Avast WEBforum

Other => Viruses and worms => Topic started by: Patricia.K on February 09, 2011, 02:12:58 AM

Title: My behavior shield is going nuts,
Post by: Patricia.K on February 09, 2011, 02:12:58 AM
My behavior shield is going nuts, so I did the necessary steps and the MBAM/OTL are attached at the bottom.

Thanks in advance, for any help forthcoming.

This is what the behavior shield looks like for the past week:
(http://i1193.photobucket.com/albums/aa356/ptknight454/9Total.jpg)

This is what the behavior shield has looked like for the past month:
(http://i1193.photobucket.com/albums/aa356/ptknight454/15Total.jpg)

This is what Spybot S&D found and killed as a process:
Apparently rcimlby.exe is part of the MS OS for 'Remote Assistance' and may have been a false positive.
I have not tried another Remote Connection with my friend.
I have DL'd the program for MS and will reinstall it after this puter is cleaned.
Spybot S&D may have to go, too many problems with it.
(http://i1193.photobucket.com/albums/aa356/ptknight454/2011-02-04_002058.jpg)

Thank you
Pat K
Title: Re: My behavior shield is going nuts,
Post by: Pondus on February 09, 2011, 07:58:28 AM
Essexboy is notified, he is usually in here 8:00pm - 11:59pm uk time
Title: Re: My behavior shield is going nuts,
Post by: Eddy on February 09, 2011, 09:03:21 AM
If you want to make sure your system is clean, please follow the instructions in the malware removal section on the site in my signature.

Spybot killed rcimlby.exe as a process.
That is correct, it should not load when booting Windows.
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 09, 2011, 06:47:44 PM
Essexboy is notified, he is usually in here 8:00pm - 11:59pm uk time

I'm -7:00 hrs Mountain Standard Time,,,,Sooo I'm not too sure what time it will be for Essexboy.
Title: Re: My behavior shield is going nuts,
Post by: DavidR on February 09, 2011, 07:01:13 PM
UK time now 18.00 (6pm) local.
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 09, 2011, 09:09:00 PM
Nothing is apparent in that log - are you still getting the alerts ?

If so I will use a stronger tool
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 10, 2011, 12:51:16 AM
Nothing is apparent in that log - are you still getting the alerts ?

If so I will use a stronger tool

No changes today,,,mind the fact that I've been using the laptop and not the desktop.
As it is, the desktop is so painfully slow that I don't want to use it.
My laptop is just fine, and I have no problems with it, as I do not let my son use it EVER.
I've been trying to set up 3 accounts on the desktop, ADMIN(me), User(me), and GUEST(my son), as my son just clicks on and inadvertently DL's everything, without knowing it.
My son recently clicked on PCPitStop, as well as UniBlue, causing Online Armor to stop the PC in its tracks.
I don't know what else is in here.

And YES, please use a stronger tool and go deeper,,,, ;) ;) ;)

I'm starting to learn some new things about PCs slowly, and was wondering if these 2 entries in the OTL log are of any concern.
I only use Google with FF and seldom if ever use IE, and only have it because of MS.
(http://i1193.photobucket.com/albums/aa356/ptknight454/2011-02-09_222042.jpg)
(http://i1193.photobucket.com/albums/aa356/ptknight454/2011-02-09_223312.jpg)
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 10, 2011, 01:20:16 PM
OK, so I just ran a full scan and found a lot of stuff in QUARANTINE, and don't know how to get rid of it, nothing shows up in the CHEST.
I think avast! may have a bug, part of the word DOCuments is missing.
(http://i1193.photobucket.com/albums/aa356/ptknight454/2011-02-10_045817avast.jpg)
Title: Re: My behavior shield is going nuts,
Post by: lukas.hasik on February 10, 2011, 02:50:49 PM
What is your avast version? Did any alerts from BS appear?

thx
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 10, 2011, 08:50:40 PM
Hi Patricia - let's get the big boy up and running.  It looks like my websearch is under another user; the initial OTL scan was just for the main user.  If we need to run it again select all users.

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 11, 2011, 11:14:57 AM
essexboy,,,thank you for your patience with me, I will do the COMBOFIX scan 1st thing Sat morning.
FYI,,,I was in the process of setting up 3 accounts on the desktop, ADMIN(me), USER(me) and a GUEST account for my kid and his friends. Hopefully this stops some of the clicking on and inadvertently DLing stuff to the PC.

(((UPDATE)))..............
So I'm on the desktop and am at the ComboFix site, click on the DL button, and the PC freezes up, actually stops dead in its tracks. Ctrl+Alt+Del took 30 min to bring up the desktop page, and another 30 min for some of the shortcuts to appear.
Some malware has this ability, from what I read in this forum.
SO,,,(not wanting to infect a 4GB USB stick) when (it's been close to 2Hrs now) the desktop shows up, I should try to do the DL in SAFE MODE with NETWORKING,,,or do the USB thing.......
Please Advise
PK
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 11, 2011, 07:10:05 PM
Use safe mode with networking and also try this different site for the download http://www.majorgeeks.com/Combofix_d6402.html
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 11, 2011, 10:06:00 PM
Use safe mode with networking and also try this different site for the download http://www.majorgeeks.com/Combofix_d6402.html

Got ComboFix to the desktop using the majorgeeks site after shutting down and restarting 2x.
Was reading HERE:http://www.bleepingcomputer.com/combofix/how-to-use-combofix#forums (http://www.bleepingcomputer.com/combofix/how-to-use-combofix#forums).
Should I......
#1) Run ComboFix in Safe Mode?
#2) DL a copy of the Windows XP Recovery Console on the desktop if it should fail to install?
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 11, 2011, 11:24:01 PM
Yes and yes - although if you can access safe mode with networking combofix should be able to do it
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 12, 2011, 12:26:22 PM
Yes and yes - although if you can access safe mode with networking combofix should be able to do it

OK, finally got back into safe mode with networking thru the command prompt.
1) Disabled Spybot
2) Online Armor was not available in safe mode
3) All of avast's shields were disabled.
4) Started ComboFix
5) ComboFix gives me a WARNING!!! that avast real time scanners are still active.
6) I try to "Disable Permanently". My password for avast is not accepted (same pw as the admin account).
7) I close the combofix box to disable avast from outside of safe mode and I get 2nd WARNING!!! from combofix "The above realtime scanner(s) are still active but Combofix shall continue to run. Kindly note that this is at your own risk."

What do I do.....
A) Continue to run ComboFix
B) Leave ComboFix as it is and close safe mode and disable avast from admin mode.
C) ?????
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 12, 2011, 04:08:17 PM
Run ComboFix even with the warning - but do not allow Avast to quarantine or delete anything whilst ComboFix is running.  This is because some of ComboFix's behaviour would appear the same as malware.
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 12, 2011, 05:02:08 PM
ComboFix ran fine with no problems from avast!
ComboFix.txt is attached at the bottom.

PK
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 12, 2011, 05:58:40 PM
Again not a lot showing there - is behaviour shield still going nuts ?  Are they related to OA I wonder ?
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 12, 2011, 06:40:59 PM
Again not a lot showing there - is behaviour shield still going nuts ?  Are they related to OA I wonder ?
I have excluded OA/Spybot/MBAM/avast! from each other. avast! has 3 places I exclude from: the 'On Demand Scans', the 'File system shield settings/Exclusions' and 'Behaviour Shield/Trusted Processes'.
 
,,,,,,,,,crap,,,just got a BSOD on the desktop,,,,,,,,,
"IRQL_NOT_LESS_OR_EQUAL",,,,,,,Hmmmmm

OK,,So no biggie on the BSOD.
Remove OTL and ComboFix?, try something else? GMER, TDSSKiller?

Nothing new on the Behaviour Shield.
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 12, 2011, 06:46:01 PM
If you are happy to play I have lots of toys  ;D

Could you upload the zip file to Mediafire (http://www.mediafire.com/) and post the sharing link.

Download AVPTool from Here (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/) to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan

On the first tab select all elements down to Computer and then select start scan
Once it has finished select report and post that.

(http://i1224.photobucket.com/albums/ee362/Essexboy3/avpfront.jpg)

Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop

Now an analysis scan

Select the Manual Disinfection tab
Press the Gather System Information button
Once done, open the 'last report saved' folder, then attach the zip file to your next post.
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

(http://i1224.photobucket.com/albums/ee362/Essexboy3/avpmanual.jpg)
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 13, 2011, 05:20:41 AM
MEDIAFIRE LINK: http://www.mediafire.com/?uadwayzz2zcd2mf (http://www.mediafire.com/?uadwayzz2zcd2mf)
Tried 2x to DL Kaspersky to the desktop, no go, will try to DL in safe mode next.
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 13, 2011, 12:38:22 PM
Here are the 2 Kaspersky scans you requested.
ZIP LINK:http://www.mediafire.com/?stk3hyuaca30bqn (http://www.mediafire.com/?stk3hyuaca30bqn)
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 13, 2011, 12:49:34 PM
OK the only thing I can see that might be causing this is Superantispyware unpacking its definitions

('C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS','');
('C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS','');

Could you stop SAS and see if that removes all the alerts
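The post above pins the alerts on drivers being unpacked into a Temp folder (the SASKUTIL.SYS and SASDIFSV.SYS lines). The following PowerShell snippet is an added example, not from this thread or from Avast, of how to list registered kernel drivers whose image file lives under a Temp path so that entries like these can be reviewed. It assumes PowerShell 3 or later (Get-CimInstance; on older systems Get-WmiObject takes the same class name), and the path patterns it flags are my own choice.

```powershell
# Added example (not from the thread): report kernel drivers whose image path
# sits under a Temp directory, the pattern seen in the AVPTool log above
# (...\Temp\SAS_SelfExtract\SASKUTIL.SYS). Legitimate tools such as SAS do this,
# so the output is a list for review, not something to act on blindly.

# Assumption: these path fragments are what we consider "temporary" locations.
$tempPatterns = @('\\Temp\\', '\\Temporary Internet Files\\')

function Get-DriversInTemp {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |            # some entries carry no path at all
        ForEach-Object {
            # Strip the \??\ device prefix that some driver paths carry.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $inTemp = [bool]($tempPatterns | Where-Object { $path -match $_ })
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State          # Running / Stopped
                StartMode = $_.StartMode      # Boot / System / Auto / Manual / Disabled
                Path      = $path
                InTemp    = $inTemp
            }
        } |
        Where-Object { $_.InTemp }
}

# Usage: show the suspicious entries; an empty table means nothing is loading from Temp.
Get-DriversInTemp | Sort-Object Name | Format-Table Name, State, StartMode, Path -AutoSize
```

The 8.3 short names in the log (DOCUME~1, LOCALS~1) still contain a literal \Temp\ component, so the match works on either the short or the long form of the path. A driver that shows as Running with a Temp path is worth checking against the product that installed it before anything is removed.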
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 13, 2011, 01:16:40 PM
SAS was installed after the Behavior Shield started going bonkers. It's been removed already.
I will take a look through the C:/ and remove any leftovers.
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 13, 2011, 01:46:51 PM
Looking at the alerts from page one they are all associated with SAS and Spybot

Could you do another screenshot of the current alerts
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 13, 2011, 06:50:19 PM
Current Behavior Shield

(http://i1193.photobucket.com/albums/aa356/ptknight454/2011-02-13_093629.jpg)

Current Full System Scan Log

(http://i1193.photobucket.com/albums/aa356/ptknight454/2011-02-13_0901022.jpg)

I did the SAS scan between the 1st post on the 9th and my 1st post on the 10th, that shows the SAS quarantine in the Full System Scan Log, from the 1st page of this thread.
I turned off system restore,
Turned off Spybots TeaTimer (resident shield),
Emptied out the temp file, cache etc,
Rebooted,
Ran SAS,
Ran Spybot,
Ran avast,
Ran MBAM,
Posted the log,
Later that day (10th) I deleted the SAS quarantine and SAS and its leftovers (hope I got it all).
Emptied out the trash, rebooted, started system restore and a new restore point,
Turned on TeaTimer.
SAS must have picked up what SB/avast!/MBAM missed, only to show up in the Spybot/avast logs. Trust me on this, I thoroughly ran all of them (other than SAS) before posting here.

Spybot detected and removed the 'Cbit-Solutions.PlayGames' from the rcimlby.exe (MS Remote Assistance) file on the 7th.
Cbit-Solutions.PlayGames is associated with the 'coolwebsearch' - 'search.mywebsearch' - 'Mywebsearch Toolbar' TROJAN and its variants, which I was infected with early last year.
This is a concern for me as 'search.mywebsearch' shows up in the OTL scan, last listing under FireFox. For some reason YAHOO is there as well and I have never had it as a search engine or browser.

So,,,where to go from here?
Title: Re: My behavior shield is going nuts,
Post by: DavidR on February 13, 2011, 07:01:45 PM
Of the ones in your image that we can see, they are all for S&D's recovery section.

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (recovery/restore) in case you need to reverse what you did. These are usually password protected; you should do some housekeeping in S&D and delete old recovery entries (older than two weeks or so), as this will reduce the number of files that can't be scanned.

The knock-on of this may also be less associated behaviour shield activity; though I rather think these are inert so shouldn't trigger the behaviour shield, as these are on-demand scan results and not related to the behaviour shield.
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 13, 2011, 07:22:57 PM
Let's kill the FF entries - and what David said, delete the Spybot backups

Run OTL
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 13, 2011, 07:32:01 PM
Of the ones in your image that we can see, they are all for S&D's recovery section.

When you run scans with the above programs and you delete harmful entries that they detect, a copy is kept (recovery/restore) in case you need to reverse what you did. These are usually password protected; you should do some housekeeping in S&D and delete old recovery entries (older than two weeks or so), as this will reduce the number of files that can't be scanned.

The knock-on of this may also be less associated behaviour shield activity; though I rather think these are inert so shouldn't trigger the behaviour shield, as these are on-demand scan results and not related to the behaviour shield.

Sooo,,,somewhere in the archived zip files could be a problem that could not be scanned by avast. If I was to use one of them it would possibly reinfect the pc again.

OOPS,,,was going to post this and you got ahead of me essexboy.
Will delete the Spybot backups, to prevent any further infections.
Reboot, run OTL, insert commands and let it do its thing.
Post new OTL log as requested.
(my ##@%&! son better not FU this pc again!)
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 13, 2011, 07:54:02 PM
Ah but you are learning - there is always a silver lining if you look hard enough

Could you attach the log please  ;D
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 13, 2011, 09:00:24 PM
New OTL Scan Log is attached at the bottom.

While OTL was doing its thing I was doing some research on the 'mywebsearch' thing, I found this page http://software-testing-zone.blogspot.com/2009/08/fix-mywebsearch-hijacked-firefox.html (http://software-testing-zone.blogspot.com/2009/08/fix-mywebsearch-hijacked-firefox.html), looks like I might have to go thru the FireFox "about:config" and see if there is anything in there that shouldn't be.
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 13, 2011, 11:01:02 PM
Hi Patricia could you resave the log as ANSI please rather than unicode

(http://i1224.photobucket.com/albums/ee362/Essexboy3/Untitled.gif)
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 13, 2011, 11:26:52 PM
OOPS,,,don't know how that happened,,,, ???
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 14, 2011, 07:09:59 PM
Let's remove the AVP drivers now - how is it on the behaviour shield front ?

Run OTL
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 14, 2011, 09:25:32 PM
Behavior Shield shows nothing new (attached at bottom).
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 14, 2011, 09:28:26 PM
Would you like me to remove my tools and tidy you up now - or wait a few days ?
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 15, 2011, 01:33:31 AM
How about I put this PC thru some tests, run every app and finish setting up the User and GUEST account, say Friday?
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 15, 2011, 10:38:08 PM
Just shout Madam - your wish is my command  ;D
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 26, 2011, 04:45:34 AM
Just shout Madam - your wish is my command  ;D

Anytime you are ready to give me instructions for removing the Combo Fix - OTL - Kaspersky VRT, I'm ready now.
Sorry for the delay, I've been very busy and haven't had a chance to finish the home PC.
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 26, 2011, 12:54:42 PM
Time is not a problem and on a weekend doubly so  ;D

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL again and hit the cleanup button.  It will remove all the programmes we have used plus itself.  AVPTool - just delete the programme from the desktop

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)   Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
SPRING CLEAN
 
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
For the first run I would recommend a boot defrag and disk check

(http://i1224.photobucket.com/albums/ee362/Essexboy3/Bootdefrag.jpg)


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
 
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).  Update and run weekly to keep your system clean

Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti-virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe  :wave:
Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on February 28, 2011, 12:50:48 AM
Crap,,,did the OTL script and the PC locked up.
It ran fine and stopped at 'Processing Complete' with all the green bars lit up.
Can't close OTL, can't minimize it, can't type anything into the 'Custom Scans/Fixes' box.
No desktop shortcuts on the screen, can't get into Windows.

Power down, Hard reset????

(((UPDATE)))
Double Crap,,,PC went to sleep, woke it up, logged into ADMIN account, same thing, locked up, can't do anything!

(((UPDATE)))
PC went to sleep, woke it up, I'm on the log in screen now. ADMIN account shows that there are 2 programs running, USER and GUEST show nothing.

(((UPDATE)))
Did a hard reset and the system started, .txt file showed up on the ADMIN page.

(((UPDATE)))
I can not uninstall ComboFix from Start>Run>ComboFix /Uninstall>OK
I get a pop up "Windows cannot find 'ComboFix'. Make sure you typed the name correctly, and try again. To search for a file, click the start button, and then click Search"
Soooo, what next?
Title: Re: My behavior shield is going nuts,
Post by: essexboy on February 28, 2011, 07:10:34 PM
So if I understand it, it got into some kind of loop when the final OTL ran ?

It can no longer find ComboFix; that would suggest that OTL removed it.

What is the current situation as I have never come across this before

Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on March 03, 2011, 12:26:28 AM
So if I understand it, it got into some kind of loop when the final OTL ran ?

It can no longer find Combofix, that would suggest that OTL removed it

What is the current situation as I have never come across this before
Still on the desktop.
RightClick>Properties>Size on disk: 4.06 MB
Title: Re: My behavior shield is going nuts,
Post by: essexboy on March 03, 2011, 08:58:50 PM
Did you run OTL and hit the cleanup button ?

Title: Re: My behavior shield is going nuts,
Post by: Patricia.K on March 10, 2011, 03:57:47 AM
Ok, finally got rid of OTL and ComboFix, after a dozen or so attempts. I just have Kaspersky left on the desktop, just deleted it as well.

Made sure that hidden file and folders are just that.

Tried to automatically update Java from FireFox update, 'Tools>Add-ons>Extensions>Find Updates' didn't work??? I will report this bug to them.
Updated Java manually.

Disk Defrag Done.

MBAM is on my PC as a permanent 'On Demand Scanner'.

File Hippo is not needed (I hope) as FireFox should do the updates for the Add-Ons and Extensions automatically (will keep an eye on this).

I have avast! 6.0 and Online Armor 4.5.1, they update automatically.

Microsoft Windows Update is set to 'Automatic - Once A Week'.

"How did I get infected in the first place?", my kid seems to think that a PC is the same as texting on his phone, he clicks on any link and surfs without paying attention to the WOT ratings. He doesn't understand that a PC needs maintenance, doesn't care either. One more time doing all this and he's off this PC for good, he will have to purchase and maintain it himself.

Thank you for your time and effort.
Pat K.

Title: Re: My behavior shield is going nuts,
Post by: essexboy on March 10, 2011, 12:38:55 PM
No problem ..   Filehippo actually checks all programmes on your computer for updates, whereas FF only looks for Firefox related items.