Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on August 09, 2014, 05:13:47 PM

Title: avast blocked by group policy
Post by: REDACTED on August 09, 2014, 05:13:47 PM
I'm getting avast blocked by group policy on my home pc. I've done some basic poking around but don't really understand how to go about getting rid of whatever is causing this. It's also blocked system restore, which I got back by running registry editor and unlocking it; however it has removed all my prior restore points. I'm at a loss as to what to do next, any advice?
Title: Re: avast blocked by group policy
Post by: Eddy on August 09, 2014, 05:14:40 PM
Follow the instructions and ATTACH the logs to your next post:
https://forum.avast.com/index.php?topic=53253.0
Title: Re: avast blocked by group policy
Post by: Asyn on August 09, 2014, 05:15:02 PM
Attach your basic logs. (MBAM, FRST and aswMBR..!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0
Title: Re: avast blocked by group policy
Post by: essexboy on August 09, 2014, 05:24:30 PM
Just run FRST initially and I will use that to get Avast back up and running

Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 
Title: Re: avast blocked by group policy
Post by: REDACTED on August 09, 2014, 05:27:35 PM
It's scanning now, will post logs as soon as scans are complete. So far there are loads of detected items in Malwarebytes. I guess this is what I get for letting my mother-in-law use this laptop, I swear she breaks everything she touches.

should I stop this scan and just run FRST?
Title: Re: avast blocked by group policy
Post by: Asyn on August 09, 2014, 05:32:28 PM
1. ...I guess this is what I get for letting my mother-in-law use this laptop, I swear she breaks everything she touches
2. should I stop this scan and just run FRST?
1.  :-X ;D
2. Essexboy will tell you...
Title: Re: avast blocked by group policy
Post by: essexboy on August 09, 2014, 05:40:18 PM
Complete with MBAM seeing as you have started; once done, run FRST and attach all logs :)
Title: Re: avast blocked by group policy
Post by: REDACTED on August 09, 2014, 05:58:08 PM
Logs are attached. I haven't taken any actions to clean or remove anything yet.

Title: Re: avast blocked by group policy
Post by: essexboy on August 09, 2014, 06:13:24 PM
OK, Adware city... I see you are running THREE antiviruses: Comodo, Avast and TrendMicro. Two of these will need to go. More is not better.

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software\Avast <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Trend Micro <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Trend Micro\Titanium <====== ATTENTION
ShortcutTarget: FancyStart daemon.lnk -> C:\Windows\Installer\{C944B4C5-1C4D-4D95-8AC0-7CEF13914131}\_77B5857C27147149171BE7.exe ()
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={17153397-CA55-11E2-B11C-10BF48033E4C}
SearchScopes: HKLM-x32 - DefaultScope {E7D9ED11-9085-4FE4-BF0A-5D6F482BC1AB} URL =
SearchScopes: HKLM-x32 - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={17153397-CA55-11E2-B11C-10BF48033E4C}
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?ctid=CT3320569&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SPB22C78CE-0BEB-4CF5-B34C-6A0F288AA84A&q={searchTerms}&SSPV=
SearchScopes: HKCU - {8EEAC88A-079B-4b2c-80C1-7836F79EB40A} URL = http://us.search.yahoo.com/search?p={searchTerms}&fr=chr-comodo
SearchScopes: HKCU - {E7D9ED11-9085-4FE4-BF0A-5D6F482BC1AB} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3304783&CUI=UN42909943661554224&UM=2
SearchScopes: HKCU - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://mysearch.sweetpacks.com?src=6&q={searchTerms}&barid={17153397-CA55-11E2-B11C-10BF48033E4C}&crg=3.5000006.10042&st=23
BHO-x32: Shopping Assistant Plugin -> {1631550F-191D-4826-B069-D9439253D926} -> C:\Program Files (x86)\PriceGong\2.6.4\PriceGongIE.dll (PriceGong)
BHO-x32: No Name -> {2CEBF6C7-2B40-469B-B5D5-CD3F3676C3C4} ->  No File
BHO-x32: Funmoods Helper Object -> {75EBB0AA-4214-4CB4-90EC-E3E07ECD04F7} -> C:\PROGRA~2\Funmoods\1.5.23.22\bh\escort.dll No File
BHO-x32: Define -> {B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} -> C:\Users\Derek\AppData\Local\DefineExt\temp.dat No File
BHO-x32: SweetPacks Browser Helper -> {EEE6C35C-6118-11DC-9C72-001320C79847} -> C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKLM-x32 - Funmoods Toolbar - {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - C:\PROGRA~2\Funmoods\1.5.23.22\escorTlbr.dll No File
Toolbar: HKLM-x32 - SweetPacks Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files (x86)\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF user.js: detected! => C:\Users\Derek\AppData\Roaming\Mozilla\Firefox\Profiles\dtz74td9.default\user.js
FF SearchPlugin: C:\Users\Derek\AppData\Roaming\Mozilla\Firefox\Profiles\dtz74td9.default\searchplugins\conduit-search.xml
FF Extension: Ant Video Downloader - C:\Users\Derek\AppData\Roaming\Mozilla\Firefox\Profiles\dtz74td9.default\Extensions\anttoolbar@ant.com [2014-07-30]
FF Extension: Define Ext - C:\Program Files (x86)\Mozilla Firefox\extensions\zgvstddqqjlabihif@opvrjrelhkc.org [2013-09-07]
FF HKLM\...\Firefox\Extensions: [{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}] - C:\Program Files\Updater By SweetPacks\Firefox
FF HKLM\...\Firefox\Extensions: [{8E9E3331-D360-4f87-8803-52DE43566502}] - C:\Program Files\Updater By SweetPacks\Firefox
FF Extension: Freemake Video Downloader Plugin - C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Firefox [2012-09-24]
FF HKLM-x32\...\Firefox\Extensions: [{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}] - C:\Program Files\Updater By SweetPacks\Firefox
FF HKLM-x32\...\Firefox\Extensions: [{8E9E3331-D360-4f87-8803-52DE43566502}] - C:\Program Files\Updater By SweetPacks\Firefox
FF HKCU\...\Firefox\Extensions: [{8A9386B4-E958-4c4c-ADF4-8F26DB3E4829}] - C:\Program Files (x86)\PriceGong\2.6.4\FF
FF Extension: PriceGong - C:\Program Files (x86)\PriceGong\2.6.4\FF [2012-08-06]
CHR RestoreOnStartup: "hxxp://search.conduit.com/?ctid=CT3277370&SearchSource=48&CUI=UN21448024982487821&UM=2", "hxxp://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN41105631852184923&UM=2", "hxxp://search.conduit.com/?ctid=CT3316243&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP6A1CA703-7500-40DE-9BF2-E50464DF6D45"
CHR Extension: (Extutil) - C:\Users\Derek\AppData\Local\Temp\D7ADFCCA-EE7E-442C-9999-C4D14FEF360B [2014-02-22]
CHR Extension: (Managera) - C:\Users\Derek\AppData\Local\Temp\38fdaae5-8e0e-493c-88ec-e05c3be06e42 [2014-02-22]
CHR HKLM\...\Chrome\Extension: [bbjciahceamgodcoidkjpchnokgfpphh] - C:\Users\Derek\AppData\Local\funmoods.crx [2012-07-29]
CHR HKCU\...\Chrome\Extension: [adopjdgphfekoiecgklciallnajkpdgn] - C:\Users\Derek\AppData\Local\CRE\adopjdgphfekoiecgklciallnajkpdgn.crx [2013-08-21]
CHR HKCU\...\Chrome\Extension: [bbjciahceamgodcoidkjpchnokgfpphh] - C:\Users\Derek\AppData\Local\funmoods.crx [2012-07-29]
CHR HKLM-x32\...\Chrome\Extension: [adopjdgphfekoiecgklciallnajkpdgn] - C:\Users\Derek\AppData\Local\CRE\adopjdgphfekoiecgklciallnajkpdgn.crx [2013-08-21]
CHR HKLM-x32\...\Chrome\Extension: [bbjciahceamgodcoidkjpchnokgfpphh] - C:\Users\Derek\AppData\Local\funmoods.crx [2012-07-29]
CHR HKLM-x32\...\Chrome\Extension: [bkomkajifikmkfnjgphkjcfeepbnojok] - C:\Program Files (x86)\PriceGong\2.6.4\pricegong.crx [2012-03-18]
CHR HKLM-x32\...\Chrome\Extension: [bpegkgagfojjbcpkihigfmkojdmmimdf] - C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Chrome\Freemake.Plugin.Chrome.crx [2012-09-24]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2014-08-09 10:14 - 2014-08-09 10:14 - 00000000 ____D () C:\ProgramData\UpdateServer
2014-07-21 08:25 - 2014-07-21 08:25 - 00000000 ____D () C:\Users\Derek\AppData\Roaming\{c4a11e02-0bdb-33db-f62d-15320f1ca0b7}
2014-07-21 08:24 - 2014-07-21 08:24 - 00000000 ____D () C:\Users\Derek\AppData\Local\{c4a11e02-0bdb-33db-f62d-15320f1ca0b7}
HKU\S-1-5-21-3640260577-4127167766-859960011-1001\Software\Classes\.exe:  =>  <===== ATTENTION!
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

 
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
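The entries marked ATTENTION in the fixlist above are Software Restriction Policy path rules and browser policy keys that an adware bundle wrote to block the installed security products; FRST removes them when the fix runs. The following read-only PowerShell audit is an added example, not part of the thread or of FRST, that lists the same registry locations so you can check a machine before and after such a fix. The registry paths are the standard Windows policy keys; the list of vendor names to flag is constructed for this example.

```powershell
# Added example (not from the forum thread): audit the policy keys FRST reports
# as "Group Policy restriction on software" and "Policy restriction".
# Read-only: it reports and changes nothing. Run from an elevated prompt.

# Software Restriction Policies live under CodeIdentifiers\<level>\Paths.
# Level 0 is "Disallowed"; level 262144 (0x40000) is "Unrestricted".
$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-DisallowedPathRules {
    $paths = Join-Path $saferRoot '0\Paths'
    if (-not (Test-Path $paths)) { return @() }
    Get-ChildItem $paths | ForEach-Object {
        $rule = Get-ItemProperty $_.PSPath
        [PSCustomObject]@{
            RuleId = $_.PSChildName   # GUID-named subkey
            Path   = $rule.ItemData   # folder or file the rule applies to
            Flags  = $rule.SaferFlags
        }
    }
}

# Constructed list: a Disallowed rule on one of these folders is a red flag.
$securityVendors = @('Avast', 'Trend Micro', 'McAfee', 'Malwarebytes', 'Comodo')

$rules = @(Get-DisallowedPathRules)
if ($rules.Count -eq 0) {
    Write-Output 'No Disallowed SRP path rules found.'
} else {
    foreach ($r in $rules) {
        $hit = $securityVendors | Where-Object { $r.Path -like "*$_*" }
        $tag = if ($hit) { '<== blocks security software' } else { '' }
        Write-Output ('SRP Disallowed: {0} {1}' -f $r.Path, $tag)
    }
}

# System Restore policy: DisableSR or DisableConfig = 1 switches it off by policy,
# which matches the "blocked system restore" symptom in the first post.
$srPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
if (Test-Path $srPolicy) {
    $sr = Get-ItemProperty $srPolicy
    foreach ($name in 'DisableSR', 'DisableConfig') {
        if ($sr.$name -eq 1) { Write-Output "System Restore disabled by policy: $name=1" }
    }
}

# Chrome policy keys: a stand-alone home PC normally has none at all, so any
# values here deserve a look (forced extensions, locked start pages, ...).
foreach ($hive in 'HKLM:', 'HKCU:') {
    $chrome = "$hive\SOFTWARE\Policies\Google\Chrome"
    if (Test-Path $chrome) {
        Write-Output "Chrome policy key present: $chrome"
        Get-ItemProperty $chrome |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List | Out-String | Write-Output
    }
}
```

Run it once before applying a fix to see what the adware left behind, and again afterwards: a clean machine prints no Disallowed rules, no System Restore policy values and no Chrome policy keys. Removal itself is left to the fix tool (FRST here), so that the audit can be run safely on any machine.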
Title: Re: avast blocked by group policy
Post by: REDACTED on August 09, 2014, 06:27:33 PM
fixlog
Title: Re: avast blocked by group policy
Post by: REDACTED on August 09, 2014, 06:40:24 PM
adware cleaner
Title: Re: avast blocked by group policy
Post by: REDACTED on August 09, 2014, 06:41:55 PM
am I good to try and run avast again?
Title: Re: avast blocked by group policy
Post by: essexboy on August 09, 2014, 06:43:37 PM
Yep Avast should now function

Also which two antiviruses are you going to remove ?

Now re-run MBAM and allow it to quarantine all it finds
Title: Re: avast blocked by group policy
Post by: REDACTED on August 09, 2014, 06:48:15 PM
I'm removing Comodo now, I tried running that when Avast wouldn't work. What others are on the computer? I wasn't aware that there was another one other than Comodo and Avast.
Title: Re: avast blocked by group policy
Post by: essexboy on August 09, 2014, 06:51:10 PM
You also have TrendMicro, it probably came with the computer

There is a trend micro removal tool here http://esupport.trendmicro.com/solution/en-us/1037161.aspx?referral=1059018
Click this link to open it up: Having problems removing Trend Micro?
Title: Re: avast blocked by group policy
Post by: REDACTED on August 09, 2014, 06:58:21 PM
Got them both removed and re-running scans now before I run Avast again. Since I know the in-law is going to use this computer again and I don't want to have to bother you guys again, can you recommend some sort of install blocker that will keep this from happening again?
Title: Re: avast blocked by group policy
Post by: Eddy on August 09, 2014, 06:59:16 PM
Easy, create a limited user account for her and set restrictions.
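A standard (non-administrator) account is the install blocker Eddy describes: software that needs admin rights to install then triggers a UAC prompt for an administrator's password instead of silently succeeding. The following script is an added example, not part of the thread, showing how to create such an account and verify it is not an administrator; the account name is a placeholder, and the `LocalAccounts` cmdlets assume Windows 10 or later (the `net user` equivalents for older systems are noted in the comments).

```powershell
# Added example (not from the forum thread): create a standard local account
# for another user of the PC and confirm it has no administrator rights.
# Requires an elevated PowerShell prompt.
$userName = 'Guest-Relative'   # placeholder, choose your own name

# Read the password interactively so it never ends up in a script or history.
$password = Read-Host -AsSecureString -Prompt "Password for $userName"

# New-LocalUser / Add-LocalGroupMember come with the LocalAccounts module
# (Windows 10 and later). On Windows 7/8 the equivalent commands are:
#   net user <name> * /add
#   net localgroup Users <name> /add
New-LocalUser -Name $userName -Password $password -PasswordNeverExpires `
    -Description 'Standard user: no software install rights' | Out-Null
Add-LocalGroupMember -Group 'Users' -Member $userName

# Verify: the account must not appear in the local Administrators group.
# Member names come back as COMPUTER\user, hence the trailing-match pattern.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name
if ($admins | Where-Object { $_ -like "*\$userName" }) {
    Write-Warning "$userName is an administrator; remove it from that group."
} else {
    Write-Output "$userName is a standard user (not in Administrators)."
}
```

Keep your own account as the only administrator and log in with it only when something genuinely needs installing; everyday browsing from the standard account means a toolbar bundle like the one in this thread cannot write the HKLM policy keys that blocked Avast.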
Title: Re: avast blocked by group policy
Post by: REDACTED on August 09, 2014, 07:02:16 PM
Didn't think about that. Thanks again for all your help, you guys are seriously awesome.
Title: Re: avast blocked by group policy
Post by: essexboy on August 09, 2014, 07:05:28 PM
How is the computer behaving now ?
Title: Re: avast blocked by group policy
Post by: REDACTED on August 09, 2014, 07:10:04 PM
Everything seems to be back to normal. It's a lot faster and not lagging like it was; internet speed is also faster according to speedtest.net.
Title: Re: avast blocked by group policy
Post by: Asyn on August 09, 2014, 07:34:16 PM
Everything seems to be back to normal. It's a lot faster and not lagging like it was; internet speed is also faster according to speedtest.net.
Sounds good. Wait for Essexboy, he'll remove the used tools and offer some advice.
Title: Re: avast blocked by group policy
Post by: essexboy on August 09, 2014, 07:35:26 PM
Follow Eddy's advice about a limited user account :)

In that case methinks I will send you on your merry way :)

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix)

(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)


: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/)

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/): install this programme to lock down and prevent crypto ransomware

(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)

Malwarebytes (http://www.malwarebytes.org/mbam-download.php).

Update and run weekly to keep your system clean


It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide: Best security practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/)

Keep safe  :wave: