system
February 2, 2012, 9:40pm
1
Greetings All,
I’ve been working with a friend’s Asus laptop that was infected with a fake security program.
I have been able to get Avast Internet Security (AIS) running and have removed and deleted:
(1) isecurity.exe (Fake Security App)
(2) $REEEP7L.exe described as MSIL:Dropper
and
(3) other various temp, or infected files.
I’ve had some of the same problems as others here: trying to repair or move consrv.dll causes a boot problem, which needs to be repaired before troubleshooting can be resumed.
A current scan with AIS shows that only 4 files remain that need some type of “Action”.
(1) C:.…\consrv.dll High Threat: Win32:Siref-HO (Rtk)
(2) C:.…\consrv.dll High Threat: Win32:Siref-HO (Rtk)
(3) C:.…\RLO2j3.com High Threat: Win32:FakeAlert-BVT (Trj)
(4) C:.…\consrv.dll High Threat: Win32:Siref-HO (Rtk)
I believe it is time to try and run OTL and aswMBR, but I will definitely need some guidance.
The laptop’s OS is Windows 7 SP1, 64-bit.
Thanks for any help.
Al
Pondus
February 2, 2012, 9:45pm
2
I believe it is time to try and run OTL and aswMBR, but I will definitely need some guidance.
you find the guide here
http://forum.avast.com/index.php?topic=53253.0
attach the logs: lower left corner > additional options > attach
system
February 2, 2012, 10:19pm
4
Thanks for the link.
Results for MalwareBytes scan and repair.
OTL is on my Desktop. 8)
++++++++
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.02.08
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Jwoww :: J-PC [administrator]
2/2/2012 1:55:30 PM
mbam-log-2012-02-02 (13-55-30).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215061
Time elapsed: 5 minute(s), 50 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\Windows\System32\RLO2j3.com (Trojan.Krypt) → Quarantined and deleted successfully.
C:\Windows\SysWOW64\RLO2j3.com (Trojan.Krypt) → Quarantined and deleted successfully.
C:\Users\Jwoww\Downloads\FLVPlayerSetup.exe (Adware.Agent) → Quarantined and deleted successfully.
(end)
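The scan output above follows the fixed layout of Malwarebytes Anti-Malware 1.x logs: a metadata header, then one "<Category> Detected: N" line per category, followed by one line per item of the form "path (threat) -> action". As an added example (not code from this thread or from Malwarebytes), the Python below parses that format into a structured report, cross-checks each declared count against the items actually listed, and flags any item whose action was not "Quarantined and deleted", which is the check a helper would make before telling someone their machine is clean. The embedded log is a constructed sample in the same layout (user and host names changed, one action altered to "No action taken" to exercise the unresolved-item path); the forum's rendering shows the arrow as "→", real logs use "->", so both are accepted.

```python
"""Parse a Malwarebytes Anti-Malware 1.x scan log into a structured summary.

Added example; not from the forum thread or from Malwarebytes.
SAMPLE_LOG is a constructed excerpt in the MBAM 1.x log layout.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log (names changed, one action altered on purpose).
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.02.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
User :: HOST-PC [administrator]

2/2/2012 1:55:30 PM
mbam-log-2012-02-02 (13-55-30).txt

Scan type: Quick scan
Objects scanned: 215061
Time elapsed: 5 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\System32\RLO2j3.com (Trojan.Krypt) -> Quarantined and deleted successfully.
C:\Windows\SysWOW64\RLO2j3.com (Trojan.Krypt) -> Quarantined and deleted successfully.
C:\Users\User\Downloads\FLVPlayerSetup.exe (Adware.Agent) -> No action taken.

(end)
"""

# "<Category> Detected: N" opens a section; each item line follows it.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# "path (threat) -> action."  The threat name carries no parentheses, so a
# path containing "(x86)" still parses correctly (the regex backtracks).
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) \((?P<threat>[^()]+)\) (?:->|→) (?P<action>.+?)\.?$")
# Header "Key: value" lines before the first section.
META_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


@dataclass
class Detection:
    section: str
    path: str
    threat: str
    action: str


@dataclass
class ScanReport:
    metadata: dict = field(default_factory=dict)
    declared: dict = field(default_factory=dict)   # section -> declared count
    detections: list = field(default_factory=list)

    def listed_count(self, section):
        return sum(1 for d in self.detections if d.section == section)

    def mismatches(self):
        """Sections whose declared count differs from the items listed
        (a sign of a truncated or hand-edited log)."""
        return {s: (n, self.listed_count(s))
                for s, n in self.declared.items() if n != self.listed_count(s)}

    def unresolved(self):
        """Items the scanner found but did not quarantine."""
        return [d for d in self.detections if not d.action.startswith("Quarantined")]


def parse_mbam_log(text):
    report = ScanReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)" or line.startswith("(No malicious"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            report.declared[section] = int(m.group("count"))
            continue
        m = DETECTION_RE.match(line)
        if m and section is not None:
            report.detections.append(Detection(
                section, m.group("path"), m.group("threat"), m.group("action")))
            continue
        m = META_RE.match(line)
        if m and section is None:
            report.metadata[m.group("key")] = m.group("value")
    return report


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("Scan type:", rep.metadata.get("Scan type"))
    for sec, n in rep.declared.items():
        print(f"{sec}: declared {n}, listed {rep.listed_count(sec)}")
    for d in rep.unresolved():
        print("UNRESOLVED:", d.path, d.threat, "->", d.action)
```

Run it as a script to get a one-screen summary; in a helper's workflow the two things worth acting on are a non-empty `mismatches()` (re-run or re-post the log) and a non-empty `unresolved()` (items still on disk that need another pass).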
system
February 2, 2012, 11:19pm
6
Extras.txt attached.
Note: Both files were too large in total to place both in one reply.
Should I wait for a reply to run aswMBR?
Pondus
February 2, 2012, 11:42pm
7
Should I wait for a reply to run aswMBR?
nope... run and attach the log
Essexboy is logged out now, but will be back tomorrow. He is usually in here around 08:00pm - 11:59pm UK time
system
February 3, 2012, 12:09am
8
Completed aswMBR scan, and the log file is attached.
Should I “Fix”, or wait for a reply?
Or, should I just wait for Essexboy’s reply tomorrow?
THX
Al
Pondus
February 3, 2012, 12:25am
9
Should I "Fix", or wait for a reply?
you wait for Essexboy... so this is done properly ;)
OBS... that is the longest aswMBR log I have seen
system
February 3, 2012, 12:36am
10
I thought I might have to split the log in two in order to attach. ;D
THX again.
Al
aswMBR gets better every time
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
IE - HKU\S-1-5-21-72642340-1585939968-2348190475-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
[2011/11/18 23:19:20 | 000,000,000 | ---D | M] (StartNow Toolbar) -- C:\Users\Jwoww\AppData\Roaming\Mozilla\Firefox\Profiles\21lng6lc.default\extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F}
O2 - BHO: (StartNow Toolbar Helper) - {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll ()
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - No CLSID value found.
O3 - HKLM\..\Toolbar: (StartNow Toolbar) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll ()
O4 - HKLM..\Run: [StartNowToolbarHelper] "C:\Program Files (x86)\StartNow Toolbar\ToolbarHelper.exe" File not found
[2011/12/24 04:50:50 | 000,000,112 | ---- | C] () -- C:\ProgramData\k3yIM1c.dat
:Files
ipconfig /flushdns /c
C:\Program Files (x86)\StartNow Toolbar
C:\Windows\tasks\At*.job
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Re-Run aswMBR
Click Scan
On completion of the scan
Click the Fix Button
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBR_Zero.png
Save the log as before and post in your next reply
system
February 3, 2012, 8:53pm
12
Essexboy,
I started OTL 25 minutes ago (12:25 pm PST) and I got an alert box that read “Cannot create file C:\Windows\System32\drivers\etc\Hosts.” I clicked “OK” and OTL has the message at the bottom that says “Resetting HOSTS file. DO NOT INTERRUPT…” and it has had that message for over 12 minutes.
OTL may be stuck.
OK, close it out and manually reboot please - do you have Spybot?
system
February 3, 2012, 9:04pm
14
Yes Spybot is installed on machine. I can remove if needed.
It is protecting the HOSTS file and it does need resetting.
So if you could uninstall it before we do the final sweep OTL run
system
February 3, 2012, 9:15pm
16
Spybot is uninstalled, and machine rebooted.
Waiting to restart OTL.
OK, you will notice the biggest difference when aswMBR has done its thing
system
February 3, 2012, 9:24pm
18
Don’t we need to re-run OTL with your script first before running aswMBR?
When you ran the OTL fix, resetting hosts was the last element - so it did the other removals
So go straight to aswMBR fix run now please
system
February 3, 2012, 10:16pm
20
The new scan with aswMBR indicated some removals had not been accomplished with OTL.
A 2nd scan with aswMBR and “FIX” appears to have quarantined all infected files.
The “fixed” aswMBR log file is attached.
Waiting for further instructions.