Avast is sending me constant alerts

Hi,

I’ve been getting the same unrelenting avast alerts that many are experiencing. It tells me that “Avast has blocked a harmful webpage or file”.

Object: http://forteen-meters7.me/task/3038 (sometimes it lists a different website)
Infection: URL: Mal2
Process: c:\Windows\System32\svchost.exe
and when I click on the “more details” button on the alert it takes me to an Avast website that lists “Infekce zablokovana…”

It seems like they pop up every 5 minutes or so without me even going on the Internet. So far I’ve run Malwarebytes multiple times. I ran CCleaner. I also ran AdwCleaner. But I’m still getting the alerts. I’ve run Farbar Recovery Scan Tool, and attached the Addition.txt and FRST.txt files. Could I get help with this? Your assistance is much appreciated!!

Hi there, I will need to do an additional 2 runs for this to replace a system file.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Download the attached Fixlist.txt to the same location as FRST
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now.

Thanks Essex! I will give it a try.

Hi Essex,

I ran the fixlist, using frst, and I ran combofix. Unfortunately I still have the alerts popping up.

I made a mistake with ComboFix - I didn’t properly disable Avast or Windows Defender before running it. I thought I had stopped it through Task Manager. Should I run ComboFix again (disabling the programs properly this time)? I didn’t read the link properly - my bad. I already rebooted the machine - but I haven’t done anything else yet.

You will continue with the alerts until I replace the infected file. ComboFix will not replace it as it does not recognise it as infected.

Unfortunately you only appear to have the infected copy, so I will need to search your cab files. When OTL has finished, open the file and select Save As, then ensure that the encoding at the bottom is set to ANSI.

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Select LOP and Purity
[*]Under the Custom Scan box paste this in


/md5start
rpcss.*
/md5stop
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

Hi Essex,

Thank you for all your help up until now - I’m sure I speak for everyone when I say we totally appreciate the work that you do! Attached is the OTL.txt file. Unfortunately, it did not produce an extra.txt file.

Sorry, disregard earlier message. I didn’t save in ANSI. This is the correct file.

The alerts should cease after this run

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_c5bfcda3579104e3\rpcss.dll|c:\windows\system32\rpcss.dll

File::
C:\Windows\system32\dgdq.ecd

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
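The fix above restores rpcss.dll from a clean WinSxS copy. As an added example (not part of this thread or of ComboFix), the following PowerShell script checks whether the live System32 copy of a system DLL is byte-identical to any copy in the WinSxS component store and reports its Authenticode status; it assumes PowerShell 4 or later (for Get-FileHash) and an elevated prompt.

```powershell
# Added example (not from this thread): compare C:\Windows\System32\<file> against
# every copy of the same file name in the WinSxS component store.
# Assumes PowerShell 4+ (Get-FileHash) and an elevated prompt.
param(
    [string]$FileName = 'rpcss.dll'
)

$live = Join-Path $env:SystemRoot "System32\$FileName"
if (-not (Test-Path $live)) { throw "Not found: $live" }

# Hash and signature status of the live copy. Note: on older Windows versions
# catalog-signed system files can report NotSigned here, so the hash comparison
# below is the primary check and the signature status is supplementary.
$liveHash = (Get-FileHash -Path $live -Algorithm SHA256).Hash
$liveSig  = (Get-AuthenticodeSignature -FilePath $live).Status
Write-Host ("Live copy : {0}`n  signature: {1}`n  SHA256   : {2}" -f $live, $liveSig, $liveHash)

# Every WinSxS copy with the same file name (the thread's fix copied one of these back).
$store  = Join-Path $env:SystemRoot 'WinSxS'
$copies = Get-ChildItem -Path $store -Filter $FileName -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName
            Hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signed = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    }

$match = $copies | Where-Object { $_.Hash -eq $liveHash }
if ($match) {
    Write-Host "OK: the live copy is identical to a WinSxS copy:"
    $match | Format-Table -AutoSize
} else {
    Write-Warning "The live copy (signature: $liveSig) matches no WinSxS copy; candidates below."
    $copies | Sort-Object Path | Format-Table -AutoSize
}
```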

Hi Essex,

I applied the fix that you prescribed. Attached is the combofix file. I just restarted the computer and so far no alerts. I’m crossing my fingers! Thanks for all the help you’ve been providing me! I’ll let you know if I get any more alerts.

A few more pieces to kill which were revealed when the infected file was replaced; this should be the last run. Once done, let me know how the computer is behaving.

  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"expaheme"=-
"UjfiQoshi"=-

File::
c:\windows\system32\Magntend.exe

Folder::
c:\programdata\UjfiQoshi

RenV::
c:\program files (x86)\Yoics Inc\Remote Cameras\Remote Cameras .exe

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Hi Essex,

Attached is the ComboFix file. So far, before this fix I haven’t had the alerts. Hopefully it continues to stay that way. Thank you for your help!

All looks hunky dory … How is the computer behaving now ?

Sorry, just stepped out for a while - it seems ok now. Usually at the onset it was giving me those alerts and continued throughout. So far so good! I will continue to keep you posted. Thanks again, Essex, for working your magic! ;D

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Hi Essex,

I think everything is ok now - I’m almost at the 24 hour mark but I think it’s safe to say that it’s clean. No alerts at all! I will apply the Delfix and crypto software. Again, thank you for all your help! You are AWESOME, dude!!! ;D

My pleasure :slight_smile: