really tell how things are running at this point, since ComboFix deleted the Alwil Software folder and all the files in it for Avast. The system seems to be running alright, but not sure if this helped the AV problem. I can try reinstalling Avast and seeing if it will work, but didn't want to do anything until I hear back from you, since I may have caused problems with this last process because I'd changed the state of the system a bit after giving you the previous logs. So I'll leave it alone for now in case we need to run this stuff again.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Was not requested!

    Yes this messed things up. Per the first instructions in the READ & RUN ME, once you start working with us, you must only do what we request and nothing else. Your previous logs only showed a broken uninstall of Avast and my fix was trying to clean it up. When you reinstalled, you totally messed up the fix and the fix totally messed up your reinstall and left more broken entries around. In addition, you are installing an outdated version of Avast which you really should not be using anymore.

    Now we need to perform similar cleanup instructions again, however, let me first make this statement. If you have made any other changes to the PC again since last posting your logs, do not continue with the below. Stop and get a new log from MGtools and attach it. And then make no further changes. If I do not ask you to do it, don't do it. ;)

    First since you appear to have installed Malwarebytes several times and into different folders, start by uninstalling Malwarebytes since my fix will be deleting leftovers.

    Now delete the current copy of ComboFix.exe from your Desktop and then download and save this new version to your Desktop: combofix.exe


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (file missing)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
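The O2/O18/O23 lines selected for the HijackThis fix in this reply and in reply 5 above all carry the "(no file)" or "(file missing)" marker, which is what a broken AV uninstall looks like in a log: registrations still present, binaries gone. As an added example (my code, not the thread's or MajorGeeks'), the Python below parses such HijackThis lines, flags the orphaned entries and lists the install folders that dangling O23 services still point at; the sample log is constructed from the lines quoted above plus one invented healthy service for contrast.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Set
# Constructed sample input: the HijackThis lines quoted in the replies above,
# plus one healthy O23 service (invented for contrast, not from the thread).
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe (file missing)
O23 - Service: Example Service (exsvc) - Example Corp - C:\Program Files\Example\exsvc.exe
"""

HJT_LINE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[A-Za-z]+): (?P<rest>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = re.compile(r"\s*\((no file|file missing)\)$")

@dataclass
class HjtEntry:
    section: str            # O2 = browser helper object, O18 = protocol handler, O23 = service
    name: str
    clsid: Optional[str]
    path: Optional[str]     # on-disk target, if the line names one
    orphaned: bool          # HijackThis could not find the target on disk

def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis log line; returns None for lines in any other format."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    parts = [p.strip() for p in m.group("rest").split(" - ")]  # assumes no " - " inside names
    target = parts[-1]
    clsid = CLSID.search(line)
    orphaned = MISSING.search(target) is not None
    path = MISSING.sub("", target) or None      # a bare "(no file)" leaves no path at all
    if clsid and path == clsid.group(0):        # line ends at the CLSID: no target given
        path = None
    return HjtEntry(m.group("section"), parts[0], clsid.group(0) if clsid else None, path, orphaned)

def orphaned_entries(log_text: str) -> List[HjtEntry]:
    """Entries whose registered target no longer exists: typical residue of a broken uninstall."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries if e is not None and e.orphaned]

def leftover_dirs(entries: List[HjtEntry]) -> Set[str]:
    """Folders that dangling O23 services still point at; these should be gone before any reinstall."""
    return {ntpath.dirname(e.path) for e in entries if e.section == "O23" and e.path}

if __name__ == "__main__":
    dangling = orphaned_entries(SAMPLE_HJT_LOG)
    print("\n".join(f"{e.section} {e.name!r} -> {e.path or e.clsid}" for e in dangling))
    print("leftover folders:", sorted(leftover_dirs(dangling)))
```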
  8. Gink

    Gink Private E-2

    Doh! Didn't get an email saying there was a new reply, didn't realize this was here. Anyway, haven't done much with the system lately, but I'm sure I did something. Here's a fresh log, I'll stop being a dumba**, won't touch the system til I hear back from you, and will keep an eye on the thread so I know when you reply.

    Thanks for your patience.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now we need to use ComboFix one more time.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now! I want to make sure all of the above folders were completely removed before any reinstalls are attempted.
     
  10. Gink

    Gink Private E-2

    When ComboFix finished running and brought up its log, I got an error:

    Generic Host Process for Win32 Services has encountered a problem and needs to close.

    Appname: svchost.exe
    Modname: repdrvfs.dll

    It didn't seem to affect anything though, and otherwise everything seems to be working normally. Will wait for your instructions before trying to install Avast and see if it works.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  12. Gink

    Gink Private E-2

    Avast now runs just fine. Thanks so much for your help fixing that problem.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
