Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: mishav13 on July 09, 2011, 06:36:11 AM
-
Hello,
I have avast home edition and it keeps alerting me about IEXPLORE.exe virus like every 2 minutes. What is worse is that it messed up my internet connection. A lot of the times i cannot access the internet and when i can it redirects pages to 64.111.211.158. Or it will redirect to some other pages i completely did not want. I think this post might be similar:
http://forum.avast.com/index.php?topic=81122.0 (http://forum.avast.com/index.php?topic=81122.0)
Also I would like to mention that it made all my documents hidden.
Things I tried:
- system restore
- boot scan of avast anti virus
- safe mode scan of avast anti virus
- safe mode spy bot search and destroy
- safe mode smitfraudfix
- safe mode malwarebytes anti-malware
All of these tools found stuff which i deleted but end result did not change it still persists with that annoying popup every few minutes and all the behvaiours i described above still happen!
Things i wanted to try but could not:
- system recovery (no option at boot time)
- format by right click on c drive but keep getting message: "Windows cannot format this drive. Quit any disk utilities or other programs that are using this drive and make sure that no window is displaying the contents of the drive. Then try formatting again."
- re-install xp but i don't have the CD since windows xp came with the computer installed already
System specs:
- windows xp professional service pack 3
- Acer computer
- intel core 2 duo cpu @ 3.06 GHz
- 2.99 GB of RAM
Edit: sorry i posted in wrong section! I hardly got to this forum from all the redirects. please move. Thanks!
Edit 2: I ran combofix and attached log. The problem still did not go away after running combofix. I still see the popup IEXPLORE. After combofix avast does not seem to appear in system tray everytime i boot up computer like it did before but i do think its still running in the background from checking the processes running.
-
Have you tried running a scan with HitmanPro?
http://www.surfright.nl/en/hitmanpro
-
I just downloaded it now and ran a scan. All it found were some cookies which i deleted. Problem still persists.
-
Hi could you give a screenshot of the Avast alert please
To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire (http://www.mediafire.com/) and post the sharing link.
Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop
- Close ALL OTHER PROGRAMS.
- Double-click on OTS.exe to start the program.
- Check the box that says Scan All Users
- Under Additional Scans check the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
- Under the Custom Scan box paste this in
%SYSTEMDRIVE%\*.exe
/md5start
iexplore.exe
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
-
I couldn't upload the file from the infected computer. Kept stopping after few percent. I saved the log file on external HD and uploaded on another computer. Hopefully I can't infect the other computer doing that?
-
This is reminiscent of a TDL type infection
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY -> dD04201OlMmG04201 -> C:\Documents and Settings\All Users\Application Data\dD04201OlMmG04201
[Files/Folders - Modified Within 30 Days]
NY -> D952.378 -> C:\Documents and Settings\Alexander\Application Data\D952.378
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
This is no sign of malfunction, do not panic!
THEN
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif)
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://public.avast.com/~gmerek/aswMBR2.png)
-
Attached
- OTS log
- aswMBR log
Please Note: I don't see avast icon in bottom right corner where it used to be
-
There is the possibility of a TDL3 there
Please read carefully and follow these steps.
- Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png)
- If an infected file is detected, the default action will be Cure, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png)
- If a suspicious file is detected, the default action will be Skip, click on Continue.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png)
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
(http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png)
- If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
-
essexboy i can't seem to launch this program. I double click and nothing happens on the infected computer. I tried to launch it in safe mode and still can't launch it
-
OK that confirms that diagnosis then
Download Combofix from any of the links below. You must rename it before saving rename it to Gotcha before saving it to your desktop.
Link 1 (http://"http://download.bleepingcomputer.com/sUBs/ComboFix.exe")
Link 2 (http://"http://www.forospyware.com/sUBs/ComboFix.exe")
==================================
(http://www.hdrcgb.org.uk/g2g/Cfix_Gotcha.exe.jpg)
Double click on the renamed ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt so we can continue cleaning the system.
-
combofix log attached. I could not disable avast during the scan though
P.s. The 2 links you provided for combofix do not work for me. I simply get the message: "Oops! Google Chrome could not find "http"
-
Could you now retry TDSSKiller for me please, if it should fail again could you run a fresh OTS log for me
-
Unfortunately I still can't open TDSSKiller :(
Attached new OTS log
-
DownloadMBRCheck.exe (http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe) to your Desktop. Run the application.
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
If an infection is found, you will be presented with the following dialog:
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
-
Attached MBR. I hit No as requested
-
Run MBRCheck.exe once again.
You will be presented with the following dialog:
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Enter Y and press Enter.
The following dialog will be presented:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice:
Enter 2 and press Enter
The following dialog will be presented:
Enter the physical disk number to fix (0-99, -1 to cancel):
Enter >>0<< and press Enter
The following dialog will be presented:
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel
Please select the MBR code to write to this drive:
Enter >>1<< and press Enter
The following dialog will be presented:
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue:
Type YES and press Enter (Must type the full word, YES). You will be inform if successfully wrote a new MBR code!
And last the following dialog will be presented:
Done! Press ENTER to exit...
Press Enter. A report will be produced on the desktop. Post that report in your next reply.
-
Attached is new MBR log. Note: TDSSKILLER still will not open
-
Could you reboot and run a further mbr check please
-
new mbr log attached
-
This has the appearance of the new TDL variant
Reboot the computer and press F8 to get to the safe mode menu
Once there select recovery console
At the command prompt type
FIXMBR
Accept the warning and then type Exit
Reboot to normal windows and run mbrcheck again please
-
When i go to recovery console it says: "A disk read error occured. Press ctrl+alt+del to restart" Pressing ctrl+alt+del does nothing. Gotta shut down computer manually by holding power button down.
-
OK this is the new variant - I will need to do a bit of reading on this, we may need to fix the MBR outside of windows, Are you able to burn a CD ?
-
i can burn a cd/dvd on my other computer.
-
Please print these instruction out so that you know what you are doing
Latest version: v3.1.46.0
OTLPENet.exe
MD5=79209302A1AFB2490808DB890A815CED
Size: 127,222,215b / 121.3MB
- Download OTLPENet.exe (http://oldtimer.geekstogo.com/OTLPENet.exe) to your desktop
- Ensure that you have a blank CD in the drive
- Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
- Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)
- As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
- Your system should now display a Reatogo desktop.
- On the Reatogo desktop. Double click MBRFix. A command prompt will be presented. Type the following commands and press Enter after each line:
C:
cd C:\
MbrFix /drive 0 fixmbr
Exit
[/list]
-
When i typed the following in the command prompt: MbrFix /drive 0 fixmbr
I get the following error:
"MBRFIX is not recognized as internal or external command"
-
Just a small bit of info. There have been viral adverts that Mediafire occasionally use. Most likely by accident(I hope). But I thought Essexboy would want to know, as to avoid giving out this link to them. Not everyone has ad blockers.
Stay safe. Hope this issue of this thread is resolved =D
-
OK I have some further information on this now
Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif)
On completion of the scan click save log, save it to your desktop and post in your next reply
(http://public.avast.com/~gmerek/aswMBR2.png)
-
Attached new log.
As for MBRFix i think i might need to set an environment variable as changing the path to C:\ it won't recognize the command as its not found but it does exist. I'm not really sure how to do it though.
-
Lets try this first and keep our fingers crossed as I have had two successes with this so far
Re-Run aswMBR
Click Scan
On completion of the scan
Click the FIXMBR Button
(http://public.avast.com/~gmerek/aswMBR4.png)
Reboot and run a fresh aswMBR scan
Save the log as before and post in your next reply
-
new log attached
-
OK could you let me know what problems you have at the moment
-
Interesting question heh. I will need to use it for a bit to make sure everything is good but it seems to be fine now. Even the TDSSKiller program starts up now. Can you tell me what was wrong before? and what fix actually made everything work?
The only other problem i see at the moment is avast antivirus usually loaded in my system tray (bottom right corner) everytime windows boots and now it doesn't. When i double click on it on the desktop it will appear in my system tray. Once in system tray i right click start bar and select properties and click customize and change behaviour to always show. Then i restart computer and it does not show in system tray. so 2 questions: 1. how do i make it show in my system tray everytime computer starts without manually opening it everytime 2. since its not in system tray is it still running all the proper shields?
-
I would recommend a repair of Avast. This appears to be a new variant of the TDL family and the FixMBR got rid of it. At the moment we are having patchy results with the various tools at our disposal, mayhap they have not yet finalised the malware
-
by repair avast do you mean uninstall and reinstall?
Edit: NVM seems like there is repair option in add/remove
Thanks a lot for all your help!!!
-
Once you are happy let me know and I will remove my bits and bobs
-
Once you are happy let me know and I will remove my bits and bobs
Everything seems to be working good. Thanks
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Uninstall ComboFix
Remove Combofix now that we're done with it.
- Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
- Now copy/paste this: ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /Uninstall, it needs to be there.
[indent](http://i275.photobucket.com/albums/jj285/Bleeping/Combofix/CFuninstall.gif)[/indent] - Please follow the prompts to uninstall Combofix.
- This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
- You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif) Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
- Go to[color="#FF0000"] this site[/color] (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
For the first run I would recommend a boot defrag and disk check
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Puran-1.gif)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave: