Avast WEBforum
Other => Viruses and worms => Topic started by: denebuff on April 08, 2014, 10:13:03 PM
-
I was hoping someone could give me some help. I'm not a computer tech, just an average guy tired of paying money to people who can't fix a problem.
I had my XP desktop worked on because of a virus. 5 days later and $70.00 for the repair, now I get a pop-up every 3 to 4 minutes with the attached picture. I called AVAST Tech Support but they wanted $170.00 to fix the problem. I can't do that.
-
That's some malware that wants to call home :)
Follow this guide and attach the logs from Malwarebytes, OTL and aswMBR: http://forum.avast.com/index.php?topic=53253.0
Windows XP is not getting any more updates and is very insecure now; hackers have been collecting security leaks over the last months.
It's recommended to switch to Windows 7 or 8 if possible.
-
Steven, can you please explain what "attach the logs from Malwarebytes, OTL and aswMBR" means?
-
Click the Attachments and other options function under the answer Box and select the logs to attach them.
(See screenshot)
Mine is in German but the placement is the same.
-
Just a little more in depth to what Steven said.
When you finish running the programs, they'll produce logs (MBAM=1, OTL=2 on first run and aswMBR=1). Following Steven's picture, which is in (Dutch?) I believe: when you make your next post, there is an option called Attachments & Other Options. Click it.
The picture is in German, Michael. :)
Sorry, lol, thought that was Dutch.
-
Ok, thank you both. I'm running the scan as we speak; I'll keep you posted. So far it has found 3 objects and is still running.
-
Monitoring, this may be an infected system file
-
OK, it finished but I just got another pop-up. Also, the 3 are quarantined; it did not ask me to do a reboot. Should I reboot?
-
If it's not asking for a reboot there is no need to reboot.
Save the log and attach it here later. :)
-
I'm running the OTL but forgot to paste this in:
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT
-
Just abort the scan and run it from scratch please.
Be sure to attach the correct log.
-
OK Will do.
-
OK Here is the log.
-
Now please run aswMBR and attach the logs from aswMBR and Malwarebytes. ;)
Then essexboy will check the logs.
-
Ok Steve
here is what I got.
-
Essex is asleep. Check back tomorrow...
-
OK Thank You Will Do.
-
Hi there, I have two possibilities in mind, so let's see which it is.
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
As soon as I turned on my AVAST it started again with the "Threat has been detected". :(
I have attached the log from combo fix
-
Got it, it appears that blackbeard has changed and is now targeting XP
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
FCopy::
c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll|c:\windows\system32\rpcss.dll
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
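The CFScript above restores system32\rpcss.dll from the copy that the KB956572 hotfix left behind in $hf_mig$, and the earlier OTL custom scan asked for an MD5 of the same file. The script below is an added example, not part of the thread or of ComboFix/OTL: it hashes the live file and the hotfix backup and reports whether they match, so a defender can confirm the replacement worked (or spot a tampered system file before the fix). The thread's two Windows paths are used; the function names, the hash algorithm and the constructed sample tree with made-up file contents are this example's own assumptions.

```python
"""Integrity check of a system file against its hotfix backup copy.

Added example (not from the Avast forum thread or any of its tools). The
copy restored from the $hf_mig$ hotfix folder is treated as the known-good
reference; a digest mismatch with the live system32 file is a strong signal
that the live file was replaced.
"""
import hashlib
import os
import tempfile

# Relative paths as given in the thread's CFScript (layout under a root dir is assumed).
LIVE_REL = os.path.join("WINDOWS", "system32", "rpcss.dll")
REFERENCE_REL = os.path.join("WINDOWS", "$hf_mig$", "KB956572", "SP3QFE", "rpcss.dll")


def file_digest(path, algo="sha256"):
    """Hash a file in chunks; returns the hex digest, or None if the file is missing."""
    if not os.path.isfile(path):
        return None
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(root, live_rel=LIVE_REL, reference_rel=REFERENCE_REL, algo="sha256"):
    """Compare the live file with its backup copy under `root`.

    Returns a dict with both digests and a verdict:
      "match"          - live file is byte-identical to the backup
      "MISMATCH"       - contents differ: investigate, then restore from backup
      "missing-live"   - live file absent
      "missing-backup" - no reference copy to compare against
    """
    live = file_digest(os.path.join(root, live_rel), algo)
    ref = file_digest(os.path.join(root, reference_rel), algo)
    if live is None:
        verdict = "missing-live"
    elif ref is None:
        verdict = "missing-backup"
    elif live == ref:
        verdict = "match"
    else:
        verdict = "MISMATCH"
    return {"live": live, "reference": ref, "algo": algo, "verdict": verdict}


def build_sample_tree(root, tampered=True):
    """Create a constructed miniature of the XP layout for offline runs.

    The file contents are made up; a real rpcss.dll is a PE binary.
    """
    good = b"MZ constructed known-good rpcss.dll contents\n"
    bad = b"MZ constructed trojanised rpcss.dll contents\n"
    for rel, data in ((LIVE_REL, bad if tampered else good), (REFERENCE_REL, good)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Run the check against a tampered and a clean constructed tree."""
    results = {}
    for label, tampered in (("tampered", True), ("clean", False)):
        with tempfile.TemporaryDirectory() as root:
            build_sample_tree(root, tampered=tampered)
            results[label] = compare_copies(root)["verdict"]
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

On a real machine you would call `compare_copies("C:\\")` after the ComboFix run; a `match` verdict means the restored file is identical to the hotfix copy, while `MISMATCH` before the fix is the condition the CFScript was written to correct.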
-
OK, I did what you asked and attached the new log. As soon as I got back on the net and turned on my AVAST I got the threat message that "a threat has been detected". Are we getting close? :)
-
Now the threat has a new name, "colombus45", and a few other names. I think we have them on the run!
-
Stupid question, but should I be doing a reboot after each run, before I get back online?
-
Here is the other name on the warning.
I don't know if this makes a difference or not.
-
Essexboy is in bed now since it's midnight in the UK.
Check back tomorrow. :)
-
OK Thank You for all your continued support.
I will be back online after 11:30 am Eastern Standard Time, as I live in PA, USA.
-
Just to explain a little bit... You were infected by the "Blackbeard" Trojan. It has modified svchost or made a new one to contact these domains to further infect your PC. To address your comment "I think we have it on the run": while Essex directly targets the malware, yes we do.
The process responsible is svchost, of which there will most likely be 5+ in Task Manager, so don't try to kill it, since it most likely has a registry key to relaunch it.
-
Michael
I cannot thank the people of the site enough for all their help. As of right now AVAST is not giving me the alert; Malwarebytes is.
-
This is what pops up now when I open my email.
See attached.
-
I forgot to mention my email program I use is outlook express 6.
-
So the Avast alerts have now ceased ?
Download the latest version of TDSSKiller from here (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) and save it to your Desktop.
- Doubleclick on TDSSKiller.exe to run the application
(https://dl.dropbox.com/u/73555776/tdss%20start.JPG)
- Then click on Change parameters.
(https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG)
- Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects , then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
(https://dl.dropbox.com/u/73555776/tdss%20threat.JPG)
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
(https://dl.dropbox.com/u/73555776/tdss%20report.JPG)
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
Download the attached Fixlist.txt to the same location as FRST
Run FRST and press Fix
On completion a log will be generated please post that
-
Here are the results; the program found nothing.
-
Have the Avast alerts ceased ?
Have you emptied your deleted e-mails folder?
-
Having trouble getting on this site. Yes, Avast alerts have ceased, and yes, I have emptied my deleted box and did a reboot. As soon as I open my email program, whether I'm online or not, I get a continuous pop-up from Malwarebytes informing me of the bad file or website. I have attached a copy of the warning as it appears on my screen.
-
Do you have any draft e-mails or e-mails in the outbox that you do not recognise?
-
essexboy
I have checked my outbox and drafts; nothing in them at all, they are empty. I also deleted any sent and deleted messages.
I'm still getting that pop up.
-
Could you replace Outlook Express with windows live mail http://www.microsoft.com/en-gb/download/details.aspx?id=3945 it will offer several programmes but only accept live mail (OE is so far out of date now)
-
If I do that, will I lose all my contacts and my saved folders? And if not, I don't think I know how to import that info into the new program. Most of all, will that eliminate the bad file?
-
Follow the instructions here on exporting OE6 and importing to live mail http://www.pcdon.com/080113OutlookExpress-WindowsLiveMail.html
-
Essexboy
Thank You for all your help with this, as I type this I have installed windows Live and trying to import all my contacts. Is that infected file still in my computer?
-
Once you have transferred your contacts over, Live Mail will then download fresh copies of your e-mails, so anything bad will be gone. It may have been an infection in OE as it is many years out of date.
Once done launch live mail and let me know how that goes
OE can then be disabled by using the control panel Add/remove > remove windows features
-
Essexboy
I will keep you posted, as the weekend gives me more time to spend on this project.
Again, I sincerely appreciate all your time and help.
Respectfully
Denny G.
-
Essexboy
Guess what popped up right after I logged into Live Mail.
-
What is the ISP that you use for your e-mail? e.g. mine is @Hotmail.co.uk
-
@ptd.net
-
Hmm that is in the US. Could you check the accounts that are active in Live mail and ensure that they are ones you know about
-
Ok
I'm not home but as soon as I return in a couple of hours I will take a look and let you know.
-
OK, also apart from that how is the computer behaving ?
-
Everything seems the same as it was. No big changes; I guess that could be a good thing.
-
So we just need to figure out why MBAM is alerting
-
essexboy
I just checked the accounts in Windows Live and there are only 2; I know who they are and they're both Gmail accounts. I still have not figured out how to import my email contacts from Outlook 2000 into Windows Live.
-
From outlook 2000 export the contacts as a windows CSV file, then import that into live mail
-
Essexboy
Can you explain with a little more detail? After 60 the mind is the 2nd thing to go!
-
I was able to import my file folders but can't figure out how to get all my email addresses into WL.
-
Is this OE6 or Outlook 2000?
-
Outlook 2000
-
OK .. Export the outlook 2000 files to outlook express 6
Open OUTLOOK EXPRESS & import all the messages, contacts & calendar entries from Outlook 2000's ".pst" file
Then from Live mail import them all
-
Essexboy
I know I have Outlook Express, but after I did the Windows Live thing just Outlook showed up. I also knew that was on my PC, but for the life of me I can't find Express. :(
-
OK after a tortuous search .. Nice one MS :) I found these instructions to export them http://office.microsoft.com/en-gb/outlook-help/export-contacts-HA101870639.aspx
-
I got dragged to a BBQ
Will have to pick this up in the AM
Essexboy take the rest of the night off.
Thank you for all your help today.
-
Essexboy
The directions from MS are for outlook 2010
I have 2000, there is no Options tab under file.
-
I found Outlook Express 6 and all my email addresses are in it. How do I get them into Windows Live?
-
Copy the *ENTIRE* OE message store folder to the desktop. (Folders.dbx must be included).
Open WLMail and: File > Import > Messages > Microsoft Outlook Express 6 and browse to the desktop where you saved it.
-
I tried doing that but for some reason it will not let me. What am I doing wrong?
I also tried In Outlook Express, click on Addresses>File>Export and follow the prompts, which give options for exporting different types of address books. If uncertain about which type to choose, try a CSV (comma separated values) file. This will create a plain text list with the various items such as Name and Email Address separated by commas. Give the file a name along with a .txt extension. This should make the data easily found and importable into Windows Live Mail Contacts.
But EXPORT is Grayed out.
-
Within the OE folders should be an address book file with the 3 letter extension .wab have you got that ?
-
How do I find the OE folder?
-
They should be in one of these locations, the GUID is a string of numbers :
C:\Windows\Application Data\Outlook Express\{GUID}
or
C:\Documents and Settings\<User>\Local Settings\Application Data\Identities\{GUID}\Microsoft\Outlook Express
You may need to show hidden files :
1. Click Start, and then click Control Panel.
2. Click Appearance and Themes, and then click Folder Options.
3. On the View tab, under Hidden files and folders, click Show hidden files and folders.
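The post above names the two folder layouts where an OE6 identity's message store lives, and an earlier post noted that Folders.dbx must be included when the store is copied. The script below is an added example, not from the thread or from Microsoft: it walks both layouts, recognises the {GUID} folder names, and reports for each identity which .dbx files are there, whether Folders.dbx is present (so the copy is worth making) and whether a .wab address book sits alongside. It follows the thread in looking for the .wab inside the store folder; on many installs the address book lives elsewhere under Application Data, so an empty .wab list is not conclusive. The function names and the constructed XP-style sample tree are this example's own assumptions.

```python
"""Locate Outlook Express 6 message stores and check them before copying.

Added example (not from the Avast forum thread). Walks the two layouts the
thread names:
  <windows>\Application Data\Outlook Express\{GUID}
  <profile>\Local Settings\Application Data\Identities\{GUID}\Microsoft\Outlook Express
"""
import os
import re
import tempfile

# {GUID} folder names as the thread describes them.
GUID_RE = re.compile(r"^\{[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}\}$", re.IGNORECASE)


def search_bases(windows_dir, profile_dir):
    """The two layouts from the thread, as (base_dir, subpath under the {GUID} folder)."""
    return [
        (os.path.join(windows_dir, "Application Data", "Outlook Express"), ""),
        (os.path.join(profile_dir, "Local Settings", "Application Data", "Identities"),
         os.path.join("Microsoft", "Outlook Express")),
    ]


def inspect_store(guid, store_dir):
    """Summarise one store: its .dbx files, whether Folders.dbx exists, any .wab files."""
    names = sorted(os.listdir(store_dir)) if os.path.isdir(store_dir) else []
    dbx = [n for n in names if n.lower().endswith(".dbx")]
    wab = [n for n in names if n.lower().endswith(".wab")]
    has_folders = any(n.lower() == "folders.dbx" for n in dbx)
    return {
        "guid": guid,
        "path": store_dir,
        "dbx": dbx,
        "wab": wab,
        "has_folders_dbx": has_folders,
        # Only a store that still has Folders.dbx will import cleanly after copying.
        "copyable": has_folders and bool(dbx),
    }


def find_oe_stores(windows_dir, profile_dir):
    """Walk both layouts and return one summary per {GUID} identity found."""
    found = []
    for base, suffix in search_bases(windows_dir, profile_dir):
        if not os.path.isdir(base):
            continue  # hidden or absent on this machine; nothing to report
        for name in sorted(os.listdir(base)):
            if not GUID_RE.match(name):
                continue  # skip anything that is not an identity folder
            store_dir = os.path.join(base, name, suffix) if suffix else os.path.join(base, name)
            found.append(inspect_store(name, store_dir))
    return found


def build_sample_profile(root):
    """Constructed XP-style tree: one complete identity and one missing Folders.dbx."""
    windows_dir = os.path.join(root, "WINDOWS")
    profile_dir = os.path.join(root, "Documents and Settings", "Denny")
    identities = os.path.join(profile_dir, "Local Settings", "Application Data", "Identities")
    good = os.path.join(identities, "{11111111-2222-3333-4444-555555555555}",
                        "Microsoft", "Outlook Express")
    broken = os.path.join(identities, "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
                          "Microsoft", "Outlook Express")
    for d, files in ((good, ["Folders.dbx", "Inbox.dbx", "Sent Items.dbx", "Denny.wab"]),
                     (broken, ["Inbox.dbx"])):
        os.makedirs(d)
        for f in files:
            with open(os.path.join(d, f), "wb") as fh:
                fh.write(b"constructed placeholder, not a real OE file\n")
    os.makedirs(os.path.join(identities, "not-an-identity"))  # must be ignored
    return windows_dir, profile_dir


def demo():
    """Build the constructed tree and return the store summaries."""
    with tempfile.TemporaryDirectory() as root:
        windows_dir, profile_dir = build_sample_profile(root)
        return find_oe_stores(windows_dir, profile_dir)


if __name__ == "__main__":
    for store in demo():
        print(store["guid"], "copyable" if store["copyable"] else "INCOMPLETE", store["dbx"], store["wab"])
```

On the real XP box you would call `find_oe_stores("C:\\WINDOWS", "C:\\Documents and Settings\\<User>")`; the `path` of any `copyable` entry is the folder to copy whole to the desktop for the Live Mail import step.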
-
is there any way we can do a remote?
-
You could use Team Viewer: http://www.teamviewer.com/en/
Or via Avast remote assistance.
-
We need to determine a time when we are both on and can use the Avast remote connection
-
I have Team Viewer. You let me know what's good for you; I know you're 5 hours ahead of me.
-
Would 8 pm (my time) be good for you? That would be 1500 for you.
I would like to use Avast as I do not have team viewer
To use Avast
It is Help > Remote assistance
Click Get assistance and a code will be generated
PM me that code
Leave Avast open on the desktop, as the minute you close it the connection becomes invalid.
If you want to break the connection at any time then just close Avast using the X
(https://dl.dropboxusercontent.com/u/73555776/remote.JPG)
-
By the way essexboy, TeamViewer is free legit software.
-
I will bring it down and have a play :)
-
That's fine, I'll use AVAST. 1500 hours is 3:00 PM my time; does that mean tomorrow?
-
We can use team viewer if you have it .. I have just downloaded it and it looks very straight forward
Yep I will make sure I am available for that time tomorrow :)
Currently reading up on OE as I have not used it for many a year
-
Ok, 1500 hours. I will PM you at that time and give you the numbers.
I can't thank you enough for all the time you have spent on this.
-
Are they all in now ? Sorry about the faffing around but I have my system set to single click .. I was forgetting to double click :)
-
Essexboy
Yes everything is in and 100% complete.
After you logged out I grabbed the Denny file from Recycle on my USB memory stick and used it in my laptop running 7 with Windows Live, and that worked. Thank God I was paying attention to what you did.
Thank you and everyone that helped with this problem. I hope some day I can do something for someone else. I'm a full-time commercial photographer and not much of a computer guy other than the software that I use. If I can be of help when it comes to photography I would be more than happy to help.
Respectful
-
Glad to help, let's tidy up now and see how it runs
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:
Download and run Delfix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix)
(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/): install this programme to lock down and prevent crypto ransomware
(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To learn more about how to protect yourself while on the internet read this little guide Best security practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/)
Keep safe :wave:
-
I ran both of the programs. Can I use them on my bride's computer? She also runs XP, and my laptop runs 7.
I have AVAST already; that's how I found you guys!! Thank God.
-
It depends really what you want to do.. Delfix does the following :
Clears all restore points and creates a new one
Removes all tools I have used for malware cleaning/analysis
Reset system files back to hidden
Cryptoprevent I would recommend for any computer that you have as it blocks currently known Ransom malware
Further programmes that may be useful :
A small tool that may help when you download programmes that may be bundled with adware
http://unchecky.com/
Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup(http://i1059.photobucket.com/albums/t432/cinjo23/uncheckysetupicon.png) or folder and choose to Run as Administrator
Once open click the Install button.
(http://i1059.photobucket.com/albums/t432/cinjo23/uncheckysetupwindow.png)
Then click on Finish
(http://i1059.photobucket.com/albums/t432/cinjo23/uncheckyfinishsetupwindow.png)
Unchecky is now installed and will help you keep unwanted check boxes unchecked ;)
General tidying up of junk files
Clear Cache/Temp Files
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
-
Essexboy
Thank you for the software. The only way I can run Unchecky in Administrator mode is in Safe Mode, and Unchecky will not allow me to run it in Safe Mode. :(
-
For unchecky it just needs to be installed, after that it works silently in the background. Only activating itself when it needs to
-
OK Thanks!!! ;)