Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Fireforgey on May 07, 2014, 08:18:40 AM
-
Hi guys, I need help. Ever since I put in a few flash drives into my computer (I know I know, but I had to do it) Avast keeps popping up every 5 seconds with two notifications:
Avast Web Shield has blocked a harmful webpage or file.
Object : http://www.weebly.com/uploads/28/1/0/28102339/ahpaa.exe
Infection: URL: Mal
Process C:\\Windows\System32\wscript.exe
And Another exactly the same, but with a different Object:
Avast Web Shield has blocked a harmful webpage or file.
Object : http://www.weebly.com/uploads/28/1/0/28102339/22.exe
Infection: URL: Mal
Process C:\\Windows\System32\wscript.exe
So far, I'm doing a full system scan with Avast, did a full system scan with Malwarebytes (got rid of quite a few things but it didn't solve the problem) and I'm quite lost as to what to do.
Please help.
Edit:
Am currently uploading the files, but it said that asw doesn't work on Windows 8 which is the system that I'm using. Is that ok? There other scans will be uploaded in a few minutes once scanned.
-
Attach your logs. (MBAM, OTL and aswMBR..!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0
-
Alright, here all all of the uploaded files
-
OK, now you've to wait. Unplug all/any flash drives.
-
OK lets start..
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
[2014/05/07 08:31:53 | 000,000,836 | ---- | M] () -- C:\Users\Omar Eldahan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asodakaossd.lnk
[2014/05/07 08:31:47 | 000,894,464 | ---- | M] () -- C:\Users\Omar Eldahan\AppData\Roaming\asadfkjowea.exe
[2014/05/07 08:31:46 | 000,000,000 | ---- | M] () -- C:\Users\Omar Eldahan\AppData\Roaming\asfkjowea.exe
[2014/05/06 22:59:51 | 000,000,000 | ---- | M] () -- C:\Users\Omar Eldahan\AppData\Roaming\weaefasdasf.exe
[2014/05/03 13:30:29 | 000,118,656 | ---- | C] () -- C:\Users\Omar Eldahan\AppData\Roaming\aiasfacoiaksf.vbs
:Commands
[resethosts]
[emptytemp]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download MCShield (http://www.mcshield.net/) to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives
(https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG)
Plug in the drive and McShield will start a scan
Then get the log which will be located under the logs tab on the main page
And post that
-
Well, first of all, that you all so much for all of your help. Getting rid of this virus almost feels like a job...and I'm just following a couple of instructions. On a positive note, the AVAST pop-ups have stopped, however I noticed something interesting. Every-time I turned on the computer, two cmd.exe windows would appear and disappear. Now, they stay because a command box opens saying that it can't find C:\Users\Omar Eldahan\AppData\Roaming\asadfkjowea.exe or something like that. I've attached the scan logs that you asked for. Enjoy ;D.
-
That is because some numpty missed a registry entry :)
Let me know how the computer is after this
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
O3:64bit: - HKLM\..\Toolbar: (no name) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No CLSID value found.
O4 - HKCU..\Run: [asodakaossd] C:\WINDOWS\SysWow64\cmd.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Omar Eldahan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asodakaossd.lnk = C:\Windows\SysWOW64\cmd.exe (Microsoft Corporation)
[2014/05/07 18:29:04 | 000,000,836 | ---- | M] () -- C:\Users\Omar Eldahan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asodakaossd.lnk
[2014/05/07 18:28:58 | 000,893,881 | ---- | M] () -- C:\Users\Omar Eldahan\AppData\Roaming\asadfkjowea.exe
[2014/05/07 18:28:49 | 000,000,000 | ---- | M] () -- C:\Users\Omar Eldahan\AppData\Roaming\asfkjowea.exe
[2014/05/07 18:21:08 | 000,001,453 | ---- | M] () -- C:\Users\Omar Eldahan\AppData\Local\psppirerc
[2014/05/04 12:12:38 | 000,000,836 | ---- | C] () -- C:\Users\Omar Eldahan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asodakaossd.lnk
:Commands
[resethosts]
[emptytemp]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Ok, well I did as you said and everything seems to be fine. The cmd.exe windows stopped appearing. However, I have a few questions. first of All, the MCShield said that their were suspicious files on my flash drive and that it "renamed" them. Does that mean it fixed them? Also, which of these programs that I downloaded should I keep, and which should I get rid of? Huh, this experience has been kind of depressing. I usually consider myself to be pretty good with computers, and yet I do not have the slightest clue as what I've done; it seems to have worked though. Hats off to all of you.
-
MCShield basically made them inactive due to renaming. Keep MCShield on your system to protect you from bad flash drives, it uses no resources
All that was done was the run entries/startup entries and associated files were deleted
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Download and run Delfix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix)
(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/) install this programme to lock down and prevent crypto ransome ware
(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To learn more about how to protect yourself while on the internet read this little guide Best security practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/)Keep safe :wave:
-
You guys be awesome. 8)
-
It was our pleasure to assist :)