Avast WEBforum

Other => Viruses and worms => Topic started by: Waldoctg on October 05, 2012, 11:59:06 PM

Title: So I'm getting some virus updates from Avast!... HELP!
Post by: Waldoctg on October 05, 2012, 11:59:06 PM
Should I post the names of the viruses here?

I sent them to the chest, but I don't know if I should delete them or not...
Title: Re: So I'm getting some virus updates from Avast!... HELP!
Post by: Pondus on October 06, 2012, 12:34:11 AM
What files were detected?
Where were they located?
What malware name did avast give?
Title: Re: So I'm getting some virus updates from Avast!... HELP!
Post by: Waldoctg on October 08, 2012, 04:25:43 AM
I tried to post an image, but I could not figure it out.

Here are the 5 locations:

C:\TDSSKiller_Quarantine\25.07.2012_15.28.08\mbr0000\mbr0000\tsk0000.dta
C:\TDSSKiller_Quarantine\25.07.2012_15.28.08\mbr0000\mbr0000\tsk0001.dta
C:\TDSSKiller_Quarantine\25.07.2012_15.28.08\mbr0000\mbr0000\tsk0003.dta
C:\_OTL\MovedFiles\07252012_152241\C_Windows\assembly\GAC_32\Desktop.ini
C:\_OTL\MovedFiles\07252012_152241\C_Windows\assembly\GAC_64\Desktop.ini

Here are the names of the 5 viruses:
MBR:Pihar-D[Rtk]
MBR:Pihar-D[Rtk]
MBR:Alureon-B[Rtk]
MBR:Win32:Sirefef-PL[Rtk]
MBR:Win32:Sirefef-PL[Rtk]

That's all the information I have.  Is this adequate?
Title: Re: So I'm getting some virus updates from Avast!... HELP!
Post by: Pondus on October 08, 2012, 04:51:47 AM
Have you run TDSSKiller before?
Have you run OTL before?

It seems you have not followed essexboy's last instructions to remove his tools when the job was done, as what you are detecting are files that were quarantined by those programs.

I have sent him a PM so that he will be back with new instructions   ;)
Title: Re: So I'm getting some virus updates from Avast!... HELP!
Post by: essexboy on October 08, 2012, 04:08:19 PM
Hmm, the date indicates 25 July...

Run OTL and press the cleanup button
Title: Re: So I'm getting some virus updates from Avast!... HELP!
Post by: Waldoctg on October 08, 2012, 11:59:38 PM
Thanks!

Actually, I did follow the instructions and cleaned everything up.  I deleted OTL off of my computer, in fact.  Should I just reinstall it and then run it again?

On a side note... my browsers keep trying to change their default search browser to search.snap.do.com... I've never used this, so I am confused... it even installed an add-on to Mozilla Firefox.  Is it correlated?

Thanks!
Connor
Title: Re: So I'm getting some virus updates from Avast!... HELP!
Post by: essexboy on October 09, 2012, 04:22:55 PM
Let's clear the bad boy called snapdo

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop
Secondary link  (http://www.itxassociates.com/OT-Tools/OTL.exe)
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT


Title: Re: So I'm getting some virus updates from Avast!... HELP!
Post by: Waldoctg on October 09, 2012, 09:23:37 PM
Here is the test.

NOTE: There was no "Extra.Txt" file.
Title: Re: So I'm getting some virus updates from Avast!... HELP!
Post by: essexboy on October 09, 2012, 09:29:56 PM
You will need to reset Chrome manually

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
Code:
:OTL
IE - HKLM\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/?publisher=Download&dpid=Download&co=US&userid=667ef997-2074-40db-9731-9d0770d78bf7&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-3121085536-567810485-1202720719-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snap.do/?publisher=Download&dpid=Download&co=US&userid=667ef997-2074-40db-9731-9d0770d78bf7&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-3121085536-567810485-1202720719-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://feed.snap.do/?publisher=Download&dpid=Download&co=US&userid=667ef997-2074-40db-9731-9d0770d78bf7&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-3121085536-567810485-1202720719-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://feed.snap.do/?publisher=Download&dpid=Download&co=US&userid=667ef997-2074-40db-9731-9d0770d78bf7&searchtype=hp
IE - HKU\S-1-5-21-3121085536-567810485-1202720719-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://feed.snap.do/?publisher=Download&dpid=Download&co=US&userid=667ef997-2074-40db-9731-9d0770d78bf7&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-3121085536-567810485-1202720719-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://feed.snap.do/?publisher=Download&dpid=Download&co=US&userid=667ef997-2074-40db-9731-9d0770d78bf7&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-3121085536-567810485-1202720719-1000\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKU\S-1-5-21-3121085536-567810485-1202720719-1000\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/?publisher=Download&dpid=Download&co=US&userid=667ef997-2074-40db-9731-9d0770d78bf7&searchtype=ds&q={searchTerms}
FF - prefs.js..browser.startup.homepage: "http://feed.snap.do/?publisher=Download&dpid=Download&co=US&userid=667ef997-2074-40db-9731-9d0770d78bf7&searchtype=hp"
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\fbphotozoom@installdaddy.com: C:\Program Files (x86)\fbphotozoom\fbphotozoom15.xpi
[2012/10/01 17:41:38 | 000,000,000 | ---D | M] (ASPCA App By We-Care.com) -- C:\Users\Mastah C\AppData\Roaming\Mozilla\Firefox\Profiles\rgit5epd.default\extensions\wecarereminder@bryan
[2012/05/08 18:18:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mastah C\AppData\Roaming\Mozilla\Firefox\Profiles\rgit5epd.default\jetpack\FantapperExtension@brandaffinity.net
[2012/05/08 18:21:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Mastah C\AppData\Roaming\Mozilla\Firefox\Profiles\rgit5epd.default\jetpack\FantapperExtension@brandaffinity.net\simple-storage
O2 - BHO: (WeCareReminder Class) - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll (We-Care.com)
O4 - HKU\S-1-5-21-3121085536-567810485-1202720719-1000..\Run: [Browser Infrastructure Helper] C:\Users\Mastah C\AppData\Local\Smartbar\Application\SnapDo.exe startup File not found


:Files
C:\Users\Mastah C\AppData\Local\Smartbar
C:\ProgramData\WeCareReminder

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
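As an added example (not from the thread and not OTL's own code): a small Python parser for OTL-style "IE -" and "FF -" lines that flags search and home-page settings whose URL host is not on an allowlist, which is the pattern visible in the fix above. The sample lines are constructed to mirror it, with the user SID and the snap.do userid replaced by placeholders.

```python
"""Flag browser search/home-page settings pointing at an unexpected host.

Added example, not from the forum thread or the OTL tool. It reads lines in
the style of an OTL log and reports any URL-valued setting whose host is not
on a small allowlist. Sample lines are constructed; SID and userid are
placeholders.
"""
import re
from urllib.parse import urlparse

# Hosts the user actually expects their browser to search through.
ALLOWED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Constructed OTL-style lines modelled on the thread's fix.
SAMPLE_LOG = r"""
IE - HKLM\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/?publisher=Download&userid=PLACEHOLDER&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-EXAMPLE-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://feed.snap.do/?publisher=Download&userid=PLACEHOLDER&searchtype=hp
IE - HKU\S-1-5-21-EXAMPLE-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.bing.com/search?q={searchTerms}
FF - prefs.js..browser.startup.homepage: "http://feed.snap.do/?publisher=Download&userid=PLACEHOLDER&searchtype=hp"
FF - prefs.js..browser.search.defaultenginename: "Google"
"""

# Matches 'IE - <key>,<value> = <url>' and 'FF - prefs.js..<pref>: "<value>"'.
LINE_RE = re.compile(
    r'^(?P<browser>IE|FF) - (?P<setting>.+?)(?:\s=\s|:\s)"?(?P<value>\S+?)"?$'
)


def find_hijacked(log_text, allowed=ALLOWED_HOSTS):
    """Return (browser, setting, host) for each URL-valued setting whose
    host is not in the allowlist. Non-URL values (names, GUIDs) are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parsed = urlparse(m.group("value"))
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # e.g. an engine name or a GUID, not a URL
        if parsed.hostname.lower() not in allowed:
            hits.append((m.group("browser"), m.group("setting"), parsed.hostname))
    return hits


if __name__ == "__main__":
    for browser, setting, host in find_hijacked(SAMPLE_LOG):
        print(f"{browser}: {setting} -> {host}")
```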
Title: Re: So I'm getting some virus updates from Avast!... HELP!
Post by: Waldoctg on October 11, 2012, 07:53:47 PM
Awesome.  Thanks so much.  Snap.do.com seems to be gone so far...  :)  Here's the new log.
Title: Re: So I'm getting some virus updates from Avast!... HELP!
Post by: essexboy on October 11, 2012, 08:27:08 PM
You still need to reset Chrome as it is visible there, but the rest looks OK. Any problems?
Title: Re: So I'm getting some virus updates from Avast!... HELP!
Post by: Waldoctg on October 12, 2012, 02:28:52 AM
Awesome.  Thank you, thank you, thank you so much!!! I'm reinstalling Google now :)

Waldoctg
Title: Re: So I'm getting some virus updates from Avast!... HELP!
Post by: essexboy on October 12, 2012, 11:30:54 AM
Run OTL and press the cleanup button to tidy up