Author Topic: Recourring popups from avast  (Read 20649 times)


tweaker

  • Guest
Re: Recourring popups from avast
« Reply #15 on: May 17, 2013, 04:52:31 PM »
Sorry for the delay, I have been extremely busy. Yes, I did have that installed at one time. I have not noticed any popups since I ran ComboFix. Here is the log. Thanks again and sorry for the delay.


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Recourring popups from avast
« Reply #16 on: May 18, 2013, 04:27:23 AM »
Hi Tweaker,

No problem. We may have a sneaky one on our hands. Please copy and paste the text in the code box into a notepad.

Code:
REM List every reparse point (junctions and symbolic links) on the drive, starting at the root
CD \
DIR /S /A:L > "%USERPROFILE%\Desktop\JunctionPoints.txt"
REM Open the log from the Desktop by full path; the working directory is now the drive root
START "" "%USERPROFILE%\Desktop\JunctionPoints.txt"
EXIT

In Notepad click File > Save As
  • Make sure the Save in box is set to Desktop
  • In the filename box type junction.bat
  • Click Save
You should now have a file on your desktop named junction.bat. It will have an icon with a couple of gears in it.
  • Right click the file and click Run as Administrator
  • OK the UAC prompt
  • A black window will open
  • When the window closes (it may take a minute or 2) a Notepad named junctionpoints.txt will open
  • It will also be saved to your desktop
Please post the contents of junctionpoints.txt

tweaker

  • Guest
Re: Recourring popups from avast
« Reply #17 on: May 18, 2013, 04:58:29 AM »
Here it is --

Thanks

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Recourring popups from avast
« Reply #18 on: May 19, 2013, 08:47:31 AM »
Hi tweaker,

Haven't forgotten about you. You are infected with a newer infection. There are also some strange entries in the log which I need to dig into a bit more so we can safely remove the infection.

Please bear with me while I come up with a safe way of doing this. Is your computer a Dell by any chance?
« Last Edit: May 19, 2013, 08:52:01 AM by oldman »

tweaker

  • Guest
Re: Recourring popups from avast
« Reply #19 on: May 19, 2013, 04:03:40 PM »
Hi, thanks for getting back to me. No, it's an HP. If there are any of the entries I might be able to shed some light on, ask away. Glad I'm at least not getting any popups from avast telling me of infection.
« Last Edit: May 19, 2013, 04:10:43 PM by tweaker »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Recourring popups from avast
« Reply #20 on: May 19, 2013, 08:40:21 PM »
Hi tweaker,

There are what appear to be missing default junctions. Not sure if the batch we used just lost the path due to the infection or if they are being obscured by the malware.

Download Farbar Recovery Scan Tool 64-Bit and save it to your desktop.

Next, download and save to your Desktop the attached file fixlist.txt

Next

  • Right click FRST.exe and click "Run as Administrator"
  • When the tool opens click Yes to disclaimer.
  • Press Fix button.
  • FRST will process the script in Fixlist.txt
  • It will make a log (fixlog.txt) on the desktop. Please copy and paste it to your reply.

Next

Please delete junctionpoints.txt from your desktop and rerun junction.bat by
  • Right click the file and click Run as Administrator
  • OK the UAC prompt
  • A black window will open
  • When the window closes (it may take a minute or 2) a Notepad named junctionpoints.txt will open
  • It will also be saved to your desktop
Please post the contents of junctionpoints.txt

Please post back with
  • fixlog.txt
  • junctionpoints.txt


tweaker

  • Guest
Re: Recourring popups from avast
« Reply #21 on: May 20, 2013, 03:09:58 AM »
OK, here are the logs.

thank you

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Recourring popups from avast
« Reply #22 on: May 20, 2013, 06:21:40 PM »
Hi tweaker,

Looks like the malware junctions have been removed. The broken default links are still broken. I haven't seen any reports of the malware causing this. Did you make any changes from the default setup of your computer, or try to take ownership of some folders you couldn't open, such as C:\Documents and Settings?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Recourring popups from avast
« Reply #23 on: May 20, 2013, 06:24:49 PM »
Seems this is re-occurring: http://forum.avast.com/index.php?topic=105682.30

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Recourring popups from avast
« Reply #24 on: May 20, 2013, 07:18:17 PM »
No, this is a new variant of the Siref malware family.

tweaker

  • Guest
Re: Recourring popups from avast
« Reply #25 on: May 21, 2013, 02:56:11 AM »
Yes, I have tried taking ownership of some files previously; I was having a lot of file permission issues.

tweaker

  • Guest
Re: Recourring popups from avast
« Reply #26 on: May 21, 2013, 06:15:26 AM »
I THINK, but don't know for sure, that this is something different than last time I posted in the link above, which was some months ago. Got rid of that one and everything was fine for quite some time. Although I am certainly not an expert, hence asking y'all for help ;p I'm pretty sure this one is different; the infection popups did not contain the same information.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Recourring popups from avast
« Reply #27 on: May 21, 2013, 07:07:02 AM »
Hi tweaker,

Quote
yes i have tried taking ownership of some files previously, i was having a lot of file permission issues.

Folders such as these under C:\ProgramData

Application Data
Desktop
Documents
Favorites
Start Menu
Templates

are not real folders. They are junctions. Junctions are sort of like a redirect to the actual folder. Windows Vista and up use them for backwards compatibility so older programs can write to the correct location.

If you look at the last junctionpoints.txt you posted you can see the junctions go nowhere.
Quote
07/14/2009  01:08 AM    <JUNCTION>     Application Data [..]
07/14/2009  01:08 AM    <JUNCTION>     Desktop [..]
07/14/2009  01:08 AM    <JUNCTION>     Documents [..]
07/14/2009  01:08 AM    <JUNCTION>     Favorites [..]
07/14/2009  01:08 AM    <JUNCTION>     Start Menu [..]
07/14/2009  01:08 AM    <JUNCTION>     Templates [..]
They should look like
Quote
Directory of C:\ProgramData

02/11/2006 14:02 <JUNCTION> Application Data [c:\ProgramData]
02/11/2006 14:02 <JUNCTION> Desktop [c:\Users\Public\Desktop]
02/11/2006 14:02 <JUNCTION> Documents [c:\Users\Public\Documents]
02/11/2006 14:02 <JUNCTION> Favorites [c:\Users\Public\Favorites]
02/11/2006 14:02 <JUNCTION> Start Menu [c:\ProgramData\Microsoft\Windows\Start Menu]
02/11/2006 14:02 <JUNCTION> Templates [c:\ProgramData\Microsoft\Windows\Templates]
0 File(s) 0 bytes
The part in the [] is the real path. The part just in front of the [] is the junction. If you try to access the junction you will be presented with an access denied error. These are hard coded into windows and taking ownership may damage them.


Quote
THINK but don't know for sure, that this is something different than last time I posted
That looked like an MBR infection. This time it was Zero Access aka Siref. The part with the rogue junctions in the Windows Defender folder is just the latest greatest version.


reason for edit: to add the text to the first quote box
« Last Edit: May 22, 2013, 06:18:14 AM by oldman »
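The two listings above (the broken `[..]` junctions and the healthy defaults) are exactly what the junction.bat output from Reply #16 contains, so the comparison can be done offline against the saved junctionpoints.txt instead of by eye. The following Python script is an added example written for this thread, not code posted by oldman or shipped with any of the tools mentioned. It parses `DIR /S /A:L` output in the format shown, compares the six junctions under C:\ProgramData with the default targets quoted in the post, and reports any other reparse point for review. The `C:\ProgramData\ExampleApp` directory and its `Cache` junction in the sample are constructed to show the "review" case and do not come from tweaker's log.

```python
"""Check a DIR /S /A:L listing (junctionpoints.txt) for broken or unexpected junctions.

Added example for this thread: the samples below are constructed from the
listings quoted in Reply #27 plus one made-up extra directory (ExampleApp).
"""
import re
from dataclasses import dataclass

# Default targets for the compatibility junctions under C:\ProgramData,
# exactly as quoted in the post (compared case-insensitively).
EXPECTED_PROGRAMDATA = {
    "Application Data": r"c:\ProgramData",
    "Desktop": r"c:\Users\Public\Desktop",
    "Documents": r"c:\Users\Public\Documents",
    "Favorites": r"c:\Users\Public\Favorites",
    "Start Menu": r"c:\ProgramData\Microsoft\Windows\Start Menu",
    "Templates": r"c:\ProgramData\Microsoft\Windows\Templates",
}

# A DIR line for a reparse point, e.g. "07/14/2009  01:08 AM    <JUNCTION>     Desktop [..]".
# Date and time formats depend on locale, so only the tag and the [target] are anchored.
_ENTRY = re.compile(
    r"^\s*\S+\s+\S+(?:\s+[AP]M)?\s+<(JUNCTION|SYMLINKD|SYMLINK)>\s+(.*?)\s+\[(.*)\]\s*$",
    re.IGNORECASE,
)
_DIRECTORY = re.compile(r"^\s*Directory of\s+(.+?)\s*$", re.IGNORECASE)


@dataclass
class Finding:
    directory: str
    name: str
    target: str
    verdict: str  # "ok", "broken", "mismatch" or "review"


def parse_listing(text):
    """Yield (directory, kind, name, target) for every reparse point in a DIR listing."""
    current = "<unknown>"
    for line in text.splitlines():
        d = _DIRECTORY.match(line)
        if d:
            current = d.group(1)  # "Directory of X" header precedes the entries of X
            continue
        m = _ENTRY.match(line)
        if m:
            yield current, m.group(1).upper(), m.group(2), m.group(3)


def check_junctions(text):
    """Classify each reparse point: broken ([..] or empty target), ok/mismatch against
    the known C:\\ProgramData defaults, or review (anything not in the default set)."""
    findings = []
    for directory, kind, name, target in parse_listing(text):
        if target in ("..", ""):
            verdict = "broken"  # the junction goes nowhere, as in tweaker's log
        elif directory.lower() == r"c:\programdata" and name in EXPECTED_PROGRAMDATA:
            expected = EXPECTED_PROGRAMDATA[name]
            verdict = "ok" if target.lower() == expected.lower() else "mismatch"
        else:
            verdict = "review"  # not automatically bad; a reparse point worth a look
        findings.append(Finding(directory, name, target, verdict))
    return findings


def summarize(findings):
    """Count verdicts so a whole listing can be judged at a glance."""
    counts = {"ok": 0, "broken": 0, "mismatch": 0, "review": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


# Constructed sample: the broken listing quoted in the post.
BROKEN_SAMPLE = r"""
 Directory of C:\ProgramData

07/14/2009  01:08 AM    <JUNCTION>     Application Data [..]
07/14/2009  01:08 AM    <JUNCTION>     Desktop [..]
07/14/2009  01:08 AM    <JUNCTION>     Documents [..]
07/14/2009  01:08 AM    <JUNCTION>     Favorites [..]
07/14/2009  01:08 AM    <JUNCTION>     Start Menu [..]
07/14/2009  01:08 AM    <JUNCTION>     Templates [..]
               0 File(s)              0 bytes
"""

# Constructed sample: the healthy defaults from the post plus a made-up
# extra directory (ExampleApp) holding a junction outside the default set.
HEALTHY_SAMPLE = r"""
 Directory of C:\ProgramData

02/11/2006 14:02 <JUNCTION> Application Data [c:\ProgramData]
02/11/2006 14:02 <JUNCTION> Desktop [c:\Users\Public\Desktop]
02/11/2006 14:02 <JUNCTION> Documents [c:\Users\Public\Documents]
02/11/2006 14:02 <JUNCTION> Favorites [c:\Users\Public\Favorites]
02/11/2006 14:02 <JUNCTION> Start Menu [c:\ProgramData\Microsoft\Windows\Start Menu]
02/11/2006 14:02 <JUNCTION> Templates [c:\ProgramData\Microsoft\Windows\Templates]
               0 File(s)              0 bytes

 Directory of C:\ProgramData\ExampleApp

05/20/2013 10:00 <JUNCTION> Cache [c:\Users\Public\ExampleTarget]
               0 File(s)              0 bytes
"""

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_SAMPLE), ("healthy", HEALTHY_SAMPLE)):
        findings = check_junctions(sample)
        print(label, summarize(findings))
        for f in findings:
            print(f"  {f.verdict:8} {f.directory}\\{f.name} -> [{f.target}]")
```

To use it on a real machine, run junction.bat as described in Reply #16 and feed the saved junctionpoints.txt to `check_junctions(open(path, errors="replace").read())`. A "review" verdict only means the reparse point is outside the default set quoted here; the legitimate user-profile junctions elsewhere on the drive will show up that way too, so the list is a starting point for the helper, not a verdict on its own.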

tweaker

  • Guest
Re: Recourring popups from avast
« Reply #28 on: May 21, 2013, 08:52:39 AM »
Sooo... how do I go about fixing that?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Recourring popups from avast
« Reply #29 on: May 22, 2013, 02:11:48 AM »
Hi tweaker,

We'll look at the junctions later. Let's make sure Windows Defender is fixed. Try starting it and let me know how you make out.