Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: r.a.i.n.b.o.w on August 21, 2013, 12:34:14 PM
-
Hello,
Earlier today I did the install of the upgrade that avast had been reminding me to do for almost a month, and ever since I'm getting the bubble popping up, with the voice saying "Threat Has Been Detected" The bubble says "Malicious URL Blocked" and "avast Network Shield has blocked a harmful site", the website (which is 99.9% of the time brwxfjiypph.cm/ with lots of random letters) and that it was "URL:Mal". The bubble appears at least once a minute, even when I have no browser or programmes open. When I click on "More Details" I get a webpage basically congratulating me for using avast because it's stopped my computer crashing.
Why is this happening now, when it was fine before the upgrade - and how can I stop it? :-\
Thanks all :)
-
if this happens when not doing anything.... it indicates an infection, something is trying to phone home
could you attach a screenshot of the avast warning....
follow guide here http://forum.avast.com/index.php?topic=53253.0 and attach the requested logs ... not copy and paste
run in order listed
AdwCleaner / Malwarebytes / OTL / aswMBR
when done removal experts will be notified and check the logs for infections, and remove them if any is found
when finish he will remove the tools used
-
Many thanks for your reply - I will get onto this right now.
-
I have the same problem but I do not understand the answer. Can this be fixed remotely by someone I can trust. Can Avast access my computer and fix it? Arthur Murata
-
No there is no remote connection, we analyse where the malware is and then give step by step instructions for it to be removed using a variety of automated tools
-
Bit of a delay in replying as avast has made my PC unusable online, so have had to temporarily disable the shields while I do the scans. (Although the bubble pop-ups have pretty much stopped since I first posted)
AdwCleaner log attached
-
If the alerts are still appearing could you run the OTL scan and attach here please
-
If the alerts are still appearing could you run the OTL scan and attach here please
Will do - just working through the scans as requested by Pondus - currently waiting for MalwareBytes to finish so I can post that.
-
:)
-
Malwarebytes log attached
-
There are some bad boys there which will need removing once I see them all
-
OTL logs attached
-
There are some bad boys there which will need removing once I see them all
Much appreciated essexboy, just about to use aswMBR (OTL logs attached to previous post above).
-
OK I can see it now
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
O3 - HKU\S-1-5-21-1893033244-659061508-1042013740-1005\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (Reg Error: Key error.)
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab (Reg Error: Key error.)
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_15-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB8E-AE8D-11CF-96B8-434553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Reg Error: Key error.)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
[2011/08/04 22:01:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
[2011/01/08 19:00:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2012/06/30 15:53:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CheckPoint
[2011/08/04 22:00:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MFAData
[2011/01/09 14:19:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tracey\Application Data\AVG10
[2012/06/30 16:22:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tracey\Application Data\CheckPoint
[2011/06/13 16:52:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Tracey\Application Data\coupons
:Reg
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll
:Files
C:\RECYCLER\S-1-5-18\$0b05a22fcf32a0152a983da59bbb5c40
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
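Before pasting a fix like the one above into OTL, it is worth knowing exactly what it will delete and rewrite. The following is an added example, not code from this thread or from OTL itself: it parses the posted fix into an inventory of commands, registry writes, file and directory removals and log entries, and checks that a restore point is created first. The section layout is taken from the fix above; the meaning of each field is an assumption based on that post, not on OTL's documentation.

```python
# Added example (not from the thread or from OTL): inventory what an OTL custom fix will
# touch before it is run. SAMPLE_FIX is a subset of the fix posted above, embedded for offline use.
import re

SAMPLE_FIX = r""":Commands
[CREATERESTOREPOINT]
:OTL
O3 - HKU\S-1-5-21-1893033244-659061508-1042013740-1005\..\Toolbar\WebBrowser: (no name) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No CLSID value found.
O16 - DPF: {D27CDB8E-AE8D-11CF-96B8-434553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Reg Error: Key error.)
[2011/08/04 22:01:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG10
:Reg
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll
:Files
C:\RECYCLER\S-1-5-18\$0b05a22fcf32a0152a983da59bbb5c40
:Commands
[resethosts]
[emptytemp]
[Reboot]"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# "[date time | size | attrs | M] -- path" listing lines; a 'D' in attrs marks a directory (assumed).
LISTING_RE = re.compile(r"^\[.*\|\s*(?P<attr>[-A-Z]{4})\s*\|\s*\w\]\s*--\s*(?P<path>.+)$")

def parse_otl_fix(text: str) -> dict:
    """Return {'commands', 'registry', 'files', 'dirs', 'entries'} lists describing the fix."""
    inv, section, key = {k: [] for k in ("commands", "registry", "files", "dirs", "entries")}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith(":"):                         # ":Commands", ":OTL", ":Reg", ":Files"
            section = line[1:].lower()
        elif section == "commands":                      # "[emptytemp]" -> "emptytemp"
            inv["commands"].append(line.strip("[]").lower())
        elif section == "reg" and line.startswith("["):  # "[HKEY_...\InProcServer32]" opens a key
            key = line[1:-1]
        elif section == "reg":                           # '"" = data' -> value written under that key
            name, _, data = line.partition("=")
            inv["registry"].append((key, name.strip().strip('"'), data.strip()))
        elif section == "files":                         # a path the fix will remove
            inv["files"].append(line)
        elif section == "otl":                           # log lines OTL will act on
            m = LISTING_RE.match(line)
            if m:
                inv["dirs" if "D" in m["attr"] else "files"].append(m["path"])
            else:                                        # "O3 - ...", "O16 - DPF: {GUID} url ..."
                inv["entries"].append((line.split(" - ", 1)[0], GUID_RE.findall(line)))
    return inv

def restore_point_first(inv: dict) -> bool:
    """A fix that deletes files and rewrites registry data should start by creating a restore point."""
    return bool(inv["commands"]) and inv["commands"][0] == "createrestorepoint"
```

Reviewing the inventory tells you what will be gone after the reboot, so anything in it that you still need can be backed up before clicking Run Fix.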
-
What shall I do about aswMBR? It took an hour to download, has been running for over an hour, and seems to get stuck on one folder/file for 20 minutes or more before suddenly scanning again. Is it necessary to do this scan?
-
nope, he probably doesn't need it... as he says he sees the problem
-
nope, he probably doesn't need it... as he says he sees the problem
Thank you Pondus - I will start using the fix now and will report back :)
-
Nope no need as the culprit was found in the OTL log, there appears to be a problem with the aswmbr server hence the long download. I will wait till it gets better before I use that
Please run the fix
-
OTL run as requested, new scan log attached.
Just going to run the ComboFix now.
-
That killed the main bad boy, combofix will now tidy up for me :)
-
That killed the main bad boy, combofix will now tidy up for me :)
ComboFix sat there with the text: "Scanning for infected files . . . This typically doesn't take more than 10 minutes However, scan times for infected machines may easily double" but no other text - I waited almost 2 hours (SOMETHING was happening, as the orange light was constantly flickering) but have had to stop it (and did a reboot) as I need to go to bed. Can I restart the process tomorrow?
Also, something has made all the file extensions (jpg, wps, etc) display - will this be fixed when I complete a ComboFix scan?
Thank you so much for all your help.
-
Certainly, the extensions will be rehidden once I tidy up. How is the computer otherwise ?
-
Certainly, the extensions will be rehidden once I tidy up. How is the computer otherwise ?
Seems quite whizzy! Best it's been in a LONG time! :-*
So ComboFix will be OK to run tomorrow, from the original download?
-
Yes use the original, if it asks to update then allow it to do so
-
Well I started ComboFix at about 11.15 this morning, and 7 hours later it was still sitting with the text "Scanning for infected files . . . This typically doesn't take more than 10 minutes However, scan times for infected machines may easily double" and nothing else. The orange light was flickering constantly and I could hear the PC working. I can't leave it running anymore today so have had to stop ComboFix again.
Isn't there anything quicker I can use? Or have you any idea how long I should be waiting? (as clearly, 10 minutes/'easily double' is not going to be an accurate estimate for me!)
Thanks :)
-
OK one possibility is that daemon tools is blocking it, it does do this sometimes. But rather than disable that (unless necessary) how is the computer behaving at the moment ? Any problems or anomalies?
-
OK one possibility is that daemon tools is blocking it, it does do this sometimes. But rather than disable that (unless necessary) how is the computer behaving at the moment ? Any problems or anomalies?
Seems to be OK, a LOT faster than before I registered Avast the other day. No pop up bubbles so far.
The file extensions are still showing though. And the PC wants to go into Stand-by if I leave it for more than 20 minutes - although I guess this is just a setting that's been restored to factory default with all the scans and fixes, and I can go reset it back to how I want it?
Also - what's daemon tools? I don't recognise this as being something I've ever had on my PC?
-
Yes reset the power options to how you want them, I will tidy up now and see how it runs after that
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall
(Notice the space between the "x" and "/")
then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
: Keep Java Updated :
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/) and this article (http://www.nbcnews.com/technology/technolog/us-warns-java-software-security-concerns-escalate-1B7938755).
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
If you use on-line banking then as an added layer of protection install Trusteer Rapport (http://www.trusteer.com/Products/Trusteer-Rapport-for-Online-Banking)
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
DELETED - apologies, I was being premature, all is sorted now :)
Thanks so much for your help, my computer is happy now 8)