Disabled Avast Antivirus - Possible Infection

N

nummer

New Member
:confused:Hi,

I have an old box that I just built for a specific purpose to use Usenet. I have installed WinXP, SP3, Avast and Newsbin Pro. Even before setting up Avast has come back reporting Malware. I have run Malwarebytes and HyjackThis and posted logs below. Would appreciate if someone could have a look and advise how to clean this unit. Currently

Avast reports that the system is unprotected and the Fix button does not get it going.

If this box is infected, it is possible this may have infected a couple of my other boxes via a usb flash stick.

Malwarebytes Log :

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7655

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

05/09/2011 13:20:44
mbam-log-2011-09-05 (13-20-33).txt

Scan type: Quick scan
Objects scanned: 148473
Time elapsed: 25 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\amva (Spyware.OnlineGames) -> Value: amva -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (PUM.Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HyjackThis Log :

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:54:28, on 05/09/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1343024091-1580818891-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: REALTEK 11n USB Wireless LAN Utility.lnk = C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

--
End of file - 3698 bytes


Thanks in advance

nummer
 
As long as you had malwarebytes remove those infections, then your log is ok. Did you click on remove selected button?

If you believe your flash drive is infected you can do the following.

You can download flash disinfector and run it with your usb flash drive attached to the system. It will create an autorun file that will stop any infections from getting on it.

  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
 
Thanks for the reply johnb35,

I'm pretty sure I used remove selected. I will do again to make sure. Problem is, I now cannot run the box in normal mode, only in safe mode.

Also Google Chrome will not load and Avast has stopped running and unable to get it started; it says I am currnetly unprotected.

Any ideas?

Thanks

nummer
 
Boot safe mode with networking and download the following and run it.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
  • Download this file here :

    Combofix

  • When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
  • Save the file to your windows desktop. The combofix icon will look like this when it has downloaded to your desktop.

    cf-icon.jpg
  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.

    cf-preparing.jpg

  • ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.

    erunt.jpg

  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

    recovery-console-prompt.jpg

  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

    still-scanning-clockchanges.jpg

  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy. Then come to the forum in your reply and right click on your mouse and click on paste.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
Hi johnb35,

I tried to download Combofix this morning, prior to going to work, on the problem box in Safemode With Networking.

Unfortunately, I cannot get to the internet on this box, so will download on another box at work and transfer via flash drive. Will run tonight when i return home. Hope this ok.

Regards

nummer
 
:(Hi johnb35,

Combofix Log :-


ComboFix 11-09-06.01 - Administrator 06/09/2011 21:38:25.1.1 - x86 NETWORK
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\messenger\msmsgsin.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-06 to 2011-09-06 )))))))))))))))))))))))))))))))
.
.
2011-09-05 20:26 . 2011-09-05 20:26 -------- d-----w- c:\documents and settings\Administrator
2011-09-05 12:53 . 2011-09-05 12:53 388096 ----a-r- c:\documents and settings\X\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-09-05 12:53 . 2011-09-05 12:53 -------- d-----w- c:\program files\Trend Micro
2011-09-05 11:40 . 2011-09-05 11:40 -------- d-----w- c:\documents and settings\X\Application Data\Malwarebytes
2011-09-05 11:36 . 2011-07-06 18:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-05 11:35 . 2011-09-05 11:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-09-05 11:35 . 2011-07-06 18:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-05 11:35 . 2011-09-05 11:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-09-04 23:06 . 2011-09-04 23:17 -------- d-----w- c:\documents and settings\X\Local Settings\Application Data\Temp
2011-09-04 23:06 . 2011-09-04 23:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-09-04 23:05 . 2011-09-04 23:09 -------- d-----w- c:\program files\Google
2011-09-04 23:05 . 2011-09-04 23:20 -------- d-----w- c:\documents and settings\X\Local Settings\Application Data\Google
2011-09-04 23:05 . 2011-07-04 11:36 309848 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-04 23:05 . 2011-07-04 11:32 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-09-04 23:05 . 2011-07-04 11:32 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-04 23:05 . 2011-07-04 11:36 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-04 23:05 . 2011-07-04 11:35 43608 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-04 23:05 . 2011-07-04 11:35 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-09-04 23:05 . 2011-07-04 11:35 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-09-04 23:05 . 2011-07-04 11:32 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-09-04 23:03 . 2011-07-04 11:43 40112 ----a-w- c:\windows\avastSS.scr
2011-09-04 23:03 . 2011-07-04 11:43 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-04 23:01 . 2011-09-04 23:01 -------- d-----w- c:\program files\AVAST Software
2011-09-04 23:01 . 2011-09-04 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-09-04 22:16 . 2011-09-04 22:16 -------- d-s---w- c:\documents and settings\X\UserData
2011-09-04 21:58 . 2011-09-04 22:48 -------- d-----w- c:\documents and settings\X\Application Data\NewsBin
2011-09-04 21:58 . 2011-09-04 21:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NewsBin
2011-09-04 21:58 . 2011-09-04 22:46 -------- d-----w- c:\program files\NewsBin
2011-09-04 21:40 . 2011-09-04 21:40 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-09-04 21:40 . 2010-09-28 20:50 15872 ----a-w- c:\windows\system32\drivers\XPTWOPORT.sys
2011-09-04 21:38 . 2011-09-04 21:38 -------- d-----w- c:\windows\OPTIONS
2011-09-04 21:38 . 2011-07-13 08:29 1270120 ----a-w- c:\windows\system32\drivers\rtwlanu.sys
2011-09-04 21:38 . 2011-09-04 21:38 -------- d-----w- c:\windows\system32\RtlGina
2011-09-04 21:38 . 2011-09-04 21:38 -------- d-----w- c:\program files\REALTEK
2011-09-04 21:38 . 2010-12-01 08:31 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2011-09-04 21:38 . 2011-09-04 21:38 -------- d--h--w- c:\program files\InstallShield Installation Information
2011-09-04 14:21 . 2011-09-04 14:21 -------- d-----w- c:\documents and settings\X\Application Data\IsolatedStorage
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3apphk"="S3apphk.exe" [2001-12-04 28672]
"Norton Ghost 9.0"="c:\program files\Symantec\Norton Ghost\Agent\GhostTray.exe" [2004-07-29 1122304]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-07-04 3493720]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\REALTEK\\11n USB Wireless LAN Utility\\RtWLan.exe"=
"c:\\Program Files\\REALTEK\\11n USB Wireless LAN Utility\\RTLDHCP.exe"=
"c:\\Program Files\\NewsBin\\nbpro.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\AVAST Software\\Avast\\AvastUI.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
.
R1 aswSnx;aswSnx; [x]
R1 aswSP;aswSP; [x]
R1 PQIMount;PQIMount; [x]
R2 aswFsBlk;aswFsBlk; [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-09-04 136176]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-09-04 136176]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
R3 trid3d;trid3d;c:\windows\system32\DRIVERS\trid3dm.sys [2001-12-27 149244]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 XPTWOPORT;XP TWO PORT Intermediate Driver;c:\windows\system32\DRIVERS\XPTWOPORT.SYS [2010-09-28 15872]
S0 PQV2i;PQV2i; [x]
S3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\rtwlanu.sys [2011-07-13 1270120]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-04 23:05]
.
2011-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-04 23:05]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-06 21:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-09-06 22:05:00
ComboFix-quarantined-files.txt 2011-09-06 21:04
.
Pre-Run: 32,837,468,160 bytes free
Post-Run: 32,817,795,072 bytes free
.
- - End Of File - - 1062430333C2FC089A7E00B0B6CBED37



HijackThis Log :-


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:16:36, on 06/09/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1343024091-1580818891-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: REALTEK 11n USB Wireless LAN Utility.lnk = C:\Program Files\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: PEVSystemStart - Unknown owner - C:\ComboFix\pev.3XE (file missing)

--
End of file - 3749 bytes



Box still unable to connect to net and unable to run Avast. Can now log into account normally; do not have to use safemode.

Not sure how well Combofix ran.

Await the next move.

Thanks so far

nummer
 
Ok, are you connecting wirelessly or through an ethernet cable to the lan port on the pc?

Click on start, click run, type "cmd" without quotes and hit enter.

Now type "ipconfig /all" without the quotes and hit enter.

Give me the information listed for

1. IP address
2. subnet mask
3. default gateway
4. dhcp server
5. dns servers
 
:confused:Hi johnb35,

Update for you after my last post.

While I was away on another machine posting the logs, I left this machine attempting to connect to the net. When I came back some 10-15 mins later, I found that this pc had connected and had loaded the google homepage. I tried to search for other sites and this was done successfully. Don't know if this is a random connection or whether it will do this all the time now. It was late by this stage and I needed to get to bed for work next day. Will do more this evening.

Am at work today so will post reply to your process above later.

For info, I am connecting wirelessly with a usb wifi plugin device (EDUP EP-N8508). Is this an issue?

Avast still will not fix itself or start the program though.

Thanks

nummer
 
ok, keep me updated. You may want to try uninstalling and reinstalling AVAST as I don't see any issues in your log.
 
:)Hi johnb35,

Apologies for the delay in replying, it is due to an improvement on the system and I wanted to be accurate before replying.

Firstly, please see attached view of the report of ipconfig /all.

As I reported previously, the internet connection appeared to be working now and i can confirm this is still the case. Cannot explain this as everything was enabled and is so now; I have done nothing to change this.

I took you advice and uninstalled Avast and then re-installed; this is now also working fully.

The only thing I can think of as to what was causing the problem was the usb wifi device intermittantly/temporarily failed as Avast was being installed. This then caused a corrupt install and the wifi device went awol for the next 24-48 hours. Why it is working now is beyond me.

Do you have any thoughts that may have caused the issue?

To summarise, everything sems to be good, Avast completed a scan and reported the machine as clean.

Thanks for your help with this matter.

Kind regards

nn
 

Attachments

  • ipconfig.JPG
    ipconfig.JPG
    57.6 KB · Views: 72
You must log in or register to reply here.
Back
Top