Avast WEBforum
Other => Viruses and worms => Topic started by: Tisoran on October 26, 2013, 06:45:42 AM
-
So I've run a number of different scans since the initial Alert/block.
First it was Malwarebytes Pro that started blocking an IP: 66.45.56.109
I was starting to get a bit concerned when the same block occurred the next day. Started cleaning up and removed a significant amount of malware with Malwarebytes and AdwCleaner/aswMBR and thought it was over with.
Later I installed Avast Home edition 2014, thinking it wouldn't hurt to run both programs since the 'block' had shown up more often.
However, now avast is blocking a URL: http://clickered.com/cen?ag
I've looked for any sort of toolbar or program in RevoUninstaller that looked suspicious and I came across a GigaClicks Crawler installation. I've no idea what it's from or what it does. When prompted to uninstall, Avast kicked it and moved some process to the chest.
I stumbled upon this (http://forum.avast.com/index.php?topic=133686.0) thread. Thinking I had a similar problem I followed the instructions for OTL off of this other thread (http://forum.avast.com/index.php?topic=53253.0).
And the OTL log is attached.
Any help to get rid of this would be very appreciated.
Much thanks.
-
Hello
Re-run OTL.exe.
- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
IE - HKU\S-1-5-21-3516740335-3617436455-440623508-1000\..\SearchScopes\{BB1F5DE8-681C-4096-B90E-4F20ECFB7A97}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3310511&CUI=UN14654307485881244&UM=2
O4 -
O4 - HKLM..\Run: [] File not found
O4 - HKU\.DEFAULT..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found
O4 - HKU\S-1-5-18..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found
:commands
[CREATERESTOREPOINT]
[emptytemp]
- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
If the log doesn't appear, it can be found here:
c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log
.
Please download zoek.zip or zoek.rar by smeenk from here (http://hijackthis.nl/smeenk) or here (http://home.kpn.nl/stefsmeenk/zoek.exe) and save it to your Desktop.
Unpack the archive...
- Close any open browsers
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Double click on zoek.exe to run the tool .
Please wait until the tool starts...
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;
uninstall-list;
- Click on the "Run script" button.
Please wait until a log report opens (this can be after a reboot).
- Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named "zoek-results.log"
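The OTL fix above removes a Conduit SearchScopes URL and two Run values whose target file no longer exists. The PowerShell audit below is an added example (not part of this thread and not OTL's own code) that lists the same two kinds of entries read-only, so they can be reviewed before any fix script is written; it assumes an elevated prompt so that HKEY_USERS\.DEFAULT is readable, and the Get-RunExePath helper is my own.

```powershell
# Added example: read-only audit of Run values and IE SearchScopes.
# Run from an elevated PowerShell so HKEY_USERS\.DEFAULT can be read.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    # the hive OTL reported as both HKU\.DEFAULT and HKU\S-1-5-18
    'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Extract the executable path from a Run value such as
#   "C:\Program Files\x\y.exe" /arg   or   C:\x\y.exe -q   (helper of my own)
function Get-RunExePath([string]$cmd) {
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split ' ')[0]
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    # drop the provider's own PS* metadata properties, keep the real values
    $props = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $_.Name -notin 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider' }
    foreach ($p in $props) {
        $exe = [Environment]::ExpandEnvironmentVariables((Get-RunExePath ([string]$p.Value)))
        # OTL prints "File not found" for exactly this condition
        $status = if ($exe -and (Test-Path -LiteralPath $exe)) { 'ok' } else { 'FILE NOT FOUND' }
        '{0,-14} {1} [{2}] = {3}' -f $status, $key, $p.Name, $p.Value
    }
}

# IE search scopes: a "URL" pointing at a provider the user never chose
# (search.conduit.com in the thread) is the kind of entry OTL removed above.
$scopes = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
if (Test-Path -LiteralPath $scopes) {
    Get-ChildItem -LiteralPath $scopes | ForEach-Object {
        $url = (Get-ItemProperty -LiteralPath $_.PSPath).URL
        'SearchScope {0} = {1}' -f $_.PSChildName, $url
    }
}
```

A Run value flagged FILE NOT FOUND is dead weight, not proof of infection; the interesting finding is which installer left it behind.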
-
I've run OTL and Zoek as instructed and the logs are attached, however the problem is still coming up.
Avast pops up with this:
" Object: http://clickered.com/cen?ag=a61d164abf0a767c25d33ee1a63e7473-11-3&g=BMW
Infection: URL:Mal
Process: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "
or this url: http://clickered.com/cen?ag=c8841473129879da1cafddf323c7ad82-11-2&g=PIG
Thank you for the quick reply.
-
Download TDSSKiller (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) and save it to your desktop
Execute TDSSKiller.exe by doubleclicking on it.
Confirm the "End user Licence Agreement" and "KSN Statement" dialog boxes by clicking the Accept button.
- Press Start Scan
- If Suspicious object is detected, the default action will be Skip, click on Continue.
- If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
.
----------- > Next
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) by Farbar and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
-
Alerts have still been coming in; Malwarebytes Pro has been blocking the original IP, however it's now under an avastsvc process.
Also I've run TDSSKiller, no suspicious or malicious objects detected.
I've also ran Farbar Recovery Scan Tool and the logs are attached.
-
- Close any open browsers
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Double click on zoek.exe to run the tool .
Please wait until the tool starts...
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job;f
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job;f
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB1F5DE8-681C-4096-B90E-4F20ECFB7A97}];r
FFdefaults;
chrdefaults;
iedefaults;
emptyalltemp;
autoclean;
emptyclsid;
ipconfig /flushdns >> %temp%\log.txt;b
- Click on the "Run script" button.
Please wait until a log report opens (this can be after a reboot).
- Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named "zoek-results.log"
-
I've run Zoek as instructed; I had to run it twice as I forgot to disable the antivirus.
Alerts are still popping up.
I don't know if it matters, but I've been watching the Shields Activity from the Avast Statistics Monitoring, and I've noticed the shields spike up when something accesses something along the lines of "AppData\Temp\scoped dir_4383_25439\CRZ_INSTAL\Locales\vi\messages.json"
Logs are attached and Thank you for your quick reply.
-
Hi Tisoran,
Argus is busy these days. I will assist you.
Re-run zoek as you did before but using this script:
autoclean;
C:\Windows\SysNative\tasks\Escolade;f
C:\Users\Admin1\AppData\Roaming\iPumper;fs
Post me the freshly created zoek log.
NEXT...
Re-run FRST, check the box for Addition.txt and press the [Scan] button. Post me the freshly created FRST.txt and Addition.txt reports.
-
Alright, Thank you magna.
I've re-run Zoek and as well as FRST, the logs are attached.
-
Posted logs look good. Just one small fix...
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Task: {2CB7B523-420B-48AF-9A35-5EA176DDF1AD} - \Escolade No Task File
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
================================
How's your computer running now?
-
I've run FRST with the fixlist.txt and the log is attached.
The system is running about as smoothly as it did when I first formatted the drive; however, the alerts from Avast are still coming in.
-
The system is running about as smoothly as it did when I first formatted the drive; however, the alerts from Avast are still coming in.
Can you please post me screenshot of that avast pop-up alert?
Also, re-run FRST and post me fresh FRST.txt log.
-
Also, re-run zoek tool with this script:
StandardSearch;
When zoek has finished, post me the freshly created zoek logs.
-
I've posted a screenshot of the alerts. There was an instance where Malwarebytes and Avast blocked one at the same time. Both have been included in the picture, as well as what Avast was scanning while the alert hit.
Re-ran FRST and Zoek, fresh logs have been attached.
-
I don't know if it applies, but I've been experiencing nearly the exact same symptoms as in this thread (http://forum.avast.com/index.php?topic=138362.0), with 2 different avast alerts back to back. The alerts range anywhere from 5-30 mins apart. I didn't notice the muting on Chrome until recently, and I've also caught the 'spare' Chrome with a radio station on mute.
-
Hi,
I see nothing active in the logs.
1. We shall deploy ComboFix. This powerful tool has a useful routine for malware search, and it will also clean junk, temp and cache files.
Scan with Combofix:
- Please download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) by sUBs and save it to your Desktop.
You may read how Combofix works here. (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
- Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.
- When finished, it will produce a report for you. Please attach log reports (ComboFix.txt) back to topic.
(typical log location: C:\ComboFix.txt )
-----------------------------------------------------
2. Let's reset Chrome settings to default:
- Close Google Chrome browser;
- Press the Windows key and R.
- Copy/paste following txt:
%LOCALAPPDATA%\Google\Chrome\User Data\
- Click OK.
- Find the Default folder and rename that folder to Default.old
Re-start Google Chrome.
-
I've run ComboFix as well as renamed the Default folder to Default.old; the logs are attached.
I'll let you know if any alerts come in, so far just spikes in Avast's Shields activity.
Edit: Single alerts at first, now they're back to back again.
-
Running ComboFix via CFScript:
Open notepad and copy/paste the text present inside the code box below:
ClearJavaCache::
Folder::
c:\users\Admin1\AppData\Local\lptmp1554647073
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
RegNull::
[HKEY_USERS\S-1-5-21-3516740335-3617436455-440623508-1000\Software\SecuROM\License information*]
"datasecu"=hex:1c,46,80,3f,ff,80,b1,4f,a1,c8,1a,04,2f,21,35,e5,34,32,de,90,08,
bd,10,3b,c6,c1,72,b2,d4,cd,67,38,b9,15,cd,55,a3,bf,65,29,cf,6a,2e,62,fa,e2,\
"rkeysecu"=hex:36,9e,fa,1f,34,da,ec,97,21,4d,1e,a0,6a,88,6e,f0
Save this as CFScript.txt
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Close all browser windows.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
-
I've Re-run ComboFix with the script as well as uninstalled Google Chrome via Revo-uninstaller.
-
Posted logs look good. CF did its job. Any malware alerts?
edit:
You have installed Webroot SecureAnywhere alongside avast. This isn't good and this isn't protection.
You may use only one AV per system. One of them you must uninstall. You choose which one...
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AV: Webroot SecureAnywhere *Disabled/Updated* {9C0666FC-6C7D-3E97-3C40-0C6B33FC7401}
-
I've uninstalled Webroot SecureAnywhere, I've been having it regularly disabled while using avast. Is there any way I can completely clear chrome/google from my desktop and reinstall chrome?
Re-installed Chrome and the alerts came back. I figure I'll just leave it uninstalled until everything is sorted out.
-
Hi,
I see nothing in the posted logs (we have run and analyzed OTL, Zoek, FRST and ComboFix) and no one sees malware.
These may be avast FPs. I can't tell, as you are malware free. I can only run a powerful AntiRootkit diagnosis, as this check works on a system-core level.
If you wish AntiRootkit Check, run Gmer tool:
Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:
Gmer download link (http://www2.gmer.net/download.php)
Note: the file will be randomly named.
Double-click to run GMER.
- Wait for initial scan to finish - if there is any query, click No;
- Click Scan button and wait until the full scan is complete;
- Click Save ... - save the report to the Desktop (named Gmer1 );
- Right-click anywhere in GMER's window and select Options > 3rd party - click the Scan button;
- Please wait until the full scan is complete;
- Click Save ... button and save report to Desktop (named Gmer2 );
Note: the scan for the Gmer2 log may take some time.
- Click the >>> and select the Autostart tab;
- After quick scan, click Copy button;
- Open notepad and Paste text. Save report to the Desktop (named Gmer3 )
> Attach all Gmer log reports here (Gmer1, Gmer2 and Gmer3).
-
I've run Gmer and the 3 logs are attached, it readily found a number of hidden files with just the opening search.
-
Hi,
Just to let you know, do not be alarmed by Gmer's "RootKit" pop-ups in Gmer's primary and 3rd party scans. These flagged drivers... well, they belong to avast.
But I want to perform some additional checks and delete some non-active value keys that Gmer pointed out...
I shall use FRST's Script for that.
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Start
REG: reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" /v "{23170F69-40C1-278A-1000-000100020000}" /f
File: C:\Windows\system32\conhost.exe
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
-
Alright, I've run FRST64 and the log is attached.
-
Hi,
I see your PC as malware free. It is time to remove the tools we used.
It is necessary to uninstall ComboFix :
- Click Start (or the Vista Start button), then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
- In the line of text type in (Copy) the following:
ComboFix /Uninstall
Note that there is a space between " ComboFix " and " /Uninstall " .
- then click OK (or press Enter ).
Wait for the uninstall process to complete.
------------------------------------------
Please download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.
Run the tool and check the following boxes below;
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Now click on the "Run" button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt
> I don't need the DelFix log report.
--------------------------------------
I recommend using MCShield if you wish.
You may download MCShield from one of the following links:
MyCity - Official download link (http://www.mcshield.net)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)
It will prevent infection of the computer via USB flash drives, mobile phones or any other memory card.
And not only will it prevent infection, it will immediately clean the flash drive, memory card or external HDD.
-
Thanks for your help. Uninstalled ComboFix and ran DelFix. When installing Chrome again the alerts come back; I'll try using Firefox for a while.
-
Thanks for your help. Uninstalled ComboFix and ran DelFix. When installing Chrome again the alerts come back; I'll try using Firefox for a while.
Sorry. I can't fix what I don't see, as I can't find any problem. Try to run these tools as well.
But know that if these tools find something, they are only inactive remains... maybe some of them provoke avast into creating pop-ups...
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool.
- Click on the Scan button.
- After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
- After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
- The logfile will also be saved in the C:\AdwCleaner folder.
THEN
Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/) to your desktop.
- Shut down your protection software now to avoid potential conflicts.
- Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
- The tool will open and start scanning your system.
- Please be patient as this can take a while to complete depending on your system's specifications.
- On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
- Post the contents of JRT.txt into your next message.
-
Sorry for the late reply, I've run both programs and attached both logs.
-
Just as I expected... they find nothing.
Run AdwCleaner and hit the [Uninstall] button. Delete JRT manually.