Avast WEBforum
Other => Viruses and worms => Topic started by: Yveline on June 15, 2012, 04:20:07 PM
-
Avast blocked an internet page saying a threat had been detected. Shortly afterwards, error messages started to appear, then a smart repair window scanning my PC and asking me to pay for fixing it, then the desktop became black with no icon and the start menu became blank every other time or so. The scan brought no result but avast still tells me there is a threat.
Cruising aroung with another computer, I slowly understood (I am far from being a pro) I got infected by smart repair that appears to be difficult to treat by various antivirus. Today, when I rebooted the computer, Avast updated and told me to run a scan right away.
Its result :
c:\programData\ge697PHqssaffz.exe infected par Win32 : Dropper-gen [Drp] (where I wrote 7 is actually a sign I don't know, close to 7 but the bottom part is vertical. Rest of the scan result
Click on
1 Cancel
2 Cancel all
3 Quarantine
4 Quarantine all
5 Fix
6 Fix all
7 Ignore
8 Ignore all
I clicked on 5 to fix and got error 42060 (the file didn't get fixed).
At this point, I don't know what to do because I am paranoied of doing something wrong and I need to enter something to get further. Can somebody tell me what to do?
Thanks,
Yveline
-
The safest option would be to Quarantine as that at least leaves you other options, whilst Delete doesn't leave any.
-
Thank you
I'll do that.
Yveline
-
Hey i would also recommend you do a scan with malware bytes anti malware witch is a good program to clean this kind of rough programs witch smart repair is.
http://filehippo.com/download_malwarebytes_anti_malware/
good luck.
-
Thank you
I'll do that.
Yveline
You're welcome.
-
Hi do you have the desktop and icons back ?
If not
- Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) and save it on your desktop.
- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished ...
- Click on Scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png)
- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png)
- The report has been created on the desktop.
- Next click on the ShortcutsFix
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png)
- The report has been created on the desktop.
Please attach: All RKreport.txt text files located on your desktop.
THEN
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach both logs
-
Wow! You're faster than I am. Your post regarding roguekiller was there before I had completed the process with malware byte. I was surprized it went fast since I read it took several hours. But, true, I went for the recommended quick scan. Should I go for the thourough scan?
Here is the report from malware byte. I saved it but don't know what to do with it.
Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Version of the database: v2012.06.15.07 Windows Vista x86 Service Pack 2 NTFS Internet Explorer 9.0.8112.16421 Rogine :: PC-DE-ROGINE [Administrator] 15/06/2012 18:31:10 mbam-log-2012-06-15 (19-12-54). txt Type: Full scan Scan options enabled: Memory | Start | Register | File System | Heuristic / Extra | Heuristic / Shuriken | PUP | PUM Scan options disabled: P2P Item (s) analyzed (s): 194581 Time elapsed: 5 minute (s), 37 second (s) Process memory detected (s): 0 (No malicious items detected) Module (s) detected memory (s): 0 (No malicious items detected) Key (s) detected the registry (s): 0 (No malicious items detected) Value (s) of the detected registry (s): 0 (No malicious items detected) Item (s) Memory Processes detected (s): 2 HKLM \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced | Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken. HKLM \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced | Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken. File (s) detected (s): 0 (No malicious items detected) File (s) detected (s): 0 (No malicious items detected) (end)
Regarding roguekiller, I have tried to download it but I got a red alert window that told me it might damage my computer. So I shied away. I had the same with pre_scan.
-
The programme is safe otherwise I would not recommend it, if it is IE with the red alert then select Actions > Run anyway
If it is Avast then select run normally.
This programme should restore all your folders and icons and OTL will show me what remains ;D
-
Does the malware byte report tell you anything?
-
It tells me that you may have a new variant as nothing was detected
-
Weird! The screen (before clicking on save report) tells me they detected 2 malware PUM.hijack.start menu
I'll now proceed to do something about roguekiller.
Yveline
-
They were just some registry entries that may be either good or bad dependant on what they are used for (Potential Unwanted Modification)
-
I completed the first part of rogue killer and attached the 3 files you said. I also have a quarantine file that was not there before.
I am moving on to next step and trying to find what is that page that popped out (system check). Maybe it is what you said next step should be)
Yveline
-
OK there are all the files and folders back... Next OTL to remove what remains ;D
RogueKiller V7.5.4 [07/06/2012] par Tigzy
mail: tigzyRK<at>gmail<dot>com
Remontees: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html
Blog: http://tigzyrk.blogspot.com
Systeme d'exploitation: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Demarrage : Mode normal
Utilisateur: Rogine [Droits d'admin]
Mode: Raccourcis RAZ -- Date: 15/06/2012 20:16:18
¤¤¤ Processus malicieux: 0 ¤¤¤
¤¤¤ Driver: [CHARGE] ¤¤¤
¤¤¤ Attributs de fichiers restaures: ¤¤¤
Bureau: Success 15 / Fail 0
Lancement rapide: Success 2 / Fail 0
Programmes: Success 3 / Fail 0
Menu demarrer: Success 30 / Fail 0
Dossier utilisateur: Success 4839 / Fail 0
Mes documents: Success 8695 / Fail 0
Mes favoris: Success 48 / Fail 0
Mes images: Success 552 / Fail 0
Ma musique: Success 2 / Fail 0
Mes videos: Success 3 / Fail 0
Disques locaux: Success 10562 / Fail 0
Sauvegarde: [FOUND] Success 0 / Fail 1
Lecteurs:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\HarddiskVolume7 -- 0x2 --> Restored
[G:] \Device\HarddiskVolume3 -- 0x2 --> Restored
[H:] \Device\HarddiskVolume4 -- 0x2 --> Restored
[I:] \Device\HarddiskVolume5 -- 0x2 --> Restored
[J:] \Device\HarddiskVolume6 -- 0x2 --> Restored
¤¤¤ Infection : Rogue.FakeHDD ¤¤¤
Termine : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
-
Well, I went on with next step which was downloading OTL. I first had a red alert from smart screen telling me it could damage the computer but I did proceed, and once it was downloaded, my antivrus (avast) popped out saying it found it suspicious and ran it in "the sandbox". Should I keep going?
Yveline
-
Restart OTL and when Avast sandboxes, it in the drop down box select run as normal and tick the remember box.
-
I had some trouble proceeding. Avast did want to run OTL in the sandbox and thge scan took a while.
Attached are both logs.
Yveline
-
OK lets now run this - once done could you let me know if you are having any problems
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
[2012/06/15 01:20:26 | 000,000,152 | ---- | M] () -- C:\ProgramData\-ge69lPHqSsaFFzr
[2012/06/15 01:20:26 | 000,000,000 | ---- | M] () -- C:\ProgramData\-ge69lPHqSsaFFz
[2012/06/15 01:20:24 | 000,000,609 | ---- | M] () -- C:\Users\Rogine\Desktop\Data_Recovery.lnk
[2012/06/15 01:20:22 | 000,000,256 | ---- | M] () -- C:\ProgramData\ge69lPHqSsaFFz
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Here are the logs. I can see no additional file compared to last time but I can see these files got modified. So, I assume the new logs are on them.
Now, the icons came back on the desktop and the start menu is populated again (don't know yet if everything is there) but the desktop is still black.
Yveline
-
Whilst I look at the log, right click on the desktop and select personalise
Select a new background .. Does it change ?
-
There are a few Norton drivers left.. If you wish I can remove them for you
Otherwise that looks good
-
Yes, the desktop looks right after doing what you said.
And if the Norton drivers are not necessary, might as well remove them
-
OK they be gone ;D Is the system behaving itself now ?
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\SymIM.sys -- (SymIMMP)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\SymIM.sys -- (SymIM)
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
-
I am going to run OTL like you said.
Apparently, the screen look fine at the moment, but of course, I have not used it yet, since I was busy with OTL etc.
-
OK once you have rebooted have a little play with the computer to see that all is working as it should... Then once you are happy I will remove my tools and tidy up
-
After running OTL with the code you gave, I just checked my mail and quickly googled. The PC looks FINE. What can I say? THANK YOU. You cannot imagine how tense I have been all day trying to understand what was what and doing things beyond my skills.
When you talk about removing your tools, is it about removing antimalware byte, rogue killer, OTL and their logs? I was about to ask what to do about them.
Besides, I have something that's popping up the file XYZ (long name, exactly the one avast told me was a threat) has been modified or moved. This shortcut doesn't work properly any longer. Do you want to cancel it. Is it the right time to cancel it?
Yveline
-
OK I can see it I missed two - this should clear it
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2012/06/15 01:20:24 | 000,000,000 | ---D | C] -- C:\Users\Rogine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Recovery
[2012/06/15 01:57:39 | 000,000,633 | ---- | M] () -- C:\Users\Rogine\Application Data\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
-
Here is the new log.
-
Could you confirm that the error has now gone
-
Yes, the error has gone.
-
Ah, j'oubliais... J'ai remarqué que la ligne "documents récents" du menu démarrer a disparu. Ce n'est pas fondamental, mais il y a peut-être des choses comme cela à droite et à gauche que je découvrirai au fur et à mesure.
-
Ok I will look for a fix for that
-
Have a look here http://www.vistax64.com/tutorials/148461-personal-user-folder-restore-missing-folder.html
-
J'ai essayé avec cette page, mais cela n'a rien donné.
Par contre, j'ai essayé une autre manipulation (merci le résultat google à une recherche sur le sujet) en cliquant droit sur barre des tâches et en papouillant sur une fenêtre relative au menu démarrer. La ligne document récents est réapparue tout comme les lignes "réseau" et "connection". Je n'avais pas encore réalisé qu'elles manquaient mais je trouvais que c'était un peu clairsemé dans ce coin-là.
-
Any further problems ?
-
Can I delete the stuff that came with getting rid of the virus?
- Roguekiller; antimalwarebyte and OTL
- logs that now sit on the desktop as well as a quarantine file from roguekiller
- I also saw in a subfolder a number of files starting with "reg". I don't think they were there before.
-
essexboy will remove the tools used when he is done....so check back tomorrow. ;)
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Go to control panel
- Select folder options (Appearance > Folder options in category view)
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- GoStart > All programs > Accessories > system tools
- Right click Disc cleanup and select run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
I just did good part of what you said:
- I ran OTL. A log popped out when it was done, but I couldn't locate it after I had to reboot. I notice I still have the shortcut to OTL on the desktop as well as under C:\. I still have the roguekiller reports and quarantine folder on the desktop
- I upgraded Java. I was surprized you said it was out of date as I have automatic updates and proceed when I am told
- I downloaded malwarebytes at the beginning of the struggle. From what you said, I understand I should keep it and run it weekly. As I am far from being a geek, I am always shy about such downloads/set ups as I hear about conflicts and don't know point one about these. So, Malwarebytes will be living OK with Avast + whatever security comes with windows vista?
- you tell me to download FileHippo update checker. Windows automatic updates is activated and brings in new stuff regularly. What more will that update checker do? (Feel free to laugh if that is obvious to you)
- you say it is critical to have a firewall and antivirus and keep them updated. I thought I had. Avast is updating constantly and when I click on windows security center, I can see: firewall, automatic updates, anti malware protection, more security, all green and activated.
-
ran OTL. A log popped out when it was done, but I couldn't locate it after I had to reboot. I notice I still have the shortcut to OTL on the desktop as well as under C:\. I still have the roguekiller reports and quarantine folder on the desktop
Re-run OTL and then hit the cleanup button to do the final removal
I upgraded Java. I was surprized you said it was out of date as I have automatic updates and proceed when I am told
The autoupdater is sometimes a tad slow
I downloaded malwarebytes at the beginning of the struggle. From what you said, I understand I should keep it and run it weekly. As I am far from being a geek, I am always shy about such downloads/set ups as I hear about conflicts and don't know point one about these. So, Malwarebytes will be living OK with Avast + whatever security comes with windows vista?
MBAM works quite happily with Avast as they have different areas of responsibility
you tell me to download FileHippo update checker. Windows automatic updates is activated and brings in new stuff regularly. What more will that update checker do? (Feel free to laugh if that is obvious to you)
This programme will tell you when any non-windows programmes have an update available for download... e.g. Notepad++
you say it is critical to have a firewall and antivirus and keep them updated. I thought I had. Avast is updating constantly and when I click on windows security center, I can see: firewall, automatic updates, anti malware protection, more security, all green and activated.
This is a generic warning for those that are not so savvy and need prompting.. So I add to all my cleanup processes.. Nothing more than that
-
I ran OTL again. This time, OTL has disappeared from the download folder and I cannot see it any longer under C:\ . The OTL shortcut on the desktop doesn't work any longer (this, I know I can safely delete). I still have on the desktop 3 RK report + 1 quarantine folder + 1 Malwarebyte log.
Thank you for the answer regarding the file hippo update checker. To make sure : will it live happy with the windows updater?
Besides, I periodically run CCleaner (from a previous computer, I learnt you should do computer cleaning as you do house cleaning) ( ;). Each time, I see CCleaner can fix registry as well. On one hand, I hear that registry is touchy matter and only skilled people should deal with it. On another hand, I hear that over time, havoc builds up in the registry and it not good for the computer. Is using CCleaner "fix registry" a safe part of good maintenance or should I keep on keeping away from it? (Hopefully you won't tell me to download and update regularly one more software!)
Yveline
-
Just delete the RK logs from the desktop.. I guess the naming has changed so OT will need to update the cleaning routines
From my perspective, registry cleaning is a total waste of time and it can be dangerous... There is no performance affect in having an untidy registry ... Unless you can see milliseconds differences in booting ;D
-
I did delete the logs and made note of your answer regarding fix registry.
Thanks
Yveline
-
My pleasure keep safe ;D