Hi. I have exactly the same problem that she had: "I can’t open the Avast! user interface, can’t boot in safe mode, can’t access facebook.
Screencaps: http://tinypic.com/r/2itim3r/7 http://tinypic.com/r/hvwbpt/7

I’m certain this is a virus or malware or something of that sort. My sister was using facebook and clicked a link to a video that asked her to update Adobe Flash. She did, the computer restarted and then the problems began. How do I get rid of this? I’m running Malwarebytes right now to see if it’ll do anything. If not, what steps should I take?" Please help =|

I'm running Malwarebytes right now to see if it'll do anything. If not, what steps should I take?"

post scan log when done

My sister was using facebook and clicked a link to a video that asked her to update Adobe Flash.

Oh i’m sorry i copied too much, i just meant until “How do I get rid of this?” I’m not running anything :-X

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here and not in the guide )

To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTL log ) save OTL log as ANSI

Essexboy will look at the logs when posted…

Okk sorry =)

Monitoring - but I am going offline shortly. I will look tomorrow

Hi essexboy. I’ve done the same thing that you told that girl to do, so here it is the RoughKiller report and the OTS it’s below.

RogueKiller V5.3.3 [08/18/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRKgmailcom
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Adriana [Admin rights]
Mode: Remove – Date : 08/01/2011 00:01:34

Bad processes: 0

Registry Entries: 5
[BLACKLIST] HKLM[…]\Root : LEGACY_SRVBTCCLIENT () → DELETED
[BLACKLIST] HKLM[…]\Root : LEGACY_SRVIECHECK () → DELETED
[BLACKLIST] HKLM[…]\Root : LEGACY_WXPDRIVERS () → DELETED
[HJ] HKLM[…]\System : EnableLUA (0) → REPLACED (1)
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)

Particular Files / Folders:

HOSTS File:
127.0.0.1 localhost
127.0.0.1 facebook.com
127.0.0.1 www.facebook.com
127.0.0.1 af-za.facebook.com
127.0.0.1 az-az.facebook.com
127.0.0.1 id-id.facebook.com
127.0.0.1 ms-my.facebook.com
127.0.0.1 bs-ba.facebook.com
127.0.0.1 ca-es.facebook.com
127.0.0.1 cs-cz.facebook.com
127.0.0.1 cy-gb.facebook.com
127.0.0.1 da-dk.facebook.com
127.0.0.1 de-de.facebook.com
127.0.0.1 et-ee.facebook.com
127.0.0.1 en-gb.facebook.com
127.0.0.1 es-la.facebook.com
127.0.0.1 eo-eo.facebook.com
127.0.0.1 eu-es.facebook.com
127.0.0.1 tl-ph.facebook.com
127.0.0.1 fo-fo.facebook.com
[…]

Finished : << RKreport[1].txt >>
RKreport[1].txt

Can someone help ? I still cant access to facebook =O

Can someone help ? I still cant access to facebook =O

you have to wait for essexboy… he will be back here about 08:00 - 11:59pm uk time

In the meantime, you could remove these entries from your HOSTS file manually.

HOSTS file redirect a common malware tactic to block AV sites making it difficult to remove malware; the same is true if they want to block facebook in your case - 127.0.0.1 check your HOSTS file using notepad or a text editor of your choice, C:\WINDOWS\system32\drivers\etc\hosts or do a search for HOSTS to find it if not there.

Once open you are looking for entries with those facebook.com entries on the line, you can remove those lines and save the file. http://en.wikipedia.org/wiki/Hosts_file

Note, when saving the file, notepad may have a whinge as there is no file type for the HOSTS file; ensure that the file type is set to all files and it should comply with the fact it hasn’t got a file type/extension. You may, depending on your OS have the UAC have a whinge, so you may need to run that text editor (notepad, etc.) as an administrator.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Processes - Safe List]
YY -> svchostdriver.exe -> C:\WINDOWS\update.7.1\svchostdriver.exe
[Win32 Services - Safe List]
YY -> (ddservice) ddservice [Auto | Running] -> C:\WINDOWS\update.7.1\svchostdriver.exe
[Registry - Safe List]
< HOSTS File > ([2011-07-31 23:03:13 | 000,202,984 | -H-- | M] - 100098 lines) -> C:\WINDOWS\system32\drivers\etc\hosts
YN -> Reset Hosts -> 
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "tray_ico" -> []
YN -> "tray_ico1" -> []
YN -> "tray_ico2" -> []
YN -> "tray_ico3" -> []
YN -> "tray_ico4" -> []
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\update.1\svchost.exe" -> [C:\WINDOWS\update.1\svchost.exe:*:Enabled:C:\WINDOWS\update.1\svchost.exe]
YN -> "C:\WINDOWS\update.2\svchost.exe" -> [C:\WINDOWS\update.2\svchost.exe:*:Enabled:C:\WINDOWS\update.2\svchost.exe]
YN -> "C:\WINDOWS\update.tray-7-0\svchost.exe" -> [C:\WINDOWS\update.tray-7-0\svchost.exe:*:Enabled:C:\WINDOWS\update.tray-7-0\svchost.exe]
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
YN -> "AlternateShell" -> services32.exe
[Files/Folders - Created Within 30 Days]
NY ->  WinRAR -> C:\Documents and Settings\LocalService\Application Data\WinRAR
NY ->  ufa -> C:\WINDOWS\ufa
NY ->  phoenix -> C:\WINDOWS\phoenix
NY ->  update.7.1 -> C:\WINDOWS\update.7.1
NY ->  update.2 -> C:\WINDOWS\update.2
NY ->  update.5.0 -> C:\WINDOWS\update.5.0
NY ->  WinRAR -> C:\Documents and Settings\Adriana\Application Data\WinRAR
NY ->  av_ico -> C:\WINDOWS\av_ico
NY ->  update.1 -> C:\WINDOWS\update.1
NY ->  update.tray-7-0 -> C:\WINDOWS\update.tray-7-0
NY ->  update.tray-7-0-lnk -> C:\WINDOWS\update.tray-7-0-lnk
NY ->  gPotato -> C:\Documents and Settings\All Users\Menu Iniciar\Programas\gPotato
NY ->  gPotato -> C:\gPotato
[Files/Folders - Modified Within 30 Days]
NY ->  info1 -> C:\WINDOWS\info1
NY ->  phoenix.rar -> C:\WINDOWS\phoenix.rar
NY ->  unrar.exe -> C:\WINDOWS\unrar.exe
NY ->  ufa.rar -> C:\WINDOWS\ufa.rar
NY ->  rpcminer.rar -> C:\WINDOWS\rpcminer.rar
NY ->  geoiplist.rar -> C:\WINDOWS\geoiplist.rar
[Files - No Company Name]
NY ->  loader2.exe_ok -> C:\WINDOWS\loader2.exe_ok
NY ->  phoenix.rar -> C:\WINDOWS\phoenix.rar
NY ->  rpcminer.rar -> C:\WINDOWS\rpcminer.rar
NY ->  info1 -> C:\WINDOWS\info1
NY ->  geoiplist -> C:\WINDOWS\geoiplist
NY ->  geoiplist.rar -> C:\WINDOWS\geoiplist.rar
NY ->  unrar.exe -> C:\WINDOWS\unrar.exe
[Custom Scans]
YY ->  svchost.exe : MD5=B8F3E2AEE9E0D7BCA1691165B5A2EBA1 -> C:\WINDOWS\update.tray-7-0-lnk\svchost.exe
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Custom Items]
:files
ipconfig /flushdns /c
:end 

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.
Double click the aswMBR.exe to run it Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/essexboy-1-1.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif

The aswMBR just stoped at that point =| it doesnt say : Scan finished successfully …

Ups it does now LOL wasnt finished =P

What are your current problems ?

Please download Malwarebytes’ Anti-Malware

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
[]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

I dont know if there is still any problem lol i alredy can go to facebook yeehay =D thank you so much ;D i’m running Malwarebytes right now, i’ll send you the report when finished.

Be carefull on facebook - do not accept any flash updates from there

Oh i really will not do that again ;D do you understand what the report says? It’s written on portuguese …

Processos de memória infectados: 0 módulos de Memória infectados: 0 Chaves do Registo Infectadas: 0 Valores do Registo infectados: 0 Itens de dados do Registo Infectados: 0 Pastas Infectadas: 0 Ficheiros Infectados: 0

Any further problems ? If not then let me know tomorrow and I will remove my tools

Nop i believe that problem was enough =D i thought that thing was gonna mess my pc …well thank you so much

My pleasure, if all is well tomorrow I will remove my tools and tidy you up