Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: REDACTED on December 08, 2015, 01:09:29 PM
-
I have downloaded Avast Free 2016 but when I start the install it says that PC Cleaner Pro should be uninstalled first.
I have had the Laptop since new, PC Cleaner Pro has never been installed, there is no trace of the program and Malwarebytes can't find it. How do I fix this problem, has anyone else seen this who can tell me what to look for??
Any help would be appreciated.
Windows XP SP4 in case it helps.
Steve
-
Please run Farbar and attach the logs (FRST.txt and Addition.txt) to your next post.
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
-
Files attached (I hope).
Thanks for your help.
Steve
-
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: PC Cleaner Pro (Disabled - Up to date) {737A8864-C2D9-4337-B49A-B5E35815B9BB}
Essexboy will assist you when online ... very soon
PC Cleaner Pro 2014 is a paid system optimizer program that is typically added when you install other free software (video recording/streaming, download managers or PDF creators) that bundles this program into its installation. Very often users have no idea where it came from, so it's not surprising at all that most of them assume that PC Cleaner Pro 2014 is a virus. This program is also bundled within the custom installer on many reputable download sites, so if you have downloaded software from these websites, chances are that PC Cleaner Pro 2014 was installed during the software setup process.
PC Cleaner Pro 2014 is technically not a virus, but it does exhibit plenty of malicious traits, such as rootkit capabilities to hook deep into the operating system, browser hijacking, and in general just interfering with the user experience. The industry generally refers to it as a "PUP," or potentially unwanted program.
-
OK first we will get rid of the rootkit and then remove the other stuff afterwards
Download the latest version of TDSSKiller from here (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application
(https://dl.dropbox.com/u/73555776/tdss%20start.JPG)
- Then click on Change parameters.
(https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG)
- Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
(https://dl.dropbox.com/u/73555776/tdss%20threat.JPG)
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
(https://dl.dropbox.com/u/73555776/tdss%20report.JPG)
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please attach its contents on your next reply.
THEN
Please run a fresh FRST scan
-
I have done the TDSS scan and have the report on screen but can't see how to attach it into the message (I must be missing something). I have attached the new FRST.txt.
Thanks for all your help.
Steve
-
I have done the TDSS scan and have the report on screen but can't see how to attach it into the message (I must be missing something).
you save it on your computer first, then attach ... if not too big you may copy and paste it here
-
I tried right click (to either copy or save) but right clicking doesn't do anything, am I missing something??
(Sorry if I am being thick)
-
log is open in notepad ? ... in top left corner, click file ... save as .. give it a name and save a place you find it, browse to it as you did with frst.txt and attach
for copy and paste, click edit at top left ... mark all (all txt should be blue) right click on the blue txt and select copy .. then paste here
-
It is not in notepad it is just the report with a green border around it. I can select the text but right click on that doesn't work.
-
look at the bottom picture posted by Essexboy .... there is a get report button in top right corner
-
I have done that and I have the report on screen but it is not in notepad. It has a green border around it and won't allow me to right click and there seems to be no way to save it.
-
OK wait for Essexboy
-
- Open the report
- Select all text (ctrl+a)
- Copy the text (ctrl+c)
- Open notepad
- Paste the text there
- Save the notepad file
- Attach the file to your post
-
Post the bottom section if nothing else
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
Task: C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job => C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: C:\WINDOWS\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\WINDOWS\TEMP\{3205543B-3D2C-4A24-9799-5DD34CD4C69D}.exe <==== ATTENTION
HKLM\...\Run: [ApnUpdater] => C:\Program Files\Ask.com\Updater\Updater.exe [1391272 2012-01-03] (Ask)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\Av\avgrsx.exe /sync /restart
Toolbar: HKU\S-1-5-21-1039126241-2073917382-3098378779-3621 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
Toolbar: HKU\S-1-5-21-1039126241-2073917382-3098378779-3621 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
CHR Plugin: (AVG Internet Security) - C:\Documents and Settings\s.jubb\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\12.0.0.2191_0\plugins/avgnpss.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.330.3) - C:\WINDOWS\system32\npdeployJava1.dll => No File
U5 d449d21c2eaaa3bf; C:\Windows\System32\Drivers\d449d21c2eaaa3bf.sys [56832 2014-03-31] () <===== ATTENTION Necurs Rootkit?
S3 AvgAMPS; C:\Program Files\AVG\Av\avgamps.exe [615584 2015-11-20] (AVG Technologies CZ, s.r.o.)
C:\Program Files\Ask.com
C:\Windows\System32\Drivers\d449d21c2eaaa3bf.sys
AV: PC Cleaner Pro (Disabled - Up to date) {737A8864-C2D9-4337-B49A-B5E35815B9BB}
CustomCLSID: HKU\S-1-5-21-1039126241-2073917382-3098378779-3621_Classes\CLSID\{D166BD15-03AF-413A-BEFD-0679FF410B49}\InprocServer32 -> no filepath
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated please post that
THEN
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean"
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
-
- Open the report
- Select all text (ctrl+a)
- Copy the text (ctrl+c)
- Open notepad
- Paste the text there
- Save the notepad file
- Attach the file to your post
ctrl+a doesn't work. Apologies, I am wrestling with a delinquent ADSL router which works occasionally, this may take some time. I will read and action the rest of your posts.
-
Here is the fixlog.
I am getting there slowly, have to reset the router every 5 minutes.
Steve
-
And here are the Adwcleaner files.
Can I proceed with the Avast installation now??.
The only problem it has thrown up is that IPC Audio shuts down but I can probably live with that.
Steve
-
No as the rootkit has not gone... I really do need to see at least the last 10 lines of the TDSSKiller log
(https://sites.google.com/site/cannedfixes/home/hosted-images-tools/MalwarebytesAntiRootkit.png) Scan with Malwarebytes' Anti-Rootkit
Please download Malwarebytes' Anti-Rootkit (http://downloads.malwarebytes.org/file/mbar/) and save the file to your desktop.
Note that the tool is still in its BETA stage, therefore not all functionalities may be added.
- Right-click on (https://sites.google.com/site/cannedfixes/home/hosted-images-tools/MalwarebytesAntiRootkit.png) icon and select (https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg) Run as Administrator to start the tool
- It will ask you for an extraction place - make sure you will unpack it to your desktop
- After the extraction, the tool should start itself (no action required)
- On the Introduction screen click Next
- On the Update screen click Update
- When prompted about the successful update, click Next
- On the Scan System screen, make sure that all three options are checked for scanning and press Scan.
Wait patiently and don't do anything on your machine while MBAR goes through your system!
- If no infection is found, just close the tool.
- If an infection is found, make sure that Create Restore Point is checked, then select Cleanup button to remove threats. The process will start and your machine will prompt you to reboot upon completion.
When finished (either with or without cleanup), please navigate to the MBAR directory.
Search there for these two files:
> mbar-log-date(time).txt
> system-log.txt
Please include the content of both files in your reply.
-
Okay, by hook or by crook I will get it to you somehow tomorrow, and I will run the Malwarebytes routine also.
I have Rkill on there from a previous problem, is that worth a try?.
Thanks
Steve
-
Finally here it is
I may be on and off today depending on how my router behaves.
Thanks
Steve
-
Just a query on Mbar, it has found malware but there is no option to create a restore point, will it do it automatically?
-
Just a query on Mbar, it has found malware but there is no option to create a restore point, will it do it automatically?
Sorry please ignore this, fixed it.
-
Mbar log files attached.
Thanks
Steve
-
Essexboy is usually online after 15:00 European time ;)
-
Okay. I am still having intermittent issues with my ADSL router but I will be on sometime this afternoon.
Steve
-
08:39:40.0156 0x0fd8 d449d21c2eaaa3bf ( Rootkit.Win32.Necurs.gen ) - skipped by user
08:39:40.0156 0x0fd8 d449d21c2eaaa3bf ( Rootkit.Win32.Necurs.gen ) - User select action: Skip
This is why I needed to see the report.. You did not remove the rootkit.
Run TDSSKiller again and select Delete for Necurs
Then run a fresh FRST scan please
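The two report lines quoted above are what showed that the Necurs driver was still in place. As an added example (not part of the original post and not a Kaspersky tool), this Python script reads a pasted TDSSKiller report and lists the detections whose recorded action was Skip. The line layout is assumed from those two quoted lines, and the last two sample lines are constructed.

```python
import re

# Layout assumed from the two report lines quoted in the thread:
#   <time> <thread id> <object> ( <verdict> ) - <status text>
LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>0x[0-9a-fA-F]+)\s+"
    r"(?P<obj>.+?)\s+\(\s*(?P<verdict>[^()]+?)\s*\)\s+-\s+(?P<status>.+)$"
)
ACTION = re.compile(r"^User select action:\s*(?P<action>\w+)", re.I)

# First two lines are from the thread; the last two are constructed.
SAMPLE = """\
08:39:40.0156 0x0fd8 d449d21c2eaaa3bf ( Rootkit.Win32.Necurs.gen ) - skipped by user
08:39:40.0156 0x0fd8 d449d21c2eaaa3bf ( Rootkit.Win32.Necurs.gen ) - User select action: Skip
08:41:02.0312 0x0fd8 exampledrv ( Constructed.Sample.Verdict ) - User select action: Delete
08:41:05.0000 0x0fd8 Scan finished
"""


def parse_detections(report_text):
    """Map (object, verdict) to the last action recorded for it."""
    found = {}
    for raw in report_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a detection line (banner, progress, summary)
        key = (m["obj"], m["verdict"])
        found.setdefault(key, None)
        chosen = ACTION.match(m["status"])
        if chosen:
            # An explicit "User select action" line always wins.
            found[key] = chosen["action"].capitalize()
        elif "skipped by user" in m["status"].lower() and found[key] is None:
            found[key] = "Skip"
    return found


def unresolved(report_text):
    """Detections that were skipped or have no recorded action."""
    detections = parse_detections(report_text)
    return sorted(k for k, act in detections.items() if act in (None, "Skip"))


if __name__ == "__main__":
    for obj, verdict in unresolved(SAMPLE):
        print(f"still present: {obj} ({verdict})")
```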
-
Ok, on the first instruction it said use Cure, if Cure is not available use skip but do not delete.
I will go again and use delete.
Thanks
Steve
-
TDSS Killer re run and FRST scan results attached.
Thanks
Steve
-
OK after this fix then install Avast :)
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
R1 tmtdi; C:\WINDOWS\System32\DRIVERS\tmtdi.sys [92112 2010-09-30] (Trend Micro Inc.)
2015-12-07 14:27 - 2015-11-02 11:40 - 00000000 ____D C:\Documents and Settings\s.jubb\Application Data\AVG
2015-12-07 14:27 - 2015-11-02 11:32 - 00000000 ____D C:\Documents and Settings\s.jubb\Local Settings\Application Data\Avg
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated please post that
-
Okay, all done and file attached.
I will run the install and let you know that all is okay.
Thanks
Steve
-
All done and fully installed and working.
Many thanks for your kind help it has saved me lots of headaches.
Avast 1 v 0 AVG
Thanks Again
Steve
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:
Remove tools
Download and run Delfix (http://www.bleepingcomputer.com/download/delfix/)
Select the options as shown
(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)
: Keep Java Updated :
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/)
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))
If you do need to keep Java then download JavaRa (https://singularlabs.com/software/javara/javara-download/)
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version
(https://dl.dropboxusercontent.com/u/73555776/javara.JPG)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/) install this programme to lock down and prevent crypto ransomware
(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php)
Update and run weekly to keep your system clean
Unchecky (http://unchecky.com)
Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme ;)
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To learn more about how to protect yourself while on the internet read this little guide Best security practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/)
Keep safe :wave:
-
All done.
Java disabled and Malwarebytes I already run. I am not sure why it didn't find the infection in the first place.
Many Thanks again
Steve
-
I have one small issue with this which may be something that can be changed in the settings but if you could advise please:-
When trying to open a hyperlink from within an e-mail (for example when trying to accept an invitation in Linkedin) I get the following error message:-
General failure. The URL was "https://www.linkedin.com/comm/people/invite-accept?mboxid=16
The requested lookup key was not found in any active activation context.
Any help is always appreciated.
Kind Regards
Steve
-
@Jazzman4551,
It's a question that needs to be asked about at LinkedIn:
https://help.linkedin.com/app/home (https://help.linkedin.com/app/home)
-
Just a guess, you are using IE as browser...
Perform a repair of IE and see if the problem is solved.
-
Google >> hyperlink dont work in mail
-
@Jazzman4551,
It's a question that needs to be asked about at LinkedIn:
https://help.linkedin.com/app/home (https://help.linkedin.com/app/home)
LinkedIn was just an example, it happens anytime there is a hyperlink in an e-mail. I am using Chrome as the browser.
-
@Jazzman4551,
It's a question that needs to be asked about at LinkedIn:
https://help.linkedin.com/app/home (https://help.linkedin.com/app/home)
LinkedIn was just an example, it happens anytime there is a hyperlink in an e-mail. I am using Chrome as the browser.
Has Chrome been selected as your default browser ?
If it is then any internet link (from any program) should open chrome or your default browser.
-
Chrome is the default browser.
It only happens with hyperlinks in e-mails. My workaround is to send messages to my personal e-mail address on another machine and open them from there. (AVG is the av on there).
I have never seen this problem before and it only occurred after I installed Avast.
-
I have never seen this problem before and it only occurred after I installed Avast.
https://www.google.no/search?sclient=tablet-gws&client=ms-opera-mini-android&site=webhp&source=hp&q=hyperlink+dont+work+in+mail&oq=hyperlink+dont+work+in+mail&gs_l=tablet-gws.12...4789.4789.0.5867.1.1.0.0.0.0.106.106.0j1.1.0....0...1c.2.64.tablet-gws..1.0.0.QC1KHcLK19g
-
I have never seen this problem before and it only occurred after I installed Avast.
https://www.google.no/search?sclient=tablet-gws&client=ms-opera-mini-android&site=webhp&source=hp&q=hyperlink+dont+work+in+mail&oq=hyperlink+dont+work+in+mail&gs_l=tablet-gws.12...4789.4789.0.5867.1.1.0.0.0.0.106.106.0j1.1.0....0...1c.2.64.tablet-gws..1.0.0.QC1KHcLK19g
Ah, nice link Pondus. 8)