I've studied this entire site, looking through the tips and stickies… I've downloaded CCleaner, done the scan as well as other things, and still I can't get rid of this Avast pop-up that comes up every 5 minutes saying 213.155.31.136/serv/gate.php was blocked.
It's driving me nuts… any help is greatly appreciated.
I have the CCleaner report, but it says it's too many characters for this post.
Hi there, let me see what you have.
Download aswMBR.exe ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrscan.gif
Click the “Scan” button to start the scan
http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrsavelog.gif
On completion of the scan, click Save log, save it to your desktop and post it in your next reply
THEN
Download OTS to your Desktop and double-click on it to run it
- Make sure you close all other programs and don't use the PC while the scan runs.
- Select All Users
- Under additional scans select the following:
  Reg - Disabled MS Config Items
  Reg - Drivers32
  Reg - NetSvcs
  Reg - SafeBoot Minimal
  Reg - Shell Spawning
  Evnt - EventViewer Logs (Last 10 Errors)
  File - Lop Check
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.
Hi usmcscout123,
Did you read this: http://xml.ssdsandbox.net/index.php/2dfe1699bd3fb09b140d5b95d023a275
Malware resides here: hxtp://213.155.31.136/hshhgajjsggsajd/sutra/kzkzhlipgpjvy.jar
Threat: a6a7a760c0e <<< JAVAMesdeh.D malware aka Trojan maljava
A malicious Java file that exploits one or more vulnerabilities. After essexboy's cleansing routine you should update all the software on that computer after an online scan here: http://secunia.com/vulnerability_scanning/online/?task=load
But from the connections made, we have to conclude you probably have a SpyEye infection:
When a SpyEye bot running on an infected computer starts up, it immediately sends a message to check in with its Command & Control server. This first message contains some basic information about the bot infector and the computer it is running on. Here is an example, with the parameters highlighted.
http://(server)/gate.php?guid=uname!cname!1A2B3C4D&ver=10260&stat=ONLINE&ie=6.0
Quote source:
http://blog.fortinet.com/tag/research/ (author of article named “A Guide to SpyEye C&C Messages” by Doug Macdonald February 15, 2011)
polonus
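The check-in quoted above is something a defender can actually look for in proxy or web-filter logs. The following is an added example (not code from the thread, from Avast, or from the Fortinet write-up): it parses constructed proxy log lines and flags requests whose URL has the SpyEye first-check-in shape, a path ending in `gate.php` with `guid`, `ver` and `stat` parameters, where `guid` splits into `uname!cname!<id>`. The log line format, the sample lines and the assumption that the third `guid` field is hexadecimal (taken from the `1A2B3C4D` in the quoted example) are this example's own.

```python
"""Added example: flag SpyEye-style gate.php check-ins in a web proxy log.

The check-in shape (guid=uname!cname!<hex>, ver=, stat=ONLINE, ie=) comes from
the Fortinet write-up quoted in the thread; the log line format and the sample
lines below are constructed for this example, not taken from the thread.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters present in the SpyEye first check-in quoted above.
REQUIRED_PARAMS = {"guid", "ver", "stat"}
# guid looks like uname!cname!1A2B3C4D: three '!'-separated fields, the last one
# hexadecimal (assumption based on the quoted example).
GUID_RE = re.compile(r"^[^!]+![^!]+![0-9A-Fa-f]{6,}$")

# Constructed proxy log lines: "<date> <time> <client> <method> <url> <status>".
# The first and last lines model the beacon the poster's Avast kept blocking;
# the third is a benign page that happens to be called gate.php.
SAMPLE_LOG = """\
2011-04-08 12:05:01 192.168.1.20 GET http://213.155.31.136/serv/gate.php?guid=Owner!OWNER-PC!1A2B3C4D&ver=10260&stat=ONLINE&ie=7.0 200
2011-04-08 12:05:03 192.168.1.20 GET http://www.example.com/index.html 200
2011-04-08 12:05:07 192.168.1.31 GET http://forum.example.net/gate.php?page=2 200
2011-04-08 12:10:01 192.168.1.20 GET http://213.155.31.136/serv/gate.php?guid=Owner!OWNER-PC!1A2B3C4D&ver=10260&stat=ONLINE&ie=7.0 403
""".splitlines()


def parse_checkin(url):
    """Return the bot's identifiers if the URL looks like a SpyEye gate.php
    check-in, otherwise None. A bare /serv/gate.php with no query (what the
    Avast alert shows) is not enough on its own and returns None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/gate.php"):
        return None
    query = parse_qs(parts.query)
    if not REQUIRED_PARAMS.issubset(query):
        return None
    guid = query["guid"][0]
    if not GUID_RE.match(guid):
        return None
    uname, cname, bot_id = guid.split("!", 2)
    return {
        "c2_host": parts.hostname,
        "uname": uname,
        "cname": cname,
        "bot_id": bot_id,
        "ver": query["ver"][0],
        "stat": query["stat"][0],
    }


def scan_proxy_log(lines):
    """Return one record per matching log line, tagged with the requesting client,
    so the infected host can be identified from the log rather than from a pop-up."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[2], fields[4]
        info = parse_checkin(url)
        if info:
            info["client"] = client
            hits.append(info)
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['c2_host']} "
              f"bot={hit['uname']}@{hit['cname']}/{hit['bot_id']} ver={hit['ver']} stat={hit['stat']}")
```

Matching on the parameter shape rather than on the IP address matters here: the C&C host in the alert can change, but a bot that keeps reporting `stat=ONLINE` with the same `guid` every few minutes is exactly the repeating pattern the poster describes.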
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-08 12:13:47
12:13:47.199 OS Version: Windows 6.0.6002 Service Pack 2
12:13:47.199 Number of processors: 2 586 0xF0D
12:13:47.199 ComputerName: OWNER-PC UserName: Owner
12:13:49.492 Initialize success
12:14:06.730 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
12:14:06.730 Disk 0 Vendor: Hitachi_ FB4O Size: 305245MB BusType: 3
12:14:06.746 Disk 0 MBR read successfully
12:14:06.746 Disk 0 MBR scan
12:14:06.761 Disk 0 scanning sectors +625139712
12:14:06.777 Disk 0 scanning C:\Windows\system32\drivers
12:14:13.469 Service scanning
12:14:15.794 Disk 0 trace - called modules:
12:14:15.809 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys
12:14:15.825 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x88652ac8]
12:14:15.825 3 CLASSPNP.SYS[8c5a28b3] → nt!IofCallDriver → [0x874b0700]
12:14:15.825 5 acpi.sys[8068e6bc] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x866e9028]
12:14:15.825 Scan finished successfully
MBR is good, so let's see what OTS reveals
Won't let me post OTS because the text is too large?
Upload it to RapidShare or SkyDrive, whatever… and give the link here.
Could you ensure it is saved as ANSI and not Unicode - it should fit then
http://i1224.photobucket.com/albums/ee362/Essexboy3/Untitled.gif
Hi, you have some infected USB drives and AVG has left some drivers still running ;D
On completion let me know if the problem is still apparent
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Driver Services - Safe List]
YY -> (MpKsl7bb8f3db) MpKsl7bb8f3db [Kernel | System | Running] ->
YY -> (Avgtdix) AVG TDI Driver [Kernel | Disabled | Running] ->
YY -> (Avgrkx86) AVG Anti-Rootkit Driver [File_System | Disabled | Running] ->
YY -> (AVGIDSShim) AVGIDSShim [Kernel | Disabled | Running] ->
YY -> (AVGIDSFilter) AVGIDSFilter [Kernel | Disabled | Running] ->
YY -> (AVGIDSEH) AVGIDSEH [Kernel | Disabled | Running] ->
YY -> (AVGIDSDriver) AVGIDSDriver [Kernel | Disabled | Running] ->
[Registry - Safe List]
< FireFox Extensions [Program Folders] > ->
YY -> No name found -> C:\PROGRAM FILES\AVG\AVG10\FIREFOX
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> MRI_DISABLED [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{0BF43445-2F28-4351-9252-17FE6E806AA0}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3570320739-1737594718-479680718-1000\] > -> HKEY_USERS\S-1-5-21-3570320739-1737594718-479680718-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{472734EA-242A-422B-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "AvgUninstallURL" -> C:\Windows\System32\cmd.exe [cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVMV0gtR0JZUzQtOU5USEQtUUE3WEQtQzJRSEgtTkZGS0o"&"inst=NzctNTc3NzYzMTI2"&"prod=90"&"ver=10.0.1204]
< Run [HKEY_USERS\S-1-5-21-3570320739-1737594718-479680718-1000\] > -> HKEY_USERS\S-1-5-21-3570320739-1737594718-479680718-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "B8FD6570F25AE774" -> C:\ProgData\ProgData.exe [C:\ProgData\ProgData.exe]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{0ee002ea-d3c3-11dd-8bbe-001e68eb7212} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0ee002ea-d3c3-11dd-8bbe-001e68eb7212}\shell\AutoRun\command ->
YN -> \{0ee002ea-d3c3-11dd-8bbe-001e68eb7212}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL JaiJaeQ.ExE]
YN -> \{4a981831-d2df-11dd-b733-001e68eb7212} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4a981831-d2df-11dd-b733-001e68eb7212}\shell\AutoRun\command ->
YN -> \{4a981831-d2df-11dd-b733-001e68eb7212}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\JAiJaEq.exE]
YN -> \{6f554c96-c747-11de-8838-00238b0fe603} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6f554c96-c747-11de-8838-00238b0fe603}\shell\AutoRun\command ->
YN -> \{6f554c96-c747-11de-8838-00238b0fe603}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\LaqEG.EXE]
YN -> \{8a486086-f0b4-11de-be4c-00238b0fe603} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8a486086-f0b4-11de-be4c-00238b0fe603}\shell\AutoRun\command ->
YN -> \{8a486086-f0b4-11de-be4c-00238b0fe603}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\jaijAeQ.exE]
YN -> \{9aac6711-dd08-11de-aac1-00238b0fe603} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9aac6711-dd08-11de-aac1-00238b0fe603}\shell\AutoRun\command ->
YN -> \{9aac6711-dd08-11de-aac1-00238b0fe603}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\ViUoQU.eXe]
[File - Lop Check]
NY -> AVG10 -> C:\Users\Owner\AppData\Roaming\AVG10
[Custom Items]
:Files
C:\ProgData
ipconfig /flushdns /c
C:\PROGRAM FILES\AVG
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
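The fix script above is worth reading as a set of indicators rather than just a list of keys to delete: the MountPoints2 entries show what the "infected USB drives" remark refers to (an AutoRun command on each removable volume, launched through `rundll32 Shell32.DLL,ShellExec_RunDLL` so the real binary is only the last token), and the Run value is a random hex name pointing into `C:\ProgData`, a lookalike of `C:\ProgramData`. The following is an added example, not OTS code and not part of the thread: it parses registry lines in OTS's `YY -> … -> [ … ]` format and reports why each one is suspicious. The sample lines are copied from the posted fix script plus one constructed benign Run value (an Adobe Reader entry) so a clean line is shown passing; the list of "trusted" folders is this example's assumption.

```python
"""Added example: triage OTS registry lines for the two persistence patterns
visible in the posted fix script (removable-drive AutoRun commands in
MountPoints2, and a Run value launching from a non-standard folder).
The heuristics are this example's own, not OTS logic."""
import re

# Lines copied from the OTS fix script posted above, plus one constructed
# benign Run value (the Adobe Reader line) so a clean entry is seen passing.
SAMPLE_OTS = r'''
YY -> "B8FD6570F25AE774" -> C:\ProgData\ProgData.exe [C:\ProgData\ProgData.exe]
YN -> "Adobe Reader Speed Launcher" -> C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe]
YN -> \{0ee002ea-d3c3-11dd-8bbe-001e68eb7212}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL JaiJaeQ.ExE]
YN -> \{6f554c96-c747-11de-8838-00238b0fe603}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\LaqEG.EXE]
YN -> \{9aac6711-dd08-11de-aac1-00238b0fe603}\shell\AutoRun\command\\"" -> [C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\ViUoQU.eXe]
'''.strip().splitlines()

# MountPoints2\{volume-guid}\shell\AutoRun\command -> [command line]
AUTORUN_RE = re.compile(
    r'\\\{(?P<guid>[0-9a-f-]{36})\}\\shell\\AutoRun\\command.*?->\s*\[(?P<cmd>.*)\]\s*$', re.I)
# Run\"value name" -> path [path]
RUN_RE = re.compile(r'^Y[YN] -> "(?P<name>[^"]+)" -> .*?\[(?P<path>.*)\]\s*$')

# Folders a Run value on this machine may legitimately launch from (assumption).
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows", r"c:\programdata")
HEX_NAME_RE = re.compile(r"^[0-9A-F]{12,}$")


def mixed_case_ext(filename):
    """True for extensions like .ExE / .exE, a randomisation tell no installer leaves."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext != ext.lower() and ext != ext.upper()


def triage_autorun(guid, cmd):
    tokens = cmd.split()
    target = tokens[-1] if tokens else ""   # ShellExec_RunDLL launches the last token
    reasons = []
    if "shellexec_rundll" in cmd.lower():
        reasons.append("rundll32 ShellExec_RunDLL used to launch the payload")
    if mixed_case_ext(target):
        reasons.append("randomised mixed-case extension")
    if re.match(r"^[A-Za-z]:", target):
        drive = target[:2].upper()
        if drive != "C:":
            reasons.append(f"binary lives on removable drive {drive}")
    else:
        reasons.append("relative path: binary lives on the mounted volume itself")
    return {"kind": "MountPoints2 AutoRun", "key": guid, "target": target, "reasons": reasons}


def triage_run(name, path):
    reasons = []
    if HEX_NAME_RE.match(name):
        reasons.append("value name is a random hex string")
    if not path.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("executable outside Program Files / Windows (check for lookalike folders)")
    return {"kind": "Run value", "key": name, "target": path, "reasons": reasons}


def triage(lines):
    """Return one finding per suspicious line; lines with no reasons are dropped."""
    findings = []
    for line in lines:
        m = AUTORUN_RE.search(line)
        if m:
            finding = triage_autorun(m["guid"], m["cmd"])
        else:
            m = RUN_RE.match(line)
            if not m:
                continue
            finding = triage_run(m["name"], m["path"])
        if finding["reasons"]:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OTS):
        print(f"{f['kind']}: {f['key']} -> {f['target']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

The MountPoints2 keys only record what Explorer saw on each volume; deleting them (as the fix does) stops the stale command from running, but the `JaiJaeQ.exE`-style files are still on the USB sticks themselves, which is why the drives also need to be cleaned before being plugged back in.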
All Processes Killed
[Driver Services - Safe List]
Error: No service named MpKsl7bb8f3db was found to stop!
Service\Driver key MpKsl7bb8f3db not found.
File not found.
Error: No service named Avgtdix was found to stop!
Service\Driver key Avgtdix not found.
File not found.
Error: No service named Avgrkx86 was found to stop!
Service\Driver key Avgrkx86 not found.
File not found.
Error: No service named AVGIDSShim was found to stop!
Service\Driver key AVGIDSShim not found.
File not found.
Error: No service named AVGIDSFilter was found to stop!
Service\Driver key AVGIDSFilter not found.
File not found.
Error: No service named AVGIDSEH was found to stop!
Service\Driver key AVGIDSEH not found.
File not found.
Error: No service named AVGIDSDriver was found to stop!
Service\Driver key AVGIDSDriver not found.
File not found.
[Registry - Safe List]
File C:\PROGRAM FILES\AVG\AVG10\FIREFOX not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{DBC80044-A445-435b-BC74-9C25C1C588A9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{DBC80044-A445-435b-BC74-9C25C1C588A9}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\MRI_DISABLED\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\{0BF43445-2F28-4351-9252-17FE6E806AA0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{0BF43445-2F28-4351-9252-17FE6E806AA0}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_USERS\S-1-5-21-3570320739-1737594718-479680718-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_USERS\S-1-5-21-3570320739-1737594718-479680718-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AvgUninstallURL not found.
Registry value HKEY_USERS\S-1-5-21-3570320739-1737594718-479680718-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\B8FD6570F25AE774 deleted successfully.
C:\ProgData\ProgData.exe moved successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{0ee002ea-d3c3-11dd-8bbe-001e68eb7212}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{0ee002ea-d3c3-11dd-8bbe-001e68eb7212}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{0ee002ea-d3c3-11dd-8bbe-001e68eb7212}\shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{0ee002ea-d3c3-11dd-8bbe-001e68eb7212}\shell\AutoRun\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4a981831-d2df-11dd-b733-001e68eb7212}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{4a981831-d2df-11dd-b733-001e68eb7212}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4a981831-d2df-11dd-b733-001e68eb7212}\shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{4a981831-d2df-11dd-b733-001e68eb7212}\shell\AutoRun\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{6f554c96-c747-11de-8838-00238b0fe603}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{6f554c96-c747-11de-8838-00238b0fe603}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{6f554c96-c747-11de-8838-00238b0fe603}\shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{6f554c96-c747-11de-8838-00238b0fe603}\shell\AutoRun\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8a486086-f0b4-11de-be4c-00238b0fe603}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{8a486086-f0b4-11de-be4c-00238b0fe603}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8a486086-f0b4-11de-be4c-00238b0fe603}\shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{8a486086-f0b4-11de-be4c-00238b0fe603}\shell\AutoRun\command not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{9aac6711-dd08-11de-aac1-00238b0fe603}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{9aac6711-dd08-11de-aac1-00238b0fe603}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{9aac6711-dd08-11de-aac1-00238b0fe603}\shell\AutoRun\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2{9aac6711-dd08-11de-aac1-00238b0fe603}\shell\AutoRun\command not found.
[File - Lop Check]
C:\Users\Owner\AppData\Roaming\AVG10\cfgall folder moved successfully.
C:\Users\Owner\AppData\Roaming\AVG10 folder moved successfully.
[Custom Items]
========== FILES ==========
C:\ProgData folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
c:\Users\Owner\Downloads\cmd.bat deleted successfully.
c:\Users\Owner\Downloads\cmd.txt deleted successfully.
C:\PROGRAM FILES\AVG\AVG10\Toolbar folder moved successfully.
C:\PROGRAM FILES\AVG\AVG10\Notification folder moved successfully.
C:\PROGRAM FILES\AVG\AVG10\Icons folder moved successfully.
C:\PROGRAM FILES\AVG\AVG10 folder moved successfully.
C:\PROGRAM FILES\AVG folder moved successfully.
[Empty Temp Folders]
User: All Users
User: Cory
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Owner
->Temp folder emptied: 634093 bytes
->Temporary Internet Files folder emptied: 49648803 bytes
->Java cache emptied: 8149103 bytes
->FireFox cache emptied: 48404192 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 2006311 bytes
User: Public
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 62628978 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 9583937 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
RecycleBin emptied: 456 bytes
Total Files Cleaned = 173.00 mb
[EMPTYFLASH]
User: All Users
User: Cory
User: Default
->Flash cache emptied: 0 bytes
User: Default User
->Flash cache emptied: 0 bytes
User: Owner
->Flash cache emptied: 0 bytes
User: Public
Total Flash Files Cleaned = 0.00 mb
Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 04082011_134806
Files\Folders moved on Reboot…
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.
Registry entries deleted on Reboot…
Looks good to me - but more to the point, how is the system - any more alerts?
So far so good! I will repost here in this thread if it comes back. You are a god-like computer genius! ;D Thanks!
Once you are happy then run OTS and hit the cleanup button ;D