Avast WEBforum
Other => Viruses and worms => Topic started by: annemarie185 on January 28, 2014, 06:35:47 PM
-
I am scared from a permanent Avast-Pop-up (it's there for hours and I cant removve it). It informs that malware has found and blocked. But it gives me no possibility to react, no tool, no choice as usually but only an ad to download Google Chrome.
The Computer has been scanned, everything seems to be ok. But the Pop-up wont go away, it stays there permanently and a cant work properly (it takes the important right corner of the screen).
What do I have to do?
I would very much appreciate, if someone could help me soon in this topic.
Thank's a lot.
Annemarie
-
hey and welcome to the forum
please follow this guide and attach your logs. we need the log from mbam,otl, awsmbr
http://forum.avast.com/index.php?topic=53253.0
a malware expert will help you from there.
-
can you attach a screenshot of the popup?
-
Oh, I wish I could, but I dont know how to create the necessary file type. I can only create a doc-file. I am sorry. I try to attach this, but I'm afraid, it goes through.
-
Hi what version of windows are you running ?
-
Hi, it`s Windows 7.
-
I try again with an attachment. Hope it works...?
-
part II
-
OK I was going to suggest that you use the snipping tool http://www.bleepingcomputer.com/tutorials/how-to-use-the-windows-snipping-tool/
OK lets have a look see
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
Secondary link (http://www.itxassociates.com/OT-Tools/OTL.exe)
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
(https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Select LOP and Purity
- Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach both logs
-
Hello Essexboy, the scan is done. Now I attach the report files...
-
OK lets get at it, once this has run let me know if the alerts cease
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
IE - HKLM\..\URLSearchHook: {37483b40-c254-4a72-bda4-22ee90182c1e} - No CLSID value found
IE - HKU\S-1-5-21-2790221107-3941140988-3762472147-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [String data over 1000 bytes]
IE - HKU\S-1-5-21-2790221107-3941140988-3762472147-1000\..\URLSearchHook: {37483b40-c254-4a72-bda4-22ee90182c1e} - No CLSID value found
IE - HKU\S-1-5-21-2790221107-3941140988-3762472147-1000\..\URLSearchHook: {84FF7BD6-B47F-46F8-9130-01B2696B36CB} - No CLSID value found
IE - HKU\S-1-5-21-2790221107-3941140988-3762472147-1000\..\SearchScopes,DefaultScope = {BFBC099C-9CCD-42FC-9DC0-E0DE9ECBEF13}
IE - HKU\S-1-5-21-2790221107-3941140988-3762472147-1000\..\SearchScopes\{BE89407B-BEC5-4D7B-84B0-948494C5E25C}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=U3&apn_dtid=OSJ000YYDE&apn_uid=CCA0A93A-11D9-4E11-9C4E-0F764CD61539&apn_sauid=D677596E-8DAC-4923-A6B8-FDB92A00F84D
IE - HKU\S-1-5-21-2790221107-3941140988-3762472147-1000\..\SearchScopes\{BFBC099C-9CCD-42FC-9DC0-E0DE9ECBEF13}: "URL" = http://search.softonic.com/MON00015/tb_v1?q={searchTerms}&SearchSource=4&cc=
FF - prefs.js..browser.search.defaultthis.engineName: "NCH EN Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2801948&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..extensions.enabledAddons: ffxtlbra%40softonic.com:1.5.1
FF - prefs.js..extensions.enabledAddons: toolbar%40gmx.net:2.6
FF - prefs.js..extensions.enabledAddons: %7B37483b40-c254-4a72-bda4-22ee90182c1e%7D:3.18.0.7
[2013.04.03 16:17:51 | 000,000,000 | ---D | M] (NCH EN Community Toolbar) -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\ka6jkldd.default\extensions\{37483b40-c254-4a72-bda4-22ee90182c1e}
[2013.04.03 16:26:42 | 000,000,000 | ---D | M] (softonic.com) -- C:\Users\User\AppData\Roaming\mozilla\Firefox\Profiles\ka6jkldd.default\extensions\ffxtlbra@softonic.com
[2013.06.23 15:13:45 | 000,571,660 | ---- | M] () (No name found) -- C:\Users\User\AppData\Roaming\mozilla\firefox\profiles\ka6jkldd.default\extensions\toolbar@gmx.net.xpi
[2013.04.03 16:26:56 | 000,001,050 | ---- | M] () -- C:\Users\User\AppData\Roaming\mozilla\firefox\profiles\ka6jkldd.default\searchplugins\11-suche.xml
[2013.11.15 20:02:27 | 000,002,308 | ---- | M] () -- C:\Users\User\AppData\Roaming\mozilla\firefox\profiles\ka6jkldd.default\searchplugins\askcom.xml
[2012.02.28 12:57:56 | 000,000,915 | ---- | M] () -- C:\Users\User\AppData\Roaming\mozilla\firefox\profiles\ka6jkldd.default\searchplugins\conduit.xml
[2012.03.13 19:34:24 | 000,002,060 | ---- | M] () -- C:\Users\User\AppData\Roaming\mozilla\firefox\profiles\ka6jkldd.default\searchplugins\softonic.xml
O2:64bit: - BHO: (HDvid Codec V7.0) - {11111111-1111-1111-1111-110411901142} - C:\Program Files (x86)\HDvid Codec V7.0\HDvid Codec V7.0-bho64.dll (installdaddy)
O2 - BHO: (no name) - {37483b40-c254-4a72-bda4-22ee90182c1e} - No CLSID value found.
O2 - BHO: (no name) - {84FF7BD6-B47F-46F8-9130-01B2696B36CB} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {37483b40-c254-4a72-bda4-22ee90182c1e} - No CLSID value found.
O3 - HKU\S-1-5-21-2790221107-3941140988-3762472147-1000\..\Toolbar\WebBrowser: (no name) - {37483B40-C254-4A72-BDA4-22EE90182C1E} - No CLSID value found.
O4 - HKLM..\Run: [Iminent] C:\Program Files (x86)\Iminent\Iminent.exe /warmup "F77F87E5-A6BD-4922-A530-EDF63D7E9F8C" File not found
O4 - HKLM..\Run: [IminentMessenger] C:\Program Files (x86)\Iminent\Iminent.Messengers.exe File not found
O4:64bit: - HKLM..\RunOnce: [MSKSSRV] rundll32.exe streamci,StreamingDeviceSetup {96E080C7-143C-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196},{3C0D501A-140B-11D1-B40F-00A0C9223196} File not found
O4:64bit: - HKLM..\RunOnce: [MSPCLOCK] rundll32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D0-A5D6-28DB04C10000},{53172480-4791-11D0-A5D6-28DB04C10000} File not found
O4:64bit: - HKLM..\RunOnce: [MSPQM] rundll32.exe streamci,StreamingDeviceSetup {DDF4358E-BB2C-11D0-A42F-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196} File not found
O4:64bit: - HKLM..\RunOnce: [MSTEE.CxTransform] rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},{CF1DDA2C-9743-11D0-A3EE-00A0C9223196},C:\Windows\inf\ksfilter.inf,MSTEE.Interface.Install File not found
O4:64bit: - HKLM..\RunOnce: [MSTEE.Splitter] rundll32.exe streamci,StreamingDeviceSetup {cfd669f1-9bc2-11d0-8299-0000f822fe8a},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},{0A4252A0-7E70-11D0-A5D6-28DB04C10000},C:\Windows\inf\ksfilter.inf,MSTEE.Interface.Install File not found
[2014.01.18 18:17:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\HDvid Codec V7.0
[2014.01.18 18:17:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\hdvidcodec.com
[2014.01.28 18:22:00 | 000,002,224 | ---- | M] () -- C:\Windows\tasks\HDvid Codec V7.0-firefoxinstaller.job
[2014.01.28 18:18:01 | 000,001,356 | ---- | M] () -- C:\Windows\tasks\HDvid Codec V7.0-updater.job
[2014.01.28 18:18:00 | 000,001,180 | ---- | M] () -- C:\Windows\tasks\HDvid Codec V7.0-enabler.job
[2014.01.28 18:17:01 | 000,002,140 | ---- | M] () -- C:\Windows\tasks\HDvid Codec V7.0-chromeinstaller-dev.job
[2014.01.28 18:17:00 | 000,001,298 | ---- | M] () -- C:\Windows\tasks\HDvid Codec V7.0-codedownloader.job
[2013.11.28 10:22:31 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Internet-Manager
:Files
C:\Program Files (x86)\Iminent
:Commands
[resethosts]
[emptytemp]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean"
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
-
Ahoi Essexboy, I did everything as advised. I did it brave and hopefully ... but the alert is still there. It popped up, as if it was there forever and if it would stay there forever. I go crazy.
I sent all the files. Plus my hope that you have any idea what else could be done to let it go...
-
Could you confirm that you only get this with firefox ?
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Commands
[CREATERESTOREPOINT]
:OTL
IE - HKCU\..\SearchScopes\{725283D3-7680-4BCA-A237-F565A6C57A5F}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2801948
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101727.dll (Amazon.com, Inc.)
[2014.01.18 18:18:42 | 000,001,368 | ---- | M] () -- C:\Users\User\AppData\Roaming\mozilla\firefox\profiles\ka6jkldd.default\searchplugins\iminent.xml
O4:64bit: - HKLM..\RunOnce: [WDM_DRMKAUD] rundll32.exe streamci,StreamingDeviceSetup {EEC12DB6-AD9C-4168-8658-B03DAEF417FE},{ABD61E00-9350-47e2-A632-4438B90C6641},{FFBB6E3F-CCFE-4D84-90D9-421418B03A8E},C:\Windows\inf\WDMAUDIO.inf,WDM_DRMKAUD.Interface.Install File not found
:Files
C:\Users\Annemarie\AppData\Local\Program Files\Amazon\MP3 Downloader
:Commands
[resethosts]
[emptytemp]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
-
Yes, because I only use firefox. I do this algorithmus again? Should I change to anything else than firefox?
-
Run the fix, then use IE for a few minutes to see if the alert is present
-
Ok. I will try. Thank's for your advices.
-
You got it! After the fix ran, everything was fine with the Internet Explorer. No pop up.
Then I started Firefox - and it began again. In both browsers...
Closing down Firefox, stopped it.
I suppose, this is not solving the Problem. But I am so happy for the moment, just to get rid of this annoying message and to continue a bit of my work... Thank you so much!
But: what will be the be the next step? Could you help me further to bring anything on the "right way"?
No more Firefox for me? (haven't used anything else for years). Any further Reparation scans?
-
Yep the next stage will be to reset firefox and see if that stops it. If it does not we will have to do a full uninstall and get you a fresh copy
Reset Firefox :
Follow the steps on this page https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems then retry Firefox, if it still alerts let me know
-
Woohoo! It's gone. Great. I am happy.
I would'nt never found out without your help! Thanks for everything, great job!
Where are you located, you and your dragons?
-
My pleasure, me and my dragons live in darkest Cornwall where Arthur ruled with the help of Merlin :)
In that case methinks I will send you on your merry way :)
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:
Run AdwCleaner and select uninstall
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
Clear Restore Points
Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up at the first prompt select OK after it has done some calculations the tabs will appear
Select More Options tab
Press Sytem Restore and Shadow Copies Cleanup button
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/) install this programme to lock down and prevent crypto ransome ware
(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)Keep safe :wave:
-
Hello Essexdragon, you sent such a nice and detailed answer, and I haven't noticed that until today! Sorry for not reporting back, simply haven't been in the forum. Thought after a while, we were finished.
Well, my respect for your work is hereby duplicated!
I will follow all instructions and afterwards start to sharpen my weapons against malware. In both educational and digital matters...
Thank's a lot for your advice and information!
Cornwall? Seems to be a great place, when you live with dragons. Lot's of history, honest work and pure magic. And dark beauty too...
all the best,
Anne