Have tried everything you’ve suggested to identify or remove the virus that continues to try to disable. Give up and logs submitted. Thanks for the help.
removers are notified…
I’m on it…
Hello and welcome to avast! 8)
* I will be working on your malware issues; this may or may not solve other issues you have with your machine.
* The fixes are specific to your problem and should only be used for this issue on this machine.
* If you don’t know or understand something, please don’t hesitate to ask.
* Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
* Please DO NOT run any other tools or scans whilst I am helping you.
* It is important that you reply to this thread. Do not start a new topic.
* Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
* Absence of symptoms does not mean that everything is clear.
Go to this website and download Norton/Symantec AV uninstaller tool
http://singularlabs.com/uninstallers/security-software/
Step#1
I’ve seen in the logs that you have been running Combofix.
Please read:
http://www.techsupportforum.com/1829551-post6.html
http://www.bleepingcomputer.com/forums/topic273628.html
Go to systemroot and attach here Combofix.txt log (C:\Combofix.txt)
Step#2
Download TDSSKiller and save it to your desktop
Execute TDSSKiller.exe by double-clicking on it.
* Press Start Scan
* If Suspicious object is detected, the default action will be Skip, click on Continue.
* If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
Step#3
Re-run OTL.exe.
* Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:Otl
IE - HKLM\..\SearchScopes\{70C86F76-E4B6-4E11-9B7A-9848EAA197B8}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
IE - HKU\S-1-5-21-2953605135-911462948-2874655733-1000\..\SearchScopes\{70C86F76-E4B6-4E11-9B7A-9848EAA197B8}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
O2 - BHO: (SelectionLinksBHO Class) - {300BEC06-B743-4D19-86B9-11DC711D7FFB} - C:\Program Files\OApps\SelectionLinks.dll File not found
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
:files
C:\Program Files\ESET
:commands
[CREATERESTOREPOINT]
[emptytemp]
* Then click the Run Fix button at the top.
* Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
Step#4
C:\Users\Jan\Desktop\adwcleaner.exe
Run AdwCleaner.
* Click on [Delete]. Wait until the programme completes its work.
The program will close all active programs. Click OK to confirm that.
On the next two windows that open ( Informations and Restart required ) click OK
* The computer will restart and open a notepad (C:\AdwCleaner[S1].txt) with the report.
* Save the notepad report on the Desktop
* Please attach here C:\AdwCleaner[S1].txt
Note: The report will also be stored on C:\AdwCleaner[S1].txt
Step#5
Re-run OTL, just click on QuickScan and attach here fresh OTL.txt logreport.
I removed the Norton Symantec applications but can’t find the combofix log either. I’m afraid I don’t know how to get to systemroot. Sorry for being such a pinhead.
I can find no sign of combofix or its log on my computer.
All other requested files are attached.
Again, thank you for your help.
Hi,
Your systemroot partition is C:
Do you have CF log (txt document) on C:\ partition? C:\Combofix.txt ?
Have tried everything you've suggested to identify or remove the virus that continues to try to disable.
What exactly is the problem you have?
Why do you think you have a virus or some other malware?
Please describe your problem once more.
And, tell me how is your computer running now?
Did finally find combofix.txt. It’s an old file from October but it’s the only one on the system.
Problem is that every time the computer boots up, it goes dark then gives me the notification that an application is trying to disable Avast. In addition, online activity has slowed to a crawl (maybe a quick crawl).
I’ve run MalWarebytes twice and it’s not detecting anything.
Ok, first check if you have the following avast logs:
…go to avast report folder and attach here BehaviorShield.txt and FileSystemShield.txt avast logreport
C:\ProgramData\AVAST Software\Avast\report\BehaviorShield.txt
… report\FileSystemShield.txt
…go to avast logs folder and attach here selfdef.txt avast logreport
C:\ProgramData\AVAST Software\Avast\log\selfdef.txt
Additional diagnostics
Go here and follow instructions for running RogueKiller
http://forum.avast.com/index.php?topic=53253.0
Attach here all RKreport.txt logreports.
Primary diagnosis 1
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr
Double click dds to run the tool.
* When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop. DDS.txt and Attach.txt attach back to topic.
Primary diagnosis 2
Re-run OTL.exe.
* Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
NETSVCS
BASESERVICES
%SYSTEMDRIVE%\*.exe
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT
* Then click the RunScan button at the top.
* Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
AntiRootkit diagnosis
Download GMER, an AntiRootkit tool, from the link below and save it to your Desktop:
Double-click to run GMER.
* Wait for the initial scan to finish - if there is any query, click No;
* Click Scan and wait until the full scan is complete;
* Click Save … - save the report to the Desktop (called Gmer1);
// note: the scan for Gmer1 log may take some time
* Right-click in the GMER window and select Options > Only non MS files - click Scan;
* After a fast scan, click Save … - save the report to the Desktop (called Gmer2);
Attach here Gmer1 and Gmer2 logreports.
There are no Avast log files on my machine. The path is different, i.e. Alwil Software/Avast 5, but I thoroughly checked the system for log files related to Avast - nada
First batch of other log files attached
2nd batch of logs
Re-run OTL.exe.
* Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:Otl
SRV - File not found [Disabled | Stopped] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Service)
@Alternate Data Stream - 162 bytes -> C:\ProgramData\TEMP:25ADEE69
@Alternate Data Stream - 149 bytes -> C:\ProgramData\TEMP:D1B5B4F1
@Alternate Data Stream - 122 bytes -> C:\ProgramData\TEMP:2AEBCB5B
:files
C:\Program Files\mozilla firefox\components\coFFPlgn.dll
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
:commands
[CREATERESTOREPOINT]
[emptytemp]
* Then click the Run Fix button at the top.
* Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
PS: If the log doesn’t appear, it can be found here:
c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log
It didn’t reboot but log attached
Hi,
C:\Program Files\Viewpoint <---- delete folder manually.
How is your computer running now? Any avast warnings?
Re-run OTL, just click on QuickScan and attach here fresh OTL.txt log
This is getting discouraging.
I’d seen the Viewpoint reference on one of the reports and had been looking for it - nada. There’s no trace of it on the computer.
Yesterday, after bootup there was no attempt to disable Avast shields. Today there was.
Also wondering if I don’t have a rogue toolbar issue now because when I clicked on a desktop icon, a totally random page regarding bedbugs opened. It had also not been doing this before.
OTL log attached but I totally understand if you can’t afford to waste any more time on this particularly since we seem to be falling behind the power curve.
Thank you very much for everything you have done.
If you get a chance, next time do a screenshot of that message that avast pops up…
Step#1
Download this file:
http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE
Double-click the file to run it. When the tool completes, it may reboot your machine.
Step#2
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.
How to disable avast:
* Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
* In the window that opens on the top right corner, click Settings.
* In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
* Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
* In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.
When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach log reports ( ComboFix.txt) back to topic.
Combofix log attached
Will try to get you screen print tomorrow although Snipper (?) and Sh+PrtSc appear to be inaccessible when the message is displayed
Open notepad and copy/paste the text present inside the code box below:
Folder::
c:\users\Jan\AppData\Local\Coupon Companion Plugin
C:\Program Files\Viewpoint
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
DDS::
Trusted Zone: agentxsites.com
Trusted Zone: alamode.com
Trusted Zone: almsr.com
Trusted Zone: appraiserxsites.com
Trusted Zone: bing.com
Trusted Zone: brokerxsites.com
Trusted Zone: certmail.com
Trusted Zone: doccentral.com
Trusted Zone: flexapp1003.com
Trusted Zone: fnismls.com
Trusted Zone: getmedianow.com
Trusted Zone: inspectorxsites.com
Trusted Zone: interflood.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: listingsxpress.com
Trusted Zone: live.com
Trusted Zone: mappoint.net
Trusted Zone: mortgagexsites.com
Trusted Zone: rdesk.com
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
Trusted Zone: rexplorer.net
Trusted Zone: safemls.net
Trusted Zone: showingtime.com
Trusted Zone: sitexdata.com
Trusted Zone: spellchecker.net
Trusted Zone: topproducer8i.com\www
Trusted Zone: topproduceronline.com\www
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: virtualearth.net
Trusted Zone: xmlsweb.com
Trusted Zone: xsitesnetwork.com
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
ComboFix file attached
I hope that “Coupon Companion” (which I didn’t knowingly request) plug-in may be the problem
Hi,
Do you still have avast pop-up warnings? If you do, please attach here a screenshot of that pop-up so I can see what the problem is.
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr
Double click dds to run the tool.
* When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop. DDS.txt and Attach.txt attach back to topic.
Re-run OTL, just click on RunScan button and attach here fresh OTL.txt logreport.