My computer is infected with Java Blackcole. My web browsing is very slow. Avast Internet Security detects the threat, yet cannot delete or remove it. Please help me to get this removed. I work on my computer and cannot do anything right now. I have Windows Vista 64-bit, using Google Chrome.
I will need some data first
Download aswMBR.exe ( 4.8mb ) to your desktop.
Double click the aswMBR.exe to run it. Click the “Scan” button to start the scan.
http://dl.dropbox.com/u/73555776/aswMBRscan.png
On completion of the scan click save log, save it to your desktop and post in your next reply
http://dl.dropbox.com/u/73555776/aswMBRlog.png
THEN
Download OTL to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.*
WSHELPER.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
I downloaded the first program, it won't run. It won't run in a new link either, just times out. I'm having trouble replying to this thread. Says error.
OK I will go straight for the big boy first
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
Thank you. Update: when I clicked the first link it immediately began to download at the bottom of my screen, so I'm not sure if/how to save to desktop unless you meant after the download (sorry, real newbie here). Problem: the ComboFix exe is running slower and slower. Right now it says 7 hours left. Just FYI.
OK try a different link. Under my avatar is a globe; click that and it will take you to my skydrive.
There you will find a file called Gotcha; see if you can download that… It is a renamed ComboFix.
Are you downloading with Firefox or IE?
This thing has messed up my ability to download and web browse. It's lethal! Are there any step by step manual instructions to remove it, no matter how detailed? I have a backup registry saved; will that help? It will not open the link under your avatar, nor run the previous programs listed. I use Google Chrome. I do not have Firefox, and IE cannot load any internet pages.
Wait: the Gotcha file just appeared. I am trying to download now. It appears to be downloading but very, very slowly, like hours-long slow.
Can you disable Java and empty the cache?
Unfortunately I do not have Java on my system so I cannot tell you how to do that …
Do you have access to another computer and a USB drive?
Still desperate.
Update: ComboFix and Gotcha will not download. The computer slows it way down, the time gets longer and longer and then it just stops. I don't know how to disable Java or empty the cache. I saw it under Programs and deleted it and restarted. The problem still exists; my computer is barely functioning. The only other computer I can access is at the library. Do you have any other fixes I can try?
OK this may or may not work… We will run a clean boot; this will disable everything bar the MS services.
First though, are you able to achieve safe mode with networking?
Reboot the computer
Repeatedly press F8
At the menu that should appear select safe mode with networking
If that works then try to download ComboFix.
If it fails:
Step 1:
Start the System Configuration Utility
Click Start, click Run, type msconfig, and then click OK.
The System Configuration Utility dialog box is displayed.
Step 2:
Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, click Restart to restart the computer.
Step 3: Log on to Windows
If it is better then download combofix and run
Failing that the only way we will be able to work is if we can use a second computer for the downloads
Download the following three programmes to the second computer's desktop:
Extract wintobootic to your desktop
Insert a USB drive of at least 4GB
Run Wintoboot
http://dl.dropbox.com/u/73555776/wintoboot.JPG
Drag and drop the Windows Vista ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It
You will see it progressing
http://dl.dropbox.com/u/73555776/usb%20progress.JPG
It will let you know when it is done
Then copy FRST to the same USB
http://dl.dropbox.com/u/73555776/frstwintoboot.JPG
Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that follow the instructions Here
When you reboot you will see this .
Click repair my computer
http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg
Select your operating system
http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg
Select Command prompt
http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg
At the command prompt type notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
I finally got Combo fix to work.
Log
06/22/2012 16:08:44.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1982.1253 [GMT -6:00]
Running from: c:\users\lyght2\Downloads\ComboFix.exe
AV: avast! Internet Security Disabled/Updated {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Microsoft Security Essentials Disabled/Updated {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
FW: avast! Internet Security Disabled {131692B0-0864-D491-4E21-3A3A1D8BBB47}
SP: avast! Internet Security Disabled/Updated {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Microsoft Security Essentials Disabled/Updated {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender Disabled/Updated {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\Uninstall
c:\users\lyght2\OOo_3.1.0_Win32Intel_install_wJRE_en-US.exe
c:\windows\system32\drivers\snetcfg.exe
c:\windows\system32\KBL.LOG
c:\windows\system32\ndisapi.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-05-22 to 2012-06-22 )))))))))))))))))))))))))))))))
.
.
2012-06-22 22:20 . 2012-06-22 22:20 -------- d-----w- c:\users\saige\AppData\Local\temp
2012-06-22 22:20 . 2012-06-22 22:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-22 09:03 . 2012-05-17 22:24 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-22 09:03 . 2012-05-17 23:21 140920 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2012-06-22 09:03 . 2012-05-17 22:31 194560 ----a-w- c:\program files\Internet Explorer\ieproxy.dll
2012-06-22 02:07 . 2012-02-09 20:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{749346EE-1BE5-4A22-963D-84AA04DA7A72}\gapaengine.dll
2012-06-22 02:06 . 2012-06-18 09:14 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E380B1D6-B7B8-436E-8B25-F275BB4AD884}\mpengine.dll
2012-06-22 01:55 . 2012-06-22 01:56 -------- d-----w- c:\program files\Microsoft Security Client
2012-06-22 01:54 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2012-06-22 01:28 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4CB348B2-9F1F-4426-BD54-CB05A7DD0548}\mpengine.dll
2012-06-22 01:26 . 2012-04-23 16:00 984064 ----a-w- c:\windows\system32\crypt32.dll
2012-06-22 01:26 . 2012-04-23 16:00 98304 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-22 01:26 . 2012-04-23 16:00 133120 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-22 01:22 . 2012-05-01 14:03 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-22 01:21 . 2012-05-15 19:51 2045440 ----a-w- c:\windows\system32\win32k.sys
2012-06-22 00:18 . 2012-06-22 00:18 -------- d-----w- C:\MATS
2012-06-11 17:05 . 2012-06-11 17:05 -------- d-----w- c:\users\lyght2\AppData\Local\Apps
2012-06-01 20:06 . 2012-06-01 20:06 -------- d-----w- c:\users\lyght2\AppData\Local\Graboid Inc
2012-06-01 20:06 . 2012-06-01 20:06 -------- d-----w- c:\programdata\Graboid Inc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-04 21:56 . 2009-08-27 02:23 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-03 08:16 . 2012-05-08 19:54 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-03 08:16 . 2012-05-08 19:54 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-30 12:39 . 2012-05-08 19:55 914304 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-29 13:39 . 2012-05-08 19:55 31232 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2011-06-03 22:25 . 2011-07-29 23:40 625984 ----a-w- c:\program files\Common Files\ZugoInstaller.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddoctorv2]
2008-04-24 19:25 202560 ----a-w- c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-09-13 16:47 480560 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
2007-01-08 23:53 311296 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WPCUMI]
2006-11-02 12:35 176128 ----a-w- c:\windows\System32\wpcumi.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-24 01:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the ‘Scheduled Tasks’ folder
.
2012-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-679515594-3204615719-744950643-1000Core.job
- c:\users\lyght2\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-19 01:12]
.
2012-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-679515594-3204615719-744950643-1000UA.job - c:\users\lyght2\AppData\Local\Google\Update\GoogleUpdate.exe [2009-12-19 01:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_02\bin\jusched.exe
.
.
.
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-22 16:21
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes …
.
scanning hidden autostart entries …
.
scanning hidden files …
.
scan completed successfully
hidden files: 0
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.17.20\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.17.20\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-06-22 16:24:34
ComboFix-quarantined-files.txt 2012-06-22 22:24
.
Pre-Run: 48,297,439,232 bytes free
Post-Run: 48,957,014,016 bytes free
.
- - End Of File - - BE4F1B42830590C8F9AFFD55424E830F
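The ComboFix log above is plain text, and the two sections a helper reads first (the “Files Created” list and the Run keys under “Reg Loading Points”) have a regular line format. The parser below is an added example, not part of this thread or of ComboFix; it assumes the file lines are laid out as created date, modified date, size, flags and path, and it runs on a constructed excerpt in that layout with one invented `updater.exe` line so the triage heuristic at the end has something to flag.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed excerpt in the layout of the ComboFix log above; the updater.exe
# line is invented so the heuristic at the bottom has something to flag.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2012-05-22 to 2012-06-22 )))))))))))))))))))))))))))))))
2012-06-22 22:20 . 2012-06-22 22:20 -------- d-----w- c:\users\saige\AppData\Local\temp
2012-06-22 09:03 . 2012-05-17 22:24 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-01 20:06 . 2012-06-01 20:06 -------- d-----w- c:\programdata\Graboid Inc
2012-06-02 11:00 . 2012-06-02 11:00 51200 ----a-w- c:\users\lyght2\AppData\Local\Temp\updater.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"""
# File line "<created> . <modified> <size> <flags> <path>"; directories print "--------"
# as size and carry "d" in the flags. Run entries look like "name"="path" [date size].
FILE_RE = re.compile(r"^(\S+ \S+) \. (\S+ \S+) (\S+) (\S{8}) (.+)$")
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)" \[\S+ (\d+)\]$')
@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directories
    flags: str
    path: str

@dataclass
class Autorun:
    key: str
    name: str
    path: str
    size: int

def parse_file_entries(text: str) -> List[FileEntry]:
    out = []
    for m in filter(None, map(FILE_RE.match, text.splitlines())):
        created, modified, size, flags, path = m.groups()
        out.append(FileEntry(created, modified,
                             int(size) if size.isdigit() else None, flags, path))
    return out

def parse_autoruns(text: str) -> List[Autorun]:
    out, key = [], ""
    for line in text.splitlines():
        k, m = KEY_RE.match(line), RUN_RE.match(line)
        if k:
            key = k.group(1)
        elif m and key:
            out.append(Autorun(key, m.group(1), m.group(2), int(m.group(3))))
    return out

# Triage heuristic, not a verdict: a brand-new executable (created == modified) in a
# user-writable folder merits a look; OS updates usually show an older modified stamp.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")
def suspicious_files(entries: List[FileEntry]) -> List[str]:
    return [e.path for e in entries
            if "d" not in e.flags and e.path.lower().endswith((".exe", ".dll", ".sys"))
            and e.created == e.modified and any(w in e.path.lower() for w in USER_WRITABLE)]
```

Run against the full log, the heuristic only narrows what to look at; every hit still needs the file's publisher and hash checked before anything is removed.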
How did you get it to work?
Could you now run an OTL scan for me please, using the original scan settings.
I tried so many things that I don’t know what finally allowed me to get it downloaded. I used Mr. fix It and safe mode. Here is the log for the OTL.
OK let's get the rest… First you must uninstall Norton.
Download the removal tool from here and run https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?ct=us&lg=en&product=home&pvid=f-home&version=1&docid=20080828154508EN
Then
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKU\S-1-5-21-679515594-3204615719-744950643-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Once you have completed the above let me know of any outstanding problem
Ok, here is the OTL log after the requested steps listed.
One question: I still have this csrss.exe running in Task Manager that I cannot end process on. Should I worry about that?
And thank you for all your time.
That is a legitimate process; if you stop it the computer will crash.
You still need to get rid of Norton.
How is the computer behaving now?
The computer is running much better. It’s just really loud, like it’s running too many processes or is overheated.
I used the Norton uninstall tool 2 months ago when I bought Avast. I ran it again yesterday just as you said. Somehow it's stuck in there like a bug. I believe I'm able to work now. Thank you so much for your timely responses and your knowledge.
If you could run a fresh OTL quick scan I will then remove Norton for you.
Here is the fresh OTL for Norton removal.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:OTL
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)
SRV - [2011/11/07 13:37:20 | 000,126,392 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Norton PC Checkup\Engine\2.0.17.20\ccSvcHst.exe -- (PCCUJobMgr)
SRV - [2011/11/07 13:36:13 | 000,135,608 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Norton PC Checkup\Engine\2.0.17.20\SymcPCCULaunchSvc.exe -- (Norton PC Checkup Application Launcher)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\lyght2\AppData\Local\Temp\catchme.sys -- (catchme)
:Files
ipconfig /flushdns /c
C:\Program Files\Norton PC Checkup
C:\Program Files\Common Files\Symantec Shared
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
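The two OTL fix scripts in this thread are warned as being specific to this one machine, so before pasting such a script it is worth seeing exactly what it targets. The previewer below is an added example, not part of the thread or of OTL; it assumes the script is divided by `:OTL`, `:Files` and `:Commands` headers, that service and driver lines end in `-- (<name>)`, and that a trailing ` /c` in the `:Files` section marks a command to execute rather than a path to remove, and it runs on a constructed script in the layout of the ones above.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the OTL fix scripts posted in this thread.
SAMPLE_FIX = r"""
:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
SRV - File not found [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe -- (Symantec RemoteAssist)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\lyght2\AppData\Local\Temp\catchme.sys -- (catchme)
:Files
ipconfig /flushdns /c
C:\Program Files\Norton PC Checkup
:Commands
[purity]
[emptytemp]
[Reboot]
"""

SECTION_RE = re.compile(r"^:(OTL|Files|Commands)$")
OTL_LINE_RE = re.compile(r"^(O\d+|SRV|DRV) - ")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_fix(script: str) -> Dict[str, List[str]]:
    """Split an OTL fix script into its :OTL, :Files and :Commands sections."""
    sections: Dict[str, List[str]] = {"OTL": [], "Files": [], "Commands": []}
    current = None
    for line in (raw.strip() for raw in script.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line and current:
            sections[current].append(line)
    return sections

def preview(script: str) -> Dict[str, List[str]]:
    """Summarise what a fix would touch, so it can be reviewed before it is run."""
    s = parse_fix(script)
    plan: Dict[str, List[str]] = {"registry_entries": [], "services_drivers": [],
                                  "run_commands": [], "delete_paths": []}
    for line in s["OTL"]:
        m = OTL_LINE_RE.match(line)
        kind = m.group(1) if m else "?"
        if kind in ("SRV", "DRV"):
            # Service/driver lines end with "-- (<service name>)" (assumed convention).
            plan["services_drivers"].append(f"{kind} {line.rsplit('(', 1)[-1].rstrip(')')}")
        else:
            ids = CLSID_RE.findall(line)
            plan["registry_entries"].append(f"{kind} {ids[0] if ids else line}")
    for line in s["Files"]:
        # Assumed OTL convention: a trailing " /c" marks a command to execute;
        # any other line is a file or folder the fix will remove.
        if line.endswith(" /c"):
            plan["run_commands"].append(line[:-3])
        else:
            plan["delete_paths"].append(line)
    plan["directives"] = s["Commands"]
    return plan
```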