Avast WEBforum

Other => Viruses and worms => Topic started by: Queenli6 on April 28, 2014, 07:10:23 PM

Title: Win32:SmartBar-A Infected windows/installer file
Post by: Queenli6 on April 28, 2014, 07:10:23 PM
I am using another computer to send this. This morning my DH was downloading a PDF using Mozilla Firefox. He has been having trouble lately downloading PDFs with Firefox; he just hasn't had time to fix extensions or whatever is needed. He attempted to download a PDF and somehow ended up clicking on an advertisement with the green download icon that he thought would help complete the download. He clicked on the download and Avast came up with a warning. We backed out and moved it to the chest and thought all was well. I switched to Google Chrome and the PDF came up just fine. He shut off the computer and went to work. I turned the computer on and Avast immediately went into the boot scan.
It is still going, or sitting waiting for me to give a command. So far it has moved to the chest: win32:Dropper-gen [Drp], win32:Installer-J [PUP], win32:Mindspark-A [PUP], win32:SmartBar-A [PUP].

Before it got to the question it listed:  File C:\users\Herman\Desktop\Games\DosBox\DosBox-o.63-install.exe|>$INSTDIR\dosbox.exe   
Error   42145  {Installer archive is corrupted.}

Avast has stopped the scan and is asking me a question: "C:\windows\Installer\4472c.msi|>Smartbar.Cab|>LinkuryExeName is infected by win32:SmartBar-A [PUP]. Move to chest: File is in Windows folder, are you sure? 1-yes 2-yes all 3-no esc-exit"
It is just sitting with that on the screen.
Please help, just tell me what to do on the infected computer. I don't want to mess it up any more than it is by deleting a Windows file I need without instructions on how to get it back. Thank you :'( :'( :'(
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Pondus on April 28, 2014, 07:17:55 PM
PUP = not a virus / Potentially Unwanted Program ..... usually crap programs that come bundled with freeware downloads

Some info
http://www.malwarebytes.org/pup/
http://blog.malwarebytes.org/news/2013/07/malwarebytes-adopts-aggressive-pup-policy/
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Pondus on April 28, 2014, 07:22:35 PM
Quote
Before it got to the question it listed:  File C:\users\Herman\Desktop\Games\DosBox\DosBox-o.63-install.exe|>$INSTDIR\dosbox.exe   
Error   42145  {Installer archive is corrupted.}     
This is just a scan error message

Quote
win32:Dropper-gen [Drp] ,   
This is a real infection

If you want a check, follow the instructions and attach the Malwarebytes and OTL logs    http://forum.avast.com/index.php?topic=53253.0
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Queenli6 on April 28, 2014, 07:35:16 PM
Thank you for the quick response. What about the question:
Quote
Avast has stopped the scan and is asking me a question: "C:\windows\Installer\4472c.msi|>Smartbar.Cab|>LinkuryExeName is infected by win32:SmartBar-A [PUP]. Move to chest: File is in Windows folder, are you sure? 1-yes 2-yes all 3-no esc-exit"

What do I do with this? I need to choose something.
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Pondus on April 28, 2014, 07:52:16 PM
It is some adware/toolbar crap
If you are unsure .... select no. 3 ..... then, when done, attach the logs from the guide I linked to and a malware expert will help you

Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Queenli6 on April 28, 2014, 08:02:22 PM
I chose Esc-Exit
I am downloading the " Malwarebytes and OTL logs    http://forum.avast.com/index.php?topic=53253.0 "
I will post logs.
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Queenli6 on April 28, 2014, 08:15:45 PM
I just tried to run Malwarebytes and I got an error on installing. I attached a screenshot.
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Michael (alan1998) on April 28, 2014, 08:19:41 PM
Try Safe Mode. It should prevent any active malware from loading itself.

If Safe Mode doesn't work, skip it and move on to OTL.
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Queenli6 on April 28, 2014, 08:55:10 PM
Ok, I will run in SafeMode.  I ran OTL.
Extras attached
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Pondus on April 28, 2014, 08:58:06 PM
Quote
Ok, I will run in SafeMode.  I ran OTL.
Extras attached
We need OTL.txt; that is the important log.

Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Queenli6 on April 28, 2014, 08:59:39 PM
How do you attach 2 files?
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Pondus on April 28, 2014, 09:00:48 PM
Quote
How do you attach 2 files?
You click "more attachments".
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: essexboy on April 28, 2014, 09:23:29 PM
Hi lets clear you up :)

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
Code:
:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/
IE - HKLM\..\URLSearchHook: {52a3500f-fc3e-4253-8d2f-fa6303d5f7e2} - C:\Program Files\Swagbucks1\prxtbSwag.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {9C547235-5A0B-45BF-B53B-81812EE54F5E}
IE - HKLM\..\SearchScopes\{E627DC4B-8C04-4234-A2D4-1D634EE01C41}: "URL" = http://fastestwebsearch.com/search?q={searchterms}
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\URLSearchHook: {4c60e5ab-5c68-4c59-abaa-885010b24b32} - No CLSID value found
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\URLSearchHook: {52a3500f-fc3e-4253-8d2f-fa6303d5f7e2} - C:\Program Files\Swagbucks1\prxtbSwag.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\SearchScopes,DefaultScope = {9C547235-5A0B-45BF-B53B-81812EE54F5E}
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\SearchScopes\{96bd48dd-741b-41ae-ac4a-aff96ba00f7e}: "URL" = http://search.coupons.com/search.asp?p=df&q={searchTerms}
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\SearchScopes\{9C547235-5A0B-45BF-B53B-81812EE54F5E}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3298566&CUI=UN18082061307899844&UM=2
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\SearchScopes\{E627DC4B-8C04-4234-A2D4-1D634EE01C41}: "URL" = http://fastestwebsearch.com/search?q={searchterms}
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1C43BAF1-00C2-40A8-A09E-F84CFD79546D}: C:\Program Files\Coupons.com CouponBar\firefox\{1C43BAF1-00C2-40A8-A09E-F84CFD79546D}\Coupons.com.xpi [2012/01/26 11:18:46 | 000,185,164 | ---- | M] ()
[2013/05/06 18:00:38 | 000,000,997 | ---- | M] () -- C:\Users\Family account\AppData\Roaming\Mozilla\Firefox\Profiles\1p54yyfv.default\searchplugins\conduit.xml
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Swagbucks1 Toolbar) - {52a3500f-fc3e-4253-8d2f-fa6303d5f7e2} - C:\Program Files\Swagbucks1\prxtbSwag.dll (Conduit Ltd.)
O2 - BHO: (Search Assistant BHO) - {f236ca79-3123-4afb-9f74-e98117ad5625} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrcAs.dll (MindSpark)
O2 - BHO: (TBSB07898 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Coupons.com CouponBar\tbcore3.dll ()
O3 - HKLM\..\Toolbar: (Swagbucks1 Toolbar) - {52a3500f-fc3e-4253-8d2f-fa6303d5f7e2} - C:\Program Files\Swagbucks1\prxtbSwag.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Coupons.com CouponBar) - {8660E5B3-6C41-44DE-8503-98D99BBECD41} - C:\Program Files\Coupons.com CouponBar\tbcore3.dll ()
O3 - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\Toolbar\WebBrowser: (Swagbucks1 Toolbar) - {52A3500F-FC3E-4253-8D2F-FA6303D5F7E2} - C:\Program Files\Swagbucks1\prxtbSwag.dll (Conduit Ltd.)
O4 - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002..\Run: [LightShot] C:\Users\Family account\AppData\Local\Skillbrains\lightshot\LightShot.exe ()
O4 - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
[2014/04/16 06:19:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Hamachi
[2014/04/16 06:19:51 | 000,000,000 | ---D | C] -- C:\Program Files\LogMeIn Hamachi
[2014/04/28 11:10:00 | 000,000,394 | ---- | M] () -- C:\Windows\tasks\update-sys.job
[2012/10/08 11:44:49 | 000,000,394 | ---- | C] () -- C:\Windows\Tasks\update-S-1-5-21-1811611360-3008015903-2803298642-1002.job
@Alternate Data Stream - 168 bytes -> C:\Users\Family account\Desktop\Durable Unlimited power of atorney 4.jpeg.jpeg.jpeg.jpeg:3or4kl4x13tuuug3Byamue2s4b
@Alternate Data Stream - 168 bytes -> C:\Users\Family account\Desktop\Durable Unlimited power of atorney 3.jpeg.jpeg.jpeg:3or4kl4x13tuuug3Byamue2s4b
@Alternate Data Stream - 168 bytes -> C:\Users\Family account\Desktop\Durable Unlimited power of atorney 2.jpeg.jpeg:3or4kl4x13tuuug3Byamue2s4b
@Alternate Data Stream - 168 bytes -> C:\Users\Family account\Desktop\Durable Unlimited power of atorney 1.jpeg:3or4kl4x13tuuug3Byamue2s4b

:Files
C:\Users\Family account\AppData\Local\Google\Chrome\User Data\Default\Extensions\gngocbkfmikdgphklgmmehbjjlfgdemm
C:\Program Files\Swagbucks1
C:\Program Files\Coupons.com CouponBar
C:\windows\Installer\4472c.msi

:Commands
[resethosts]
[emptytemp]
[Reboot]
THEN

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
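The OTL fix above names the places the adware hooked into: IE start page and search scopes, URLSearchHooks, Browser Helper Objects, toolbars, Run keys, legacy .job tasks, a Chrome extension folder, the hosts file and alternate data streams on desktop files. The following read-only PowerShell triage script is an added example, not part of the thread and not an OTL feature: it enumerates those same locations on a Windows 7-era machine (PowerShell 3 or later assumed), resolves each CLSID to the DLL registered for it (the "No CLSID value found" case in the log is a dangling reference) and reports the Authenticode status of every file it finds, so that what is about to be deleted can be reviewed first. Registry locations are the standard IE and Explorer ones; the output format and the Add-Finding / Resolve-Clsid helper names are this example's own.

```powershell
# Added triage script (example, not from the forum post or OTL): list the
# persistence points the OTL fix targets, read-only. Run from an elevated
# PowerShell prompt as the affected user.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Source, $Id, $Target) {
    # Pull the executable/DLL path out of a command line or plain path and
    # check its signature; URLs and non-file targets get no signature column.
    $sig = $null
    if ($Target -match '^"?([A-Za-z]:\\[^"]+?\.(exe|dll))"?') {
        $file = $Matches[1]
        if (Test-Path -LiteralPath $file) { $sig = (Get-AuthenticodeSignature -LiteralPath $file).Status }
        else { $sig = 'MISSING FILE' }
    }
    $findings.Add([pscustomobject]@{ Source = $Source; Id = $Id; Target = $Target; Signature = $sig })
}

# Map a CLSID to its in-process server DLL, which is what OTL prints after the
# GUID; a GUID with no CLSID key is reported the way OTL reports it.
function Resolve-Clsid($Clsid) {
    foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
        $srv = Get-ItemProperty -LiteralPath "$root\CLSID\$Clsid\InprocServer32"
        if ($srv) { return [Environment]::ExpandEnvironmentVariables($srv.'(default)') }
    }
    return 'No CLSID value found'
}

$hives = @{ HKLM = 'HKLM:\SOFTWARE'; HKCU = 'HKCU:\SOFTWARE' }
foreach ($h in $hives.GetEnumerator()) {
    $ie = "$($h.Value)\Microsoft\Internet Explorer"
    # Start page and search providers (the coupons.com / conduit entries)
    $main = Get-ItemProperty -LiteralPath "$ie\Main"
    if ($main.'Start Page') { Add-Finding "$($h.Key) Start Page" '' $main.'Start Page' }
    $scopes = Get-ItemProperty -LiteralPath "$ie\SearchScopes"
    Get-ChildItem -LiteralPath "$ie\SearchScopes" | ForEach-Object {
        $tag = if ($_.PSChildName -eq $scopes.DefaultScope) { ' (DefaultScope)' } else { '' }
        Add-Finding "$($h.Key) SearchScope$tag" $_.PSChildName (Get-ItemProperty -LiteralPath $_.PSPath).URL
    }
    # URLSearchHooks and toolbars keep the CLSID as the value name
    foreach ($key in 'URLSearchHooks', 'Toolbar', 'Toolbar\WebBrowser') {
        $p = Get-ItemProperty -LiteralPath "$ie\$key"
        if ($p) { $p.PSObject.Properties | Where-Object Name -like '{*}' |
            ForEach-Object { Add-Finding "$($h.Key) $key" $_.Name (Resolve-Clsid $_.Name) } }
    }
    # Browser Helper Objects keep the CLSID as a subkey name
    Get-ChildItem -LiteralPath "$($h.Value)\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" |
        ForEach-Object { Add-Finding "$($h.Key) BHO" $_.PSChildName (Resolve-Clsid $_.PSChildName) }
    # Run keys (the LightShot / Pando Media Booster O4 lines)
    $run = Get-ItemProperty -LiteralPath "$($h.Value)\Microsoft\Windows\CurrentVersion\Run"
    if ($run) { $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Add-Finding "$($h.Key) Run" $_.Name $_.Value } }
}

# Legacy Task Scheduler 1.0 jobs (the update-*.job entries) are plain files
Get-ChildItem -LiteralPath "$env:windir\Tasks" -Filter *.job |
    ForEach-Object { Add-Finding 'Tasks' $_.Name $_.FullName }

# Chrome extensions by id, with the name taken from each manifest.json
Get-ChildItem -LiteralPath "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions" -Directory |
    ForEach-Object {
        $m = Get-ChildItem -LiteralPath $_.FullName -Filter manifest.json -Recurse | Select-Object -First 1
        $name = if ($m) { (Get-Content -LiteralPath $m.FullName -Raw | ConvertFrom-Json).name }
        Add-Finding 'Chrome ext' $_.Name $name
    }

# [resethosts]: show non-default hosts entries before they are wiped
Get-Content -LiteralPath "$env:windir\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '^\s*\d' -and $_ -notmatch '^\s*127\.0\.0\.1\s+localhost' } |
    ForEach-Object { Add-Finding 'hosts' '' $_ }

# Alternate data streams on desktop files; Zone.Identifier is the normal
# mark-of-the-web and is skipped, anything else (the 168-byte streams above) is listed
Get-ChildItem -LiteralPath "$env:USERPROFILE\Desktop" -File -Recurse |
    Get-Item -Stream * |
    Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
    ForEach-Object { Add-Finding 'ADS' "$($_.FileName):$($_.Stream)" "$($_.Length) bytes" }

$findings | Sort-Object Source | Format-Table -AutoSize -Wrap
```

Entries whose Signature column reads NotSigned or MISSING FILE, and CLSIDs that resolve to "No CLSID value found", are the ones to compare against the :OTL section before approving the fix; a Valid signature from a known vendor is not proof of good behaviour (the Conduit-signed toolbar DLL above is a case in point), only a hint about who shipped the file.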
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Queenli6 on April 28, 2014, 09:44:56 PM
The computer is still scanning with Malwarebytes in Safe Mode.  I will run OTL again with your custom scan fixes when it is done.
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: essexboy on April 28, 2014, 09:54:42 PM
Okey dokey :)
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Queenli6 on April 28, 2014, 11:02:26 PM
Downloaded AdwCleaner, will post log shortly. 
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: essexboy on April 28, 2014, 11:29:51 PM
Once AdwCleaner has run, could you let me know of any problems?
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Queenli6 on April 29, 2014, 12:02:03 AM
AdwCleaner found problems listed in Folder, Files, Registry, IE, Firefox and Chrome. Do I need to delete all of the checked items? I have not done the report. Will it delete all of the checked items it has listed if I do the report?
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Pondus on April 29, 2014, 12:05:21 AM
As essexboy instructed..... after scan click clean ..... and attach log

Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Queenli6 on April 29, 2014, 12:07:45 AM
Sorry I forgot to click clean. :D  Almost done.
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Queenli6 on April 29, 2014, 12:47:51 AM
Here are the two logs. Thank you again for your help.
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: essexboy on April 29, 2014, 04:31:13 PM
How is the computer behaving now ?
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Queenli6 on April 29, 2014, 06:41:47 PM
The computer appears to be booting up and logging on  faster. It had slowed when bringing up different websites and just running slower. 
Would you please recommend software that we should run on the computer daily, besides Avast, to keep it clean? Right now DH only runs CCleaner. I know that is not doing the job. Other than the Avast warnings, I/we did not know the computer had been infected. Thank you for all your help. So the last two files I uploaded looked pretty clean? I am glad. Thank you for your help. It was fantastic.
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: essexboy on April 29, 2014, 06:53:09 PM
What I will do now is remove my tools. Once done, you can set IE to empty browsing data on exit. I will post that at the end.

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix)

(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)


: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/) and this article (http://www.nbcnews.com/technology/technolog/us-warns-java-software-security-concerns-escalate-1B7938755).
I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/): install this programme to lock down and prevent crypto ransomware

(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)

Malwarebytes (http://www.malwarebytes.org/mbam-download.php).

Update and run weekly to keep your system clean


It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide: Best security practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/)
Keep safe  :wave:


Set IE to clear data :

Go to Control Panel > Internet Options > Select Advanced Tab
Scroll down to Security and tick Empty Temporary Internet files when closing
OK out

Then every time IE is closed all the temporary internet stuff will be gone
Title: Re: Win32:SmartBar-A Infected windows/installer file
Post by: Queenli6 on April 30, 2014, 01:01:02 AM
I will download Delfix. We do not use Internet Explorer. We predominantly use Google Chrome and Firefox. It was Firefox that was giving us the problem.