Avast WEBforum

Other => Viruses and worms => Topic started by: Adii Moreira on August 21, 2011, 11:21:28 PM

Title: Help ...
Post by: Adii Moreira on August 21, 2011, 11:21:28 PM
Hi. I have exactly the same problem that she had: "I can't open the Avast! user interface, can't boot in safe mode, can't access facebook.
Screencaps: http://tinypic.com/r/2itim3r/7  http://tinypic.com/r/hvwbpt/7

I'm certain this is a virus or malware or something of that sort. My sister was using facebook and clicked a link to a video that asked her to update Adobe Flash. She did, the computer restarted and then the problems began. How do I get rid of this? I'm running Malwarebytes right now to see if it'll do anything. If not, what steps should I take?" Please help =|
Title: Re: Help ...
Post by: Pondus on August 21, 2011, 11:24:35 PM
Quote
I'm running Malwarebytes right now to see if it'll do anything. If not, what steps should I take?"
That would be a good first start... hope you updated it before you started? And you only have to run a quick scan.

Post the scan log when done.

Quote
My sister was using facebook and clicked a link to a video that asked her to update Adobe Flash.
NEVER click links, videos or pics you receive on Facebook.
Title: Re:
Post by: Adii Moreira on August 21, 2011, 11:31:25 PM
Oh, I'm sorry, I copied too much; I just meant up to "How do I get rid of this?" I'm not running anything  :-X
Title: Re: Help ...
Post by: Pondus on August 21, 2011, 11:41:53 PM
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here and not in the guide )

To avoid multiple posts with copy and paste you have to attach the logs.
Lower left corner: Additional Options > Attach (Malwarebytes log / OTL log); save the OTL log as ANSI.

Essexboy will look at the logs when posted...
Title: Re: Help ...
Post by: Adii Moreira on August 21, 2011, 11:47:31 PM
Ok, sorry =)
Title: Re: Help ...
Post by: essexboy on August 21, 2011, 11:57:18 PM
Monitoring - but I am going offline shortly.  I will look tomorrow 
Title: Re: Help ...
Post by: Adii Moreira on August 22, 2011, 01:20:38 AM
Hi essexboy. I've done the same thing that you told that girl to do, so here is the RogueKiller report, and the OTS log is below.


RogueKiller V5.3.3 [08/18/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Adriana [Admin rights]
Mode: Remove -- Date : 08/01/2011 00:01:34

Bad processes: 0

Registry Entries: 5
[BLACKLIST] HKLM\[...]\Root : LEGACY_SRVBTCCLIENT () -> DELETED
[BLACKLIST] HKLM\[...]\Root : LEGACY_SRVIECHECK () -> DELETED
[BLACKLIST] HKLM\[...]\Root : LEGACY_WXPDRIVERS () -> DELETED
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:

HOSTS File:
127.0.0.1       localhost
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
127.0.0.1 et-ee.facebook.com
127.0.0.1 en-gb.facebook.com
127.0.0.1 es-la.facebook.com
127.0.0.1 eo-eo.facebook.com
127.0.0.1 eu-es.facebook.com
127.0.0.1 tl-ph.facebook.com
127.0.0.1 fo-fo.facebook.com
[...]


Finished : << RKreport[1].txt >>
RKreport[1].txt

Title: Re: Help ...
Post by: Adii Moreira on August 22, 2011, 11:41:31 AM
Can someone help? I still can't access Facebook =O
Title: Re: Help ...
Post by: Pondus on August 22, 2011, 11:48:06 AM
Quote
Can someone help? I still can't access Facebook =O
Relax... the world will not end because you are without Facebook for some hours   ;D

You have to wait for essexboy... he will be back here about 08:00 - 11:59pm UK time.

Title: Re: Help ...
Post by: DavidR on August 22, 2011, 12:38:55 PM
Quote
Can someone help? I still can't access Facebook =O

In the meantime, you could remove these entries from your HOSTS file manually.

HOSTS file redirection is a common malware tactic to block AV sites, making it difficult to remove malware; the same is true if they want to block Facebook, in your case with 127.0.0.1. Check your HOSTS file using Notepad or a text editor of your choice, C:\WINDOWS\system32\drivers\etc\hosts, or do a search for HOSTS to find it if it's not there.

Once open, you are looking for lines with those facebook.com entries on them; you can remove those lines and save the file. http://en.wikipedia.org/wiki/Hosts_file

Note, when saving the file, Notepad may have a whinge as there is no file type for the HOSTS file; ensure that the file type is set to all files and it should comply with the fact it hasn't got a file type/extension. You may, depending on your OS, have UAC have a whinge, so you may need to run that text editor (Notepad, etc.) as an administrator.
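A way to spot and strip this kind of HOSTS hijack automatically, as an added example that is not from this thread. The sample file is constructed, modelled on the RogueKiller log above (the real file had about 100,000 lines); the benign-name list is an assumption. It generalises the manual check: any name other than localhost-style names that is mapped to a loopback or unspecified (0.0.0.0) address is flagged, not only facebook.com.

```python
import ipaddress

# Constructed sample modelled on the entries in the thread's RogueKiller log.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 en-gb.facebook.com
::1             localhost
192.168.1.10    printer.local   # legitimate LAN entry, must survive
"""

# Names that legitimately map to loopback (assumed list; extend for your environment).
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (line_no, ip, names, raw) for each mapping line; comments and blanks skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        ip, *names = body.split()
        yield n, ip, names, raw

def is_sinkhole(ip):
    """True for addresses malware uses to black-hole a name: loopback or 0.0.0.0/::."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostname or garbage in the address column
        return False
    return addr.is_loopback or addr.is_unspecified

def find_hijacks(text):
    """Return [(line_no, ip, names)] for lines sending non-local names to a sinkhole."""
    return [(n, ip, names) for n, ip, names, _ in parse_hosts(text)
            if is_sinkhole(ip) and any(h.lower() not in BENIGN_NAMES for h in names)]

def clean_hosts(text):
    """Return the file with hijack lines dropped; every other line is kept verbatim."""
    bad = {n for n, _, _ in find_hijacks(text)}
    kept = [line for n, line in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for n, ip, names in find_hijacks(SAMPLE_HOSTS):
        print(f"line {n}: {ip} -> {' '.join(names)}")
    print(clean_hosts(SAMPLE_HOSTS))
```

On Windows the file lives at the path DavidR gives above and writing it back needs an administrator prompt; review the flagged lines before overwriting anything.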
Title: Re: Help ...
Post by: essexboy on August 22, 2011, 03:22:45 PM
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Processes - Safe List]
YY -> svchostdriver.exe -> C:\WINDOWS\update.7.1\svchostdriver.exe
[Win32 Services - Safe List]
YY -> (ddservice) ddservice [Auto | Running] -> C:\WINDOWS\update.7.1\svchostdriver.exe
[Registry - Safe List]
< HOSTS File > ([2011-07-31 23:03:13 | 000,202,984 | -H-- | M] - 100098 lines) -> C:\WINDOWS\system32\drivers\etc\hosts
YN -> Reset Hosts ->
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "tray_ico" -> []
YN -> "tray_ico1" -> []
YN -> "tray_ico2" -> []
YN -> "tray_ico3" -> []
YN -> "tray_ico4" -> []
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\update.1\svchost.exe" -> [C:\WINDOWS\update.1\svchost.exe:*:Enabled:C:\WINDOWS\update.1\svchost.exe]
YN -> "C:\WINDOWS\update.2\svchost.exe" -> [C:\WINDOWS\update.2\svchost.exe:*:Enabled:C:\WINDOWS\update.2\svchost.exe]
YN -> "C:\WINDOWS\update.tray-7-0\svchost.exe" -> [C:\WINDOWS\update.tray-7-0\svchost.exe:*:Enabled:C:\WINDOWS\update.tray-7-0\svchost.exe]
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
YN -> "AlternateShell" -> services32.exe
[Files/Folders - Created Within 30 Days]
NY ->  WinRAR -> C:\Documents and Settings\LocalService\Application Data\WinRAR
NY ->  ufa -> C:\WINDOWS\ufa
NY ->  phoenix -> C:\WINDOWS\phoenix
NY ->  update.7.1 -> C:\WINDOWS\update.7.1
NY ->  update.2 -> C:\WINDOWS\update.2
NY ->  update.5.0 -> C:\WINDOWS\update.5.0
NY ->  WinRAR -> C:\Documents and Settings\Adriana\Application Data\WinRAR
NY ->  av_ico -> C:\WINDOWS\av_ico
NY ->  update.1 -> C:\WINDOWS\update.1
NY ->  update.tray-7-0 -> C:\WINDOWS\update.tray-7-0
NY ->  update.tray-7-0-lnk -> C:\WINDOWS\update.tray-7-0-lnk
NY ->  gPotato -> C:\Documents and Settings\All Users\Menu Iniciar\Programas\gPotato
NY ->  gPotato -> C:\gPotato
[Files/Folders - Modified Within 30 Days]
NY ->  info1 -> C:\WINDOWS\info1
NY ->  phoenix.rar -> C:\WINDOWS\phoenix.rar
NY ->  unrar.exe -> C:\WINDOWS\unrar.exe
NY ->  ufa.rar -> C:\WINDOWS\ufa.rar
NY ->  rpcminer.rar -> C:\WINDOWS\rpcminer.rar
NY ->  geoiplist.rar -> C:\WINDOWS\geoiplist.rar
[Files - No Company Name]
NY ->  loader2.exe_ok -> C:\WINDOWS\loader2.exe_ok
NY ->  phoenix.rar -> C:\WINDOWS\phoenix.rar
NY ->  rpcminer.rar -> C:\WINDOWS\rpcminer.rar
NY ->  info1 -> C:\WINDOWS\info1
NY ->  geoiplist -> C:\WINDOWS\geoiplist
NY ->  geoiplist.rar -> C:\WINDOWS\geoiplist.rar
NY ->  unrar.exe -> C:\WINDOWS\unrar.exe
[Custom Scans]
YY ->  svchost.exe : MD5=B8F3E2AEE9E0D7BCA1691165B5A2EBA1 -> C:\WINDOWS\update.tray-7-0-lnk\svchost.exe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Custom Items]
:files
ipconfig /flushdns /c
:end

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start the scan.

(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/essexboy-1-1.gif)

On completion of the scan click save log, save it to your desktop and post in your next reply

(http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif)
Title: Re: Help ...
Post by: Adii Moreira on August 22, 2011, 03:59:33 PM
The aswMBR just stopped at that point =| It doesn't say: Scan finished successfully ...
Title: Re: Help ...
Post by: Adii Moreira on August 22, 2011, 04:01:03 PM
Oops, it does now LOL, it wasn't finished =P
Title: Re: Help ...
Post by: essexboy on August 22, 2011, 04:02:46 PM
What are your current problems ?

Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php)
 
Double Click mbam-setup.exe to install the application.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Title: Re: Help ...
Post by: Adii Moreira on August 22, 2011, 04:17:06 PM
I don't know if there is still any problem lol, I already can go to Facebook, yeehay =D Thank you so much ;D I'm running Malwarebytes right now, I'll send you the report when finished.
Title: Re: Help ...
Post by: essexboy on August 22, 2011, 04:20:35 PM
Be careful on Facebook - do not accept any Flash updates from there.
Title: Re: Help ...
Post by: Adii Moreira on August 22, 2011, 04:25:26 PM
Oh, I really will not do that again  ;D Do you understand what the report says? It's written in Portuguese ...
Title: Re: Help ...
Post by: essexboy on August 22, 2011, 04:38:34 PM
Quote
Processos de memória infectados: 0
módulos de Memória infectados: 0
Chaves do Registo Infectadas: 0
Valores do Registo infectados: 0
Itens de dados do Registo Infectados: 0
Pastas Infectadas: 0
Ficheiros Infectados: 0
That says it all  ;D

Any further problems ? If not then let me know tomorrow and I will remove my tools
Title: Re: Help ...
Post by: Adii Moreira on August 22, 2011, 04:43:06 PM
Nope, I believe that problem was enough =D  I thought that thing was gonna mess up my PC ... well, thank you so much  ;)
Title: Re: Help ...
Post by: essexboy on August 22, 2011, 05:08:12 PM
My pleasure, if all is well tomorrow I will remove my tools and tidy you up
Title: Re: Help ...
Post by: Adii Moreira on August 24, 2011, 11:12:44 PM
Everything is working fine =D I'm glad you guys exist xD
Title: Re: Help ...
Post by: essexboy on August 24, 2011, 11:20:58 PM
Subject to no further problems   :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ClearAllRestorePoints]
[Custom Items]
:files
ipconfig /flushdns /c
:end


We will now confirm that your hidden files are set to that, as some of the tools I use will change that.

Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes (http://www.malwarebytes.org/mbam-download.php).

Update and run weekly to keep your system clean

Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti-virus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide: How did I get infected in the first place? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)

Keep safe  :wave: