Author Topic: Help ...  (Read 8629 times)


Offline Adii Moreira

Help ...
« on: August 21, 2011, 11:21:28 PM »
Hi. I have exactly the same problem that she had: "I can't open the Avast! user interface, can't boot in safe mode, can't access facebook.
Screencaps: http://tinypic.com/r/2itim3r/7  http://tinypic.com/r/hvwbpt/7

I'm certain this is a virus or malware or something of that sort. My sister was using facebook and clicked a link to a video that asked her to update Adobe Flash. She did, the computer restarted and then the problems began. How do I get rid of this? I'm running Malwarebytes right now to see if it'll do anything. If not, what steps should I take?" Please help =|

Offline Pondus

Re: Help ...
« Reply #1 on: August 21, 2011, 11:24:35 PM »
Quote
I'm running Malwarebytes right now to see if it'll do anything. If not, what steps should I take?"
That would be a good first start..... hope you updated it before you started? And you only have to run a quick scan.

post scan log when done




Quote
My sister was using facebook and clicked a link to a video that asked her to update Adobe Flash.
NEVER click links, videos or pics you receive on Facebook.
« Last Edit: August 21, 2011, 11:26:25 PM by Pondus »

Offline Adii Moreira

Re:
« Reply #2 on: August 21, 2011, 11:31:25 PM »
Oh, I'm sorry, I copied too much; I just meant until "How do I get rid of this?" I'm not running anything  :-X

Offline Pondus

Re: Help ...
« Reply #3 on: August 21, 2011, 11:41:53 PM »
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here and not in the guide )


To avoid using multiple posts with copy and paste, you have to attach the logs:
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTL log ). Save the OTL log as ANSI.

Essexboy will look at the logs when posted...

Offline Adii Moreira

Re: Help ...
« Reply #4 on: August 21, 2011, 11:47:31 PM »
Okk sorry =)

Offline essexboy

Re: Help ...
« Reply #5 on: August 21, 2011, 11:57:18 PM »
Monitoring - but I am going offline shortly.  I will look tomorrow 

Offline Adii Moreira

Re: Help ...
« Reply #6 on: August 22, 2011, 01:20:38 AM »
Hi essexboy. I've done the same thing that you told that girl to do, so here is the RogueKiller report, and the OTS is below.


RogueKiller V5.3.3 [08/18/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Adriana [Admin rights]
Mode: Remove -- Date : 08/01/2011 00:01:34

Bad processes: 0

Registry Entries: 5
[BLACKLIST] HKLM\[...]\Root : LEGACY_SRVBTCCLIENT () -> DELETED
[BLACKLIST] HKLM\[...]\Root : LEGACY_SRVIECHECK () -> DELETED
[BLACKLIST] HKLM\[...]\Root : LEGACY_WXPDRIVERS () -> DELETED
[HJ] HKLM\[...]\System : EnableLUA (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

Particular Files / Folders:

HOSTS File:
127.0.0.1       localhost
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
127.0.0.1 et-ee.facebook.com
127.0.0.1 en-gb.facebook.com
127.0.0.1 es-la.facebook.com
127.0.0.1 eo-eo.facebook.com
127.0.0.1 eu-es.facebook.com
127.0.0.1 tl-ph.facebook.com
127.0.0.1 fo-fo.facebook.com
[...]


Finished : << RKreport[1].txt >>
RKreport[1].txt




« Last Edit: August 22, 2011, 01:22:36 AM by Adii Moreira »

Offline Adii Moreira

Re: Help ...
« Reply #7 on: August 22, 2011, 11:41:31 AM »
Can someone help? I still can't access Facebook =O

Offline Pondus

Re: Help ...
« Reply #8 on: August 22, 2011, 11:48:06 AM »
Quote
Can someone help? I still can't access Facebook =O
Relax........ the world will not end bc you are without Facebook for some hours   ;D



You have to wait for essexboy..... he will be back here about 08:00 - 11:59pm UK time.




Offline DavidR

Re: Help ...
« Reply #9 on: August 22, 2011, 12:38:55 PM »
Quote
Can someone help? I still can't access Facebook =O

In the meantime, you could remove these entries from your HOSTS file manually.

A HOSTS file redirect is a common malware tactic to block AV sites, making it difficult to remove malware; the same is true if they want to block Facebook, in your case via 127.0.0.1. Check your HOSTS file using Notepad or a text editor of your choice: C:\WINDOWS\system32\drivers\etc\hosts, or do a search for HOSTS to find it if it is not there.

Once open, you are looking for the lines with those facebook.com entries on them; you can remove those lines and save the file. http://en.wikipedia.org/wiki/Hosts_file

Note: when saving the file, Notepad may have a whinge as there is no file type for the HOSTS file; ensure that the file type is set to All Files and it should comply with the fact it hasn't got a file type/extension. You may, depending on your OS, have UAC have a whinge, so you may need to run that text editor (Notepad, etc.) as an administrator.
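A defender-side check for the HOSTS file tactic DavidR describes, as an added example that is not from the thread or from any tool named in it: it flags lines that point non-local names at a loopback or null address and returns a cleaned copy that keeps comments and the genuine localhost line. The sample hosts content is constructed, modelled on the RogueKiller output above; the printer.local entry is made up to show that a real LAN mapping survives cleaning.

```python
import ipaddress

# Added example, not from the thread: audit a HOSTS file for sinkhole lines.
# Names that legitimately map to loopback and must never be flagged.
LEGIT_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

def _is_sinkhole(addr):
    """True for loopback (127.x, ::1) and null (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def parse_line(line):
    """Return (address, [hostnames]) or None for comment/blank lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = body.split()
    return parts[0], parts[1:]

def audit_hosts(text):
    """Return (line_no, hostname) pairs that look hijacked."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        addr, names = parsed
        if _is_sinkhole(addr):
            hits.extend((no, n) for n in names if n.lower() not in LEGIT_LOCAL)
    return hits

def clean_hosts(text):
    """Return the hosts text with hijacked lines dropped, all else kept."""
    bad = {no for no, _ in audit_hosts(text)}
    kept = [l for no, l in enumerate(text.splitlines(), 1) if no not in bad]
    return "\n".join(kept) + "\n"

# Constructed sample modelled on the RogueKiller HOSTS output above;
# printer.local is a made-up genuine LAN entry that must survive cleaning.
SAMPLE = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    printer.local
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
0.0.0.0 en-gb.facebook.com
"""
```

On a real machine, pass the contents of C:\WINDOWS\system32\drivers\etc\hosts to `audit_hosts` first and review the hits before writing `clean_hosts` output back, since the whole line is dropped when any name on it is flagged.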

Offline essexboy

Re: Help ...
« Reply #10 on: August 22, 2011, 03:22:45 PM »
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Processes - Safe List]
YY -> svchostdriver.exe -> C:\WINDOWS\update.7.1\svchostdriver.exe
[Win32 Services - Safe List]
YY -> (ddservice) ddservice [Auto | Running] -> C:\WINDOWS\update.7.1\svchostdriver.exe
[Registry - Safe List]
< HOSTS File > ([2011-07-31 23:03:13 | 000,202,984 | -H-- | M] - 100098 lines) -> C:\WINDOWS\system32\drivers\etc\hosts
YN -> Reset Hosts ->
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "tray_ico" -> []
YN -> "tray_ico1" -> []
YN -> "tray_ico2" -> []
YN -> "tray_ico3" -> []
YN -> "tray_ico4" -> []
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\update.1\svchost.exe" -> [C:\WINDOWS\update.1\svchost.exe:*:Enabled:C:\WINDOWS\update.1\svchost.exe]
YN -> "C:\WINDOWS\update.2\svchost.exe" -> [C:\WINDOWS\update.2\svchost.exe:*:Enabled:C:\WINDOWS\update.2\svchost.exe]
YN -> "C:\WINDOWS\update.tray-7-0\svchost.exe" -> [C:\WINDOWS\update.tray-7-0\svchost.exe:*:Enabled:C:\WINDOWS\update.tray-7-0\svchost.exe]
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
YN -> "AlternateShell" -> services32.exe
[Files/Folders - Created Within 30 Days]
NY ->  WinRAR -> C:\Documents and Settings\LocalService\Application Data\WinRAR
NY ->  ufa -> C:\WINDOWS\ufa
NY ->  phoenix -> C:\WINDOWS\phoenix
NY ->  update.7.1 -> C:\WINDOWS\update.7.1
NY ->  update.2 -> C:\WINDOWS\update.2
NY ->  update.5.0 -> C:\WINDOWS\update.5.0
NY ->  WinRAR -> C:\Documents and Settings\Adriana\Application Data\WinRAR
NY ->  av_ico -> C:\WINDOWS\av_ico
NY ->  update.1 -> C:\WINDOWS\update.1
NY ->  update.tray-7-0 -> C:\WINDOWS\update.tray-7-0
NY ->  update.tray-7-0-lnk -> C:\WINDOWS\update.tray-7-0-lnk
NY ->  gPotato -> C:\Documents and Settings\All Users\Menu Iniciar\Programas\gPotato
NY ->  gPotato -> C:\gPotato
[Files/Folders - Modified Within 30 Days]
NY ->  info1 -> C:\WINDOWS\info1
NY ->  phoenix.rar -> C:\WINDOWS\phoenix.rar
NY ->  unrar.exe -> C:\WINDOWS\unrar.exe
NY ->  ufa.rar -> C:\WINDOWS\ufa.rar
NY ->  rpcminer.rar -> C:\WINDOWS\rpcminer.rar
NY ->  geoiplist.rar -> C:\WINDOWS\geoiplist.rar
[Files - No Company Name]
NY ->  loader2.exe_ok -> C:\WINDOWS\loader2.exe_ok
NY ->  phoenix.rar -> C:\WINDOWS\phoenix.rar
NY ->  rpcminer.rar -> C:\WINDOWS\rpcminer.rar
NY ->  info1 -> C:\WINDOWS\info1
NY ->  geoiplist -> C:\WINDOWS\geoiplist
NY ->  geoiplist.rar -> C:\WINDOWS\geoiplist.rar
NY ->  unrar.exe -> C:\WINDOWS\unrar.exe
[Custom Scans]
YY ->  svchost.exe : MD5=B8F3E2AEE9E0D7BCA1691165B5A2EBA1 -> C:\WINDOWS\update.tray-7-0-lnk\svchost.exe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Custom Items]
:files
ipconfig /flushdns /c
:end

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start the scan



On completion of the scan, click Save log, save it to your desktop and post it in your next reply.



Offline Adii Moreira

Re: Help ...
« Reply #11 on: August 22, 2011, 03:59:33 PM »
The aswMBR just stopped at that point =| it doesn't say: Scan finished successfully ...

Offline Adii Moreira

Re: Help ...
« Reply #12 on: August 22, 2011, 04:01:03 PM »
Oops, it does now LOL, it wasn't finished =P

Offline essexboy

Re: Help ...
« Reply #13 on: August 22, 2011, 04:02:46 PM »
What are your current problems?

Please download Malwarebytes' Anti-Malware
 
Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Offline Adii Moreira

Re: Help ...
« Reply #14 on: August 22, 2011, 04:17:06 PM »
I don't know if there is still any problem lol, I already can go to Facebook yeehay =D thank you so much ;D I'm running Malwarebytes right now, I'll send you the report when finished.