Avast WEBforum
Other => Viruses and worms => Topic started by: REDACTED on September 30, 2014, 06:12:41 PM
-
While I was traveling last week, I noticed that AVAST! would keep ringing in every time I went to Google search on Chrome on my netbook!!
NOW, that I am home, I keep getting the same warnings from AVAST! on my desktop computer!
I am thinking that either Chrome, or (most likely) my entire Google account has been hacked!
The warnings come from BOTH - something labeled "jaoohqvqda.ru" AND ALSO an IP (that is prolly masked) of 88.208.7.204
ANY advice as to WHAT this is and HOW I can remove it is greatly appreciated!
MANY thanks!!
-
What is the full message from avast ..... you may attach a screenshot
-
Hi Pondus,
You should read that here (5 hours ago) -> http://www.sweclockers.com/forum/22-microsoft-windows/1324472-blir-galen-jaoohqvqda-ru-cookie-eller-virus/ (You are the Viking among us ;) ).
Not predicting much good here: tracking going on from jaoohqvqda dot .ru -> http://totalhash.com/network/ip:88.208.7.204
Waiting for more explicit info from the victim indeed,
hej hej,
polonus
-
P&P ;D,
it would not surprise me if it is part of the RBN.
Nowfreespeech,
please follow the instructions and attach the logs :
https://forum.avast.com/index.php?topic=53253.0
-
Ha Eddy,
Delving in the direction you pointed at and yes Artemis botnet C&C probably comes in view.
Server nginx/1.4.4 on that website jaoohqvqda dot ru is vulnerable to conditional redirects.
The WOT rep of the Cert. hoster, megasml dot ru is very low - Trustworthiness Very Poor (15/100)
04/14/2014 SURBL Site blacklisted at ws.surbl.org (sa-blacklist web sites). [link]
htxp://jaoohqvqda.ru/ -> something bad out there, the host you provided doesn't allow incoming HTTP HEAD requests.
web bug results:
HTTP/1.1 403 Forbidden
Server: nginx/1.4.4
Date: Tue, 30 Sep 2014 22:16:43 GMT
Content-Type: text/html
Content-Length: 168
Connection: close
Vary: Accept-Encoding
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.4.4</center>
</body>
On that Autonomous System:
AS39572
AS Name: ADVANCEDHOSTERS-AS ADVANCEDHOSTERS LIMITED
IPs allocated: 34816
Blacklisted URLs: 730
Hosts...
...malicious URLs? Yes
...badware? Yes
...botnet C&C servers? Yes
...exploit servers? No
...Zeus botnet servers? No
...Current Events? Yes
...phishing servers? No
...spam servers? No
...spam bots? No
...spam activity? No
This domain was hosted in the Netherlands and here, Eddy, you could be right:
https://www.virustotal.com/nl/domain/cnt1.xhamster.com/information/
See: http://urlquery.net/report.php?id=1412105524298
Asprox Criminal botnet for Artemis, see: https://www.virustotal.com/nl/file/5fd0c62db91b93bf5630838a66635a5516fd8863e06db036d0ca2dae2983de58/analysis/
polonus
-
from the Swedish forum Polonus posted ...... case solved by removing Ace Stream / Magic Player from Chrome
-
Thanks, Pondus, for that reply,
pol
-
Really, Pondus?? Removing AceStream player cleared it up?? Damn....I LOVE my AceStream player :-(
Damn.....I removed and re-installed Chrome TWICE, changed passwords twice, and dumped all cookies and browsing history since the beginning of time!! WHY does it still keep bothering ME?
But AVAST! DOES KEEP SHOWING (and, presumably, stopping) IT....so does it mean that I have CAUGHT some malware or virus? Or does it mean that it keeps trying and that AVAST! keeps stopping it??
-
Hi nowfreespeech,
The only way to know that for sure is just going through the routine as prescribed here:
https://forum.avast.com/index.php?topic=53253.0
Provide us with the logs and wait for a qualified removal expert here to go over them.
polonus
-
Regretfully.....I am EXTREMELY computer illiterate......so, Polonus, I am just going to do step-by-step-by-step the procedures on that thread - I'll post what I get back on the log here! Downloading MalwareBytes now -
Many thanks again!
FIRST OFF, however....I trashed the AS Magic Player extension on Chrome.....lessee if THAT does anything......
-
Well, nowfreespeech, we understand that and the qualified remover will take you by the hand and gently will tip-toe with you through the necessary steps of the cleansing routine and explain everything in detail so you will feel completely comfortable. They know what they are supposed to do. You should not worry one bit. Believe me.
polonus
P.S. A malware remover has been notified, wait for his arrival in this thread.
-
Hi,
I am Valinorum and I will be your helper for this issue. Please attach the logs when done and we will go on from there. If you have any questions or do not understand anything, stop and ask.
Thank you.
-
My Internet Connection here in South East Asia is almost TOTALLY down (The A.A.G. Cable breakage ensures that it'll be at dial-up speeds for at least one week) so I couldn't do the update. But I DID run the scan - here is what it says:
Proceeding to NOW re-boot and continue with the rest of the steps on that thread!
Really can't thank you folks enough! REALLY 'ppreciate all your help!!
-
Acknowledged. I will try to make sure the tools use as little bandwidth as possible.
-
Broadband High-Speed Internet came back BRIEFLY - was able to update MalwareBytes and do a re-scan!
WHAT THE HECK is "Installmate"???
I can guarantee that I didn't KNOWINGLY download THAT!
Re-booting now and then going to run Farbar Recovery Scan Tool!
Thanks so much again!!!
-
WHAT THE HECK is "Installmate"
you mean PUP.Optional.InstalleRex.A
PUP.Optional.InstalleRex got on your computer after you installed a freeware program (video recording/streaming, download managers or PDF creators) that had this browser hijacker bundled into its installation. This Potentially Unwanted Program is also bundled within the custom installer on many download sites (examples: CNET, Brothersoft or Softonic), so if you have downloaded software from these websites, chances are that PUP.Optional.InstalleRex was installed during the software setup process.
The PUP.Optional.InstalleRex infection is used to boost advertising revenue, as in the use of blackhat SEO, to inflate a site’s page ranking in search results.
-
Farbar scan results -
-
Thanks, Pondus.....THAT is kinda unnerving! You say it COULD come packaged INTO "(video recording/streaming, download-managers or PDF creators)".....
WONDER if, as others have suggested, the AceStream program is the carrier??
NOW - I keep getting THIS every five seconds -
Infection blocked
URL hxxps://codegv.ru
Infection URL:Mal
WHY are they picking on ME?? LOL!
-
ASWMBR log
-
I have tried everything on the thread about Logs to assist in cleaning Malware! I just now uninstalled AceStream Player and re-booted!
AND NOW - EVERY SINGLE TIME I go to ANY webpage, I get the AVAST! warning -
Infection blocked
URL hxxps://codegv.ru
Infection URL:Mal
HOWEVER - I get NO warnings at all on Internet Explorer!!
Which tends to make me believe that either my Google Chrome browser has been hacked, AND/OR (probably), my entire Google account has been hacked!
I am VERY happy that AVAST! is stopping these hack attempts every time I go to ANY webpage.....but does anybody have even a GUESS as to WHAT this thing is??
ANY advice?
Thank you all again so much - you've been really patient with me! This is just really frustrating :-(
-
I have the exact same problem,
I get spammed to death by:
URL hxxps://codegv.ru
Infection URL:Mal
-
Check your extensions in the Google Chrome browser for you might have installed a malicious extension.
Read here:
http://security.stackexchange.com/questions/65097/sophos-virus-protection-continuously-blocking-codegv-ru
AS Magic Player 1.0.0 may be the culprit of it!
polonus
-
Hi,
I will go slowly, so you will not get an immediate result. I am sure you will have a smile on your face when I declare you A-Okay. Bear with me please.
- Step #1 P2P Warning
IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.
- BitTorrent
- StreamTorrent 1.0
I shall provide you with a few reference links, please read them up to know the risks of having a P2P program.
- P2P File-Sharing: Evaluate the Risks (http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt128.shtm)
- ITSC: Risks in Peer-to-peer File Sharing (http://www.cuhk.edu.hk/itsc/about/p2p-risk.html)
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P file-sharing as a major conduit to spread their wares.
My recommendation is that you uninstall the programs listed above. If you choose not to remove them, please do not use them until this computer is clean.
- Step #2 Uninstall Programs
I want you to uninstall the following program(s) listed below due to poor reputation we receive about them. To uninstall a program, go to Start > Control Panel > Uninstall a program or Start > Control Panel > Programs and Features. Wait for the list to fill up and double-click on the items I have listed below and follow the on-screen instruction to remove/uninstall them.
- Step #3 Fix with AdwCleaner
- Download AdwCleaner by Xplode to your Desktop from the following link.
- Download Link #1 (http://www.bleepingcomputer.com/download/adwcleaner/)
- Download Link #2 (http://general-changelog-team.fr/fr/downloads/viewdownload/20-outils-de-xplode/2-adwcleaner)
- Right-click on AdwCleaner.exe and choose Run as administrator;
- Click on Scan and let the program run unhindered;
- When done, click on Clean and allow the system to reboot after it is done;
- A log will be opened automatically after the restart;
- Attach the log in your reply.
- Step #4 Fix with Junkware Removal Tool
Download Junkware Removal Tool by thisisu to your Desktop from the link below.
Download Link 1 (http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/)
Download Link 2 (http://thisisudax.org/downloads/JRT.exe)
- Disable your anti-virus to avoid potential conflicts. For more information please acquaint yourself with this (http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/) article;
- Run the program either by double-clicking (Windows XP) or right-clicking and choosing Run as administrator (Windows Vista and above);
- Please be patient as the tool cleans your system;
- After completion of the process a log named JRT.txt will automatically open and is saved to your Desktop;
- Attach the log in your next reply.
Re-run FRST and check all its boxes. Then click Scan. Post the logs when done.
- Required Log(s):
- AdwCleaner Log
- Junkware Removal Tool Log
- Farbar Tool Logs
Regards,
Valinorum
-
I had the same codegv.ru issue. Followed Valinorum's directions and it worked mostly.. however, it did so after several attempts.. what I did differently was.. I first uninstalled Acestream then ran both adware removal and junk removal as prescribed.. the malware was still there after restart. So I ran CCleaner and CCleaner's reg cleaner, then re-ran both adware and junkware removal, it was still there at restart, then ran both again simultaneously .. this time I did not let it reboot.. instead, after the junkware removal tool was finished, I re-started avast and did a browser cleanup through avast.. at analysis, avast reported that the Speedbit extension and another extension (both on chrome) had low reputations and I removed them. Re-started the computer and now it's clean!
thank you, Valinorum, for your help!!
-
In future, try not to follow advice given to other people, as you may end up with an unbootable PC should there be a different type of malware in your system. Just because the symptoms are the same does not mean the malware is. Good day!
-
INTERESTING!!!
I KILLED the Chrome extension "AS Magic Player 1.0" on Chrome................
....THEN, OUT OF NOWHERE, it came back!!
Troubling!
So I removed it AGAIN!
I removed all my P2P stuff, Valinorum, and I got rid of AceStream Player yesterday. Gonna do steps three and four now - I will let you know how it goes after the final re-boot!
-
adwCleaner report log below -
# AdwCleaner v3.311 - Report created 02/10/2014 at 20:49:33
# Updated 30/09/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (32 bits)
# Username : CPN - CPN-PC
# Running from : C:\Users\CPN\Desktop\ALL ANTI-Malware nasty virus killer stuff\STILL HAVE TO USE FOLDER\adwcleaner_3.311.exe
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Deleted : C:\ProgramData\save nett
***** [ Scheduled Tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Deleted : HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}
Key Deleted : HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}
Key Deleted : HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17280
-\\ Google Chrome v37.0.2062.124
[ File : C:\Users\CPN\AppData\Local\Google\Chrome\User Data\Default\preferences ]
Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Deleted [Search Provider] : hxxp://startsear.ch/?aff=1&src=sp&cf=6c8ebcfb-c7f8-11de-85c4-e8652fa017bb&q={searchTerms}
Deleted [Search Provider] : hxxp://start.facemoods.com/?a=ostpl&s={searchTerms}&f=4
*************************
AdwCleaner[R0].txt - [3105 octets] - [28/04/2014 11:52:35]
AdwCleaner[R1].txt - [1236 octets] - [02/10/2014 20:43:59]
AdwCleaner[S0].txt - [3220 octets] - [28/04/2014 11:54:57]
AdwCleaner[S1].txt - [1515 octets] - [02/10/2014 20:49:33]
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1575 octets] ##########
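The two things this thread keeps circling back to are a Chrome extension that was not installed from the Web Store (AS Magic Player, which reappeared after removal) and the hijacked search providers that the AdwCleaner log above deleted from Chrome's preferences file. Both live in the same place, so here is an added Python example (written for this page; not code from Avast, AdwCleaner, JRT or any other tool named here) that reads a Chrome Preferences JSON and reports sideloaded or over-privileged extensions and an unrecognised default search engine. It assumes the layout Chrome writes: extensions under `extensions.settings` keyed by extension id with a `from_webstore` flag and the manifest, and the default engine under `default_search_provider_data.template_url_data`. The embedded sample profile, the extension ids and the path under ACEStream are constructed for the demo; the `startsear.ch` provider URL is taken from the log above.

```python
"""Audit a Chrome profile's Preferences JSON for suspicious extensions and
a hijacked default search engine.

Added example for this thread, not code from Avast, AdwCleaner or any other
tool mentioned here.  Assumed layout (what Chrome writes, but treat it as an
assumption): extensions under extensions.settings keyed by extension id, each
with a from_webstore flag and its manifest; the default search engine under
default_search_provider_data.template_url_data.  On Windows the file is
usually %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Preferences
(newer builds keep the extension list in "Secure Preferences" beside it).
"""
import json
import sys
from urllib.parse import urlparse

# Search hosts the user recognises; any other host as the default is flagged.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Permissions that let an extension read or rewrite every page you visit,
# which is what an "alert on every webpage" extension needs.
BROAD_PERMISSIONS = {"<all_urls>", "http://*/*", "https://*/*", "*://*/*",
                     "webRequest", "webRequestBlocking"}

# Constructed sample profile mirroring the thread: one sideloaded media-player
# extension with broad permissions, one harmless store extension, and a
# default search engine pointing at startsear.ch (one of the providers the
# AdwCleaner log removed).  Extension ids and paths are made up.
SAMPLE_PREFERENCES = {
    "extensions": {"settings": {
        "aaaabbbbccccddddeeeeffffgggghhhh": {
            "from_webstore": False,
            "path": "C:\\Users\\example\\AppData\\Local\\ACEStream\\chrome_ext",
            "manifest": {"name": "AS Magic Player", "version": "1.0.0",
                         "permissions": ["tabs", "<all_urls>",
                                         "webRequest", "webRequestBlocking"]}},
        "ppppoooonnnnmmmmllllkkkkjjjjiiii": {
            "from_webstore": True,
            "path": "ppppoooonnnnmmmmllllkkkkjjjjiiii\\2.3_0",
            "manifest": {"name": "Example Notes", "version": "2.3",
                         "permissions": ["storage"]}}}},
    "default_search_provider_data": {"template_url_data": {
        "short_name": "Search", "keyword": "startsear.ch",
        "url": "http://startsear.ch/?aff=1&src=sp&q={searchTerms}"}},
}


def load_preferences(path):
    """Read a Preferences / Secure Preferences file into a dict."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_extensions(prefs):
    """Return one finding per extension that is sideloaded or over-privileged."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, info in sorted(settings.items()):
        manifest = info.get("manifest", {})
        reasons = []
        if not info.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        broad = set(manifest.get("permissions", [])) & BROAD_PERMISSIONS
        if broad:
            reasons.append("can read/modify all pages: " + ", ".join(sorted(broad)))
        if reasons:
            findings.append({"id": ext_id,
                             "name": manifest.get("name", "<unnamed>"),
                             "version": manifest.get("version", "?"),
                             "path": info.get("path", "?"),
                             "reasons": reasons})
    return findings


def audit_search_provider(prefs):
    """Describe the default search engine and whether its host is recognised."""
    data = prefs.get("default_search_provider_data", {}).get("template_url_data")
    if not data or "url" not in data:
        return None
    host = urlparse(data["url"]).hostname or ""
    return {"name": data.get("short_name", "?"), "url": data["url"],
            "host": host, "recognised": host in KNOWN_SEARCH_HOSTS}


def audit_profile(prefs):
    """Run both checks over a loaded Preferences dict."""
    return {"extensions": audit_extensions(prefs),
            "search_provider": audit_search_provider(prefs)}


def main(argv):
    # Pass the path to a real Preferences file, or run with no argument for the sample.
    prefs = load_preferences(argv[1]) if len(argv) > 1 else SAMPLE_PREFERENCES
    report = audit_profile(prefs)
    for ext in report["extensions"]:
        print(f"[extension] {ext['name']} {ext['version']} ({ext['id']})")
        print(f"    path: {ext['path']}")
        for reason in ext["reasons"]:
            print(f"    - {reason}")
    sp = report["search_provider"]
    if sp and not sp["recognised"]:
        print(f"[search] default engine '{sp['name']}' points at {sp['host']}: {sp['url']}")
    if not report["extensions"] and (sp is None or sp["recognised"]):
        print("nothing suspicious found")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the sample and only the AS Magic Player entry is reported (sideloaded, with `<all_urls>` and `webRequest*` permissions), together with the startsear.ch default engine; the store extension with only `storage` stays quiet. A finding is a reason to look, not proof of malice: legitimate developer-mode extensions are also sideloaded, so compare the reported `path` against what you actually installed before removing anything.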
-
....annnnnnd, the Junkware Removal Tool scan:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.2.6 (10.02.2014:1)
OS: Windows 7 Home Premium x86
Ran by CPN on Thu 10/02/2014 at 20:58:02.24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
~~~ Registry Keys
~~~ Files
~~~ Folders
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 10/02/2014 at 20:59:45.03
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
It APPEARS to be gone!!
Great work, Valinorum!
ANY GUESS as to what exactly that attack was??
You're correct - I AM smiling now!
Thanks again SOOOOOOOO MUCH to everybody on this thread!!!!!!!!!
-
Good news. How is your internet? If it is good, I will ask for an online scan. If not, give me a FRST scan. To do the latter, re-run FRST.exe and click on Scan and post the log when done.
-
It appears to be running quickly - we can do an online scan! HOW do we do that??
-
- Step #5 ESET Online Scanner
Disable your security programs, which include but are not limited to anti-virus, anti-malware, anti-spyware et cetera. Peruse this (http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/) for additional information.
- Download esetsmartinstaller_enu.exe by clicking here (http://download.eset.com/special/eos/esetsmartinstaller_enu.exe).
- Right-click on the program and choose Run as administrator.
- Accept their terms and conditions and proceed.
- Install Add-On/Active X if prompted.
- From the Computer Scan Setting --
- Enable detection of potentially unwanted applications
- Click on Advanced Setting--
- Uncheck the following box --
- Check the following boxes --
- Scan archives;
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
- Click on Start and wait for the virus signature database to update.
- The online scan will begin automatically and can take several hours.
- Note: Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.
- After the Scan finishes --
- If no threats were found:
- Put a checkmark in Uninstall application on close.
- Close the program and report that nothing was found
- If threats were found:
- Open the file located in C:\Program Files\ESET\ESET Online Scanner\log.txt (32-bit) or C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt (64-bit).
- Attach the log file in your next reply.
Note: Enable your security programs afterwards.
Regards,
Valinorum
-
Hey!
I have the same problem with codegv.ru malware.
I have done the steps according to valinorum and it doesn't seem to disappear... Any suggestions?
Must have accidentally erased AdwCleaner's log.. but I have JRT:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.2.7 (10.03.2014:1)
OS: Windows 8.1 Pro x64
Ran by Tim on 2014-10-03 at 13:10:12,80
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
~~~ Registry Keys
~~~ Files
~~~ Folders
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2014-10-03 at 13:14:54,12
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Regards Tim
-
If you disable and remove the MS Player extension (associated with Ace Stream) from Firefox and/or Chrome it solves the problem. It is an infection that you get when you install Ace Stream! I was running virus scans and digging in forums translating from Russian for 10 hours before I found the answer
-
JRT file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.21.2014:1)
OS: Windows 7 Home Premium x64
Ran by andys laptop on 23/10/2014 at 7:34:01.79
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs\\Tabs
~~~ Registry Keys
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Toolbar.CT3072253
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Toolbar.CT3072253
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\ApnStub_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\ApnStub_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\ApnStub_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\ApnStub_RASMANCS
Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
~~~ Files
~~~ Folders
Successfully deleted: [Folder] "C:\Users\andys laptop\appdata\locallow\conduit"
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 23/10/2014 at 7:51:13.52
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How do I do a FRST scan?
-
Please start your own topic and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
-
Is there any way to lock the solved topics?
-
Unfortunately not. :(
-
I do think the administrators should consider a discussion regarding this. A general forum regarding malware issue discussion and a child-forum dedicated to Malware Removal assistance with proper moderation should suffice.
-
Hi there,
I'm having the same issue with codegv.ru malware.
I've done all steps from 2 to 4. I'm sending the logs as an attachment.
For now it seems to be solved!
Thanks for your tips
-
Well actually it is still showing... Not as much but happens from time to time.
Do you know from the logs what I have done wrong? What else can I do to solve this?
Thanks in advance for any tips you can share!