Author Topic: avast keep sending block allarm for flashlose.cc (Read 3881 times)

rav89 · « **on:** September 26, 2012, 06:28:57 PM »

hello,i got a problem with avast that keep blocking a access to a url message pop up every 10 15 minuts tried malwarebytes and other avast scan it find nothing...also i cant connect diablo 3 but maybe doesnt depend on that anyone could help me?

processo is process where its copyed malware (guess)

http://www.avast.com/it-it/lp-fr-virus-alert?p_ext=chrome&utm_campaign=Virus_alert&utm_source=prg_fav_70_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fit-it%2Fvirus-alert-default&p_vir=URL:Mal&p_prc=C:\Users\kkk\AppData\Local\Microsoft\Windows\Temporary%20Internet%20Files\Content.IE5\L3GIRI5B\agenearn_1

it try block access to (dont click) http://flashlose.cc/lost.dat

Pondus · « **Reply #1 on:** September 26, 2012, 06:32:35 PM »

you are infected....possible a rootkit $:-\$

follow this guide and attach the logs...not copy and paste http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

rav89 · « **Reply #2 on:** September 26, 2012, 07:44:42 PM »

still running scans but i think i found out problem with hijackthis its

CDisplay_is1.scr

it run pop up and block all host(explain why i cant run diablo that use spec host file)

still working on 2 scans but im almost sure thats problem i cant remove it from msconfig/run and itried fix it with hijackthis but it cant be fixed tried delete CDisplay_is1.scr but it say program is in use so ya im kinda blocked anyone has a solution?

put 2 logs for now still finishing malware bytes log and otl ill put later

rav89 · « **Reply #3 on:** September 26, 2012, 08:34:58 PM »

ok other 2 scans

i dont know really how to fix....tried unactivate HKLM..\Run: [CDisplay_is1] C:\Users\kkk\AppData\Roaming\CDisplay_is1\CDisplay_is1.scr () in msconfig but it activate again alone and avast keep showing pop up with blocked access to a url

really need help

[2012/09/26 15.32.30 | 000,000,000 | --SD | C] -- C:\Users\kkk\AppData\Roaming\CDisplay_is1 thats issue was create today at 3.30 pm after iw as back from work and turned on my pc

rav89 · « **Reply #4 on:** September 26, 2012, 09:32:42 PM »

pondus give me a solution for remove it please!!!!avast keep spamming me with block url messages....deactivating avast is a bad solution guess

Pondus · « **Reply #5 on:** September 26, 2012, 09:35:14 PM »

now you relax and wait for the malware remover to arrive .... it may take hours so be patient

essexboy · « **Reply #6 on:** September 26, 2012, 10:21:39 PM »

Hi let me know if this stops it

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code: [Select]

:OTL
O3:64bit: - HKLM\..\Toolbar: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKU\S-1-5-21-1136535188-260250515-840242000-1000\..\Toolbar\WebBrowser: (no name) - {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No CLSID value found.
O3 - HKU\S-1-5-21-1136535188-260250515-840242000-1000\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKU\S-1-5-21-1136535188-260250515-840242000-1000\..\Toolbar\WebBrowser: (no name) - {414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3} - No CLSID value found.
O4 - HKLM..\Run: [CDisplay_is1] C:\Users\kkk\AppData\Roaming\CDisplay_is1\CDisplay_is1.scr ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: CDisplay_is1 = C:\Users\kkk\AppData\Roaming\CDisplay_is1\CDisplay_is1.scr ()
[2012/09/26 15.32.30 | 000,000,000 | --SD | C] -- C:\Users\kkk\AppData\Roaming\CDisplay_is1

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

rav89 · « **Reply #7 on:** September 26, 2012, 11:21:04 PM »

yes worked while otl was removing registry key avast blocked a file "dropper" with always cdisplay in system after reboot all registry and msconfig was clean

thx for help is it a new virus?cause no other antivirus detected it tried everything

essexboy · « **Reply #8 on:** September 27, 2012, 12:01:56 AM »

That is where the manual inspection comes in, no automated tools can analyse the logs like a human

Once it has been reported and located then they will find it but, they will never be able to locate all the run locations

If all is well tomorrow let me know and I will remove my tools

true indian · « **Reply #9 on:** September 27, 2012, 11:12:43 AM »

Sounds like another medfos:
O4 - HKLM..\Run: [CDisplay_is1] C:\Users\kkk\AppData\Roaming\CDisplay_is1\CDisplay_is1.scr ()

doesnt it,essexboy?

Author Topic: avast keep sending block allarm for flashlose.cc (Read 3881 times)

rav89

avast keep sending block allarm for flashlose.cc

Pondus

Re: avast keep sending block allarm for flashlose.cc

rav89

Re: avast keep sending block allarm for flashlose.cc

rav89

Re: avast keep sending block allarm for flashlose.cc

rav89

Re: avast keep sending block allarm for flashlose.cc

Pondus

Re: avast keep sending block allarm for flashlose.cc

essexboy

Re: avast keep sending block allarm for flashlose.cc

rav89

Re: avast keep sending block allarm for flashlose.cc

essexboy

Re: avast keep sending block allarm for flashlose.cc

true indian

Re: avast keep sending block allarm for flashlose.cc