Avast WEBforum
Other => Viruses and worms => Topic started by: JPBoston on January 02, 2012, 03:39:34 AM
-
Hey there,
Really hoping you guys can help me out, before I'm forced to re-install windows. (Vista, Laptop)
My laptop has been hit hard by some kind of virus.... all loads well until I connect to the internet, then the system becomes overloaded and I can't do a thing. I can't even update Avast. Pretty sure that when I am able to open Task Manager, no real major cpu or memory usage is shown, despite the "thinking" light being on, so steady its not even blinking.
I've run a bunch of anti-virus programs that I was able to get updated in Safe Mode, and Avast (without a fresh update) did a boot-time scan and found several things, but still the problem persists. I did try downloading the update file on this Avast site and copying it over to the laptop so I could update that way... but the update application fails.
I'm sorry for lacking in more detail... not used to having to fight off a virus like this. Let me know what info you need to help and I'll dig it up for you.
Thanks in advance!!
-Joe
-
http://forum.avast.com/index.php?topic=53253.0
follow the above link to the guide and attach all the logs.
essexboy is notified and he will be here to help u.check back by night.
-
Thanks for the quick reply....
Here are the OTL log files (I'll do more as I can get free time tonight):
-
Thanks for the quick reply....
Here are the OTL log files (I'll do more as I can get free time tonight):
Hello!
Your hosts file is not original.
I can advise you to use curing utility Dr.Web CureIt!
http://www.freedrweb.com/cureit/?lng=en
It restore the hosts file and check for viruses, but when you run the utility disconnect completely Avast, Avast blocks it.
-
From your OTL log it seems you have avast and Microsoft Security Essentials installed ???
never install multiple AV as this can/will create all kind of windows errors and false positive detections
read the reply from quietman7 here
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260844&view=findpost&p=1441638
it is recomended to run a removal tool so all leftovers from the AV you remove is gone
run and reboot - Uninstallers for Security Software
http://thewebatom.net/uninstallers/security-software/
-
Hi the log looks OK which means it is something deeper
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it Click the "Scan" button to start scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif)
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif)
-
Awesome, thanks guys. I'll get that new log posted asap.
For the record... I only installed Microsoft Security after the virus attack. I was attempting all options possible. ;)
-
If aswMBR should fail to run then do the following please
Download
RogueKiller (http://www.geekstogo.com/forum/files/file/413-roguekiller) to your desktop
- Quit all running programs
- For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
- When prompted, type 1 and validate
- The RKreport.txt shall be generated next to the executable.
- If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.
[/list]
-
Just ran ASW... seemed to get hung up (for 20 mins)near the end in a Windows Live folder... it was so long I couldn't read the whole file path.
So I saved the log even though it hadn't finished... running it one more time to see if I can get a full scan and then I'll move on to Rogue Killer.
Abbreviated ASW log attached.
-
Did you install the somoto toolbar ?
-
Did you install the somoto toolbar ?
Definitely not on purpose (I hate any toolbar add-ons, and I'm pretty good at keeping them from sneaking on from other program installs)... A quick look at my program files doesn't show anything from Somoto.
ASW is hung up in the same area again... file path that I can read is:
C:\USERS\Joe\AppData\Local\Microsoft\Windows Live\Installer\Catalog\wl....
(The "...." at the end meaning that the window isn't big enough to read further then that, and I don't seem to be able to expand the window at all).
ASW still seems to be running and "thinking", and the computer isn't locked up or anything, so I'll leave it alone this time and see if it moves past it.
-
OK lets kill the toolbar and see if that removes the problem
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2011/10/19 15:50:43 | 000,000,000 | ---D | M] (Somoto Toolbar) -- C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\1mz8nlvo.JP\extensions\{652853ad-5592-4231-88c6-706613a52e61}
[2011/10/19 15:50:36 | 000,000,000 | ---D | M] (Somoto Toolbar) -- C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\h8a4y122.default\extensions\{652853ad-5592-4231-88c6-706613a52e61}
O2 - BHO: (Somoto Toolbar) - {652853ad-5592-4231-88c6-706613a52e61} - C:\Program Files\somototoolbar\vmntemplateX.dll ()
O3 - HKLM\..\Toolbar: (Somoto Toolbar) - {652853ad-5592-4231-88c6-706613a52e61} - C:\Program Files\somototoolbar\vmntemplateX.dll ()
O3 - HKU\S-1-5-21-2297640326-2697785836-1506157427-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
[2009/10/27 13:46:41 | 000,000,024 | -H-- | C] () -- C:\ProgramData\.811261211181235583101118113995
[2008/08/08 18:21:25 | 000,000,024 | -H-- | C] () -- C:\ProgramData\.119889580931711767808769176
[2008/08/08 18:09:07 | 000,000,021 | -H-- | C] () -- C:\ProgramData\.24554863501262644635642126105
[2010/09/13 20:04:54 | 000,000,000 | ---D | M] -- C:\Users\Dee\AppData\Roaming\ooVoo Details
:Files
ipconfig /flushdns /c
C:\Program Files\somototoolbar
C:\Program Files\AskBarDis
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Thanks, Essex! I'll run that later tonight, as I'm about to leave the house and probably shouldn't let it sit too long after its run its course.
Thank you for the quick replies --- really hoping we dig this sucker out. :)
PS --- Should I hold off on the Rogue Killer for now then?
-
Aye sorry I was going to add that ... The main thing I was looking for in aswMBR is not present so there is no need for roguekiller ;D
-
Have you tried disabling everything at start up using msconfig.exe
disable all startup items except avast go to safemode and run malware bytes
here are to tools to help you
Malwarbytes
https://store.malwarebytes.org/342/cookie?affiliate=1879&product=29945&redirectto=http://files7.majorgeeks.com/files/679635e8efe21e055ae3693f6145f298/spyware/mbam-setup-1.60.0.1800.exe
RogueKiller
http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe
run these and you should be ok
-
disable all startup items except avast go to safemode and run malware bytes
Nope....Malwarebytes should only be run in safe mode if normal mode dont work
and i dont think Essexboy needs to be told what tools to use ;)
-
Hey there,
The OTL scan ran and completed... attaching log. But the internet problem still persists.
The computer is fine until I plug in the ethernet cable, then within a few moments, it gets locked up. Avast didn't even have time to update it's definitions... got about half-way thru 'step 1'.
-
That sounds like an interference with the TCPIP
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Just installed the Combofix program... it ran and completed just fine.
Computer is still acting wonky though. Avast disapeared from the system tray, MS Essentials wouldn't turn on, turning on Ad-Aware crashed the system (after plugging in the 'net).
I'll reboot and try again...
-
Rebooted again... problem persists. Though MS Security Essentials did start itself automatically this time. FYI, all this posting on the forum and downloading programs is done on my desktop PC and transferred to laptop via USB flash drive, and logs copied to flash drive and brought back over to desktop. Fun process. ;)
This happens over the course of 5 minutes or so: In Task Manager, CPU usage is at roughly 10% Physical Memory at 60%... but trying to start Firefox after plugging in the ethernet cable is taking FOREVER. The "thinking" (what the heck is that light called?) light is blinking like crazy, but CPU just dipped back down to 3%... Firefox browser did open a few mins ago, but blank white 'page' and 'not responding' message when I try to click somewhere in Firefox.... just lost control of the mouse.... mouse is back, but clicking on Task Manager window is unresponsive, takes about 30 seconds if I click on a tab within it for it to actually open. CPU never goes over 3%, physical mem never goes over 66% for the last 5 minutes or so.
Sorry for the random flow of thought there... thought it might describe the problem a little more.
-
I really need to see what processes are running so to that end I will ask you to something a bit weird
I would like you to download AVPTool and run the first part disconnected from the net. However, for the second, analysis part I would like you to connect before running the programme so that I can then see all processes that are active whilst it is running
Download AVPTool from Here (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) to your desktop
Run the programme you have just downloaded to your desktop (it will be randomly named )
First we will run a virus scan
Click the cog in the upper right
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPfront.gif)
Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpsettings.gif)
Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post
Now the Analysis
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif)
On completion click the link to locate the zip file to upload and attach to your next post
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif)
Megaupload (http://www.megaupload.com/)
-
The initial Kaspersky report took over 10 hours to complete, but it did finally finish. It found 2 trojans in what looks like email folders. Report attached.
I'll run the second scan right now and post the results when I can. :)
-
make sure u keep the net connected while doing the manual disinfection process as essex told. ;)
-
make sure u keep the net connected while doing the manual disinfection process as essex told. ;)
I did. Problem is... like I described above, connecting to the 'net freezes the computer. So the scan didn't get far. Woke up to a frozen computer.
-
Since my last post, I've been patiently waiting for my laptop to come out of 'sleep' mode from the overnight scan... I had to unplug the ethernet to get any action at all.
It finally just popped up now... two MS-Dos looking windows were first to come up...
They are blank-black... but the top-left of one of the windows has the C:\ logo followed by "_uninst_33346271" they just disappeared as I was copying them down, but the other number was similar... they disappeared right as Kaspersky re-opened.
Kaspersky then asked for a system reboot with a little pop up window that said "error message is" but no error message was listed... and the install window is up, why Kasperksy needs to re-install is beyond me.
I'll let it re-install and see if it managed to create any logs. I'm guessing the entire system crashed soon after plugging into the 'net.
-
Okey Dokey
Could you download and run the latest aswMBR please and also run a fresh OTL scan with all users selected. I now have a possible inkling about this
-
Okey Dokey
Could you download and run the latest aswMBR please and also run a fresh OTL scan with all users selected. I now have a possible inkling about this
Cool --- Re-downloaded ASW from the link you provided on page 1 and it shows a new File Version #. About to run it and then OTL as suggested.
I did manage to reboot a few times and get to Kasperskey's aborted log. Looks like it shut off a few minutes after I started it, long before any sleep mode kicks in (I ran it and went to bed for the night, sleep mode kicks in after an hour or two).
Unfinished log attached, just in case it shows anything useful...
-
ASW Finished... here's the scan log (seems like it found 2 things).
Do I click "Fix MBR"?
-
No it is not an MBR problem
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Files
ipconfig /flushdns /c
C:\Users\Joe\AppData\Local\Google\Update\1.3.21.79\GoogleCrashHandler.exe
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Here's the OTL log... seemed to run as planned. I haven't tried connecting to the 'net though... waiting to hear back first, just in case.
-
Could you try a connection please and let me know the result
-
Could you try a connection please and let me know the result
Hey... was about to plug-in just like you asked, but noticed my 'thinking light' was buzzing a bit... opened up Task Manager and see that SearchFilterHost.exe is taking bit of power. It goes up to 50 CPU and calms down to 4-5, then back up to 50, then back down, etc.
Just wanted to get your thoughts and see if I should still plug-in.
-
This process is used by the windows search and indexing service. It is indexing all the files on your computer in case you want to search for them .. I have turned mine off ;D
-
Skynet itself must have hijacked my computer... cause it's still slowing to a stop as soon as I plug in the ethernet cable.
-
Could you re-run the AVP analysis scan only - disconnected this time and then upload the entire zip file to either mediafire or magaupload or similar so that I can download it
Now the Analysis
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPAnalysis.gif)
On completion click the link to locate the zip file to upload and attach to your next post
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/AVPZiplocation.gif)
Megaupload (http://www.megaupload.com/)
-
OK.... here it is:
http://www.megaupload.com/?d=7Q1N3YX4
-
I notice that you have YouSendIt.com installed - this is a file uploader, did you install it ... It is running
- Re-run AVPTool
- Select the Manual Disinfection tab and press Script execution
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpmanual.gif)
- Where it states Insert text script in the following box copy the below script and press Run script
Copy from Begin until End
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpscript.gif)
begin
DelBHO('{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}');
DelBHO('{219C3416-8CB2-491a-A3C7-D9FCDDC9D600}');
DeleteService('ASKUpgrade');
SetServiceStart('ASKUpgrade', 4);
DeleteService('ASKService');
SetServiceStart('ASKService', 4);
DeleteFile('C:\Program Files\AskBarDis\bar\bin\AskService.exe');
BC_DeleteFile('C:\Program Files\AskBarDis\bar\bin\AskService.exe');
DeleteFile('C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe');
BC_DeleteFile('C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe');
DeleteFile('C:\Program Files\Norton Internet Security\MUI\16.7.2.11\09\01\rcSvcHst.dll');
BC_DeleteFile('C:\Program Files\Norton Internet Security\MUI\16.7.2.11\09\01\rcSvcHst.dll');
DeleteFile('C:\Users\Joe\AppData\Local\Temp\_uninst_56657627.bat');
BC_DeleteFile('C:\Users\Joe\AppData\Local\Temp\_uninst_56657627.bat');
end.- Your system will reboot on completion, if it does not please do so yourself
- On completion please run another analysis scan and attach the zip file
-
I notice that you have YouSendIt.com installed - this is a file uploader, did you install it ... It is running
Yeah, I installed that several years ago... haven't used it in about a year though, had no idea it was running.
I'll run the script and report back... in the meantime, should I attempt an internet connection after rebooting before reporting back?
ADDED: Whoops, just noticed the 'run new scan and post the log'. Will do.
-
Here's the newest new log...
http://www.megaupload.com/?d=NQ3LBVZ7
-
FYI --- Connection to internet still results in PC locking up.
-
Lets remove the running uploader file and see if that helps
As it is at the momnet I can see no apparent malware
- Re-run AVPTool
- Select the Manual Disinfection tab and press Script execution
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpmanual.gif)
- Where it states Insert text script in the following box copy the below script and press Run script
Copy from Begin until End
(http://i1224.photobucket.com/albums/ee362/Essexboy3/AVP%20shots/avpscript.gif)
begin
DeleteFile('C:\Program Files\YouSendIt\Express\version2\YsiExt.dll');
BC_DeleteFile('C:\Program Files\YouSendIt\Express\version2\YsiExt.dll');
DeleteFile('C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL');
BC_DeleteFile('C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved','{BDEADF00-C265-11D0-BCED-00A0C90AB50F}');
DeleteFile('C:\Users\Joe\AppData\Local\Temp\_uninst_56657627.bat');
BC_DeleteFile('C:\Users\Joe\AppData\Local\Temp\_uninst_56657627.bat');
DeleteFile('C:\Users\Joe\AppData\Local\Temp\_uninst_02113337.bat');
BC_DeleteFile('C:\Users\Joe\AppData\Local\Temp\_uninst_02113337.bat');
end.- Your system will reboot on completion, if it does not please do so yourself
-
Hey again ---
My desktop's monitor died, so I was incommunicado for awhile.
I was just able to run your last 'manual script' via Kapersky, rebooted, and the problem persists.
Any chance anyone else has had this problem and any more ideas?
-
Lets check out the files used for internet connection
run farbar service scanner (http://"http://download.bleepingcomputer.com/farbar/FSS.exe")
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/fss.jpg)
Tick All options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
-
Hey again...
Good news! Laptop is up and running after I deleted Amazon's cloud uploader... It came to me randomly the other night, that the only 'new' thing I was doing back when the Laptop started acting up was uploading a few albums to amazon to try on my kindle fire.
Anyway --- I was going thru and deleting stuff I didn't need to clear up space, and came across a problem file.
It's a 9.5gb video file, and the sucker just won't delete. I rebooted, tried again and let it sit for 40 minutes, and still nothing.
Could one of those programs Essexboy had me DL be able to delete the thing?
PS
Thanks again for the help, Essex!