Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: MissTootyJones on July 25, 2011, 07:30:38 PM

Title: Avast Enhanced Protection Mode?
Post by: MissTootyJones on July 25, 2011, 07:30:38 PM
Problem: I can't open the Avast! user interface, can't boot in safe mode, can't access facebook.
Screencaps: http://tinypic.com/r/2itim3r/7  http://tinypic.com/r/hvwbpt/7

I'm certain this is a virus or malware or something of that sort. My sister was using facebook and clicked a link to a video that asked her to update Adobe Flash. She did, the computer restarted and then the problems began. How do I get rid of this? I'm running Malwarebytes right now to see if it'll do anything. If not, what steps should I take?

Also, my apologies if this isn't in the right section. I just need some help.
Title: Re: Avast Enhanced Protection Mode?
Post by: essexboy on July 25, 2011, 07:35:24 PM
Yep 'tis an infection

Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) to your desktop
 

Please post the contents of the RKreport.txt in your next Reply.

THEN

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload to Mediafire (http://www.mediafire.com/) and post the sharing link.

Download OTS (http://oldtimer.geekstogo.com/OTS.exe)  to your Desktop
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check


%USERPROFILE%\..|smtmp;true;true;true /FP
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT


Please attach the log in your next post.
Title: Re: Avast Enhanced Protection Mode?
Post by: MissTootyJones on July 25, 2011, 08:02:38 PM
RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: Cristina [Admin rights]
Mode: Remove -- Date : 07/25/2011 13:44:30

Bad processes: 0

Registry Entries: 3
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

HOSTS File:
127.0.0.1       localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
[...]


Finished : << RKreport[1].txt >>
RKreport[1].txt



OTS Log

http://www.mediafire.com/?lvt1e08tt0ssz5b
Title: Re: Avast Enhanced Protection Mode?
Post by: Bugisrb on July 25, 2011, 08:08:47 PM
I have the same problem...

RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Owner [Admin rights]
Mode: Scan -- Date : 07/25/2011 20:00:54

Bad processes: 4
[SVCHOST] svchost.exe -- c:\windows\update.5.0\svchost.exe -> KILLED
[SUSP PATH] sysdriver32.exe -- c:\windows\sysdriver32.exe -> KILLED
[SVCHOST] svchost.exe -- c:\windows\update.2\svchost.exe -> KILLED
[SVCHOST] svchost.exe -- c:\windows\update.tray-7-0-lnk\svchost.exe -> KILLED

Registry Entries: 8
[SUSP PATH] HKLM\[...]\Run : wxpdrv (C:\WINDOWS\services32.exe) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

HOSTS File:
127.0.0.1       localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
[...]


Finished : << RKreport[1].txt >>
RKreport[1].txt



Title: Re: Avast Enhanced Protection Mode?
Post by: Bugisrb on July 25, 2011, 08:30:55 PM
Here is my OTS scan
http://www.mediafire.com/?0aol8b5jw16fy3b
Title: Re: Avast Enhanced Protection Mode?
Post by: Hugene on July 25, 2011, 09:08:10 PM
I have the same problem!!!!
My Rogue Killer report (RKreport.txt) is:

RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User: Hugene [Admin rights]
Mode: Remove -- Date : 07/25/2011 14:26:36

Bad processes: 0

Registry Entries: 5
[SUSP PATH] HKCU\[...]\Run : cacaoweb ("C:\Users\Hugene\AppData\Roaming\cacaoweb\cacaoweb.exe" -noplayer) -> DELETED
[SUSP PATH] HKLM\[...]\Run : PLFSetI (C:\Windows\PLFSetI.exe) -> DELETED
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

HOSTS File:


Finished : << RKreport[1].txt >>
RKreport[1].txt

My OTS link is:

http://www.mediafire.com/?5pcgz8cz3ccm6rs

Thanks


Title: Re: Avast Enhanced Protection Mode?
Post by: DavidR on July 25, 2011, 09:13:23 PM
Guys, please don't hijack the original poster's topic; it just confuses the issue when trying to help multiple users in the same topic.

So please create your own new topic here, http://forum.avast.com/index.php?board=4.0, in the viruses and worms forum: click New Topic and post your RogueKiller and OTS logs in your own new topic.
Title: Re: Avast Enhanced Protection Mode?
Post by: agerginov on July 25, 2011, 09:34:22 PM
Hello dear fellows, I am new to the forum but have been an Avast user steadily for around 7 years, so here's the situation: I have the same problem with the Facebook thing and Enhanced security, so I did everything that was told with the program RogueKiller and here is the report. I did it for the seventh time and nothing changes; Avast still tells that it works under enhanced protection and still the connection to Fb is lost or damaged.  :-X ??? Can you just tell me if you know for how long this hacking (if it can be called hacking) thing will continue, and is Avast going to manage with the problem?
Title: Re: Avast Enhanced Protection Mode?
Post by: essexboy on July 25, 2011, 09:54:09 PM
This is a new variant malware that affects all Antivirus programmes - there is a Norton enhanced mode, a McAfee enhanced mode etc. etc.

Each fix I create will be unique to the system concerned, so each one will need to be in a separate topic.

But again, please do not get a Flash Player update from anywhere but Adobe - period, full stop, never.  'cos you will get infected with the latest and best malware around... Until we find a way to kill it that is, then it will just get updated again.
Title: Re: Avast Enhanced Protection Mode?
Post by: essexboy on July 25, 2011, 10:05:11 PM
MissTootyJones, here is your fix...

Once this run is complete there will be a zip file in the following location: C:\_OTS\moved files. Could you upload that to Mediafire and post the sharing link please? I will then forward it to Avast. On completion of this, could you also download and install a fresh copy of Avast.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Processes - Safe List]
YY -> svchost.exe -> C:\Windows\update.2\svchost.exe
YY -> svchost.exe -> C:\Windows\update.1\svchost.exe
[Win32 Services - Safe List]
YY -> (srvsysdriver32) srvsysdriver32 [Auto | Stopped] -> C:\Windows\sysdriver32.exe
[Registry - Safe List]
< HOSTS File > ([2011/07/24 22:53:08 | 000,203,160 | -H-- | M] - 100105 lines) -> C:\Windows\SysNative\Drivers\etc\hosts
YN -> Reset Hosts ->
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "14739484-loader2.exe" -> C:\Windows\TEMP\14739484-loader2.exe ["C:\Windows\TEMP\14739484-loader2.exe"]
YY -> "388915.exe" -> C:\Windows\TEMP\388915.exe ["C:\Windows\TEMP\388915.exe"]
YY -> "707159.exe" -> C:\Windows\TEMP\707159.exe ["C:\Windows\TEMP\707159.exe"]
YY -> "7835015.exe" -> C:\Users\Cristina\AppData\Local\Temp\7835015.exe ["C:\Users\Cristina\AppData\Local\Temp\7835015.exe"]
YY -> "8435151.exe" -> C:\Windows\TEMP\8435151.exe ["C:\Windows\TEMP\8435151.exe"]
YY -> "l1rezerv.exe" -> C:\Windows\l1rezerv.exe ["C:\Windows\l1rezerv.exe"]
YY -> "sysdriver32.exe" -> C:\Windows\sysdriver32.exe ["C:\Windows\sysdriver32.exe" rezerv]
YY -> "sysdriver32_.exe" -> C:\Windows\sysdriver32_.exe ["C:\Windows\sysdriver32_.exe" rezerv]
YY -> "systemup" -> C:\Windows\systemup.exe ["C:\Windows\systemup.exe" stand]
YN -> "tray_ico" -> []
YY -> "tray_ico0" -> C:\Windows\update.tray-7-0\svchost.exe [C:\Windows\update.tray-7-0\svchost.exe]
YN -> "tray_ico1" -> []
YN -> "tray_ico2" -> []
YN -> "tray_ico3" -> []
YN -> "tray_ico4" -> []
YY -> "wxpdrv" -> C:\Windows\services32.exe [C:\Windows\services32.exe]
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
YN -> "AlternateShell" -> services32.exe
[Files/Folders - Created Within 30 Days]
NY ->  update.5.0 -> C:\Windows\update.5.0
NY ->  update.2 -> C:\Windows\update.2
NY ->  av_ico -> C:\Windows\av_ico
NY ->  update.1 -> C:\Windows\update.1
NY ->  update.tray-7-0-lnk -> C:\Windows\update.tray-7-0-lnk
NY ->  update.tray-7-0 -> C:\Windows\update.tray-7-0
[Files/Folders - Modified Within 30 Days]
NY ->  info1 -> C:\Windows\info1
NY ->  sysdriver32_.exe -> C:\Windows\sysdriver32_.exe
NY ->  sysdriver32.exe -> C:\Windows\sysdriver32.exe
NY ->  systemup.exe -> C:\Windows\systemup.exe
NY ->  geoiplist.rar -> C:\Windows\geoiplist.rar
NY ->  unrar.exe -> C:\Windows\unrar.exe
NY ->  loader2.exe_ok -> C:\Windows\loader2.exe_ok
NY ->  services32.exe -> C:\Windows\services32.exe
NY ->  geoiplist -> C:\Windows\geoiplist
[Files - No Company Name]
NY ->  systemup.exe -> C:\Windows\systemup.exe
NY ->  l1rezerv.exe -> C:\Windows\l1rezerv.exe
NY ->  geoiplist -> C:\Windows\geoiplist
NY ->  geoiplist.rar -> C:\Windows\geoiplist.rar
NY ->  unrar.exe -> C:\Windows\unrar.exe
NY ->  info1 -> C:\Windows\info1
NY ->  loader2.exe_ok -> C:\Windows\loader2.exe_ok
NY ->  sysdriver32_.exe -> C:\Windows\sysdriver32_.exe
NY ->  sysdriver32.exe -> C:\Windows\sysdriver32.exe
NY ->  services32.exe -> C:\Windows\services32.exe
[File - Lop Check]
NY ->  com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1 -> C:\Users\Cristina\AppData\Roaming\com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1
NY ->  com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1 -> C:\Users\Cristina\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1
[Custom Scans]
YY ->  svchost.exe : MD5=7A3BC4D258CBE30DFB0649EE863FAE25 -> C:\Windows\update.1\svchost.exe
YY ->  svchost.exe : MD5=7A3BC4D258CBE30DFB0649EE863FAE25 -> C:\Windows\update.tray-7-0\svchost.exe
YY ->  svchost.exe : MD5=7A3BC4D258CBE30DFB0649EE863FAE25 -> C:\Windows\update.tray-7-0-lnk\svchost.exe
YY ->  svchost.exe : MD5=B29DC60E06AF2B9ED13E6C6935BC3670 -> C:\Windows\update.2\svchost.exe
YY ->  svchost.exe : MD5=DDE08469DED554140851ACFFCB8F4802 -> C:\Windows\update.5.0\svchost.exe
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
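The two indicators that the RogueKiller reports and the OTS fix above revolve around, a HOSTS file that sinkholes facebook.com and the VK/Odnoklassniki domains to 127.0.0.1, and svchost.exe copies running from C:\Windows\update.* instead of System32, can be checked for mechanically. The Python below is an added example written for this page, not code from RogueKiller, OTS, Avast or anyone in the thread; its sample hosts excerpt and process lines are constructed from the indicators in the posted logs, and the 10.0.0.5 and system32 entries are made up to show inputs that must not be flagged.

```python
"""Triage helpers for two indicators seen in the RogueKiller and OTS logs in
this thread: a HOSTS file that sinkholes social-network domains to 127.0.0.1,
and svchost.exe images running from outside the Windows system directories.
Example written for this page; not part of RogueKiller, OTS or Avast."""
import ipaddress
import re
from pathlib import PureWindowsPath

# Names that legitimately resolve to loopback in a stock Windows hosts file.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Directories a genuine svchost.exe runs from (lower-cased for comparison).
SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed hosts excerpt modelled on the RogueKiller reports in the thread;
# the 10.0.0.5 line is a made-up legitimate entry that must not be flagged.
SAMPLE_HOSTS = """
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.facebook.com
127.0.0.1 de-de.facebook.com
10.0.0.5  intranet.example   # constructed legitimate entry
"""

# Constructed 'Bad processes' excerpt in RogueKiller's line format; the
# system32 line is made up to show a path that passes the check.
SAMPLE_PROCESSES = r"""
Bad processes: 3
[SVCHOST] svchost.exe -- c:\windows\update.5.0\svchost.exe -> KILLED
[SUSP PATH] sysdriver32.exe -- c:\windows\sysdriver32.exe -> KILLED
[SVCHOST] svchost.exe -- c:\windows\system32\svchost.exe -> KILLED
"""

PROC_LINE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+(?P<name>\S+)\s+--\s+(?P<path>.+?)\s+->\s+(?P<action>\w+)\s*$"
)


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address: junk, a BOM, or a broken line
        for name in fields[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def hijacked_hosts(text):
    """Hostnames mapped to loopback or 0.0.0.0 that are not local names.

    This is the pattern in the thread: facebook.com and friends pointed at
    127.0.0.1 so the browser can never reach the real site."""
    hits = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if (addr.is_loopback or addr.is_unspecified) and name not in LOOPBACK_OK:
            hits.append(name)
    return hits


def parse_process_lines(report):
    """Extract (image name, full path) from RogueKiller-style process lines."""
    found = []
    for line in report.splitlines():
        m = PROC_LINE.match(line.strip())
        if m:
            found.append((m.group("name").lower(), m.group("path")))
    return found


def rogue_svchost(report):
    """svchost.exe images whose parent directory is not a Windows system dir."""
    rogue = []
    for name, path in parse_process_lines(report):
        if name != "svchost.exe":
            continue
        parent = str(PureWindowsPath(path).parent).lower()
        if parent not in SVCHOST_DIRS:
            rogue.append(path)
    return rogue


if __name__ == "__main__":
    print("hijacked hosts entries:", hijacked_hosts(SAMPLE_HOSTS))
    print("svchost.exe outside system dirs:", rogue_svchost(SAMPLE_PROCESSES))
```

Point `hijacked_hosts` at the contents of C:\Windows\System32\drivers\etc\hosts and `rogue_svchost` at a saved RKreport.txt to reproduce the checks RogueKiller and the OTS custom scan performed by hand above.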
Title: Re: Avast Enhanced Protection Mode?
Post by: MissTootyJones on July 25, 2011, 10:41:58 PM
Thank you so much! Everything's working fine! Zip file and log below. :]


All Processes Killed
[Processes - Safe List]
Process svchost.exe killed successfully!
C:\Windows\update.2\svchost.exe moved successfully.
No active process named svchost.exe was found!
C:\Windows\update.1\svchost.exe moved successfully.
[Win32 Services - Safe List]
Service srvsysdriver32 stopped successfully!
Service srvsysdriver32 deleted successfully!
C:\Windows\sysdriver32.exe moved successfully.
[Registry - Safe List]
HOSTS file reset successfully!
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\14739484-loader2.exe deleted successfully.
C:\Windows\TEMP\14739484-loader2.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\388915.exe deleted successfully.
C:\Windows\TEMP\388915.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\707159.exe deleted successfully.
C:\Windows\TEMP\707159.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\7835015.exe deleted successfully.
C:\Users\Cristina\AppData\Local\Temp\7835015.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\8435151.exe deleted successfully.
C:\Windows\TEMP\8435151.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\l1rezerv.exe deleted successfully.
C:\Windows\l1rezerv.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\sysdriver32.exe deleted successfully.
File C:\Windows\sysdriver32.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\sysdriver32_.exe deleted successfully.
C:\Windows\sysdriver32_.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\systemup deleted successfully.
C:\Windows\systemup.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\tray_ico deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\tray_ico0 deleted successfully.
C:\Windows\update.tray-7-0\svchost.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\tray_ico1 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\tray_ico2 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\tray_ico3 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\tray_ico4 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\wxpdrv deleted successfully.
C:\Windows\services32.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\\AlternateShell deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\Windows\update.5.0 folder moved successfully.
C:\Windows\update.2 folder moved successfully.
C:\Windows\av_ico folder moved successfully.
C:\Windows\update.1 folder moved successfully.
C:\Windows\update.tray-7-0-lnk folder moved successfully.
C:\Windows\update.tray-7-0 folder moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\Windows\info1 moved successfully.
File C:\Windows\sysdriver32_.exe not found!
File C:\Windows\sysdriver32.exe not found!
File C:\Windows\systemup.exe not found!
C:\Windows\geoiplist.rar moved successfully.
C:\Windows\unrar.exe moved successfully.
C:\Windows\loader2.exe_ok moved successfully.
File C:\Windows\services32.exe not found!
C:\Windows\geoiplist moved successfully.
[Files - No Company Name]
File C:\Windows\systemup.exe not found!
File C:\Windows\l1rezerv.exe not found!
File C:\Windows\geoiplist not found!
File C:\Windows\geoiplist.rar not found!
File C:\Windows\unrar.exe not found!
File C:\Windows\info1 not found!
File C:\Windows\loader2.exe_ok not found!
File C:\Windows\sysdriver32_.exe not found!
File C:\Windows\sysdriver32.exe not found!
File C:\Windows\services32.exe not found!
[File - Lop Check]
C:\Users\Cristina\AppData\Roaming\com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1\Local Store\#SharedObjects\CelebAlarm.swf folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1\Local Store\#SharedObjects folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1\Local Store folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.eol.www.CelebAlarm.2B123E4CD5F151A829F44ECC827710372278488B.1 folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1\Local Store\#SharedObjects folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1\Local Store\#ApplicationUpdater folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1\Local Store folder moved successfully.
C:\Users\Cristina\AppData\Roaming\com.zoosk.Desktop.096E6A67431258A508A2446A847B240591D2C99B.1 folder moved successfully.
[Custom Scans]
File/Folder C:\Windows\update.1\svchost.exe not found.
File/Folder C:\Windows\update.tray-7-0\svchost.exe not found.
File/Folder C:\Windows\update.tray-7-0-lnk\svchost.exe not found.
File/Folder C:\Windows\update.2\svchost.exe not found.
File/Folder C:\Windows\update.5.0\svchost.exe not found.
[Custom Items]
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Cristina\Desktop\cmd.bat deleted successfully.
C:\Users\Cristina\Desktop\cmd.txt deleted successfully.
[Empty Temp Folders]
 
 
User: All Users
 
User: Cathy
 
User: Cristina
->Temp folder emptied: 244393232 bytes
->Temporary Internet Files folder emptied: 641423013 bytes
->Java cache emptied: 22912033 bytes
->Google Chrome cache emptied: 168582628 bytes
->Flash cache emptied: 2628534 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56504 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 490783749 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 147224 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 1,498.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: Cathy
 
User: Cristina
->Flash cache emptied: 0 bytes
 
User: Default
->Flash cache emptied: 0 bytes
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: Public
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 07252011_162321

Files\Folders moved on Reboot...
C:\Users\Cristina\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...
Title: Re: Avast Enhanced Protection Mode?
Post by: essexboy on July 25, 2011, 10:45:20 PM
OK got it - thanks  ;D Could you modify your post and delete the link please?

OK, a sweep for orphans next. Is Avast working OK?

Please download Malwarebytes' Anti-Malware from here: http://www.malwarebytes.org/mbam-download.php

Double-click mbam-setup.exe to install the application.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Title: Re: Avast Enhanced Protection Mode?
Post by: essexboy on July 25, 2011, 11:01:39 PM
Bugisrb fix here: http://forum.avast.com/index.php?topic=82154.new#new

Hugene fix here: http://forum.avast.com/index.php?topic=82155.new#new
Title: Re: Avast Enhanced Protection Mode?
Post by: MissTootyJones on July 25, 2011, 11:13:44 PM
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7277

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/25/2011 5:11:41 PM
mbam-log-2011-07-25 (17-11-41).txt

Scan type: Quick scan
Objects scanned: 180994
Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wxpdrivers (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvbtcclient (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\WXPDRIVERS (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpDrivers\ImagePath (Trojan.Agent) -> Value: ImagePath -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Cristina\downloads\flash-player (1).exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\Cristina\downloads\flash-player.exe (Trojan.Dropper) -> Quarantined and deleted successfully.


So am I all set now?
Title: Re: Avast Enhanced Protection Mode?
Post by: ady4um on July 25, 2011, 11:16:21 PM
I apologize for interrupting with this OT comment.

@essexboy,

You are probably "copy+paste"-ing at least some of your instructions.

If I may, at http://forum.avast.com/index.php?topic=82144.msg671104#msg671104 for example (as with other posts), you wrote (copy+paste):
Quote
To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

should be "too", not "to".

I know that for users where English is the natural language that correction is "almost" unnecessary, but it may not be such for an international forum like this. I also saw other suggestions (so to improve the correct understanding from non-English speakers), but they are more related to the specific writing style.

I just mean to help. Sorry for the OT.
Title: Re: Avast Enhanced Protection Mode?
Post by: essexboy on July 25, 2011, 11:22:34 PM
 ;D ;D ;D ;D ;D thank you for the light relief - rest assured I will amend my canned - fixt  ;D
Title: Re: Avast Enhanced Protection Mode?
Post by: essexboy on July 25, 2011, 11:25:04 PM
Sorry MissTootyJones I was distracted  ;D

Do you have any further problems ?  If not I will remove my tools
Title: Re: Avast Enhanced Protection Mode?
Post by: twothousand11 on July 26, 2011, 04:36:34 AM
Hi, I've the same problem. Only my PC is restarting automatically every 5-10 minutes.

Here's my RogueKiller:

RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: user [Admin rights]
Mode: Remove -- Date : 07/26/2011 09:56:25

Bad processes: 0

Registry Entries: 3
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

HOSTS File:
127.0.0.1       localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
[...]


Finished : << RKreport[1].txt >>
RKreport[1].txt


OTS log:

http://www.mediafire.com/?uho19bcicwmjumc

Here I attach my MBAM log too.

Hopefully you can help me, my PC is too new to format it all.
Title: Re: Avast Enhanced Protection Mode?
Post by: agerginov on July 26, 2011, 06:32:38 AM
So here are the results from the Malwarebytes

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7278

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

26.7.2011 г. 07:31:06
mbam-log-2011-07-26 (07-31-06).txt

Scan type: Quick scan
Objects scanned: 164657
Time elapsed: 2 minute(s), 49 second(s)

Memory Processes Infected: 6
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 27

Memory Processes Infected:
c:\Windows\sysdriver32.exe (Trojan.Agent) -> 1584 -> Unloaded process successfully.
c:\Windows\update.1\svchost.exe (Trojan.Dropper) -> 1976 -> Unloaded process successfully.
c:\Windows\update.2\svchost.exe (Backdoor.Agent) -> 1912 -> Unloaded process successfully.
c:\Windows\update.2\svchost.exe (Backdoor.Agent) -> 2996 -> Unloaded process successfully.
c:\Windows\update.5.0\svchost.exe (Trojan.Downloader) -> 3788 -> Unloaded process successfully.
c:\Windows\update.5.0\svchost.exe (Trojan.Downloader) -> 3880 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvsysdriver32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpdrivers (Trojan.Dropper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srviecheck (Backdoor.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvbtcclient (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wxpdrivers (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico0 (Trojan.Dropper) -> Value: tray_ico0 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpDrivers\ImagePath (Trojan.Agent) -> Value: ImagePath -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\Windows\rpcminer (Trojan.BCMiner) -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\sysdriver32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\update.1\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\update.tray-7-0\svchost.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\Temp\1837641.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\3886134.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\9013646.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Angel\downloads\flash-player.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\services32.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Windows\sysdriver32_.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\systemup.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\l1rezerv.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\update.2\svchost.exe (Backdoor.Agent) -> Quarantined and deleted successfully.
c:\Windows\update.5.0\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\bitcoinmineropencl.cl (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\bitcoinminercuda_10.cubin (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\bitcoinminercuda_11.cubin (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\bitcoinminercuda_20.cubin (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\cudart32_32_16.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\curllib.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\libeay32.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\libsasl.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\openldap.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\rpcminer-4way.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\rpcminer-cpu.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\rpcminer-cuda.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\rpcminer-opencl.exe (Trojan.BCMiner) -> Quarantined and deleted successfully.
c:\Windows\rpcminer\ssleay32.dll (Trojan.BCMiner) -> Quarantined and deleted successfully.
Title: Re: Avast Enhanced Protection Mode?
Post by: ninjaman on July 26, 2011, 07:52:34 AM
RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows 7 (6.1.7600 ) 64 bits version
Started in : Normal mode
User: jake [Admin rights]
Mode: Remove -- Date : 07/26/2011 15:46:03

Bad processes: 8
[SVCHOST] svchost.exe -- c:\windows\update.5.0\svchost.exe -> KILLED
[SUSP PATH] sysdriver32.exe -- c:\windows\sysdriver32.exe -> KILLED
[SVCHOST] svchost.exe -- c:\windows\update.2\svchost.exe -> KILLED
[SVCHOST] svchost.exe -- c:\windows\update.tray-7-0\svchost.exe -> KILLED
[SUSP PATH] sysdriver32.exe -- c:\windows\sysdriver32.exe -> KILLED
[SUSP PATH] sysdriver32_.exe -- c:\windows\sysdriver32_.exe -> KILLED
[SUSP PATH] l1rezerv.exe -- c:\windows\l1rezerv.exe -> KILLED
[SUSP PATH] systemup.exe -- c:\windows\systemup.exe -> KILLED

Registry Entries: 0

HOSTS File:
127.0.0.1       localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
[...]


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
Title: Re: Avast Enhanced Protection Mode?
Post by: zeikiya989 on July 26, 2011, 08:48:09 AM
Hi, I am having same problem:

RogueKiller V5.2.8 [07/23/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Troy & Marshe' [Admin rights]
Mode: Scan -- Date : 07/26/2011 02:33:16

Bad processes: 5
[SVCHOST] svchost.exe -- c:\windows\update.tray-7-0\svchost.exe -> KILLED
[SUSP PATH] l1rezerv.exe -- c:\windows\l1rezerv.exe -> KILLED
[SUSP PATH] systemup.exe -- c:\windows\systemup.exe -> KILLED
[SVCHOST] svchost.exe -- c:\windows\update.2\svchost.exe -> KILLED
[SUSP PATH] sysdriver32.exe -- c:\windows\sysdriver32.exe -> KILLED

Registry Entries: 17
[SUSP PATH] HKLM\[...]\Run : wxpdrv (C:\WINDOWS\services32.exe) -> FOUND
[SUSP PATH] HKLM\[...]\Run : 6602084.exe ("C:\WINDOWS\TEMP\6602084.exe") -> FOUND
[SUSP PATH] HKLM\[...]\Run : sysdriver32.exe ("C:\WINDOWS\sysdriver32.exe" rezerv) -> FOUND
[SUSP PATH] HKLM\[...]\Run : sysdriver32_.exe ("C:\WINDOWS\sysdriver32_.exe" rezerv) -> FOUND
[SUSP PATH] HKLM\[...]\Run : 871009.exe ("C:\WINDOWS\TEMP\871009.exe") -> FOUND
[SUSP PATH] HKLM\[...]\Run : 1195349.exe ("C:\WINDOWS\TEMP\1195349.exe") -> FOUND
[SUSP PATH] HKLM\[...]\Run : 8416589.exe ("C:\DOCUME~1\TROY&M~1\LOCALS~1\Temp\8416589.exe") -> FOUND
[SUSP PATH] HKLM\[...]\Run : 20451539-loader2.exe ("C:\WINDOWS\TEMP\20451539-loader2.exe") -> FOUND
[SUSP PATH] HKLM\[...]\Run : l1rezerv.exe ("C:\WINDOWS\l1rezerv.exe") -> FOUND
[SUSP PATH] HKLM\[...]\Run : systemup ("C:\WINDOWS\systemup.exe" stand) -> FOUND
[SUSP PATH] HKLM\[...]\Run : 9549859.exe ("C:\WINDOWS\TEMP\9549859.exe") -> FOUND
[SUSP PATH] CD UNINSTALL SOLUTION.job : c:\docume~1\admini~1\locals~1\temp\cdrun.exe -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

HOSTS File:
127.0.0.1       localhost
127.0.0.1 vkontakte.ru
127.0.0.1 www.vkontakte.ru
127.0.0.1 login.vk.com
127.0.0.1 vk.com
127.0.0.1 www.vk.com
127.0.0.1 odnoklassniki.ru
127.0.0.1 www.odnoklassniki.ru
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
[...]


Finished : << RKreport[1].txt >>
RKreport[1].txt




Title: Re: Avast Enhanced Protection Mode?
Post by: DavidR on July 26, 2011, 02:24:37 PM
Guys, create your own new topic and paste your logs there; don't hijack this one, making it confused and harder to help.

So please create your own new topic, here http://forum.avast.com/index.php?board=4.0 (http://forum.avast.com/index.php?board=4.0) in the viruses and worms forum and click the New topic and post your RogueKiller and OTS logs in your own new topic.
Title: Re: Avast Enhanced Protection Mode?
Post by: essexboy on July 26, 2011, 07:08:49 PM
These should start slowing down a bit now as I manage to get more samples to Avast

I will check all these new ones in their own topic please, otherwise someone will end up running the wrong fix  ;D
Title: Re: Avast Enhanced Protection Mode?
Post by: essexboy on July 26, 2011, 10:52:09 PM
A few more of my samples are now being detected - so I will delete them from my chest  ;D
Title: Re: Avast Enhanced Protection Mode?
Post by: ethan76 on July 27, 2011, 10:54:30 AM
Been reading this topic. Great work essexboy! Thanks for helping out the members! Any further tips to be safe from this malware?
Title: Re: Avast Enhanced Protection Mode?
Post by: DavidR on July 27, 2011, 03:01:40 PM
Watch out for social engineering tricks, as this one for most people came in the form of a pop-up on facebook saying you needed to update flash player.

Clicking update infected the system, so ignore these types of pop-up update warnings and don't update from the pop-up (you have no idea what the remote location behind it is); only update from the source, e.g. adobe in this case.
Title: Re: Avast Enhanced Protection Mode?
Post by: ethan76 on July 27, 2011, 05:33:10 PM
Thank you DavidR for the information. I will pass it on to other avast users especially the freeware users. I will also include this link so they will know.
Title: Re: Avast Enhanced Protection Mode?
Post by: ethan76 on July 27, 2011, 05:36:09 PM
Thank you very much DavidR for the information.
Title: Re: Avast Enhanced Protection Mode?
Post by: DavidR on July 27, 2011, 05:39:32 PM
You're welcome.

The advice is general, nothing specifically to do with avast, and it is in the company of many other AVs that got hit by this.

It is basic common sense, don't go clicking all and sundry pop-ups in your browser/s especially those offering updates or security alerts, etc. If you are told you need an update for anything, always go to the source and check if you actually need an update or visit http://secunia.com/software_inspector/ (http://secunia.com/software_inspector/) and that will scan for out of date applications, etc.
Title: Re: Avast Enhanced Protection Mode?
Post by: andres_f on July 28, 2011, 05:31:52 PM
Yep 'tis an infection

Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) to your desktop
 
  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 2 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe 

Please post the contents of the RKreport.txt in your next Reply.

THEN

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload to Mediafire (http://www.mediafire.com/) and post the sharing link.

Download OTS (http://oldtimer.geekstogo.com/OTS.exe)  to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in

%USERPROFILE%\..|smtmp;true;true;true /FP
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT


  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.


I have the same issue, but on a laptop with Windows 7, yet I cannot connect to the internet at all; if I do, my wifi router/cable modem becomes disabled.
Title: Re: Avast Enhanced Protection Mode?
Post by: DavidR on July 28, 2011, 06:12:39 PM
I have the same issue, but on a laptop with Windows 7, yet I cannot connect to the internet at all; if I do, my wifi router/cable modem becomes disabled.

How are you connecting right now ?
Use that system to download tools and get help.

But don't reply or do that in this topic - Please create your own new topic, here http://forum.avast.com/index.php?board=4.0 (http://forum.avast.com/index.php?board=4.0) in the viruses and worms forum and click the New topic button at the top of the page and we will try and help you there.
Title: Re: Avast Enhanced Protection Mode?
Post by: gyorodika on July 29, 2011, 09:29:12 AM
I found a similar problem. I did everything which you wrote and I did the OTS scan. But I don't know what the next step is. Please help me.
Facebook is blocked, but nothing else.
Title: Re: Avast Enhanced Protection Mode?
Post by: CraigB on July 29, 2011, 10:11:37 AM
I found a similar problem. I did everything which you wrote and I did the OTS scan. But I don't know what the next step is. Please help me.
Facebook is blocked, but nothing else.

As has been mentioned to so many others in this thread ( create your own topic )
Title: Re: Avast Enhanced Protection Mode?
Post by: deuceloosely on August 22, 2011, 06:39:47 AM
RogueKiller V5.3.3 [08/18/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Deuce [Admin rights]
Mode: Remove -- Date : 08/22/2011 00:00:46

Bad processes: 2
[SUSP PATH] 1030855424:4284780226.exe -- c:\windows\1030855424:4284780226.exe -> KILLED [TermProc]
[RESIDUE] 1030855424:4284780226.exe -- c:\windows\1030855424:4284780226.exe -> KILLED [TermProc]

Registry Entries: 0

Particular Files / Folders:

HOSTS File:
127.0.0.1       localhost
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
127.0.0.1 et-ee.facebook.com
127.0.0.1 en-gb.facebook.com
127.0.0.1 es-la.facebook.com
127.0.0.1 eo-eo.facebook.com
127.0.0.1 eu-es.facebook.com
127.0.0.1 tl-ph.facebook.com
127.0.0.1 fo-fo.facebook.com
[...]


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

The OTS file:
http://www.mediafire.com/?exfgjcx6bzmb9tj

I had to copy and paste it in a new document because I was getting some "common language" error when trying to save through Notepad.
Title: Re: Avast Enhanced Protection Mode?
Post by: DavidR on August 22, 2011, 12:12:00 PM
In the meantime, you could remove these entries from your HOSTS file manually.

HOSTS file redirection is a common malware tactic to block AV sites, making it difficult to remove malware; the same is true if they want to block facebook, as in your case (127.0.0.1). Check your HOSTS file using notepad or a text editor of your choice, C:\WINDOWS\system32\drivers\etc\hosts, or do a search for HOSTS to find it if it isn't there.
 
Once open, you are looking for lines containing those facebook.com entries; you can remove those lines and save the file. http://en.wikipedia.org/wiki/Hosts_file (http://en.wikipedia.org/wiki/Hosts_file)

Note, when saving the file, notepad may have a whinge as there is no file type for the HOSTS file; ensure that the file type is set to all files and it should comply with the fact it hasn't got a file type/extension. You may, depending on your OS, have the UAC have a whinge, so you may need to run that text editor (notepad, etc.) as an administrator.
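The manual check DavidR describes, as an added example that is not part of the forum thread or of any tool named in it: a small Python script that audits a HOSTS file for the pattern visible in the RogueKiller reports above (real hostnames mapped to 127.0.0.1), reports each offending line, and returns a cleaned copy that keeps the legitimate localhost entries. It goes slightly beyond the post in also treating 0.0.0.0 and ::1 as null-route targets, since those achieve the same block. The sample HOSTS content is constructed to resemble the posted logs; the names LOCAL_NAMES, parse_line, is_blackhole and audit_hosts are this example's own.

```python
"""Audit a Windows HOSTS file for null-route entries that block real hostnames.

Added example, not code from the forum thread. Run against a saved copy of
C:\\WINDOWS\\system32\\drivers\\etc\\hosts after reviewing the report; the
cleaned text is returned rather than written, so nothing is changed on disk.
"""
import ipaddress

# Hostnames that legitimately resolve to a loopback address; these are kept.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample in the shape of the logs posted above (CRLF line endings,
# tabs, comments, one legitimate LAN entry that must survive the cleanup).
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "#\r\n"
    "127.0.0.1\tlocalhost\r\n"
    "::1             localhost\r\n"
    "127.0.0.1 facebook.com\r\n"
    "127.0.0.1 www.facebook.com   # injected\r\n"
    "0.0.0.0 de-de.facebook.com\r\n"
    "192.168.1.10 printer.lan\r\n"
)


def parse_line(line):
    """Return (address, [hostnames]) for a host entry, or None for blank/comment lines."""
    body = line.split("#", 1)[0].strip()   # drop trailing comments
    parts = body.split()
    if len(parts) < 2:
        return None
    return parts[0], parts[1:]


def is_blackhole(addr):
    """True for addresses used to null-route a name: loopback (127.x, ::1) or unspecified (0.0.0.0, ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False          # not an IP at all; leave the line alone
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text):
    """Return (suspicious, cleaned_text).

    suspicious:   list of (line_number, address, hostname) for every non-local
                  hostname mapped to a blackhole address.
    cleaned_text: the input with those hostnames removed. Untouched lines are kept
                  byte for byte; a line that mixed good and bad names is rewritten
                  with only the good ones, preserving its original line ending.
    """
    suspicious = []
    kept = []
    for lineno, line in enumerate(text.splitlines(keepends=True), start=1):
        entry = parse_line(line)
        if entry is None:
            kept.append(line)
            continue
        addr, names = entry
        bad = [n for n in names
               if is_blackhole(addr) and n.lower() not in LOCAL_NAMES]
        good = [n for n in names if n not in bad]
        suspicious.extend((lineno, addr, n) for n in bad)
        if not bad:
            kept.append(line)
        elif good:
            eol = line[len(line.rstrip("\r\n")):]
            kept.append(f"{addr}\t{' '.join(good)}{eol}")
        # a line whose every name was malicious is dropped entirely
    return suspicious, "".join(kept)


if __name__ == "__main__":
    findings, cleaned = audit_hosts(SAMPLE_HOSTS)
    for lineno, addr, name in findings:
        print(f"line {lineno}: {addr} -> {name}")
    print("--- cleaned ---")
    print(cleaned, end="")
```

To use it on a real machine, read the HOSTS file with `open(path, encoding="utf-8", errors="replace").read()`, pass the text to audit_hosts, inspect the report, and only then write the cleaned text back from an elevated editor or prompt, as the post notes UAC will otherwise refuse the save.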
Title: Re: Avast Enhanced Protection Mode?
Post by: essexboy on August 22, 2011, 02:49:44 PM
The mediafire link is not working

Could you re-upload again please
Title: Re: Avast Enhanced Protection Mode?
Post by: apocalypso on August 27, 2011, 12:36:49 PM
RogueKiller V5.3.3 [08/18/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User: Jakov [Admin rights]
Mode: Remove -- Date : 08/27/2011 12:30:42

Bad processes: 0

Registry Entries: 1
[HJ NAME] HKLM\[...]\Run : tray_ico1 (C:\Windows\update.tray-8-0\svchost.exe) -> DELETED

Particular Files / Folders:

HOSTS File:
127.0.0.1       localhost
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
127.0.0.1 et-ee.facebook.com
127.0.0.1 en-gb.facebook.com
127.0.0.1 es-la.facebook.com
127.0.0.1 eo-eo.facebook.com
127.0.0.1 eu-es.facebook.com
127.0.0.1 tl-ph.facebook.com
127.0.0.1 fo-fo.facebook.com
[...]


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

Title: Re: Avast Enhanced Protection Mode?
Post by: essexboy on August 27, 2011, 02:03:17 PM
apocalypso could you start your own thread please and post an OTL log along with the symptoms you are experiencing