Author Topic: Web and Mail Shield won't start  (Read 22020 times)


shaolindan

  • Guest
Web and Mail Shield won't start
« on: August 14, 2012, 02:41:25 PM »
I have a friend with a PC running Windows XP Service Pack 3 that started going to some weird sites on IE. It had MSE running, which then stated that it was switched off and wouldn't start again. So I uninstalled it and put Avast Free on. I also put on SUPERAntiSpyware and Malwarebytes Anti-Malware. All 3 scanned and found various things (spyware first, Avast second, malware third). Avast then scanned again and did a boot-time scan which found and quarantined about 30 things, which I then cleared out. Now Chrome started to behave strangely and IE now wouldn't load any pages. So I did another set of scans which finished with a boot-time Avast scan - now Avast says Web Shield and Mail Shield are switched off - 'Fix now' and 'Turn on' have no effect.
I have tried Kaspersky TDSSKiller, Avast Anti-Rootkit and GMER (locked files are sptd.sys and safeboot.sys).
No joy. Tried re-installing MSE - won't connect to the net for updates - so won't work - won't scan as the service isn't installed (now uninstalled again).

I suspect this PC has quite a devious rootkit/trojan/malware combo. Can anyone help?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Web and Mail Shield won't start
« Reply #1 on: August 14, 2012, 02:59:41 PM »
When you suspect something like a rootkit, you have to exercise extreme caution, as incorrect removal of malware found can have serious consequences. The more anti-virus applications you install, the more likely you are going to have conflict issues; even after removal there may be remnants.

The problem with the mail and web shields could be one or it could be your firewall blocking avastSvc.exe. What is the firewall on this XP system?

Uninstall possible remnants of previously installed AVs, see http://singularlabs.com/uninstallers/security-software/; this has a collection of manufacturers' removal tools, so that should remove any remnants, registry, etc.

####
This probably needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

shaolindan

  • Guest
Re: Web and Mail Shield won't start
« Reply #2 on: August 14, 2012, 05:35:40 PM »
Windows firewall won't start. There isn't a firewall on the router. Avast did work previously on this computer on this network.
Here are the logs from the last few days from mbam, aswmbr and otl. I will also post again in a minute with the anti spyware logs.

A new symptom - outlook won't start.

So I have now disabled the network.


shaolindan

  • Guest
Re: Web and Mail Shield won't start
« Reply #3 on: August 14, 2012, 05:38:55 PM »
Here are the super anti-spyware logs.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Web and Mail Shield won't start
« Reply #4 on: August 14, 2012, 05:53:35 PM »
A malware removal specialist has been informed of your topic.

Please just stick to the scans requested in the "information on Logs to assist in cleaning malware" topic or those requested by the malware removal specialist.

shaolindan

  • Guest
Re: Web and Mail Shield won't start
« Reply #5 on: August 14, 2012, 06:04:26 PM »
I thought they would be of interest as they do list 1067 files found - mostly cookies but some trojans which were removed.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Web and Mail Shield won't start
« Reply #6 on: August 14, 2012, 06:14:46 PM »
Cookies are not a security issue; you should block third-party cookies in your browser and periodically clear your cookies. Browser settings can be set to clear history/cookies/cache on closing the browser. That, however, means some sites that require cookies to remember your settings etc. won't remember them.

shaolindan

  • Guest
Re: Web and Mail Shield won't start
« Reply #7 on: August 15, 2012, 10:34:41 AM »
Any help, chaps?

shaolindan

  • Guest
Re: Web and Mail Shield won't start
« Reply #8 on: August 15, 2012, 02:32:57 PM »
Now Outlook won't start. Turned the network adaptor back on - but it won't connect to the internet anymore. When I hit 'repair' in the adaptor it says can't access TCP/IP stack.

Ran MBAM in safe mode - found nothing... :-\

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Web and Mail Shield won't start
« Reply #9 on: August 15, 2012, 03:10:32 PM »
You'll need to wait for one of the specialists.  :)



Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Web and Mail Shield won't start
« Reply #10 on: August 15, 2012, 03:17:31 PM »
The malware removal specialists are volunteers and have other commitments too (work), so in that limited time they can be very busy at times.

As irksome as it is, there will be delays due to differing time zones and availability of the volunteer malware removal specialists.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Web and Mail Shield won't start
« Reply #11 on: August 15, 2012, 04:11:14 PM »
Hi there, we have a nice assortment here of various rootkits and trojans.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    Quote
    :OTL
    SRV - File not found [On_Demand | Stopped] -- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0HTBB6X5\B-Service.exe -- (B-Service)
    SRV - File not found [Auto | Stopped] -- C:\windows\TEMP\ayvirrdbup.exe service -- (0040331241683126mcinstcleanupAlerter)
    SRV - File not found [Auto | Stopped] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\004033~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -- (0040331241683126mcinstcleanup)
    SRV - [2012/06/06 09:16:00 | 000,185,856 | ---- | M] () [Auto | Running] -- C:\Program Files\Web Assistant\ExtensionUpdaterService.exe -- (Web Assistant Updater)
    DRV - File not found [Kernel | Auto | Stopped] -- C:\windows\system32\drivers\yfxsjiq.sys -- (tdpqhhzhczmx)
    DRV - File not found [Kernel | System | Stopped] -- system32\rbadma.sys -- (rbadma)
    DRV - File not found [Kernel | System | Stopped] -- C:\windows\system32\drivers\ilnqjbvl.sys -- (ilnqjbvl)
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox [2012/07/06 11:33:26 | 000,000,000 | ---D | M]
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\Web Assistant\Extension32.dll ()
    O2 - BHO: (CescrtHlpr Object) - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files\facemoods.com\facemoods\1.4.17.2\bh\facemoods.dll File not found
    O3 - HKLM\..\Toolbar: (facemoods Toolbar) - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.4.17.2\facemoodsTlbr.dll File not found
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-3155757178-1639063472-2327323849-500\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O4 - HKLM..\Run: [facemoods] "C:\Program Files\facemoods.com\facemoods\1.4.17.2\facemoodssrv.exe" /md I File not found
    O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\tbhcn.lnk = C:\Documents and Settings\Administrator\Application Data\BrowserCompanion\tbhcn.exe ()

    :Reg
    [HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
    ""="%systemroot%\system32\wbem\wbemess.dll"
    [-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]

    :Files
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd
    C:\Program Files\facemoods.com
    C:\Program Files\Web Assistant
    C:\Documents and Settings\Administrator\Application Data\BrowserCompanion
    C:\windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    C:\Documents and Settings\LocalService\Local Settings\Application Data\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    ipconfig /flushdns /c
    netsh int ip reset c:\resetlog.txt  /c
    ipconfig /release /c
    ipconfig /renew /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • Allow the installation of the recovery console
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

NEXT

Right click the link below and select Save As... to your desktop
https://dl.dropbox.com/u/73555776/BITSxp.reg
Double click the reg file and allow to merge
Reboot

FINALLY

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete



Once done it will ask to reboot, allow this
On reboot a log will be produced please attach that
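
The SRV/DRV lines in the fix above are what a reviewer reads first in an OTL log. As an added example (not part of the original post and not OTL's own code), this sketch triages such lines for service and driver registrations whose binary is missing or sits in a temp directory; the field layout is an assumption inferred from the lines quoted on this page, and `triage` is a hypothetical name.

```python
import re

# Constructed sample: SRV/DRV lines copied from the fix quoted in the post above.
SAMPLE_LOG = r"""
SRV - File not found [On_Demand | Stopped] -- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0HTBB6X5\B-Service.exe -- (B-Service)
SRV - File not found [Auto | Stopped] -- C:\windows\TEMP\ayvirrdbup.exe service -- (0040331241683126mcinstcleanupAlerter)
SRV - [2012/06/06 09:16:00 | 000,185,856 | ---- | M] () [Auto | Running] -- C:\Program Files\Web Assistant\ExtensionUpdaterService.exe -- (Web Assistant Updater)
DRV - File not found [Kernel | Auto | Stopped] -- C:\windows\system32\drivers\yfxsjiq.sys -- (tdpqhhzhczmx)
DRV - File not found [Kernel | System | Stopped] -- system32\rbadma.sys -- (rbadma)
"""

# Assumed layout: KIND - <file info> [<start/state fields>] -- <image path> -- (<name>)
LINE_RE = re.compile(r"^(SRV|DRV) - (.*?)\[([^\]]*)\] -- (.*) -- \((.*)\)$")
# Directories that legitimate services and drivers rarely load from.
TEMP_RE = re.compile(r"\\(temp|temporary internet files)\\", re.IGNORECASE)


def triage(log_text):
    """Return SRV/DRV entries worth a closer look, with the reasons for each."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or a section this sketch does not parse
        kind, info, state, path, name = m.groups()
        fields = [f.strip() for f in state.split("|")]
        reasons = []
        if "File not found" in info:
            # Registration survives but the binary is gone (orphaned entry).
            reasons.append("missing-binary")
        if TEMP_RE.search(path):
            reasons.append("temp-path")
        if reasons and "Auto" in fields:
            # Windows will try to start this entry at every boot.
            reasons.append("auto-start")
        if reasons:
            findings.append({"kind": kind, "name": name,
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f["name"], ",".join(f["reasons"]))
```

The Web Assistant service is not flagged because its binary exists in Program Files; entries like that still need a human reviewer, as in the fix above.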

shaolindan

  • Guest
Re: Web and Mail Shield won't start
« Reply #12 on: August 16, 2012, 10:08:20 AM »
OTL stops at 'Killing Processes - Don't interrupt' and just sits there. I left it over night.

Should I uninstall MBAM first?

I only ask that as if I go through task manager and start killing processes, when I kill MBAM - the mouse still works but you can't click on anything or get any response from the keyboard. Maybe this is what is happening when OTL stops MBAM???!?

shaolindan

  • Guest
Re: Web and Mail Shield won't start
« Reply #13 on: August 16, 2012, 11:41:31 AM »
OK. It looks like it was MBAM as once I uninstalled it and rebooted - OTL ran fine.

I have attached the log files.

Computer seems a lot faster now and the browsers pop up without incident.

However a) Outlook still won't start - I get a window that says "Cannot start Office Outlook. Cannot open the Outlook Window. The set of folders cannot be opened. The information store could not be opened."

b) I've reinstalled Avast - Network, Mail and Web Shield will not start.


shaolindan

  • Guest
Re: Web and Mail Shield won't start
« Reply #14 on: August 16, 2012, 11:46:06 AM »
Combo fix log broken into two parts...