Author Topic: Avast Web shield  (Read 47692 times)


Hermite15

  • Guest
Re: Avast Web shield
« Reply #15 on: January 04, 2011, 08:24:27 PM »
edit: I'm googling that...

did mbam remove it as well?
« Last Edit: January 04, 2011, 08:26:56 PM by Logos »

Hermite15

  • Guest
Re: Avast Web shield
« Reply #16 on: January 04, 2011, 08:30:57 PM »
oops, someone says here that mbam can detect it but not remove it:
http://social.answers.microsoft.com/Forums/en-US/vistasecurity/thread/2250456c-1a67-464c-ae2d-583bf531b064

edit: just notified Essexboy (he's a malware specialist here).


« Last Edit: January 04, 2011, 08:35:06 PM by Logos »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40610
  • Dragons by Sasha
    • Malware fixes
Re: Avast Web shield
« Reply #17 on: January 04, 2011, 09:26:09 PM »
Hi, let's have a quick look-see at your system to see if we can resolve this.

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following:
    • Reg - NetSvcs
    • Reg - Shell Spawning
    • Evnt - EventViewer Logs (Last 10 Errors)
    • File - Lop Check
    • File - Purity Scan

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

DAV2

  • Guest
Re: Avast Web shield
« Reply #18 on: January 04, 2011, 10:06:01 PM »
Thanks. Ots.txt is attached as requested. Mbam removed Trojan.FakeMS from this computer earlier today. Rescan says clean. Trojan.FakeMS is still in Mbam Quarantine. Thanks for your help.
« Last Edit: January 04, 2011, 10:22:00 PM by DAV2 »

Hermite15

  • Guest
Re: Avast Web shield
« Reply #19 on: January 04, 2011, 10:14:47 PM »
oh okay, if mbam already removed it then... thought it didn't, just detected. Anyway, if any remnants of that are still in your system, OTL will tell.

Offline essexboy

Re: Avast Web shield
« Reply #20 on: January 04, 2011, 10:22:09 PM »
Hi, looks like MBAM did it right this time.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY ->  #ISW.FS# -> C:\Users\DAV\AppData\Roaming\#ISW.FS#
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

DAV2

  • Guest
Re: Avast Web shield
« Reply #21 on: January 04, 2011, 10:32:03 PM »
Thanks. Do I paste this into all the computers that had Trojan.FakeMS removed by Mbam, or is there a simpler way to finish cleaning?

Offline essexboy

Re: Avast Web shield
« Reply #22 on: January 04, 2011, 10:34:31 PM »
Ah, there was more than one?

No, this was specific to the one machine I saw - it may be different for the others.

Hermite15

  • Guest
Re: Avast Web shield
« Reply #23 on: January 04, 2011, 10:44:41 PM »
@ Essexboy: don't think that it matters. Anyway, I noticed in the OTS report that there were several unmounted/unloaded drives (truecrypted or bitlockered)... is it very unlikely that the malware could have affected data on those drives?

« Last Edit: January 04, 2011, 10:47:34 PM by Logos »

DAV2

  • Guest
Re: Avast Web shield
« Reply #24 on: January 04, 2011, 10:47:40 PM »
So what do I do with the others? I run Mbam almost daily. I do not know how this got onto so many non-connected computers. They share a router, but they are all configured not to talk to each other and they are all 2-way firewalled. How do these programs (OTS) find all the places I cannot find to hide files? I see 0104211etc in notepad, but it is lost to me. It says all processes killed etc.
« Last Edit: January 04, 2011, 10:49:22 PM by DAV2 »

Offline essexboy

Re: Avast Web shield
« Reply #25 on: January 04, 2011, 10:49:35 PM »
As they are encrypted drives it would be highly unlikely, not impossible but improbable  ;D

Are you getting redirects on the systems?

Run OTS on each system and post the logs (naming each system) and then I can do a specific fix if required.

Hermite15

  • Guest
Re: Avast Web shield
« Reply #26 on: January 04, 2011, 10:51:31 PM »
As they are encrypted drives it would be highly unlikely, not impossible but improbable  ;D

well they must be mounted/unlocked off and on, and then they're vulnerable like any other drive ;)

edit: well if encrypted volumes aren't mounted at boot time and the malware can only hit when the system boots, then they're safe ;D
« Last Edit: January 04, 2011, 11:00:52 PM by Logos »

DAV2

  • Guest
Re: Avast Web shield
« Reply #27 on: January 04, 2011, 11:40:01 PM »
OK. Here is another that had Trojan.FakeMS just removed today. Does it need a fix code? Thanks.
« Last Edit: January 04, 2011, 11:47:43 PM by DAV2 »

DAV2

  • Guest
Re: Avast Web shield
« Reply #28 on: January 04, 2011, 11:43:42 PM »
Is this Trojan.FakeMS a key logger?

Offline essexboy

Re: Avast Web shield
« Reply #29 on: January 04, 2011, 11:45:30 PM »
No, it is not a keylogger; it is a trigger to download other malware. Similar fix for this one.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY ->  #ISW.FS# -> C:\Users\I7\AppData\Roaming\#ISW.FS#
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
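Both OTS fixes in this thread (Reply #20 and Reply #29) target the same remnant, an `#ISW.FS#` folder under a user's `AppData\Roaming`, listed in the "Created Within 30 Days" section. As an added PowerShell example, not part of the thread or of OTS, the script below checks every profile under `C:\Users` (an assumed profile root) for that folder and reports its creation time against the same 30-day window, so each of the other machines can be triaged before deciding whether it needs its own fix.

```powershell
# Added example (not OTS or the forum's own tooling): report any #ISW.FS# folder
# under each user profile's AppData\Roaming, with creation time and whether it
# falls inside the 30-day window used by the OTS fix section in the thread.
# Assumptions: profiles live under C:\Users; the folder name comes from the thread.

$RemnantName = '#ISW.FS#'
$WindowDays  = 30
$ProfileRoot = 'C:\Users'

function Get-IswRemnantReport {
    param(
        [string]$Root = $ProfileRoot,
        [string]$Name = $RemnantName,
        [int]$Days    = $WindowDays
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    # Enumerate real profile folders; skip junctions such as 'All Users'.
    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -eq 0 } |
        ForEach-Object {
            # -LiteralPath avoids wildcard parsing of unusual characters in the name.
            $path = Join-Path $_.FullName "AppData\Roaming\$Name"
            if (Test-Path -LiteralPath $path) {
                $dir   = Get-Item -LiteralPath $path -Force
                $files = Get-ChildItem -LiteralPath $path -Recurse -Force -File -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Profile      = $_.Name
                    Path         = $path
                    Created      = $dir.CreationTime
                    WithinWindow = ($dir.CreationTime -ge $cutoff)
                    FileCount    = @($files).Count
                    Hidden       = (($dir.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                }
            }
        }
}

$report = Get-IswRemnantReport
if (-not $report) {
    Write-Output "No $RemnantName folder found under any profile in $ProfileRoot."
} else {
    # Read-only triage: nothing is deleted here. Removal stays with the OTS fix
    # the helper posts once the per-machine log has been reviewed.
    $report | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so that other users' profile folders are readable; a machine that reports nothing has no copy of that particular remnant, which is what the helper needs each system's OTS log to confirm.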