Avast WEBforum
Other => Viruses and worms => Topic started by: REDACTED on February 06, 2013, 04:44:17 AM
-
Avast randomly popped up and told me: "Suspicious files have been detected (using a heuristic method). This may be a sign of malware infection."
Short of deleting this and probably having to reinstall my OS what should I do?
Also, when I scan this file, specifically, with avast, or the entire systems32 folder, no threat is ever found, it was only this once that Avast randomly told me it may have a malware infection? Is this something to be worried about.
-
Man you got a real long name. Please do not use your e-mail as nickname. BTW welcome to Avast! forums.
A screenshot of the alert would be helpful. Also the name of the file that Avast! detected.
Is the file popping up continuously or just that one time ? How is the comp. behaving ?
Have you done a full scan with avast! ? Did it find anything ?
Follow this guide: http://forum.avast.com/index.php?topic=53253.0
and attach ( Do not copy/paste ) logs for AdwCleaner, malwarebytes', OTL, and aswMBR.exe.
An expert in the removal of malware will help you.
Some time may pass before getting help due to time zone differences. Meanwhile do your scans and attach the logs.
-
Explorer.exe? hhhmmm...try to copy that file into another computer with the same Operating System and version. that was the trick I've used. worst scenario, you have to format your computer. you must put into habit of Creating a restore point with windows. so that you have a backup plan when your computer crashes. most of the user here don't know how to use that special function of Windows.
-
....worst scenario, you have to format your computer.
No need to format your OS AdoptablePeach, just attach the logs and let a specialist to look at them.
-
Ok so here is the initial log after downloading adwcleaner.
C:\Users\Everett\AppData\Roaming\Mozilla\Firefox\Profiles\pvm8n7zl.default\user.js ... Deleted !
[OK] File is clean.
File : C:\Users\Ethan\AppData\Roaming\Mozilla\Firefox\Profiles\jwetvlj6.default\prefs.js
Deleted : user_pref("browser.search.defaulturl", "hxxp://search.gboxapp.com/?q=");
Deleted : user_pref("browser.startup.homepage", "hxxp://search.gboxapp.com/");
Deleted : user_pref("extensions.4fa188d75bf14.scode", "(function(){try{if('aol.com,mail.google.com,mystart.inc[...]
Deleted : user_pref("keyword.URL", "hxxp://search.gboxapp.com/?q=");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaulturl", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Deleted : user_pref("sweetim.toolbar.urls.homepage", "hxxp://home.sweetim.com");
-\\ Google Chrome v24.0.1312.57
File : C:\Users\Roy\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
File : C:\Users\Zack\AppData\Local\Google\Chrome\User Data\Default\Preferences
Deleted [l.866] : homepage = "hxxp://home.sweetim.com/?crg=3.1010000.10004",
Deleted [l.1352] : urls_to_restore_on_startup = [ "hxxp://home.sweetim.com/?crg=3.1010000.10004", "hxxp://www.g[...]
File : C:\Users\Everett\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
File : C:\Users\Ethan\AppData\Local\Google\Chrome\User Data\Default\Preferences
Deleted [l.8] : homepage = "hxxp://search.conduit.com/?SearchSource=10&ctid=CT3201318",
Deleted [l.12] : urls_to_restore_on_startup = [ "hxxp://search.gboxapp.com/" ]
Deleted [l.42] : search_url = "hxxp://search.gboxapp.com/?q={searchTerms}",
Deleted [l.43] : suggest_url = "hxxp://search.gboxapp.com/?q={searchTerms}"
Deleted [l.1094] : homepage = "hxxp://search.conduit.com/?SearchSource=10&ctid=CT3201318",
Deleted [l.1421] : urls_to_restore_on_startup = [ "hxxp://search.gboxapp.com/" ]
*************************
AdwCleaner[S1].txt - [307 octets] - [05/02/2013 23:32:30]
AdwCleaner[S2].txt - [19719 octets] - [06/02/2013 16:44:31]
########## EOF - C:\AdwCleaner[S2].txt - [19780 octets] ##########
-
My malwarebytes scan.
Internet Explorer 9.0.8112.16421
Everett :: DESKTOP [administrator]
Protection: Enabled
06/02/2013 5:01:16 PM
mbam-log-2013-02-06 (17-01-16).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 352343
Time elapsed: 25 minute(s), 40 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCR\CLSID\{0696f815-a3a9-490a-bb14-9ec3350b1276} (PUP.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform|ShopperReports 3.1.69.0 (Adware.HotBar) -> Data: -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform|SRS_IT_E879077FBD765C5534AE96 (Malware.Trace) -> Data: -> Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 10
C:\ProgramData\OptimizerPro1\OptimizerPro1.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Everett\AppData\Local\Temp\is-BC69E.tmp\DealioToolbar-stub-1.exe (PUP.Dealio.TB) -> Quarantined and deleted successfully.
C:\Users\Everett\AppData\Local\Temp\is-JA7JO.tmp\DealioToolbar-stub-1.exe (PUP.Dealio.TB) -> Quarantined and deleted successfully.
C:\Users\Everett\AppData\Local\Temp\is-QSU73.tmp\DealioToolbar-stub-1.exe (PUP.Dealio.TB) -> Quarantined and deleted successfully.
C:\Users\Zack\AppData\Local\Temp\ICReinstall\Facemoods.exe (Adware.InstallCore) -> Quarantined and deleted successfully.
C:\Users\Everett\Local Settings\Temporary Internet Files\Content.IE5\CJP1QB9U\uninstaller[1].exe (PUP.Offerware) -> Quarantined and deleted successfully.
C:\Users\Everett\Local Settings\Temporary Internet Files\Content.IE5\N43Y57YF\agent_setup[1].exe (PUP.Offerware) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Framework.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files (x86)\OIS.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Program Files (x86)\SkseProxy.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
(end)
-
No need to copy/paste log results. Attach the log text file. How to attach logs see my image below.
Still need OTL and aswMBR.exe
Specialists were notified.
-
This is a print screen of what appears.
-
My OTL.txt and Extras.txt
-
Hi,
I need aswMBR.txt logreport. Run aswMBR.exe AntiRootkit tool.
http://forum.avast.com/index.php?topic=53253.0
Go to control Panel > add or remove programs and uninstall OptimizerPro
--------------------------------------------------
> Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.
> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
How to disable avast:
- Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
- In the window that opens on the top right corner, click Settings.
- In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
- Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.
> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.
*********************************
Re-run OTLScan
- Make sure all other windows are closed and to let it run uninterrupted.
- Click on Scan All Users
- Paste this into Custom Scans/Fixes box at the bottom
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
/md5stop
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please attach them in this thread.
-
Ok, will do. Here's my aswMBR. Sorry I don't think it finished.
-
After restarting my computer my profile no longer displays. I can log in but it's just a black screen. I have to open this through task manager can I fix this, or do I have to bring it in to a shop?
-
Hi,
Did you run Combofix? If you have, i need to see Combofix.txt log. (C:\Combofix.txt)
If you dont't have Combofix log, then delete current and download fresh Combofix and re-run.
Can you load windows safe mode? Anyway i need to see COmbofix log as your system is infected.
-
I can't see any part of my desktop. How do I disable the shields permanently without the icon on the bottom right? I have to go through my files to do anything.
-
Ok here is the combofix log.
-
Hi,
It is necessary that you follow instructions that is given ...
Step#1
Open notepad and copy/paste the text present inside the code box below:
KillAll::
File::
c:\windows\Tasks\OptimizerProUpdaterTask{C216DF16-E33C-4CF7-AFAD-7D410EF1B4B1}.job
Folder::
c:\programdata\Premium\OptimizerPro
ClearJavaCache::
DDS::
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
Save this as CFScript.txt
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Close all browser windows and refering to the picture above.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
**************************
Step#2
Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop
Execute TDSSKiller.exe by doubleclicking on it.
- Press Start Scan
- If Suspicious object is detected, the default action will be Skip, click on Continue.
- If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
**************************
Step#3
Re-run OTLScan
- Make sure all other windows are closed and to let it run uninterrupted.
- Click on Scan All Users
- Paste this into Custom Scans/Fixes box at the bottom
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
/md5stop
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please attach them in this thread.
-
My TDSSKILLER log.
-
The new combofix text.
-
New OTL text, I didn't get an Extra.txt file this time.
-
Also my desktop is back up I can see my profile.
-
Hi,
Re-run OTL.exe.
- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:Otl
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{5D6AE2F1-AFE9-4585-A47B-527225501C48}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
IE - HKLM\..\URLSearchHook: {b2ed7faf-72a0-46d1-9d9d-602226f5cb9f} - No CLSID value found
IE - HKLM\..\SearchScopes\{5D6AE2F1-AFE9-4585-A47B-527225501C48}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
IE - HKLM\..\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^XP^xdm114^LENCA^ca&si=CN-xifCKjrACFbEBQAod103BpA&ptb=4ADD6BD3-8DF2-406B-BC17-F220EF8B3E6A&psa=&ind=2012052001&st=sb&n=77ed7a21&searchfor={searchTerms}
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files (x86)\AVG\AVG10\Firefox4\ [2011/08/11 08:25:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared
CHR - plugin: AVG Internet Security (Enabled) = C:\Users\Everett\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1390_0\plugins/avgnpss.dll
O2:[b]64bit:[/b] - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll File not found
O3 - HKU\S-1-5-21-1573336260-1148118520-3100803624-1002\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
:files
C:\Program Files (x86)\AVG
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
:commands
[CREATERESTOREPOINT]
[emptytemp]
- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
****************************
Re-run OTLScan
- Make sure all other windows are closed and to let it run uninterrupted.
- Click on Scan All Users
- Paste this into Custom Scans/Fixes box at the bottom
/md5start
explorer.exe
/md5stop
C:\windows\system32\explorer.exe /md5
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please attach them in this thread.
-
Ok here is the OTL from the first step. I had to force restart and while it was restarting it just stopped and the screen went black for a long while. I had to use the shutdown button to restart it.
-
Once again I have not gotten an extras.txt from my scan. I just got this.
-
Re-run OTL.exe.
- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:processes
killallprocesses
:Otl
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{5D6AE2F1-AFE9-4585-A47B-527225501C48}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
CHR - plugin: AVG Internet Security (Enabled) = C:\Users\Everett\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1390_0\plugins/avgnpss.dll
O2:[b]64bit:[/b] - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
:commands
[Reboot]
- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
*********************
detected explorer.exe is leght and it's catch via heuristics.
How's your computer running now?
-
Here is the log after the reboot. My computer is running fine now. Thank you for all of the help :D
-
np ;)
It is necessary to uninstall ComboFix :
- Click Start (or (http://amf.mycity.rs/pg/images/VistaStartButton.png)) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
- In the line of text type in (Copy) the following:
ComboFix /Uninstall Note that there is a space between " ComboFix " and " /Uninstall " .
- then click OK (or press Enter ).
Wait for the uninstall process is complete.
------------------------------------------
> Re-run OTL and click on CleanUp! button.
You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.
-----------------------------------
I recommended to keep Malwarebytes and to use MCShield if you will.
You may download MCShield from one of the following links:
MyCity - Official download link (http://amf.mycity.rs/mcshield/)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)
It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.
-
Thanks again man. Also should I keep adwcleaner or not?
-
Thanks again man. Also should I keep adwcleaner or not?
You may use if you will, but before each use you need to download fresh&updated versions and after each use, uninstall AdwCleaner.