Avast WEBforum
Other => Viruses and worms => Topic started by: REDACTED on December 23, 2014, 05:24:50 PM
-
I have a suspicion that this may have come from a zip file containing mulitple files including a image editor picture that was sent to me to edit for work, but I could be wrong.
Tried multiple tools to clean in safe mode, uninstalled/reinstalled brower (lasted 2 days without a detection), and now it's back again. Detections on multiple page browsing.
Thank you for the help.
-
New logs (since windows updates and add'l scans)
-
For a start, remove Spybot.
It is by far from as good as it once was.
Nowadays we advise to use MBAM.
-
For a start, remove Spybot.
It is by far from as good as it once was.
Nowadays we advise to use MBAM.
TY for the info! I unistalled Spybot S&D.
-
Hi bb211, :)
My name is Valinorum and I will be the acolyte today. Before we proceed, please, acknowledge yourself the following(s):
- Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
- Please do not install any new software while we are working on this system as it may hinder our process.
- Malware removal is a complicated process so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
- Please do not try to fix anything without being ask.
- Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
- Please print or save the instructions I give you for quick reference. We may be using Safe mode which will cut you off from internet and you will not always be able to access this thread.
- Back up your data. I will not knowingly suggest your any course that might damage your system but sometimes Malware infections are so severe that only option we have is to re-format and re-install the operating system.
- If you are confused about any instruction, stop and ask. Do not keep on going.
- Do not repeat the steps if you face any problems.
- I am not an omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect the skill. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient as sometimes real life demands our time and replies to you can be delayed.
- Private Message(PM) if and only if I have not responded to your thread within three days or your query is offtopic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
- The fixes are for your system only. Please refrain from using these fixes on other system as it may do serious damage.
- Step #1 Run ComboFix
Download ComboFix by sUBs from one of the suitable locations listed below and save it to your Desktop.
Download Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Download Link #2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Donwload Link #3 (http://www.geekstogo.com/forum/files/download/197-combofix-by-subs/)
Warning
Please acknowledged yourself this warning beforehand. The tool, ComboFix, is an extremely powerful malware removal tool if not one of the most powerful tools ever created. In the hands of an inept person or a simple mistake can render your machine un-bootable. Peruse every step I listed below unless you want a dreadful occurrence.
***
- Disable your security software. For more information, peruse this (http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/) thread;
- Right-click and choose Run as administrator to run the program.
- As a buit-in process, ComboFix will check if you system has Microsoft Windows Recovery Console installed. Let Combofix download and install Microsoft Windows Recovery Console.
- It requires an active internet connection.
- If your system already has Microsoft Windows Recovery Console installed, this step will be skipped
- ComboFix will now scan your system for malwares and will attempt to remove them.
- Note: ComboFix performs fifty steps during this fix. Please be patient.
- After the scan your system will reboot and a log will be produced. The log is automatically saved in C:\ComboFix.txt.
- Attach the log in your next reply.
Crucial Notes:
- Do not mouse-click when ComboFix is running as it may stall.
- Do not re-run ComboFix if you face a problem. Ask for my instruction here.
- ComboFix will make Internet Explorer your default browser and will change number of different Internet Explorer settings.
- ComboFix prevents autorun functions of all CD and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell me.
- It is possible that ComboFix, even on its first run, may have fixed the problems you are having. We strongly suggest that you still post your log into the topic that you are receiving help as you most likely will have infections left over that your helper will need to analyze further.
- ComboFix will disconnect your system from internet for security measures. The connection is automatically restored after the scan but if it does not, it can be restored by rebooting the PC.
Regards,
Valinorum
-
My system did not auto-reboot after running combofix. So, I didn't reboot on my own.
As instructed, I've attached the log.
-
Are you still having avast! warnings?
-
So far, so good. No detections have appeared yet. When I did disk clean-ups before, it took about 2 days to start getting detections again. Is it okay to keep this thread open for a little while?
Thank you!
-
I spoke to soon.
I got a detection of URL:MAL -
http://69.39.239.161/
C:\Program Files\Internet Explorer|iexplorer.exe
Then another detection of URL:MAL -
Http://48896.bd429d.6715.5da.39.bff7c.f9b....(the rest would allow me copy)
C:\Program Files\Internet Explorer|iexplorer.exe
After this detection, I had multiple .exe's start eating a ton cpu memory. It was like a memory leak where everything was slowing in speed. They include, but are not limited to:
dplaysvr.exe
wextract.exe
upnpcont.exe
fixmapi.exe
I closed my programs, disconnected from the net, and shut down. Upon reboot, the system regained stability for now.
-
Latest detection (which was the most common before)
URL:MAL
http://www.shavethis.com/favicon.ico
C:\ProgramFiles(x86)\MSN\MSNCoreFiles\msn.exe
-
Post a fresh FRST scan log.
-
Here you go. Thanks!
-
Please uninstall Spybot - Search & Destroy for now.
- Step #2 Fix with FRST
Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) to your Desktop.- Open Notepad.exe. Do not use any other text editor software;
- Copy and Paste the contents inside the code-box to your Notepad --
Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-408397430-2629080013-721727374-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-408397430-2629080013-721727374-1000 - Default Value = (value not set)
SearchScopes: HKLM-x32 -> {1E43ED7E-11D6-4C6F-B068-949A4DD67685} URL =
SearchScopes: HKLM-x32 -> {39EE7564-711E-45B6-99D0-5609954268A3} URL =
SearchScopes: HKLM-x32 -> {5B377FAC-EC59-417D-929C-10F5404D7823} URL =
SearchScopes: HKLM-x32 -> {68D0842A-2A9A-47DB-B072-F693B1948911} URL =
SearchScopes: HKU\S-1-5-21-408397430-2629080013-721727374-1000 -> {1E43ED7E-11D6-4C6F-B068-949A4DD67685} URL =
SearchScopes: HKU\S-1-5-21-408397430-2629080013-721727374-1000 -> {39EE7564-711E-45B6-99D0-5609954268A3} URL =
SearchScopes: HKU\S-1-5-21-408397430-2629080013-721727374-1000 -> {5B377FAC-EC59-417D-929C-10F5404D7823} URL =
SearchScopes: HKU\S-1-5-21-408397430-2629080013-721727374-1000 -> {68D0842A-2A9A-47DB-B072-F693B1948911} URL =
SearchScopes: HKU\S-1-5-21-408397430-2629080013-721727374-1000 -> {FB962F7A-C3E8-4FDB-B715-52410CBFFD6E} URL = http://www.mypoints.com/emp/u/mysearch.vm?q={searchTerms}&mypoints_brw=1
Toolbar: HKU\S-1-5-21-408397430-2629080013-721727374-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
CMD: ipconfig /flushdns
End- Click on File > Save as...
- Inside the File Name box type fixlist.txt
- From the Save as type drop down list, choose All Files
- Save the file to your Desktop;
- Re-run FRST.exe and click Fix;
- Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
- After the completion, a log will be produced;
- Attach the log in your next reply.
- Step #3 Scan with RogueKiller
- Download Rogue Killer from one of the suitable links below to your Desktop.
- Download link for 32 bit system (http://www.adlice.com/softs/roguekiller/RogueKiller.exe)
- Download link for 64 bit system (http://www.adlice.com/softs/roguekiller/RogueKillerX64.exe)
- Click on Scan;
- The scan won't take long;
- Click on Report to open the log.
- Attach the log in your next reply.
- Required Log(s):
- FRST Fix Log
- RogueKiller Scan Log
Regards,
Valinorum
-
Previously, I uninstalled Spybot S&D and found no traces of it in the add/remove programs. I was just able to delete the shortcut.
Here's the requested logs. Ty!
-
How is your PC?
-
It seems stable at the moment. I haven't had any detections since logging in (almost exactly at the time I first replied (maybe 20 mins. to follow your instructions - I didn't do any browsing).
-
Continue normal internet works and report myself the result.
-
Okay. I'll continue my standard behavior and keep you apprised.
-
Continue normal internet works and report myself the result.
Just got a detection
I just began to look at the sites that this pops up on. I've had it happen on ebay and other innocuous sites. The most recent was:
http://propstore.auctionserver.net/view-auctions/catalog/id/10/lot/1315/
&
http://slickdeals.net/forums/forumdisplay.php?f=9
Here's a pic of one of the pop-ups (will included more as they appear, but this is the most common)
(http://s10.postimg.org/oe9vn6nbt/detection1.jpg) (http://postimage.org/)
(http://postimage.org/)
I didn't get to capture another detection, but it was this:
http://bns.binachio.org/fsyap.swf [L] SWF:Malware-gen [Trj]
-
I'm being prompted to do windows updates, but they are only optional i.e. updates for Microsoft Office. Should I just ignore for now?
Also, I found some old file folders for Spybot S&D. Should I delete those?
-
Please allow the updates and report me back.
-
Getting multiple detections from shavethis.com/favicon.ico (as pictured above)
I was browsing ebay and this thread when the most recent detection popped up.
-
Are you using MSN?
-
Are you using MSN?
Correct. I use MSN Explorer 11.00.0028.1500
Also, I use Internet Explorer 10
BTW - I get detections that hit msn.exe and iexplorer.exe. It doesn't seem to matter what browser I'm utilizing at the time.
Thank you!
-
- Step #4 Fix with AdwCleaner
- Download AdwCleaner by Xplode to your Desktop from the following link.
- Download Link #1 (http://www.bleepingcomputer.com/download/adwcleaner/)
- Download Link #2 (http://general-changelog-team.fr/fr/downloads/viewdownload/20-outils-de-xplode/2-adwcleaner)
- Right-click on AdwCleaner.exe and choose Run as administrator;
- Click on Scan and let the program run unhindered;
- When done, click on Clean and allow the system to reboot after it is done;
- A log will be opened automatically after the restart;
- Attach the log in your reply.
Regards,
Valinorum
-
Hello,
Per request, attached is the adwcleaner log.
Ty.
P.S. Still having the same favicon detection from general browsing (this site included) after the scan.
-
Please provide myself a fresh FRST scan log. Do you take part in online monetizing sites?
-
Yes, I have taken part in mypoints and inboxdollars for many years. Those were the toolbars represented in my program list. However, I haven't downloaded anything new from either of them in a few years. And, the toolbars existed on my system well before the infection (if this is, indeed, an infection).
Here's the new FRST log. I only did the scan and didn't "fix".
Ty!
-
Please re-install your MSN browser and check if you are still getting the warnings.
-
Just did a clean reinstall...will let you know if I get any detections.
-
I got another detection today.
The same favicon detection as before.
-
Are you using automatic synchronization option of the MSN browser?
-
The only option that I see checked in my browser is "Synchronize before signing out." It seems to only be for email messages. Other than that, I can't seem to find an automatic synchronization option.
This is getting frustrating.
Also, I let windows update my Internet Explorer from 10 to 11 (along with the corresponding updates to the browser).
I found these sites re: the shavethis favicon, but didn't know if it was reliable info.
http://windowsproblemshelpcenter.blogspot.com/2015/01/remove-wwwshavethiscomfaviconico-pop-up.html (http://windowsproblemshelpcenter.blogspot.com/2015/01/remove-wwwshavethiscomfaviconico-pop-up.html)
http://computervirusmanualremval.blogspot.com/2015/01/remove-wwwshavethiscomfaviconico-popup.html (http://computervirusmanualremval.blogspot.com/2015/01/remove-wwwshavethiscomfaviconico-popup.html)
P.S. I did try to uninstall and reinstall the MSN browser again. I got a detection as my email box was loading/repopulating my emails. I even got a detection when going into my control panel.
-
Can you remove the check mark and uninstall the program? Also can you try a different browser to check if the detection comes back?
-
I will do that and report back to you.
-
Ok...I did this and didn't see any detections through iexplorer.exe with casual browsing.
Upon a clean reinstall of msn, the detection came back (same as before).
-
it looks like the infection is related to MSN. Is this your main browser?
-
Yes. This is my main browser and email interface (multilpe accounts). Also, this is a paid subscription service from MSN.
Ty
-
it looks like the infection is related to MSN. Is this your main browser?
Any other ideas? Got the same detection today when browsing Ebay and this site.
P.S. During this interim, I downloaded CCleaner.
-
Are you connected to the internet via router?
-
Are you connected to the internet via router?
Yes. I use a Comcast Xfinity router.
I don't have the info on the model# in front of me, but it's the first device on this comcast link.
http://customer.comcast.com/help-and-support/internet/comcast-supported-routers-gateways-adapters/
Fyi - I do use the home wifi network feature, but keep it password protected. Also, I didn't have the device enabled or set-up for wifi until after the detections started.
Ty
-
Can you reset your router to factory setting?
-
Can you reset your router to factory setting?
Did this today...will.report back.
-
Okay. :)
-
Got the same favicon detection again today.
Ty
-
Since this problem is still persisting for over a month, do you think a reinstallation of the O/S would work? Or, will it not matter due to the msn browser being used (and possibly exploited)?
-
I'd try a different browser first. If the problem is persistent, we can try a complete re-installation.
-
It seems that I only get the detection when using the msn browser. I haven't noticed any conflicts with IE.
When I uninstalled the msn browser, I used Revo. I've read that revo doesn't support 64bit. Is it possible that infected fragments were left behind? If so, should I use advanced uninstaller pro instead and then run any scans afterwards before reinstalling? Also I use Cccleaner, but am tentative about using the registry cleaner option (there are entries listed but I'm not proficient enough to distinguish safe from garbage).
I'm just brainstorming ideas before an O/S reinstall if necessary I'm concerned that my license key to MS office may not work after reformatting (possibly used too many times on work computers) Therefore, I would have to purchase a new license. I know that there is an upgrade option with the O/S reinstall that will keep files and programs, but wasn't sure if the infection would remain. Do you believe that my computer is infected or is it a browser issue and/or otherwise?
-
I am inclined to believe it a browser issue. Please, refrain from using any kind of Registry cleaners. They do more harm than good.