Avast WEBforum
Other => Viruses and worms => Topic started by: greengarden on August 12, 2012, 01:32:22 AM
-
Hello everyone!
Three days ago, I downloaded this stupid program that included Babylon Search. Ever since, I have been plagued with viruses. I've used Norton Internet Security, Ccleaner, Search and Destroy, Malware Bytes, and now Advast Antivirus. I've done full system scans and other miscellaneous scans with no success. Every time I think I got the virus(es) out of my system and restart my laptop, I get the dreaded, "Detected virus" pop-up as soon as I'm logged into my account.
According to Advast, I have Malware-gen, Downloader-PKU, and Sirefef-A. I'm so distressed about this and unfortunately do not have the re-boot/recovery CD that originally came with my laptop. Any help would be greatly appreciated. Thank you! :) Attached are my logs.
P.S. Since I do have "Sirefef" as well, I'm including the Farbar Service Scanner log as well. Thank you in advance. A good weekend to all.
-
Malware removers are notified. It may take hours before one arrives, so be patient.
-
Thank you for that immediate update. :) I have all the patience in the world. I have been trying to battle this one out on my own for the past three days, so I can most certainly wait. Thank you for your assistance. 8)
-
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
IE - HKU\S-1-5-21-51124437-1587450825-3072365709-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=109597&tt=3212_1&babsrc=SP_ss&mntrId=4da068f000000000000000ff9aad576a
IE - HKU\S-1-5-21-51124437-1587450825-3072365709-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 61.54.82.130:808
[2012/08/08 11:24:34 | 000,002,349 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]
:Files
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\Isaac\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, reboot again; that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
FINALLY
Re-run FSS and attach the log please
-
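The fix script above removes four kinds of indicator: an IE "ProxyServer" value the user never set, the WMI Event Subsystem CLSID's InprocServer32 pointed away from wbemess.dll, a per-user CLSID override under HKCU\Software\Classes, and the same GUID-named folder planted under both C:\Windows\Installer and AppData\Local. The following is an added example, not part of the post above nor of OTL or ComboFix: a small Python triage that scans OTL-style log lines for those same indicators. The sample log is constructed from the lines quoted in the fix; the SID, the hijacked InprocServer32 target (loader.dll), the directory entries and the severity labels are this example's own assumptions.

```python
"""Triage OTL-style log lines for the indicator classes the fix above removes.

Added example; not part of OTL, ComboFix, or the forum post. The sample log
below is constructed: the SID, the hijacked InprocServer32 target and the
directory entries are invented to match the shape of the quoted fix lines.
"""
import re
from typing import Dict, List, Set, Tuple

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"

# The fix script restores this CLSID to ...\wbem\wbemess.dll, so that is the
# only InprocServer32 value this check accepts for it.
WMI_EVENT_CLSID = "{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}"
EXPECTED_WMI_SERVER = r"\wbem\wbemess.dll"

PROXY_RE = re.compile(r'Internet Settings: "ProxyServer" = (\S+)', re.I)
SEARCHSCOPE_RE = re.compile(r'SearchScopes\\' + GUID + r': "URL" = (\S+)', re.I)
SEARCHPLUGIN_RE = re.compile(r'searchplugins\\babylon\.xml', re.I)
HKCR_CLSID_RE = re.compile(r'^\[HKEY_CLASSES_ROOT\\CLSID\\(' + GUID + r')\\InprocServer32\]$', re.I)
HKCU_CLSID_RE = re.compile(r'^\[-?HKCU\\Software\\Classes\\CLSID\\(' + GUID + r')\]$', re.I)
DEFAULT_VALUE_RE = re.compile(r'^""="(.*)"$')
GUID_DIR_RE = re.compile(r'-- (.+\\(Installer|AppData\\Local)\\(' + GUID + r'))\s*$', re.I)

Finding = Tuple[str, str, str]  # (severity, category, evidence)


def triage(log_text: str) -> List[Finding]:
    """Return one finding per indicator found in log_text, in log order."""
    findings: List[Finding] = []
    pending_clsid = None
    guid_dirs: Dict[str, Set[str]] = {}  # guid -> parent folders it was seen under

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = PROXY_RE.search(line)
        if m:
            # A proxy the user never configured routes every browser request
            # through a third party; treat any value here as high until verified.
            findings.append(("high", "proxy", m.group(1)))
            continue

        m = SEARCHSCOPE_RE.search(line)
        if m and "babylon" in m.group(1).lower():
            findings.append(("low", "search-hijack", m.group(1)))
            continue
        if SEARCHPLUGIN_RE.search(line):
            findings.append(("low", "search-hijack", line.split("-- ")[-1]))
            continue

        m = HKCR_CLSID_RE.match(line)
        if m:
            pending_clsid = m.group(1).upper()  # its default value is on the next line
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if m and pending_clsid:
            if pending_clsid == WMI_EVENT_CLSID and not m.group(1).lower().endswith(EXPECTED_WMI_SERVER):
                findings.append(("high", "clsid-hijack", f"{pending_clsid} -> {m.group(1)}"))
            pending_clsid = None
            continue

        m = HKCU_CLSID_RE.match(line)
        if m:
            # HKCU\Software\Classes shadows HKCR for that user, no admin rights needed.
            findings.append(("medium", "user-com-override", m.group(1).lower()))
            continue

        m = GUID_DIR_RE.search(line)
        if m:
            guid_dirs.setdefault(m.group(3).lower(), set()).add(m.group(2).lower())

    # A lone GUID folder under C:\Windows\Installer is normal MSI cache; the same
    # GUID under both Installer and AppData\Local is the pairing the fix removes.
    for guid, parents in sorted(guid_dirs.items()):
        if {"installer", "appdata\\local"} <= parents:
            findings.append(("high", "guid-dir-pair", guid))
    return findings


# Constructed sample log (invented SID, invented loader.dll target, invented dates).
SAMPLE_LOG = r"""
IE - HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=109597
IE - HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 61.54.82.130:808
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="C:\Users\User\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\loader.dll"
[HKCU\Software\Classes\CLSID\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]
[2012/08/08 11:24:34 | 000,000,000 | ---D | C] -- C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
[2012/08/08 11:24:34 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
[2012/08/08 11:24:34 | 000,002,349 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
[2012/08/01 09:00:00 | 000,000,000 | ---D | C] -- C:\Windows\Installer\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
"""

if __name__ == "__main__":
    for severity, category, evidence in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {category:18} {evidence}")
```

The last sample line is a lone GUID folder under C:\Windows\Installer and is deliberately not flagged; only the GUID that appears under both Installer and AppData\Local is. A value of wbemess.dll for the WMI CLSID is accepted, so a log taken after the fix produces no clsid-hijack finding.
-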
I'm so sorry, but I need your help. I tried running ComboFix after disabling Norton Internet Security and Advast but it prompted me that Norton Antivirus was still running. I disabled both Smart Firewall and Antivirus Auto-Protect for NIS. :( I tried to do CTRL-ALT-DELETE to manually turn off NIS and ComboFix closed in the process. You said not to re-run ComboFix and to consult with you. What should I do?
I did do the OTL as you instructed (with the reboot and QuickScan) and that log is attached. Sorry for messing up the ComboFix! :(
-
No problem. Accept the ComboFix warnings but do not allow anything to be deleted or quarantined... You really should only have one AV.
-
I know, I started with Norton Internet Security first. When it failed to remove the viruses, I googled and heard rave reviews about Advast. I'll remove Norton Internet Security straight away and will do the ComboFix thereafter. Thanks so much for all your patience and help. You are awesomeness!
-
So you have Avast and Norton installed ::)
Never install multiple AVs... as this will give you... a slower machine / mysterious Windows errors / false positive detections.....
So uninstall one, and then run the removal tool to clear any leftover files that may conflict: http://singularlabs.com/uninstallers/security-software/
I googled and heard rave reviews about Advast
and why do you keep calling it advast ? the name is a v a s t ;D
-
'Cos it adds vastly to your protection silly ;D ;D
-
ahaaa.....forgot that ;D
-
I apologize for the delay AND for the typo! :) I'm not familiar with Avast and just recently became introduced to it. I uninstalled NIS and ran the ComboFix. I am no longer able to use Firefox or Internet Explorer for some reason ("Illegal operation attempted on a registry key that has been marked for deletion"). I had to save the log on a USB and am posting the log on another uninfected computer. Thanks again. :)
-
("Illegal operation attempted on a registry key that has been marked for deletion")
Restart the computer one more time... that should fix it.
-
Thank you for both your help!!! It means so much. I will restart right now! :D
Edit: Firefox and Internet Explorer are both working now!!! :) Thank you for the restart tip, Pondus! ;D
-
Could you attach the ComboFix log please, and the re-run of FSS?
Also how is the computer behaving ?
-
My computer is acting normal!! :) No constant pop-ups from A-V-A-S-T (:D) about trojans. :) I'm doing the FSS right now. Attached is the log from ComboFix. I have to leave for church in a few but will post the log for the FSS before I leave. Thank you most sincerely for your help. You are magic! 8)
-
Well, goodness, that was quick. The FSS log is attached below. :) I'll be back later. Thank you so so so so so much!!! ;D
-
The FSS report will tell me if any repairs are needed, but so far looks good
-
Thank you! :) I'm back now.
You have such a wonderful gift and talent with this; I am truly amazed and humbled. If you haven't noticed, I'm not a very techy person. I love technology and cannot do without it, but with issues like this, it all appears to me as a second language. :)
I do have two questions (feel free to answer at your leisure -- no rush).
My first question is, how come NIS and AVAST failed to rectify this issue? Were these triple trojans an advanced virus?
And second: Am I now possibly disease/virus free? That is, have they been completely removed and can I have my peace?
Thank you both so much; especially essexboy! :) If you are from Essex, U.K., Americans LOVE Sophia Grace and Rosie, as well as Russell Brand. I believe all three are from Essex!
I sincerely appreciate your amazing help and assistance. You are a true doctor! Thank you for the cure. ;) :D
-
There are no AVs at this time that can stop this from installing, as the dropper is changing on an almost hourly basis.
But Avast will stop it from doing further damage.
Once you have run this small registry fix then all should be well, but let me know, as we have to remove the tools and tidy up.
So let's get at it.
Any problems with this then just shout
From the link below download bits.zip to your desktop
https://dl.dropbox.com/u/73555776/BITSVista.zip
Double click the zip file to open
Then extract the reg file to your desktop
Double click the reg file
Accept the warnings
Reboot
Once rebooted, could you try Windows Update please?
-
Sorry for the late response. I have downloaded the bits.zip and did as you instructed. I'm currently doing the Windows update and it is installing Windows Vista Service Pack 2 at the moment. :) Will update with the final outcome. Thank you SO much! :)
And lastly, I just wanted to make sure I understood you correctly. There are no anti-virus systems that can stop these trojans from installing, so therefore, these trojans are still present on my laptop? However, Avast will prevent the trojans from doing any further damage? Am I understanding this correctly? So there is no absolute "cure" for these viruses, but with all your amazing help, Avast will keep the viruses from doing any additional damage? I'm sorry if this sounds stupid and redundant. I'm just not technically gifted as many on this forum. :o
Edit: I have successfully completed Windows update. :) If you need any updated logs or information, please do let me know. Again, I really appreciate all your help. Have a wonderful day. :D
-
Avast held the malware in check until I was able to remove it... You should now be nice and clean again... If all is working well then...
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that
- Go to control panel
- Select folder options (Appearance > Folder options in category view)
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go Start > All programs > Accessories > System Tools
- Right click Disk Cleanup and select Run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and antivirus to protect your system, and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Dearest EssexBoy:
Thank you so much for your incredible patience, hard work, and care in regards to curing my computer. You are simply incredible and just amazing. A true doctor and magician--all in one! :) I have followed your instructions and sure enough, my desktop has been cleaned.
I will absolutely keep my laptop running for 24 hours and will report back if I have any problems. 8)
I do want to say a million thanks to you and to the others on this board who help cure people throughout the world and sincerely pray and hope you are massively blessed and favored in all that you do. I am so grateful to have come across this board and for fate to have our paths crossed. Thank you from the bottom of my heart for your careful individualized attention and care! You are the epitome of awesome! ;)
:wave: :hugs: :handshake: :thumbsup: :) :) :)
-
Shucks :-[
-
I did a full system scan today and the Avast located a virus -- Sirefef-PL (Rtk). Is this something I should be concerned about? I'm attaching a screenshot of what Avast discovered in the full system scan. I'm no expert at this, so I would sincerely appreciate your opinion on this. Thank you so much again. :)
-
Move that one to the Chest; by and of itself it is of no import, as all the main files that it is trying to run are no longer there... I have found that sometimes this one does manage to hide and escape.
-
Thank you for your help! :) It would not allow me to move it to the Chest, unfortunately, but it did allow me to "delete" it. After it was deleted, Avast recommended I reboot. I will run another full system scan today to make sure it has been fully eradicated from the system. Thanks so much. I hope you have a wonderful day. ;)
-
Oh, well, this should be interesting. >:( I'm running Avast's full system scan again and so far the system scan has completed only 8% and it has already detected 82 infected files? I haven't downloaded anything since the amazing major clean-up. I have no idea where these infected files came from. Hopefully they are just tracking cookies? I will keep you posted. :'(
Edit: Here are screen captures of the various threats detected. The last three threats say: "Error: The system cannot find path specified (3)". I'm rebooting my laptop as the other 79 detections require a system reboot (action postponed until the next reboot).
-
Part II of screenshot.
-
Part III of screenshot.
-
And finally, part IV. Thank you in advance for your review and input. :)
-
They look like false positives.
Please update Avast and rescan.
They are in the WinSxS folder, which is where Windows keeps some backup copies.
Running a scan on my system now to check it out.
-
Well, I'm still in the reboot process.
"Updates were not configured correctly. Reverting changes. Do not turn off your computer." It has been like this for the past twenty minutes but I am happy to patiently wait.
Strangely, when I turned on my laptop this morning, Avast said it was updated (or had been updated). I will nevertheless, update Avast once the updates or changes are done and will re-do the scan. :)
Update: Windows has finished doing whatever it was doing (reverting changes) and is now re-booting. Will update Avast and re-scan pronto! :D
-
Ah of course... Windows updates day
I will get them and scan to see if I get the same errors
-
Hmmm.....so I was never able to get to my login screen. The laptop stays on the "Updates were not configured correctly. Reverting changes. Do not turn off your computer" and then restarts, then goes back to the "Updates were not configured correctly. Reverting changes. Do not turn off your computer" and then restarts and gets stuck at the "Updates not configured" before going through the restart process over and over again.
I hope I haven't done anything wrong but I'm so confused. :o I haven't turned off the laptop because it says not to. Gosh, this is quite the escapade.
-
OK, could you reboot the computer and immediately press and hold F8?
You will get a menu appearing.
Select Repair my computer.
Then select Startup Repair.
-
Will do. Thank you so so so so sooooooooooo much. :)
-
First try Startup Repair.
If that fails then select System Restore and pick a restore point for yesterday.
-
I tried Startup Repair first but it went back to the "Updates were not configured correctly. Reverting changes. Do not turn off your computer" phase. Now I'm doing the System Restore but the earliest (and only) restore point is from 6:32 a.m. today. I cannot find the "Clean" restore point I saved? I chose the only restore point from today, 08/14/2012, at 6:32 a.m. and it is restoring the files at the moment. Fingers crossed it works. :) Thank you sincerely. You are the Super Man of the virus/malware world. 8)
-
OK, that should have been the one that Windows created prior to the updates... Were you doing a scan while the updates were being installed?
-
Oh gosh, the restoration was successful and I am now logged into my account. :) This is bad because I'm only in my 20's, but I cannot recall for sure if I was doing scans while the updates were being installed? Would there be a log that I can check to verify? The past week has been a total blur. The viruses were a total nightmare and being on the computer has not been the same ever since. I'm so paranoid about viruses now and have to admit that scanning has become my therapy.
Avast is saying that the database has been updated. Should I run a scan now? Or should I just lay low? I feel like I'm doing more damage than good so I'm not going to do anything until you say so. :'(
-
Just run a quick scan, but I will let you into a secret: I only scan when I remember (not that often); otherwise I just let the screensaver scan do the work.
-
Thank you for sharing your little secret. 8) I did a quick scan and it found nothing. You are awesome! Thank you for your intelligence, time, and dedication to this cause. You are most appreciated and needed in our world. Thank you so much! :D ;)
-
My pleasure.. Keep safe