Avast WEBforum
Other => Viruses and worms => Topic started by: tanzanos on June 17, 2011, 10:17:15 AM
-
I had microsoft security essentials and it did not protect me from something that has infected my system. I uninstalled the security essentials and installed AVAST. I did a boot scan and it found a few things which were fixed. I also run malwarebytes and superantispyware. The problem persists:
I cannot get Security Center to start (something keeps disabling it) and also on both my Browsers iE and Firefox I keep getting redirected to various sites.
Here is a log from Highjackthis; PLEASE SOMEONE HELP!
-
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )
To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log ) save OTS log as ANSI
Essexboy will look at the logs when he arrive here later today...
-
Malware and superantispyware did not find anything. Avast found at bootscan the following: Trojan.Agent/Gen-Fraudpack.
I redid a boot scan and nothing else was found. Now I have this problem that even though I start security center in services it is after about 1 minute it becomes disabled and both my browsers redirect me to a site SECURE.BIDVERTISER.COM
-
was Malwarebytes updated when you scanned?
follow the guide i linked to and post the OTS log
-
All the pertinent anti malware progs were updated. I have a log of Spybot that has some entries; can I post it here? Also Java stopped working!
-
you may, but what Essexboy need is the OTS log
Modern malware will hide all, or most of itself from detection in a HijackThis log. HijackThis (HJT) is very popular, and if malware can hide from it, it has a better chance of survival. But mostly HJT fails to detect malware because, with the exception of some bug fixes and minor updates, it has not been updated in a long time.
-
Sorry for my ignorance but what is OTS?
-
Diagnostic program like HijackThis only 100 times better
click the link in my first reply
her you can read about the older version OTL
http://www.geekstogo.com/otl-by-oldtimer-a-modern-replacement-for-hijackthis/
-
you may, but what Essexboy need is the OTS log
Modern malware will hide all, or most of itself from detection in a HijackThis log. HijackThis (HJT) is very popular, and if malware can hide from it, it has a better chance of survival. But mostly HJT fails to detect malware because, with the exception of some bug fixes and minor updates, it has not been updated in a long time.
Not to mention HJT hasn't had an update in well over a year and any supposed security/analysis tool that isn't update is pretty much worthless.
-
I download OTL from sourceforge but the rar file does not contain an exe nor an install application?
-
Don't you have a software to extract it?
For example: 7-zip
You can download it here:
http://www.filehippo.com/download_7zip_32/
-
If you use the link to the guide i posted http://forum.avast.com/index.php?topic=53253.0 then scroll down to you see the blue OTS and click it
-
OK I have OTL running now; Will post the log when finished.
Thank you all very much for your help. I hope it works. By the way I had Zip installed but after the infection it disappeared?
-
When you post the OTS log could you give me a brief synopsis of your problems
-
Since the infection: Security center keeps turning off even though I start it in services. Web Browsers keep rerouting me to SECURE.BIDVERTISER.COM
Hope someone can help me ??? Thanks Guys!
-
Let me know if there are any problems after this run
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-4149854431-98036347-1619213294-1001\] > -> HKEY_USERS\S-1-5-21-4149854431-98036347-1619213294-1001\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{21FA44EF-376D-4D53-9B0F-8A89D3229068}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{5a3b6e40-f96d-11df-a960-806e6f6e6963}\shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a3b6e40-f96d-11df-a960-806e6f6e6963}\shell\AutoRun\command ->
YN -> \{5a3b6e40-f96d-11df-a960-806e6f6e6963}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\Start.hta]
[Files/Folders - Modified Within 30 Days]
NY -> Xwhh.job -> C:\Windows\tasks\Xwhh.job
[Files - No Company Name]
NY -> Xwhh.job -> C:\Windows\tasks\Xwhh.job
NY -> jbVCOnAtBW3OI.vbs -> C:\Users\yiannis\AppData\Roaming\jbVCOnAtBW3OI.vbs
NY -> EWdIz4w.vbs -> C:\Users\yiannis\AppData\Roaming\EWdIz4w.vbs
NY -> 9bfPeGEvV9a4oCd.vbs -> C:\Users\yiannis\AppData\Roaming\9bfPeGEvV9a4oCd.vbs
NY -> 3Nx0EFJcDjB5Z.vbs -> C:\Users\yiannis\AppData\Roaming\3Nx0EFJcDjB5Z.vbs
NY -> m6t5X4g.vbs -> C:\Users\yiannis\AppData\Roaming\m6t5X4g.vbs
[File - Lop Check]
NY -> Xwhh.job -> C:\Windows\Tasks\Xwhh.job
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
This is no sign of malfunction, do not panic!
-
Here it is and thanks for you help:
All Processes Killed
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-4149854431-98036347-1619213294-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_USERS\S-1-5-21-4149854431-98036347-1619213294-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a3b6e40-f96d-11df-a960-806e6f6e6963}\shell\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a3b6e40-f96d-11df-a960-806e6f6e6963}\shell\AutoRun\command\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a3b6e40-f96d-11df-a960-806e6f6e6963}\shell\AutoRun\command not found.
[Files/Folders - Modified Within 30 Days]
C:\Windows\tasks\Xwhh.job moved successfully.
[Files - No Company Name]
File C:\Windows\tasks\Xwhh.job not found!
C:\Users\yiannis\AppData\Roaming\jbVCOnAtBW3OI.vbs moved successfully.
C:\Users\yiannis\AppData\Roaming\EWdIz4w.vbs moved successfully.
C:\Users\yiannis\AppData\Roaming\9bfPeGEvV9a4oCd.vbs moved successfully.
C:\Users\yiannis\AppData\Roaming\3Nx0EFJcDjB5Z.vbs moved successfully.
C:\Users\yiannis\AppData\Roaming\m6t5X4g.vbs moved successfully.
[File - Lop Check]
File C:\Windows\Tasks\Xwhh.job not found!
[Custom Items]
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\yiannis\Desktop\cmd.bat deleted successfully.
C:\Users\yiannis\Desktop\cmd.txt deleted successfully.
[Empty Temp Folders]
User: All Users
-
OH! OH! Security center still turns off. If I instruct it to turn on it refuses and the only way to turn it on is through services but it reverts back to disable after about a minute.
-
OK phase two now -
Download ComboFix from one of these locations:
Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
- Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-
I disabled Avast but combofix keeps telling me that it is still active??? I disabled avast from the start menu and rebooted and although avast is not running combo insists it is?????
-
Right click the orange blob, select shield control, disable for one hour and then run Combofix and ignore the warnings. Do not let Avast sandbox any files during the run
-
Combo completed and made a log file. But the two problems still persist: security center disables and my browsers keep redirecting me to various shoddy sites?
-
Could you post the log please as combofix does not recognise all malware
-
This must some nasty bug! I hope you can help me get rid of it :'( I also included the spybot log but in previous logs it found: Babylon toolbar, and 2 registry entries that disable the security center, and Funwebproducts.
-
OK now thionking MBR infection, more specifically volsnap - but lets see
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 567KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
(http://public.avast.com/~gmerek/aswMBR1.png)
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://public.avast.com/~gmerek/aswMBR2.png)
-
Hope a solution can be found. I appreciate immensely your help. Also Avast icon keeps disappearing from the toolbar and both my web brousers keep redirecting me to various sites like UNIBLUE, Casinos etc.
aswMBR version 0.9.6.399 Copyright(c) 2011 AVAST Software
Run date: 2011-06-18 19:00:40
-----------------------------
19:00:40.428 OS Version: Windows x64 6.1.7601 Service Pack 1
19:00:40.428 Number of processors: 8 586 0x1A04
19:00:40.428 ComputerName: YIANNIS-PC UserName: yiannis
19:00:41.130 AVAST engine 6.0.1125 defs: 11061800
19:00:41.130 Initialize success
19:00:44.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
19:00:44.500 Disk 0 Vendor: WDC_WD6400AAKS-22A7B2 01.03B01 Size: 610480MB BusType: 3
19:00:44.516 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T1L0-7
19:00:44.516 Disk 1 Vendor: WDC_WD6400AAKS-22A7B2 01.03B01 Size: 610480MB BusType: 3
19:00:44.531 Disk 0 MBR read successfully
19:00:44.531 Disk 0 MBR scan
19:00:44.531 Disk 0 Windows 7 default MBR code
19:00:44.531 Service scanning
19:00:45.623 Disk 0 trace - called modules:
19:00:45.623 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa80055b12c0]<<
19:00:45.623 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80065b5790]
19:00:45.623 3 CLASSPNP.SYS[fffff8800167243f] -> nt!IofCallDriver -> [0xfffffa8006396520]
19:00:45.623 5 ACPI.sys[fffff88000f067a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa800637e680]
19:00:45.623 \Driver\atapi[0xfffffa8006343730] -> IRP_MJ_CREATE -> 0xfffffa80055b12c0
19:00:45.639 AVAST engine scan C:\Windows\system32
19:01:47.805 Scan finished successfully
19:01:55.979 Disk 0 MBR has been saved successfully to "C:\Users\yiannis\Desktop\MBR.dat"
19:01:55.979 The log file has been saved successfully to "C:\Users\yiannis\Desktop\aswMBR.txt"
-
Yep the unknown is there, this may not run - so could you let me know as I have a reserve tool if needed
Please read carefully and follow these steps.
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png)
- If an infected file is detected, the default action will be Cure, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png)
- If a suspicious file is detected, the default action will be Skip, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png)
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png)
- If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
-
It found nothing? The Security centre is still being disabled and I still have this very annoying redirecting bug in my browsers. See attached report.
Once again thank you for your assistance.
-
Are the redirects in Firefox, IE or both ?
Also does anyone else using your router experience the same problem ?
Download Dr Web from here (https://www.freedrweb.com/download+cureit+free/?lng=en) Fill in the small form and download
It will download as an 8 digit file save it to your desktop
Restart in safe mode and run
Accept the enhanced version
Then run the quick scan
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log please attach that
-
Both browsers.
DRWeb reported after scanning that viruses were found. I have attached the report.
-
What did it find ? as that is the setup and self check log
-
I don't know as it did not mention them. All it said was "Attention, viruses have been found during the scan RC (......". Also it does not complete in order to reach the point where a scan log is made. The report I posted is all that is generated and there are no other folders in the C/USERS/..../DR Web folder apart from the report I attached. ??? Dr Web only runs after normal boot; It does not run properly in Safe boot mode.
I run tdsskiller and it found the following:
2011/06/19 09:22:19.0679 4196 Detected object count: 1
2011/06/19 09:22:19.0679 4196 Actual detected object count: 1
2011/06/19 09:22:40.0193 4196 sptd (34f974f8b3c86de03a30dcbe79091c97) C:\Windows\system32\Drivers\sptd.sys
2011/06/19 09:22:40.0193 4196 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: 34f974f8b3c86de03a30dcbe79091c97
2011/06/19 09:22:40.0193 4196 C:\Windows\system32\Drivers\sptd.sys - copied to quarantine
2011/06/19 09:22:40.0208 4196 LockedFile.Multi.Generic(sptd) - User select action: Quarantine
-
I tried Dr web once more in safe mode and this time it completed the scan and found nothing? Before it had found viruses but could not complete the scan? This is very weird. Something is disabling security center. Something is hiding the Avast icon in the toolbar and only when I run Avast again does it show up. Something is redirecting on both web browsers?
I really need to kill this bug(s). A reformat is almost out of the question!
Someone must know how to find and DESTROY this bug?
-
Lets review all your start up elements
Please RIGHT-CLICK HERE (http://www.silentrunners.org/Silent%20Runners.vbs) and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.- Save it to the desktop.
- Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
- You will receive a prompt:
Do you want to skip supplementary searches?
click NO[/list]
- If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
- You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
- Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and attach it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
-
I went to the registry that was pointed out by spybot and changed START from 3(manual start) to 2(automatic start) Then I uninstalled, rebooted and reinstalled Avast. now it seems that I no longer have a problem. Security centre is working. Avast is working, and I do not see any redirects in my browsers. I hope that this is not a temporary situation.
Please find attached the report you requested. EB, I truly wish to thank you for all the time and effort you have put into helping resolve my problem. Something must have worked! ;D
-
Sometimes that happens - the blindingly obvious is missed
That will be a permanent solution, but at least now you can be fairly confident that nothing is lurking
Leave it run for a day or so before I remove my tools just to be sure
-
Thanks a million mate ;D I shall wait and will let you know if this bug returns! And now for some Government virus cleaning (we are cleaning our parliament off corrupt MPs)This is the worst type of virus! It corrupts all of society!
Once more thank you!
-
Something is not right! EB, this bug must have done something to my system; when I go to this link and scroll down to the bottom I see html code?????
http://www.icrass.com/component/content/article/34-demo-category/58-international-center-for-robotics-and-advanced-space-studies.html
-
You can see it in firefox also, so it is more to do with botched code on the page not hiding that.
-
You can see it in firefox also, so it is more to do with botched code on the page not hiding that.
Confirming this.
No idea, if it's bad coding or for purpose - no time to analyse.
But it is not related to your prior problem. ;)
-
TDSSKILLER has quarantined the following file:
[InfectedFile]
Type: Raw image
Src: C:\Windows\system32\Drivers\sptd.sys
md5: 34f974f8b3c86de03a30dcbe79091c97
Is this a false positive? If yes then how do I un-quarantine it?
-
Do you use daemon tolls ? If not then ignore it
-
You can see it in firefox also, so it is more to do with botched code on the page not hiding that.
It's like that in Chrome too.
-
Do you use daemon tolls ? If not then ignore it
Yes I use Daemon tools. Some progs don't work now. How can I un quarantine the file?
-
I would download a fresh copy from here to be on the safe side
http://www.duplexsecure.com/downloads
-
Thanks M8 ;D