Malware attack

Hi All,
I am hoping someone can help me out with this. I am trying to clean up a friend's computer, and after installing Avast to help with that process, the web shield just went crazy with "…blocked a harmful webpage or file." If I am not connected to the internet it doesn't do it. Even if IE isn't open, it will sit and cycle through those blocks. As I am typing this, it has logged 51 blocks.

The PC is a Windows 7 Home Premium SP1, 32 bit. I know I could reinstall the OS, which would probably be easier, but since this isn’t my PC, I would prefer to not have to do that and make sure I put everything back.

So far I have tried:
Avast
Malwarebytes
CCleaner
Microsoft Security Essentials
combofix

Malwarebytes picked up a lot of things; I quarantined them, then ran CCleaner to finish cleaning registry issues. Avast found nothing, nor did MSE. ComboFix appeared to clean some things up. After ComboFix rebooted the PC, the Avast popups started right back up, blocking things. I am not really sure what else to try on this. Seems like this malware is set in and ready to fight. Any ideas?

Thanks Much,
Sam

Attach the Malwarebytes and ComboFix logs…

Then run OTL and attach the logs: http://forum.avast.com/index.php?topic=53253.0

I am new to the site, maybe I'm missing something, but is the attach button hidden, or am I too new?

Just below the box you write in: Attachments and other options.

Never mind, I could be blind.

Running OTL, be back shortly.

ComboFix should only be run with a qualified person with you. Not solo.

Monitoring the situation. Looks like another Blackbeard issue. Attach the OTL.txt and Extras.txt when done. :slight_smile:

I know I probably shouldn't have gone solo with ComboFix, maybe not a great judgment call, but the PC still works so I must not have done too badly. Anyway, here are the other files. Sorry for the delay, got distracted with other stuff.

Please be patient while I analyze your logs. Since I am a mentee, my replies need to be approved by an expert here to ensure you the best result. Thank you for your forbearance. :slight_smile:

Thank you all very much for taking this time to help me out. Maybe I can learn a thing or two. Viruses, malware, etc. are definitely not my specialty. Thanks again.

Sam

Mentee means trainee, by the way.

I have submitted my fix for you to my teacher and will post it here after his approval. :slight_smile:

@Michael, I love playing with words. ;D

Hi samlemx, :slight_smile:
If you still experience avast! alerts, it is normal. Stay with me till the end.

Step #1 Fix with OTL
- Re-run OTL by right-clicking it and choosing Run as administrator;
- Under the Custom Scans/Fixes box, copy and paste the following contents into the code box.

:Commands
[createrestorepoint]

:OTL
IE - HKU\S-1-5-21-2670899690-1136335791-712615611-1000\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}: "URL" = http://toolbar.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80798&lng=en
IE - HKU\S-1-5-21-2670899690-1136335791-712615611-1000\..\SearchScopes\{EF4312C2-87D6-40DE-BDF0-C47FDF81B391}: "URL" = http://websearch.shopathome.com?user_id=%guid&q={searchTerms}
[2014/04/01 18:44:22 | 000,000,064 | ---- | M] () -- C:\Windows\System32\eclydv.own
[2014/04/01 18:44:22 | 000,000,000 | ---- | M] () -- C:\Windows\System32\ulwhr.cso
[2014/04/01 18:27:53 | 000,299,344 | --S- | M] () -- C:\Windows\System32\dxhceav.baq
[2014/04/01 18:27:53 | 000,000,000 | --S- | M] () -- C:\Windows\System32\cdmfnjy.ysk
[2014/04/01 18:27:53 | 000,000,000 | --S- | M] () -- C:\Windows\System32\aaaj.mcg
[2014/04/01 18:55:58 | 000,000,078 | ---- | C] () -- C:\Windows\System32\fkzzesn.pqa
[2013/10/04 18:02:35 | 000,000,000 | -HSD | M] -- C:\Users\Compouter\AppData\Local\Google\Desktop\Install\{0e3585e8-09d9-6293-7dbb-44df52dc6ea4}\❤≸⋙\Ⱒ☠⍨\<U+202E>ﯹ๛\{0e3585e8-09d9-6293-7dbb-44df52dc6ea4}\L
[2013/10/04 18:02:35 | 000,000,000 | -HSD | M] -- C:\Users\Compouter\AppData\Local\Google\Desktop\Install\{0e3585e8-09d9-6293-7dbb-44df52dc6ea4}\❤≸⋙\Ⱒ☠⍨\<U+202E>ﯹ๛\{0e3585e8-09d9-6293-7dbb-44df52dc6ea4}\U
[2009/07/13 23:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

:Commands
[emptytemp]

- Click on "Run Fix" and let the program run unhindered;
- Your PC will reboot automatically and a log will be opened;
- Please attach it in your next reply.


Step #2 Run ComboFix Script
Make sure that you still have ComboFix on your Desktop. If not, download it from here.
- Open Notepad.exe. Do not use any other text editor software;
- Copy and paste the contents inside the code box into your Notepad:

FCopy::
c:\windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_6bd245e79c221747\rpcss.dll | c:\windows\System32\rpcss.dll
Reboot:: 

- Click on File > Save as…
  - Inside the File Name box type CFScript.txt;
  - From the Save as type drop-down list, choose All Files;
  - Save the file to your Desktop;
- Make sure your security programs are disabled while performing the actions. If you have difficulties, peruse this thread;
- Drag CFScript.txt onto ComboFix.exe as shown in the screenshot below:

http://users.telenet.be/bluepatchy/miekiemoes/images/CFScript.gif
ComboFix will now run a scan on your system. After the scan finishes, it will execute the script and reboot your computer automatically. Don't reboot your computer manually; let ComboFix do it. Once your computer has rebooted, ComboFix will start preparing a log. Please let it do so unhindered. After a few minutes, it will produce a log for you. Please attach C:\ComboFix.txt in your next reply.


Step #3 Scan with Farbar Recovery Scan Tool
- Please download Farbar Recovery Scan Tool by Farbar to your Desktop from the link below.
  Download link for 32 bit system
  Download link for 64 bit system
- Right-click on the program and choose Run as administrator;
- Put a tick-mark in all boxes under Whitelist and Optional Scan;
- Click on Scan;
- After the scan, two Notepad files will be opened:
  - FRST.txt;
  - Addition.txt
- Attach the contents of the logs in your next reply.


Step #4 Scan with RogueKiller
- Download RogueKiller from one of the suitable links below to your Desktop.
  Download link for 32 bit system
  Download link for 64 bit system
- Let the pre-scan finish. After that, click on Scan;
- The scan won't take long;
- A log will have been created on your Desktop;
- Attach the content of the log in your next reply.


Required Log(s):
- OTL Fix Log;
- ComboFix Log;
- Farbar Recovery Scan Tool Log(s):
  - FRST.txt;
  - Addition.txt
- RogueKiller Report

Regards,
Valinorum
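As an added illustration (not part of the original thread, and not OTL's or ComboFix's own code), the following Python parses OTL file-listing lines of the form used in the fix above and flags the things a helper looks for before writing such a fix: a right-to-left override control (U+202E, shown in the listing as `<U+202E>`) or symbol-only directory names that disguise a path, random-looking files with non-standard extensions under System32, and zero-byte files carrying the System attribute. The sample lines are copied from the fix above; the flag names, the extension list and the `<U+XXXX>` marker handling are my own heuristic choices, not OTL output.

```python
import re
import unicodedata

# Unicode bidirectional controls. RLO (U+202E) reverses the display order of
# what follows it, so a name can look different from how the file system sees it.
BIDI_CONTROLS = frozenset(
    "\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)

# Extensions normally found under System32 (heuristic list, not a verdict).
COMMON_SYSTEM32_EXT = frozenset({
    ".dll", ".exe", ".sys", ".drv", ".ocx", ".cpl", ".mui", ".nls", ".ax",
    ".acm", ".msc", ".inf", ".ini", ".dat", ".log", ".xml", ".txt", ".cat",
    ".tlb", ".scr", ".com", ".cfg", ".bin", ".ttf", ".fon", ".ico",
})

# Forum/page renderers often show control characters as "<U+202E>"; turn such
# markers back into the real character before analysing the path.
MARKER = re.compile(r"<U\+([0-9A-Fa-f]{4,6})>")

# [date time | size | attrs | C/M] () -- path      (the "()" part is optional)
OTL_LINE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[RHSD-]{4}) \| (?P<stamp>[CM])\] "
    r"(?:\(\) )?-- (?P<path>.+)$"
)


def parse_otl_line(line):
    """Return a dict for an OTL file entry, or None for any other line."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    path = MARKER.sub(lambda mm: chr(int(mm.group(1), 16)), m.group("path"))
    return {
        "date": m.group("date"),
        "size": int(m.group("size").replace(",", "")),
        "attrs": m.group("attrs"),      # R/H/S/D flags, '-' when unset
        "stamp": m.group("stamp"),      # C = created, M = modified
        "path": path,
    }


def flag_entry(entry):
    """Heuristic flags for one parsed entry (my own labels, not OTL's)."""
    flags = []
    path = entry["path"]
    low = path.lower()
    if any(ch in BIDI_CONTROLS for ch in path):
        flags.append("bidi-control-in-path")
    # Non-ASCII symbol characters (hearts, skulls, math operators) as names
    if any(ord(ch) > 127 and unicodedata.category(ch).startswith("S")
           for ch in path):
        flags.append("symbol-chars-in-path")
    if low.startswith("c:\\windows\\system32\\"):
        name = low.rsplit("\\", 1)[1]
        ext = name[name.rfind("."):] if "." in name else ""
        if ext not in COMMON_SYSTEM32_EXT:
            flags.append("unusual-ext-in-system32")
    # A 0-byte file marked System is an odd thing to find under Windows\
    if ("S" in entry["attrs"] and "D" not in entry["attrs"]
            and entry["size"] == 0):
        flags.append("zero-byte-system-file")
    return flags


def analyze(lines):
    """Parse every OTL file entry in lines; return [(path, [flags...]), ...]."""
    out = []
    for line in lines:
        entry = parse_otl_line(line)
        if entry:
            out.append((entry["path"], flag_entry(entry)))
    return out


# Constructed sample: entries copied from the OTL fix posted above, plus one
# registry line that the parser must ignore.
SAMPLE = [
    "[2014/04/01 18:44:22 | 000,000,064 | ---- | M] () -- C:\\Windows\\System32\\eclydv.own",
    "[2014/04/01 18:27:53 | 000,000,000 | --S- | M] () -- C:\\Windows\\System32\\cdmfnjy.ysk",
    "[2013/10/04 18:02:35 | 000,000,000 | -HSD | M] -- C:\\Users\\Compouter\\AppData\\Local"
    "\\Google\\Desktop\\Install\\{0e3585e8-09d9-6293-7dbb-44df52dc6ea4}\\❤≸⋙\\Ⱒ☠⍨"
    "\\<U+202E>ﯹ๛\\{0e3585e8-09d9-6293-7dbb-44df52dc6ea4}\\L",
    "[2009/07/13 23:42:31 | 000,000,227 | RHS- | M] () -- C:\\Windows\\assembly\\Desktop.ini",
    'IE - HKU\\S-1-5-21-2670899690-1136335791-712615611-1000\\..\\SearchScopes\\{C04B7D22}: "URL" = http://example.invalid/',
]

if __name__ == "__main__":
    for path, flags in analyze(SAMPLE):
        print(f"{path!r}: {', '.join(flags) or 'no flags'}")
```

Run it over the whole OTL.txt rather than the fix excerpt to see which of the hundreds of listed files deserve attention; a path that carries a bidi control is worth treating as hostile regardless of what the name appears to say, because the displayed name is not the name the file system uses.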

Hi Valinorum,
Thank you for the post. Sorry for my delay. Trying to do this after work, and the PC was running pretty slow. I did know the reference to being a "Mentee". :slight_smile:

Per your request, I have attached the logs produced by the various programs. Four attachments on this one, since that is the max; I will have another post.

Just to note, Avast has stopped going crazy with blocking those connections, and the PC does seem to be running smoother, or I have just adapted to its slowness. It looked like RogueKiller picked up on some items, though. Let me know where to go next.

Thanks,
Sam

RogueKiller log.

Thanks,
Sam

Hi,
I have submitted my fix to an Expert here and will post here after his approval. Thank you for your patience.

Hi samlemx, :slight_smile:

We have one more big fish to fry.

Step #5 Fix with RogueKiller
- Re-run RogueKiller. If you do not have it on your Desktop, download it from the suitable link below.
  Download link for 32 bit system
  Download link for 64 bit system
- Let the pre-scan finish. After that, click on Scan and wait for the scan to finish;
- Click on Delete;
- Now click on Scan again and wait for the scan to finish;
- Click on Report and a log file will open;
- Attach the report in your next reply.


Step #6 Fix with FRST
Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
- Open Notepad.exe. Do not use any other text editor software;
- Copy and paste the contents inside the code box into your Notepad:

Start
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
C:\Windows\system32\fkzzesn.pqa
C:\Windows\system32\eclydv.own
C:\Windows\System32\ulwhr.cso
C:\Windows\System32\dxhceav.baq
C:\Users\Compouter\AppData\Local\Google\Desktop\Install
End

- Click on File > Save as…
  - Inside the File Name box type fixlist.txt;
  - From the Save as type drop-down list, choose All Files;
  - Save the file to your Desktop;
- Re-run FRST.exe and click Fix;
- Note: If FRST advises that there is a new updated version to be downloaded, do so/allow this.
- After completion, a log will be produced;
- Attach the log in your next reply.


Required Log(s):
- RogueKiller Report;
- FRST Fix Log

Regards,
Valinorum

Hi Valinorum,
I have attached the reports you requested. It looks like RogueKiller cleaned up its findings. Avast has been quiet too. I know an absence of symptoms doesn't mean it is in the clear, but it is certainly behaving better. Thank you again for your help. I have to ask, does it annoy you that this PC's name is "Compouter"? It sure bugged me when I first started working on this. ;D

Thanks,
Sam

How is your system running? I have seen weird usernames. :stuck_out_tongue: