
AVAST Realtime Shields keep being disabled by system32 process [Closed]


  • This topic is locked

#16 Heresedward (Member, Topic Starter, 21 posts)

I'm just away for this weekend - will get back to you on Monday.




#17 Heresedward (Member, Topic Starter, 21 posts)

Sorry, could you guide me as to how you'd prefer that I make the images available here? :)



#18 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Use the Snipping Tool in Windows 10. Save it to the desktop and use the attach files option to upload.

[Image: Capture.JPG]

What shields are not working, though?



#19 Heresedward (Member, Topic Starter, 21 posts)

These are my components - I will post what happens when it disables again - I suspect it is user-driven (as in I am being remotely hacked through a back door somehow), because it is completely random in terms of timing and some days the shield will just not disable at all.

Attached: AVAST components.jpg


#20 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

How do you know when the shields are disabled?



#21 Heresedward (Member, Topic Starter, 21 posts)

Avast has a red X over the logo, and that's about the only thing I notice actively, apart from that window that pops up when it happens - it alt-tabs me out of any games as well.



#22 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

So it does not come with an alert that something or someone is trying to turn the programme off?

If so, this would tend to suggest a conflict, and it may be that NVIDIA is the problem. However, first I will remove conflicting security files that are on the system.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quote box below into it:
 

CreateRestorePoint:
S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [54736 2016-10-04] ()
2016-10-04 11:18 - 2016-10-04 11:33 - 00000000 ____D C:\ProgramData\HitmanPro
2016-10-04 11:18 - 2016-10-04 11:18 - 00000000 ____D C:\Program Files\HitmanPro
2016-10-04 11:15 - 2016-10-04 11:18 - 11579432 _____ (SurfRight B.V.) C:\Users\TheArk\Downloads\hitmanpro_x64.exe
2016-10-01 14:12 - 2016-10-01 14:12 - 00000000 ____D C:\WINDOWS\Trend Micro
2016-10-01 14:12 - 2016-10-01 14:12 - 00000000 ____D C:\ProgramData\Trend Micro
2016-10-01 14:07 - 2016-08-22 21:20 - 00332512 _____ (Trend Micro Inc.) C:\WINDOWS\system32\Drivers\tmcomm.sys
2016-10-01 14:06 - 2016-10-01 14:06 - 00000036 _____ C:\Users\TheArk\AppData\Local\housecall.guid.cache
2016-10-01 14:05 - 2016-10-01 14:06 - 02527376 _____ (Trend Micro Inc.) C:\Users\TheArk\Downloads\HousecallLauncher64.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers

 

Save this as fixlist.txt, in the same location as FRST.exe.

[Image: FRSTfix.JPG]

Run FRST and press Fix.
On completion a log will be generated; please post that.



#23 Heresedward (Member, Topic Starter, 21 posts)

OK, so after waiting a while I see it was disabled in the early hours of this morning again - this is what I see when it is disabled, and I am given no warnings. Should I still continue with the fixlog?

Attached: Components (disabled) 2.jpg, Components (disabled) 3.jpg, Components (disabled).jpg


#24 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Yes, run the fix please. Once that has been done we will try to kick-start the problem.

Right-click on the Avast icon in the system tray, select "Avast Shields Control" > "Disable until computer is restarted".
Restart the computer.

Let me know if the error still occurs. To the best of my knowledge the AV system is still working.


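The question in #20 and the answer in #21 come down to one indicator: the red X on the tray icon. The following is an added example, not part of this thread and not Avast's or Geeks to Go's material. On a Windows 10 client every antivirus product that registers with Windows Security Center reports into the root/SecurityCenter2 WMI namespace, so its state can be polled and timestamped from PowerShell, which turns the "completely random timing" into something you can log. The productState bit layout decoded here is the commonly cited but unofficial interpretation (bit 0x1000 set = real-time protection on; the 0x00F0 nibble non-zero = definitions out of date) and is an assumption, not a Microsoft-published contract; the 0x061100 and 0x060100 sample values are constructed for the offline part, and the function names are mine.

```powershell
# Added example (not from the thread). Needs a Windows 8/10 client SKU:
# root/SecurityCenter2 does not exist on Windows Server.

function ConvertFrom-ProductState {
    # Decode AntiVirusProduct.productState. Layout used here is the widely
    # circulated unofficial one (assumption): 0x00AABBCC, where the BB byte
    # carries the enabled bit (0x10) and the CC byte the out-of-date bit (0x10).
    param([Parameter(Mandatory)][int]$State)
    [pscustomobject]@{
        Hex      = ('0x{0:X6}' -f $State)
        Enabled  = ((($State -shr 12) -band 0x1) -eq 1)
        UpToDate = ((($State -shr 4) -band 0xF) -eq 0)
    }
}

function Get-AvStatus {
    # One row per product registered with Windows Security Center.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $d = ConvertFrom-ProductState -State $_.productState
            [pscustomobject]@{
                Product  = $_.displayName
                Reported = $_.timestamp      # last time the product updated its state
                State    = $d.Hex
                Enabled  = $d.Enabled
                UpToDate = $d.UpToDate
            }
        }
}

function Watch-AvStatus {
    # Poll and append a line each time a product reports as disabled, so the
    # time of the outage can be matched against Event Viewer and other logs.
    param(
        [string]$LogPath = (Join-Path $env:USERPROFILE 'Desktop\av-status.log'),
        [int]$IntervalSeconds = 60
    )
    while ($true) {
        foreach ($p in Get-AvStatus) {
            if (-not $p.Enabled) {
                '{0:s} {1} state={2}' -f (Get-Date), $p.Product, $p.State |
                    Add-Content -LiteralPath $LogPath
            }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Offline demonstration of the decoder on constructed values (not taken from
# the poster's machine): 0x061100 is what a working Defender reports,
# 0x060100 the same product with real-time protection switched off.
0x061100, 0x060100 | ForEach-Object { ConvertFrom-ProductState -State $_ } | Format-Table -AutoSize

# Live check on this machine; leave Watch-AvStatus running to catch the drop.
Get-AvStatus | Format-Table -AutoSize
# Watch-AvStatus -IntervalSeconds 30
```

Avast registers with Security Center, so a shield outage should flip its row to Enabled=False with a fresh timestamp; if the tray icon shows the red X while Security Center still reports the product as enabled, the disabling is happening below what Security Center sees, which is itself worth knowing before blaming a remote attacker.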

#25 Heresedward (Member, Topic Starter, 21 posts)

OK, completion log:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 17-10-2016
Ran by TheArk (19-10-2016 19:30:41) Run:2
Running from C:\Users\TheArk\Desktop
Loaded Profiles: TheArk (Available Profiles: TheArk)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
S3 hitmanpro37; C:\WINDOWS\system32\drivers\hitmanpro37.sys [54736 2016-10-04] ()
2016-10-04 11:18 - 2016-10-04 11:33 - 00000000 ____D C:\ProgramData\HitmanPro
2016-10-04 11:18 - 2016-10-04 11:18 - 00000000 ____D C:\Program Files\HitmanPro
2016-10-04 11:15 - 2016-10-04 11:18 - 11579432 _____ (SurfRight B.V.) C:\Users\TheArk\Downloads\hitmanpro_x64.exe
2016-10-01 14:12 - 2016-10-01 14:12 - 00000000 ____D C:\WINDOWS\Trend Micro
2016-10-01 14:12 - 2016-10-01 14:12 - 00000000 ____D C:\ProgramData\Trend Micro
2016-10-01 14:07 - 2016-08-22 21:20 - 00332512 _____ (Trend Micro Inc.) C:\WINDOWS\system32\Drivers\tmcomm.sys
2016-10-01 14:06 - 2016-10-01 14:06 - 00000036 _____ C:\Users\TheArk\AppData\Local\housecall.guid.cache
2016-10-01 14:05 - 2016-10-01 14:06 - 02527376 _____ (Trend Micro Inc.) C:\Users\TheArk\Downloads\HousecallLauncher64.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers
*****************
 
Restore point was successfully created.
hitmanpro37 => service removed successfully
C:\ProgramData\HitmanPro => moved successfully
C:\Program Files\HitmanPro => moved successfully
C:\Users\TheArk\Downloads\hitmanpro_x64.exe => moved successfully
C:\WINDOWS\Trend Micro => moved successfully
C:\ProgramData\Trend Micro => moved successfully
C:\WINDOWS\system32\Drivers\tmcomm.sys => moved successfully
C:\Users\TheArk\AppData\Local\housecall.guid.cache => moved successfully
C:\Users\TheArk\Downloads\HousecallLauncher64.exe => moved successfully
 
========= bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
0 out of 0 jobs canceled.
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 294145 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 11681983 B
Java, Flash, Steam htmlcache => 188200364 B
Windows/system/drivers => 45019160 B
Edge => 0 B
Chrome => 232075148 B
Firefox => 375696309 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 1642 B
NetworkService => 0 B
TheArk => 150101011 B
 
RecycleBin => 0 B
EmptyTemp: => 956.6 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 19:32:01 ====
 
Also, got a warning message at startup - see attached. Obviously clicked No, because I'm assuming that would give them admin privileges back to turn it off.

Attached: AVAST warning.jpg

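The FRST fix in #22 removes two leftover kernel drivers from uninstalled scanners (hitmanpro37.sys, tmcomm.sys), and the fixlog's own deprecation notice says bitsadmin has been superseded by the BITS PowerShell cmdlets. What follows is an added example, not FRST's output and not commands from the thread: a PowerShell pass that lists kernel driver services whose binary is missing or not Microsoft-signed, which is enough to spot that kind of leftover without a third-party tool, followed by the cmdlet equivalent of bitsadmin /reset /allusers. The function names are mine and the signer test is a string heuristic on the certificate subject.

```powershell
# Added example (not FRST's or the thread's own commands). Run from an
# elevated PowerShell 5.1 prompt on Windows 10.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes:
    # \??\C:\WINDOWS\system32\drivers\x.sys, \SystemRoot\System32\drivers\x.sys,
    # system32\DRIVERS\x.sys, or a plain absolute path. Normalise to absolute.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-ThirdPartyDriver {
    # Kernel driver services whose binary is missing or not signed by Microsoft.
    # A leftover such as an S3 (on-demand) vendor driver shows up here even
    # when it is not currently running.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path   = Resolve-DriverPath $_.PathName
        $exists = [bool]($path -and (Test-Path -LiteralPath $path))
        $signer = ''
        $status = 'NoFile'
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            State     = $_.State
            Path      = $path
            Exists    = $exists
            SigStatus = $status
            Signer    = $signer
        }
    } | Where-Object { $_.Signer -notmatch 'Microsoft' }   # heuristic on the subject text
}

function Reset-AllBitsJobs {
    # Cmdlet equivalent of 'bitsadmin /reset /allusers' (deprecated, per the
    # notice in the fixlog). Returns the number of jobs cancelled.
    $jobs = @(Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue)
    if ($jobs.Count -gt 0) { $jobs | Remove-BitsTransfer }
    return $jobs.Count
}

Get-ThirdPartyDriver | Sort-Object Signer, Name |
    Format-Table Name, StartMode, State, Exists, SigStatus, Signer -AutoSize
"BITS jobs cancelled: $(Reset-AllBitsJobs)"
```

Two caveats on reading the list: WHQL-signed third-party drivers carry a Microsoft subject ("Microsoft Windows Hardware Compatibility Publisher") and are therefore filtered out, so drop the Where-Object clause to see everything; and inbox drivers that are catalog-signed rather than embedded-signed can report NotSigned on some builds, so treat the output as a review list rather than a verdict. Entries with Exists=False are registered services whose file is gone, the usual trace of a half-removed security tool.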

#26 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Hmm, I am seeing nothing that is malware-related; however, let's double-check that. This uses the GMER rootkit detector.

Download aswMBR.exe (4.5 MB) to your desktop.
Double-click aswMBR.exe to run it.
You may be offered the option of using virtualisation; accept that.
When it offers to download the virus database, allow that as well.
Click the "Scan" button to start the scan.

[Image: AswMBR scan.JPG]

On completion of the scan, click Save Log, save it to your desktop and post it in your next reply.

#27 Heresedward (Member, Topic Starter, 21 posts)

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2016-10-20 00:02:49
-----------------------------
00:02:49.455    OS Version: Windows x64 6.2.9200 
00:02:49.455    Number of processors: 4 586 0x3A09
00:02:49.455    ComputerName: DESKTOP-LDIRC25  UserName: TheArk
00:02:50.198    Initialize success
00:02:50.198    VM: initialized successfully
00:02:50.198    VM: Intel CPU BiosDisabled 
00:02:58.387    AVAST engine defs: 16101801
00:03:12.035    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000034
00:03:12.037    Disk 0 Vendor: ST3500418AS CC38 Size: 476940MB BusType: 11
00:03:12.120    Disk 0 MBR read successfully
00:03:12.120    Disk 0 MBR scan
00:03:12.120    Disk 0 Windows 7 default MBR code
00:03:12.136    Disk 0 Partition 1 80 (A) 07      HPFS/NTFS NTFS       476487 MB offset 63
00:03:12.151    Disk 0 Partition 2 00     27 Hidden NTFS WinRE NTFS          450 MB offset 975847424
00:03:12.188    Disk 0 scanning C:\WINDOWS\system32\drivers
00:03:22.010    Service scanning
00:03:35.362    Modules scanning
00:03:35.372    Disk 0 trace - called modules:
00:03:35.813    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll iaStorA.sys 
00:03:35.829    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffff9f8211f37060]
00:03:35.829    3 CLASSPNP.SYS[fffff8028b195efb] -> nt!IofCallDriver -> [0xffff9f820f7aa190]
00:03:35.844    5 ACPI.sys[fffff8028a0a4571] -> nt!IofCallDriver -> \Device\00000034[0xffff9f820f7ad400]
00:03:36.829    AVAST engine scan C:\WINDOWS
00:03:38.716    AVAST engine scan C:\WINDOWS\system32
00:06:18.518    AVAST engine scan C:\WINDOWS\system32\drivers
00:06:30.112    AVAST engine scan C:\Users\TheArk
00:39:06.581    AVAST engine scan C:\ProgramData
00:42:20.357    Disk 0 statistics 2404119/0/0 @ 0,60 MB/s
00:42:20.357    Scan finished successfully
09:23:32.174    Disk 0 MBR has been saved successfully to "C:\Users\TheArk\Desktop\MBR.dat"
09:23:32.177    The log file has been saved successfully to "C:\Users\TheArk\Desktop\aswMBR.txt"


#28 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Hmm, that shows nothing untoward.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool
  • Click the Scan button and wait for the process to complete.
  • Click the logfile button and the log will open in Notepad
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted
  • Please post the content of that log file with your next answer.
  • The report will be saved in the C:\AdwCleaner folder.


#29 Heresedward (Member, Topic Starter, 21 posts)

Initial logfile before reboot:

 

# AdwCleaner v6.030 - Logfile created 21/10/2016 at 14:50:00
# Updated on 19/10/2016 by Malwarebytes
# Database : 2016-10-18.1 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : TheArk - DESKTOP-LDIRC25
# Running from : C:\Users\TheArk\Desktop\adwcleaner_6.030.exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
Folder Found:  C:\ProgramData\c23f11e4
Folder Found:  C:\Users\TheArk\AppData\Local\StormFall
 
 
***** [ Files ] *****
 
File Found:  C:\END
File Found:  C:\prefs.js
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [24752 Bytes] - [19/12/2015 07:06:54]
C:\AdwCleaner\AdwCleaner[S1].txt - [25367 Bytes] - [19/12/2015 07:05:04]
C:\AdwCleaner\AdwCleaner[S2].txt - [1304 Bytes] - [21/10/2016 14:50:00]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1377 Bytes] ##########


#30 Heresedward (Member, Topic Starter, 21 posts)

Post restart log:

 

# AdwCleaner v6.030 - Logfile created 21/10/2016 at 14:51:34
# Updated on 19/10/2016 by Malwarebytes
# Database : 2016-10-18.1 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : TheArk - DESKTOP-LDIRC25
# Running from : C:\Users\TheArk\Desktop\adwcleaner_6.030.exe
# Mode: Clean
# Support : hxxps://www.malwarebytes.com/support
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\ProgramData\c23f11e4
[-] Folder deleted: C:\Users\TheArk\AppData\Local\StormFall
 
 
***** [ Files ] *****
 
[-] File deleted: C:\END
[-] File deleted: C:\prefs.js
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}
 
 
***** [ Web browsers ] *****
 
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [24752 Bytes] - [19/12/2015 07:06:54]
C:\AdwCleaner\AdwCleaner[C2].txt - [1109 Bytes] - [21/10/2016 14:51:34]
C:\AdwCleaner\AdwCleaner[S1].txt - [25367 Bytes] - [19/12/2015 07:05:04]
C:\AdwCleaner\AdwCleaner[S2].txt - [1456 Bytes] - [21/10/2016 14:50:00]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1329 Bytes] ##########
