Avast Pro Trying to Comminucate with Rogue Site

Viruses and worms
1

I have Avast Internet Security 2011, Windows 7 64 bit, all lastest fixes, and was hit with malware. Avast didn’t catch it, but a scan with Malwarebyte’s did, and cleaned it out.
Here is the MWB cleaning log:

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT.exe\shell\open\command(default) (Hijack.ExeFile) → Value: (default) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command(default) (Hijack.StartMenuInternet) → Bad: (“C:\Users\MyPC\AppData\Local\grb.exe” -a “C:\Users\MyPC\AppData\Local\Minefield\firefox.exe”) Good: (firefox.exe) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command(default) (Hijack.StartMenuInternet) → Bad: (“C:\Users\MyPC\AppData\Local\grb.exe” -a “C:\Users\MyPC\AppData\Local\Minefield\firefox.exe” -safe-mode) Good: (firefox.exe -safe-mode) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command(default) (Hijack.StartMenuInternet) → Bad: (“C:\Users\MyPC\AppData\Local\grb.exe” -a “C:\Program Files (x86)\Internet Explorer\iexplore.exe”) Good: (iexplore.exe) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command(default) (Broken.OpenCommand) → Bad: (“C:\Users\MyPC\AppData\Local\grb.exe” -a “%1” %) Good: (“%1” %) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\MyPC\local settings\grb.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\Users\MyPC\local settings\application data\grb.exe (Trojan.FakeAlert) → Quarantined and deleted successfully.

Now when I am online the Avast tray icon does not show up, and I keep getting this popup from MWB:

20:55:28 MyPC IP-BLOCK 213.131.252.251 (Type: outgoing, Port: 53306, Process: avastsvc.exe)

I see this every few minutes. I tried to uninstall Avast IS 2011, and it fails to uninstall. I can also not get the firewall to turn on, it has turned it self off.
I did a full scan, no viruses with Avast, but I am not sure it is working correctly or as it should. MWB comes up clean on a scan. Any suggestions on how to fix it, or if there is something else still running and I can’t find it with Avast or MWB?
I looked in the services and running processes and they all look normal. I am a bit worried and wondering why avastsvc.exe is trying to communicate with a site listed a s rogue site on MWB and a few other places.

2
I tried to uninstall Avast IS 2011, and it fails to uninstall.
remove with this, then install again

Uninstall Utility http://www.avast.com/en-no/uninstall-utility

3

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )

To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log )

Essexboy will look at the logs when he arrive here later today…

and dont cut anything out from the log, attach all of it

4

Welcome to the forum, DCS :slight_smile:

The reason why avastsvc.exe is showing up in the log instead of actual process accessing the IP, is because avast!'s Web Shield/Network Shield intercepts the network traffic.

avast! is not actually communicating with rogue site so don’t worry about it. :slight_smile:

EDIT: You should still post the logs requested as there could be some traces of malware left behind.

5

The WebShield/Network Shield never alerted me of the connection or tried to block it. Since I have used MLB a few times and it works well with Avast to clean things out, I decided to support MLB and bought a license. It was MLB that caught it right after I installed the license.

I went ahead and ran the OTS, and it is attached. I am running through my daily backups to see how many of those have the exe files that were giving me the headaches. If needed I can restore it to a test box and rerun OTS to see what it comes up with.

6
I went ahead and ran the OTS, and it is attached.
where ???
7

It would not allow me to attach it as it is 237K. I zipped it, then the forum would tell me I already posted it. It is attached, but had to zip it and change the extension from zip to log.

8

Hi MBAM left one folder behind and 1 file association that needs repairing - otherwise it looks good

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\
YN -> .exe [@ = Reg Error: Key error.] -> Reg Error: Key error.
[Files/Folders - Modified Within 30 Days]
NY ->  d2rx8j42858nq3p3xfnu5ef6l0v -> C:\ProgramData\d2rx8j42858nq3p3xfnu5ef6l0v
[Files - No Company Name]
NY ->  d2rx8j42858nq3p3xfnu5ef6l0v -> C:\ProgramData\d2rx8j42858nq3p3xfnu5ef6l0v
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

9

you need to save OTS it as ANSI and not UNICODE…then it will also be smaller

UNICODE is just chinese gibbely gobbel so we cant read it

well i guess Essexboy solved it… ;D

10

Yep changed the extension to zip and viola it works ;D

11

you are the man ;D

early today!.. quiet at G2G ::slight_smile:

12

Aye America seems to be still in bed ;D

13

Attached is 2 latest log from running the fix. Since it generated 2 logs and they were different sizes.

14

Any further alerts or problems ?

15

Scanned full scans with Avast and MLB, both show it is clean. Thank you for all the help! :slight_smile:

16

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [purity] [emptytemp] [EMPTYFLASH] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

[] Go to this site and click Do I have Java
[] It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]GoStart > All programs > Accessories > system tools page
[*]Select Performance Information and Tools
[*]Right click Disc cleanup an select run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[]Select OK
[]Select Delete

Final stretch

Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and disk check

http://i1224.photobucket.com/albums/ee362/Essexboy3/Puran.gif

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave: