Today my Avast began blocking a bunch of malware, the most common of which seems to be: http://go.wvydeo.com/resultsa/…, although there are others as well.
The only other problem I noticed was that my system seemed a bit slower than usual lately, and today it seems like after I install Windows “important” updates (it says successfully), they come up again to be installed.
So I found this forum, followed the steps on the “Logs to assist in cleaning malware” post and:
Found that I could not download Malwarebytes using IE (or any of the other suggested software). I get a pop-up titled “Security Alert” that says “Your current security settings do not allow this file to be downloaded”. I used Firefox instead and was able to install and run Malwarebytes (log attached). This however did not fix the issue. It seems to be frequently blocking something from fff5ee.com, outbound, from the process “C:\Windows\SysWOW64\dllhost.exe”. The IP and port change frequently and sometimes the domain is blank.
I used Firefox to download the “Farbar Recovery Scan Tool”. I ran it and the logs are attached.
I used Firefox to download “aswMBR.exe”, but every time I try to run it I get the blue screen of death. (A copy of the Windows error log is attached.)
Temporarily disable your antivirus program, usually via a right click on the system tray icon. It may interfere with ComboFix. If you are unsure how to do this, please read this or this instruction.
Instructions how to disable avast:
• Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.
Run ComboFix. Then, on the disclaimer window, click the I Agree! button.
- ComboFix will check if there is a newer version of ComboFix available. Click Yes if prompted to download.
- If Recovery Console is not installed, ComboFix will offer download & installation. Click Yes to allow ComboFix to install Recovery Console.
- ComboFix will scan your computer in stages, a total of 50 stages. Do not mouse-click around while ComboFix is running.
- If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
- Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart your computer.
When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
=> Attach log report (ComboFix.txt) back to topic.
ComboFix shall also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.
ComboFix seems to have done some good. I am not seeing the barrage of threats being blocked by MBAM and Avast, and everything seems to be running faster.
It may be too early to declare victory, but we are winning!
It is always recommended to change your personal passwords, but your malware does not have a mission (to our knowledge) to steal personal information.
Run this fix and tell me how the computer behaves now.
1. Open Notepad and copy/paste the text present inside the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
2. Save the Notepad file as fixlist.txt to your Desktop. NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply. Note: If the tool warns you about an outdated version, please download and run the updated version.
Would you recommend running ComboFix or any of these other tools on a regular basis?
Not without supervision. ;)
You have Malwarebytes installed; you may keep it, update it and perform scanning. Tools like ComboFix and FRST (etc.) are advanced tools and they behave differently.
• The following will implement some post-cleanup procedures:
=> Please download DelFix by Xplode to your Desktop.
• Run DelFix and tick the Purge System Restore option.
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.