Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Riggs2907 on November 18, 2012, 08:28:52 PM
-
I have used AVAST for about 3 years & today was starting to have an issue..
First got 3/3 messages that said "threat detected", some Trojan threat. Ran a scan & found the virus & "moved it to chest" like it recommended.
Did the reboot with complete scan during boot up & found two infected files there, deleted both. Now after start up, I get 3/3 messages again saying "threat detected"?
Here's a pic of what the virus looked like
(http://i818.photobucket.com/albums/zz101/Riggs290731RCR/junk%20pics/tn-2.jpg)
What should my next step be if I keep getting "threat detected" pop ups?
-
here is a picture of the message when you click on " threat detected" more info link.
(http://i818.photobucket.com/albums/zz101/Riggs290731RCR/TTM%20autos/u.jpg)
any help is much appreciated.
-
follow this guide and attach the logs.....not copy and paste
http://forum.avast.com/index.php?topic=53253.0
AdwCleaner
Malwarebytes
OTL
aswMBR
-
You want me to post the result logs? Not sure how to attach an AdwCleaner notepad log.
Think after running the AdwCleaner & Malwarebytes' Anti-Malware may have fixed it? Since they have completed, no "threat detected" message?
-
below the box you write in here.... "attachments and other options"
you can copy and paste logs....but OTL log must be attached bc of the size
when done a removal specialist will check them for any infections, and remove the infection(s) if he sees any
he will also fix any minor problems he sees
-
here is the AdwCleaner log.
# AdwCleaner v2.008 - Logfile created 11/18/2012 at 14:17:13
# Updated 17/11/2012 by Xplode
# Operating system : Windows Vista (TM) Business Service Pack 2 (32 bits)
# User : Ricky - RICKY-PC
# Boot Mode : Normal
# Running from : C:\Users\Ricky\Downloads\adwcleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
File Deleted : C:\Users\Ricky\AppData\Local\funmoods-speeddial.crx
Folder Deleted : C:\ProgramData\Anti-phishing Domain Advisor
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\Ricky\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpglkicenollcignonpgiafdgfeehoj
***** [Registry] *****
Key Deleted : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Anti-phishing Domain Advisor
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CA17D76B-F91D-4659-A7FD-A9F7ED375CDD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-phishing Domain Advisor
Key Deleted : HKLM\Software\Tarma Installer
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Anti-phishing Domain Advisor]
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzuyDtD0EyDyEzy0C0B0CyD0AtByDyE0CtAtN0D0Tzu0CtCzytAtN1L2XzutBtFtCtFtDtFtAtDtC&cr=547247914 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzuyDtD0EyDyEzy0C0B0CyD0AtByDyE0CtAtN0D0Tzu0CtCzytAtN1L2XzutBtFtCtFtDtFtAtDtC&cr=547247914 --> hxxp://www.google.com
-\\ Google Chrome v23.0.1271.64
File : C:\Users\Ricky\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[S1].txt - [3942 octets] - [18/11/2012 14:17:13]
Forgot to save the log from the Malwarebytes' Anti-Malware run. That had 30 files in red, all being "funmoods" that has been deleted for some time from my system. Must be leftovers?
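The AdwCleaner log above is the piece of evidence the thread's helpers read to spot the problem (the "Anti-phishing Domain Advisor" Run entry and the funmoods start-page hijack). The following is an added example, not code from the thread or from AdwCleaner: a small Python parser for the log layout shown on the page that turns the "Deleted"/"Replaced" lines into a structured summary a responder can check at a glance, namely the counts per action, any autostart (Run key) values the adware had planted, and which browser settings were redirected to which domain. The sample input is a shortened excerpt of the log posted in the thread; the regexes are an assumption derived from that excerpt's layout, not AdwCleaner's documented format.

```python
"""
Added example (not from the Avast thread or from AdwCleaner itself): parse
an AdwCleaner "[Delete]" log into a summary of what the adware had hooked.
Entry layouts and section-header style are taken from the log lines quoted
in the thread; the matching rules below are an assumption based on them.
"""
import re
from collections import Counter

# Constructed test input: a shortened excerpt of the AdwCleaner log posted in the thread.
SAMPLE_LOG = r"""# AdwCleaner v2.008 - Logfile created 11/18/2012 at 14:17:13
# Operating system : Windows Vista (TM) Business Service Pack 2 (32 bits)
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
File Deleted : C:\Users\Ricky\AppData\Local\funmoods-speeddial.crx
Folder Deleted : C:\ProgramData\Anti-phishing Domain Advisor
Folder Deleted : C:\ProgramData\Tarma Installer
***** [Registry] *****
Key Deleted : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\Software\Tarma Installer
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Anti-phishing Domain Advisor]
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16421
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=fmtoby --> hxxp://www.google.com
-\\ Google Chrome v23.0.1271.64
File : C:\Users\Ricky\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
"""

SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
ACTION_RE = re.compile(r"^(?P<kind>File|Folder|Key|Value) Deleted : (?P<target>.+)$")
REPLACED_RE = re.compile(r"^Replaced : \[(?P<setting>[^\]]+)\] = (?P<old>.+?) --> (?P<new>.+)$")
BROWSER_RE = re.compile(r"^-\\\\ (?P<browser>.+?) v(?P<version>[\d.]+)$")
# A value removed from a ...\CurrentVersion\Run(Once) key was an autostart persistence entry.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)


def parse_adwcleaner_log(text):
    """Return one dict per action line, tagged with the section and browser it sits under."""
    entries = []
    section = None
    browser = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # header lines carry no actions
        m = SECTION_RE.match(line)
        if m:
            section, browser = m.group("name"), None
            continue
        m = BROWSER_RE.match(line)
        if m:
            browser = m.group("browser")
            continue
        m = ACTION_RE.match(line)
        if m:
            entries.append({"section": section, "browser": browser,
                            "action": f"{m.group('kind')} Deleted",
                            "target": m.group("target")})
            continue
        m = REPLACED_RE.match(line)
        if m:
            entries.append({"section": section, "browser": browser,
                            "action": "Replaced", "target": m.group("setting"),
                            "old": m.group("old"), "new": m.group("new")})
    return entries


def hijacked_domain(url):
    """Extract the host from a defanged (hxxp://) or normal http(s) URL."""
    m = re.match(r"^h(?:xx|tt)ps?://([^/?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def summarize(entries):
    """Aggregate parsed entries into counts, autostart values and browser redirects."""
    counts = Counter(e["action"] for e in entries)
    persistence = []
    for e in entries:
        if e["action"] == "Value Deleted":
            key, _, value = e["target"].rpartition(" [")
            if RUN_KEY_RE.search(key):
                persistence.append(value.rstrip("]"))
    hijacks = [(e["browser"], e["target"], hijacked_domain(e["old"]))
               for e in entries if e["action"] == "Replaced"]
    return {"counts": dict(counts), "persistence": persistence, "hijacks": hijacks}


if __name__ == "__main__":
    report = summarize(parse_adwcleaner_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run on the excerpt, the summary reports one Run-key value ("Anti-phishing Domain Advisor") and one start-page redirect to start.funmoods.com, which is exactly the pair of findings the thread's helpers pointed at; the same parser applied to a full log gives a quick triage view before the detailed OTL review.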
-
malwarebytes log is saved inside malwarebytes....you find it under the logs tab on top when you open the program
anyway...OTL is the important log
-
HERE YOU GO.
-
Since I did the last 3, think the problem may be gone. Have yet to get "threat detected" message? Thoughts? Think I'm in the clear?
-
Looking at the AdwCleaner log, I may see what your problem was
Folder Deleted : C:\ProgramData\Anti-phishing Domain Advisor
also others had this
http://forum.avast.com/index.php?topic=109840.0
http://forum.avast.com/index.php?topic=109795.0
check back later to hear what the removal specialist has to say
-
OK. Sounds good. Here's the last of it. The ASWMBR log.
thank you for your help. really appreciate it.
let me know if there is anything further i need to do..
-
This was the problem Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Anti-phishing Domain Advisor
Checking the logs now
-
OK not a lot left for me to kill ;D Let me know of any further problems
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzuyDtD0EyDyEzy0C0B0CyD0AtByDyE0CtAtN0D0Tzu0CtCzytAtN1L2XzutBtFtCtFtDtFtAtDtC&cr=547247914
O4 - HKU\S-1-5-21-10632349-1777486396-4087371160-1000..\Run: [SPMTray] "C:\Program Files\PC Speed Maximizer\SPMTray.exe" File not found
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
-
You want me to run this & copy/paste the info in the "code: {select}" section, & put it into the "paste scripts here" part?
-
Yep that will remove the last of the funmood stuff
-
O.K. got that done. Here is the log. Let me know what my next step will be or if I'm done. :)
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry value HKEY_USERS\S-1-5-21-10632349-1777486396-4087371160-1000\Software\Microsoft\Windows\CurrentVersion\Run\\SPMTray deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Public
User: Ricky
->Temp folder emptied: 49956963 bytes
->Temporary Internet Files folder emptied: 41481812 bytes
->Java cache emptied: 43504 bytes
->Google Chrome cache emptied: 398850101 bytes
->Flash cache emptied: 69614 bytes
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 74367330 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 79086015 bytes
Total Files Cleaned = 614.00 mb
Restore point Set: OTL Restore Point
OTL by OldTimer - Version 3.2.69.0 log created on 11182012_152951
Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
PendingFileRenameOperations files...
Registry entries deleted on Reboot...
-
That's it ;D .. Any further problems ? Or shall we do the tidy up thing
-
That's it. No "threat detected" messages, system appears to be running fine ;D.
Can't thank you & Pondus enough for taking the time to help me out. Couple of class acts! :)
-
That's what we be here for ;D
Run AdwCleaner and press the uninstall button
Run OTL and press the cleanup button
Delete AswMBR from the desktop
All done
-
Great! All done. Again, major thanks to you both. You two really know your stuff. Can't thank you enough.
-
you're welcome
safe surfing ;)