system
1
I have brought the computer to my home to fix it, so it is not connected to a network. When it was connected, there were many pop-ups saying the Avast Web Shield has blocked a harmful webpage or file. One example of this is:
Object: http://rfargoost6.in/task/35/
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe
I attached logs per the instructions at: forum.avast.com/index.php?topic=53253.0
Thank you in advance!
Pondus
2
Malware experts are notified… it may take some hours before they are online
Hi I think I know what this is
Please download Farbar Recovery Scan Tool and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
- Right click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to the disclaimer.
- Select both Shortcut and Additions at the bottom.
- Press the Scan button.
https://dl.dropboxusercontent.com/u/73555776/frst.JPG
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach all 3 logs generated.
system
4
Thank you essexboy, I have attached the Farbar logs.
I see you have run Combofix. I will need you to run it again, but download a fresh copy. Please do not use HitmanPro until I have finished, as I will need to repair a system file and HMP would probably try to delete it.
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks.
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
system
6
Attached Combofix log.
I have not put this machine on my network yet. It is someone else’s machine that I am fixing. In order for pop-ups to occur, it must be connected to the network. It has a static IP address, so if I put it on my network, I will have to change to DHCP. Do you want me to do that?
OK, I can confirm the problem, but I need to locate a spare copy of RPCSS as you do not have one in your dllcache. Hopefully OTL will find a spare in the service packs that I can use.
No requirement to connect
Run OTL
https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif
- Select All Users
- Select LOP and Purity
- Under the Custom Scan box paste this in:
/md5start
rpcss.*
/md5stop
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open one Notepad window: OTL.Txt.
- Attach this log and ensure that it is saved as ANSI.
system
8
Attached OTL.txt in ANSI format.
What is this Malware called?
It is a variant on the Blackbeard/ZeroAccess Trojan. Avast can block its effect; however, the file is subtly altered so that no AV detects it.
After this the alerts should cease; could you let me know, please?
- Close any open browsers.
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Open Notepad and copy/paste the text in the quotebox below into it:
Fcopy::
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll|c:\windows\system32\rpcss.dll
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
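The repair above works because a known-good rpcss.dll still exists in the WinSxS component store even when the System32 copy has been patched and dllcache has no spare. As an added example (not code from the thread, OTL or ComboFix), this Python script does the same comparison offline: it hashes the live DLL and checks it against every same-named copy under WinSxS, which is what the md5 scan and the Fcopy restore rely on. The System32/WinSxS paths, component directory name and file contents are constructed fixtures.

```python
"""Offline integrity check of a Windows system DLL against its WinSxS copies.
Added example, not code from the forum thread, OTL or ComboFix.  It mirrors the
helper's ``/md5start rpcss.* /md5stop`` scan and ``Fcopy::`` restore: a patched
rpcss.dll keeps its name and size, so the cheap offline tell is a hash that
matches no known-good store copy.  Paths and contents here are constructed."""
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_system_dll(system32: Path, winsxs: Path, name: str = "rpcss.dll") -> dict:
    """Compare the live DLL with every same-named copy in the component store.
    status: 'missing' (no live file), 'no_reference' (nothing to compare with),
    'clean' (hash equals a store copy) or 'mismatch' (equals none of them)."""
    store = {str(p): sha256_of(p) for p in sorted(winsxs.rglob(name)) if p.is_file()}
    live = system32 / name
    if not live.is_file():
        return {"live": None, "store": store, "match": None, "status": "missing"}
    live_hash = sha256_of(live)
    match = next((p for p, h in store.items() if h == live_hash), None)
    status = "no_reference" if not store else ("clean" if match else "mismatch")
    return {"live": live_hash, "store": store, "match": match, "status": status}

def build_sample_tree(root: Path, tampered: bool) -> tuple:
    """Constructed fixture: a tiny fake System32 plus one WinSxS component dir."""
    system32 = root / "Windows" / "System32"
    winsxs = root / "Windows" / "winsxs"
    component = winsxs / "amd64_microsoft-windows-com-base-qfe-rpcss_EXAMPLE"
    for d in (system32, component):
        d.mkdir(parents=True)
    good = b"MZ" + b"\x00" * 62 + b"genuine rpcss body"
    (component / "rpcss.dll").write_bytes(good)
    # Patched copy of identical length with one byte changed, like the thread's
    # "subtly altered" file that name- and size-based checks would not catch.
    (system32 / "rpcss.dll").write_bytes(good[:-1] + b"X" if tampered else good)
    return system32, winsxs

def demo(tampered: bool) -> str:
    """Run the check on a constructed tree inside a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        system32, winsxs = build_sample_tree(Path(d), tampered)
        return check_system_dll(system32, winsxs)["status"]
```

`demo(True)` returns "mismatch" for the patched copy and `demo(False)` returns "clean"; on a real machine, point `check_system_dll` at C:\Windows\System32 and C:\Windows\winsxs from an offline boot and review any mismatch before replacing anything.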
system
10
As soon as I changed adapter to DHCP and plugged in the network cable, I got pop-ups.
One of them was:
Object: http://rtortern3.biz/task/35/
Infection:Mal
Process: C:\Windows\System32\svchost.exe
Attached Combofix.txt
OK now I need to kill the payload files
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Commands
[CREATERESTOREPOINT]
:OTL
[2014/05/29 15:10:06 | 000,000,064 | ---- | M] () -- C:\Windows\SysNative\rgmv.iil
[2014/05/29 15:10:06 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\wxlk.iux
[2014/05/29 14:54:13 | 000,310,760 | --S- | M] () -- C:\Windows\SysNative\iaqk.gvy
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
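The three payload files in the fix script above share the traits that made them stand out in the OTL log: random four-letter names with made-up extensions, no company string, and in one case the system attribute. As an added example (not code from the thread or from OTL), this Python triage parses OTL file-listing lines of that shape and flags such files in a system directory for review before anything is deleted. The column meanings are read off the three lines in the thread and are an assumption; the sample log is constructed.

```python
"""Triage of OTL file-listing lines like those in the fix script above.  Added
example, not code from the thread or from OTL; the column meanings (timestamp,
byte size, attribute flags, M = modified, company string in parentheses) are
read off the three lines in the thread and are an assumption.  Goal: surface
files dropped into a system directory under random-looking names for review."""
import re

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\sysnative\\", "c:\\windows\\syswow64\\")
KNOWN_EXT = {"dll", "exe", "sys", "drv", "ocx", "cpl", "mui", "ini", "dat", "xml", "txt", "cat", "nls"}

def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                         # not a file-listing line (e.g. ":OTL" header)
    rec = m.groupdict()
    rec["size"] = int(rec["size"].replace(",", ""))   # "000,310,760" -> 310760
    return rec

def suspicious(rec: dict) -> list:
    """Reasons a record deserves a look; an empty list means nothing flagged."""
    path = rec["path"].lower()
    stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
    reasons = []
    if not path.startswith(SYSTEM_DIRS):
        return reasons                      # only system directories are in scope here
    if ext not in KNOWN_EXT:
        reasons.append(f"unusual extension .{ext} in a system directory")
    if len(stem) == 4 and stem.isalpha() and not rec["company"]:
        reasons.append("four-letter name with no company/version string")
    if reasons and "S" in rec["attrs"]:
        reasons.append("also carries the system attribute")
    return reasons

def triage(log_text: str) -> dict:
    """Map each flagged path to its reasons; clean records are dropped."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (why := suspicious(rec)):
            out[rec["path"]] = why
    return out
# Constructed sample: two lines modelled on the thread's fix script, one benign OS file.
SAMPLE_LOG = """\
[2014/05/29 15:10:06 | 000,000,064 | ---- | M] () -- C:\\Windows\\SysNative\\rgmv.iil
[2014/05/29 14:54:13 | 000,310,760 | --S- | M] () -- C:\\Windows\\SysNative\\iaqk.gvy
[2014/05/29 09:00:00 | 000,512,000 | ---- | M] (Microsoft Corporation) -- C:\\Windows\\SysNative\\rpcss.dll
"""
```

`triage(SAMPLE_LOG)` returns the two .iil/.gvy paths with their reasons and leaves rpcss.dll out; the heuristics are a starting point for review, not a verdict, which is why the thread's helper checked the log before writing the fix.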
system
12
Results of QuickScan attached.
What is your best guess as to how this PC got infected? I would like to tell the user if it was a certain type of website they went to…
This is usually received via e-mail and/or torrented movies/cracked programmes.
Could you now reboot and let me know how the computer is behaving
system
14
The PC appears to be running well. Avast updated its definitions and no pop-ups.
This has been the worst Malware I have seen. A very time consuming removal as well, for you and me, both! I assume we are done, unless you want me to do anything else? If so, thank you for taking the time to help me, I appreciate it!
Julie
No problem. This one is complex, as if you remove the files in the wrong order then you have a nice little doorstop to play with. However, Avast blocked it from calling home, so the system was safe.
Subject to no further problems:
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean 
A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:
Download and run Delfix
https://dl.dropboxusercontent.com/u/73555776/delfix.JPG
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent: install this programme to lock down and prevent crypto ransomware.
https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG
Malwarebytes.
Update and run weekly to keep your system clean
It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.
To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe 
system
16
Thank you, essexboy! I am following your final directions now! I, again, appreciate your time in helping me!
Julie