Avast WEBforum

Other => Viruses and worms => Topic started by: jason.roberts10000 on March 09, 2016, 03:11:02 AM

Title: Constant Avast Blocked Popup - "reannewscomm"
Post by: jason.roberts10000 on March 09, 2016, 03:11:02 AM
Hi,

Some introduction before I get to the problem.

Today I was watching a YouTube video and got a virus notification. I thought nothing of it as Avast blocked it, until I started getting these popups requesting server access to my computer to download a file called "thawbrkr.dll". Every time I clicked "no" the popup would reappear after about 1-2 minutes. I tried to determine what was causing the popups to appear, to no avail (I'm fairly experienced with dealing with viruses and malware; so I checked the usual places AppData, ProgramData, Windows, Program Files, and Temp folders but found nothing at all). I figured that accepting it would give the virus more access but I was at wits' end and figured that once it was on the machine I could get rid of it.

So now I have this virus that keeps being blocked by my Avast Antivirus scanner, called "Reannewscomm.com". Every 10-15 seconds it blocks its attempt, for the past 2-3 hours now that I've been trying to get rid of it. I ran a complete scan of Malware Fighter and it did not detect it, and a complete scan of Avast Antivirus, and it didn't find it. I've looked in the usual places again, and deleted any temporary files that came on the computer today (March 8), any cookies for today, and reupdated both Avast and Malware Fighter to no avail.

The precise details of the blocked virus are as follows:

   Object = http://reannewscomm.com/ads.php?sid=1967
   Infection = URL:Mal
   Process = C:\Windows\Explorer.exe

I tried to follow several guides on how to remove it manually (as the other option requires buying a tool that I've never heard of before and it only scans for free), and none have succeeded. All the usual indications of this virus are not present yet as Avast blocks it from putting those down and activating them. However, something is clearly trying to activate but I don't know where to find it.

The popups only appear when I'm connected to the internet. When I disconnect from the internet (I use a wired connection) the popups cease to pop up, leading me to believe that that server I allowed access to my computer is trying to create the virus or deploy the virus or something. I dunno. As stated, neither Avast nor my Malware Fighter detects the virus on my machine, and thus I feel that that server is causing the issue. So... does anyone know how to block a server from accessing the computer AFTER you've given it permission to have access?

However, something strange did happen recently. After trying to solve the problem for 4 hours, I got frustrated and left the computer alone. When I returned, it sounded like the computer was playing a podcast... though no podcasts were found on my machine, no Internet Explorer windows were open and no media player type programs were active. Disconnecting the internet / resetting the router didn't stop this podcast, but ending Explorer.exe did (though that made the system unstable, forcing me to restart it). The other thing of note is I have limited download capabilities right now (I can download it if I click Save Target As, but not any other method (i.e. Run / Save / Save As; these crash Internet Explorer)).

Any help would be appreciated.
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: Asyn on March 09, 2016, 05:34:43 AM
Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: jason.roberts10000 on March 09, 2016, 08:43:09 AM
Logs

EDIT:
(When attempting to post logs initially, Internet Explorer crashed)

The final log couldn't be acquired as the program froze my machine entirely forcing a hard restart. It froze while scanning Windows -> System32 -> DiagCpl.dll
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: Asyn on March 09, 2016, 08:47:12 AM
OK, now you've to wait a bit...
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: jason.roberts10000 on March 09, 2016, 09:01:17 AM
Managed to get the log from the final program by changing my IP address manually.
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: essexboy on March 09, 2016, 04:05:27 PM
Let me know if this kills it

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKU\S-1-5-21-429370524-3042837960-4195566341-1001\...\Run: [QujiBvaw] => regsvr32.exe "C:\Users\Jason\AppData\Roaming\QolaRzavd\YitUvfo.dll"
C:\Users\Jason\AppData\Roaming\QolaRzavd
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: jason.roberts10000 on March 09, 2016, 07:40:36 PM
Hmm, I'll try that.

One thing I did notice after leaving my computer disconnected from the internet for a while and coming back to it this morning, the popups have stopped when I connected to the internet.

I had been fiddling with IPConfig before I disconnected (I tried to switch over to IPv6 from IPv4, but that didn't work; nor did release or renew, but then I tried flush DNS and registerDNS). However, I doubt that means it is gone (probably hibernating or biding its time), so I'll still do this suggestion and get back to you.
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: jason.roberts10000 on March 09, 2016, 07:48:33 PM
I ran that FRST program again with the fixlist, it asked me to restart, I did. It partially worked. By partially, I mean it got rid of the reannewscomm popups, but it is now replaced with two new ones I've never seen before for two different URLs; otherwise the same (URL:Mal and C:/Windows/Explorer). But they only appeared once, after I booted up.

Trying next program.
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: jason.roberts10000 on March 09, 2016, 07:58:04 PM
OK, did that. Reannewscomm appears to be gone, but at restart, had 4 blocked URL:Mal C:/Windows/Explorer, weirdly named sites, each different from the last.

Here is the log. (Didn't find it in C:/ though, found it in Program Files)
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: essexboy on March 10, 2016, 03:49:31 PM
Could I see the FRST fixlog please, are you still getting alerts
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: jason.roberts10000 on March 10, 2016, 08:49:52 PM
I spoke too soon. Today Reannewscomm.com came back, and the others aren't around. So frustrating.

Um... I don't know if it did produce a log. But I'll check.

EDIT: Found it!

EDIT 2: Nope, the other 4 just re-appeared. Poop.

EDIT 3: I will mention that the Fix didn't technically kill the virus. It moved a "copy" of the virus to quarantine, but a fresh copy was rebuilt at C:/Users/Jason/AppData/Roaming/QolaRzavd or, it copied the virus to quarantine and left the original... not quite sure which. Anyway, I left the virus copy in quarantine and deleted the original, but I'm still getting the popups. Note, I was getting them before and after deleting it so I doubt deleting the original is problematic.
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: essexboy on March 10, 2016, 09:10:12 PM
Could I have a fresh FRST log please also a screenshot of the popups
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: jason.roberts10000 on March 10, 2016, 09:26:24 PM
Sure I'll rerun FRST64.exe and try to get screenshots of the popups.
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: jason.roberts10000 on March 10, 2016, 09:41:16 PM
Okay Reran, nothing detected, but uploading logs anyway. Also, got 4 screenshots. 1 for Reannews, and 3 for ones I've never seen before, and not the earlier 4 I mentioned. Haven't seen those pop up again recently, so no screenshots for them. But...

In Task Manager, in Processes, I'm noticing several of these pop up, increase in memory and CPU, and then disappear. These tend to correlate precisely with when I get another popup. Also, I have about 4-5 of them active in my Task Manager as well. Processes (if it helps):

COM Surrogate
Console Window Host
CTF Loader
Windows Installer
Client Server Runtime Process

I'll also mention that since the virus is only active when I'm online, these processes are not active when I'm offline if it helps and only become active the moment I plug in my wired connection.
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: jason.roberts10000 on March 10, 2016, 09:42:21 PM
4 attachment maximum, so posting other two here.
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: essexboy on March 10, 2016, 09:52:53 PM
I would like you to run this fix from safe mode as the bad boy has re-appeared

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKU\S-1-5-21-429370524-3042837960-4195566341-1001\...\Run: [QujiBvaw] => regsvr32.exe "C:\Users\Jason\AppData\Roaming\QolaRzavd\YitUvfo.dll"
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
2016-03-08 13:39 - 2016-03-08 15:47 - 00000000 ____D C:\Users\Jason\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
2016-03-08 13:39 - 2016-03-08 13:39 - 00003336 _____ C:\Windows\System32\Tasks\SpyHunter4Startup
2016-03-08 13:38 - 2016-03-08 13:38 - 00022704 _____ C:\Windows\system32\Drivers\EsgScanner.sys
2016-03-08 13:18 - 2016-03-08 13:18 - 00000000 ___HD C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}
Task: {5B66FAC9-6967-42C8-80C9-62DA1432E660} - System32\Tasks\SpyHunter4Startup => C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe
HKU\S-1-5-21-429370524-3042837960-4195566341-1001\Software\Classes\.exe: exefile =>  <===== ATTENTION
HKU\S-1-5-21-429370524-3042837960-4195566341-1001\Software\Classes\exefile:  <===== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\str => ""="service"
C:\Users\Jason\AppData\Roaming\QolaRzavd
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated please post that
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: jason.roberts10000 on March 10, 2016, 11:19:37 PM
Can't. Restarted in Safe Mode, and whenever I click on to run the program, with or without Run as Administrator, explorer.exe crashes, and resets back to the Help / Support screen that initially pops up when restarting in safe mode.

EDIT2: I just noticed that the file I tried to use may not have been the original FRST, so I'm going to try the original FRST in safe mode now.

EDIT: After deleting the original virus in Roaming, the virus threw a tantrum for the reannewscomm WITHOUT running FRST, at restarting, stating for Register Server that it couldn't be found.

However, the other viruses have returned in force.

The popups go away before I can grab screenshots, but the files they are trying to use are in C:/Windows/System32/ : All by a new virus called "xml.infinity.info.com"
- conhost.exe
- msiexec.exe
- explorer.exe
- ctfmon.exe
- PresentationHost.exe
- msdtc.exe
- taskhost.exe
- notepad.exe (found in windows)

If none of the fixes here will solve the problem, I will be forced to use the last resort option, which is to contact my ISP and see if they can block the servers from contacting me (as they'd have to send their signals and viruses through my ISP to do it). However, I'm reticent to do this as I'm not sure it will work OR if they could do it.
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: jason.roberts10000 on March 10, 2016, 11:46:00 PM
Nope, wouldn't work in Safe Mode. So I ran it in normal mode, and it "appears" to have killed the virus.

I had no popup for register server at boot up this time. And haven't yet had any other Avast popups.

I'll remain watchful for the rest of the day to ensure it isn't hiding somewhere, but I believe that finally did it so...

THANK YOU VERY MUCH I REALLY APPRECIATE IT!

Uploading fixlog just in case.
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: essexboy on March 11, 2016, 02:25:47 PM
Looks like the main miscreant was hiding in the program data folder

Could I have one final FRST scan to check please

Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: jason.roberts10000 on March 11, 2016, 08:13:11 PM
Sure I can do that. Here are the logs.
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: essexboy on March 11, 2016, 08:20:16 PM
Now the programme data folder has gone the trigger is revealed :)

Let me know of any problems after this

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
CustomCLSID: HKU\S-1-5-21-429370524-3042837960-4195566341-1001_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\tsmf.dll => No File <==== ATTENTION

 
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated please post that
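The three fixlists above share a pattern worth recognising in any FRST log: a Run value that uses regsvr32.exe to load a DLL from AppData\Roaming, a per-user CustomCLSID whose InprocServer32 points into a GUID-named ProgramData folder, and SafeBoot/Task entries that need a sanity check. The per-user CLSID is what ties the "Process = C:\Windows\Explorer.exe" alerts together: HKCU\Software\Classes\CLSID is consulted before the machine-wide key, so the DLL is loaded into whichever process instantiates that COM object, typically explorer.exe at logon. The script below is an added example, not code from the forum, FRST or Avast; it assumes the line formats exactly as quoted in this thread. The sample is constructed from those quoted entries plus two invented lines: a benign SecurityHealth Run value for contrast, and a copy of the CustomCLSID line with the "=> No File" suffix removed to show how it would have looked while tsmf.dll still existed.

```python
"""Triage FRST-style persistence lines for the indicators seen in this thread.

Added example (not FRST's or the forum's code). Input: lines in the format
FRST prints for Run keys, CustomCLSID, SafeBoot and Task entries. Output:
findings ranked by how strongly each line points at user-land persistence.
"""
import re
from dataclasses import dataclass

# Directories an unprivileged process can write to; a logon-time DLL/EXE living
# here is the usual sign of adware/malware rather than an installed product.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)
# Signed Windows binaries commonly used to load a DLL without a process of its own.
LOADER = re.compile(r"\b(regsvr32|rundll32|mshta|wscript|cscript)(\.exe)?\b", re.I)
# FRST appends this marker to lines it wants the analyst to look at; strip it first.
ATTENTION = re.compile(r"\s*<=+\s*ATTENTION\s*$")

RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+\\\S*?)\\Run(?:Once)?: \[(?P<name>[^\]]+)\] => (?P<cmd>.+)$")
CLSID_RE = re.compile(
    r"^CustomCLSID: (?P<key>HKU\\\S+\\CLSID\\\{[0-9A-F-]+\}\\InprocServer32) -> "
    r"(?P<path>.+?)(?: => (?P<status>No File))?$", re.I)
SAFEBOOT_RE = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(?P<profile>Minimal|Network)\\(?P<entry>\S+) =>")
TASK_RE = re.compile(r"^Task: \{[0-9A-F-]+\} - System32\\Tasks\\(?P<name>\S+) => (?P<target>.+)$", re.I)

SEVERITY_ORDER = {"high": 3, "medium": 2, "review": 1, "info": 0}


@dataclass
class Finding:
    severity: str
    kind: str
    detail: str
    line: str


def triage_line(raw: str):
    """Classify one FRST line; returns a Finding or None for lines we do not parse."""
    line = ATTENTION.sub("", raw.strip())
    if not line:
        return None
    if m := RUN_RE.match(line):
        cmd = m["cmd"]
        if LOADER.search(cmd) and USER_WRITABLE.search(cmd):
            return Finding("high", "run-key",
                           f"Run value '{m['name']}' uses a system loader to pull a DLL from a user-writable path", line)
        if USER_WRITABLE.search(cmd):
            return Finding("medium", "run-key", f"Run value '{m['name']}' starts a binary from a user-writable path", line)
        return Finding("info", "run-key", f"Run value '{m['name']}' points into a program directory", line)
    if m := CLSID_RE.match(line):
        if m["status"]:  # FRST already saw that the DLL is gone: an orphan to tidy, not a live threat
            return Finding("medium", "com-orphan",
                           "per-user CLSID still registered but its InprocServer32 DLL is gone; delete the key", line)
        if USER_WRITABLE.search(m["path"]):
            return Finding("high", "com-hijack",
                           "per-user InprocServer32 overrides the machine CLSID; loaded into whichever process "
                           "(e.g. explorer.exe) instantiates the object", line)
        return Finding("review", "com-custom", "per-user COM registration outside user-writable paths", line)
    if m := SAFEBOOT_RE.match(line):
        return Finding("review", "safeboot",
                       f"'{m['entry']}' is allowed to start in Safe Mode ({m['profile']}); confirm it belongs to an installed product", line)
    if m := TASK_RE.match(line):
        sev = "high" if USER_WRITABLE.search(m["target"]) else "info"
        return Finding(sev, "task", f"scheduled task '{m['name']}' runs {m['target']}", line)
    return None


def triage(text: str):
    """Parse every line and return findings, most severe first (stable within a level)."""
    findings = [f for f in (triage_line(ln) for ln in text.splitlines()) if f]
    return sorted(findings, key=lambda f: -SEVERITY_ORDER[f.severity])


# Constructed sample: the entries quoted in this thread, a benign Run value
# invented for contrast, and the CustomCLSID line as it would have read before
# the DLL was removed (the thread only shows the "No File" form).
SAMPLE = r"""
HKU\S-1-5-21-429370524-3042837960-4195566341-1001\...\Run: [QujiBvaw] => regsvr32.exe "C:\Users\Jason\AppData\Roaming\QolaRzavd\YitUvfo.dll"
HKLM\...\Run: [SecurityHealth] => C:\Windows\system32\SecurityHealthSystray.exe
CustomCLSID: HKU\S-1-5-21-429370524-3042837960-4195566341-1001_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\tsmf.dll <==== ATTENTION
CustomCLSID: HKU\S-1-5-21-429370524-3042837960-4195566341-1001_Classes\CLSID\{2D349E57-23E4-4A67-9624-F1DC6B65AABF}\InprocServer32 -> C:\ProgramData\{F66CB4EE-546F-4D54-9332-216DE189AAB0}\tsmf.dll => No File <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice => ""="Service"
Task: {5B66FAC9-6967-42C8-80C9-62DA1432E660} - System32\Tasks\SpyHunter4Startup => C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity:6}] {f.kind:11} {f.detail}")
```

Run it against a pasted FRST log to get the high findings first. Note the ranking logic: the "No File" CLSID ranks below the live one because the loader can no longer find anything, which is exactly why the last fixlist above treats it as an orphan to tidy rather than an infection; the SafeBoot and SpyHunter task entries are flagged for review only, since they point at installed products rather than user-writable paths.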
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: jason.roberts10000 on March 12, 2016, 12:32:16 AM
Ok, did that. Here is the fixlog.

I couldn't find that file manually before fixing it, as the folder didn't exist anymore in ProgramData, but I'm sure there is a good reason you suggested doing it so I did it anyway. Appears that whatever you wanted removed got removed.

Need any more scans?
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: essexboy on March 12, 2016, 11:16:39 AM
That was just an orphan task, I like tidy :)

Any further problems ?
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: jason.roberts10000 on March 13, 2016, 12:26:26 AM
Nope. None have reared their ugly head for the past few days. Thank you very much for your assistance!
Title: Re: Constant Avast Blocked Popup - "reannewscomm"
Post by: essexboy on March 13, 2016, 11:49:25 AM
Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset  System Restore points:

Remove tools

Download and run Delfix (http://www.bleepingcomputer.com/download/delfix/)
Select the options as shown
(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/) install this programme to lock down and prevent crypto ransomware

(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)

Malwarebytes (http://www.malwarebytes.org/mbam-download.php)

Update and run weekly to keep your system clean

Unchecky (http://unchecky.com)

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme  ;)

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide  Best security practices  (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/)

Keep safe  :wave: