Recurring popups from Avast

Hi

Not entirely sure what to do, I keep getting Avast popups telling me I have a Trojan horse blocked and also malware. It's discovering these files:

c:\users\NAME\AppData\Local\Temp\windowsupdate.exe
c:\windows\system32\services.exe
c:\windows\installer\{a6c7be3e-817e-5880-5561-c80d90d965d0}\U\000000cb.@

I have run Malwarebytes, AdwCleaner, and an Avast boot-time scan. Still getting the popups. I also noticed when I first booted up it said Windows 7 Non Genuine, which is not right and it has never said that before, since it is genuine :slight_smile: Anyone able to assist me with this? Thank you in advance. If I have not provided enough information just let me know what I need to post. Thank you! :cry:

Hi,
can you post the MBAM and AdwCleaner logs?
Thanks

Here is the AdwCleaner log; I'm not sure where to find the log for Malwarebytes.

Hi, it should be located at C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-yyyy-mm-dd .

There is nothing in that directory... ;/ I'm performing a re-scan with it now; I will make sure to save and upload the log.

Hi,
I will wait for you to post the log before I sleep.
Philip,

Sorry about the delay, my computer is not running at top performance at the moment with this stuff going on. Malwarebytes log, OTL, aswMBR, and RogueKiller logs attached.

Did not clean with these programs, only scan, as I am not totally sure as to what I'm doing.

Also here is my FSS scan log. Again, no cleaning or anything, just a scan.

Hi tweaker,

Your system has been infected by one or more Rootkits/Backdoor Trojans.

This may allow hackers to remotely control your computer, steal critical system information, and download and execute files.

More information on Remote Access Trojans can be found here.

I strongly suggest you do the following immediately:

[*] From a known clean computer, change all your online passwords – for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
[*] DO NOT change passwords or do any transactions while using the infected computer until it has been cleaned.

This tool should take care of most of it. We’ll check the services later and see which need to be fixed.

Please read through the instructions to familiarize yourself with what to expect when the tool runs.

It is vitally important that ComboFix is renamed before it is even started to download.

Please download ComboFix from Link 1 to your Desktop.

Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.

[*]If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to “Always ask me where to Save the files”.

[*]During the download, before you save it to your desktop, rename Combofix to jgh.exe

[*]It is important you rename Combofix during the download, but not after.
[*]Please do not rename Combofix to other names, but only to the one indicated.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


[*]Right click on ComboFix.exe (jgh.exe in your case), click Run as Administrator & follow the prompts.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. If after running ComboFix you receive a message "Illegal operation attempted on a registry key that has been marked for deletion" or similar, reboot the computer.

Please post back with
[*]combofix log
How is the computer?

Thanks

Well, so far since running ComboFix I have not had any warnings yet. The log is attached. This is the only PC I have access to; when will it be safe to go and change all my passwords?
Any other scans I should run and post the logs to be sure?

thanks

Hi tweaker,

Looks pretty good. Depending on what shows up in this scan you should be able to use your computer for changing the passwords.

Open OTL. Copy and paste the text in the code box into the window under Custom Scans/Fixes then click the Quick Scan button. Please post the log produced.


/md5start
MpSvc.dll
/md5stop


Next

Rerun Farbar Service Scanner. Make sure all the boxes are checked.

Please post back with
[*]OTL.txt
[*]FSS log

Ok, thank you for the help. Here are the 2 log files requested. ;D

Hi tweaker,

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to VirusTotal, please click on this link

VirusTotal

Use the Choose a file button to navigate to the following file(s) (one at a time if more than one file is listed)

Click on the file; it should appear in the box. Click Scan it!

C:\Program Files\Microsoft Security Clientrenamed\MpSvc.dll
C:\Program Files\Windows Defender\MpSvc.dll

Wait for the results and post them in your next reply. A link will be okay.

If it says the file has already been analysed, please click Reanalyse.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.

Next, right click on OTL.exe and choose Run as Administrator to run it
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
[*]Do Not copy the word CODE
[*]please note the fix starts with the :


:Services

:Files
C:\Windows\Installer\{a6c7be3e-817e-5880-5561-c80d90d965d0}\L
C:\Windows\Installer\{a6c7be3e-817e-5880-5561-c80d90d965d0}\U
C:\Windows\Installer\{a6c7be3e-817e-5880-5561-c80d90d965d0}

:Commands
[emptytemp]
[createrestorepoint]
[Reboot]

Then click the Run Fix button at the top

[*]Let the program run unhindered
[*]Please save the resulting log to be posted in your next reply.
Please post the OTL fix log and the VirusTotal results.

https://www.virustotal.com/en/file/f79d79d1ab950d2b917a1543004d417fd9dcc8830062729578a9a7b492d451d4/analysis/1368400644/ This is the first file.
The second one my PC would not give me permission to scan. Under the advanced permissions it says this:

No permissions have been assigned for this object.

Warning: this is a potential security risk because anyone who can access this object can take ownership of it. The object’s owner should assign permissions as soon as possible.

I tried to take ownership but it seems that I don't know what to put in for object name.

Will post the OTL log after reboot.

Hi Tweaker,

Did you ever have Microsoft Security Essentials installed?

Please post the log from the OTL fix. It can be found at C:\_OTL\MovedFiles. The log will be named with a series of numbers that reflect the time you ran it. Yours will be similar to 05122013_163456.log

Sorry for the delay, I have been extremely busy... Yes, I did have that installed at one time. I have not noticed any popups since I ran ComboFix. Here is the log. Thanks again and sorry for the delay.

Hi Tweaker,

No problem. We may have a sneaky one on our hands. Please copy and paste the text in the code box into a notepad.

REM Go to the root of the current drive so the listing covers the whole volume
CD \
REM /S recurses into every folder; /A:L lists only reparse points (junctions and symbolic links)
DIR /S /A:L > %USERPROFILE%\Desktop\JunctionPoints.txt
REM Open the saved listing by its full path (the current directory is now the drive root), then close this window
START %USERPROFILE%\Desktop\JunctionPoints.txt
EXIT

In the notepad click file > save as
[*]Make sure the Save as box is set to Desktop
[*]In the filename box type junction.bat
[*]click save
You should now have a file on your desktop named junction.bat. It will have an icon with a couple of gears in it.
[*]Right click the file and click Run as Administrator
[*]OK the UAC prompt
[*]A black window will open
[*]When the window closes (it may take a minute or 2) a notepad named junctionpoints.txt will open
[*]It will also be saved to your desktop
Please post the contents of junctionpoints.txt
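The listing that junction.bat produces has to be read by hand, and on a Windows 7 system it contains dozens of legitimate compatibility junctions alongside anything an infection planted. As an added example, not code from this thread or from any of the tools it mentions, here is a small Python parser for the `DIR /S /A:L` output format. It pulls out every junction and symbolic link with its target, then flags the ones a responder would look at first: links whose target is a `Windows\Installer\{GUID}` folder like the one in the Avast detection above, and links that sit under a system directory but redirect into a user profile. The sample listing, the link names, and the two flagging rules are constructed assumptions for this example, not entries from the poster's log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what `DIR /S /A:L` prints on Windows 7 (en-US locale).
# The link names and targets are made up for this example; only the
# Installer\{GUID} folder name is taken from the thread's Avast detection.
SAMPLE_DIR_OUTPUT = """\
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\\Users\\NAME

11/21/2010  03:24 AM    <JUNCTION>     Application Data [C:\\Users\\NAME\\AppData\\Roaming]
11/21/2010  03:24 AM    <JUNCTION>     Local Settings [C:\\Users\\NAME\\AppData\\Local]
               0 File(s)              0 bytes

 Directory of C:\\Windows\\System32

05/10/2013  11:02 PM    <JUNCTION>     config [C:\\Windows\\Installer\\{a6c7be3e-817e-5880-5561-c80d90d965d0}\\U]
07/13/2009  09:20 PM    <SYMLINKD>     spool [C:\\Users\\NAME\\AppData\\Local\\Temp]
               0 File(s)              0 bytes
"""

# "Directory of <path>" header that DIR prints before each folder's entries
DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# Entry line for a reparse point: date, time, <KIND>, link name, then [target]
LINK_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+"
    r"<(JUNCTION|SYMLINKD|SYMLINK)>\s+(.+?) \[(.+)\]\s*$"
)
# A Windows Installer package folder, e.g. C:\Windows\Installer\{GUID}
INSTALLER_GUID_DIR = re.compile(r"\\Windows\\Installer\\\{[0-9a-f-]{36}\}", re.IGNORECASE)
# Directories where a link redirecting into a user profile is unexpected (assumption)
SYSTEM_ROOTS = ("c:\\windows", "c:\\program files")


@dataclass
class ReparsePoint:
    directory: str    # folder the link lives in
    kind: str         # JUNCTION, SYMLINKD or SYMLINK
    name: str
    target: str
    reason: str = ""  # filled in by flag_suspicious when something looks wrong

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name


def parse_dir_links(listing: str) -> List[ReparsePoint]:
    """Extract every reparse point from a `DIR /S /A:L` listing."""
    points: List[ReparsePoint] = []
    current_dir = ""
    for line in listing.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group(1)
            continue
        entry = LINK_LINE.match(line)
        if entry:
            kind, name, target = entry.groups()
            points.append(ReparsePoint(current_dir, kind, name, target))
    return points


def classify(point: ReparsePoint) -> Optional[str]:
    """Return a reason string if the link deserves a closer look, else None."""
    if INSTALLER_GUID_DIR.search(point.target):
        return "target is a Windows\\Installer\\{GUID} folder"
    in_system_dir = point.directory.lower().startswith(SYSTEM_ROOTS)
    if in_system_dir and point.target.lower().startswith("c:\\users\\"):
        return "link under a system directory redirects into a user profile"
    return None


def flag_suspicious(points: List[ReparsePoint]) -> List[ReparsePoint]:
    """Keep only the links classify() complains about, recording the reason."""
    flagged = []
    for point in points:
        reason = classify(point)
        if reason:
            point.reason = reason
            flagged.append(point)
    return flagged


if __name__ == "__main__":
    links = parse_dir_links(SAMPLE_DIR_OUTPUT)
    print(f"{len(links)} reparse points found")
    for p in flag_suspicious(links):
        print(f"SUSPECT {p.kind:<8} {p.path} -> {p.target}  ({p.reason})")
```

To use it on a real JunctionPoints.txt, read the file (DIR writes it in the console code page, so open it with `encoding="cp437"` or `errors="replace"`) and pass the text to `parse_dir_links`. The two rules are deliberately narrow; the per-user `Application Data` and `Local Settings` junctions in the sample are normal on Windows 7 and are left alone, while anything pointing into an Installer\{GUID} folder or pulling a system path into a profile is surfaced for the helper to check.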

Here it is –

Thanks

Hi tweaker,

Haven’t forgotten about you. You are infected with a newer infection. There are also some strange entries in the log which I need to dig into a bit more so we can safely remove the infection.

Please bear with me while I come up with a safe way of doing this. Is your computer a Dell by any chance?

Hi, thanks for getting back to me. No, it's an HP. If there's any of the entries I might be able to shed some light on, ask away. Glad I'm at least not getting any popups from Avast telling me of infection.