Need help removing spyware off laptop/Where to find avast log files?

jimb0b

Distinguished
Feb 28, 2010
Where can I find the log files for Avast on a Vista laptop?

My dad helped my brother finance a laptop; he couldn't make the payments, so my dad took it over. It has a BUTTLOAD of spyware in some temp files located in the system32 directory.

I'm hoping that if I can upload the log file, someone can help me safely get rid of this junk without messing up his PC. It's terrible.
saran008

Distinguished
Jan 7, 2010
In my point of view, Avira is better than Avast.
Avira + Malwarebytes will do the job!
CCleaner installed with these gives a good security & optimization setup.

Download & install the following 3 freewares. They form a free, complete security suite for your system!
1. Avira AntiVir - http://www.free-av.com/en/download/index.html .
Avira is the best & lightest solution for excellent overall system protection & internet security with real-time updates.

2. Malwarebytes - http://www.malwarebytes.org/ .
Malwarebytes is one of the best & most effective antimalware tools out there.

3. CCleaner - http://www.piriform.com/ccleaner/download .
CCleaner is a system optimization, privacy and cleaning tool with an efficient & most useful registry cleaner.
 

aford10

Distinguished
There's a simple process I follow to clean PCs. Though, some infections just can't be cleaned.

Here's what I do....

Boot into safe mode with networking. Download, install, and update Malwarebytes. Do a full system scan.
http://www.malwarebytes.org/

When Malwarebytes is done, restart into Windows. Download, install, and update Avira. Avira only installs in normal Windows. Once it's installed, restart into safe mode with networking. Do a full system scan to double-check that the system is clean.
http://www.avira.com/en/downloads/

Now, download CCleaner and run the registry cleaner to clean and repair any registry damage that the malware did.
http://www.ccleaner.com/

Once that's done, the system should be clean.
 

jimb0b

Distinguished
Feb 28, 2010
The first thing I did was run Malwarebytes... it didn't find anything.


The only thing I'm worried about is the fact that this is not my PC. I don't want to have to worry about something not working right for some reason after cleaning everything; otherwise, if this was my PC, I wouldn't worry about it one bit, since I have more than a few ways to fix any problem short of total hardware failure.

My brother had problems with this laptop not even booting right before (don't know the whole story, not my laptop, that's why I'm here)... and we don't have the Vista install disk, so I'm basically screwed if something were to mess up somehow... I just want the opinion of someone more experienced than myself, just to be sure of the actions I take with these particular files. I don't imagine there's much to worry about, but I don't have a whole lot of experience removing viruses and the like, so I'm not too sure about what the outcome might be if one of these files happens to be something nasty.

I take more of a defensive approach to things like this; I like to know what I'm dealing with and what to expect before I mess around with things.


Here are the main files I'm concerned about. They're all named chkdsk.dll and protect.dll, only in different locations.


C>Users>craig>AppData>Roaming>Microsoft>Windows>Startmenu>Programs>Startup>chkdsk.dll -->win32:Rootkit-gen


C>Users>Craig>protect.dll -->win32:Rootkit-gen


C>Users>Default>protect.dll -->win32:Rootkit-gen


C>Users>guest.craig-pc>Appdata>Roaming>Microsoft>Windows>Startmenu>Programs>Startup>chkdsk.dll -->win32:Rootkit-gen


C>Users>Guest.craig-pc>protect.dll -->win32:Rootkit-gen


C>Windows>ServiceProfiles\Localservice>protect.dll -->win32:Rootkit-gen


C>Windows>System32>Config>System>Systemprofile>Appdata>Roaming>Microsoft>Windows>Startmenu>Programs>Startup>chkdsk.dll -->win32:Rootkit-gen


C>Windows>System32>Config>SystemProfile>protect.dll --->win32:Rootkit-gen


I just don't like the fact that they're named "chkdsk.dll" and "protect.dll".

Here's a couple more.

c>windows>winxs>x86_microsoft-windows-mediaplayer-wmvcore_31bf3856ad364e35_6.0.6000.20864_none_05990578F1Fb9a4\WMVCORE.DLL -- "error:the system cannot read from the specified file"


C>windows>system32>driverstore>filerepository>prnhp.imf_5641fa75>I386>HPFIMG50.DLL -- "error:the system cannot read from the specified file"

And there's a few which I would bet are most likely from FrostWire:

C>Windows>System32>LocalServise>317.music.au
>318.music.au
>319.music.au
>320.music.au
Finally, I must mention the 11,000-some .tmp files that are causing the Avast "spyware blocked" window to keep popping up. They are all Win32:Spyware-gen and they're in the windows/system32 directory, AKA Win32 Dracur in the scan log.

What should I do here? If I run a boot-time scan with Avast, are the files safe to quarantine without messing up the PC?
 

aford10

Distinguished


If Malwarebytes didn't find anything, and you've got that many infections, you probably didn't run the scan in safe mode with networking. That's where I'd start.

Rootkits can be really hard to get rid of. From your list, it looks like they are in the system folder. This one may require a fresh install. It's worth a shot to try and clean it.
 

btk1w1

Distinguished
Oct 13, 2008
Another option is to install WinPatrol by BillP studios.

After install, when the application opens you will see a box that can be check-marked named "Display Secret Startup Locations (Advanced mode)"; place a checkmark in it. It is under the "Startup Programs" tab.

This should display the rootkit activity so you can remove it from startup. Please note that it also displays valid hidden Windows entries, so don't just remove everything.

Also look through the other tabs for the offending entries.

Once you have been through the options, try running MBAM again; it might be that the rootkit was hiding its activity from a malware scan.

You may need to reboot the PC for the changes to take effect, but to be sure, run a scan before and after rebooting the PC.
btk1w1

Distinguished
Oct 13, 2008
You can also upload the files to Jotti or VirusTotal to rule out any false positives, although it is highly unusual to have so many at any given time.

If you want to do this, you may need to enable "display hidden files and folders".
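A triage script, added here and not written by anyone in the thread, that walks the same per-profile Startup folders and profile roots the scan results above point at (Users\*, Windows\ServiceProfiles\*, and the SYSTEM profile under System32\config) and hashes every DLL/EXE it finds, so the hashes can be checked on VirusTotal or Jotti as btk1w1 suggests without uploading anything. All function and constant names are my own, and the demo builds a constructed miniature of the thread's layout in a temp directory rather than touching a real drive.

```python
import hashlib, tempfile
from pathlib import Path

# Hypothetical helper, not from the thread; locations mirror the scan results posted above.
STARTUP_REL = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")
LOOSE_NAMES = ("protect.dll", "chkdsk.dll")  # file names reported in the thread

def profile_roots(drive: Path):
    """Dirs that can own a Startup folder: Users\\*, Windows\\ServiceProfiles\\*, SYSTEM profile."""
    for parent in (drive / "Users", drive / "Windows" / "ServiceProfiles"):
        if parent.is_dir():
            yield from (p for p in parent.iterdir() if p.is_dir())
    sysprof = drive / "Windows" / "System32" / "config" / "systemprofile"
    if sysprof.is_dir():
        yield sysprof

def sha256_of(path: Path) -> str:
    """Hash to look up on VirusTotal/Jotti instead of uploading the file itself."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def suspicious_startup_files(drive) -> dict:
    """Map relative path -> sha256 for DLL/EXE files in any profile's Startup folder and
    for the loose names above in a profile root. iterdir() lists hidden files too."""
    drive, found = Path(drive), {}
    for root in profile_roots(drive):
        candidates = [root / name for name in LOOSE_NAMES]
        startup = root / STARTUP_REL
        if startup.is_dir():
            candidates += [f for f in startup.iterdir() if f.suffix.lower() in (".dll", ".exe")]
        for f in candidates:
            if f.is_file():
                found[f.relative_to(drive).as_posix()] = sha256_of(f)
    return found

def demo_on_constructed_tree() -> dict:
    """Build a constructed miniature of the thread's layout in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        drive, startup = Path(tmp), STARTUP_REL.as_posix()
        for rel in (f"Users/craig/{startup}/chkdsk.dll", "Users/craig/protect.dll",
                    "Users/Default/protect.dll", "Windows/ServiceProfiles/LocalService/protect.dll",
                    f"Windows/System32/config/systemprofile/{startup}/chkdsk.dll",
                    f"Users/craig/{startup}/desktop.ini"):  # benign entry, must be skipped
            p = drive / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed sample " + p.name.encode())
        return suspicious_startup_files(drive)
```

On the real machine, call `suspicious_startup_files("C:/")` from an elevated prompt; the returned hashes can be searched on VirusTotal, and identical hashes across profiles tell you the copies are the same binary.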