Author Topic: Unending problems  (Read 16975 times)


Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Unending problems
« Reply #15 on: February 01, 2013, 12:16:28 AM »
If you get a chance, next time take a screenshot of the message that avast pops up.

Step#1
Download this file:
http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE

Double-click the file to run it. When the tool completes, it may reboot your machine.



Step#2
> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your antivirus program.
If you are unsure how to do this, please read this or this instruction.

How to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens on the top right corner, click Settings.
  • In the new window that opens, choose the Troubleshooting option, uncheck Enable avast! self-defense, and click OK.

  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart the computer once more.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Attach the log report (ComboFix.txt) to the topic.

« Last Edit: February 01, 2013, 12:24:59 AM by magna86 »

jandg

  • Guest
Re: Unending problems
« Reply #16 on: February 01, 2013, 02:28:34 AM »
Combofix log attached

Will try to get you a screen print tomorrow, although Snipper (?) and Sh+PrtSc appear to be inaccessible when the message is displayed.

Offline magna86
Re: Unending problems
« Reply #17 on: February 01, 2013, 10:32:35 AM »
Open notepad and copy/paste the text present inside the code box below:


Code:

Folder::
c:\users\Jan\AppData\Local\Coupon Companion Plugin
C:\Program Files\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000

DDS::
Trusted Zone: agentxsites.com
Trusted Zone: alamode.com
Trusted Zone: almsr.com
Trusted Zone: appraiserxsites.com
Trusted Zone: bing.com
Trusted Zone: brokerxsites.com
Trusted Zone: certmail.com
Trusted Zone: doccentral.com
Trusted Zone: flexapp1003.com
Trusted Zone: fnismls.com
Trusted Zone: getmedianow.com
Trusted Zone: inspectorxsites.com
Trusted Zone: interflood.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: listingsxpress.com
Trusted Zone: live.com
Trusted Zone: mappoint.net
Trusted Zone: mortgagexsites.com
Trusted Zone: rdesk.com
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
Trusted Zone: rexplorer.net
Trusted Zone: safemls.net
Trusted Zone: showingtime.com
Trusted Zone: sitexdata.com
Trusted Zone: spellchecker.net
Trusted Zone: topproducer8i.com\www
Trusted Zone: topproduceronline.com\www
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: virtualearth.net
Trusted Zone: xmlsweb.com
Trusted Zone: xsitesnetwork.com



Save this as CFScript.txt



Close all browser windows.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
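The script above does two things: it forces the Security Center "DisableMonitoring" values back to 0 (a value of 1 silences the "no antivirus/firewall" warnings, which is why malware sets it) and it strips a long list of domains out of Internet Explorer's Trusted Zone (sites in that zone run with relaxed IE security settings). As an added example, not part of the original thread and not ComboFix's own code, the PowerShell below performs a read-only audit of those same two places so you can see what is set before and after a fix. The registry paths are the standard Windows Vista/7 locations; the script assumes it is run from an elevated PowerShell prompt while logged on as the affected user, and the zone-number names are the documented IE zone IDs.

```powershell
# Added example (not from the original thread): read-only audit of the Security Center
# monitoring flags and the IE ZoneMap that the CFScript above rewrites.
# Assumptions: elevated PowerShell, logged on as the affected user; standard Vista/7 paths.

# --- 1. Security Center "DisableMonitoring" -------------------------------------------
# 0 = Security Center monitors that product (normal); 1 = monitoring suppressed.
$scRoot = 'HKLM:\SOFTWARE\Microsoft\Security Center\Monitoring'
if (Test-Path $scRoot) {
    $keys = @(Get-Item $scRoot) + @(Get-ChildItem $scRoot)
    foreach ($key in $keys) {
        $v = (Get-ItemProperty -Path $key.PSPath -Name DisableMonitoring -ErrorAction SilentlyContinue).DisableMonitoring
        if ($null -ne $v) {
            $state = if ($v -eq 0) { 'monitoring enabled' } else { 'MONITORING DISABLED' }
            '{0,-25} DisableMonitoring={1} ({2})' -f $key.PSChildName, $v, $state
        }
    }
}

# --- 2. Internet Explorer zone assignments --------------------------------------------
# Under ZoneMap\Domains each domain key (optionally with a subdomain subkey, e.g.
# topproducer8i.com\www) holds a value named after the scheme ('http', 'https' or '*')
# whose DWORD data is the zone ID: 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
$zoneName = @{ 0 = 'My Computer'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-ZoneAssignments {
    param([string]$Root)
    if (-not (Test-Path $Root)) { return }
    foreach ($domain in Get-ChildItem $Root) {
        # The domain key itself and each subdomain key can carry scheme values.
        $keys = @($domain) + @(Get-ChildItem $domain.PSPath)
        foreach ($k in $keys) {
            $props = Get-ItemProperty -Path $k.PSPath
            foreach ($scheme in @('http', 'https', '*')) {
                $zone = $props.$scheme
                if ($null -eq $zone) { continue }
                $hostName = if ($k.PSPath -eq $domain.PSPath) { $domain.PSChildName }
                            else { '{0}.{1}' -f $k.PSChildName, $domain.PSChildName }
                [pscustomobject]@{
                    Hive   = $Root.Split(':')[0]
                    Host   = $hostName
                    Scheme = $scheme
                    Zone   = $zone
                    Name   = $zoneName[[int]$zone]
                }
            }
        }
    }
}

$assignments = foreach ($r in $roots) { Get-ZoneAssignments -Root $r }

# Trusted Zone (2) is the one the CFScript empties; Restricted (4) entries are also worth a look,
# since adware sometimes parks security vendors' update sites there.
$assignments | Where-Object { $_.Zone -eq 2 -or $_.Zone -eq 4 } | Sort-Object Zone, Host | Format-Table -AutoSize
```

Run it once before the ComboFix fix and once after; the Trusted Zone listing should match the domains in the DDS:: block before and be empty (or contain only sites you added yourself) afterwards. Anything that reappears on its own after the fix is a sign of a still-active component writing to the registry, which is what the rest of the thread goes on to chase.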

jandg
Re: Unending problems
« Reply #18 on: February 01, 2013, 07:59:19 PM »
ComboFix file attached

I hope that the "Coupon Companion" plug-in (which I didn't knowingly request) may be the problem.

Offline magna86
Re: Unending problems
« Reply #19 on: February 01, 2013, 11:21:07 PM »
Hi,

Do you still have avast pop-up warnings? If you do, please attach a screenshot of that pop-up here so I can see what the problem is.


Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double-click dds to run the tool.

    * When done, DDS will open two (2) logs:
        1. DDS.txt
        2. Attach.txt

Save both reports to your desktop and attach DDS.txt and Attach.txt to the topic.

**********************

Re-run OTL, just click on the Run Scan button and attach the fresh OTL.txt log report here.

jandg
Re: Unending problems
« Reply #20 on: February 01, 2013, 11:58:54 PM »
There has been no attempt to circumvent Avast today, but I was tricked by that once this week (one day off, then it returned the following day).

I'm sure that you're already all over this, but I noticed that some of the registry keys shown on the OTL report are associated with Trojan Z.Access.

Reports are attached and I hope you have a good weekend.

JanDG
Boise, ID

Offline magna86
Re: Unending problems
« Reply #21 on: February 02, 2013, 02:54:53 PM »
Hi,
Do you know about this reg file?
Code:
C:\Fixit50388.reg
PS: be careful with this reg file not to load its values.

Quote
I'm sure that you're already all over this but I noticed that some of the registry keys shown on the OTL report are associated with Trojan Z.Access
ZAccess (aka ZeroAccess or 0access) is a nasty rootkit. The section that you saw in the OTL.txt log is a special check for the 0access rootkit, looking for its loading files and registry values.
All your listed entries and lines are legitimate.

********************


Open notepad and copy/paste the text present inside the code box below:


Code:

Firefox::
FF - ProfilePath - c:\users\jan\appdata\roaming\mozilla\firefox\profiles\7ae7yqnj.default\
FF - prefs.js: browser.startup.homepage - hxxps://startpage.com/do/mypage.pl?prf=dcb62b2a934916af554ee73a1ceaa4dc




Save this as CFScript.txt



Close all browser windows.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

******************

Test your machine and tell me how your computer is running now.

jandg
Re: Unending problems
« Reply #22 on: February 03, 2013, 03:46:15 AM »
Hi Magna,

The Fixit file is a MS attempt to reset hyperlinks damaged by the uninvited installation of Google Chrome.  BTW, it didn't work and resetting had to be done manually.

I have (indirectly) identified ib.adnxs on the machine - the urls of the popups begin with adnxs.com.  Made a few feeble attempts to remove it but it wasn't happening.  Blocked the annoyance but didn't solve the problem by installing adblock plus for FF.

This is the second day that there was no attempt to lower Avast's shields so I'm excited about that.

ComboFix file attached.  BTW, the pev.exe file stopped working about 1/2 way through the scan, but I guess that isn't unusual with ComboFix.

Again, thank you for all the time you've spent on this.  It is my unqualified opinion that all of the crap that has found its way to my computer was downloaded at the same time from the same site.

JanDG

jandg
Re: Unending problems
« Reply #23 on: February 03, 2013, 08:18:27 AM »
I ran another scan with Avast and it indicated the following virus:

MPPT97:Shell Code-O [Expl]
Path:  D\hpapps\APP05660\src\setup\setup\APP\IDSDefs\sigs\DAT

I have no idea whether this is a real virus or not, but I moved it to the "chest".

Offline magna86
Re: Unending problems
« Reply #24 on: February 03, 2013, 08:52:28 PM »
Hi,

Quote
Path:  D\hpapps\APP05660\src\setup\setup\APP\IDSDefs\sigs\DAT
It's not the system root partition, so the detection is heuristics related.

------------------------

Step#1
Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:

:files
c:\users\jan\appdata\roaming\mozilla\firefox\profiles\7ae7yqnj.default\extensions\plugin@selectionlinks.com
:files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

:commands
[CREATERESTOREPOINT]
[emptytemp]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
**********************************

Step#2

  Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

***************************
Step#3

Reset Firefox to default:
Note: before this action, as a precaution, back up your bookmarks.

I want you to reset Firefox back to defaults. To do this:

At the top of the Firefox window, click the "Firefox" button,
go over to the "Help" sub-menu
(on Windows XP, click the Help menu at the top of the Firefox window) and select "Troubleshooting Information".
Click the "Reset Firefox" button in the upper-right corner of the Troubleshooting Information page.
Click "Reset Firefox" in the confirmation window that opens.
Firefox will close and be reset. When it's done, click "Finish" and Firefox will open.



___________________________
***************************


Step#4


Re-run OTL for a fresh scan...

  • Make sure all other windows are closed and let it run uninterrupted.
  • Click on Scan All Users
  • Paste this into the Custom Scans/Fixes box at the bottom

Code:

c:\windows\system32\tzres.dll /md5

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open OTL.txt in Notepad, and it will be saved in the same location as OTL.
  • Please attach the fresh OTL.txt log in this thread.
*********************

Step#5

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator.
  • Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double-click on it to install and a new window will open. Follow the prompts.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
  • Close the ESET online scan, and let me know how things are now.
------------------


How is your computer running now? Any pop-ups/warnings...?
« Last Edit: February 03, 2013, 08:54:05 PM by magna86 »

jandg
Re: Unending problems
« Reply #25 on: February 05, 2013, 02:05:19 AM »
Logs attached

ESET ran for 3.5 hours and found no viruses.

The system appears to be running fine.  No further attempts to drop the shields, hard drive running much more quietly and no pop-ups or redirects.

jandg
Re: Unending problems
« Reply #26 on: February 05, 2013, 05:27:02 PM »
Magna, attempts to drop Avast's shields began again this morning.

I give up.  Whatever this is, we're not going to get at it.

One question though.  Is there anything I can do to minimize the possibility of this happening again?  Since it slipped past Avast (and probably every other anti-virus checker out there), would running MalWare Bytes (or any other product you might recommend) with Avast make any difference?

Anyhow, thanks again for everything you've done.

Offline magna86
Re: Unending problems
« Reply #27 on: February 05, 2013, 07:59:26 PM »
Hi,

I see some new malware and leght entries... These entries weren't there in past logs. Somehow, the machine has been re-infected.
You might have been running or doing something with the machine and unconsciously re-infected it.

-----------------------------------------------------

  It's time to upgrade from avast5 to avast7

There is no more sense in trying to disinfect the system with the old AV engine.

-----------------------------------------------------

1. Delete the old ComboFix (drag & drop it to the Recycle Bin).
Download a new, fresh ComboFix from here:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Open notepad and copy/paste the text present inside the code box below:


Code:

KillAll::

Driver::
LAJKB
GXR

File::
C:\Users\Jan\AppData\Local\Temp\LAJKB.exe
C:\Users\Jan\AppData\Local\Temp\GXR.exe

ClearJavaCache::



Save this as CFScript.txt



Close all browser windows.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

----------------------------------------------------

> Re-run OTL. Just click on the Run Scan button and attach the fresh OTL.txt log report here.


***********************


...if after the avast upgrade & fix you still have some pop-up, take a screenshot of that error/pop-up so I may see what it is.
« Last Edit: February 05, 2013, 08:07:49 PM by magna86 »
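The CFScript in the post above removes two drivers (LAJKB and GXR) whose binaries sat in the user's %LOCALAPPDATA%\Temp folder, which is the tell: a legitimate kernel driver or Win32 service is not loaded from a user-writable temp directory, and random short names in such a location are the usual sign of a dropper that registered itself as a service to survive reboots. As an added example, not from the original thread and not a ComboFix feature, the PowerShell below walks every entry under HKLM\SYSTEM\CurrentControlSet\Services and reports the ones whose ImagePath resolves into a temp or per-user directory. It is read-only; the list of suspicious directories and the ImagePath normalisation rules are my assumptions, and it needs an elevated prompt to read all service keys.

```powershell
# Added example (not from the original thread): find services and kernel drivers whose
# binary lives in a temp or per-user directory, the pattern LAJKB/GXR above matched.
# Read-only. Assumptions: elevated PowerShell; directory list below is a heuristic.

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Locations a legitimate service or driver binary should not be loaded from.
# '\ProgramData\' is included as a weak signal only; some real software installs there.
$suspiciousDirs = @(
    '\AppData\Local\Temp\',
    '\Windows\Temp\',
    '\Users\Public\',
    '\ProgramData\'
)

function ConvertTo-FilePath {
    # Normalise the ImagePath forms seen in the registry into a plain file path:
    #   "\SystemRoot\system32\drivers\x.sys", "\??\C:\dir\x.sys", "system32\DRIVERS\x.sys",
    #   "C:\dir\svc.exe -k netsvcs" and quoted paths with arguments.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        $p = ($p -split ' -| /', 2)[0]          # drop arguments introduced by " -x" or " /x"
    }
    $p = $p -replace '^\\\?\?\\', ''             # "\??\C:\..."  -> "C:\..."
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = $p -replace '^%SystemRoot%\\', ($env:SystemRoot + '\')
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$findings = foreach ($svc in Get-ChildItem $servicesRoot -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    $path  = ConvertTo-FilePath $props.ImagePath
    if (-not $path) { continue }
    $hit = $suspiciousDirs | Where-Object { $path -like "*$_*" } | Select-Object -First 1
    if (-not $hit) { continue }
    # Service Type: 1 = kernel driver, 2 = file system driver, 16/32 = Win32 service.
    $kind = switch ([int]$props.Type) { 1 { 'kernel driver' } 2 { 'fs driver' } default { 'service' } }
    [pscustomobject]@{
        Name      = $svc.PSChildName
        Kind      = $kind
        Start     = $props.Start               # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath = $path
        Exists    = Test-Path -LiteralPath $path
        Signal    = $hit
    }
}

$findings | Sort-Object Kind, Name | Format-Table -AutoSize
```

Two readings of the output matter here. A kernel driver (Type 1) with Start 0, 1 or 2 under \AppData\Local\Temp\ is almost never legitimate and is exactly what the Driver:: lines in the CFScript target. A row with Exists = False means the service entry outlived its file, which is harmless on its own but still worth deleting, since it is the registry entry ComboFix's Driver:: section removes; compare the names reported here against the OTL log's driver section before acting on them.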

jandg
Re: Unending problems
« Reply #28 on: February 05, 2013, 09:47:57 PM »
Nope, I'm running Avast 7 with the most current updates - 7.0.1474 and 180205-0.  The path indicated, i.e. \Alwil\Avast5, is a source of confusion to me.

After yesterday's 3.5 hour virus check, I only visited 2 or 3 sites and then shut down for the day.  The sites I visit are fairly benign but yesterday I did do a Java update but from their site, not from a pop-up or reminder.  If there is a tool available where I can check the URLs I visited yesterday for malware downloads, I'll check them out.

Logs attached.

Offline magna86
Re: Unending problems
« Reply #29 on: February 05, 2013, 11:02:22 PM »
Please go to the system root and attach the ComboFix.txt log now for review (C:\ComboFix.txt).

> Your system should be malware-free now, because I do not see active malware in the last OTL log.
Whatever makes that pop-up/warning should not be of malicious origin. But I really want to know what the problem is...

We need to get the answer directly from avast ( your AV ).

******************************

Quote
Nope, I'm running Avast 7 with the most current updates ...
Hm...

> Uninstall avast from Control Panel > Add or Remove Programs.
Reboot your system...
Then download the avast uninstall tool from here:
http://singularlabs.com/uninstallers/security-software/
Run the tool to remove all possible AV leftovers...
Reboot the system.

> Download a fresh avast setup (you may download fresh avast from here: http://www.filehippo.com/download_avast_antivirus/ )
 ...and do a nice and clean install.

- Leave it on and active for ~two days.
In the meantime, if you get a warning or pop-up, or something like before from Avast, take a screenshot!

---------------------------------
After ~two days, attach here the following:
- screenshot of warning:

- Navigate to the avast report folder and attach the BehaviorShield.txt and FileSystemShield.txt avast log reports here

C:\ProgramData\AVAST Software\Avast\report\BehaviorShield.txt
... report\FileSystemShield.txt


...go to the avast log folder and attach the selfdef.txt avast log report here
C:\ProgramData\AVAST Software\Avast\log\selfdef.txt

« Last Edit: February 05, 2013, 11:04:19 PM by magna86 »