Avast WEBforum
Other => Viruses and worms => Topic started by: Wayno11 on June 08, 2012, 03:32:21 AM
-
I recently reinstalled Avast after a failed experiment with McAfee. Now Avast has found a problem with SHCHost.exe that is causing the Malicious URL popup to come up constantly. I have attached the rquired files. I apologize ahead of time for doing attachemtns, but my files went over the 10000 character limit, even if I try to break it down in to seperate posts.
-
I apologize ahead of time for doing attachemtns,
that is what you are suppose to do.....attach
also attach a malwarebytes quick scan log......make sure MBAM is updated beforew you scan
-
I have the same malware on my computer an can not get rid of it? I did not see a fix on this post?
-
I have the same malware on my computer an can not get rid of it? I did not see a fix on this post?
Start a new topic and attach your logs.
-
@ Wayno11 you have a failed zero access installation on the system so lets kill it
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL
(http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg)
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (.mrxsmb)
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (.i8042prt)
O2 - BHO: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKU\S-1-5-21-1547161642-1647877149-839522115-1004\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-1547161642-1647877149-839522115-1004\..\Toolbar\WebBrowser: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - No CLSID value found.
O3 - HKU\S-1-5-21-1547161642-1647877149-839522115-1004\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKU\.DEFAULT..\Run: [Apple] C:\Documents and Settings\Wayne and Marge\Local Settings\Application Data\Apple Computer\Apple\bjvavobwb.dll ()
O4 - HKU\S-1-5-18..\Run: [Apple] C:\Documents and Settings\Wayne and Marge\Local Settings\Application Data\Apple Computer\Apple\bjvavobwb.dll ()
O4 - HKU\S-1-5-19..\Run: [Apple] C:\Documents and Settings\Wayne and Marge\Local Settings\Application Data\Apple Computer\Apple\bjvavobwb.dll ()
O4 - HKU\S-1-5-20..\Run: [Apple] C:\Documents and Settings\Wayne and Marge\Local Settings\Application Data\Apple Computer\Apple\bjvavobwb.dll ()
O4 - HKU\S-1-5-21-1547161642-1647877149-839522115-1004..\Run: [Apple] C:\Documents and Settings\Wayne and Marge\Local Settings\Application Data\Apple Computer\Apple\bjvavobwb.dll ()
O33 - MountPoints2\{1cbd9bd0-b399-11de-a4f2-806d6172696f}\Shell\AutoRun\command - "" = G:\Info.exe folder.htt 480 480
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
- Allow the installation of the recovery console
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.[/b]
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
-
Ok here is the most recent scan, with the most recent updates, from Malwarebytes. Thank you
-
essexboy,
I did everything you suggested, and I am attaching the newest otl scan. However, Combofix needed to download Recovery, and it is stuck at 22.7% download. You said not to rerun it without reposting, so I am doing so. Thanks
-
OK lets try the manual installation, if this should fail then run combofix without the recovery console
Go to Microsoft's website => http://support.microsoft.com/kb/310994 (http://support.microsoft.com/kb/310994)
Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.
Note: If you have SP3, use the SP2 package.
---------------------------------------------------------------------
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
(http://img.photobucket.com/albums/v666/sUBs/RC1-4.gif)
- Drag the setup package onto ComboFix.exe and drop it.
- Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
(http://img.photobucket.com/albums/v706/ried7/whatnext.png)
- At the next prompt, click 'Yes' to run the full ComboFix scan.
- When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.
-
Ok got it to work. Here is the combofix.txt file.
-
That killed it ;D
How is the computer behaving now ?
-
Still getting the pop up I'm afraid, although about half as frequently. And my web browser is not 100% right. I seem to be missing a lot of icons and tabs on my web pages, especially games on Facebook. One game I can not even play.
-
Could you delete your current copy of OTL please and download a fresh copy
Also could you post a screenshot of the popup
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.exe
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open one notepad window.
- Attach that log
-
Ok. I downloaded OTL again and here is the new log.
-
After the reboot from this fix could you check for alerts please
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL
(http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg)
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2011/12/04 18:01:54 | 000,000,469 | ---- | C] () -- C:\Program Files\1204201117015432.bat
[2011/11/09 10:14:22 | 000,002,048 | -HS- | C] () -- C:\Documents and Settings\Wayne and Marge\Local Settings\Application Data\075d3cf2\@
[2011/11/20 15:15:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\58CF0
[2008/12/06 23:44:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\Artogon
[2011/11/20 14:39:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\AS2ibD3pn5Q6W8R
[2011/11/20 14:37:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\avD3onG4aH
[2011/11/08 14:17:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\Awem
[2011/11/20 15:19:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\BaQH6dWK7R9TqUe
[2011/11/20 14:23:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\gqjYCekIVzN
[2011/11/20 14:25:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\I3onG4aQHsKfLgX
[2011/11/20 14:23:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\N6dEK8fRZhXjVlB
[2011/11/20 15:24:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\NK7fRL9gTqUeIrP
[2011/11/20 14:23:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\nYCwkUVrlNx0c2b
[2011/11/20 14:39:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\OL8gRZqhYwUrOtP
[2011/11/20 14:25:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\QF4pmH5sQ7E
[2011/11/20 14:23:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\qSibFmG5a
[2011/11/20 14:37:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\thYXwjUVeOtPy
[2011/11/20 15:19:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\xIBrzPNyc1v2n4
[2011/11/20 15:24:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Wayne and Marge\Application Data\Y3onG4aQHs
:Files
ipconfig /flushdns /c
C:\Documents and Settings\Wayne and Marge\Local Settings\Application Data\075d3cf2
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Ok, I have attached two files. One is the file created after running RUN FIX and rebooting. The other is the OTL log after running QUICK SCAN.
-
That looks good, any remaining problems ?
-
Oh yes. Still have the pop up, and IE has "red X's" all over the place. And I can't play games on Facebook.
-
Could you attach a screenshot of the popup please
Download the latest version of TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
- Doubleclick on TDSSKiller.exe to run the application
(http://dl.dropbox.com/u/73555776/TDSSFront.JPG)
- Then click on Change parameters.
(http://dl.dropbox.com/u/73555776/TDSSConfig.JPG)
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
(http://dl.dropbox.com/u/73555776/TDSSFound.JPG)
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
(http://dl.dropbox.com/u/73555776/TDSSEnd.JPG)
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
-
.
-
Here are the two screen shots. One is the pop up, the other is the TDSS report. The pop up seems to have gone away since running TDSS, but I still have red X's and can't play games. I have updated both Shockwave and Flash player but they did not help.
-
Could you run TDSSKiller again please and attach the report
-
For some reason I can not copy/paste the report that is generated by TDSSKiller. In fact, right clicking the mouse gives me no pop up box to work with.
-
Could you just attach the log please
-
That's what I'm saying, I can't copy and save it to Notepad. I can hi light the log, but when I right-click my mouse I get no pop up block to work with. Does the file save some where on my PC? In a file somewhere?
-
TDSSKiller logs should be in your root directory i.e. C:\
-
Ahh thank you very much. Here you go.
-
Rerun TDSSKiller with the same parameters and when you get the following select delete :
\Device\Harddisk0\DR0 ( TDSS File System )
Once done we will look at the remaining problems
-
Ok Done here is the new report if you need it.
-
Ok list the remaining problems to be resolved ;D
-
The only remaining problem is the internet. I still have red X's and can not play games on Facebook, which I assume are related. It happened after running one of the programs during this fix, but I do not recall which one. It was near the beginning of the fix, possibly after running OTL for the first or second time. I have reinstalled Shockwave and Flash Player, but this did not help.
-
OK for flash .. We will do a full uninstal and then reinstal
Download and run the uninstaller from here http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html
Then download the latest version from here http://get.adobe.com/flashplayer/
Uninstall Shockwave Player 10 via the Control Panel.
Go to Add/Remove programs, and choose Macromedia or Adobe Shockwave Player.
Download the latest version from here http://www.adobe.com/products/shockwaveplayer/
Now let me know if the problem is cured
-
Well I tried a couple of things and still no luck. First I unistalled both and then reinstalled, without a reboot. The I rebooted after uninstalling, and reinstalling. I also added a macromedia from Adobe that appeared to not be working on my system. None of this helped. I still have red X's and no games playable. I also unistalled Java and reinstalled a newer version.
-
Is this in IE ?
If so go to control panel > Internet Options
Go to the Advanced tab
Click reset to default
Reboot the computer and try again
-
Yes it is IE. I did as suggested, but still no changes.
-
Looks like I may need to do a bit of research on this one, bear with me
-
Ok thank you. I have done a bit of research on the net about this, and read quite a few times that this may be virus/malware related. When I ran TDSSKiller, there were about 14 errors found, and we repaired one of them. Could this issue be related to one of the other errors found? Should I delete those other errors?
-
I did some research on my own, and found that uninstalling IE8 and reinstalling it was a potential fix. I did this and everything seems to be working fine now. The pop up is gone, the red X's are gone, and my games work. THANK YOU SO MUCH FOR YOUR HELP!!!!!!
-
OK you beat me to that one, ;D The other files noted by TDSSKiller are not a threat. It sounds as though there may have been a corruption within IE
Any further problems ?
-
Nothing so far, after a couple of days of being fixed. Your thoughts on IE being corrupted makes sense as my web browsing has acted up recently. It was slow and had other various issues from time to time. Thank you again for your help. I'm pretty computer savy, and I was lost as to what to do to fix this.
-
No problem, a fresh set of eyes can help to see the wood for the trees ;D