Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on December 02, 2016, 07:23:45 PM

Title: Cookie773
Post by: REDACTED on December 02, 2016, 07:23:45 PM
Hi,

My son's PC seems to have an issue with the above and is getting an Avast "threat blocked" pop-up repeating as follows:

Object: hxxp://hiopso90teraansuu.com/cookie773.exe
Infection: URL:Mal
Process: C:\Windows\System32\wscript.exe

Also every time I boot the system it starts with Windows Firewall and Security Centre disabled. I try and re-enable both but an error says they can't be started. He tells me he isn't using any other firewall.

I check both services and see they're disabled. I set them to auto then restart them and they're back but on the next reboot they're disabled again.

Through trial and error, I discovered that if I kill a wscript.exe process the threat pop-up stops.

However, when I reboot the threat is redetected, the wscript process is back and the firewall and Security Centre are disabled, so I'm back to square one.

I've run full scans and cleanups with CCleaner, Avast, Malwarebytes, BullGuard and tweaker.com, but they don't find anything that helps.

I attach the logs as requested and would be grateful for any help even if to stop him being so grumpy!
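The symptoms above (a wscript.exe process that keeps coming back and two services that are switched off again at every boot) are the kind of thing a responder would triage before trusting any cleanup. The following PowerShell is an added example for this thread, not the poster's or the helper's procedure, and not part of the FRST fix that follows. It assumes Windows PowerShell 5.1 run from an elevated prompt; the service names MpsSvc (Windows Firewall) and wscsvc (Security Center) are the standard Windows names, and the pattern it searches persistence locations for is a constructed heuristic, not a signature for this particular infection.

```powershell
# Added triage example (not from the thread). Run elevated on the affected machine.

# 1. Which script file is wscript.exe / cscript.exe actually running?
#    The command line names the .vbs/.js/.wsf file, which is what needs examining.
Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe' OR Name = 'cscript.exe'" |
    Select-Object ProcessId, ParentProcessId, CommandLine

# 2. Where does it get relaunched from at boot? Look for script-host invocations
#    in the common autostart locations. $pattern is a constructed heuristic.
$pattern = 'wscript|cscript|\.vbs|\.js\b|\.wsf'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip PowerShell's own PS* metadata properties on the registry object
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $pattern) {
                [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Startup folders (per-user and all-users)
$startup = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
Get-ChildItem -Path $startup -ErrorAction SilentlyContinue | Select-Object FullName

# Scheduled tasks whose action invokes a script host or script file
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) {
            [pscustomobject]@{ Task = $task.TaskName; Path = $task.TaskPath; Action = $cmd }
        }
    }
}

# 3. Firewall and Security Center services: report current startup type and state,
#    then restore them. If the persistence found in step 2 is still in place, the
#    next boot will disable them again, exactly as described in the post.
foreach ($svc in 'MpsSvc', 'wscsvc') {
    $s = Get-Service -Name $svc
    [pscustomobject]@{ Service = $svc; StartType = $s.StartType; Status = $s.Status }
    Set-Service -Name $svc -StartupType Automatic
    Start-Service -Name $svc -ErrorAction SilentlyContinue
}
```

The point of running step 1 and step 2 before step 3 is that re-enabling the services only tells you whether they are being disabled again on reboot; the script file named in the command line and the autostart entry that launches it are what a helper would ask for in the FRST logs.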
Title: Re: Cookie773
Post by: Pondus on December 02, 2016, 08:21:33 PM
Do you have two AVs installed? Avast and BullGuard?

Title: Re: Cookie773
Post by: REDACTED on December 02, 2016, 09:10:15 PM
We very briefly did out of desperation to try and detect the issue. I immediately uninstalled BG and now only have Avast again.
Title: Re: Cookie773
Post by: REDACTED on December 03, 2016, 09:09:08 AM
Any help gratefully received!
Title: Re: Cookie773
Post by: dbrisendine on December 03, 2016, 09:28:44 AM

Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

Please attach it to your reply.

Also, please tell me how your system is running now.
Title: Re: Cookie773
Post by: REDACTED on December 03, 2016, 10:46:22 AM
Hi,

I've done as requested, please see the attached log. The system now seems clear! The threat is no longer detected, the script is no longer running, and Security Centre and Windows Firewall are now starting as normal.

We're very grateful, thank you for your assistance!

Regards,
Mike
Title: Re: Cookie773
Post by: dbrisendine on December 04, 2016, 07:36:38 AM
Did you mean to remove the log file?

If everything else is fine for you (Avast is running / scanning with no warnings, etc.) then I will remove our tools and get you on your way ...

Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.

[Screenshot: DelFix with all options selected]
You can delete any log files left on your desktop as these are no longer needed.

== Some tools to consider to help keep your system safe ==

Unchecky (http://unchecky.com/files/unchecky_setup.exe) is a small service that runs in the background to help keep those "extra toolbars" and tag-along search engines from automatically installing. By automatically directing you to a custom install with all the options unchecked, only what you manually choose and confirm gets installed.

CryptoPrevent (http://www.foolishit.com/download/cryptoprevent-installer/) is a free program that prevents CryptoLocker / ransomware from infecting your PC by locking down the OS so the malware cannot get a grip on your system. You can read the details about this program here (http://www.foolishit.com/vb6-projects/cryptoprevent/).

Also, consider keeping Malwarebytes Anti-Malware (http://www.malwarebytes.org/affiliates/g2g/mbam-setup.exe) in your arsenal of safe-keeping programs. Use the free version (not the paid or trial version) and you won't have a problem with your antivirus scanner program. Keep it updated and run a scan with it once a week.

Lastly, if you use Firefox as your main web browser, consider adding the NoScript (http://noscript.net/) and uBlock Origin (https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/) add-ons to the browser to block scripting hijacks and remove unwanted ads from the pages you view.

You may also find some information and tips at these threads:
How did I get infected in the first place? (http://www.geekstogo.com/how-did-i-get-infected-in-the-first-place/)
and
COMPUTER SECURITY - a short guide to staying safer online (http://www.malwareremoval.com/forum/viewtopic.php?p=557960#p557960)

I'll leave this topic open for a few days so that if you have any questions you can come back here. Surf safe, my friend!!
Title: Re: Cookie773
Post by: REDACTED on December 04, 2016, 09:02:30 AM
Hi,

Yes I did, as I didn't realise they were still required. Thanks for the clean-up instructions, I'll implement them today.

Thank you again.

Regards,
Mike