Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: larryvir on September 11, 2012, 06:12:29 AM
-
Was hit, and locked up, by this twice:
09/07...Just rebooted, and it went away.
09/09...Persistent, had to reboot in safe mode. Avast 'Behavior' pop-up: Randll wgsdgsdgdsgsd.exe. Sent to Virus Chest, where it still is. Then ran full scans (with PUPS) via Avast free 7.0.1466, and Piriform SAS free 3.06.1433. No virus or threat found. Reran both 09/10 with same results.
But now, whenever I reboot I get pop-up saying, roughly: RANDLL...X Error loading wgsdgsdgdsgsd.exe...module not found (probably because it's in the Virus Chest). I just X it out and all's well. Ran Search for RANDLL; is pervasive, found 272 entries including 60 with RANDLL32 title, all the latter v short and dated 09/07-09/09...which seems suspicious to me. PC seems to run sl slower than usual, but not bad, may be my imagination.
I'm not concerned about that silly threat, but is that damn thing still on my PC? Would appreciate help (reassurance) on this. And what shd I do about those RANDLL32 entries?
PC is old (2004) Dell ON6381; OS XP Pro 32-bit SP3; Intel Pentium 4; RAM 512MB single DDR @ 166MHz per Speccy, but 2.80GHz (sic) per CCleaner; HD 78GB MaxtorGYO8OLO; I'm on BB. Speccy offers all (?) data if you need more.
Please help, Larry
-
I'm not concerned about that silly threat, but is that damn thing still on my PC? Would appreciate help (reassurance) on this. And what shd I do about those RANDLL32 entries?
start a new topic in the virus and worms section ......and in that topic you do this
follow this guide and attach (not copy and paste) the requested logs http://forum.avast.com/index.php?topic=53253.0
AdwCleaner
Malwarebytes
OTL
aswMBR
then help will arrive there later today ;)
-
So at least Avast Behaviour Shield is doing something :P ....glad to see it was able to get the ransomware :)
-
:)PONDUS, don't have these on my PC, so no logs to send.
And where do I find 'virus and worms'? :)
-
:)PONDUS, don't have these on my PC, so no logs to send.
that is why my post had a link to all the info ....click it ....read it .....download
someone here will help you...got to go to work ;)
-
:)Hi again PONDUS...ty for your interest.
1. I am usually v loath to dl all that stuff onto my PC, but will take and follow ur advice. This will take a while, but will get it done.
2. I am like the avg guy behind the wheel: can drive well, but wd not contemplate taking the transmission apart. Also not used to navigating THIS site...eg, how do I 'attach' what to where , and how?
3. Further, I am a v poor/slow typer. Don't want to appear lazy, but is there some way I can move my post from Free/Pro/Suite to Virus/Worms? :-[
-
ok to make it easier we drop making a new post in the virus and worms section..
just attach the logs here to this.....and i will notify the malware remover of your post here
1. when the malware remover is done he will remove all tools used
below the box where you write in here you find an "attachments and other options"
click that when attaching
-
Just in case a screenshot can help you understand what Pondus meant... ;D
-
true indian: TY but I cannot read that even blown up 4X :)
Pondus:
1. ADWCLEANER...GOT 'WARNING, unsafe site' so did NOT dl.
2. Malwarebytes...successful. Acted much like CCleaner, but found a TROJAN.RANSOM, which CC did NOT. Also found, as CC always does, that my MS updates is turned off (I want it off). Nothing else. Now in quarantine. Unfortunately, this log did not show up in 'my documents', but in Notepad, and I do not know how to 'attach' from Notepad... log still available if I find out how :-[
Very encouraging...will continue with the other dls ;D
-
Hi again Pondus,
This is continuation from previous...
(2a: incorrectly referred to CCleaner...was actually SuperAntiSpyware that is my usual malware hunter, and which did NOT find that TROJAN!)
3. Got lost in navigating, but finally got OTL. Followed instructions carefully and got scan. Can see nothing bad in that. Should I look for anything specific? Unfortunately, I cannot send that log to you; contains some v confidential items. Please do not consider me uncooperative.
Will continue with last scan: aswMBR.exe after an interruption for some work...I DID tell you I am SLOW :(
-
true indian: TY but I cannot read that even blown up 4X :)
Don't blow it up, just click on the picture
-
You can attach the OTL log and as soon as I have analysed it you can remove it from the thread
-
1. ADWCLEANER...GOT 'WARNING, unsafe site' so did NOT dl.
what gave that warning?
you can copy and paste malwarebytes and aswMBR log
OTL is the most important log here, but this you must attach as it is so big that it may take 10 posts with copy and paste to do and will also complicate Essexboy's work
-
OK, I'm about ready to quit this >:( These dls and scans are scattered all over my PC, and when I go to move one I lose something. Too complicated for me. This is like the farmer giving road instructions, but forgetting that the Big Oak was cut down :)
craigb...TY I knew there must be a simple way to view that, so call me simple :)
Pondus
(1a the ADWCLEANER gave the red WARNING when I pressed 'run'.)
4. I managed to dl aswMBR.exe, and it scanned. Finally found log file in Doc&Set. Have attached it here, I think...will see when it is sent.
Can we make a guess with what you now have?
-
the AdwCleaner is not that important....Essexboy will see the same stuff in the OTL log ....but depending on what it removed would make the OTL fix script smaller
so now we have aswMBR log
if you manage also attach or copy and paste Malwarebytes log .....if the program does not find and remove anything then you can drop that log
and the most important OTL.txt
-
Hi again Pondus
(3a found the OTL scan logs)
Am gaining some confidence in this; maybe I'm not so stupid :)
If the files come through, please be sure to DELETE them when you finish with them...they will still be here on my PC...somewhere :)
Now another problem: 'file is too large'...now what?
-
will try sending only the txt file
-
Tried sending 'X-file' :) too large...limited to 190KB ???
-
OK lets now start to remove it.. I will clear all tools once we are done
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
[2012/06/20 23:31:40 | 000,000,000 | ---D | M] (Web Assistant) -- C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX
[2002/09/03 15:50:45 | 000,004,819 | ---- | M] () (No name found) -- C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\q2x3nuf8.default\extensions\pxrruksrrw@pxrruksrrw.org.xpi
O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension32.dll ()
O3 - HKU\S-1-5-21-1085031214-1844237615-725345543-1003\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O33 - MountPoints2\{2d087c52-b052-11de-ae7a-fe820eab1ade}\Shell\AutoRun\command - "" = BOOTEX\thumbcache_131.exe
O33 - MountPoints2\{2d087c52-b052-11de-ae7a-fe820eab1ade}\Shell\explore\command - "" = BOOTEX/thumbcache_131.exe
O33 - MountPoints2\{2d087c52-b052-11de-ae7a-fe820eab1ade}\Shell\open\command - "" = .////BOOTEX/thumbcache_131.exe
:Files
C:\Program Files\Web Assistant
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
- Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe) and save it on your desktop.
NOTE: If using IE8 or better Smartscreen Filter will need to be disabled
- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished ...
- Click on Scan
(https://dl.dropbox.com/u/73555776/RKScan.GIF)
- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.
(https://dl.dropbox.com/u/73555776/RKDelete.GIF)
- The report has been created on the desktop.
- Next click on the ShortcutsFix
(https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF)
- The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.
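The fix script above names three patterns worth recognising in any OTL log: a BHO DLL with no publisher name, a toolbar whose CLSID no longer resolves, and MountPoints2 AutoRun/open/explore verbs that launch an executable from a removable volume. The triage helper below is an added example, not part of this thread or of OTL; it parses the O2/O3/O33 lines quoted in the script (plus one constructed benign BHO line with a placeholder CLSID) and flags those patterns.

```python
"""Triage heuristics for OTL log lines (added example; not part of this thread or of OTL).

OTL reports Browser Helper Objects as O2 lines, browser toolbars as O3 lines and
per-volume MountPoints2 shell commands as O33 lines. The checks below flag the three
patterns that appeared in the fix script posted above: a BHO DLL with no company name,
a toolbar entry whose CLSID no longer resolves, and a removable-volume AutoRun/open/
explore verb that launches an executable.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: four lines copied from the fix script in this thread plus one
# constructed, benign BHO line (placeholder CLSID and vendor) to show a non-hit.
SAMPLE_OTL_LINES = r"""O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension32.dll ()
O2 - BHO: (Example Helper) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll (Example Vendor Inc.)
O3 - HKU\S-1-5-21-1085031214-1844237615-725345543-1003\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
O33 - MountPoints2\{2d087c52-b052-11de-ae7a-fe820eab1ade}\Shell\AutoRun\command - "" = BOOTEX\thumbcache_131.exe
O33 - MountPoints2\{2d087c52-b052-11de-ae7a-fe820eab1ade}\Shell\open\command - "" = .////BOOTEX/thumbcache_131.exe"""

# O2 - BHO: (name) - {CLSID} - <dll path> (<company>)
BHO_RE = re.compile(r"^O2 - BHO: \((?P<name>.*?)\) - \{(?P<clsid>[^}]+)\} - (?P<path>.*) \((?P<company>[^()]*)\)$")
# O3 - <hive>\..\Toolbar\WebBrowser: (name) - {CLSID} - <value>
TOOLBAR_RE = re.compile(r"^O3 - .*\\Toolbar\\WebBrowser: \((?P<name>.*?)\) - \{(?P<clsid>[^}]+)\} - (?P<value>.*)$")
# O33 - MountPoints2\{volume GUID}\Shell\<verb>\command - "" = <command line>
MOUNT_RE = re.compile(r'^O33 - MountPoints2\\\{(?P<volume>[^}]+)\}\\Shell\\(?P<verb>[^\\]+)\\command - "" = (?P<command>.*)$')

# Shell verbs that Windows runs when a volume is inserted or double-clicked.
AUTORUN_VERBS = {"autorun", "open", "explore"}


@dataclass
class Finding:
    section: str   # OTL section code, e.g. "O33"
    reason: str    # why the line was flagged
    detail: str    # the fragment that triggered the flag


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious O2/O3/O33 line, or None if it looks benign."""
    line = line.strip()
    m = BHO_RE.match(line)
    if m:
        if not m.group("company").strip():
            return Finding("O2", "BHO DLL carries no company/publisher name", m.group("path"))
        return None
    m = TOOLBAR_RE.match(line)
    if m:
        if "No CLSID value found" in m.group("value"):
            return Finding("O3", "toolbar references a CLSID that no longer exists", m.group("clsid"))
        return None
    m = MOUNT_RE.match(line)
    if m:
        verb, command = m.group("verb"), m.group("command")
        if verb.lower() in AUTORUN_VERBS and re.search(r"\.exe\b", command, re.IGNORECASE):
            return Finding("O33", f"removable-volume '{verb}' verb launches an executable", command)
        return None
    return None


def triage(text: str) -> List[Finding]:
    """Run triage_line over every line of an OTL log and collect the hits in order."""
    hits = []
    for raw in text.splitlines():
        finding = triage_line(raw)
        if finding is not None:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL_LINES):
        print(f"{f.section}: {f.reason} -> {f.detail}")
```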
-
Hi essexboy, welcome to my problems.
I gather that I (surprisingly) sent you enough info to analyze my problem, and hope you will not be underwhelmed by my lack of expertise here. I'm over 80 but feel under 8 in this mix-up. But I'm learning. If you are careful to dot the t's and cross the i's in your instructions I wd be most appreciative. I'll do my best.
1. Are we just chasing down this virus or making more fixes to my PC? Shd I anticipate any major changes in my programs? And according to CCleaner my Registry is a mess, but I'm afraid to 'fix' it.
2. OTL seems clear, but to be certain: a) does 'shut down all processes' include Avast, etc? b) I gather I'm not to change anything in the initial set-up, but I shd copy/paste the entire (bluish) box at bottom from :OTL through [reboot]; c) after quick scan, where will this log show up?
3) RogueKiller: a) To get it on my DT, is that an option while dling?; b) I am on IE8...where is this Smartscreen Filter, and how do I disable it?; c) two reports after Scan, one before and one after 'delete'?; d) and a third after ShortcutsFix, correct?
I realize these questions are basic (infantile) but I'd rather not be as embarrassed as I was after the first go-around :) :-[ Will start, and await your answers anxiously.
-
essexboy
This showed up on Notepad after reboot.
-
essexboy
...But (here we go again!) after quick scan, second entry in Notepad is 09122012-204319
This does not show up on Desktop or in My Documents, and I cannot attach it here directly from Notepad :-[ :-X
...What am I doing wrong? and how to get it posted?
-
essexboy
Ran RogueKiller. Have three RK reports, attached hereto.
Still working on getting second OTL to you...it's still on OTL, but no longer on Notepad. How can I get it attached here?
-
Here is a very good guide that will take care of this in minutes.
http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware
-
Here is a very good guide that will take care of this in minutes.
http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware
As essexboy is already handling this issue then it is best left in his hands.
-
There is no forum rule that others cannot help. Bleepingcomputers is a top site for malware removal help. I have done exactly this on 25 computers and it's removed in minutes rather than days of scanning with OTL. OTL is great and so is essexboy but if someone knows a faster, easier way then it should be provided. OTL is kinda old school and can be very tedious for a newbie. Emsisoft Emergency Kit can also be installed as a portable app.
-
There is no forum rule that others cannot help.
It's well known that once you start receiving help from a malware specialist others need to butt out and let the specialist ( essexboy ) do their job.
-
Again I will say that if it's a forum rule then it should be clearly stated as such and not assumed. Also if essexboy is the only one that can help then there should be a separate section in the forum that only he can post in. No one knows everything. Especially essexboy. I've been in the computer business for 15 years and still don't know everything. OTL is old school and takes help. The link I provided is an easier and more effective way. We are a community and in a community we all help each other. Thanks.
-
No offense to essexboy but if I can add more education then it should not be turned down or deleted. 2 days later and it's still not done. I have provided several clients with this exact guide and within 25 minutes it's fixed.
-
It's not just about cleaning out the malware, the logs requested also provide information as to whether there are other problems as well and there is a lot of information that can also be collected from infected systems to further help avast in its fight.
essexboy is not the only malware specialist we have here and there is a separate area for them to provide help but unfortunately not all people with issues start their thread in the correct section "hence this thread"
-
One scanner is not enough. That's why there are so many free on demand scanners out there. The most important thing is turn around time. Why spend days going back and forth with log postings when in a matter of minutes it can be fixed. Use the info provided in the link then follow up with an MBAM scan. Never hurts to scan with HMP also or CCE.
-
Aventador This is not the same malware as the one you have linked to I am afraid, malware does not stay the same so a tool that worked yesterday will not work today.. HMP has killed a fair few systems I have had to recover. Also working in a shop with the computer is easy, working remotely is not
larryvir this should be the last run, once done can you let me know of any problems you are experiencing
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
[2012/09/08 23:07:55 | 004,503,728 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS1\Application Data\dsgsdgdsgdsgw.pad
:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
I beg to differ. I also do house calls and work remotely via Teamviewer.
-
I beg to differ. I also do house calls and work remotely via Teamviewer.
as essexboy said you have worked via remote access on a system, not like essexboy is doing here in this forum...I know how hard it is when you don't have your hands on the system since I do such stuff everyday...whether remote access, hands-on cleaning or whatever...I remember when I was very new to such removal stuff and believe me I have wrecked a few machines by following hands-on guides and having years of experience too.... ;D
-
Excuse me but please do not assume. When someone emails me or calls me with a problem I often provide them with links to aid them. Which means they're on their own. The instructions laid out by Bleepingcomputers can be used and followed by anyone. OTL involves special care and interaction with an expert to work.
-
No one can know everything. I sure don't. But if someone can share info which can provide a safer and faster way to help the person it should not be shied away from. In the field no one uses OTL anymore cause it's too time consuming.
-
That is why I use OTL as it will show me the areas that need to be removed/fixed/repaired. The tools used as a standalone will not get all of the bad files/registry entries. Plus I am an Instructor in online malware removal, so I do have a modicum of experience in this area. Could we refrain from using this thread to discuss it as larryvir will be lost in what to do
-
I respect your last post essexboy. Just return the favor. Thanks.
-
To all of you:
I'm surprised by all the hits/interest shown in this problem, and embarrassed by so many observing my (let's be polite and say) inexperience here. As I indicated before, most of us can drive a car well, but few can delve into a motor or transmission...we call a mechanic. Pondus and essexboy have been my most helpful mechanics, and I shall leave the resolution of this matter in the hands of essexboy..."too many cooks spoil the broth" :) So ty to all, but ease off please.
To essexboy:
1. I truly appreciate the time and efforts you are taking on my behalf. But can I prevail upon your good nature to check my Reply#19, and answer some of the basic questions I raised?
2. I have no problem running the scans, and can see that they are really prodding around in my innards :) But I am frustrated by my inability to post all the scan results for you. Are you getting enough info? Can you tell me how to improve my score? I know this is lack of v basic knowledge on my part, but I find it v annoying to have all this scattered somewhere on my PC and not be able to communicate it >:(
3. Very few (v minor) problems have arisen. That TROJAN.RANSOM is no longer in evidence...SAS, Avast and Malwarebytes don't show it...none show any threats at all, but I guess they may be hidden.
4. ONWARDS :) , but I hope I shall be able to post the scans. Please tell me how to get from Notebook to attachment...when they get to My Documents all is well, but sometimes I cannot get them there, then... :(
-
Hi essexboy, welcome to my problems.
I gather that I (surprisingly) sent you enough info to analyze my problem, and hope you will not be underwhelmed by my lack of expertise here. I'm over 80 but feel under 8 in this mix-up. But I'm learning. If you are careful to dot the t's and cross the i's in your instructions I wd be most appreciative. I'll do my best.
1. Are we just chasing down this virus or making more fixes to my PC? Shd I anticipate any major changes in my programs? And according to CCleaner my Registry is a mess, but I'm afraid to 'fix' it.
2. OTL seems clear, but to be certain: a) does 'shut down all processes' include Avast, etc? b) I gather I'm not to change anything in the initial set-up, but I shd copy/paste the entire (bluish) box at bottom from :OTL through [reboot]; c) after quick scan, where will this log show up?
3) RogueKiller: a) To get it on my DT, is that an option while dling?; b) I am on IE8...where is this Smartscreen Filter, and how do I disable it?; c) two reports after Scan, one before and one after 'delete'?; d) and a third after ShortcutsFix, correct?
I realize these questions are basic (infantile) but I'd rather not be as embarrassed as I was after the first go-around :) :-[ Will start, and await your answers anxiously.
1. The process is to remove the main bad files and anything that they may leave behind. A messy registry is not a problem unless you can determine start speeds to the nano-second ;D
2. OTL will request each running process to close, if it refuses (like Avast will) then it moves on to the next process etc..
The script in the code box can be either a scan request or a fix command dependent on what we wish it to do
All logs will appear in the same location as the main OTL file, so if it is on the desktop that is where it will be
3. RogueKiller is a multipurpose tool; in addition to killing any known bad processes/registry keys it will also inspect the Master Boot Record for any infection. The shortcuts fix will restore any files/folders that the malware has hidden. The smartscreen filter is under the tools option on the main IE bar
As I will always ask a mechanic what he is doing when repairing my car it is only fair for you to do the same. Plus like the mechanic I never leave any tools behind ;D
So how is the computer behaving now.. Do you have any problems at all ?
-
essexboy
Three showed up on Notepad: OTL.Txt, Extras.Txt, and 09132012_145535
Only the attached was movable to My Docs, and cd be found in 'Browse'.
If you want the others, please tell me how.
-
Nope all I need now is to know what problems remain before I tidy up ;D
-
To essexboy
1. Phew, glad that's over :) Don't know how to thank you enough for all that time and effort! Great job! I assume I can delete the debris now (?) I intend to keep Malwarebytes...can't hurt to have two roach-killers on the job (but yes, only one AV, Avast for sure!)
2. In general PC runs much as before: good. TROJAN.RANSOM gone; no threats found by my three ghost-hunters; all seems 'quiet on the home-front'.
3. Very minor 'problems' such as that damn Windows security shield back in my tray which pops up on every boot telling me updates shd be dled...forget how I removed it before. But if that's the biggest complaint you ever get, you must be doing pretty well ;D
4. I might mention a few possible 'indicators', none of which may pertain to this: a) In my first post I mentioned Rundll32...shd I delete the ~60 suspicious ones, short ones (~30-60 bytes) which appeared 09/07-09/09 when the trouble started?; b) Something strange showed up in My Docs ~70 'album art' (half long and half short jpg's) covers of music I've dled...is that of any significance?...I may delete them; c) That wgsdgsdgdsgs.exe is still in Avast jail, labeled 'no virus'...shd I delete that?; d) "Error on page" appears more frequently, at the bottom just above the Start line...mean anything?
Again my heartfelt thanks for a great job. Will let you know if anything else shows up. Will also keep you on tap shd I need help in the future [that's the trouble with showing expertise... ;) ;D ]
-
Anything in the virus chest can now be deleted
Reference the windows updates you should install them to keep your system secure
"Error on page" appears more frequently, at the bottom just above the Start line...mean anything?
I assume that you mean internet explorer
Go to Control Panel > Internet Options > Advanced Tab
And reset the settings.. See picture at the bottom
I will clear my tools now and once that is done let me know of any further concerns
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so.. The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Hi essexboy
PC running well, about as usual. Lost two PWs, easily replaced; some sites load sl more slowly, but load speed varies normally.
Followed your 'end-game' plan:
1. OTL. Ran fix, then cleanup (twice). OTL did not delete itself, so I did it manually. But I notice those 'attachments' still show up on my posts...How can I delete them?
2. Hidden f&f was already checked (from long ago).
3. Malwarebytes I shall keep, as mentioned before, so I shall have Avast and two roach hunters.
4. A word on auto updates: I dislike them...they are intrusive, slow down my PC and bark at the wrong time. I generally manually update all each month, but will do so 2X/mo if you think it best. Will add Windows update to that list...have been reluctant to update Windows (created problems in the past)...was talked into updating in July...170 loaded my PC! Wd rather not have 'Hippo'.
5. 'Error on page'. Wd rather not reset all...some I set for other, unremembered, reasons. Is there some specific setting I shd reset? (Msg is showing right now)
6. Have a Firewall (windows) but never found out how to 'update' it...will check. Avast free offers no firewall, does it?
7. Emptied Avast Virus Chest...no change noted.
8. Wd still like to know how to rid my PC of that damn Window Security shield in my tray...it keeps insisting I turn on auto update >:(
Guess that's it. Please answer above when/if you get time/inclination. You have done a fine job, and gone 'beyond the call of duty'. I won't thank you again...you might get the impression that you've done something clever :) ;) ::)
-
A word on auto updates: I dislike them...they are intrusive,slow down my PC and bark at the wrong time. I generally manually update all each month
Second Tuesday of each month is the update day ;D
Wd still like to know how to rid my PC of that damn Window Security shield in my tray...it keeps insisting I turn on auto update
Go to control panel > Security center. Turn it off there (pic 1 below)
Have a Firewall (windows) but never found out how to 'update' it
That is done via windows updates
'Error on page'. Wd rather not reset all...some I set for other, unremembered, reasons. Is there some specific setting I shd reset? (Msg is showing right now)
Again control panel > Internet Options place ticks in the debugging boxes (pic 2)
But I notice those 'attachments' still show up on my posts...How can I delete them?
On the top right of the post is a modify button, click that and then delete the attachment
-
Second screenshot