Avast WEBforum
Other => Viruses and worms => Topic started by: adc on February 02, 2012, 10:40:01 PM
-
Greetings All,
I've been working with a friend's Asus laptop that was infected with a fake security program.
I have been able to get Avast Internet Security (AIS) running and have removed and deleted:
(1) isecurity.exe (Fake Security App)
(2) $REEEP7L.exe described as MSIL:Dropper
and
(3) other various temp, or infected files.
I've had some of the same problems as others here: trying to repair or move consrv.dll causes a boot problem, which needs to be repaired before troubleshooting can be resumed.
A current scan with AIS shows that only 4 files remain that need some type of "Action".
(1) C:\...\consrv.dll High Threat: Win32:Siref-HO (Rtk)
(2) C:\...\consrv.dll High Threat: Win32:Siref-HO (Rtk)
(3) C:\...\RLO2j3.com High Threat: Win32:FakeAlert-BVT (Trj)
(4) C:\...\consrv.dll High Threat: Win32:Siref-HO (Rtk)
I believe it is time to try and run OTL and aswMBR, but I will definitely need some guidance.
The laptop's OS is Windows 7 SP1, 64-bit.
Thanks for any help.
Al
-
I believe it is time to try and run OTL and aswMBR, but I will definitely need some guidance.
You will find the guide here:
http://forum.avast.com/index.php?topic=53253.0
Attach the logs: lower left corner > additional options > attach
-
Monitoring
-
Thanks for link.
Results for MalwareBytes scan and repair.
OTL is on my Desktop. 8)
++++++++
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.02.08
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Jwoww :: J-PC [administrator]
2/2/2012 1:55:30 PM
mbam-log-2012-02-02 (13-55-30).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215061
Time elapsed: 5 minute(s), 50 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\Windows\System32\RLO2j3.com (Trojan.Krypt) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\RLO2j3.com (Trojan.Krypt) -> Quarantined and deleted successfully.
C:\Users\Jwoww\Downloads\FLVPlayerSetup.exe (Adware.Agent) -> Quarantined and deleted successfully.
(end)
-
OTL.txt attached.
-
Extras.txt attached.
Note: Both files were too large in total to place in one reply.
Should I wait for a reply to run aswMBR?
-
Should I wait for a reply to run aswMBR?
Nope... run it and attach the log.
Essexboy is logged out now, but will be back tomorrow. He is usually in here around 08:00 pm - 11:59 pm UK time.
-
Completed aswMBR scan, and the log file is attached.
Should I "Fix", or wait for a reply?
Or, should I just wait for Essexboy's reply tomorrow?
THX
Al
-
Should I "Fix", or wait for a reply?
You wait for Essexboy... so this is done properly ;)
OBS... that is the longest aswMBR log I have seen.
-
You wait for Essexboy... so this is done properly ;)
OBS... that is the longest aswMBR log I have seen.
I thought I might have to split the log in two in order to attach. ;D
THX again.
Al
-
aswMBR gets better every time
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
IE - HKU\S-1-5-21-72642340-1585939968-2348190475-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
[2011/11/18 23:19:20 | 000,000,000 | ---D | M] (StartNow Toolbar) -- C:\Users\Jwoww\AppData\Roaming\Mozilla\Firefox\Profiles\21lng6lc.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
O2 - BHO: (StartNow Toolbar Helper) - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll ()
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - No CLSID value found.
O3 - HKLM\..\Toolbar: (StartNow Toolbar) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll ()
O4 - HKLM..\Run: [StartNowToolbarHelper] "C:\Program Files (x86)\StartNow Toolbar\ToolbarHelper.exe" File not found
[2011/12/24 04:50:50 | 000,000,112 | ---- | C] () -- C:\ProgramData\k3yIM1c.dat
:Files
ipconfig /flushdns /c
C:\Program Files (x86)\StartNow Toolbar
C:\Windows\tasks\At*.job
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Re-Run aswMBR
Click Scan
On completion of the scan
Click the Fix Button
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBR_Zero.png)
Save the log as before and post in your next reply
-
Essexboy,
I started OTL 25 minutes ago (12:25 pm PST) and I got an alert box that read "Cannot create file C:\Windows\System32\drivers\etc\Hosts." I clicked "OK" and OTL has the message at the bottom that says "Resetting HOSTS file. DO NOT INTERRUPT..." and it has had that message for over 12 minutes.
OTL may be stuck.
-
OK, close it out and manually reboot please - do you have Spybot?
-
OK, close it out and manually reboot please - do you have Spybot?
Yes Spybot is installed on machine. I can remove if needed.
-
It is protecting the HOSTS file, and it does need resetting.
So if you could uninstall it when we do the final sweep OTL run.
-
Spybot is uninstalled, and machine rebooted.
Waiting to restart OTL.
-
OK, you will notice the biggest difference when aswMBR has done its thing.
-
OK, you will notice the biggest difference when aswMBR has done its thing.
Don't we need to re-run OTL with your script first before running aswMBR?
-
When you ran the OTL fix, resetting hosts is the last element, so it did the other removals.
So go straight to the aswMBR fix run now please.
-
When you ran the OTL fix, resetting hosts is the last element, so it did the other removals.
So go straight to the aswMBR fix run now please.
The new scan with aswMBR indicated some removals had not been accomplished with OTL.
A 2nd scan with aswMBR and "FIX" appears to have quarantined all infected files.
The "fixed" aswMBR log file is attached.
Waiting for further instructions. :)
-
It does look better, doesn't it ;D
Could you now run a fresh OTL quick scan please to see what remains?
How is the system behaving now?
-
It does look better, doesn't it ;D
Could you now run a fresh OTL quick scan please to see what remains?
How is the system behaving now?
Yes, the log file looked much cleaner. 8)
And, I'm sure the machine is running better.
Will get a fresh OTL quick scan log for you shortly.
-
I will be offline soon, as I need to listen to Harry's Game ;D But I shall return on the morrow.
-
I will be offline soon, as I need to listen to Harry's Game ;D But I shall return on the morrow.
Attached is a "fresh" OTL log file.
Thank you.
I will monitor the laptop for awhile to watch for any strange operation.
I thought after all this, and being a member of the Avast forum since 2008, my status as "Newbie" would change, but alas it was not to be. ::)
-
I thought after all this, and being a member of the Avast forum since 2008, my status as "Newbie" would change, but alas it was not to be.
User rankings are dependent on the number of posts made by the user. :)
It's just that you have had few problems, which is a good thing.
-
That looks pretty - could you now do the following to reset the TCP/IP stack:
Run the MSFixit on this page http://support.microsoft.com/kb/299357
Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php)
- Double click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
-
That looks pretty - could you now do the following to reset the TCP/IP stack:
Run the MSFixit on this page http://support.microsoft.com/kb/299357
Cheers... ;D
Applied MSFixit without any error message.
I had already run a quick scan after you signed off yesterday, but ran it again this morning as you requested.
Attached is the log.
-
It's just that you have had few problems, which is a good thing.
mchain,
You are correct. I am fortunate to have had only one "serious" problem in 4 years. :)
cheers,
Al
-
Any further problems apparent ?
-
Any further problems apparent ?
I do have a question about an error with the firewall, as I get a Windows Firewall error when I try to "Use recommended settings".
"Windows Firewall can't change some of your settings.
Error code 0x80070424"
Is this something AIS is causing, or something that needs to be corrected?
Neither ZoneAlarm nor Comodo is installed.
Other than this everything seems to be running normally.
Edit Added:
Windows Defender is stopped and issues an error when attempting to Start.
"The specified service does not exist as an installed service. (Error Code: 0x80070424)"
-
OK, let's check for damage.
Run Farbar Service Scanner (http://"http://download.bleepingcomputer.com/farbar/FSS.exe")
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/fss.jpg)
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
-
Your link doesn't work, but I found it. :)
FSS.txt attached.
-
Oops, my error, a different forum software.
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
I am just going to upload to my site the registry keys that you are missing.
Download them to your desktop.
Right click each one and select Merge.
Accept the warnings and then re-run Farbar.
https://skydrive.live.com/?cid=32D8666F4048075B&id=32D8666F4048075B%21117&sc=documents
Files are:
wscsvc.reg
bfe.reg
MpsSvc64.reg
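As an added example that is not part of this thread or of Farbar Service Scanner, the checks FSS reported above (service state, Start type, ImagePath, ServiceDll) can be reproduced for these three services from an elevated PowerShell prompt; only the service names come from the log, the registry layout is standard Windows and the script itself is assumed:

```powershell
# Added example: re-create the FSS checks for MpsSvc, BFE and wscsvc
# (Windows Firewall, Base Filtering Engine, Security Center).
# Not from the thread or from FSS; run as Administrator.
$services = 'MpsSvc', 'BFE', 'wscsvc'

# Meaning of the DWORD under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Start
$startTypes = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

foreach ($name in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $state = if ($svc) { $svc.Status } else { 'not installed' }
    Write-Output "$name service: $state"

    if (-not (Test-Path $key)) {
        # The condition FSS reported: the whole service key is gone.
        Write-Output "  Attention! Registry key $key does not exist."
        continue
    }

    $props = Get-ItemProperty -Path $key
    $start = $startTypes[[int]$props.Start]
    if (-not $start) { $start = "unknown ($($props.Start))" }
    Write-Output "  Start type : $start"
    Write-Output "  ImagePath  : $($props.ImagePath)"

    # svchost-hosted services keep the real module under Parameters\ServiceDll
    $paramKey = Join-Path $key 'Parameters'
    if (Test-Path $paramKey) {
        $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) {
            $expanded = [Environment]::ExpandEnvironmentVariables($dll)
            $present = if (Test-Path $expanded) { 'present' } else { 'MISSING' }
            Write-Output "  ServiceDll : $dll ($present)"
        }
    }
}
```

A service whose key exists but reports Start type Disabled matches what the later Farbar scan in this thread showed, and is a different repair from a missing key (which the .reg merge addresses).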
-
All 3 Reg files Merged successfully.
FSS.txt attached.
-
Could you now reboot and try the firewall and Defender?
-
Reboot...
Windows Defender is still stopped and issues an error when attempting to Start.
"The specified service does not exist as an installed service. (Error Code: 0x80070424)"
The Firewall is still giving the same error as before.
-
Well, all the related files and keys are there, so let's go for an automated fix to kick-start them.
Download Windows Repair (all in one) from this site (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)
Install the programme, then run it.
Go to step 2 and allow it to run Disc check (This stage can be skipped)
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture3.gif)
Once that is done then go to step 3 and allow it to run SFC
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture.gif)
On the start repairs tab select advanced mode and click start
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture1.gif)
Select the items ticked (remove the ticks from the rest) and tick Restart system when finished.
-
Tweaking is still working hard at Step 5.... ::)
I forgot to tick Restart. Presume manual restart okay?
-
Aye, that will work.
Did the SFC scan make any changes?
-
Aye, that will work.
Did the SFC scan make any changes?
SFC results indicated:
"Windows Resource Protection did not find any integrity violations."
Tweaking just finished. Asking for restart.
p.s.
It's getting to be pretty late where you are..
How much longer will you be available?
-
Machine is back up.
The Firewall and Defender are still down.
The Firewall error appears to have changed from "0x80070424"
Current error:
"Windows Firewall can't change some of your settings.
Error code 0x8007042c"
Can't restart Defender either.
-
During the current lull period I ventured to the below Microsoft website and within the 11 pages I found the solution, as did many others. My Base Filtering Engine (BFE), Windows Firewall, Windows Defender are currently running. :)
Error Code 0x80070424 with Windows Firewall, Defender in Windows 7 (http://answers.microsoft.com/en-us/windows/forum/windows_7-security/error-code-0x80070424-with-windows-firewall/ec3fc3b8-69ec-4b4b-a703-4b745fe6e8ee)
In addition I found that the protections on the laptop's 2nd Hard drive (D:) had been removed. Protection was probably disabled on D: drive during the recent Malware Attack, and rendered it unusable. I re-enabled protection on it to bring it back to life. :)
I will continue to monitor the operation of the laptop, and see if there is anything else that falls in the category of strange behavior of the OS.
For now everything is going okay, and I have attached a current FSS.exe scan. ;D
Thank you again for your expertise, and time.
I will be standing by in case you have any other requests.
Cheers,
Al
-
Essexboy,
I no longer have the laptop in my possession as the owner came tonight to pick it up.
It was recommended that the owner just shut the laptop off and bring it back to me immediately if the Fake Security Malware appears again. Hopefully the problem won't come back. ::)
THX to all. ;D 8)
Al
-
Yes, that looked clear. The problem I saw with the last Farbar scan was that the services were set to disabled, and Windows Repair should have reset them, as all the keys and files were in the right place, just not started.
The only follow-up I was going to do was to remove the tools.
-
Yes, that looked clear. The problem I saw with the last Farbar scan was that the services were set to disabled, and Windows Repair should have reset them, as all the keys and files were in the right place, just not started.
The only follow-up I was going to do was to remove the tools.
I received a call from the laptop's owner late last night, and he was very pleased that the malware infection was eliminated. ;D
It was a pleasure to work with you.
Clean-up accomplished. :) Removing the tools, reg files, and logs was the last item of business before returning the laptop. ;D 8)
Cheers,
Al
-
No problem - I hope you got some good tools out of it ;D