Author Topic: flices.biz/gate.php  (Read 23188 times)


burnside

  • Guest
flices.biz/gate.php
« on: August 15, 2012, 06:37:12 PM »
Avast has been flashing up warnings of malware with the name flices.biz/gate.php.

I have no idea if it is related but when logging into my bank account I was redirected to another site and asked for my mobile number.  My account is now locked.

On ebay, my computer was not recognised.

On Facebook, I was asked to verify my account by giving my credit card details (!)

I have updated Avast and run scans but nothing comes up

I have run Malwarebytes and still nothing.

I have no idea what is going on or what to do.

Please can someone suggest something?

Many thanks


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33895
  • malware fighter
Re: flices.biz/gate.php
« Reply #1 on: August 15, 2012, 08:41:46 PM »
Well, I would go for a check-up made by our qualified removal experts, because gate.php could mean Zeusbot, Citadel and maybe you have run into a banking trojan infection of some sort. The latest versions of SpyZeus reconstruct the admin panel, and further differentiate the admin panel files from the Command and Control gate PHP file.
So follow the instructions given up here: http://forum.avast.com/index.php?topic=53253.0
After posting the logs attached, one of our qualified malware removal experts will have a look; I will inform them to come and monitor your thread.
We'll be sure to sort this out for you, don't worry,

polonus
« Last Edit: August 15, 2012, 08:45:45 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

burnside

  • Guest
Re: flices.biz/gate.php
« Reply #2 on: August 15, 2012, 10:45:18 PM »
Many thanks for your reply.  I hope I have attached all the correct logs in the correct manner.

I am struggling after a long day of trying to find a solution.  It is not possible to access google so am having to use safe mode.


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: flices.biz/gate.php
« Reply #3 on: August 15, 2012, 10:59:53 PM »
OK, let's kill this darned thing

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
    O4 - HKU\S-1-5-21-3153830845-674630560-2875946465-1005..\Run: [Gafoas] C:\Documents and Settings\Tricia\Application Data\Cyyz\ruvee.exe ()
    [2012/08/14 23:17:09 | 000,489,472 | ---- | C] (Andrew Zhezherun) -- C:\Documents and Settings\Tricia\Application Data\larat.dll
    [2012/08/14 23:16:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tricia\Application Data\Oqkia
    [2012/08/14 23:16:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tricia\Application Data\Zaqu
    [2012/08/14 23:16:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tricia\Application Data\Cyyz
    [2012/07/28 22:52:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tricia\Application Data\Viek
    [2012/07/28 22:52:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tricia\Application Data\Iqococ
    [2012/07/28 22:52:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Tricia\Application Data\Adqu
    [2012/08/14 23:15:14 | 000,169,984 | -HS- | M] () -- C:\Documents and Settings\Tricia\Application Data\bspse.dll

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.

FINALLY

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

burnside

  • Guest
Re: flices.biz/gate.php
« Reply #4 on: August 16, 2012, 12:25:41 AM »
Many thanks!

I had started a reply but PC froze during the Combofix scan (no, I did not touch anything) and I had to switch off.  System recovery took ages and then this came up

RUNDLL
Error loading C:Documents and settings\Tricia\Application Data\bspse.dll
The specified module could not be found

Also, TDSSKiller found 17 threats but I could not find a way to copy the report - right clicked, tried to copy and paste - but nothing would work.

It is very late here in wet and windy Scotland so I had better stop for now and look at it all again when I am feeling more alert.

I look forward to more instructions re Combofix.

Many thanks, once again

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33895
  • malware fighter
Re: flices.biz/gate.php
« Reply #5 on: August 16, 2012, 12:55:18 AM »
Hi burnside,

"Haste ye back",

polonus

burnside

  • Guest
Re: flices.biz/gate.php
« Reply #6 on: August 16, 2012, 11:15:20 AM »
Okay - this morning I am still receiving the warning -

RUNDLL
Error loading C:Documents and settings\Tricia\Application Data\bspse.dll
The specified module could not be found

Can you tell me how to fix this?

I have worked out how to copy and paste a TDSSKiller report - should I run the programme again?

What should I do re ComboFix?

Is the problem fixed?  I managed to logon on to something today with no problem but am wary of accessing bank accounts and online client files.

So far, today, no Url:Mal from Avast.

Can anyone enlighten me as to how I managed to acquire the problem - Win32:Zeroot -B?  I have fully paid up Avast and Malwarebytes but neither of them flagged up the culprit.

How do I avoid "receiving" this problem again?

Apologies for all the questions and for being such a dunce.  Wish I had the time to learn how to do all this for myself and am in awe of you!

BW


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89015
  • No support PMs thanks
Re: flices.biz/gate.php
« Reply #7 on: August 16, 2012, 01:21:12 PM »
The error is most likely generated because there is a registry entry (or other command) trying to register the bspse.dll file. This dll file in that location I would say is highly suspect (plus zero hits on a google search for this file, other than this topic) and has probably been removed, but the orphan registry entry/command is still trying to register it, so you get this error.

Essexboy will be on-line later this afternoon (now 12:20pm in the UK) after work, so until then you have my best guess on why you are getting the error.
« Last Edit: August 16, 2012, 01:38:48 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

burnside

  • Guest
Re: flices.biz/gate.php
« Reply #8 on: August 16, 2012, 01:26:46 PM »
Thanks for this suggestion.  I think I understand and hope that we can sort it.

Meantime, I have rerun TDSSKiller (now 18 threats) and have attached the report.

Meant to say last night that there was no option to "cure" so just skipped.


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: flices.biz/gate.php
« Reply #9 on: August 16, 2012, 04:16:31 PM »
That was my fault, I missed out the run key for the bad boy

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKLM..\Run: [bspse] C:\Documents and Settings\Tricia\Application Data\bspse.dll ()
    O4 - HKCU..\Run: [Gafoas] "C:\Documents and Settings\Tricia\Application Data\Cyyz\ruvee.exe" File not found
    O4 - HKLM..\Run: [bspse] rundll32.exe "C:\Documents and Settings\Tricia\Application Data\bspse.dll",SwapMultiple File not found

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Please re-run Combofix, from safe mode if necessary
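
DavidR's explanation above (a Run key that still points at a removed file throws the RUNDLL "could not be found" error at logon) and the HKLM run key missed in the first fix can both be checked mechanically from an OTL log. The script below is an added example, not part of this thread or of OTL: it parses O4 lines in OTL's format (the sample lines are copied from the two fixes above), extracts the target path, and labels each entry orphaned (OTL's own "File not found" marker), suspicious (an autorun binary under a user profile's Application Data folder, a placement heuristic that is my assumption), or ok.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample input: the O4 autorun lines from the two OTL fixes posted in this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKU\S-1-5-21-3153830845-674630560-2875946465-1005..\Run: [Gafoas] C:\Documents and Settings\Tricia\Application Data\Cyyz\ruvee.exe ()',
    r'O4 - HKLM..\Run: [bspse] C:\Documents and Settings\Tricia\Application Data\bspse.dll ()',
    r'O4 - HKCU..\Run: [Gafoas] "C:\Documents and Settings\Tricia\Application Data\Cyyz\ruvee.exe" File not found',
    r'O4 - HKLM..\Run: [bspse] rundll32.exe "C:\Documents and Settings\Tricia\Application Data\bspse.dll",SwapMultiple File not found',
]
# O4 line layout as OTL prints it: "O4 - <hive>..\Run: [<value name>] <command> <status>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# First drive-letter path ending in .exe/.dll inside the command (also covers rundll32 "path",Export)
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll)', re.IGNORECASE)
# Heuristic (my assumption): autorun binaries under a user's profile data folder deserve a look
USER_DATA_DIRS = ('\\application data\\', '\\appdata\\')

@dataclass
class AutorunFinding:
    hive: str
    name: str
    target: str
    file_present: bool

    @property
    def verdict(self) -> str:
        if not self.file_present:
            return 'orphaned'    # key still loads a file that is gone: the RUNDLL "could not be found" error
        if any(d in self.target.lower() for d in USER_DATA_DIRS):
            return 'suspicious'  # present, but started from a user-writable data directory
        return 'ok'

def parse_o4(line: str) -> Optional[AutorunFinding]:
    """Parse one OTL O4 line; returns None for lines of any other type (O2, file listings, ...)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd')
    path = PATH_RE.search(cmd)
    # OTL appends "File not found" when the target is missing; otherwise "(<company>)" or "()"
    return AutorunFinding(m.group('hive'), m.group('name'),
                          path.group(0) if path else cmd,
                          not cmd.endswith('File not found'))

def triage(lines: List[str]) -> List[AutorunFinding]:
    return [f for f in map(parse_o4, lines) if f is not None]

def orphaned_targets(lines: List[str]) -> List[str]:
    """Paths that Run keys still reference but that no longer exist (candidates for the next fix)."""
    return sorted({f.target for f in triage(lines) if f.verdict == 'orphaned'})
```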

burnside

  • Guest
Re: flices.biz/gate.php
« Reply #10 on: August 16, 2012, 06:54:02 PM »
Thank you for coming back to help me.  Why is nothing simple?  I have rerun OTL and have attached the log.

Then I reran Combofix in safe mode.  The first hurdle was

'Microsoft Windows recovery console not installed.  Combofix wants to download/install'

Then

'failed to download required files.  Aborting ....  Shall continue scanning for malware'

The Autoscan then ran and I left it for over an hour but nothing happened.  The whole system froze; even the clock had stopped.  So.....what am I doing wrong?  Do I have a major problem here?

On the plus side - no Avast popups today.

Once again, I will wait for your assistance.


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: flices.biz/gate.php
« Reply #11 on: August 16, 2012, 07:30:39 PM »
OK, let's try a different programme if Combofix is playing hard to get

  • Download RogueKiller and save it on your desktop
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on the ShortcutsFix
  • The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.

burnside

  • Guest
Re: flices.biz/gate.php
« Reply #12 on: August 16, 2012, 10:29:10 PM »
I am sooo pleased that you know what you are doing!  This is scary stuff - all the deleting and not knowing what is happening!

I have attached 3 reports and await your response.

I am extremely grateful to you for all this assistance.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33895
  • malware fighter
Re: flices.biz/gate.php
« Reply #13 on: August 16, 2012, 11:33:05 PM »
Hi burnside,

Yes, essexboy knows what he is doing where malware cleansing is concerned. With him you are in the best of hands,

polonus

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: flices.biz/gate.php
« Reply #14 on: August 17, 2012, 12:18:48 AM »
OK, we will need to move outside of Windows now, as there is the possibility of a file infector that we need to check out

Please download the following programmes to your desktop:

Dr Web Live CD

ImgBurn

Install IMGBurn
  • Double click Dr Web
  • IMGBurn will open
  • Burn the ISO to a cd
  • Reboot the infected computer with the CD in the drive
  • Ensure that the first boot device is CD - If you are not sure about that then see this page for instructions
  • As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.
  • Use arrow keys to select DrWeb-LiveCD (Default)
  • When the system is loaded, check the disks or folders you want to scan, and click on “Start”.
  • The programme will now scan for and cure/delete any malware that it finds. Allow it to do so
  • Once completed reboot to normal windows
  • No log is produced so once in normal windows run a fresh OTL scan and let me know if the problems persist