Avast blocks reddie.net

Hey people. Since today, whenever I start my computer, after ~40 seconds Avast pops up that it blocked ttp://reddie.net/3333/SoftwareLite_142253801671892.dll mal from svchost (I removed the “h” from http so it isn't recognised as a link, as someone could click it by mistake).
After this I saw on this forum some suggestions about downloading Farbar Recovery Scan Tool (64-bit) from bleedingcomputer.com and also making a fixlist.txt file like this:

CreateRestorePoint:
URLSearchHook: HKU\S-1-5-21-2193451885-3061411386-3312491815-1000 - (No Name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - No File
SearchScopes: HKU\S-1-5-21-2193451885-3061411386-3312491815-1000 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
BHO-x32: Symantec NCO BHO -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\coIEPlg.dll (Symantec Corporation)
BHO-x32: Symantec Intrusion Prevention -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\17.5.0.127\IPSBHO.DLL (Symantec Corporation)
BHO-x32: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
2015-01-27 13:29 - 2015-01-27 13:29 - 00000000 ____D () C:\Users\aguacate\AppData\Local\{61760321-07AE-4CEB-99BC-12538C932C00}
2015-01-27 13:27 - 2015-01-27 13:28 - 00000000 ____D () C:\Users\aguacate\AppData\Local\{BFC981B2-C861-444D-A479-386CDAC603BD}
2015-01-23 16:06 - 2015-01-23 16:06 - 00000000 ____D () C:\Users\aguacate\AppData\Local\{F1AAE35C-828D-4258-AC4A-5534954115F1}
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivqqsp26hfm
EmptyTemp:
CMD: bitsadmin /reset /allusers

I ran frst.exe (in the same directory), I scanned and it didn't need a restart.
After that I downloaded AdwCleaner from bleeping computer, ran it as admin as well, and it seemed to clean some stuff, but I didn't see anything about “reddie.net”. Anyway, I also have the txt files. I can't upload them here. (how to? :P)
Anyway, I restarted the PC and it continues to pop up the same message from Avast.

These are the txt files… I found the way.

* (for not reposting again) I restarted the computer and I had this pop-up from Avast:
“ttp://epictory.com/3333/UpgraderCreator_142258482497601.dll” (removed the “h” for the same reason as previously)

edit 2
The FIRST log of AdwCleaner is the one that found some stuff… since then I did another 2 scans without finding anything.

“After this I saw on this forum some suggestions about downloading Farbar Recovery Scan Tool (64-bit) from bleedingcomputer.com and also making a fixlist.txt file like this:”
Then I guess you did see the WARNING about not running the fix, as it is made for that specific computer.

essexboy will create a fix based on your logs when he is online… may be a few hours.

Start with removing Chrome.
Malware has changed it into a developer version that makes it possible to install all kinds of malicious things without you noticing it.

Maybe in a few hours? Anyway, I did see that, but no person who had the problem sent any log in the first place. They just said that they had that problem (pop-up about reddie.net) and he always gave that answer. He even used the same lines.

And no, I don't have Chrome. Also no such add-on/plugin for Firefox and IE.

Hi TheJohn :slight_smile:

If you read the contents of that fix you see it is very specific in what it does/removes, so it can't be a general fix for something.
Let's hope it didn't damage anything.

You didn't see the attached logs from the post(s) you mentioned because, looking at your post count, you were not a forum member then and/or not logged in.
You have to be logged in to see attachments.

That said : We still need your Malwarebytes Anti-Malware log https://forum.avast.com/index.php?topic=53253.0

Greetz, Red.

Let me know if this cures the alerts

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://websearch.coolsearches.info/?pid=23216&r=2015/04/06&hid=209045210545547335&lg=EN&cc=GR&unqvl=85
SearchScopes: HKLM-x32 -> DefaultScope {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.coolsearches.info/?l=1&q={searchTerms}&pid=23216&r=2015/04/06&hid=209045210545547335&lg=EN&cc=GR&unqvl=85
SearchScopes: HKLM-x32 -> {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.coolsearches.info/?l=1&q={searchTerms}&pid=23216&r=2015/04/06&hid=209045210545547335&lg=EN&cc=GR&unqvl=85
FF DefaultSearchEngine,S: WebSearch
FF DefaultSearchUrl: hxxp://websearch.coolsearches.info/?pid=23216&r=2015/04/06&hid=209045210545547335&lg=EN&cc=GR&unqvl=85&l=1&q=
FF SearchEngineOrder.1: WebSearch
FF SearchEngineOrder.1,S: WebSearch
FF SelectedSearchEngine: WebSearch
FF SelectedSearchEngine,S: WebSearch
FF Keyword.URL: hxxp://websearch.coolsearches.info/?pid=23216&r=2015/04/06&hid=209045210545547335&lg=EN&cc=GR&unqvl=85&l=1&q=
2015-04-10 21:40 - 2015-04-11 18:16 - 00003136 _____ () C:\Windows\System32\Tasks\{A6D30104-9744-4DA4-A9CA-FBB21FEEC4A6}
2015-04-08 05:27 - 2015-04-08 05:27 - 00098253 _____ () C:\ProgramData\1428459923.bdinstall.bin
2015-04-08 05:25 - 2015-04-08 05:25 - 00037671 _____ () C:\ProgramData\1428459922.bdinstall.bin
2015-04-08 05:20 - 2015-04-08 05:20 - 00203990 _____ () C:\ProgramData\1428459591.bdinstall.bin
2015-04-08 05:19 - 2015-04-08 05:19 - 00047339 _____ () C:\ProgramData\1428459580.bdinstall.bin
2015-04-06 08:50 - 2015-04-06 08:50 - 00000000 ____D () C:\ProgramData\e026dfa300005396
2015-04-06 08:38 - 2015-04-10 09:44 - 00000000 ____D () C:\ProgramData\{74f51e21-efd5-6da8-74f5-51e21efd7887}
2015-04-01 22:31 - 2015-04-06 03:11 - 00000000 ____D () C:\ProgramData\{cc1215e4-d4f8-6909-cc12-215e4d4f5793}
2015-03-30 00:24 - 2015-03-30 00:24 - 00000000 ____D () C:\ProgramData\b1bc96e000070bb
2015-03-30 00:21 - 2015-03-30 00:21 - 00000000 ____D () C:\ProgramData\5518239815551400590
2015-03-30 00:20 - 2015-04-06 03:11 - 00000000 ____D () C:\ProgramData\{813072ca-4cb9-aa8d-8130-072ca4cbcb29}
2015-03-29 15:56 - 2015-03-29 15:56 - 00003178 _____ () C:\Windows\System32\Tasks\{810C40AC-B573-4701-ACE1-F0E80F6A6C1E}
2015-03-29 11:16 - 2015-03-29 11:16 - 00000000 ____D () C:\Windows\29d2a935ad8ad83f8375
2015-03-29 10:17 - 2015-03-29 10:17 - 00000000 __SHD () C:\Users\Giannis\AppData\Local\EmieUserList
2015-03-29 10:17 - 2015-03-29 10:17 - 00000000 __SHD () C:\Users\Giannis\AppData\Local\EmieSiteList
2015-03-29 10:17 - 2015-03-29 10:17 - 00000000 __SHD () C:\Users\Giannis\AppData\Local\EmieBrowserModeList
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Google\Update
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
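For readers who want to see what the fix above is aimed at before (and after) running anything, here is a read-only triage script. It is an added example written for this edit, not part of the thread, essexboy's fix or FRST, and it changes nothing on the machine. It lists the same classes of entry the fixlist removes: BITS jobs for all users with their remote URLs (the `bitsadmin /reset /allusers` line is there because a persisted BITS job is what keeps svchost re-downloading a DLL at every boot, which is exactly how the Avast block in the first post reads), scheduled tasks and task files whose names are bare GUIDs, GUID- or hex-named folders under ProgramData, Local AppData and the Windows directory, the IE start page and search scopes, and the current user's proxy settings. The domain list is taken from this thread (reddie.net, epictory.com, coolsearches.info, conduit.com); the hex-folder pattern is generalised from the folder names in the fixlist and is an assumption, as is the requirement of an elevated PowerShell session on Windows 7 or later with the BitsTransfer module present.

```powershell
# Added read-only triage script (not from the thread, essexboy or FRST).
# Run from an elevated PowerShell prompt; nothing here deletes or changes anything.

$Guid    = '^\{?[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?$'
$Hex     = '^[0-9a-f]{14,20}$'   # assumed pattern, e.g. e026dfa300005396 / b1bc96e000070bb
$Domains = 'reddie\.net|epictory\.com|coolsearches\.info|conduit\.com'   # domains seen in this thread

function Show-Section($Title) { Write-Host "`n=== $Title ===" -ForegroundColor Cyan }
function Flag($Text) { if ($Text -match $Domains) { '[KNOWN BAD]' } else { '' } }

# 1. BITS jobs for every user. A persisted job is what makes svchost fetch the DLL
#    again at each boot; "bitsadmin /reset /allusers" cancels all of them.
Show-Section 'BITS jobs (all users)'
Import-Module BitsTransfer -ErrorAction SilentlyContinue
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
    $job = $_
    $job.FileList | ForEach-Object {
        '{0} {1,-12} owner={2} {3} -> {4}' -f (Flag $_.RemoteName), $job.JobState, $job.OwnerAccount, $_.RemoteName, $_.LocalName
    }
}

# 2. Scheduled tasks. schtasks works on Windows 7 too; /v adds the command line.
#    The verbose CSV repeats its header row per task folder, so those rows are dropped.
Show-Section 'Scheduled tasks with GUID names'
schtasks.exe /query /fo csv /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and ($_.TaskName -split '\\')[-1] -match $Guid } |
    ForEach-Object { '{0}  runs: {1}  as: {2}' -f $_.TaskName, $_.'Task To Run', $_.'Run As User' }

Show-Section 'GUID-named task files under System32\Tasks'
Get-ChildItem "$env:windir\System32\Tasks" -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match $Guid } |
    ForEach-Object { '{0}  {1}  {2} bytes' -f $_.LastWriteTime, $_.FullName, $_.Length }

# 3. Dropper folders: GUID- or hex-named directories where the fixlist found them.
Show-Section 'Suspicious folders'
foreach ($root in @($env:ProgramData, $env:LOCALAPPDATA, $env:windir)) {
    Get-ChildItem $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and ($_.Name -match $Guid -or $_.Name -match $Hex) } |
        ForEach-Object { '{0}  {1}' -f $_.LastWriteTime, $_.FullName }
}

# 4. Browser hijack settings (the fixlist's Start Page / SearchScopes lines).
Show-Section 'IE start page'
foreach ($key in 'HKLM:\Software\Microsoft\Internet Explorer\Main',
                 'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\Main',
                 'HKCU:\Software\Microsoft\Internet Explorer\Main') {
    $sp = (Get-ItemProperty $key -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($sp) { '{0} {1} = {2}' -f (Flag $sp), $key, $sp }
}

Show-Section 'IE search scopes'
foreach ($key in 'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes',
                 'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
                 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes') {
    Get-ChildItem $key -ErrorAction SilentlyContinue | ForEach-Object {
        $url = (Get-ItemProperty $_.PSPath -Name URL -ErrorAction SilentlyContinue).URL
        if ($url) { '{0} {1}\{2} = {3}' -f (Flag $url), $key, $_.PSChildName, $url }
    }
}

# 5. Proxy settings (the fixlist's RemoveProxy: line resets these).
Show-Section 'Proxy settings (current user)'
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List
```

Running this once before the fix and once after gives a simple before/after comparison: the BITS list and the GUID-named task and folder lists should be empty afterwards, and the start page and search scope URLs should no longer carry the [KNOWN BAD] flag. A remaining BITS job whose RemoteName points at an unfamiliar host is the single most useful line to post for whoever is helping, since it is the job, not the DLL it drops, that survives reboots.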

It took my computer 20 sec to start and it showed a black screen in the beginning, I was terrified. :stuck_out_tongue:
By the way, with the previous (wrong; I recognise I did something stupid ;p) fixlist.txt I didn't click “Fix”, just Scan. And afterwards I just ran AdwCleaner. I don't think that this messed up my system, right? (hope so)

Also, until now no pop-up by Avast. The last time I started up my computer before the fix from FRST64 it was showing another URL (neither epictory nor reddie).
Here I have to ask this question. How does all this happen (first time in my life)? I try to understand what happened with the computer (and with many people out there these days), how they got infected. And what do all these things do? Thank you anyway :slight_smile: :slight_smile:

Many times it is not possible to (easily) trace back where something came from.
If I have to guess, I would say it came with something you installed for one of the games you seem to play.

Two other things I would like to comment on:
I see OpenOffice.
I suggest to remove it and get LibreOffice.
OpenOffice is frankly not maintained anymore.

I also see Winrar.
That is not free and I suggest to replace it with 7zip.

The black screen was FRST finalising the cleaning :slight_smile:

As to where this comes from your guess is as good as mine :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right click on the Unchecky_setup and choose to Run as Administrator.
Once open click the Install button.
Then click on Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire and forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

Thank you very much my friend :slight_smile: