Cockos Incorporated Forums > REAPER Forums > REAPER General Discussion Forum

Old 11-10-2015, 03:03 PM   #1
Bob Headroom
Human being with feelings
 
Join Date: Apr 2008
Location: UK
Posts: 262
Default Help with a potential trojan/virus on laptop - MSIL9.AFQI

Hi all

I feel like a complete arse doing this....! After having problems with my DAW PC and receiving great help on this forum, I'm now having trouble on my girlfriend's laptops which I sometimes also use. So I'm back again for more PC help! Neither my previous thread nor this one is strictly speaking DAW related, let alone Reaper related. But everyone was so kind and helpful last time (especially innuendo - thanks again mate) that I turn to you again this time....

If this is not the right forum for this kind of stuff, I'm more than happy to move on....

OK, so here's the problem:

1. Twice today I have had an AVG window come up to tell me I have some Trojan Horses. They are named MSIL9.AFQI, and then there is a list of several .dll files in AppData > Local > Temp. However, when I navigate to this folder I cannot see any of the files there. Also, if I open AVG there is no mention of any of this in the program. It is only mentioned on this pop up window. I thought this was strange so I did not click on "Fix" in case it is not genuine. I just couldn't understand why the info/warning would not be visible when I actually open AVG.

2. Because of this, I have been digging about on my laptop. In Program Files there is a folder called AVG Web TuneUp. Control Panel says it was installed on 05/10/2015. I don't think it was me who installed it and so I'm wondering if this might have anything to do with it? Even if it has not, it would still be good to know how it got there and what I should do about it.

3. In System Config > Start Up there is an item: VProtect Application. It says manufacturer Unknown. Again, could this be anything to do with it, and if not is it the sign of any problem?

I posted about all this on the AVG forum about an hour or so ago. I have since received an email from them offering to help me via remote support: "You will be able to watch the progress and chat with the technician until the issue is resolved to your satisfaction." It all seems legit, but it just does not add up that I would receive such an offer so quickly from them, especially seeing as I use the free version only.

So I feel a bit lost and am starting to get a bit paranoid about it all. I've no idea if all of mine and my girlfriend's data and - more importantly - bank log on details etc are safe. I'm not sure if it is all some kind of hoax or a real trojan horse/virus. And I've no idea why AVG support is being so amazingly effective and kind (being paranoid I turned down the offer for remote support and chose to go for email support instead).

Any help would be most gratefully received.

Many thanks

Max
Old 11-10-2015, 03:16 PM   #2
jonesg
Human being with feelings
 
Join Date: Mar 2015
Posts: 47
Default

No, you're doing it all wrong. Trojans are not that obvious; they get buried deeper into the system.

Download malwarebytes (free) and run it, it will clean all the adware up.
http://www.downtoad.com/landing/yaho...w=Malwarebytes
Old 11-10-2015, 03:23 PM   #3
LightOfDay
Banned
 
Join Date: Jun 2015
Location: Lower Rhine Area, DE
Posts: 964
Default

Don't know for sure, of course, but that all looks like someone has hijacked your computer. These messages all surely do not come from AVG, and a folder "AVG web tuneup" or similar is not from AVG. The call you got might be fake also. I would post that story on the AVG forum as well. This all looks like a fraud and you shouldn't let them have access to your computer.

What you can do is run Malwarebytes first. That should give you some insight or solve the problem altogether.

Another thing you can run is HijackThis.

That the real AVG hasn't rung an alarm makes it possible that AVG itself was hijacked and compromised.

If you find that you can't download Malwarebytes or can't run it, then you are in serious trouble, which means that the laptop is probably compromised beyond any chance of repair, which means: clean new install. But that's a wild guess at this stage.

First try Malwarebytes. After that you know for sure what's up.
Old 11-10-2015, 03:25 PM   #4
Bob Headroom
Human being with feelings
 
Join Date: Apr 2008
Location: UK
Posts: 262
Default

Hi there

I already have that. I ran it, along with the AVG scan and SUPERAntiSpyware scan. None of them found anything.... And since running the scans, the warning popped up for the second time.

An update also: I have had an email back from AVG. They said they cannot offer the support via email but that they can fix the problem via remote support. The penny then dropped and I presumed there would be a massive charge for it. So I asked and have been told the service is free. Are AVG really this good as a company? Letting me use their free software for many years and then offer me FREE remote support within ONE HOUR of me posting a question in their forums? Is this for real? Am I too sceptical?
Old 11-10-2015, 03:25 PM   #5
cyrano
Human being with feelings
 
Join Date: Jun 2011
Location: Belgium
Posts: 5,246
Default

This seems a bad one. The name is not known to AV scanners. Might be a scam.

1) It probably already disabled parts of your AV scanner.

2) I think this is part of a webscan.

3) That's part of AVG.

i don't know about the mail. I've never experienced that level of support from them, but I don't visit their forum either. Post headers?

EDIT: disregard the "howtoremove guide" website. The site itself is a scam, stealing content from legitimate sites and then directing you to download malware. See:

http://phishlist.com/howtoremove-guide/

Last edited by cyrano; 11-10-2015 at 03:34 PM.
Old 11-10-2015, 03:35 PM   #6
grinder
Human being with feelings
 
Join Date: Jan 2009
Location: New Zealand
Posts: 2,905
Default

AVG Web Tuneup seems legit on a google search

VProtect Application Brings up nothing that relates to computer software on a google search that I could see.

Grinder
Old 11-10-2015, 03:37 PM   #7
cyrano
Human being with feelings
 
Join Date: Jun 2011
Location: Belgium
Posts: 5,246
Default

Quote:
Originally Posted by Max Dread View Post
I have had an email back from AVG. They said they cannot offer the support via email but that they can fix the problem via remote support. The penny then dropped and I presumed there would be a massive charge for it. So I asked and have been told the service is free. Are AVG really this good as a company? Letting me use their free software for many years and then offer me FREE remote support within ONE HOUR of me posting a question in their forums? Is this for real? Am I too sceptical?
I don't think you're being too sceptical, since the only mention of a trojan by that name on the entire internet comes from one scam site...

Mail info@avg yourself? They might be interested to hear someone is using their name in a scam?

Also, is your email visible on the AVG forum? If not, how did the scammers get it?

Whatever you do, don't allow remote access. You'll probably end up paying 150 $ to get the key to some cryptoware locker.
Old 11-10-2015, 03:49 PM   #8
Bob Headroom
Human being with feelings
 
Join Date: Apr 2008
Location: UK
Posts: 262
Default

Hmmmm... strange indeed.

I've just come across this page where in the comments it seems some other people have had the same thing happen today:

http://www.avgthreatlabs.com/ww-en/v...ion/info/msil/

With regard the emails from AVG.... Just to be clear, I went to their forums first to post my concerns and seek help. Here's the link:

https://support.avg.com/answers?dt=l...00000008rKCAAY

It was after that that they emailed me, as per post 4 ("I have sent you an email to fix this issue").

@cyrano - post headers? What and how should I do this?

@grinder. Yeah, I looked and found also that AVG Web Tuneup seems legit. I've just got no idea how it ended up on the laptop. Neither of us installed it. Certainly not last month! The only thing I can think is that it might have been installed as part of AVG a longer while ago and that the date it is showing for "installed on" is wrong.

VProtect Application - I've only looked into it briefly as I'm buzzing around at the moment like a moth around a light bulb. I think some people say it is legit and part of AVG, while others disagree. I'll have to look into that some more.

@cyrano - it seems the guy on the forum is also the guy emailing the support. As mentioned above, he even says in the forum thread that he is going to email me. It's all very weird. If it is a scam, then the guy is doing a damn good job of disguising himself as a AVG support rep.

Thanks guys. This Reaper forum never ceases to amaze and impress me.
Old 11-10-2015, 03:51 PM   #9
cyrano
Human being with feelings
 
Join Date: Jun 2011
Location: Belgium
Posts: 5,246
Default

Another site that crops up that is absolutely to be avoided:

"ransomwareanalysis dot com".

Promises stuff like a cryptoware remover that is just another RAT.

You've been hit by a large scam operator, not a virus.
Old 11-10-2015, 04:05 PM   #10
cyrano
Human being with feelings
 
Join Date: Jun 2011
Location: Belgium
Posts: 5,246
Default

Quote:
Originally Posted by Max Dread View Post
@cyrano - post headers? What and how should I do this?
It's a view option in your email client. Just a bunch of technical stuff that MIGHT show where the email came from.

But the mail offer from AVG seems legit. So, headers won't teach us anything.

Quote:
VProtect Application - I've only looked into it briefly as I'm buzzing around at the moment like a moth around a light bulb. I think some people say it is legit and part of AVG, while others disagree. I'll have to look into that some more.
Has been a part of AVG since the beginning, many moons ago.

Quote:
@cyrano - it seems the guy on the forum is also the guy emailing the support. As mentioned above, he even says in the forum thread that he is going to email me. It's all very weird. If it is a scam, then the guy is doing a damn good job of disguising himself as a AVG support rep.
If it's a scam, they've taken over the AVG forum. That would be new.


Try MS sec scanner as a second opinion:

http://www.microsoft.com/security/scanner/

It knows this trojan, if it is really Msil Agent under a new name (MSIL9.AFQI). I think it's just a scam, a popup from some site. Restart the laptop and see if you get other popups.

Also, try another browser if you're using Internet Explorer.
Old 11-10-2015, 04:08 PM   #11
cyrano
Human being with feelings
 
Join Date: Jun 2011
Location: Belgium
Posts: 5,246
Default

The best way to avoid this kind of panic, is to install a recent modern browser and load an adblocker/tracker defense. That should get rid of 99% of these scams, because they usually stem from a malicious Flash ad.

Disabling Flash is another avenue, if you don't need it. But then there's still Java.
Old 11-10-2015, 05:28 PM   #12
innuendo
Human being with feelings
 
Join Date: Nov 2013
Location: Jerusalem, Israel
Posts: 659
Default

There are quite a few forums specifically designed to help with disinfection. Unfortunately, I can not comment on what's the best one and overall how good they are. Just that they exist.
That said, seeking help on a specialized malware-related forum will probably produce a better result than what can be expected from a DAW-related forum, not the least because you will receive directions only from authorized team members there, which should greatly reduce confusion and focus the effort in the right direction. Also because they employ specialized tools designed specifically to collect necessary information from your system and then perform fixes.
So overall while chances are that Reaper collective mind will be able to eventually help you with this, IMHO specialized forum is a better option.

You can try this one:
http://www.bleepingcomputer.com/foru...-removal-logs/

Just make sure to read the relevant stickies before you post your request.
Old 11-10-2015, 06:00 PM   #13
innuendo
Human being with feelings
 
Join Date: Nov 2013
Location: Jerusalem, Israel
Posts: 659
Default

Quote:
Originally Posted by Max Dread View Post
1. Twice today I have had an AVG window come up to tell me I have some Trojan Horses. They are named MSIL9.AFQI, and then there is a list of several .dll files in AppData > Local > Temp. However, when I navigate to this folder I cannot see any of the files there. Also, if I open AVG there is no mention of any of this in the program. It is only mentioned on this pop up window. I thought this was strange so I did not click on "Fix" in case it is not genuine. I just couldn't understand why the info/warning would not be visible when I actually open AVG.
Programs storing permanent data or autorun entries in appdata\local\temp are usually malware.

You can not see these files for 2 possible reasons:
1) These files are hidden. By default, Windows Explorer won't show you files that have a "hidden" flag set. You can enable viewing hidden files if (in Windows Explorer window, instructions for Win7) you go to Menu (if you do not see the menu, press and release the Alt button)-> Tools->Folder Options->View->"Show hidden files, folders and drives"
Some malware is sophisticated enough to monitor this option and turn it off as soon as you turn it on (or maybe they lock the relevant registry entry), so to make sure this is not the case, after closing this dialog, open it again and check whether the option remained enabled.
2) Because AVG actually did remove them. They keep coming back because there is another active malware module that recreates them and which AVG does not detect.

I'm not familiar enough with AVG interface, but you might find some log of previous issues it found and cleaned.

Quote:
Originally Posted by Max Dread View Post
2. Because of this, I have been digging about on my laptop. In Program Files there is a folder called AVG Web TuneUp. Control Panel says it was installed on 05/10/2015. I don't think it was me who installed it and so I'm wondering if this might have anything to do with it? Even if it has not, it would still be good to know how it go there and what I should do about it.

3. In System Config > Start Up there is an item: VProtect Application. It says manufacturer Unknown. Again, could this be anything to do with it, and if not is it the sign of any problem?
AVG has a product called AVG Web Tuneup, and this product (according to some prompt googling) runs via the vprot.exe executable.

However something else might be masquerading as AVG's product to look legit. You can try uploading the executable to virustotal.com to find out whether it is malware. If virustotal says that the file is infected then it probably is. If it says the file is clean, then this is better than nothing but still not a guarantee that it is clean indeed.

Quote:
Originally Posted by Max Dread View Post
I posted about all this on the AVG forum about an hour or so ago. I have since received an email from them offering to help me via remote support: "You will be able to watch the progress and chat with the technician until the issue is resolved to your satisfaction." It all seems legit, but it just does not add up that I would receive such an offer so quickly from them, especially seeing as I use the free version only.

So I feel a bit lost and am starting to get a bit paranoid about it all. I've no idea if all of mine and my girlfriend's data and - more importantly - bank log on details etc are safe. I'm not sure if it is all some kind of hoax or a real trojan horse/virus. And I've no idea why AVG support is being so amazingly effective and kind (being paranoid I turned down the offer for remote support and chose to go for email support instead).
Yep, it is a little weird that they offer free support. However probably this is legit, since it is their official forum. Possibly they hope to convince you to buy their paid product, or intend to offer additional support which won't be free.
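A way to do the checks innuendo describes in the post above, as an added example that is not code from the thread: list the hidden .dll/.exe files in AppData\Local\Temp whatever the Explorer view setting says, hash each one so it can be looked up on virustotal.com by hash (a lookup by SHA-256 needs no upload, so the file never leaves the laptop), and read the Explorer "Hidden" registry value twice to catch something flipping it back. It assumes Windows and Python 3.8+, run as the affected user; the registry path is the one behind Folder Options > View, the VirusTotal URL pattern is the site's normal file-report URL, and the sample directory is constructed purely for the self-test.

```python
"""Triage for "AVG names DLLs in AppData\\Local\\Temp but Explorer shows nothing".

Added example, not from the thread. Nothing is uploaded anywhere; the
VirusTotal link is printed so the hash can be looked up in a browser.
"""
import hashlib
import os
import stat
import sys
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

# HKCU value behind Folder Options -> View -> "Show hidden files, folders and drives":
# 1 means Explorer shows hidden files, 2 means it hides them (the default).
EXPLORER_ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"


def explorer_shows_hidden(hidden_value: int) -> bool:
    """Interpret the Explorer 'Hidden' registry value."""
    return hidden_value == 1


def read_explorer_hidden_value() -> Optional[int]:
    """Return the current 'Hidden' value, or None when not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, EXPLORER_ADVANCED) as key:
        value, _ = winreg.QueryValueEx(key, "Hidden")
    return int(value)


def is_hidden(entry: os.DirEntry) -> bool:
    """Windows 'hidden' attribute; dot-name fallback on other platforms (self-test only)."""
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return entry.name.startswith(".")


def sha256_of(path: str) -> str:
    """SHA-256 of a file, read in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hidden_files(directory: Path, suffixes=(".dll", ".exe")) -> List[Dict[str, str]]:
    """Hidden files directly in `directory` whose name ends with one of `suffixes`."""
    found = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False) or not is_hidden(entry):
                continue
            if suffixes and not entry.name.lower().endswith(suffixes):
                continue
            digest = sha256_of(entry.path)
            found.append({
                "path": entry.path,
                "sha256": digest,
                "virustotal": "https://www.virustotal.com/gui/file/" + digest,
            })
    return found


def make_sample_dir() -> Path:
    """Constructed test data: one hidden DLL (content b"x") and one visible DLL."""
    root = Path(tempfile.mkdtemp(prefix="temp-triage-"))
    hidden = root / ".dropped.dll"  # dot-name so the non-Windows fallback treats it as hidden too
    hidden.write_bytes(b"x")
    (root / "visible.dll").write_bytes(b"not hidden")
    if sys.platform == "win32":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(str(hidden), stat.FILE_ATTRIBUTE_HIDDEN)
    return root


if __name__ == "__main__":
    default_temp = Path(os.environ.get("LOCALAPPDATA", ".")) / "Temp"
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_temp
    before = read_explorer_hidden_value()
    for item in hidden_files(target):
        print(item["path"], item["sha256"], item["virustotal"], sep="\n  ")
    time.sleep(5)  # give a watchdog process a moment to reset the setting
    after = read_explorer_hidden_value()
    if before is not None:
        print("Explorer shows hidden files:", explorer_shows_hidden(before))
        if before != after:
            print("WARNING: the 'Hidden' setting changed while this ran; something is resetting it.")
```

Run it as `python triage.py` (or with an explicit folder as the first argument). A hit list with hashes that VirusTotal already knows settles the "is the file real" question quickly; an empty list while the pop-up keeps naming files supports cyrano's reading that the alert is a browser pop-up, not AVG. If the setting changes between the two reads, stop and take the machine to a disinfection forum as suggested below.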
Old 11-11-2015, 03:52 AM   #14
Bob Headroom
Human being with feelings
 
Join Date: Apr 2008
Location: UK
Posts: 262
Default

Quote:
Originally Posted by cyrano View Post
If it's a scam, they've taken over the AVG forum. That would be new
So with that in mind, should I allow them remote access to the laptop?

Quote:
Originally Posted by cyrano View Post
Try MS sec scanner as a second opinion:

http://www.microsoft.com/security/scanner/
Thanks for that. I shall download it and give it a go. So far I have run the AVG Scanner, Malwarebytes Anti-Malware, SUPERAntiSpyware Free Edition, and CCleaner. None of the scanners found anything. But I'll try this one as well.

Quote:
Originally Posted by cyrano View Post
It knows this trojan, if it is really Msil Agent under a new name (MSIL9.AFQI). I think it's just a scam, a popup from some site. Restart the laptop and see if you get other popups.

Also, try another browser if you're using Internet Explorer.
OK, I'll get the laptop running now. I'll download and run MS sec scanner and then keep an eye on it. So far the pop up has come twice.

Chrome is the browser being used. IE is on the machine (by default) but has not been used for quite a long time now.

Quote:
Originally Posted by cyrano View Post
The best way to avoid this kind of panic, is to install a recent modern browser and load an adblocker/tracker defense. That should get rid of 99% of these scams, because they usually stem from a malicious Flash ad.

Disabling Flash is another venue, if you don't need it. But then there's still Java.
Chrome automatically updates so I guess is about as modern as it gets.

Funnily enough, we put Adblock Plus on the machine just a couple of days ago. It did lead me to wonder whether this might have even CAUSED the problem. It's the only thing/sw that has been installed recently. I went directly to the Chrome webstore page and added it to Chrome there. So I guessed it was totally safe. Just seemed a touch coincidental!


Thanks cyrano for the great posts and help.
Old 11-11-2015, 03:55 AM   #15
Bob Headroom
Human being with feelings
 
Join Date: Apr 2008
Location: UK
Posts: 262
Default

@innuendo. Nice to hear from you again. Sorry it is so soon, and sorry it is with more computer related woes rather than stories of joy and/or music making!

Thanks for the Bleeping Computer suggestion. I'll check that out. I'm hoping to find a forum or two to help not only with this but with any future computer but not DAW related queries.

Just reading through your second post now... Will work though it after the above suggestions and then post back.

Many thanks to you also, and to everyone else who has helped.
Old 11-11-2015, 05:16 AM   #16
Bob Headroom
Human being with feelings
 
Join Date: Apr 2008
Location: UK
Posts: 262
Default

OK chaps, before I get stuck into this and follow some of the above suggestions, do you think I should allow AVG remote access to see if they can solve the problem?

Just to re-iterate, it *seems* like the whole AVG thing is legit. I posted for advice on their forum, they responded in the forum saying they would email me. They have since done that offering the support. Oh, and in case it is useful I'll post the header from their most recent email below.

So, would you allow them remote access?

I should just add that my ultimate goal here is to be safe. My partner does all her internet banking, shopping etc etc on the laptop. She has changed all of her passwords. But she is still panicking. It will be nice to get a clean bill of health, but knowing that all of her bank information etc has not fallen into the wrong hands will be a massive relief.

Huge thanks


From "support@help.avg.com" Wed Nov 11 12:04:02 2015
X-Apparently-To: ***???@yahoo.co.uk; Wed, 11 Nov 2015 12:04:03 +0000
Return-Path: <support=help.avg.com__0-49oux67kopu0ct@7c0ubfz7gg119w.b-z3sfeak.eu2.bnc.salesforce.com>
Received-SPF: pass (domain of 7c0ubfz7gg119w.b-z3sfeak.eu2.bnc.salesforce.com designates 136.146.128.77 as permitted sender)
Y29uY2Vybi4gQnV0IGl0IGlzIG9idmlvdXMgdGhhdCB3ZSBjYW 4gbm90IGFz
c3VyZSB5b3UgYWJvdXQgeW91ciBQQyBzZWN1cml0eSB3aXRob3 V0IGNoZWNr
aW5nIGl0LiBTbyBJIHdvdWxkIHJlcXVlc3QgeW91IHRvIGNvbn RhY3Qgb3Vy
IHJlbW90ZSBzdXBwb3J0IHRlYW0gc28gdGhhdCB0aGV5IGNhbi BhbmFseXpl
IHlvdXIgUEMgZm9yIHZpcnVzIHdpdGggb3VyIGFkdmFuY2VkIA EwAQEBAQN0
ZXh0L3BsYWluAwMwAgN0ZXh0L2h0bWwDAzIy
X-YMailISG: .st1LhIWLDuTUv9GB.KZ_S2cvQNtT6pa3ZAE.VPAqfGeV7zj
Ehpk4neGBeYPtZFaOp.qtwfTVWGaqZU5..fGom19bNg0r8k4gU 6weqW7TOlK
qNydYxG5fH5._qQpKBG2Q_VDUu1OH85z8eFCIrG4BwRgUUVPBR EIuDIbQZxz
tPixS6AaeoWJJ0IPUpvF1HRy_ZG88cBf8gtvBJbz8nvX70fMks aS9Je7hMYO
krPB4YuavP.lNp11VeqDvmXUORJ4nU1Xy9c_4Npf_MFyr1vtP3 h_bOtxeSbD
dfVQRmBc8kuY.MEbJnUN0hOWHxaXCq5UIKaAD.ymCPmem2yL9n ZyB6Bn1RRJ
9cvZO1ZXj_NtUDM1UDQXgswLP97ioOSaCM76ylvsP3eINXRrEc 9pkogFfAlv
i4wGopXZjw7d9_mn4CQSFKO0Mw9iXPvfYe7Z0VhXu395x6EI.I KkuBEkT19F
e8iwKaGDRf99EiuDSE7mTwkaXdiqmi.yNa7h.C73E.esx8in2v GgdR0jRfhg
6.s_ZUJG17FkhEk_xYe9fgQwYTj9eALKWkL5SXsy1zt5Mk__Ns Jj32M3G4yc
3YUYyxe7PrhED3jQCoeLEq22CS6rxGtX2lfapihy0zh2NL0AeB Xs31kuNpa6
ED0Kr_pNQnGfD7PVQaodN3XPnLKvoBO_DDYXNIruijmbHKlPfK weQM8saqqQ
dqzIaaBiGUcJH6ryOryi8sbzaOT88VyaFCq_IdAXnUwlzA5oPy UzbhknumZq
ftpKGJoZtDR20YaaRAGRH6FHfmlPADVE37JnsStkHNX9Q5ZVDX IC54GNDe2D
9ZLmdDxCfh3RHfzUeoD2lGP_u8a4wcUeVy2OYaQQH5XoWVlVT7 lK3A0A3o6G
nMr3ytzgFucputnnNql50vG1ong5NAO6ZtpIjkBhJES8UxHza4 NYxRqKa1Qk
VQ5cUHMCbuA1.54L1rD1dX2xA1jhXg4fJ2txqRpKX0p3AgcBOg JZy4NwwZ_i
0f2DVZWCVcs5rlJtZahn3TYG2abIeRKIb7LMjxF_zlaofXBy4T 1h8puZ12S4
VLMyMiSjjN2.s3B8H02zbo8.EM_pjktv.qrnJ7a4PBNC_ZbbVp mrrIySz4Xo
2Mf4yqEuYuGfbEspp11v5ZL1LH6_ONPQbSfbkbeESsh0t8W_tG h_kZL81MEe
ZfUOlZcRH4Xg5xWGR4Lq7YRusAtj7MwLzJgM2Q0wdexsDe544z 4t4LNF3B63
c72dgi.KTyMhcsZszFDRmNGmh3GxBjW.ucJc47XaX4XwkC7n9g IqrGqjQCLh
OBsMEANUO6F6oW.RDs4RNc6ikfL_EhEuIvqosQMq8bj5M8Y.GC f1UiqZC2N.
gCk6qmdv0Jy63xQ1KQekv1fIbmVHz4kE5UB7YM4sapAdY8290O k6BMtbz5DM
GHwukpwFkIMgMAmI9PxkZxLNsieuwxfSW1jev0qldm5gnk5yHn lWd0JHlkFM
jkqpdHO_wLToeghk2XG3d_oBl1LW_EEIb2VE0ydTtP3kJra9JO iA5EVHRYYC
a4W3qmKkTjVb.c9VgBXSMZctm.zqN_6wLzKw.nRKBktnKXm7DF 8MvtKdn3GO
8LRjpsdIrSsgLhWC40wbdw6ZGo5eF3oL37zNUZ9ejZ55SqDQ8A S.2DkGpdtz
iz9M9drrbmBhsAioHjTiSVG2k98BarDAlwaIgNJZIUHE1mB1jD SuPhHvHh75
tTKWxRFhCUp5KqukORip6M4Ba2KXLbuGA2ueDhI69E1uFjMM0e 4wHqh3
X-Originating-IP: [136.146.128.77]
Authentication-Results: mta1087.mail.ir2.yahoo.com from=help.avg.com; domainkeys=neutral (no sig); from=help.avg.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO smtp14-lon.mta.salesforce.com) (136.146.128.77)
by mta1087.mail.ir2.yahoo.com with SMTPS; Wed, 11 Nov 2015 12:04:03 +0000
Return-Path: <support=help.avg.com__0-49oux67kopu0ct@7c0ubfz7gg119w.b-z3sfeak.eu2.bnc.salesforce.com>
DKIM-Signature: v=1; a=rsa-sha256; d=help.avg.com; s=help; c=relaxed/simple;
q=dns/txt; i=@help.avg.com; t=1447243442;
h=From:Subject:Date:To:MIME-Version:Content-Type;
bh=darPKt7LxxjKUS1mCRcESc4h0ZJ+3Gi5a1euVntaYsI=;
b=LqIz4yHPX9aXxEK30ZGTTwceJqiZWk5PEmQxFyEKHs8/EJ42cifDbWYMX1YPIw4/
G9tkMEbvYUQLHO4nPYT2/gIcBrXEhyiV5nV+9hZCFFcb9mtzUmEmzrwjiePEOJRs
zyW6G2zAkyRgbTj7bvghkgt0kNHL3Hb5SdCXbKUsuBk=;
Received: from [10.244.68.13] ([10.244.68.13:53855] helo=eu2-app1-2-lon.ops.sfdc.net)
by mx2-lon.mta.salesforce.com (envelope-from <support=help.avg.com__0-49oux67kopu0ct@7c0ubfz7gg119w.b-z3sfeak.eu2.bnc.salesforce.com>)
(ecelerity 3.6.8.47404 r(Core:3.6.8.0)) with ESMTPS (cipher=DES-CBC3-SHA)
id 4F/1B-09426-2BE23465; Wed, 11 Nov 2015 12:04:02 +0000
Received: from [206.24.49.1] by eu2.salesforce.com via HTTP; Wed, 11 Nov 2015 04:04:02 -0800
Date: Wed, 11 Nov 2015 12:04:02 +0000 (GMT)
From: "support@help.avg.com" <support@help.avg.com>
To: "***???@yahoo.co.uk" <***???@yahoo.co.uk>
Message-ID: <P1f1L00000000000000000000000000000000000000000000 0NXNG6Q00LnOloKTwRVGbLnURok6SYA@sfdc.net>
Subject: AVG Customer Care - Request #02440281 [
ref:_00Db0Z3Sf._500b0SNl0c:ref ]
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_112732_2121871616.1447243442708"
X-SFDC-LK: 00Db0000000Z3Sf
X-SFDC-User: 005b0000002hFS9
X-Sender: postmaster@salesforce.com
X-mail_abuse_inquiries: http://www.salesforce.com/company/abuse.jsp
X-SFDC-TLS-NoRelay: 1
X-SFDC-EmailCategory: emailPublisherEmail
X-SFDC-EntityId: 500b000000SNl0c
X-SFDC-Binding: 1WrIRBV94myi25uB
X-SFDC-Interface: internal
Content-Length: 29516

Last edited by Bob Headroom; 11-13-2015 at 02:12 AM.
Old 11-11-2015, 05:24 AM   #17
LightOfDay
Banned
 
Join Date: Jun 2015
Location: Lower Rhine Area, DE
Posts: 964
Default

Quote:
Originally Posted by Max Dread View Post
I shall download it and give it a go. So far I have run the AVG Scanner, Malwarebytes Anti-Malware, SUPERAntiSpyware Free Edition, and CCleaner. None of the scanner found anything. But I'll try this one as well.
If they all found nothing, then it is probably a simple scam.

Run Revo Uninstaller, sort the installed software list by date (latest installation on top) and see what is suspicious among the software installed within the last week.

Choose "uninstall" and follow the advice on the screen. That way you should get rid of the scam folders.

I think there is no trojan, but they want to make you believe there is so they can make some money off "repairing" your computer. So they installed some folders and made some alerts up.
Old 11-11-2015, 08:42 AM   #18
Magicbuss
Human being with feelings
 
Join Date: Jul 2007
Posts: 1,957
Default

RE: MSIL9.AFQI

Malwarebytes used to have a tab for FileASSASSIN but I think they broke it out into a separate free app now. Anyway, if the file in question is on your laptop but hidden it will find it and remove it.
https://www.malwarebytes.org/fileassassin/

Also a desktop search like search everything should find hidden files too
http://www.voidtools.com/

I like to run hitman pro along with Malwarebytes. It uses multiple engines and can sometimes find things others miss.
http://www.surfright.nl/en/hitmanpro

FWIW and IMO AVG is garbage. For free I use Panda. If I was going to pay it'd be Kaspersky or Bitdefender.
Old 11-11-2015, 01:00 PM   #19
cyrano
Human being with feelings
 
Join Date: Jun 2011
Location: Belgium
Posts: 5,246
Default

Quote:
Originally Posted by Magicbuss View Post
FWIW and IMO AVG is garbage. For free I use Panda. If I was going to pay it'd be Kaspersky or bit defender.
FWIW and IMO: they all suck. When you look at the results, only four or five out of the 54 or so on virustotal know recent malware. Even older adware doesn't get recognized as malware by all of them. I just avoid Symantec at all cost.

I've had a look at the headers. Seems legit. It also seems as if AVG has outsourced sales to a company using salesforce.com. That's OK, but I doubt you are mailing with an AVG person. More like a 3rd party sales droid.

Personally, I wouldn't give them remote access, since you already have AVG free installed. So what could they offer more?

Anyway, get a second opinion first. Both of the MS products seem to know the trojan. Or use anything else to your taste. There are several online scanners available for free.

I really doubt if this is the real trojan. It's just malvertising, imho.
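The header reading cyrano gives above ("seems legit", sent through salesforce.com), done as a script, as an added example that is not from the thread. SAMPLE_HEADERS is the header block posted in #16, cut down to the authentication-relevant lines (recipient masked as in the post, the Yahoo spam-filter blob and the stray base64 lines dropped, continuation lines re-folded). The check mirrors what DMARC does: the From: domain must match, at the organisational-domain level, either the SPF-checked envelope sender (Return-Path) or the DKIM d= domain. The SPF and DKIM results are read from the receiving MTA's Received-SPF and Authentication-Results headers, so they are only worth anything when your own provider wrote them, as Yahoo did here; the two-label "organisational domain" shortcut is an assumption that holds for .com but not for .co.uk.

```python
"""Who actually sent the "AVG Customer Care" mail: an alignment check on its headers.

Added example, not from the thread. Runs offline on the headers below.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional

# Trimmed from the header block posted in the thread (recipient already masked).
SAMPLE_HEADERS = """\
Return-Path: <support=help.avg.com__0-49oux67kopu0ct@7c0ubfz7gg119w.b-z3sfeak.eu2.bnc.salesforce.com>
Received-SPF: pass (domain of 7c0ubfz7gg119w.b-z3sfeak.eu2.bnc.salesforce.com designates 136.146.128.77 as permitted sender)
X-Originating-IP: [136.146.128.77]
Authentication-Results: mta1087.mail.ir2.yahoo.com from=help.avg.com; domainkeys=neutral (no sig); from=help.avg.com; dkim=pass (ok)
Received: from 127.0.0.1 (EHLO smtp14-lon.mta.salesforce.com) (136.146.128.77)
  by mta1087.mail.ir2.yahoo.com with SMTPS; Wed, 11 Nov 2015 12:04:03 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=help.avg.com; s=help; c=relaxed/simple;
  q=dns/txt; i=@help.avg.com; t=1447243442;
  h=From:Subject:Date:To:MIME-Version:Content-Type;
  bh=darPKt7LxxjKUS1mCRcESc4h0ZJ+3Gi5a1euVntaYsI=;
  b=LqIz4yHPX9aXxEK30ZGTTwceJqiZWk5PEmQxFyEKHs8/EJ42cifDbWYMX1YPIw4/
  G9tkMEbvYUQLHO4nPYT2/gIcBrXEhyiV5nV+9hZCFFcb9mtzUmEmzrwjiePEOJRs
  zyW6G2zAkyRgbTj7bvghkgt0kNHL3Hb5SdCXbKUsuBk=;
Date: Wed, 11 Nov 2015 12:04:02 +0000 (GMT)
From: "support@help.avg.com" <support@help.avg.com>
To: "***???@yahoo.co.uk" <***???@yahoo.co.uk>
Subject: AVG Customer Care - Request #02440281
X-Sender: postmaster@salesforce.com

"""


def domain_of(address_header: Optional[str]) -> str:
    """Domain part of the first address in a header value ('' when absent)."""
    _, addr = parseaddr(address_header or "")
    return addr.rpartition("@")[2].lower()


def org_domain(fqdn: str) -> str:
    """Organisational domain, approximated as the last two labels (assumption:
    fine for .com; a real check consults the Public Suffix List)."""
    labels = fqdn.strip(".").split(".")
    return ".".join(labels[-2:])


def header_param(value: str, key: str) -> str:
    """Value of `key=` in a ';'-separated header such as DKIM-Signature."""
    m = re.search(r"(?:^|[;\s])" + re.escape(key) + r"=([^;\s]+)", value)
    return m.group(1) if m else ""


def auth_result(value: str, method: str) -> str:
    """Result token for `method=` in an Authentication-Results header."""
    m = re.search(re.escape(method) + r"=(\w+)", value)
    return m.group(1).lower() if m else "none"


def analyze(raw_headers: str) -> Dict[str, object]:
    msg = message_from_string(raw_headers)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    dkim_domain = header_param(" ".join(msg.get_all("DKIM-Signature", [])), "d").lower()
    spf = (msg.get("Received-SPF") or "none").strip().split()[0].lower()
    dkim = auth_result(msg.get("Authentication-Results", ""), "dkim")
    relay = re.search(r"\(EHLO ([^)\s]+)\)", msg.get("Received", "") or "")
    spf_aligned = bool(return_path_domain) and org_domain(return_path_domain) == org_domain(from_domain)
    dkim_aligned = bool(dkim_domain) and org_domain(dkim_domain) == org_domain(from_domain)
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "dkim_domain": dkim_domain,
        "spf": spf,
        "dkim": dkim,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # DMARC-style verdict: at least one passing, aligned identifier
        "authenticated_from": (spf == "pass" and spf_aligned) or (dkim == "pass" and dkim_aligned),
        "relay": relay.group(1) if relay else "",
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_HEADERS).items():
        print(f"{key:20} {value}")
```

For this mail the output shows dkim=pass with d=help.avg.com, aligned with the From: domain, so whoever sent it holds the DKIM key published in help.avg.com's DNS; the envelope sender and SPF, on the other hand, belong to salesforce.com, which is exactly the "AVG support desk sending through a Salesforce mailer" picture cyrano describes. Note that this tells you the mail came from AVG's help desk system, not whether giving that desk remote access is a good idea.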
Old 11-12-2015, 12:37 PM   #20
innuendo
Human being with feelings
 
Join Date: Nov 2013
Location: Jerusalem, Israel
Posts: 659
Default

Quote:
Originally Posted by Max Dread View Post
Funnily enough, we put Adblock Plus on the machine just a couple of days ago. It did lead me to wonder whether this might have even CAUSED the problem. It's the only thing/sw that has been installed recently. I went directly to the Chrome webstore page and added it to Chrome there. So I guessed it was totally safe. Just seemed a touch coincidental!
That deserves a check. There are extensions in the chrome store masquerading as Adblock Plus, bearing similar names and logos. They are there obviously to defraud people. Make sure that what you installed is the actual legit thing.
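One way to do the check innuendo asks for above, as an added example that is not from the thread: a look-alike can copy the name and the logo, but not the extension ID, so compare the IDs in the Chrome profile against the ID of the real Adblock Plus rather than its name. Assumptions: Chrome keeps each installed extension under <profile>\Extensions\<32-letter id>\<version>\manifest.json (the default profile path used below is the usual one under %LOCALAPPDATA%); the genuine ID is the one in the extension's Web Store URL, https://chrome.google.com/webstore/detail/cfhdojbkjhnklbpkdaibdccddilifddb, which you should confirm against the store page before relying on it. The sample profile is constructed for the self-test.

```python
"""Spot look-alike "Adblock Plus" extensions in a Chrome profile.

Added example, not from the thread. Identity is the extension ID, never the
display name or icon.
"""
import json
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

GENUINE_ADBLOCK_PLUS = "cfhdojbkjhnklbpkdaibdccddilifddb"  # from the Web Store URL; verify
KNOWN_IDS = {GENUINE_ADBLOCK_PLUS: "Adblock Plus"}
LOOKALIKE_NAME = re.compile(r"ad\s*-?\s*block", re.IGNORECASE)
ID_PATTERN = re.compile(r"[a-p]{32}")  # Chrome extension IDs: 32 letters a..p

DEFAULT_ROOT = (Path(os.environ.get("LOCALAPPDATA", ".")) / "Google" / "Chrome"
                / "User Data" / "Default" / "Extensions")


def display_name(version_dir: Path, manifest: dict) -> str:
    """Resolve '__MSG_key__' names through _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    locale = manifest.get("default_locale", "en")
    try:
        messages_file = version_dir / "_locales" / locale / "messages.json"
        messages = json.loads(messages_file.read_text(encoding="utf-8-sig"))
        return messages[m.group(1)]["message"]
    except (OSError, KeyError, ValueError):
        return name


def scan_extensions(root: Path) -> List[Dict[str, str]]:
    """One record per installed extension version, with a verdict on its identity."""
    report = []
    for id_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        ext_id = id_dir.name
        if not ID_PATTERN.fullmatch(ext_id):
            continue
        for version_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            name = display_name(version_dir, manifest)
            if ext_id in KNOWN_IDS:
                verdict = "genuine"
            elif LOOKALIKE_NAME.search(name):
                verdict = "lookalike"  # ad-blocker name, but not an ID we trust
            else:
                verdict = "unverified"
            report.append({"id": ext_id, "name": name,
                           "version": manifest.get("version", "?"), "verdict": verdict})
    return report


def make_sample_profile() -> Path:
    """Constructed Extensions folder: the real ABP ID, a look-alike, and an unrelated extension."""
    root = Path(tempfile.mkdtemp(prefix="chrome-ext-")) / "Extensions"

    def put(ext_id: str, manifest: dict, messages: Optional[dict] = None) -> None:
        version_dir = root / ext_id / manifest["version"]
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages:
            locale_dir = version_dir / "_locales" / manifest["default_locale"]
            locale_dir.mkdir(parents=True)
            (locale_dir / "messages.json").write_text(json.dumps(messages), encoding="utf-8")

    put(GENUINE_ADBLOCK_PLUS, {"name": "Adblock Plus", "version": "1.9.4"})
    put("aaaabbbbccccddddeeeeffffgggghhhh",
        {"name": "__MSG_name__", "default_locale": "en", "version": "1.0"},
        {"name": {"message": "AdBlock Plus Premium"}})
    put("ppppoooonnnnmmmmllllkkkkjjjjiiii", {"name": "Google Docs Offline", "version": "1.4"})
    return root


if __name__ == "__main__":
    for record in scan_extensions(DEFAULT_ROOT):
        print(f"{record['verdict']:10} {record['id']}  {record['name']} {record['version']}")
```

Anything reported as "lookalike" should be removed from chrome://extensions, and the real one re-installed from the store page whose URL carries the ID above. Extensions installed by an enterprise policy or by another program can live outside the profile folder, so an empty report is a good sign, not a guarantee.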
Old 11-12-2015, 12:49 PM   #21
JHughes
Banned
 
Join Date: Aug 2007
Location: Too close to Charlotte, NC
Posts: 3,554
Default

I second Hitman Pro, it has found things for me nothing else did.
Old 11-12-2015, 01:07 PM   #22
innuendo
Human being with feelings
 
Join Date: Nov 2013
Location: Jerusalem, Israel
Posts: 659
Default

Regarding remote access by AVG, as cyrano mentioned, the email appears to originate from salesforce.com. Don't know whether it is wise to give them access.
Overall I would suggest to post on bleepingcomputer or any other well-known disinfection help forum and let them help you. Better to do that sooner rather than later, not the least because it might take a few days before you get a reply. Keep in mind though that as soon as you post there, you should not make any changes to your system unless instructed to, until they say that it's done, including installing and uninstalling programs and running AV tools.
If you do not intend to do that immediately, I would suggest to scan your computer with a few additional tools, such as aforementioned Hitman Pro, Eset online scanner (which can take a few hours), and AdwCleaner (which is very quick).
Old 11-12-2015, 01:37 PM   #23
Quasar
Human being with feelings
 
Join Date: Feb 2007
Posts: 966
Default

Quote:
Originally Posted by innuendo View Post
Reg. remote access by avg, as cyrano mentioned, the email appears to originate from salesforce.com. Don't know whether it is wise to give them access.
Overall I would suggest to post on bleepingcomputer or any other well-known disinfection help forum and let them help you. Better to do that sooner rather than later, not the least because it might take a few days before you get a reply. Keep in mind though that as soon as you post there, you should not make any changes to your system unless instructed to, until they say that it's done, including installing and uninstalling programs and running AV tools.
If you do not intend to do that immediately, I would suggest to scan your computer with a few additional tools, such as aforementioned Hitman Pro, Eset online scanner (which can take a few hours), and AdwCleaner (which is very quick).
ADWCleaner is a great 1st stop. It's not a comprehensive solution, but it is very fast, very good and it should give you a general idea of what you are up against. Get it from bleepingcomputer, so you can trust that it is clean.
Old 11-12-2015, 01:57 PM   #24
Magicbuss
Human being with feelings
 
Join Date: Jul 2007
Posts: 1,957
Default

Quote:
Originally Posted by Quasar View Post
ADWCleaner is a great 1st stop. It's not a comprehensive solution, but it is very fast, very good and it should give you a general idea of what you are up against. Get it from bleepingcomputer, so you can trust that it is clean.
That's a good cleaner but it is specifically for browser hijacks. It doesn't clean anything else.
Old 11-12-2015, 02:39 PM   #25
innuendo
Human being with feelings
 
Join Date: Nov 2013
Location: Jerusalem, Israel
Posts: 659
Default

Also I would recommend you to censor your full email address from the email header you posted so it doesn't get picked up by spammers.
Old 12-03-2015, 08:32 AM   #26
Gregsom
Human being with feelings
 
Join Date: Nov 2015
Posts: 1
Default manual guides

Some issues cannot qualify as malware. Thereby, antimalware does not spot and destroy the relevant bugs, for instance the Aqovd redirect http://sureshotsoftware.com/guides/aqovd/. In such a case, manual removal shall apply.