Author Topic: enhanced protection mode  (Read 31910 times)


eustace flynn

  • Guest
Re: enhanced protection mode
« Reply #15 on: July 23, 2011, 04:33:51 PM »
Hi Essexboy

I can't believe it but I did it!
Here's the info.

http://www.mediafire.com/file/k594sh85cazjd5s/OTS.Txt

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: enhanced protection mode
« Reply #16 on: July 23, 2011, 05:17:29 PM »
OK, lots and lots of temporary files to clear, so this may take longer than normal to run ;D
There will be a zip file within c:\_OTS\moved files; could you upload that to Mediafire and post the sharing link please. Once I have grabbed it you can delete the link.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Driver Services - Safe List]
YY -> (mdxgthkn) mdxgthkn [Kernel | On_Demand | Stopped] -> C:\Documents and Settings\AUTOTELIC\Local Settings\Temp\mdxgthkn.sys
[Registry - Safe List]
< FireFox Extensions [User Folders] > ->
YY -> No name found   -> C:\Documents and Settings\AUTOTELIC\Application Data\Mozilla\Firefox\Profiles\5l78mbfx.default\extensions\{5c876f30-10ce-11dd-bd0b-0800200c9a66}\chrome\win\mozapps\extensions
< FireFox Extensions [Program Folders] > ->
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
YN -> No name found ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-606747145-1960408961-839522115-1003\] > -> HKEY_USERS\S-1-5-21-606747145-1960408961-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-606747145-1960408961-839522115-1003\] > -> HKEY_USERS\S-1-5-21-606747145-1960408961-839522115-1003\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D}" [HKLM] -> [Reg Error: Key error.]
[Registry - Additional Scans - Safe List]
< Drivers32 [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
YN -> "vidc.LEAD" -> [LCODCCMP.DLL]
[Files/Folders - Created Within 7 Days]
NY ->  update.2 -> C:\WINDOWS\update.2
NY ->  rpcminer -> C:\WINDOWS\rpcminer
NY ->  phoenix -> C:\WINDOWS\phoenix
NY ->  update.5.0 -> C:\WINDOWS\update.5.0
[Files/Folders - Modified Within 7 Days]
NY ->  info1 -> C:\WINDOWS\info1
NY ->  geoiplist.rar -> C:\WINDOWS\geoiplist.rar
NY ->  phoenix.rar -> C:\WINDOWS\phoenix.rar
NY ->  ufa.rar -> C:\WINDOWS\ufa.rar
NY ->  rpcminer.rar -> C:\WINDOWS\rpcminer.rar
NY ->  loader2.exe_ok -> C:\WINDOWS\loader2.exe_ok
NY ->  geoiplist -> C:\WINDOWS\geoiplist
[Files - No Company Name]
NY ->  geoiplist -> C:\WINDOWS\geoiplist
NY ->  geoiplist.rar -> C:\WINDOWS\geoiplist.rar
NY ->  phoenix.rar -> C:\WINDOWS\phoenix.rar
NY ->  ufa.rar -> C:\WINDOWS\ufa.rar
NY ->  rpcminer.rar -> C:\WINDOWS\rpcminer.rar
NY ->  info1 -> C:\WINDOWS\info1
NY ->  loader2.exe_ok -> C:\WINDOWS\loader2.exe_ok
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[ZipFiles]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

saisory

  • Guest
Re: enhanced protection mode
« Reply #17 on: July 24, 2011, 03:16:00 AM »
Hi...


I have the same problem :'( It also started in Facebook, downloading a fake Flash Player. Suddenly all of my protection turned off.

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3739
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: enhanced protection mode
« Reply #18 on: July 24, 2011, 03:50:27 AM »
Hi saisory, welcome to the forum :)

I am sorry you have problems, but if you need help to fix them you should start your own topic.

Greetz, Red.
OS: Win 10 / iOS 17 / Debian 12 / Tails 5
Real Time: Avast Premium Security
On Demand: Malwarebytes
VPN: NordVPN ( NordLynx ) with Threat Protection ( Lite )

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89239
  • No support PMs thanks
Re: enhanced protection mode
« Reply #19 on: July 24, 2011, 03:55:06 AM »
Hi...

I have the same problem :'( It also started in Facebook, downloading a fake Flash Player. Suddenly all of my protection turned off.

You will need to start your own New Topic in the viruses and worms forum, http://forum.avast.com/index.php?board=4.0, and click the New Topic button at the top of the page.

Download and run the OTS analysis tool mentioned in Reply #14 of this topic, http://forum.avast.com/index.php?topic=81947.msg669791#msg669791, and attach the OTS log to the new topic.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

eustace flynn

  • Guest
Re: enhanced protection mode
« Reply #20 on: July 24, 2011, 06:50:59 PM »
Essexboy

Sorry for the delay. I got the log file you wanted (at least I hope this is it).

http://www.mediafire.com/?k594sh85cazjd5s

PS When do I stop being a "Newbie"? I hate that word!
« Last Edit: July 24, 2011, 06:56:02 PM by eustace flynn »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: enhanced protection mode
« Reply #21 on: July 24, 2011, 07:00:10 PM »
Close, but you gave me the initial run ;D

Do you still have the enhanced protection popups?

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

eustace flynn

  • Guest
Re: enhanced protection mode
« Reply #22 on: July 24, 2011, 07:08:05 PM »
Essexboy

Here's the zip file.
(It's a huge file)

http://www.mediafire.com/file/yzu5igmyyogre6m/07232011_175651.zip

Eustace

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: enhanced protection mode
« Reply #23 on: July 24, 2011, 07:18:29 PM »
Ta, you can delete the link now ;D

Also, how is the computer behaving?

eustace flynn

  • Guest
Re: enhanced protection mode
« Reply #24 on: July 24, 2011, 07:34:28 PM »
The scan shows I'm clean now.

The machine seems to be fine but I'll reserve final judgement until I've used it a bit.

Still can't login to Facebook (although that may not be such a bad thing).

Many Thanks

Eustace

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: enhanced protection mode
« Reply #25 on: July 24, 2011, 07:48:53 PM »
Let me know how it is running tomorrow and if it is good I will remove my tools.

eustace flynn

  • Guest
Re: enhanced protection mode
« Reply #26 on: July 24, 2011, 08:52:29 PM »
Will do.

kim9

  • Guest
Re: enhanced protection mode
« Reply #27 on: July 25, 2011, 04:27:44 AM »
Hi Eustace Flynn, I got the same problem exactly like you on my computer. I followed your steps with Malwarebytes and I managed to reinstall avast. THANKS A LOT, got badly lost in between... Everything seems OK now except that, like you, I can't access Facebook any more. Did you manage to fix that as well? Would appreciate your input if you did! Thanks in advance.

reinvaldez

  • Guest
Re: enhanced protection mode
« Reply #28 on: July 25, 2011, 09:26:01 AM »
Got the same issue here. I want to ask how to get rid of this intruder. Below is the result of the quick scan of Malwarebytes.

Code:
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7270

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

7/25/2011 2:24:33 PM
mbam-log-2011-07-25 (14-24-25).txt

Scan type: Quick scan
Objects scanned: 163753
Time elapsed: 2 minute(s), 38 second(s)

Memory Processes Infected: 8
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 8
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
c:\Windows\sysdriver32.exe (Trojan.Agent) -> 1916 -> No action taken.
c:\Windows\sysdriver32.exe (Trojan.Agent) -> 2932 -> No action taken.
c:\Windows\update.1\svchost.exe (Trojan.Dropper) -> 128 -> No action taken.
c:\Windows\update.tray-14-0\svchost.exe (Trojan.Dropper) -> 2896 -> No action taken.
c:\Windows\update.tray-7-0\svchost.exe (Trojan.Dropper) -> 2924 -> No action taken.
c:\Windows\sysdriver32_.exe (Trojan.Agent) -> 2940 -> No action taken.
c:\Windows\systemup.exe (Trojan.Agent) -> 2948 -> No action taken.
c:\Windows\update.3\svchost.exe (Trojan.Agent) -> 2976 -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvsysdriver32 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpdrivers (Trojan.Dropper) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wxpdrivers (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wxpdrivers (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srvbtcclient (Trojan.Downloader) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32.exe (Trojan.Agent) -> Value: sysdriver32.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico0 (Trojan.Dropper) -> Value: tray_ico0 -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tray_ico1 (Trojan.Dropper) -> Value: tray_ico1 -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdriver32_.exe (Trojan.Agent) -> Value: sysdriver32_.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\systemup (Trojan.Agent) -> Value: systemup -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wxpdrv (Trojan.Dropper) -> Value: wxpdrv -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\w_distrib.exe (Trojan.Agent) -> Value: w_distrib.exe -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wxpDrivers\ImagePath (Trojan.Agent) -> Value: ImagePath -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\sysdriver32.exe (Trojan.Agent) -> No action taken.
c:\Windows\update.1\svchost.exe (Trojan.Dropper) -> No action taken.
c:\Windows\update.tray-14-0\svchost.exe (Trojan.Dropper) -> No action taken.
c:\Windows\update.tray-7-0\svchost.exe (Trojan.Dropper) -> No action taken.
c:\Windows\sysdriver32_.exe (Trojan.Agent) -> No action taken.
c:\Windows\systemup.exe (Trojan.Agent) -> No action taken.
c:\Windows\services32.exe (Trojan.Dropper) -> No action taken.
c:\$Recycle.Bin\s-1-5-21-3772573260-3676193357-3056770080-1000\$R97H2KI.exe (Trojan.Agent) -> No action taken.
c:\$Recycle.Bin\s-1-5-21-3772573260-3676193357-3056770080-1000\$RG3MKR6.exe (Trojan.Agent) -> No action taken.
c:\$Recycle.Bin\s-1-5-21-3772573260-3676193357-3056770080-1000\$RPO6SZV.exe (Trojan.Agent) -> No action taken.
c:\$Recycle.Bin\s-1-5-21-3772573260-3676193357-3056770080-1000\$RSH27WV.exe (Trojan.Agent) -> No action taken.
c:\Windows\AutoKMS.exe (RiskWare.Tool.CK) -> No action taken.
c:\Windows\update.3\svchost.exe (Trojan.Agent) -> No action taken.
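
The log above is the kind of artefact a responder gets handed most often, and the thing worth noticing first is that every line ends in "No action taken": the scan found the items but nothing was removed. The following is an added example, not part of the thread and not Malwarebytes' own tooling; it parses the section layout visible in the log (a "Section Name:" header, one detection per line, the action after the last "->") and summarises which persistence locations are involved, which Security Center notifications were switched off, and which detections are still on disk. The sample log is a constructed excerpt modelled on the one posted; the "Quarantined and deleted successfully." line is an assumption added to show the removed case, since the posted log contains none.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM) text logs.

Added example for this thread, not Malwarebytes' own code. It assumes the
log layout shown in the post above: section headers ending in
"Infected:", one detection per line as "<item> (<name>) -> ... -> <action>".
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt modelled on the posted log (paths and detection names
# taken from it, trimmed for brevity). The "Quarantined and deleted" line is
# an assumption added to show what a removed item looks like.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.51.1.1800
Scan type: Quick scan
Memory Processes Infected: 2

Memory Processes Infected:
c:\\Windows\\sysdriver32.exe (Trojan.Agent) -> 1916 -> No action taken.
c:\\Windows\\update.1\\svchost.exe (Trojan.Dropper) -> 128 -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\srvsysdriver32 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\wxpdrivers (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\sysdriver32.exe (Trojan.Agent) -> Value: sysdriver32.exe -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
c:\\Windows\\sysdriver32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\\Windows\\AutoKMS.exe (RiskWare.Tool.CK) -> No action taken.
"""

# A section header is "Something Infected:" with nothing after the colon;
# the summary block at the top ("... Infected: 8") therefore does not match.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")

# Registry locations that let malware survive a reboot; the posted log shows
# all three in use (Run values, a service, and SafeBoot entries).
PERSISTENCE_MARKERS = {
    "run key": r"\\CurrentVersion\\Run\\",
    "service": r"\\CurrentControlSet\\Services\\",
    "safeboot": r"\\Control\\SafeBoot\\",
}


def parse_mbam_log(text):
    """Return one dict per detection: section, item, name, action, pid."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None:
            continue  # preamble lines before the first section
        m = DETECTION_RE.match(line)
        if not m:
            continue
        parts = [p.strip() for p in m.group("rest").split("->")]
        pid = None
        if section == "Memory Processes Infected" and parts[0].isdigit():
            pid = int(parts[0])  # process detections carry the PID first
        entries.append({"section": section, "item": m.group("item"),
                        "name": m.group("name"), "action": parts[-1], "pid": pid})
    return entries


def persistence_kind(item):
    """Classify a registry path by the persistence mechanism it represents."""
    for kind, marker in PERSISTENCE_MARKERS.items():
        if re.search(marker, item, re.IGNORECASE):
            return kind
    return None


def triage(entries):
    """Summarise the parsed log the way a responder reads it."""
    summary = {
        "by_section": Counter(e["section"] for e in entries),
        "persistence": defaultdict(list),
        # Items whose action line says nothing was removed.
        "not_removed": [e["item"] for e in entries
                        if e["action"].startswith("No action taken")],
        # Security Center notifications the malware switched off.
        "security_center_tampered": [e["item"] for e in entries
                                     if e["name"].startswith("PUM.Disabled.SecurityCenter")],
        "live_pids": [e["pid"] for e in entries if e["pid"] is not None],
    }
    for e in entries:
        kind = persistence_kind(e["item"])
        if kind:
            summary["persistence"][kind].append(e["item"])
    return summary


if __name__ == "__main__":
    report = triage(parse_mbam_log(SAMPLE_LOG))
    for section, count in sorted(report["by_section"].items()):
        print(f"{section}: {count}")
    print("persistence:", {k: len(v) for k, v in report["persistence"].items()})
    print("still present (no action taken):", len(report["not_removed"]))
    print("security center tampered:", report["security_center_tampered"])
    print("running malicious PIDs:", report["live_pids"])
```

Run against the posted log, the `not_removed` list would contain every detection, which is the practical answer to the poster's question: the scan was run without selecting Remove Selected, so the "Run" values, the `srvsysdriver32` and `wxpdrivers` services and the SafeBoot entries are all still in place.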

marko.raic

  • Guest
Re: enhanced protection mode
« Reply #29 on: July 25, 2011, 11:47:25 AM »
Ok people, I have the same problem with my avast! and it all started with one message on Facebook from my friend which said that she will send a link with a video of me. I went to that link and it asked me to download Flash Player; I did it, but after that my computer began to restart by itself almost immediately after I connect to the internet, and when I try to open the user interface it says that it is in enhanced protection mode. I got a picture of it:

http://imageshack.us/photo/my-images/11/modec.jpg/