Avast WEBforum
Other => Viruses and worms => Topic started by: melissajkelly on December 30, 2012, 03:26:38 PM
-
I will post several "replies" to my own message to give you all the logs---they exceed the maximum number of characters on a message.
The other day when my Avast! Free Antivirus ran a boot scan, with "delete" selected, and the computer warned me that a virus was found in a Windows file and asked me to confirm deletion. The message said "... wininet .dll is infected by Win32 malwar –gen" and I Googled the virus name.
I followed the steps in this post http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0) and have the logs attached here, in case anyone can help.
ADWCLEANER SCAN RESULTS
# AdwCleaner v2.104 - Logfile created 12/29/2012 at 12:25:25
# Updated 29/12/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : Melissa - OFFICEPC
# Boot Mode : Normal
# Running from : C:\Users\Melissa\Desktop\adwcleaner.exe
# Option [Search]
***** [Services] *****
***** [Files / Folders] *****
Folder Found : C:\Program Files (x86)\Ask.com
Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\Users\Melissa\AppData\Local\APN
Folder Found : C:\Users\Melissa\AppData\Local\Conduit
Folder Found : C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgficikadnmmefckdecajlmffkbagomp
Folder Found : C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgficikadnmmefckdecajlmffkbagomp
Folder Found : C:\Users\Melissa\AppData\Local\Temp\AskSearch
Folder Found : C:\Users\Melissa\AppData\LocalLow\AskToolbar
Folder Found : C:\Users\Melissa\AppData\LocalLow\Conduit
Folder Found : C:\Users\Melissa\AppData\LocalLow\PriceGong
Folder Found : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
***** [Registry] *****
Key Found : HKCU\Software\APN
Key Found : HKCU\Software\AppDataLow\Software\AskToolbar
Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\Ask.com
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Google\Chrome\Extensions\kgficikadnmmefckdecajlmffkbagomp
Key Found : HKCU\Software\Google\Chrome\Extensions\kgficikadnmmefckdecajlmffkbagomp
Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Found : HKLM\Software\APN
Key Found : HKLM\Software\AskToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Found : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3214568
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\kgficikadnmmefckdecajlmffkbagomp
Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\kgficikadnmmefckdecajlmffkbagomp
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16457
[OK] Registry is clean.
-\\ Google Chrome v23.0.1271.97
File : C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[R1].txt - [4892 octets] - [29/12/2012 12:25:25]
########## EOF - C:\AdwCleaner[R1].txt - [4952 octets] ##########
-
ADWCLEANER LOG AFTER ITEMS DELETED:
# AdwCleaner v2.104 - Logfile created 12/29/2012 at 12:27:33
# Updated 29/12/2012 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : Melissa - OFFICEPC
# Boot Mode : Normal
# Running from : C:\Users\Melissa\Desktop\adwcleaner.exe
# Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
Deleted on reboot : C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgficikadnmmefckdecajlmffkbagomp
Folder Deleted : C:\Program Files (x86)\Ask.com
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Users\Melissa\AppData\Local\APN
Folder Deleted : C:\Users\Melissa\AppData\Local\Conduit
Folder Deleted : C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgficikadnmmefckdecajlmffkbagomp
Folder Deleted : C:\Users\Melissa\AppData\Local\Temp\AskSearch
Folder Deleted : C:\Users\Melissa\AppData\LocalLow\AskToolbar
Folder Deleted : C:\Users\Melissa\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Melissa\AppData\LocalLow\PriceGong
Folder Deleted : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
***** [Registry] *****
Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\AppDataLow\Software\AskToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Ask.com
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Google\Chrome\Extensions\kgficikadnmmefckdecajlmffkbagomp
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Deleted : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3214568
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\kgficikadnmmefckdecajlmffkbagomp
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16457
[OK] Registry is clean.
-\\ Google Chrome v23.0.1271.97
File : C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
*************************
AdwCleaner[R1].txt - [5013 octets] - [29/12/2012 12:25:25]
AdwCleaner[R2].txt - [5073 octets] - [29/12/2012 12:27:15]
AdwCleaner[S2].txt - [4935 octets] - [29/12/2012 12:27:33]
########## EOF - C:\AdwCleaner[S2].txt - [4995 octets] ##########
-
I will post several "replies" to my own message to give you all the logs---they exceed the maximum number of characters on a message.
attach the logs....not copy and paste
-
Sorry--okay, I'll attach logs even though the instructions in that other message said to copy and paste.
-
I can't attach the OTL log--it says the file is too large. I can try to run that again later. But attached is the OTL extras log.
-
Log.
-
Another log.
-
And finally, the Rogue Killer reports.
-
I can't attach the OTL log--it says the file is too large. I can try to run that again later. But attached is the OTL extras log.
split the OTL log in two....
-
Also hide your email unless you like spam. :)
-
Attached is the OTL log file from yesterday.
-
And my OTL "extras" log from yesterday---that's it for logs. I sure hope someone can help!
-
the most important log is the OTL.txt ....... the one you posted seems to be only half of it..... is it or am i wrong?
malware removers are notified. it may take hours before one arrive so be patient :)
-
Hi,
Please attach aswBoot.txt logreport.
C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt
-
No, the OTL reports I posted this morning are the full reports. The one I tried to upload over the weekend was run incorrectly---it was set to scan files from the last 365 days instead of the last 30 days. So that's why it was massive. I would have had to split it into about 20 posts to be able to attach it. LOL So I re-ran the OTL set for 30 days and attached the log and the extras log today.
I am at work now...I will post the other request log (aswBoot.txt) this evening. Thank you!!
-
I looked for this report, but do not have a "Report" folder in the Avast folder, and do not have this .txt file in any of the Avast folders.
C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt
I searched the PC for "aswBoot.txt" and it said the file was not found. Should I be looking for a different file? I am running avast! Free Antivirus on a W7 64 bit machine and definitions were just updated this morning.
Thanks!
-
Hm...
Logs looks good. I don't see nafting bad here. Re-run avast! boot time scan once more. When avast finish scanning, try to find there and attach here aswBoot.txt logreport.
-
I ran an avast! boot scan and asked it to DELETE files that it finds (because in the past that was the only way it would "find" the virus I mentioned in my first message---when Windows would warn me that it was a Windows .dll file and ask me to confirm I wanted to delete it). This time, it went on past that and booted into Windows. And the log then revealed that it found a virus in Hotmail and moved it to the chest. (See attached .jpg)
I am convinced there is some kind of virus on this machine but I don't know how to find it.
I **still** do not have that sub-folder under the avast folder, and do not have the text file you are asking for anywhere on my system. If I'm using the free version of Avast should I still have that file?? I don't understand why I don't. Thanks!
-
This detection is not active malware, file is detected with antivirus heruistics. Nothing to worry about, FP (false positive) simply must happen from time to time.
Detected file is related for Windows Live Messenger.
As I wrote above, all your logs are clean and no active malware here... ;)
---------------
> First let's remove some registry remains and do some speed up of your PC.
Re-run OTL.exe.
- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:Otl
CHR - Extension: Ask Toolbar = C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaandgknhidclennijgnchhaiefkmch\7.15.4.24146_0\
O3 - HKU\S-1-5-21-3172663602-4032253925-2754547789-1000\..\Toolbar\WebBrowser: (no name) - {ADCA5064-9E30-43FE-9856-58B07A3149FE} - No CLSID value found.
:Commands
[CREATERESTOREPOINT]
[emptytemp]
- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. You don't need to attach that log.
- - - - - - -
Then you may remove/uninstall OTL tool:
Re-run OTL and click on CleanUp! button.
You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.
-----------------
I recommended you to keep Malwarebytes on your system and to add MCShield tool if you will.
You may download MCShield from one of the following links:
MyCity - Official download link (http://amf.mycity.rs/mcshield/)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)
It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.
-
Thanks. I ran the custom fix as you suggested. I will follow the remaining steps.
I assume, then, that Avast and Malwarebytes can be on the machine simultaneously without a problem? And McShield, too?
Thanks for your help. I will continue to run boot scans and regular scans, because I still don't understand why I got that first message about the .dll file naming the virus. :(
-
Hi,
I assume, then, that Avast and Malwarebytes can be on the machine simultaneously without a problem? And McShield, too?
Yes. avast! is antivirus and Malwarebytes and MCShield are antimalware tools. Watch them like a great support to your current antivirus program.
I will continue to run boot scans and regular scans, because I still don't understand why I got that first message about the .dll file naming the virus.
Boot time scanning is good thing when you do have some active malware detected on the system. Otherwise, scanning from the active system is enough.
Take another look at the picture you're attach. See the detected file path?
%appdata%\local\Microsoft\WindowsLiveMessanger
As I wrote above, detection is false. It's not a malicious software nothing to worry about. You may put that detected file to ignore list.
-
Thanks. Yes, I realize that file wasn't a problem. My concern was over the virus found during the boot scan a few days ago, which started this thread:
The other day when my Avast! Free Antivirus ran a boot scan, with "delete" selected, and the computer warned me that a virus was found in a Windows file and asked me to confirm deletion. The message said "... wininet .dll is infected by Win32 malwar –gen" and I Googled the virus name.