Cannot Register Avast, Server not Found

I hope I am not duplicating threads here, but these forums are so extensive, and I have not seen this topic yet. I ran AVG for years, but a few months ago I started having trouble with it. So I uninstalled the AVG, and began using the Microsoft Security Center, and Microsoft Defender. Well, predictably, I ended up with the “Vista Security 2011” hijacker. I ran an online program called “the cleaner” by Moosoft, and downloaded and ran Malwarebytes. Each of these found malware on my computer. I attempted to install AVG, and it would not install, so I did some research and discovered Avast!

I downloaded and ran Avast!, and it found and fixed over 30 infected files. I decided that I liked it, and attempted to register my free version, but when I clicked on the register button, it popped up a box, thought for a while and then just quit. Next I clicked on the offline registration button, and it opened a new tab in Firefox. The tab said that Firefox was unable to find the server at www.avast.com . Next I just typed www.avast.com into the browser and got the same message. I can access the Avast website on other computers, but not the one in question.

Can anyone give me an idea as to why I can't access the Avast website? Is this the work of malware, or is it a setting on my computer?

Thanks

You are still infected apparently. Read the sticky posts http://forum.avast.com/index.php?board=4.0 and attach logs.

OK, I tried to follow the directions in the referenced topic, but the malware blocked me from most of the sites listed. I did manage to go to LURKHERE==>NICEFILES and download an older version of HIJACK THIS (v 1.99.1). I ran it and attached the file below.

The main problem seems to be from the item that starts off with O4 - HKCU..\Run: [Glpgpm]

When I boot my computer, I get a pop-up from Avast advising me to run it in the sandbox. What is it, and what should I do with it?

A weird thing though… I ran HIJACK THIS a second time and the file was not on it this time. I rebooted my computer and still got the Avast pop-up saying to put it in the sandbox! What the heck is going on here?

Malwarebytes Anti-Malware v1.50.1: http://dl.dropbox.com/u/4373222/mbam-setup.exe
SUPERAntiSpyware 4.50.1002: http://dl.dropbox.com/u/4373222/SUPERAntiSpyware.exe

If it helps you.

If prompted, you obviously should run it in sandbox so that it is isolated from the rest of the system and stops reinfecting it over and over again. Press F1 and read the help on autosandbox.

@ Tom2e
HiJackThis is a waste of space, more so the older versions. It hasn’t kept pace with malware developments and much of it is able to hide from this outdated tool.

This topic is one with the more recent anti-malware analysis tools, http://forum.avast.com/index.php?topic=53253.0.

OK I am running OTS right now, will post the logs as soon as I get them.

Attached is my OTS log. Please see if it tells you anything.

Run Microsoft Fix it 50267 to fix the crap in your hosts file:

http://support.microsoft.com/kb/972034
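
An added example, not part of the original thread or any poster's code: a small Python check for the kind of hosts-file tampering the Fix it above resets, where entries override DNS for a security vendor's domain so that a site such as www.avast.com cannot be reached. The watch list and the sample hosts content are constructed for illustration; on Windows the real file is `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# Assumed watch list: vendor domains mentioned in this thread (extend as needed).
WATCHED = ("avast.com", "avg.com", "microsoft.com")

# Constructed sample hosts file; not taken from the affected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avast.com   # constructed entry
0.0.0.0 avast.com download.avg.com
203.0.113.7     update.microsoft.com
192.168.1.20    nas.home.lan
not-an-ip       www.avast.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every valid mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip lines that do not start with an IP address
        for name in fields[1:]:               # one address may map several names
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(name, watched=WATCHED):
    """True for a watched domain or any of its subdomains (not look-alikes)."""
    return any(name == d or name.endswith("." + d) for d in watched)

def suspicious_entries(text, watched=WATCHED):
    """Return hosts mappings that override DNS for a watched domain."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if is_watched(name, watched):
            kind = "blackholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append((line_no, str(ip), name, kind))
    return findings

if __name__ == "__main__":
    for line_no, ip, name, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} ({kind})")
```

Any finding for a vendor domain is worth explaining before trusting the machine; a clean result only rules out this one mechanism.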

Doktornotor, That seems to have worked! For the first time since I got infected, I am on the Avast website on MY computer. Thanks for all the help. MAB shows no infected files. Is there any way to make sure I’m clean now?

Do the OTS scan once again and attach the log here. Also, I’d recommend scheduling a boot time scan with avast.

Looks like I spoke too soon! After my last post, I took it upon myself to download and run the “SUPERanti Spyware” program that you provided the link to above. It found nearly 100 infected items, which I told it to fix. After rebooting, I find that my computer once again can no longer access the Avast site!

I ran OTS again, and attached the log here.

@ Tom2e,

I reviewed your OTS log and I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your log and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine since you have provided the log.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine unless Essexboy instructs you to do malware removal instructions; use a different machine to check email, sync your phone, etc. if possible.

Let us know if you have any questions. Thank you.

I agree, the best you can do is to disconnect the box from the network or, better, shut it down. With “nearly 100 infected items” I would personally reformat and reinstall it from scratch, otherwise follow what SafeSurf said.

Essexboy was already notified. He will respond to Tom2e in this thread. Hold off on reformatting until you hear from him since he does wonderful work. :slight_smile:

Hi, here we go - the main culprit is a job that is set to run daily and re-install some malware. With SAS, apart from cookies, how many infected files did it find?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (CLTNetCnService) Symantec Lic NetConnect service [Auto | Stopped] -> 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< FireFox Settings [Prefs.js] > -> C:\Users\Tom Towhey\AppData\Roaming\Mozilla\FireFox\Profiles\mstrrki5.default\prefs.js
YN -> keyword.URL -> "http://search.avg.com/route/?d=4cbd1d8a&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q="
< FireFox Extensions [Program Folders] > -> 
YY -> XULRunner -> C:\USERS\TOM TOWHEY\APPDATA\LOCAL\{76123935-1710-439E-BEB2-43F05EF60F7C}
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {D4027C7F-154A-4066-A1AD-4243D8127440} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> "{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452}\shell\AutoRun\command -> 
YN -> \{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452}\shell\AutoRun\command\\"" -> [2u.com]
YN -> \{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452}\shell\explore\Command -> 
YN -> \{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452}\shell\explore\Command\\"" -> [2u.com]
YN -> \{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452}\shell\open\Command -> 
YN -> \{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452}\shell\open\Command\\"" -> [2u.com]
[Files/Folders - Modified Within 30 Days]
NY ->  hyyyi.job -> C:\Windows\tasks\hyyyi.job
NY ->  mkr47m65w2qjrle7256w0m1xaj2e3 -> C:\Users\Tom Towhey\AppData\Local\mkr47m65w2qjrle7256w0m1xaj2e3
NY ->  mkr47m65w2qjrle7256w0m1xaj2e3 -> C:\ProgramData\mkr47m65w2qjrle7256w0m1xaj2e3
NY ->  Tqequjaxa.dat -> C:\Users\Tom Towhey\AppData\Local\Tqequjaxa.dat
NY ->  Kmegulaqocu.bin -> C:\Users\Tom Towhey\AppData\Local\Kmegulaqocu.bin
NY ->  s744qe51d1d0r27pd42h21mhg08qn22 -> C:\Users\Tom Towhey\AppData\Local\s744qe51d1d0r27pd42h21mhg08qn22
NY ->  s744qe51d1d0r27pd42h21mhg08qn22 -> C:\ProgramData\s744qe51d1d0r27pd42h21mhg08qn22
[Files - No Company Name]
NY ->  mkr47m65w2qjrle7256w0m1xaj2e3 -> C:\Users\Tom Towhey\AppData\Local\mkr47m65w2qjrle7256w0m1xaj2e3
NY ->  mkr47m65w2qjrle7256w0m1xaj2e3 -> C:\ProgramData\mkr47m65w2qjrle7256w0m1xaj2e3
NY ->  s744qe51d1d0r27pd42h21mhg08qn22 -> C:\Users\Tom Towhey\AppData\Local\s744qe51d1d0r27pd42h21mhg08qn22
NY ->  s744qe51d1d0r27pd42h21mhg08qn22 -> C:\ProgramData\s744qe51d1d0r27pd42h21mhg08qn22
NY ->  Kmegulaqocu.bin -> C:\Users\Tom Towhey\AppData\Local\Kmegulaqocu.bin
NY ->  Tqequjaxa.dat -> C:\Users\Tom Towhey\AppData\Local\Tqequjaxa.dat
NY ->  hyyyi.job -> C:\Windows\tasks\hyyyi.job
[File - Lop Check]
NY ->  AVG10 -> C:\Users\Tom Towhey\AppData\Roaming\AVG10
NY ->  hyyyi.job -> C:\Windows\Tasks\hyyyi.job
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Essexboy,
As I cannot access this site on the affected computer, I did not receive the message not to do anything until I heard from you. I ran the Avast Boot time scan, and attempted to fix the problem it found. This was:

in file C:\HP\BIN\KillIt.exe it found WIN32:KillApp-W [PUP]

I tried to repair all, and it gave error 42060 and said it couldn’t repair it. At the recommendation of a co-worker I then told it to delete all.

I am attaching another OTS log, I apologize for the miscue. Henceforth, I will not do anything without consulting this thread.

Should I still run the fix you gave me? I’ll wait to hear your response.

That is what happens when you change the default settings and/or run a custom scan and ask avast to look for PUPs (Potentially Unwanted Programs).

The file is used, as its name implies, to kill running applications, so it can be used for good (HP recovery) or evil, and that is what avast is pointing out. In this location, if you have an HP system, it is part of the HP recovery function and legit; you have to do ‘nothing.’

You can’t repair something that isn’t a virus, e.g. remove the infected part inserted into a legit file, and since the whole file has a specific function there is no repair that could have been done.

Use this one

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Win32 Services - Safe List]
YN -> (CLTNetCnService) Symantec Lic NetConnect service [Auto | Stopped] -> 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3775981552-537282619-2923529732-1000\] > -> 
YN -> HKEY_USERS\S-1-5-21-3775981552-537282619-2923529732-1000\: URLSearchHooks\\"{A3BC75A2-1F87-4686-AA43-5347D756017C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< FireFox Settings [Prefs.js] > -> C:\Users\Tom Towhey\AppData\Roaming\Mozilla\FireFox\Profiles\mstrrki5.default\prefs.js
YN -> keyword.URL -> "http://search.avg.com/route/?d=4cbd1d8a&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q="
< FireFox Extensions [Program Folders] > -> 
YY -> XULRunner -> C:\USERS\TOM TOWHEY\APPDATA\LOCAL\{76123935-1710-439E-BEB2-43F05EF60F7C}
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {D4027C7F-154A-4066-A1AD-4243D8127440} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> "{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3775981552-537282619-2923529732-1000\] > -> HKEY_USERS\S-1-5-21-3775981552-537282619-2923529732-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YY -> "AvgUninstallURL" -> C:\Windows\System32\cmd.exe [cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNDc1MjQ5NDEyLVQxOC1VODUrMS1CQSsxLUtWMys3LVhLKzEtRlA5KzYtTjFGKzEtQkFSOUcrMS1UQjkrMi1GTCs5LUYxME0rNS1CMQ"&"prod=90"&"ver=10.0.1152]
< Run [HKEY_USERS\S-1-5-21-3775981552-537282619-2923529732-1000\] > -> HKEY_USERS\S-1-5-21-3775981552-537282619-2923529732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Glpgpm" -> C:\Users\Tom Towhey\AppData\Roaming\Glpgpm.exe [C:\Users\Tom Towhey\AppData\Roaming\Glpgpm.exe]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452}\shell\AutoRun\command -> 
YN -> \{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452}\shell\AutoRun\command\\"" -> [2u.com]
YN -> \{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452}\shell\explore\Command -> 
YN -> \{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452}\shell\explore\Command\\"" -> [2u.com]
YN -> \{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452}\shell\open\Command -> 
YN -> \{20cb5e01-e9b1-11dd-8dc5-0016d4c5e452}\shell\open\Command\\"" -> [2u.com]
[Files/Folders - Modified Within 30 Days]
NY ->  hyyyi.job -> C:\Windows\tasks\hyyyi.job
NY ->  mkr47m65w2qjrle7256w0m1xaj2e3 -> C:\Users\Tom Towhey\AppData\Local\mkr47m65w2qjrle7256w0m1xaj2e3
NY ->  mkr47m65w2qjrle7256w0m1xaj2e3 -> C:\ProgramData\mkr47m65w2qjrle7256w0m1xaj2e3
NY ->  Tqequjaxa.dat -> C:\Users\Tom Towhey\AppData\Local\Tqequjaxa.dat
NY ->  Kmegulaqocu.bin -> C:\Users\Tom Towhey\AppData\Local\Kmegulaqocu.bin
NY ->  s744qe51d1d0r27pd42h21mhg08qn22 -> C:\Users\Tom Towhey\AppData\Local\s744qe51d1d0r27pd42h21mhg08qn22
NY ->  s744qe51d1d0r27pd42h21mhg08qn22 -> C:\ProgramData\s744qe51d1d0r27pd42h21mhg08qn22
[Files - No Company Name]
NY ->  s744qe51d1d0r27pd42h21mhg08qn22 -> C:\Users\Tom Towhey\AppData\Local\s744qe51d1d0r27pd42h21mhg08qn22
NY ->  s744qe51d1d0r27pd42h21mhg08qn22 -> C:\ProgramData\s744qe51d1d0r27pd42h21mhg08qn22
NY ->  Kmegulaqocu.bin -> C:\Users\Tom Towhey\AppData\Local\Kmegulaqocu.bin
NY ->  Tqequjaxa.dat -> C:\Users\Tom Towhey\AppData\Local\Tqequjaxa.dat
NY ->  hyyyi.job -> C:\Windows\tasks\hyyyi.job
[File - Lop Check]
NY ->  AVG10 -> C:\Users\Tom Towhey\AppData\Roaming\AVG10
NY ->  hyyyi.job -> C:\Windows\Tasks\hyyyi.job
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
  

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

THEN

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif

Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif

On completion of the scan click save log, save it to your desktop and post it in your next reply.

Wrong thread. :wink:

No, both fixes are the same including the user names ;D