Avast WEBforum
Other => Viruses and worms => Topic started by: Menecairiel on June 22, 2012, 11:19:47 PM
-
...and it sets off my AVAST! network shield.
I was hit at the same time by two separate processes in different folders trying to contact urbangood.info
The first was a string of numbers for a name of an app in my user folder. This didn't change name, it remained the same but set my network shield off about every ten minutes no matter what I was doing.
The second, that hit at the same time and is clearly connected, is changing name. I can see the apps spawning in the programdata folder and changing name to a string of letters. There is one file that stays the same name (and it is listed as a file, not an app, called 'ootlclxrxndzgll'), and every time there is a change of the time on the date last modified for it, another app is spawned or one disappears, so it definitely seems to be the 'cause' of it. This sets off my network shield too, but it seems to be only when I open up a webpage with this one, and it's a different app with a new name each time that is listed on the avast popup. It is also trying to contact urbangood.info
Now, I ran sophos virus removal tool. It found two threats. One I have no idea if it was related or not, but the other was definitely related. It was called the troj/zbot-cbw and after clean up it successfully deleted the first app I described, the one that was a string of numbers and remained the same.
However, after clean up, it hasn't got rid of the ones in the programdata folder that are spawning and changing.
The log sophos left over is:
2012-06-22 20:13:33 Could not open C:\hiberfil.sys
2012-06-22 20:14:06 Could not open C:\pagefile.sys
2012-06-22 20:28:57 Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2012-06-22 20:28:57 Could not open C:\System Volume Information\{dc5226be-b89e-11e1-8676-0024548519b0}{3808876b-c176-4e48-b7ae-04046e6cc752}
2012-06-22 20:28:57 Could not open C:\System Volume Information\{dc5226cc-b89e-11e1-8676-0024548519b0}{3808876b-c176-4e48-b7ae-04046e6cc752}
2012-06-22 20:28:57 Could not open C:\System Volume Information\{dc522731-b89e-11e1-8676-0024548519b0}{3808876b-c176-4e48-b7ae-04046e6cc752}
2012-06-22 20:29:20 >>> Virus 'Troj/Zbot-CBW' found in file C:\Users\Katherine\0.5262248442813692.exe
2012-06-22 21:00:44 >>> Virus 'Mal/ExpJS-AL' found in file C:\Users\Katherine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N2116PGF\index[4].htm
2012-06-22 21:16:38 Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2012-06-22 21:16:38 Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2012-06-22 21:16:43 Could not open C:\Windows\System32\config\RegBack\DEFAULT
2012-06-22 21:16:43 Could not open C:\Windows\System32\config\RegBack\SAM
2012-06-22 21:16:43 Could not open C:\Windows\System32\config\RegBack\SECURITY
2012-06-22 21:16:43 Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2012-06-22 21:16:43 Could not open C:\Windows\System32\config\RegBack\SYSTEM
2012-06-22 21:17:16 Could not open C:\Windows\System32\drivers\sptd.sys
2012-06-22 21:35:57 The following items will be cleaned up:
2012-06-22 21:35:57 Troj/Zbot-CBW
2012-06-22 21:35:57 Mal/ExpJS-AL
2012-06-22 21:36:22 Process "C:\Users\Katherine\0.5262248442813692.exe:pid:00002d7c" belongs to 'Troj/Zbot-CBW'.
2012-06-22 21:36:22 Process "C:\Users\Katherine\0.5262248442813692.exe:pid:00002d7c" has been cleaned up.
2012-06-22 21:36:22 File "C:\Users\Katherine\0.5262248442813692.exe" belongs to 'Troj/Zbot-CBW'.
2012-06-22 21:36:22 File "C:\Users\Katherine\0.5262248442813692.exe" has been cleaned up.
2012-06-22 21:36:22 Removal successful
2012-06-22 21:36:34 File "C:\Users\Katherine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N2116PGF\index[4].htm" belongs to malware 'Mal/ExpJS-AL'.
2012-06-22 21:36:34 File "C:\Users\Katherine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N2116PGF\index[4].htm" has been cleaned up.
2012-06-22 21:36:34 Removal successful
2012-06-22 21:37:56 Scan completed.
2012-06-22 21:37:56
Any ideas on how I can get rid of this other half of the problem? Is it left over from the clean up? I'm running a kaspersky virus removal tool scan now, but I'm losing hope! I should also say I'm a tech simpleton so I may be slow!
Thanks in advance
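The behaviour described in the post (new executables and an extension-less file appearing directly under ProgramData and the user profile root) is easy to triage with a short PowerShell listing. The following is an added example, not code from the thread or from any of the tools named in it; it assumes Windows PowerShell 4.0 or later (for Get-FileHash) and uses an arbitrary 24-hour window. It lists recently created or modified executables and extension-less files in those two locations and hashes them so they can be looked up or attached to a forum post.

```powershell
# Added example (not from the thread): triage helper that lists recently
# created or modified executables (and extension-less files) directly under
# %ProgramData% and the user profile root, the two locations the poster saw
# activity in, and hashes them for lookup. Assumes PowerShell 4.0+ (Get-FileHash).
# The 24-hour default window is an arbitrary choice.

function Get-RecentDropperCandidates {
    param(
        [string[]]$Roots = @($env:ProgramData, $env:USERPROFILE),
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($root in $Roots) {
        # Top level only: the files in the thread sat directly in ProgramData
        # and in the profile root, not in subfolders. -Force includes hidden items.
        Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.LastWriteTime -ge $since -or $_.CreationTime -ge $since) -and
                ($_.Extension -in '.exe', '.dll', '.scr', '')
            } |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                [pscustomobject]@{
                    Path      = $_.FullName
                    Bytes     = $_.Length
                    Created   = $_.CreationTime
                    LastWrite = $_.LastWriteTime
                    Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    SHA256    = $hash
                }
            }
    }
}

# Usage: newest changes first, so the file that keeps being rewritten sits at the top.
Get-RecentDropperCandidates | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so hidden and system-attributed files are readable. A file whose LastWrite keeps advancing while nothing else on the machine is in use is exactly the "date last modified keeps changing" symptom the post describes, and the SHA256 column gives a stable identifier to quote even when the file names are random.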
-
follow this guide and attach (not copy and paste) logs from malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0
when done a malware remover will be notified and check the logs.........it may take several hours before he arrives
-
I am downloading OTL and got a notice that "OTL is not commonly downloaded and could harm your computer"....should I take heed to that?
-
if avast sandbox should alert then select "run normal"
-
If it is IE9 reporting then select run anyway
-
I allowed it and it is currently running :)
The MBAM report is attached. After running it, the files were removed and so far, nothing has spawned and no Avast has gone off. However, the file that kept changing its name is still there so I am doing all the steps just in case.
-
I will be going off line in a bit - but I will look first thing tomorrow ;D
-
Thank you! And I want to say thank you to everyone for being so helpful! It is strange how it feels like it is the end of the world when something like this happens...
Also, please see attached...everything else :) Hopefully this will help?
-
I see that you have run TDSSKiller, could you post the log
Warning: This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL
(http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg)
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (af1652ev)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-593423473-182427553-3595481273-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-593423473-182427553-3595481273-1000\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
[2012/06/22 22:49:25 | 000,000,052 | ---- | M] () -- C:\ProgramData\ootlclxrxndzgll
[2010/10/04 14:17:04 | 000,000,000 | -HSD | M] -- C:\Users\Katherine\AppData\Roaming\.#
@Alternate Data Stream - 1287 bytes -> C:\Program Files\Common Files\System:kjM0wgPfQPoB5RXv5ZYLFd
@Alternate Data Stream - 1286 bytes -> C:\Users\Katherine\AppData\Local\Temp:w1mZJk8b2rhFVfc09e8LCPo
@Alternate Data Stream - 1286 bytes -> C:\Users\KATHER~1\AppData\Local\Temp\:w1mZJk8b2rhFVfc09e8LCPo
@Alternate Data Stream - 128 bytes -> C:\ProgramData\Temp:99C301D0
@Alternate Data Stream - 1231 bytes -> C:\ProgramData\Microsoft:mqbG8FTYwbvW7JfddmiuN98nUe
@Alternate Data Stream - 1227 bytes -> C:\ProgramData\Microsoft:Y3ZYw9n4PNpvWEeRTP2RU2xsZ
@Alternate Data Stream - 117 bytes -> C:\ProgramData\Temp:AAA14AF9
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
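Several lines in the fix above are alternate data streams (ADS) attached to folders such as C:\ProgramData\Microsoft and C:\Program Files\Common Files\System rather than ordinary files, which is why a normal directory listing does not show them. The following is an added example, not the thread's own code or part of OTL; it assumes PowerShell 5.1 or later on an NTFS volume and enumerates non-default streams under the same roots so that the result of the fix can be checked after the reboot.

```powershell
# Added example (not from the thread): list alternate data streams under the
# folders named in the OTL fix, ignoring the default ':$DATA' stream and the
# benign Zone.Identifier marker that browsers add to downloads.
# Assumes PowerShell 5.1+ on NTFS; on older Windows PowerShell builds,
# streams attached to directories may not be reported by Get-Item -Stream.

function Get-SuspiciousAds {
    param(
        [string[]]$Roots = @(
            $env:ProgramData,
            "$env:LOCALAPPDATA\Temp",
            "$env:ProgramFiles\Common Files"
        ),
        [string[]]$IgnoreStreams = @(':$DATA', 'Zone.Identifier')
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Include the root itself: the entries in the fix were streams attached
        # to directories, not to files inside them. -Force includes hidden items.
        $items = @(Get-Item -LiteralPath $root -Force) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue
            foreach ($s in $streams) {
                if ($IgnoreStreams -contains $s.Stream) { continue }
                [pscustomobject]@{
                    Path   = $item.FullName
                    Stream = $s.Stream
                    Bytes  = $s.Length
                }
            }
        }
    }
}

# Usage: an empty result after the fix and reboot means no stray streams remain
# under these roots; anything listed can be inspected with
# Get-Content -LiteralPath <Path> -Stream <Stream> before deciding what to do.
Get-SuspiciousAds | Format-Table -AutoSize
```

The byte sizes reported by OTL (1231, 1227, 1286 bytes) are the same Length values this listing shows, so a remaining entry can be matched line for line against the fix above.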
-
Thank you. The file was too large to attach so I had to split it between two documents...sorry about that! Part 1 posted here, part 2 posted after this one as it didn't even allow me to do two at once... :(
Doing the fix now as well :)
-
And part 2...
-
Once the fix has run and rebooted could you let me know of any problems
-
It's rebooted and it looks ok.... (I am almost scared to say those words!)
Here is the report from the OTL (well, the one that popped up after I rebooted) :) Did I mention thank you?
EDIT: Will attach the OTL quick scan log when I have done it...it is in the process of doing so!
-
Total Files Cleaned = 1,360.00 mb
Lots of rubbish removed ;D
Could you now use the computer as normal and let me know if anything appears weird, wrong or just downright hookey
-
Total Files Cleaned = 1,360.00 mb
Lots of rubbish removed ;D
hmmmm...someone needs to install CCleaner....or ATF cleaner ;)
-
Yeah...me dirty computer had.............
Thank you so much, essexboy and Pondus, for help and support when the world was ending! :)
-
Or TFC ;D
-
Hehe, I have now downloaded CCleaner...I have been a bit scared of using them in the past (don't know why!!)
Finished the OTL report and included it in here, seeing as I was half way through it.
Again...thanks for all your help!!! :) I know where to turn in the future should anything go wrong!
-
Well they appear to be gone ;D If all is well tomorrow let me know and I will remove my tools and tidy up
-
All is well!!! Thank you so much for all your help, it seems everything is running better than it used to :)
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Go to control panel
- Select folder options (Appearance > Folder options in category view)
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go to Start > All programs > Accessories > system tools
- Right click Disc cleanup and select run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly; it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
All done and all good! Again, thanks!!!!!!!!! xxx
-
My pleasure ;D