Avast WEBforum

Other => Viruses and worms => Topic started by: cloud302 on January 28, 2014, 04:33:12 AM

Title: "Threat has been detected", but avast can't find and/or eliminate it
Post by: cloud302 on January 28, 2014, 04:33:12 AM
I keep randomly getting pinged with a "threat has been detected" from avast, just as I'm randomly browsing sites (normal ones, like eBay, Facebook, Yahoo, Google, etc). I've tried quick scan, full scan, and boot-time scan, and avast detects nothing, and it still consistently pings me with the message once every half hour or so when I go to a new page or click on the page itself. Avast says it blocks the threat before it can do anything, but I want the threat gone permanently. Here is the link that it says is the threat (it acts as if it's coming from the internet, but since it's different sites, I'm pretty sure it's actually within my computer and is disguising itself as something internet-related):

http://a.exchangeadvertiser.com/a?url

It also tries to open up another tab and/or page (when I try to go to another page, or click on a page I'm already on). That's when Avast says threat has been detected, and blocks it. It just happened again, and here is the full url of the page that tried to open:

http://a.exchangeadvertiser.com/a?url=075def04699a7092b050f295100f6a3647ba5a0319a0a3d8e802c5fda37f564a2d996349272f851c1151

Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: Pondus on January 28, 2014, 07:17:22 AM
Follow the instructions and attach logs (not copy and paste): http://forum.avast.com/index.php?topic=53253.0

We need Malwarebytes / OTL / aswMBR logs.



Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: midnight on January 28, 2014, 06:52:47 PM
I've gotten this popup several times today and also got some yesterday.

When I clicked on your links I got the same popup.

If you've been getting the same popup as shown in my screenshot I wouldn't worry about it.  I ran a scan yesterday and also scanned with Malwarebytes and no threats were detected.

Please pardon me for posting on your thread.
Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: cloud302 on January 28, 2014, 07:38:50 PM
Malwarebytes didn't pick up anything either, but the issue is still occurring. It happens over several sites, not just one, and has been going on for the past week or two (maybe three). The requested scan logs are attached.
Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: Michael (alan1998) on January 28, 2014, 07:49:51 PM
Remover Notified
Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: magna86 on January 28, 2014, 07:55:16 PM
I'm on it ...
Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: magna86 on January 28, 2014, 07:59:47 PM
Hi cloud302,




Please download zoek.zip or zoek.rar by smeenk from here (http://hijackthis.nl/smeenk) or here (http://home.kpn.nl/stefsmeenk/zoek.exe) and save it to your Desktop.
Unpack the archive...
Code:
Uninstall-List;
EmptyFoldersCheck;Delete
EmptyCLSID;
ipconfig /flushdns >> %temp%\log.txt;b
FFDefaults;
CHRDefaults;
EmptyAllTemp;
AutoClean;
----     ----     ----     ----     ----     ----     



Next, re-run OTL, hit the RunScan button and post me a fresh OTL.txt log report.
Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: cloud302 on January 28, 2014, 09:01:03 PM
For the OTL scan, do I check the "Scan All Users", "LOP Check", and "Purity Check" boxes again? Their default state is to be unchecked. Is there anything else I should check or uncheck or check for before starting the scan?
Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: Pondus on January 28, 2014, 09:05:41 PM
No .... run as default


Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: cloud302 on January 28, 2014, 09:17:49 PM
Alright, requested log files attached.

Thanks for this by the way. Your efforts are genuinely appreciated.
Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: magna86 on January 28, 2014, 10:06:06 PM
This looks much better now.  :) Zoek did a great job ...


Re-run OTL.exe.

Code:
:REG
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"avg@toolbar"=-

:FILES
C:\ProgramData\AVG SafeGuard toolbar
C:\Program Files (x86)\Whilokii
C:\Users\CloudsRPGMaster
C:\Windows\*.tmp
C:\Users\CloudsRPGMaster\Desktop\*.tmp

:OTL
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@toolbar: C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\17.3.2.113

If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log




----      ----      ----      ----      ----      ----      ----      ----     


Re-run Zoek as you did before ...
Code:
QuickScan;

Post me the freshly created zoek log report ...
Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: cloud302 on January 28, 2014, 10:56:58 PM
Okay, first off; I have a question. The last steps you just had me do moved a TON of stuff from my desktop and favorite places into the c:\_OTL\MovedFiles folder. Is it okay if I move them back, or do they have to stay there for some reason? If they do, could you explain why? The majority of those files seemed harmless. Most of them are just text or picture based, and some of a lot of them have to do with school or my job.

Second, I've attached the zoek-results file, but the OTL report file was too large (exceeded 512KB) to post here. I tried to compress it, but it wouldn't allow me to post a compressed file either. Please advise.
Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: cloud302 on January 28, 2014, 11:04:52 PM
Actually, I can't find my favorite places from Mozilla Firefox anywhere in that folder. It has the ones from Internet Explorer, but I haven't actively used that in half a year at least. The favorite places for Firefox (the ones that I had in place just before I did the previous scans), were they deleted, or just relocated?
Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: magna86 on January 28, 2014, 11:22:14 PM
Hi,

Quote
The last steps you just had me do moved a TON of stuff from my desktop and favorite places into the c:\_OTL\MovedFiles folder. Is it okay if I move them back, or do they have to stay there for some reason?

It was my mistake, I do not know how it happened, I am sorry.  :-[
The malware removal process is sometimes known to be tricky.
For some reason, I mistakenly told OTL to move your %username% folder (C:\Users\CloudsRPGMaster) to OTL's Quarantine folder.
I have several years of extensive experience in malware removal, and this has not happened to me before.

I can restore that folder using a batch file, but first please try to restore it yourself.


Please first attempt to restore the deleted username folder yourself:


from: C:\_OTL\MovedFiles\01282014_162437\C_Users\CloudsRPGMaster
to: C:\Users\CloudsRPGMaster

This should pass fine. Do not cut the folder; copy it, as I want the original to stay in OTL's Quarantine.

Do not worry, we'll fix the thing.
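
An added example, not part of the original thread and not OTL's own code: a pre-flight check that reads a fix script in the layout posted above and flags :FILES entries that would move a whole user profile, a protected system directory or a drive root. It assumes the section-header layout (:REG, :FILES, :OTL) seen in the posted script and a system drive of C:; the function names are hypothetical.

```python
from pathlib import PureWindowsPath

# Constructed sample: the fix script as posted in the thread (:OTL section
# omitted), including the entry that moved the user's whole profile.
SAMPLE_FIX = r"""
:REG
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"avg@toolbar"=-

:FILES
C:\ProgramData\AVG SafeGuard toolbar
C:\Program Files (x86)\Whilokii
C:\Users\CloudsRPGMaster
C:\Windows\*.tmp
C:\Users\CloudsRPGMaster\Desktop\*.tmp
"""

# Assumption: system drive is C:. Moving these directly takes system data.
PROTECTED_ROOTS = {r"c:\users", r"c:\windows", r"c:\programdata",
                   r"c:\program files", r"c:\program files (x86)"}

def files_entries(script):
    """Yield the paths listed under the :FILES section header."""
    section = None
    for line in script.splitlines():
        line = line.strip()
        if line.startswith(":"):
            section = line.upper()   # a new section begins
        elif line and section == ":FILES":
            yield line

def risky_entries(script):
    """Return (entry, reason) for :FILES entries that are too broad."""
    findings = []
    for entry in files_entries(script):
        path = PureWindowsPath(entry)
        if path.parent == path:
            findings.append((entry, "drive root"))
        elif str(path).lower() in PROTECTED_ROOTS:
            findings.append((entry, "protected system directory"))
        elif str(path.parent).lower() == r"c:\users":
            findings.append((entry, "whole user profile"))
    return findings

if __name__ == "__main__":
    for entry, reason in risky_entries(SAMPLE_FIX):
        print(f"REVIEW BEFORE RUNNING: {entry} ({reason})")
```

Entries such as C:\Users\CloudsRPGMaster\Desktop\*.tmp pass because they name files below the profile, not the profile directory itself.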


Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: magna86 on January 29, 2014, 12:54:51 AM
Any progress?
If not, I can use some advanced scripts to fix that.
Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: cloud302 on January 29, 2014, 01:02:53 AM
Alright, I copied most of the stuff back to its original location. However, that folder was huge, and now my hard drive has almost no space left (due to having copied, rather than cut). So, do those files HAVE to be in the quarantine zone, or can I delete the ones I copied, to help make space on my hard drive?

Although, even after moving everything back, my saved favorite places still haven't returned to Firefox. I know it seems like a little detail, but I was rather thorough and intricate with my saving of favorite places, and it would take days (maybe weeks) to put everything back in there from scratch. Any ideas on where they could be?

Also, is there anything else that needs to be done for the virus stuff, or am I good to go in that regard?
Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: magna86 on January 29, 2014, 01:12:07 AM
Quote
So, do those files HAVE to be in the quarantine zone, or can I delete the ones I copied, to help make space on my hard drive?

No. If you have restored all files for sure to their original location, you may delete the files in the _OTL folder.

C:\_OTL\MovedFiles\01282014_162437\C_Users\CloudsRPGMaster => ...
I'm talking only about this forest of folders (CloudsRPGMaster => ...)
The rest is malware related.

Quote
Although, even after moving everything back, my saved favorite places still haven't returned to Firefox. I know it seems like a little detail, but I was rather thorough and intricate with my saving of favorite places, and it would take days (maybe weeks) to put everything back in there from scratch. Any ideas on where they could be?

Somewhere in _OTL's Quarantine.

I shall need OTL's c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log to say precisely.

Upload log here, and post here download link.
http://www.wikisend.com

Quote
Also, is there anything else that needs to be done for the virus stuff, or am I good to go in that regard?
You should be good (malware free). But right now, I want to solve the problem that was created.
Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: cloud302 on January 29, 2014, 01:20:35 AM
Alright, here's the link to the log file:
http://wikisend.com/download/327796/01282014_162437.log
Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: magna86 on January 29, 2014, 01:35:04 AM
OK, I shall look at this and continue tomorrow. It's a bad time in my time zone...

Make sure to restore all your files from the "CloudsRPGMaster" folder by then.




Your Firefox profile should be located here:
In _OTL:  ...\CloudsRPGMaster\AppData\Roaming\Mozilla\Firefox\Profiles\tob348vz.default

Copy and paste the contents of that (tob348vz.default) folder here:
C:\Users\CloudsRPGMaster\AppData\Roaming\Mozilla\Firefox\Profiles\tob348vz.default




Please note: the red-flagged part is usually randomly named. You're going to see it like this:  ...\Profiles\random.default

C:\Users\CloudsRPGMaster\AppData\Roaming\Mozilla\Firefox\Profiles\random.default




Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: cloud302 on January 29, 2014, 02:04:15 AM
Hey, that didn't do it, but I found another Mozilla folder (I think it was in the "local" folder), and after I'd copied and replaced both that and the roaming folder, my favorites were restored!

Thanks a bunch! Now I just have to free up some space on my hard drive (which I've been meaning to do for a while anyway), and then I should be good.

And don't beat yourself up. Mistakes happen on occasion. It's part of being human. I'm just happy that you helped with the virus stuff. I was really uncomfortable just knowing that virus was floating around doing who knows what. I didn't want it to steal money from me, or identity information and whatnot.

If anything else odd comes up in the next few days, I'll post it here and let you know. Or if you have any other comments or questions for me, feel free to let me know.

Thanks again.
Title: Re: "Threat has been detected", but avast can't find and/or eliminate it
Post by: magna86 on January 29, 2014, 05:13:57 PM
No, I don't have any. The posted logs appear clean. You may remove the used tools if all is good now.

You may delete the C:\_OTL folder when you think it's OK for you to delete it (because of the data).