Avast WEBforum
Other => Viruses and worms => Topic started by: REDACTED on November 04, 2014, 04:09:24 PM
-
I have been using Avast free anti-virus and Malwarebytes paid version (as I found that Avast did not pick up some things that MWB did.)
Prior to using Avast free I had used AVG paid but found that AVG was getting very bloated with add-ons and becoming a nuisance.
For 4 years this new PC and security seemed to keep me free of problems. I also had Windows Firewall and Defender running.
2 days ago I was suddenly blocked by 'UK Police/Interpol' with the usual demand to pay £100 to unlock the PC.
The PC would not even run in Safe Mode with Networking.. as soon as Windows desktop opened the Bad Page filled the screen.
Once or twice previously a similar threat had shown but I was able to Ctrl Alt Del, use Task Master to end the offending IE pages.
This time it was a full hijack.
With my laptop I was able to download AVG Rescue Disk and Kaspersky Rescue Disk. AVG said it found some bits but nothing that looked related to ransomware. Kaspersky allowed me to start the PC and look at files but not start Windows or use the internet. Kaspersky did not indicate that it had found anything.
After contacting Avast Tech Support http://www.avast.com/en-gb/total-support and paying $179.99 for 1 year support, I was given a number to call Avast Tech Support. The guys I spoke with all said AVAST many times so I assume were indeed employed by Avast, or on behalf of Avast.
After many attempts I was able to get Safe Mode with Networking running and the Techie could get into the PC.. he seemed to do a good job as the PC is running well now and, according to Avast and Malwarebytes, is free of problems. Having said that neither software had detected any problems in the last few weeks.. Avast and MWB run scans every second day as does Windows Defender and none of them alerted a problem.
So what are my problems/questions now?
1. Should I have Windows Defender running or should I disable it (as I was told by Avast Techie that it might conflict with Avast)?
2. Should Windows Security Centre service be running? It is alerted as 'turned off' and when I try to 'Turn on now' it shows 'Windows Security Centre service can't be started'. I have tried some Microsoft advice to restart Windows Security Centre service but without success.
3. Should I trust that the Avast Techie has done/cleaned all possible or should I run any other test?
Thanks for looking.
-
1. disable it as it is useless and a waste of resources.
2. yes the security centre should be running so the malware guys here should be able to help sort that out for you when some logs are supplied.
3. obviously not since your security centre is not working
-
I have been using Avast free anti-virus and Malwarebytes paid version (as I found that Avast did not pick up some things that MWB did.)
There is no product in the world that can detect everything. Unfortunately(?) you will have to use multiple applications. MBAM + avast is a good combination.
For the ransomware, I have to make a guess here, but you are using your system as a user with admin rights or even as a real admin, which is always a really bad idea. Always use a system with a limited user account; that (almost) always prevents this type of malware from infecting the (user-) admin account. Meaning you can still boot the system and remove the crap.
After contacting Avast Tech Support...
It is a third party that handles it, not avast itself. There are many complaints about it.
1]
http://usa.kaspersky.com/internet-security-center/internet-safety/multiple-antivirus-products
2]
Yes, it should be running. Since it doesn't your system still has one (or more) problem(s).
Please provide the logs as stated in the sticky of this webboard.
3]
It was not a tech from avast.
See 2]
-
Thanks CraigB and EDDY.
EDDY...
1. The Kaspersky link was useful reading. I will kill Defender.
2. What/which/how logs to post (see I really am a Newbie in distress when it comes to hands on management of PC bugs).
3. 'Not a Tech from Avast' but it must be with the knowledge of Avast? and therefore a responsibility of Avast? I realise that Digital River, who use email address avast@digitalriver.com, are involved with many companies (including MS, Logitech, Kaspersky and it seems Avast). As the ransomware was apparently cleared but I now have a problem with Security Centre should I not either go back to 'Avast Technical Support' or just cry and ask for a refund?
Waiting with bated breath.......... well a bit miffed.
-
Digital River only handles the payment, the support you received was via a 3rd party company "not avast".
imo you can get better support here, supplying logs are explained in the stickies at the top of this board https://forum.avast.com/index.php?topic=53253.0
-
Am working on logs.. well, Farbar is.. will post soon.
But.. 'not Avast' Yet it is sold as Avast on Avast website .... http://www.avast.com/en-gb/total-support. Do you still feel that Avast have no responsibility for it.. note it is en-gb. Maybe not global? not US?
-
Farbar logs... FRST and Addition
fingers crossed that I've done this correctly.........
-
aswMBR result attached
-
Thanks for providing the logs.
One of the experts will have a look at them soon and guide you.
Most are in Europe and it is around dinner time, so have patience please and do not change anything on that system.
-
Thanks EDDY.
OK// I'll wait but I was about to run this set of cmd entries in Windows\system32...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
You may follow these steps and check if the issue persists.
a. Click Start -> Type CMD -> Right click on CMD from the result -> Click Run as Administrator
b. Run the following command one at a time and press enter to execute
• cd /d %windir%\system32\wbem
• for %i in (*.dll) do regsvr32 -s %i
• for %i in (*.exe) do %i /regserver
c. Close all windows and reboot the computer and now try opening the system information
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Why? because in the Addition log System error reported " The Windows Management Instrumentation service terminated with the following error:
%%126" a Google search revealed this fix that has worked for others .....
http://answers.microsoft.com/en-us/windows/forum/windows_xp-windows_programs/windows-management-instrumentation-error-code-126/1202e348-5964-e011-8dfc-68b599b31bf5
the result was offered by ..........
Debleena S replied on April 12, 2011 Microsoft
Anyway, I'll do as you say and hold off meddling.
Thanks again.
-
Only a few minor elements left
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that
THEN
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean"
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
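The fixlist above targets two kinds of leftover that FRST reports: a Chrome policy key under HKLM\SOFTWARE\Policies\Google and IE toolbar CLSIDs whose registered file no longer exists ("No File"). The following audit script is an added example, not from the thread or from FRST; it only reads the registry and reports, and it assumes 64-bit Windows with PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example: read-only audit of the two leftover types named in the fixlist.
# Assumptions: 64-bit Windows, PowerShell 3.0+, elevated session. Nothing is changed.

function Get-ChromePolicyValues {
    # FRST flags HKLM\SOFTWARE\Policies\Google as a "Policy restriction" when the
    # key exists at all. List every value beneath it so an admin can judge whether
    # the policy was set deliberately (domain GPO) or left behind by malware.
    $root = 'HKLM:\SOFTWARE\Policies\Google'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Name  = $name
                Value = ($key.GetValue($name) -join ',')   # flatten multi-string data
            }
        }
    }
}

function Get-IEToolbarStatus {
    # FRST's "No File" annotation means the toolbar CLSID has no InprocServer32
    # target on disk. Resolve each CLSID through both the native and WOW6432Node
    # class views, expand %SystemRoot%-style paths, and test whether the DLL exists.
    $toolbarKeys = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar')
    $clsidRoots  = @('HKLM:\SOFTWARE\Classes\CLSID',
                     'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID')
    foreach ($tb in $toolbarKeys) {
        if (-not (Test-Path $tb)) { continue }
        $item = Get-Item -Path $tb
        foreach ($clsid in $item.GetValueNames()) {
            # Toolbar entries are stored as {CLSID} = friendly name; skip other values
            if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
            $dll = $null
            foreach ($root in $clsidRoots) {
                $server = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $server) {
                    $raw = (Get-ItemProperty -Path $server).'(default)'
                    if ($raw) {
                        $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
                    }
                }
            }
            $exists = ($dll -ne $null) -and (Test-Path -LiteralPath $dll)
            [pscustomobject]@{
                Hive   = $tb
                CLSID  = $clsid
                Name   = $item.GetValue($clsid)
                Target = $dll
                Status = if ($exists) { 'OK' } else { 'No File' }
            }
        }
    }
}

# Report: any Chrome policy values, and only the toolbar entries FRST would mark "No File"
Get-ChromePolicyValues | Format-Table -AutoSize
Get-IEToolbarStatus | Where-Object { $_.Status -eq 'No File' } | Format-Table -AutoSize
```

An empty first table and an empty second table after the fix has run is the expected clean result; a policy value that reappears after reboot points at something still re-creating it.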
-
Thanks essexboy for your help.
I have done as you said and have a fixlog.txt with a message to RESTART, close all windows.
Should I do that before going on adwcleaner ? or what?
-
oops here is fixlog.txt attached....
-
Continue to AdwCleaner please :)
-
Thanks but do I follow the fixlog instruction to RESTART?
My earlier question>>>>>>>>>>
I have done as you said and have a fixlog.txt with a message to RESTART, close all windows.
Should I do that before going on adwcleaner ? or what?
-
Yes allow a reboot as it will need to finish prior to windows loading
-
OK -- did Restart then ran AdwCleaner and all seems to be back to normal.. THANKS!
Is there any final scan/check that will confirm all is now OK?
Are you able to explain briefly what was wrong and what has been corrected?
-
The remnant was a change to Chrome that would allow unsigned files to run otherwise it was just a matter of clearing the junk files :)
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Download and run Delfix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix)
(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)
: Keep Java Updated :
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/)
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/) install this programme to lock down and prevent crypto ransomware
(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To learn more about how to protect yourself while on the internet read this little guide Best security practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/)
Keep safe :wave:
-
DOUBLE BRILLIANT THANKS essexboy................... I will run all that and post confirmation.
Over and OUT for today :)
-
OK, finally I think it's all done.
The repair of Action Centre Security worked until a reboot then the problem returned. I then used this fix from MS Community (because the error code I saw was 126):
http://answers.microsoft.com/en-us/windows/forum/windows_xp-windows_programs/windows-management-instrumentation-error-code-126/1202e348-5964-e011-8dfc-68b599b31bf5
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Method 1
You may follow these steps and check if the issue persists.
a. Click Start -> Type CMD -> Right click on CMD from the result -> Click Run as Administrator
b. Run the following command one at a time and press enter to execute (without the dot before the code and take care of spaces)
• cd /d %windir%\system32\wbem
• for %i in (*.dll) do regsvr32 -s %i
• for %i in (*.exe) do %i /regserver
c. Close all windows and reboot the computer and now try opening the system information
This above fix Method 1 worked and has stayed fixed.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
I ran DELFIX exactly as you advised.
I completely uninstalled Java
I have also set my account as Standard User and set a new Administrator account.
CryptoPrevent is downloaded and installed but it seemed to need installing in both my User account and in the Admin account.. is that right? Also I can not find it anywhere in Programmes or Task manager under Processes or Services unless CryptSvc - Cryptographic Services - Network Service is CryptoPrevent? Also, I suppose it makes sense to purchase the Premium to get updates?
Windows Defender and Windows Firewall are no longer running ..... Do MalwareBytes and/or Avast provide a Firewall?
I look forward to receiving clarification of the above points please.
After so many years using PCs this episode has once again shown me how little expertise I really have... THANKS AGAIN!!!
-
Paid versions of Avast! give you a Firewall, Free does not (So you don't get one from Avast!)
There are many free Firewalls out there. I use Comodo FW, but have heard decent things about ZoneAlarm and Online Armo(u)r.
http://www.online-armor.com/
http://www.personalfirewall.comodo.com/
http://www.zonealarm.com/security/en-us/zonealarm-pc-security-free-firewall.htm
Edit: Answered my own question :)
-
Thanks for that Michael.
Rather than introduce a third security software (fourth with CryptoPrevent) I wonder whether it may be better to move to Avast Internet Security with Firewall?
Advice? Michael, essexboy, anyone?
-
...I wonder whether it may be better to move to Avast Internet Security with Firewall?
Sure, why not... ;)
-
Thanks for that Michael.
Rather than introduce a third security software (fourth with CryptoPrevent) I wonder whether it may be better to move to Avast Internet Security with Firewall?
Advice? Michael, essexboy, anyone?
I don't think it'll make a HUGE difference. The reason why I do it with Comodo, MBAM, Avast!, Unchecky, MCShield etc is because if 1 falls, the others remain. Just my personal preference, and my computer can handle all the programs I run (i7 3770, 16GB of RAM and a 2TB drive is more than enough)
-
What I am concerned about is conflict between so many security pieces?
-
What I am concerned about is conflict between so many security pieces?
My personal opinion is that for average users a suite will fit well; advanced users can go with Michael's setup.
-
What I am concerned about is conflict between so many security pieces?
My personal opinion is that for average users a suite will fit well; advanced users can go with Michael's setup.
Agreed.
I have mine setup that way for various reason aside from, if 1 falls the rest remain. For you, I'd just go with the Suite. Avast! paid, MBAM should be fine.
-
Cryptoprevent does not run it just makes changes to the registry so you will not see any processes :)
-
Thanks for the Crypto clarification EB.
Should I use the PAID version in order to get updates?
sorry, didn't mean to shout.
-
I don't think it's needed. Just every once in a while, update it manually.
-
Weekly should suffice with a manual update
-
Yet it's only $15 for 'Premium' with auto updates etc.... have paid but will download later.
Ah, no need to download just to enter Product Key.. so all done with CryptoPrevent... Worth $15 not to have to remember to update.
AND Komodo Firewall now installed .. all seems to be working OK.
BUT Komodo did find a folder Tific which had no active files in it... date loaded showed as 2 Nov, the date the ransomware kicked in... maybe Tific was the empty remains of that infection?
Now only 2 Unknown files showing on Komodo Scan:
cfrmd.sys and mahostservoce.exe............... cfrmd shows as Komodo Mahostservice shows as Alcatel-Lucent
They both seem OK? I should mark them as 'Trust' in Komodo?
-
cfrmd.sys this is from Comodo
mahostservoce.exe did you mean mahostservice.exe
-
yes, service................
BUT now, since installing Komodo ebay website is running jerky... when scrolling down or going to next page... any ideas?
-
Komodo or Comodo?
Komodo would be fake, Comodo is real..
Never had that issue before. I do know though, that issue is present on all of my school computers (The ones owned by the government,)
What browser are you using? I'll look into it.
-
Oh dear, it's time for bed... yes COMODO (was dreaming of dragons) ................. browser Int Exp 10.
AND I have found several reports of Comodo-Avast conflict.
So... I will now uninstall Comodo and pay for Premium Avast................... am I a dipstick? I think so!
OK.. done... Comodo all gone................ Avast upgraded £49 paid for 2 years max 3 pcs.
All seems OK . watch this space!
-
I have used AIS since it was first released and have had no problems from Vista to windows 8.1 :)
-
Oh dear, it's time for bed... yes COMODO (was dreaming of dragons) ................. browser Int Exp 10.
AND I have found several reports of Comodo-Avast conflict.
So... I will now uninstall Comodo and pay for Premium Avast................... am I a dipstick? I think so!
OK.. done... Comodo all gone................ Avast upgraded £49 paid for 2 years max 3 pcs.
All seems OK . watch this space!
Did you have D+ installed as well? I believe I warned you via PM not to install D+ with Comodo Firewall.
-
My Avast internet started saying internet connection not connected so I phoned what I thought was Avast. The guy took over my computer and told me my PC was infected with viruses; as I'm inexperienced with computers I started to panic. He was saying my PC would stop and cause me all kinds of headaches. He told me it would cost £129 for 12 months then started telling me about a deal for 2 years; I told him 12 months. He told me he worked for Avast and I had the full Avast support behind me. I was 9 months into a 12 months licence and thinking it was Avast I thought it would be OK. He was on the PC for about 4 hours then someone else took over for 1 hour more. That night the computer stopped working; after 2 hours it started working again, then I lost my gmail and had to phone them up. I found out they were based in Costa Rica. Over the next couple of days my PC went down 5 or 6 times, then I get an email telling me there was a problem with the billing and to send them my bank details so they could put money back into the account, but I had paid with Paypal. When I phoned up they told me they didn't know what I was talking about and should ignore the email; they didn't seem put out at all. Sorry, the company is called Avast total support. This only happened on the 29th October and the email for my bank account was sent on the 1st November; the email had all my details? I decided to look on this forum and there were lots of people complaining that this company is 3rd party but says it's Avast. I even sent an email to avast about this and got a reply from them: Sandra Richard | avast! Total Support Escalations – Customer Care | avast!. I haven't got a problem with Avast; in fact I just bought a 3 year Avast premier even though I had 3 months left on my old Avast. Even if you look at their website it looks like it is Avast. Because I don't know anything about computers I'm thinking what have they done on my PC.
I think they were reading your website and replying to me like they were you when one of the people on your forum gave me an email address. Can you help.
-
Jonny, what I meant was start your own thread -_-.
Regardless, I'm sure Essex will help you here.
Start by following the guide: https://forum.avast.com/index.php?topic=53253.0
-
Did you have D+ installed as well? I believe I warned you via PM not to install D+ with Comodo Firewall.
No, D+ not installed.. had to Google to know what it is :)
-
Jonny, Michael is right - start a new thread .... essexboy has been extremely helpful to me.
I will also be contacting Avast regarding misrepresentation of Tech Support and not full clearance of the problems on my PC. I will be seeking a cancellation of the 1 year Tech Support contract (via Avast an UK MasterCard) and will then donate £50 to the charity of choice of essexboy (I'll post the receipt here).
-
After all that (see thread) MWB tells me I have a problem with qfWY.dll. It shows as Trojan.Agent.DE
I attach FRST files: FRST and Addition
Thanks in advance to my Guardian Angel..............
-
Could you post MBAM's log please as there is nothing untoward showing
Download and run farbar service scanner (http://download.bleepingcomputer.com/farbar/FSS.exe)
(https://dl.dropboxusercontent.com/u/73555776/fssscan.JPG)
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
-
MWB attached. willco the other.
-
Here the FSS.
Thanks.
-
Download and run this small programme to reset your services http://www.tweaking.com/content/page/set_windows_services_to_default_startup.html
MBAM was in a temp folder so try to make a habit of cleaning them regularly
Clear Cache/Temp Files
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
Once done let me know of any problems
-
willco.
I attach CCleaner settings. I run CCleaner after every session on the PC.
Maybe there are other boxes that should be ticked?
-
OK looks good, not that I use CC myself :)
How is the computer behaving ?
-
OMG.... all was apparently going well then this afternoon I ran an Avast Boot-time scan. It showed that it found quite a bit of 'stuff' and 'fixed' it all but it was taking hours so I cancelled. Avast insisted on reboot then OMG Restart with only plain desktop as in original set up. IE without all my favourites, tags/headers etc.. nothing!! Fortunately Restore to 6 November worked OK BUT Avast Firewall would not start, Repair did not repair.... had to Uninstall Avast then reinstall from old download as new Download from Avast would not download (?) .. Then after updates etc all is again running well for Avast, Malwarebytes.. Windows Firewall but Defender disabled. Guns are such dangerous weapons in the hand of the untrained!!! :-[
Panic now over (mostly) .. I'll move run TFC and report.
Malwarebytes shows this under Exclusions pu.trafficshop.com/popunder.php I find some info on the web but don't get clear info.. should I kill this from MWB Exclusions?
-
You must have added the exclusion as it wouldn't get there by itself, it appears to be a proxy server used for unblocking internet services, I would delete it and if something on your system requires it then you will receive a popup from Malwarebytes again.
-
Only use bootscan if you are asked to by Avast as it is more aggressive in this mode and care must be taken with what you remove and you must let it complete :)
When you use system restore you must first disable Avast self protection or it will throw a wobbly
Do you have a USB drive ? As that is ideal for making a weekly system image in case everything goes pear shaped
-
Bootscan - point taken.. once bitten never touch again!
Syst Restore and Avast.... I left Avast running and after Restore I could not Turn On Avast Firewall so Uninstalled, Reinstalled, Updated and Avast now seems OK.
I have Turned Off GrimeFighter which was annoying and seemingly only an ad.
Only problem I see at the moment is that when I try to Download TFC nothing downloads. I tried to Download CCleaner from File Hippo which always Downloads OK and still no Download.. it seems as though Download definitely not functioning. Normally a 'do you want to Run or Save' box appears; not now, nothing. Any ideas please? Oh MAN, protect us from amateurs like me.
I'll get to USB later.
YES - something definitely wrong... not able to download any file from File Hippo or similar place. Search suggests security blocking but can't find anything.
-
do you get an error when you try to download
-
No but I think it's an IE10 prob as I have been able to make normal download of LastPass using Chrome.
-
Can you download and install IE11 from here http://windows.microsoft.com/en-GB/internet-explorer/ie-11-worldwide-languages
-
Yes, thanks, it's downloading via Chrome.
Hopefully that should do the trick. Will IE11 replace IE10 or do I need to uninstall IE10?
IE11 downloaded via Chrome and now installed.
All seems OK except download of CCleaner via File Hippo still does not start/show/download but it did via Chrome. In fact I can download nothing with IE.
Have searched, tried bits but no change ..... no download works with IE but all work OK with Chrome. Has to be a setting somewhere? but where?
-
OK let's try this ..
First export your IE bookmarks to the desktop http://www.sevenforums.com/tutorials/86795-internet-explorer-import-export-favorites.html
Then go to control panel > Internet Options > Advanced tab
On the bottom right is a reset button Press that and apply then OK out
Now retry downloading with IE
-
Nope- same .. nothing. Normally a bar rises from the bottom asking RUN/Save/SaveAs this no longer shows and did not show in IE 10 as soon as I had this problem. Chrome runs OK.
-
Download Windows All In One Repair from Tweaking.com (http://www.tweaking.com/content/page/windows_repair_all_in_one.html) to your desktop
Install the programme and run
Select Step 5 : Back up your registry and create a system restore point
(https://dl.dropboxusercontent.com/u/73555776/waiobackup.JPG)
Then select the Repairs tab
(https://dl.dropboxusercontent.com/u/73555776/waiorepairs.JPG)
Select Open repairs
Select the following repair number items :
7
Click Start
(https://dl.dropboxusercontent.com/u/73555776/waiorepair.JPG)
Once it has completed then reboot the system
-
Wow, that looks Super Charged...... I'll need some sleep before attempting that.
I'll get onto it tomorrow.
Thanks again EB!!
-
OK I find that a handy little tool to keep on my systems
-
That process found nothing, at least nothing has changed.
I have searched and found many people have reported 'no downloads' with IE 10 & 11.
Not 'fails to complete download' but total zilch download.
Also TOOLS click View Downloads produces no response.
I'll research more and post later.
Now, to tempt fate, apart from this IE download prob (which is overcome by using Chrome or Firefox) the PC seems to be running OK.
-
It seems that nobody has found an answer for this hiccup... It occurs in IE10 and now IE11...
EXCEPT maybe there are 2 answers.............
use Firefox or Chrome......
-
A possibility
Go to control panel > Internet options > Security tab
Select Reset all zones to default level
Apply then OK out
Flash up IE and see if that has cured it
-
Been there, done that ... still no downloads happen.
Am still researching.. will post finds. So many out there with same prob.
Thanks again EB!!
Update: SO MANY POSTS ON FORUMS OF PPLE WITH SAME PROBLEM BUT NO SOLUTIONS..... except to leave IE behind.
FINAL SOLUTION: have ditched IE and replaced with Firefox.......... all running OK. Is Firefox better to use than Chrome?