Avast WEBforum
Other => Viruses and worms => Topic started by: dallasa on June 23, 2012, 05:45:13 AM
-
Hi,
Recently Avast has been giving me warnings that it has blocked a "JS:Banker-IC" trojan. This happens when opening any program (or even trying to do things such as update Avast or Firefox) or download any file. I don't remember opening anything or visiting any website that could have given me this, and Avast and Malwarebytes scans come up with nothing. I have no idea what to do or how dangerous this is to my online passwords. Help please?
Here are my Malwarebytes log, OTL log, and aswMBR log:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.06.22.12
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Arnand :: ARNAND-HP [administrator]
6/22/2012 7:53:57 PM
mbam-log-2012-06-22 (19-53-57).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 210464
Time elapsed: 6 minute(s), 44 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-
essexboy or jeff will arrive to help later today or this evening ;D
-
I see that you have run ComboFix; could you attach the log please?
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL
(http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg)
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Yes sir here are the logs.
-
Is Avast still warning about this? If so, what file does it reference?
-
Yes it is. It references whatever file I'm running or trying to run at the time. Everything from the Avast updater to Firefox to Skype, etc. Sometimes it references a "wpad.dat".
-
Do you use a proxy to get online?
Run Farbar Service Scanner (http://download.bleepingcomputer.com/farbar/FSS.exe)
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg)
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
-
No, I don't. Here you go.
-
OK, let's now delve really deep.
Scanning with GMER
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
(http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif)
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
(http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg) (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and attach it in your reply.
Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
-- If you encounter any problems, try running GMER in safe mode (http://www.computerhope.com/issues/chsafe.htm).
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
-
Here you go. Only hit is a videogame that I've had installed for months with no problem, so I'm assuming it's a false positive. Although Gmer would only let me scan for Services, Registry, and Files... all other boxes were untickable.
-
This programme will produce a zip file for me to analyse, the forum does not allow this type of attachment so could you upload to a file sharing site or dropbox for me to collect
Download AVPTool from Here (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) to your desktop
Run the programme you have just downloaded to your desktop (it will be randomly named).
First we will run a virus scan
Click the cog in the upper right
(http://dl.dropbox.com/u/73555776/Kas%20front.JPG)
This programme will create a zip file for me to analyse, unfortunately the forum does not allow that type of attachment so could you upload it to a file sharing site or dropbox for me to collect
Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan
(http://dl.dropbox.com/u/73555776/Kas%20Scan%20area.JPG)
Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post
Now the Analysis
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information
(http://dl.dropbox.com/u/73555776/kas%20manual.JPG)
On completion click the link to locate the zip file to upload and attach to your next post
(http://dl.dropbox.com/u/73555776/Kas%20Zip.JPG)
-
Hello,
I too suddenly have this exact same problem. I have done a boot-time scan... Avast detects the virus but for some reason, it does not get deleted. When I start my PC Avast throws up the message...
A script started by c:\...\AvastUI.exe
JS:Banker-IC[Trj]
Process: c:\Program Files\...\AvastUI.exe
Sometimes when opening a browser the process is "AvastUI.exe".
I am fastidious about security & have no idea where this came from. My OS is Windows 7 & I use IE 8
Any insight would be sincerely appreciated.
Geoff Pearson
-
If you've been fastidious too, perhaps it is a problem with Avast? I've certainly had no luck getting anywhere so far, although I will report back in once the Kaspersky scan is done (which will be a while, estimating 16 hours now).
-
That has crossed my mind too. I might give Kaspersky a go overnight.
GP
-
I am also suffering with the same JS:Banker-IC issue. I receive the warning message from Avast when I open IE(9), Skype and Avast.
Have run Avast virus scan and the boot time scan, which both claim to have deleted the virus, but it reappears.
I have also run MBAM and even installed Microsoft Security Essentials, both returned 0 infection results.
Please help as I am pulling my hair out here!
Thanks
Paul
-
I am also suffering with the same JS:Banker-IC issue. I receive the warning message from Avast when I open IE(9), Skype and Avast.
Have run Avast virus scan and the boot time scan, which both claim to have deleted the virus, but it reappears.
I have also run MBAM and even installed Microsoft Security Essentials, both returned 0 infection results.
Please help as I am pulling my hair out here!
Thanks
Paul
start your own topic in the virus and worms section.....where you attach the requested logs
follow this guide and attach (not copy and paste) Logs from malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0
-
I am wondering whether this is a false positive, could you manually update the virus definitions and see if it still occurs
-
Kaspersky came up with nothing. All of my virus definitions are up to date so I can't manually update... I'll try uninstalling and reinstalling Avast in a bit and see what happens.
-
OK this is really weird as I am not seeing anything that would cause this
-
I keep getting this "JS:Banker-IC [Trj]" thing come up too.. I've already run Sophos Anti-Rootkit as well as Spybot/Ad-Aware and PC-Matic, before seeing this entry... none of the above came up with anything...
-
I do not believe it to be a false positive now as I am getting no indication of this on either XP or 7
Is it on any specific page or any specific browser?
-
Still getting the warnings after reinstalling. It isn't on any specific browser, both Firefox and Chrome bring up the warnings. The objects I've seen that bring up the warning are anything that requires a connection to the net (Firefox, Chrome, Skype, wpad.dat, avast.setup, etc.)
-
Do you connect via a router? And do any other computers using it experience the same problem?
-
Yes I do. And I don't have access to the other computers right now, so I don't know.
-
It may well be worth resetting the router.
Do you know how to do that?
What is the router model?
-
I am wondering whether this is a false positive, could you manually update the virus definitions and see if it still occurs
I'm thinking the same thing, see http://forum.avast.com/index.php?topic=100088.msg799230#msg799230 (http://forum.avast.com/index.php?topic=100088.msg799230#msg799230), my reply to a new topic started by pevans8180 in response to request by Pondus.
I have submitted it to avast for analysis.
-
I recall that this started happening right after Avast did an automatic virus definition update. I don't have anything else that does auto updates on my PC & I hadn't been doing anything out of the ordinary so... I wonder, could this be Avast itself that is corrupted?
-
Not corrupt as such, but a virus definitions update could have modified a signature that now detects a file as infected by JS:Banker-IC.
However, yours is slightly different to this and the other topic, as this was on a website file but the same JS:Banker-IC signature; an update of this could have implications across many files.
Yours, however, refers to a script:
A script started by c:\...\AvastUI.exe
JS:Banker-IC[Trj]
Process: c:\Program Files\...\AvastUI.exe
Normally I would say that you should submit the file detected to avast for further analysis, but I don't see how you can send a script as there is no reference to the script, just the file starting it.
-
Not corrupt as such, but a virus definitions update could have modified a signature that now detects a file as infected by JS:Banker-IC.
However, yours is slightly different to this and the other topic, as this was on a website file but the same JS:Banker-IC signature; an update of this could have implications across many files.
Yours, however, refers to a script:
A script started by c:\...\AvastUI.exe
JS:Banker-IC[Trj]
Process: c:\Program Files\...\AvastUI.exe
Normally I would say that you should submit the file detected to avast for further analysis, but I don't see how you can send a script as there is no reference to the script, just the file starting it.
I should have been more clear earlier, but the same thing (getting a warning for a script) is also what's happening to me most of the time, with the .exe's (of Firefox, Avast, etc.) being the objects that start the script. The only warnings that aren't associated with a script seem to be for wpad.dat.
-
OK, that is what I have sent off for analysis, but that doesn't mean it's the same file or site, just the one I investigated from the other topic.
-
I have received a reply in relation to my submission for analysis, to the issue in the other topic (not considered an FP), http://forum.avast.com/index.php?topic=100088.msg799388#msg799388 (http://forum.avast.com/index.php?topic=100088.msg799388#msg799388).
-
Hi, I am trying this on some others now that Avast has given me a heads-up on the possible source.
- Select Tools and then Internet Options.
- Click the Connections tab.
- If you are using a LAN, click the LAN Settings button. If you are using a Dial-up or Virtual Private Network connection, select the necessary connection and click the Settings button.
- Make sure the 'automatically detect proxy settings' is checked
- Make sure the 'use a proxy automatic configuration script' option is not checked
- OK out.
(https://dl.dropbox.com/u/73555776/Lan%20settings.GIF)
-
I'm assuming you meant to post the same OTL scan as you did in the other topic too? ;) Here's the log, it didn't give me an Extras.txt though.
-
The extras.txt is only generated on the first run of OTL.
-
OK, next step: I will reset the reg setting for that area.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"WinHttpSettings"=hex:28,00,00,00,00,00,00,00,01,00,00,00,00,00,00,00,00,00,00,\
00
Copy everything in the above code box to a notepad file
Save the file as HTTP.reg
In the drop down box select all files to save it as a reg file to your desktop
(https://dl.dropbox.com/u/73555776/Save%20Host.jpg)
The icon will look like this
(https://dl.dropbox.com/u/73555776/regicon.GIF)
Right click the file and select merge
Accept the warnings
Start IE and see if the alerts are still present
-
Done, and the alerts are still present.
-
OK back to the drawing board... I will find the solution to this
-
Alrighty, I'll stay tuned. And thank you very much for all of your efforts so far, they are much appreciated!
-
Hello,
I think Avast have fixed this issue, maybe in their latest virus definition updates. Problem was, if you already had the virus or whatever it was, the definitions couldn't update automatically because Avast itself was blocking the update when it detected the JS:Banker virus (falsely or otherwise). I basically just uninstalled Avast then downloaded the latest version & reinstalled. Everything appears to be normal again... at least so far!!
Geoff Pearson
-
Amend my last post... the virus message is back! Time to try another anti-virus program perhaps!
Geoff Pearson
-
Personally I would stick with the analysis process, given that the avast labs have confirmed the detection is good.
Switching AV may well see a cessation of the alert, but that is no guarantee that it wasn't good and may leave you vulnerable.
-
That is correct, I am currently doing some research to find out where this could be running from
Switching to another AV will remove the alerts no problem... But then you are wide open to DNS changer malware.
-
Avast still throwing up warnings about JS:Banker-IC Trojan.
I Googled it & found this removal tool...
http://www.uninstallvirus.net/remove-trojanproxyjsbanker-n-automatically-from-your-computer
Can anyone tell me if it is genuine?
Geoff Pearson
-
Hmm, are you advertising this?
@dallasa
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:regfind
wpad.net.ms
wpad.dat
85.214.17.43
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
-
That removal tool sounds a bit sketchy, don't think I have the balls to try it yet :P Here is the SystemLook log.
-
On top of that it will probably find something and say only the registered copy can fix it, so pay up.. And as this is so new it won't find it.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Reg
[-HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache\LAN]
[-HKEY_USERS\S-1-5-21-1975912946-2902256343-3894994544-1001\Software\Microsoft\Windows Media\WMSDK\Local\AutoProxyCache\LAN]
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Still getting the warnings. Thank you for your perseverance, here is the log.
-
OK I will now check out all the registry settings within that subkey
- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Media\MimeTypes /s
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Local /s
HKEY_CURRENT_USER\Software\Microsoft\Windows Media\WMSDK\Sources /s
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Media /s
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so.
-
Ok here is the log.
-
OK I need to find another route, sorry about this taking so long
-
It's fine, no rush as long as Avast continues to block the threat. Thank you very much for staying with this!
-
Could you run the MS Security Scanner please, as that will theoretically scan any file associated with this?
http://www.microsoft.com/security/scanner/en-gb/default.aspx
This will be the first time I have used this, so I will be running it on my system to figure out some instructions for it
-
Ok. A quick scan found nothing. I don't have time right now to run a full scan, and I won't go anywhere near the custom scan option until I receive instruction from you ;D
-
I must admit this is being a right pig.... If it was a false positive I would have more than just 3 or 4 people with the problem. I guess I will now have to search for a common denominator between you all
-
the 'JS' of 'JS:Banker-IC' made me think that it was just that... a bit of javascript somewhere.... and I was right... a file named wpad.dat that's been sitting in IE's cache for over a year now containing nothing but a line of javascript....
so many applications claim to be 'running' it due to so many apps using the Trident html rendering engine for their UI (such as avastui.exe and others) ... and of course it triggers when starting IE itself...
I just opened my computer > documents and settings > right clicked my user folder and clicked scan... it found the offending file... odd that the 'script shield' didn't know where it was.... seems avast needs to be a bit more... integrated... ::)
so yeah... scan your user folder then send the offending one line file to the chest...
I archived it in a password protected rar... so if one of the higher ups here wants to see the offending code I still have it...
-
Better idea send it to me and I will forward it to them
I will pm my e-mail address
Which makes me feel a right numpty as I was looking for a reference in the registry and I should have looked for the file
@dallasa
- Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
wpad.dat
/md5stop
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
-
The rest of us numpties wouldn't have even known where to begin, so don't sell yourself short ;D
-
something funny going on here.... ....remove all those infected files and yet the script shield still goes off...
..first one is just wpad.dat ... then the hydra of the bunch is wpad[1].dat .... all clean.. right? nope...
more tempting to just disable the script shield than to wait who knows how long for all 1.4TB of hdd space in this machine to be fully scanned... esp since avast doesn't play well in 256mb of ram (it's just a file server)... >:(
if anyone with this script bug does a full scan and finds anything else don't hesitate to post... :-\
-
I'll second that comment about knowing where to start!
I have quite recently moved to Win 7 & I'm not a power user... I tried to follow the instructions but I don't see "Documents & Settings" on the Windows Start menu. I recall it was a standard feature on XP but unless I'm missing something, Win 7 is different.
In any case, I scanned the Windows folder on my "c" drive & sure enough, it picked up one infected file "wpad.dat". I did as instructed & moved it to the chest but... I still have the problem. I then cleared my IE8 cache but that didn't fix it. I then re-scanned the Windows folder with Avast & it reported zero infected files but... I'm still getting the Avast popup with "wpad.dat" as the culprit.
Seems that maybe I looked in the wrong place... any ideas?
Geoff Pearson
-
I think it's just 'users' in c:\ on win7 and vista... dunno... been switching from xp to linux rather than going to win7
-
Here is the log of that scan. And yeah, moving the file to the chest doesn't seem to help much. I ran a full boot-time scan a few days ago, which detected wpad.dat and moved it to the chest, but the warnings continue.
-
I've found it, complete with url from which it's downloaded, in the registry... dunno if deleting those keys would be a good idea or not tho...
---
addendum
well... I finally got rid of it but.... um... I'd rather tell essexboy how I did it so he could translate my 'slide in sideways' approach to this thing to something everyone could do... so... yeah.... essex... when you get back online drop me an email or pm... (pref email cos I can't send pm over this forum for some reason)
-
I've found it, complete with url from which it's downloaded, in the registry... dunno if deleting those keys would be a good idea or not tho...
Hi Mephitidae,
Perhaps a better idea would be to post the registry lines here so essexboy can have a look for it. We are all numpties when something new like this comes along... best to wait on these registry references....
...Once you have 20 or more posts here, then you can pm....
-
well... that's just it... I had a mindset of 'I'm just going to reinstall anyway so what the heck' when I did what I did so I didn't care if I broke things... fortunately I didn't and fixed it instead... I didn't keep a record of the registry lines... but they may be in the backup data... ...registry tricks aren't what solved it tho and that's where the slide in sideways part comes in...
-
Having gone this far it would be best followed through; that way it would have helped you, but importantly it would give essexboy information to help others in this position.
I think he feels, like I do, that a reformat and reinstall (nuclear option) is one of last resort.
-
false alarm.... didn't get rid of it.... only blocked it for a single reboot and then it came back.... even tho there is nothing in the registry that references the url it's downloaded from....
-- edit
I can't change the homepage IE is set to either... so something is most likely hidden in gpedit.msc .... yay...
--edit again
something is rewriting it ... it's being stored in HKU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections among other places... ... mentions a malformed url http://wpad/wpad.dat ...
-
This may or may not be related, but I remembered reading something earlier where they talked about Wpad.
http://www.wilderssecurity.com/showthread.php?t=327034
-
I believe that I have found the common denominator now... Took some reading but fingers crossed
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = net.ms
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
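Added example, not a tool from this thread nor from avast or the OTL author: a small Python audit of the two indicators the thread converged on, the Tcpip\Parameters "Domain" value that the O17 line above removes (a suffix such as "net.ms" makes Windows look for wpad.net.ms when it auto-detects a proxy) and the proxy hosts named inside a cached wpad.dat PAC script like the one-liner Mephitidae found in the IE cache. The registry export and PAC text are constructed samples, 203.0.113.5 is a documentation (TEST-NET-3) address rather than a real host, EXPECTED_SUFFIXES is a placeholder for the suffixes a site legitimately uses, and the devolution logic in wpad_candidates is a simplified model of the Windows behaviour (an assumption, with the minimum label count as a parameter).

```python
"""WPAD exposure audit: which wpad.<suffix> names a client would look up, and
where a cached PAC script would send traffic.  Added example; the .reg and
PAC text below are constructed samples, not data from any real machine."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample of a regedit export of the Tcpip\Parameters key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"Domain"="net.ms"
"SearchList"=""
'''

# Constructed sample PAC script that sends every URL through one proxy.
# 203.0.113.5 is a TEST-NET-3 documentation address, not a real host.
SAMPLE_PAC = 'function FindProxyForURL(url, host) { return "PROXY 203.0.113.5:8080; DIRECT"; }'

# Assumption: suffixes this site legitimately uses (placeholder values).
EXPECTED_SUFFIXES = {"corp.example.com", "example.com"}

# Address ranges a legitimate internal proxy would normally live in.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

PROXY_RE = re.compile(r'\b(PROXY|SOCKS[45]?)\s+([^\s;"\']+)')
TCPIP_KEY_RE = re.compile(
    r'\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\]\s*(.*?)(?=\n\[|\Z)',
    re.S | re.I)


def parse_tcpip_params(reg_text: str) -> Dict[str, str]:
    """String values under Tcpip\\Parameters in a regedit (.reg) export."""
    match = TCPIP_KEY_RE.search(reg_text)
    if not match:
        return {}
    return dict(re.findall(r'"([^"]+)"="([^"]*)"', match.group(1)))


def wpad_candidates(domain: str, searchlist: str = "", min_labels: int = 2) -> List[str]:
    """Hostnames a client would query for WPAD discovery.
    Simplified model (assumption): a non-empty SearchList replaces devolution;
    otherwise the primary suffix is devolved one label at a time, never going
    below min_labels labels, so wpad.<tld> is not queried."""
    suffixes = [s.strip() for s in searchlist.split(",") if s.strip()]
    if not suffixes and domain:
        labels = domain.strip(".").split(".")
        while len(labels) >= min_labels:
            suffixes.append(".".join(labels))
            labels = labels[1:]
    return [f"wpad.{s}" for s in suffixes]


def pac_proxy_hosts(pac_text: str) -> List[str]:
    """Distinct proxy hosts a PAC script can hand back (PROXY/SOCKS directives)."""
    hosts: List[str] = []
    for _kind, target in PROXY_RE.findall(pac_text):
        host = target.rsplit(":", 1)[0] if re.search(r":\d+$", target) else target
        host = host.strip("[]")  # bracketed IPv6 literal
        if host not in hosts:
            hosts.append(host)
    return hosts


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_outside_lan(host: str) -> bool:
    """True for an IP literal that is in none of the local ranges above."""
    if not is_ip_literal(host):
        return False  # hostnames are judged by suffix instead
    ip = ipaddress.ip_address(host)
    return not any(ip in net for net in LOCAL_NETS)


def audit(reg_text: str, pac_text: str, expected=EXPECTED_SUFFIXES) -> List[str]:
    """Findings a responder would want to see for one host."""
    findings = []
    params = parse_tcpip_params(reg_text)
    for name in wpad_candidates(params.get("Domain", ""), params.get("SearchList", "")):
        suffix = name[len("wpad."):]
        if suffix not in expected:
            findings.append(f"WPAD lookup {name}: suffix '{suffix}' is not one this site uses "
                            "(check Tcpip\\Parameters Domain/SearchList)")
    for host in pac_proxy_hosts(pac_text):
        if is_outside_lan(host):
            findings.append(f"PAC routes traffic via {host}, outside local address ranges")
        elif not is_ip_literal(host) and not any(host.endswith("." + s) for s in expected):
            findings.append(f"PAC names proxy host {host} outside the expected domains")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_REG, SAMPLE_PAC):
        print(line)
```

On a real machine the .reg text would come from exporting the Tcpip\Parameters key and the PAC text from the wpad.dat in the browser cache; an empty findings list means both the suffix and the proxy target are ones the site expects, which is the state the ipconfig /release and /renew steps later in the thread restored.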
-
that caused a hard freeze when it wanted to reboot but I reset the machine and it continued...
here's the log file....
oddest part about this log is that opera, java and flash were uninstalled quite some time ago..
--edit
didn't clean the virus out either... it still re-downloaded
-
Have the alerts ceased? Also, could you run a quick scan so that I can check the TCPIP?
-
OK, just seen that. Could you run this MSFixit prior to the OTL scan please? http://support.microsoft.com/kb/299357
-
here's the resetlog.txt from the KB article.... the OTL quick scan is taking quite a while... will post that when it's done...
-
The fixit replaced some bad values... This has shown that I need to learn more about networking
-
OTL quickscan is stuck.... it's used about 600+mb of ram which on my system (256mb) goes into the page file.... it's just sitting there thrashing the hdd while doing nothing...
suggestions?
-
Aye, stop it, reboot the system and just run a quick scan.
-
Well, while you're trying to sort that out, here is my OTL log after running the fix and scan (and MSFixit). Warnings continue.
-
OK, next question: are any other computers using the same router as you? If so, do they get the same alerts?
-
Just want to share my experience. I've had this problem for a week and I had used Malwarebytes and Kaspersky to scan my computer; no virus or malware could be found.
But when I bypass my router (running TomatoVPN), i.e. directly connect my computer to the ISP, no JS:Banker-IC alert appears from Avast. However, once I connect back through the router, the alert comes back.
Cheers.
-
So a router infection is your experience?
-
Other computers on the same router have the same alert with Avast, but not the computer with just Microsoft Security Essentials.
-
Have you reset the router and changed the password?
-
quick scan is what gets stuck... I don't have enough ram on that system...
as for other computers on the same router the other (windows) machine doesn't have any alerts and does have avast so it's not spread over the lan on mine...
-
The other computer using the router isn't receiving any alerts, however it is a Mac. I will test a couple other Windows machines later today.
-
The other system is not using OpenDNS or the like?
-
No I don't believe so.
-
Could you try OpenDNS on the affected system please?
Details here http://www.howtogeek.com/79998/protect-your-kids-online-using-open-dns-2/
-
My router will be reset every night and I don't think there is a virus in the router.
However, my router is using the open DNS but not on the computers.
-
When you say reset, do you mean just turned off?
-
Yes.
-
tcp reset (had to manually put the ips back in) ... virus still re-downloads ...there's a dropper in here somewhere that avast isn't finding...
-
I am now running OpenDNS... No changes in the situation.
-
OK it is definitely on the system then ... I will need to have another research on this
-
Let's now check DHCP.
Go to Control Panel > Network Connections
Right click the current network and select Properties
Select IPv4 and select Properties
On the General tab, are the settings the same as mine?
(https://dl.dropbox.com/u/73555776/dchp.GIF)
-
Yeah they are the same, although I was using the OpenDNS server address but I have reset it back to automatic.
-
OK progressing through the various aspects of this could you go start > all programs > accessories
Right click the command prompt and enter the following two commands, pressing Enter between each:
ipconfig /release
ipconfig /renew
-
Done, annnd....... the warnings have stopped somehow, for now at least. I'll see if they return upon reboot.
-
Yes please reboot and see if it returns .. If it does then it again gives me an idea of where to go next... Once we can get it sorted then any further instances of this will be a darn sight easier to remove
-
Everything's still clear after rebooting. Fingers crossed that it stays that way, and if so that seems like a simple solution after all that trouble :D
-
It actually appears that a two-pronged approach is needed:
First to remove the TCPIP domain and then clear the DHCP.
I will now go and try that with the rest ;D
-
Hopefully that solves everyone else's issue too then. Thank you very much for your help though this, you're a hero ;D
-
This is definitely something new, it appears to be an attempt at the man in the middle type malware (only used by Flame so far)
But thanks to your perseverance and assistance I may now be able to fix this in just two or three posts, so you have been a great help.
Let me know tomorrow if it is still OK and then I will remove all the rubbish I have put on your system
Once again Thanks ;D
-
what do those who don't use dhcp do?
-
DHCP is enabled by default on Vista and 7 but I am not overly sure about XP ... Need to check that out.
-
I don't have a dhcp server setup so I cannot use dhcp... ips for the computers on my lan must be set manually regardless of what os they run
-
This is not really anything to do with a local area network; it relates to how the DNS server is set up on each individual computer when it connects to the net and whether it uses a dynamic or static address.
-
so on a machine with a static manually assigned ip/dns this virus does nothing? even if still present?
-
DHCP is enabled by default on Vista and 7 but I am not overly sure about XP ... Need to check that out.
The DHCP service is started Automatically on my XP Pro SP3; certainly don't recall ever setting it to Automatic, I'm usually the reverse in either disabling or setting services I don't need (blackviper) to manual just in case.
I don't have a local network setup, though I have two computers they aren't networked, my second connects by WiFi to my router.
-
Very recent XP install shows the service as automatic so I would say it is set that way by default.
-
how that fix worked I'll never know :o windows is a strange creature in the world of OSen ...
but many thx for the fix 8)
-
So it has now disappeared?
-
I was already in the habit of deleting the file on each boot to shut the notifications up but it would always redownload on the next boot... now it doesn't...
-
Well that was a journey around the mysteries of windows networking... Once you are happy let me know and I will remove all my rubbish
-
rubbish? just don't delete the ultimate fix for the googlers out there.... still have this haunting feeling that it will pop up again... call me paranoid :P
-
Nope I will just remove all the tools that you have downloaded ;D
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:
Run OTL- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2012/06/23 16:33:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2012/06/22 20:35:51 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\Arnand\Desktop\aswMBR.exe
[2012/07/02 13:09:51 | 000,650,240 | ---- | M] () -- C:\Users\Arnand\Desktop\MicrosoftFixit50199.msi
[2012/06/29 18:31:33 | 000,139,264 | ---- | M] () -- C:\Users\Arnand\Desktop\SystemLook.exe
[2012/06/25 14:32:55 | 000,000,220 | ---- | M] () -- C:\Users\Arnand\Desktop\http.reg
[2012/06/24 14:01:50 | 000,011,518 | ---- | M] () -- C:\Users\Arnand\Desktop\avptool_sysinfo.zip
[2012/06/23 16:32:25 | 137,641,400 | ---- | M] () -- C:\Users\Arnand\Desktop\setup_11.0.0.1245.x01_2012_06_24_00_42.exe
[2012/06/23 15:36:53 | 000,294,216 | ---- | M] () -- C:\Users\Arnand\Desktop\gmer.zip
[2012/06/23 14:57:03 | 000,340,609 | ---- | M] () -- C:\Users\Arnand\Desktop\FSS.exe
[2012/06/22 21:25:34 | 000,000,512 | ---- | M] () -- C:\Users\Arnand\Desktop\MBR.dat
[2012/06/22 20:36:28 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\Arnand\Desktop\aswMBR.exe
[2012/06/23 15:34:22 | 000,302,592 | ---- | C] () -- C:\Users\Arnand\Desktop\gmer.exe
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that
- Go to control panel
- Select folder options (Appearance > Folder options in category view)
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go to Start > All programs > Accessories > System Tools
- Right click Disk Cleanup and select Run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly; it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Alrighty then, everything is back to normal. Once again thank you so much for your help, especially considering that this seemed to be a previously unknown infection!
-
OK... I tried this from the command prompt on Windows 7 & this is what I saw...
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\OEM>ipconfig/release
Windows IP Configuration
No operation can be performed on Wireless Network Connection while it has its me
dia disconnected.
Wireless LAN adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::b12d:11c3:898e:4545%11
Default Gateway . . . . . . . . . :
Tunnel adapter isatap.gateway.2wire.net:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:1cb1:21d:85c3:208
Link-local IPv6 Address . . . . . : fe80::1cb1:21d:85c3:208%13
Default Gateway . . . . . . . . . : ::
C:\Users\OEM>ipconfig/renew
Windows IP Configuration
No operation can be performed on Wireless Network Connection while it has its me
dia disconnected.
Wireless LAN adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : gateway.2wire.net
Link-local IPv6 Address . . . . . : fe80::b12d:11c3:898e:4545%11
IPv4 Address. . . . . . . . . . . : 192.168.1.64
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
Tunnel adapter isatap.gateway.2wire.net:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:b5:c91:3f57:febf
Link-local IPv6 Address . . . . . : fe80::b5:c91:3f57:febf%13
Default Gateway . . . . . . . . . : ::
It appears to have found my Ethernet LAN but I'm still getting the Avast popup error.
Does the above tell anybody anything? Like.. am I doing something wrong?
Geoff Pearson
-
Did you run from an elevated command prompt ?
If you had, the start point would have been C:\Windows\system32 and not C:\Users\OEM
Plus we will need to determine if a TCPIP point should be removed
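The checks the helpers keep asking for in this thread (was the prompt elevated, is the adapter on DHCP, which DNS servers is it actually using, is the hosts file clean) can be gathered in one go. This is an added example, not a script from the thread or from any of the tools used in it; it uses WMI so it runs on Windows 7's stock PowerShell 2.0, and the "outside a private range" heuristic for DNS servers is an assumption to prompt a second look, not a verdict.

```powershell
# Added audit script (not from the thread): report elevation, DHCP state,
# DNS servers per adapter, and non-default hosts entries, read-only.

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Assumption: home LANs hand out RFC 1918 resolvers (usually the gateway).
# A public resolver the user never configured is worth confirming by hand.
function Test-PrivateIPv4 {
    param([string]$Ip)
    return ($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')
}

function Get-AdapterDnsState {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        ForEach-Object {
            $dns = @($_.DNSServerSearchOrder)
            $external = @($dns | Where-Object { $_ -and -not (Test-PrivateIPv4 $_) })
            New-Object PSObject -Property @{
                Adapter      = $_.Description
                DHCPEnabled  = $_.DHCPEnabled
                IPAddress    = ($_.IPAddress -join ', ')
                DnsServers   = ($dns -join ', ')
                # External resolver on a DHCP adapter: compare with what the router hands out.
                ReviewDns    = ($external.Count -gt 0)
            }
        }
}

# Lines in the hosts file other than comments and the localhost defaults.
function Get-HostsOverrides {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

"Elevated prompt : $(Test-IsElevated)"
"DHCP service    : $((Get-Service Dhcp).Status)"   # Automatic/Running is the Vista/7 default
Get-AdapterDnsState | Format-Table Adapter, DHCPEnabled, IPAddress, DnsServers, ReviewDns -AutoSize
"Hosts overrides :"
Get-HostsOverrides
```

Run it from the same prompt you intend to use for ipconfig /release and /renew; if "Elevated prompt" is False, the renew will not have run with the rights the fix expects.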
-
I have the same problem, although I use an elevated command prompt and TCPIP is removed.
-
Hello All,
I tried this fix but I still have this problem on my Win 7 Professional PC. I am not an OS or Internet wizard and I'm confused, but can anyone tell me...
1) Is this actually a virus?
2) If affirmative, what exactly is the perceived threat?
3) How come only Avast is affected? ie. is it an Avast problem?
4) How come none of the other AV scans pick it up?
5) Would it be a safe assumption that if I change my AV program to say... Norton, I would be just as well protected as any other Norton user?
Any insight appreciated.
Geoff Pearson
-
Hi gpearson,
As this infection was new to essexboy and others, it did take a little more time to get a successful repair and fix here.
As for point #5, at the time this thread was started, only Avast! was able to detect this infection. You can, of course, remove Avast!, and thus not get alerts anymore, but the infection will still remain on your system. I would choose to get the infection cleared first, and then go and get another a/v if that is what I thought was best.
If you wish to get help here for this, please start your own topic in this section by going to "New Topic" button upper right. Please see and read http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0) and attach all logs produced by Malwarebytes, OTL, and aswMBR in your new topic.
As malware is changed, in some cases almost hourly, this infection may not be exactly the same as the one essexboy dealt with here, and thus the repair may/may not work for you. Fixes made by essexboy and others are always custom-made only for the system affected; attempting to repair using the custom fix can damage your system.
Once the logs are posted, please do not make any changes to your system other than those requested by the malware expert assisting you. This will make cleaning and repairing your system much easier, and at far lower risk of system damage than otherwise.
Quote from essexboy, page 7, same thread as this one:
This is definitely something new, it appears to be an attempt at the man-in-the-middle type malware (only used by Flame so far)
But thanks to your perseverance and assistance I may now be able to fix this in just two or three posts, so you have been a great help
Let me know tomorrow if it is still OK and then I will remove all the rubbish I have put on your system
Once again Thanks ;D
So someone is in the middle between you and the internet, possibly intercepting your data transfers, user passwords, etc.