scan logs
Do you have more info…
I’m sorry, kinda new to all this…
The reason I’ve grown suspicious is because of several odd incidents involving Avast! firewall randomly turning itself off and forcing me to do a clean install because I was unable to turn it back on. After doing a clean install I was warned by Avast that “a program is trying to make changes to avast”, which led me to look into my network connections, where I found a random connection to a website that goes by “mark.handbookforhandymen.com” with the IP of 198.105.212.228. It connects every time my computer makes a connection to the web, which I found very strange. It’s a website I’ve never visited or even looked up. After noticing this I set my firewall to “ask” whenever a program tried to phone home; after doing so I noticed several programs disguised as Windows processes trying to get through, all of which were unsigned. I also noticed several new Windows firewall rules for programs I don’t use & never have. I checked it the night previous and none of the rules were present; they just appeared out of nowhere the next day.
Mallow
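The three things the post above checks by hand (who owns each outbound connection, whether that image is signed, and which firewall rules are new since last boot) can be gathered in one pass. The script below is an added example written for this thread, not anything posted by the forum members or shipped with Avast. It assumes a Windows 8/10-era PowerShell with the NetTCPIP and NetSecurity modules; the suspect IP is the one named in the post, the "masquerade" process-name list and the `C:\triage` snapshot folder are constructed for the example.

```powershell
# Added example (not from the thread): triage outbound connections and firewall rules.
# Run from an elevated PowerShell prompt so process paths and rules are all visible.

$suspectHosts  = @('198.105.212.228')                              # IP named in the post
$windowsNames  = 'svchost','csrss','lsass','winlogon','explorer','services'  # constructed list
$snapshotDir   = 'C:\triage'                                        # constructed path

function Get-ConnectionReport {
    # One row per established TCP connection: owning process, image path, signature status,
    # and a Flag when the image is unsigned, masquerades as a Windows process outside
    # %SystemRoot%, or talks to one of the suspect hosts.
    $conns = Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin '127.0.0.1','::1' }
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $path = $proc.Path
        $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
        $masq = ($proc.ProcessName -in $windowsNames) -and ($path) -and
                ($path -notlike "$env:SystemRoot\*")
        [pscustomobject]@{
            Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
            Pid       = $c.OwningProcess
            Process   = $proc.ProcessName
            Path      = $path
            Signature = $sig
            Flag      = ($sig -ne 'Valid') -or $masq -or ($c.RemoteAddress -in $suspectHosts)
        }
    }
}

function Save-FirewallSnapshot {
    # Write every rule with its program path to a timestamped CSV and return the file path.
    New-Item -ItemType Directory -Path $snapshotDir -Force | Out-Null
    $file = Join-Path $snapshotDir ('fwrules-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
    Get-NetFirewallRule | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name = $_.Name; DisplayName = $_.DisplayName; Enabled = $_.Enabled
            Direction = $_.Direction; Action = $_.Action; Program = $app.Program
        }
    } | Export-Csv -Path $file -NoTypeInformation
    return $file
}

function Compare-FirewallSnapshot {
    # Rules present in the newest snapshot but absent from the previous one.
    $files = Get-ChildItem (Join-Path $snapshotDir 'fwrules-*.csv') | Sort-Object LastWriteTime
    if ($files.Count -lt 2) { Write-Host 'Need two snapshots to compare.'; return }
    Compare-Object (Import-Csv $files[-2].FullName) (Import-Csv $files[-1].FullName) `
        -Property Name,DisplayName,Program |
        Where-Object SideIndicator -eq '=>' | Select-Object Name,DisplayName,Program
}

# Usage: run once now, again after the next reboot, and read the two reports.
Get-ConnectionReport | Sort-Object Flag -Descending | Format-Table -AutoSize
$null = Save-FirewallSnapshot
Compare-FirewallSnapshot | Format-Table -AutoSize
```

Note that, as Essex points out later in the thread, Avast's own service proxies scanned traffic, so a connection listed under AvastSvc.exe does not identify the program that originated it; the signature and path columns are the useful part for that case, and the firewall diff is what catches rules that "just appeared" between boots.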
Did you install Private Internet Access? As that is making a lot of connections and there are some concerns about it https://www.privateinternetaccess.com/forum/discussion/790/questions-regarding-the-backround-network-scans-of-rubyw-exe
Otherwise I can see nothing of import on your system
Hey Essex!
Thanks so much for your reply & thanks for the link, made for a good read. Sadly PIA isn’t the culprit in this case, I tested it with PIA completely disabled and for whatever reason it was still pinging that damn website. Might be a new form of Mal or Trojan, is it possible I’ve become victim to some sort of custom attack? Because what I’ve been experiencing doesn’t seem typical of “normal” malware. My main concern was a possible back door trojan/remote attack; if this is the case, what kind of measures can I take to figure out if this is the case? I’m in no rush to reformat my system since the problem has persisted through two clean installs. I did a Google search and I noticed another Avast! member is experiencing the same http connection: https://forum.avast.com/index.php?topic=159284.0
Mallow
EDIT: Since the logs show nothing of great importance is it possible to delete them?
This worked for the other user
Download Avast Uninstall Utility to your Desktop.
Download the correct version of Avast
Avast Free
Avast Pro
Avast Internet Security
Avast Premier
Disconnect from the net
Uninstall Avast via control panel
Run the uninstall tool and accept the reboot to safe mode
Once complete reboot your system
Reinstall Avast
Essex!
Thanks, that worked like a charm for a few days. Just today something hijacked my Avast! again! After doing the clean install I noticed how clean my network was, even with PIA running. I’ve made it a habit to check the NetConnect every time I reboot my computer; for a few days it was smooth sailing but today sh-t hit the fan! Once again AvastSvc.exe was showing a list of all sorts of random connections including the infamous mark.handbookforhandymen.com. I can’t figure out what the catalyst is, something must be causing this. One thing I did notice was the black driver screen just before the Windows splash screen counted 4-5 times, usually it only does a 3 count and splash. After noticing this I ran a boot-time scan & two different rescue discs with zero results, this is all on a fresh install of Windows. Has the Avast team looked into what could be causing this?
The thing is Avastsvc is basically a proxy for all traffic irrespective of where it originates as it scans it
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that
FRST fix log.
I probably should have noted that I already did a clean install before posting, don’t know if that makes a difference?
Hey Essex!
I believe I’ve found the catalyst, it’s a MBR or spyware of some sort, although I can be SURE. I’ve been doing all sorts of stuff to recreate the event and it only seems to occur after every other system re-boot, this might explain some of the random restart messages I’ve been getting. It’s loading a system restore point to roll my PC back to the point of infection. Whenever this occurs everything on Avast is reset, Firewall, webshields etc, and so are things on my PC/browser. When Avast is running as it should the UI states “secure DNS cannot run on this network” and when it doesn’t say that, it’s usually an indication to me that mark.thehandyman is back, HA. I’ve done clean installs of Windows & secure erases of all my drives, yet this issue still persists. Something’s gotta give, I’ve figured out the cause & effect but how can we go about finding the source? I most certainly think this is worth some investigation by Avast!
Also, I ran another Farbar system report after I triggered the event, it came up with less info than the first one.
BITSADMIN version 3.0 [ 7.5.7601 ] BITS administration utility. (C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
0 out of 0 jobs canceled.
========= End of CMD: =========
EmptyTemp: => Removed 46.8 MB temporary data.
The system needed a reboot.
==== End of Fixlog ====
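The fixlist's `bitsadmin /reset /allusers` cancels every BITS job blind, and the log notes that the supported tooling is now the BITS PowerShell cmdlets. Because BITS jobs survive reboots and can carry a command to run on completion, a defender usually wants to see what is queued before cancelling it. The script below is an added example for this thread (not the FRST fix, not Avast code); it assumes the `BitsTransfer` module on a Windows 7+ system, needs an elevated prompt for `-AllUsers`, and the allowlist of update hosts is constructed and should be adjusted to your environment. The `NotifyCmdLine` property is read defensively because it is not present on every Windows build.

```powershell
# Added example (not from the thread): inspect BITS jobs for all users before resetting them.
# Run elevated; Get-BitsTransfer -AllUsers requires administrator rights.
Import-Module BitsTransfer

# Constructed allowlist: hosts a job may legitimately pull from on this machine.
$knownHosts = 'windowsupdate.com','microsoft.com','avast.com'

function Get-BitsJobReport {
    # One row per file in every job (or one row for a job with no files), with the
    # remote URL, local target and any completion command the job would run.
    Get-BitsTransfer -AllUsers | ForEach-Object {
        $job   = $_
        $files = @($job.FileList)
        if ($files.Count -eq 0) { $files = @($null) }
        foreach ($f in $files) {
            [pscustomobject]@{
                JobId       = $job.JobId
                Owner       = $job.OwnerAccount
                DisplayName = $job.DisplayName
                Type        = $job.TransferType
                State       = $job.JobState
                Created     = $job.CreationTime
                RemoteUrl   = $f.RemoteName
                LocalPath   = $f.LocalName
                # Assumed property: present on newer builds, null elsewhere.
                NotifyCmd   = ($job.PSObject.Properties['NotifyCmdLine']).Value -join ' '
            }
        }
    }
}

function Test-SuspiciousBitsJob {
    param([Parameter(ValueFromPipeline)] $Row)
    process {
        # A row is suspicious when it downloads from a host outside the allowlist
        # or carries a completion command; jobs with no remote URL are left unflagged.
        $remoteHost = $null
        if ($Row.RemoteUrl) { try { $remoteHost = ([uri]$Row.RemoteUrl).Host } catch { } }
        $known = $false
        if ($remoteHost) {
            $known = [bool]($knownHosts | Where-Object { $remoteHost -eq $_ -or $remoteHost -like "*.$_" })
        }
        $flag = ($remoteHost -and -not $known) -or [bool]$Row.NotifyCmd
        $Row | Add-Member -NotePropertyName Suspicious -NotePropertyValue $flag -PassThru
    }
}

# Usage: review first, then cancel only what you have decided to cancel.
$report = Get-BitsJobReport | Test-SuspiciousBitsJob
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# To cancel every flagged job (the PowerShell equivalent of the fixlist's reset,
# narrowed to the suspicious ones), uncomment the next line:
# $report | Where-Object Suspicious | ForEach-Object { Get-BitsTransfer -AllUsers | Where-Object JobId -eq $_.JobId } | Remove-BitsTransfer
```

On the machine in this thread the reset cancelled "0 out of 0 jobs", which is exactly the result this listing would have shown up front; the value of running the report rather than the reset is that, when jobs do exist, the remote URL and owner account are preserved for the log instead of being discarded.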
Do you know why it is restoring ? Is there any indication on the warning ?
Download the latest version of TDSSKiller from here and save it to your Desktop.
Double-click on TDSSKiller.exe to run the application
https://dl.dropbox.com/u/73555776/tdss%20start.JPG
Then click on Change parameters.
https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG
Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.
Click the Start Scan button.
If a suspicious object is detected, the default action will be Skip, click on Continue.
https://dl.dropbox.com/u/73555776/tdss%20threat.JPG
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Get the report by selecting Reports
https://dl.dropbox.com/u/73555776/tdss%20report.JPG
Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
Hey Essex,
Again, thank you for your time. I don’t have the slightest clue why it’s restoring, no warnings or anything. Only thing I’ve noticed is the number of drivers it loads at the black screen just before splash; on a typical or normal boot it does a 3 count but when everything gets reset it does a 4-5 count and the screen will flash blue then black, which doesn’t occur usually.
Here’s the report, for once something actually turned up. I ran it a few times before this showed.
EDIT: It doesn’t offer a “Cure” option, it only shows Skip, Quarantine, Delete? I’ll wait for your instructions.
Nothing untoward there, could you disable secure DNS in Avast please?
Essex,
Disabled secure DNS.
Is it normal for that audio service to have no digital signature considering it comes from a reputable source? The rest of the creative files are Signed.
Yes that one has never been signed for some reason