I’ve been using avast for some months now, and yesterday I started getting warnings about access to unsafe URLs (just like Dave at http://forum.avast.com/index.php?topic=92616.0 and Nick at http://forum.avast.com/index.php?topic=92407.0 ).
Before locating those threads, I identified the offending process (update.exe in Common Files) and killed it with Sysinternals Process Explorer. After it was killed, I didn’t receive further warnings from avast. It was very suspicious because update.exe seemed to be a Firefox file, but I’ve not used Firefox in months (I use Chrome mainly), and had not updated it recently.
I ran a complete scan with avast just to be sure, but it didn’t find anything. I also downloaded MBAM and did a scan with it, but it didn’t find anything either. Since I’m quite sure there is something wrong in the PC, I also ran OTL as per http://forum.avast.com/index.php?topic=53253.msg451454#msg451454
Suspicious activities I did yesterday include plugging in a suspect USB key, updating VLC to the latest version (1.1.11), and installing DirectVobSub (VSFilter).
I’m suspecting DirectVobSub since it didn’t seem to do anything when installed (I later uninstalled it).
I uploaded the installers for VLC and DirectVobSub (VSFilter) to virustotal and both were identified as infected but only by one engine (1/40) in each case:
VSFilter: AntiVir → HTML/ADODB.Exploit.Gen
VLC: Antiy-AVL → Virus/Win32.Xpaj.gen
I noticed that I had a wscript.exe process running with a path to a data.js in the ComObjects directory, which was regularly spawning the update.exe program. Even though I was not getting any additional warnings from Avast, I decided to uninstall Firefox.
Since the wscript.exe process was still running and accessing the ComObjects directory, I killed the wscript process (nothing bad has happened yet) and moved the ComObjects directory to ComObjects_suspect.
Neither wscript.exe nor update.exe was reported to be infected by VirusTotal.
Oh, OK, thanks; after I closed the Acrobat auto-updater the files went away anyway.
Still, the original problem seems to be unsolved, although I am not seeing strange behavior right now (I’m afraid of rebooting, since I manually killed the offending update.exe process).
[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U*.* /s
C:\Program Files\Common Files\ComObjects\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
CREATERESTOREPOINT
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs.
Done, but I just saw that the ComObjects directory is in a slightly different place.
I’m running OTL again with
C:\Program Files (x86)\Common Files\ComObjects
instead.
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, and reboot the PC when it is done.
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
I’ve tried twice to run this, but the first time it didn’t seem to work correctly (on startup an error message saying it couldn’t remove a file appeared), and the second time the computer stopped responding while creating the restore point.
I’ll try to run it again.
The update.exe has appeared again and contacts many unwanted URLs.
Files\Folders moved on Reboot…
File move failed. C:\Users\agustin\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.
Here is a screenshot of the process. It was more obvious before, since I could see it connecting to bogus URLs. Now it starts up, it gets killed by a cscript.exe, and after a while wscript starts it up again.
Both wscript and cscript seem to be using data.js in the ComObjects directory.
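The chain described in the posts above (a script host running a .js file out of the ComObjects directory and repeatedly launching update.exe) can be enumerated directly rather than spotted by eye in Process Explorer. The following is an added example for this thread, not a script posted by the OP or by the Avast forum helpers: it lists every running wscript.exe/cscript.exe, the script file it was started with, its parent, and any children it has spawned, and marks script hosts whose script lives under a path fragment you consider unusual. The two fragments in $suspectPathFragments are assumptions taken from the locations mentioned in this thread; adjust them for your own machine.

```powershell
# Added example (not from the original thread): map Windows Script Host
# processes to the script they run, their parent, and their children.
# Path fragments to flag are an assumption based on this thread's findings.
$suspectPathFragments = @('\Common Files\ComObjects', '\AppData\Local\Temp')

# One snapshot of all processes so parent/child lookups are consistent.
$all = Get-CimInstance -ClassName Win32_Process
$scriptHosts = $all | Where-Object { $_.Name -in @('wscript.exe', 'cscript.exe') }

foreach ($h in $scriptHosts) {
    $parent   = $all | Where-Object { $_.ProcessId -eq $h.ParentProcessId }
    $children = $all | Where-Object { $_.ParentProcessId -eq $h.ProcessId }

    # Pull the script path out of the command line: first argument that looks
    # like a drive-rooted path ending in a WSH script extension.
    $scriptPath = $null
    if ($h.CommandLine) {
        $m = [regex]::Match($h.CommandLine, '(?i)"?([a-z]:\\[^"]+?\.(js|jse|vbs|vbe|wsf))"?')
        if ($m.Success) { $scriptPath = $m.Groups[1].Value }
    }

    # Flag the host if the script sits under one of the watched path fragments.
    $suspicious = $false
    foreach ($frag in $suspectPathFragments) {
        if ($scriptPath -and $scriptPath -like "*$frag*") { $suspicious = $true }
    }

    [pscustomobject]@{
        PID        = $h.ProcessId
        ScriptHost = $h.Name
        Script     = $scriptPath
        Parent     = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'n/a' }
        Children   = ($children | ForEach-Object { "$($_.Name) ($($_.ProcessId))" }) -join ', '
        Suspicious = $suspicious
    }
}
```

Run it from an elevated PowerShell prompt so that the CommandLine property is populated for processes owned by other users. A script host whose Children column shows update.exe, or whose Script column points into a Common Files subdirectory that no installed product owns, is exactly the pattern reported in this thread and is worth preserving (copy the .js file and note the parent) before killing anything, since the parent is what keeps restarting the chain.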