Avast WEBforum
Other => Viruses and worms => Topic started by: Nick33 on November 30, 2012, 02:50:11 AM
-
Hello
I have recently received warnings from Avast! regarding the above virus (Pop-up attached). I have deleted the two files displayed in the pop-up but they keep returning when I restart the system (internet connection?). The virus tries to disable Avast! on each start up (notification pop-up) which I choose "No" of course and I have attached the OTL, aswMRB, and SuperAntiSpyware logs.
I have downloaded ComboFix onto my desktop as well in preparation that I may need it but reading through some of the other posts it looks as though it is quite powerful so I don't think I want to be using it without some expert guidance.
All help is greatly appreciated!
Regards
Nick
-
And the SuperAntiSpyware scan log.
Edit: I have also attached the Malwarebytes Anti-Malware log (yesterday after infection).
-
removal specialists are notified. it may take hours before one arrive so be patient
-
Let me know if this stops the alerts
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
O4 - HKCU..\Run: [JwvDfaej] C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe File not found
O20 - HKLM Winlogon: UserInit - (C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe) - C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe File not found
:Files
C:\Users\Nick\AppData\Local\bqhquaye
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Sorry for the delay, here is the Quick Scan and Run Fix logs. When the system restarted the Avast! alert with the blocked file was displayed again. Would the next step involve using ComboFix?
-
I am loth to use combofix unless really necessary
Could you attach a screenshot of the latest alert please
I am removing the steam crack from startup as that may be the root of the problem
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\searchpredict@speedbit.com:
O4 - HKCU..\Run: [JwvDfaej] C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe File not found
O20 - HKLM Winlogon: UserInit - (C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe) - C:\Users\Nick\AppData\Local\bqhquaye\jwvdfaej.exe File not found
[2012-11-29 11:33:47 | 000,102,464 | ---- | C] () -- C:\Users\Nick\AppData\Roaming\LVx6d96.exe
[2012-11-27 20:24:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cracked Steam
:Files
c:\Users\Nick\AppData\Local\bqhquaye
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
I have attached screenshots of both pop-ups (virus attempt to shutdown avast and blocked virus files). I doubt that cracked steam is the problem since it has been installed for several months, but I have run the code as you have requested and the program seems to freeze when processing the first Firefox Extension - maybe it's because I don't have Firefox installed?
Regards
Nick
-
OK lets continue with Combofix although the data appears to be in the temp files
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
I have tried to run ComboFix (as administrator) but it disappears without warning and the process is not present in task manager. This eratic program closing behaviour seems to also affect Google Chrome. Do you want me to try run ComboFix in safemode with or without networking?
-
Try safe mode with networking, also rename combofix to Gotcha
-
Renaming ComboFix to Gotcha has allowed it to run under normal system settings. I have attached the log as requested.
-
OK lets now manually kill it
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\users\Nick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jwvdfaej.exe
Folder::
c:\users\Nick\AppData\Local\bqhquaye
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JwvDfaej"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
-
Here is the log as requested. I hope we are close to removing this stubborn infection.
-
OK I will need to work outside of windows for this one
Could you reboot the computer and press F8
On the safe mode menu is the option "Repair my Computer" ?
If so do you have access to a USB drive
-
Yes, I have rebooted the computer into "Repair my Computer" mode and I'm at the dialog box "System Recovery Options". I happen to have a USB right next to me.
-
Excellent
Download the following following programme to your USB :
Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe)
Insert the USB into the sick computer and start the computer.
Reboot to the safe mode menu
Click repair my computer
(You may not see all the following screen shots)
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg)
Select your operating system
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg)
Select Command prompt
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg)
At the command prompt type the following :
notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
(https://dl.dropbox.com/u/73555776/FRST%20Start%20scan.gif)
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
-
The log is attached as requested :)
-
Download the attached fixlist.txt to the USB drive with the FRST file
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemOn Vista or Windows 7
Now please enter System Recovery Options.
Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it in your next reply.
-
Fixlog attached.
-
Could you now reboot to normal windows and run an OTL quickscan please
-
OTL Quickscan log attached. Just wanted to ask if any legitimate (safe) deleted files need to be restored or what the cleanup procedure is?
Thankyou so much for your help, the Avast! alerts haven't returned and no programs (such as Chrome) are behaving abnormally.
If you don't mind me asking, why did the infection (I suspect it happened when avast! alerted me when I closed a pop-up ad) seem more difficult to remove than others?
(Just read through other threads where running ComboFix was all that was needed)
-
No legitimate files were killed..
This programme had a file protection feature of some sort, probably kept within memory. Hence the need to work outside of windows
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Remove ComboFix- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall
(Notice the space between the "x" and "/")
then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
If you use on-line banking then as an added layer of protection install Trusteer Rapport (http://www.trusteer.com/Products/Trusteer-Rapport-for-Online-Banking)
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)Keep safe :wave:
-
I have removed ComboFix and run the cleanup procedure in OTL but I am cannot re-enable Avast! shields or services. Nothing appears to happen when I click enable on the taskbar notification icon and re-ticking the Avast! self-defense module in settings doesn't stay. Also when I run exe files as administrator a dialog box pops-up which won't accept my details even though my account is set as administrator? I have attached screenshots of both issues.
Regards
Nick
-
OK first run a repair of Avast , do you know how to do that ?
Download Windows Repair (all in one) from this site (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)
Install the programme then run
(https://dl.dropbox.com/u/73555776/waio%20start.JPG)
Go to step 3 and allow it to run SFC
(https://dl.dropbox.com/u/73555776/waio%20step3.JPG)
On the start repairs tab click start
(https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG)
Select the following items and tick restart system when finished
(https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG)
-
I have repaired Avast! but still cannot turn on real-time shields (9 of them), the firewall and definition updates are working fine.
Edit: running Windows Repair (all in one) seems to have solved the Avast! problems but I still cannot run that exe file (administrator permission pop-up). You would think after Windows Repair reset file permissions it would work, but apparently not...
This issue in minor and we have successfully removed the virus so I guess your work here is done.
Thankyou for your expertise, greatly appreciated. :)
-
A few quotes from MS on that problem
Method 2:
You may even use the below steps and check -
1. Right click the program file and click properties.
2. Now click on the compatibility and select run the program as administrator .
3. Now click on change settings for all users and click ok. Now check if the issue resolves.
Hope this helps. Let us know the results.
Thanks,
Meghmala – Microsoft Support
First you should login as an administrator to perform these actions, although if you don't you will just have to supply the administrator's password at least once.
Locate the shortcut that you use to open the program. If you use more than one method, you may have to do this multiple times. Right click on the shortcut or menu item and select Properties. Navigate to the Compatibility tab and click the Change settings for all users at the bottom. In the new popup dialogue, check the Run this program as an administrator at the bottom within Privilege level. Click OK, OK to finish off the program Properties dialogue.
That should raise the program`s privilege level to administrator anytime it is run by any user on that machine.