Avast WEBforum
Other => Viruses and worms => Topic started by: REDACTED on May 10, 2016, 08:28:28 PM
-
Recently I keep getting Avast alerts about Url:Mal when browsing regular sites. I've noticed it's when I'm browsing Imgur and a GIF is loading.
That's normally when the alert happens.
Also, I'm not sure if it's related, but my webcam has also stopped working.
-
I've looked at some similar posts and they all say to run FRST64 and ZOEK.
Here is the ZOEK report; the FRST64 file is attached :)
Zoek.exe v5.0.0.1 Updated 31-December-2015
Tool run by Thi on 11/05/2016 at 0:58:53.96.
Microsoft Windows 10 Home Single Language 10.0.10586 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Thi\Downloads\zoek.exe [Scan all users] [Script inserted]
==== System Restore Info ======================
11/05/2016 00:59:59 Zoek.exe System Restore Point Created Successfully.
==== Empty Folders Check ======================
C:\PROGRA~2\Lenovo deleted successfully
C:\Program Files\McAfee deleted successfully
C:\PROGRA~3\Comms deleted successfully
C:\Users\Thi\AppData\Local\ActiveSync deleted successfully
C:\Users\Thi\AppData\Local\Lenovo deleted successfully
C:\Users\Thi\AppData\Local\NetworkTiles deleted successfully
C:\Users\Thi\AppData\Local\PACE Anti-Piracy deleted successfully
C:\Users\Thi\AppData\Local\Skype deleted successfully
C:\Users\Thi\AppData\Local\ZDUbywVu deleted successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\NetworkTiles deleted successfully
==== Deleting CLSID Registry Keys ======================
HKEY_USERS\S-1-5-21-2493981056-2368578621-3932591581-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{798F58DB-64D6-4E71-AC8A-B77AFD35CD54} deleted successfully
==== Deleting CLSID Registry Values ======================
==== Deleting Services ======================
==== Batch Command(s) Run By Tool======================
==== Deleting Files \ Folders ======================
C:\PROGRA~2\Lenovo not found
C:\Users\Thi\AppData\Local\Lenovo not found
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
==== Firefox Extensions Registry ======================
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [06/05/2016 01:43]
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"sp@avast.com"="C:\Program Files\AVAST Software\Avast\SafePrice\FF" [06/05/2016 01:43]
==== Chromium Look ======================
Google Chrome Version: 46.0.2490.86
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
eedgghdcpmmmilkmfpnklknlenbiolec - No path found[]
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx[06/05/2016 01:43]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[06/05/2016 01:43]
lifbcibllhkdhoafpjfnlhfpfgnpldfl - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx[29/04/2016 15:53]
Sad Panda - Thi\AppData\Local\Google\Chrome\User Data\Default\Extensions\bohapeiooecafommnlaiccilacgmkaoc
Avast Online Security - Thi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
==== Chromium Fix ======================
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_toolbar.yahoo.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_toolbar.yahoo.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.azlyrics.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.azlyrics.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_lqmwbyzusd-a.akamaihd.net_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_lqmwbyzusd-a.akamaihd.net_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_apartmentfinder.vn_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_apartmentfinder.vn_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_gameslikefinder.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_gameslikefinder.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_en.savefrom.net_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_en.savefrom.net_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_savelocations.wikia.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_savelocations.wikia.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.xpgamesaves.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.xpgamesaves.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.moddb.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.moddb.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.subiz.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.subiz.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.foodity.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.foodity.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.olark.com_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_ads1.msads.net_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_ads1.msads.net_0.localstorage-journal deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_d2m2wsoho8qq12.cloudfront.net_0.localstorage deleted successfully
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_d2m2wsoho8qq12.cloudfront.net_0.localstorage-journal deleted successfully
==== Set IE to Default ======================
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="https://vn.yahoo.com/?fr=yset_ie_syc_oracle&type=orcl_hpset"
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"
==== All HKLM and HKCU SearchScopes ======================
HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=ASU2JS
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=ASU2JS
HKCU\SearchScopes "DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
==== Deleting CLSID Registry Keys ======================
==== Deleting CLSID Registry Values ======================
HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\{4ED1F68A-5463-4931-9384-8FFF5ED91D92} deleted successfully
HKEY_LOCAL_MACHINE\software\Wow6432Node\mozilla\Firefox\extensions\{4ED1F68A-5463-4931-9384-8FFF5ED91D92} deleted successfully
==== Empty IE Cache ======================
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Thi\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Thi\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Thi\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Thi\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
==== Empty FireFox Cache ======================
No FireFox Profiles found
==== Empty Chrome Cache ======================
C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
==== Empty All Flash Cache ======================
No Flash Cache Found
==== Empty All Java Cache ======================
Java Cache cleared successfully
==== C:\zoek_backup content ======================
C:\zoek_backup (files=65 folders=43 43231682 bytes)
==== Empty Temp Folders ======================
C:\WINDOWS\Temp will be emptied at reboot
==== After Reboot ======================
==== Empty Temp Folders ======================
C:\WINDOWS\Temp successfully emptied
C:\Users\Thi\AppData\Local\Temp successfully emptied
==== Empty Recycle Bin ======================
C:\$RECYCLE.BIN successfully emptied
==== EOF on 11/05/2016 at 1:19:16.83 ======================
-
If you have a screenshot of the Avast popup warning, post that also.
An expert should be online soon ...
-
Could you let me know if this stops it?
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKLM-x32\...\Run: [mcui_exe] => "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
AppInit_DLLs: C:\PROGRA~2\NVIDIA~1\3DVISI~1\NVSTIN~1.DLL => No File
ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX32.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX32.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Thi\AppData\Local\MEGAsync\ShellExtX32.dll No File
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor => not found
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor => not found
C:\Users\Thi\AppData\Local\ZDUbywVu
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated please post that
THEN
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean"
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
-
# AdwCleaner v5.116 - Logfile created 11/05/2016 at 08:46:50
# Updated 09/05/2016 by Xplode
# Database : 2016-05-09.1 [Server]
# Operating system : Windows 10 Home Single Language (X64)
# Username : Thi - THI-PC
# Running from : C:\Users\Thi\Desktop\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum
***** [ Services ] *****
***** [ Folders ] *****
[-] Folder Deleted : C:\Users\Thi\AppData\Local\YSearchUtil
***** [ Files ] *****
***** [ DLLs ] *****
***** [ WMI ] *****
***** [ Shortcuts ] *****
***** [ Scheduled tasks ] *****
***** [ Registry ] *****
[-] Key Deleted : HKLM\SOFTWARE\hdcode
[-] Key Deleted : HKLM\SOFTWARE\SupDp
[-] Key Deleted : HKLM\SOFTWARE\V9
[-] Key Deleted : HKLM\SOFTWARE\winzipersvc
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\delta-homes.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.delta-homes.com
***** [ Web browsers ] *****
[-] [C:\Users\Thi\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Default_Search_Provider] Deleted : hxxp://search.delta-homes.com/webfavicon.ico
*************************
:: "Tracing" keys deleted
:: Winsock settings cleared
*************************
C:\AdwCleaner\AdwCleaner[C1].txt - [1307 bytes] - [11/05/2016 08:46:50]
C:\AdwCleaner\AdwCleaner[S1].txt - [1322 bytes] - [11/05/2016 08:43:10]
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1453 bytes] ##########
-
Thanks essexboy! Though I've just tried Chrome again and the alert still pops up :(
Here's a screenshot:
-
Do you have the Facebook Video Downloader extension installed?
-
I don't know, I don't think so.
Should I uninstall this or make sure I have it installed?
Thank you!
-
If you have it, uninstall it and see if the popup goes away.
essexboy will be back online later today.
-
I looked in 'Programs and Features' and 'Extensions' and did a search, but no 'Facebook Video Downloader extension', so I don't think I have it.
-
Nope, the much vaunted security of Chrome has failed again. First run Chrome in Incognito mode: https://support.google.com/chrome/answer/95464?hl=en-GB
Does that stop the alerts ?
If not then :
Re-install Chrome
1. If you have bookmarks, let's save them by exporting them - Export Bookmarks (http://support.google.com/chrome/bin/answer.py?hl=en&answer=96816)
2. Go into the dashboard. Log in. https://www.google.com/settings/dashboard?hl=en
3. Scroll down to "Chrome Sync" and click the "Stop sync and delete data from Google" link
4. Click the "Stop sync and delete data from Google" button
5. Now we need to uninstall chrome.
Note: When asked about user data or settings you must remove this also so please check the box.
6. Restart the computer and reinstall chrome, You can download The latest version from here - Google Chrome (https://www.google.com/intl/en/chrome/browser/)
7. Import your bookmarks back into Chrome
8. Sign back in to your Chrome browser so that your bookmarks sync with your online account.
-
Ok, I've done the uninstall and restarted, though when I reinstalled Chrome the bookmarks were still up; there wasn't an option to remove user data or settings, just browser history.
Did I do it wrong? :S
.... and the alert still happens! -.-
Shall I just flag it as a false positive?
Was there anything malicious on my laptop?
Really appreciate the help guys, thank you for taking some time to help me
-
Do you still get the alerts when you run in incognito mode?
-
Yep unfortunately, still happens in incognito mode
-
When you uninstalled chrome did you do this
When asked about user data or settings you must remove this also so please check the box.
-
There wasn't a prompt or option; I used "Programs and Features" to uninstall and it only prompted to remove browser history.
I tried a manual deletion of anything Chrome-related using the search function, and that seems to have worked, because when I reinstalled all the bookmarks and previous data seemed to have gone.
But on visiting 'www.imgur.com' the 'url:mal' still happens.
-
Does this occur on any other site?
-
No, not so far, only the imgur site.
-
Do you have an imgur add-on of any description?
-
Nope, only the standard Google ones, Skype and the Avast Online Security.
-
Ok, I've just deleted the Skype add-on because I think it started around the same time I installed it.
So far no alerts have happened.
I'll keep you guys posted.
Did the Skype add-on have the malware?
Was there any malware to begin with?
Thanks again for your help.
-
Very possibly, as Chrome add-ons are very easy to subvert and in the logs show no difference from an unaffected one.
Run it for a while and if all is good let me know and I will tidy up.
-
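The point in the reply above, that a subverted Chrome add-on looks like any other one in the logs, is why the extension list deserves a second pass. The script below is an added example written for this page, not Zoek, FRST or Avast code. It parses the "Chromium Look" section of a Zoek log: extensions registered machine-wide under HKLM\SOFTWARE\Google\Chrome\Extensions (Chrome's registry-based external-install mechanism) are checked for a missing CRX path or a path outside Program Files, and every ID is compared against a small allow-list. The sample lines are constructed from the Zoek output posted earlier in the thread, and the allow-list (the two Avast IDs and the Skype one, with product names inferred from their file names) is an assumption; a real triage would verify each ID in chrome://extensions or the Web Store.

```python
"""Second look at the Chrome extension list in a Zoek log.

Added example for this thread; not Zoek, FRST or Avast code. The sample
lines are constructed from the 'Chromium Look' section posted above, and
KNOWN_IDS is an assumed allow-list, not an authoritative one.
"""
import re

EXT_ID = r"[a-p]{32}"  # Chrome extension IDs: 32 characters, a..p only
# "<id> - <path>[<date>]" or "<id> - No path found[]" under the HKLM key
REG_LINE = re.compile(rf"^({EXT_ID}) - (.*?)(?:\[([^\]]*)\])?$")
# "<display name> - <profile>\Extensions\<id>"
PROFILE_LINE = re.compile(rf"^(.+?) - (.*\\Extensions\\({EXT_ID}))$")
HKLM_EXT_KEY = r"\Google\Chrome\Extensions"  # external-install registry key
VENDOR_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Assumed allow-list: only the IDs the thread itself ties to a known product.
KNOWN_IDS = {
    "gomekmidlodglbbmalcneegieacbdmki": "Avast Online Security",
    "eofcbnmajmjmplflapaojjnihcjkigck": "Avast SafePrice (aswWebRepChromeSp.crx)",
    "lifbcibllhkdhoafpjfnlhfpfgnpldfl": "Skype extension (skype_chrome_extension.crx)",
}

# Constructed sample, modelled on the Zoek output earlier in the thread.
SAMPLE_LOG_LINES = [
    r"==== Chromium Look ======================",
    r"Google Chrome Version: 46.0.2490.86",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions",
    r"eedgghdcpmmmilkmfpnklknlenbiolec - No path found[]",
    r"eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx[06/05/2016 01:43]",
    r"gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[06/05/2016 01:43]",
    r"lifbcibllhkdhoafpjfnlhfpfgnpldfl - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx[29/04/2016 15:53]",
    r"Sad Panda - Thi\AppData\Local\Google\Chrome\User Data\Default\Extensions\bohapeiooecafommnlaiccilacgmkaoc",
    r"Avast Online Security - Thi\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki",
    r"==== Chromium Fix ======================",
]


def parse_chromium_look(lines):
    """Return (id, name, source, path) tuples from the 'Chromium Look' section."""
    entries, in_section = [], False
    for raw in lines:
        line = raw.rstrip()
        if line.startswith("==== Chromium Look"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("===="):          # next section: stop
            break
        if line.upper().startswith("HKEY_") and line.endswith(HKLM_EXT_KEY):
            continue                          # key header, entries follow
        m = REG_LINE.match(line)
        if m:
            ext_id, path, _date = m.groups()
            entries.append((ext_id, None, "registry", path))
            continue
        m = PROFILE_LINE.match(line)
        if m:
            name, path, ext_id = m.groups()
            entries.append((ext_id, name, "profile", path))
    return entries


def triage(lines, known_ids=KNOWN_IDS):
    """Flag registry-installed extensions with odd paths and any ID not allow-listed."""
    findings = {}
    for ext_id, name, source, path in parse_chromium_look(lines):
        reasons = []
        if source == "registry":
            if path.lower().startswith("no path found"):
                reasons.append("registry-registered (external install) with no CRX path: "
                               "orphaned entry or update_url-only registration")
            elif not path.lower().startswith(VENDOR_DIRS):
                reasons.append("external install from outside Program Files: " + path)
        if ext_id not in known_ids:
            reasons.append(f"not in allow-list ({name or 'unnamed'}); verify in chrome://extensions")
        if reasons:
            f = findings.setdefault(ext_id, {"id": ext_id, "name": name, "reasons": []})
            f["name"] = f["name"] or name
            f["reasons"].extend(r for r in reasons if r not in f["reasons"])
    return sorted(findings.values(), key=lambda f: f["id"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        print(f"{f['id']}  {f['name'] or '-'}")
        for r in f["reasons"]:
            print("    -", r)
```

On the sample, the two Avast IDs and the Skype one come out clean, while the path-less HKLM entry and the user-installed "Sad Panda" are the two that need a human to look at them.
-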
Thanks again essexboy! I'll browse for a while and let you know tomorrow.
I did a bit of googling and it's all probably paranoia, but it might explain why my webcam doesn't work anymore?
http://www.v3.co.uk/v3-uk/news/2446268/skype-users-warned-of-t9000-malware-threat-that-records-video-and-text-chats
Would deleting the add-on be enough? I'm becoming a bit worried now since I do a lot of online banking on this laptop too :S
-
Yes, delete the add-on.
-
Ok, well, I thought everything was ok,
but nope! Alert again! -.-
It definitely only happens when I'm on imgur.
-
So it is only that site and nowhere else?
-
Yeh, just the imgur site.
-
That would tend to suggest the site is at fault. Is it a specific page on the site? Is it before or after you log in?
-
It's usually when a GIF is playing.
-
That would tend to suggest there is some form of infection there that Chrome is susceptible to.
-
Ok, should I be worried? It's now happening on regular browsing, and Avast is saying it's attacking/flagging?
-
Could I have a fresh FRST, please?
-
As info for essexboy:
IP: 113.171.224.171
Host: 127.0.0.1
Could be something in the hosts file.
-
According to the FRST log, the Hosts file is empty.
-
I disabled Avast for 10 minutes
Ran the scan as administrator
Here are the results attached
-
Did you install this extension, Sad Panda?
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated please post that
-
Yeh, that's one I installed. Is it that that's causing the problem?
-
Here's the fix log.
-
OK, we are going to have to search the registry.
Start FRST and in the search box copy/paste the following:
videoplayer;113.171.224.174
Press Search Registry and attach the resultant log.
-
Ok, done.
I didn't turn off Avast before the search, though; is that necessary?
-
essexboy, in his Addition.txt:
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
No clue what it is, but it doesn't seem normal to me.
OpenAL (HKLM-x32\...\OpenAL) (Version: - )
Can be from Creative, but there is also malware by that name.
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
No clue what it is, but it doesn't seem normal to me.
PhotoScape (HKLM-x32\...\PhotoScape) (Version: - )
https://www.herdprotect.com/photoscape-3.6.5.exe-cd45d0259252e935d8e51d86bec01333d0677d2c.aspx
Perhaps running a specialized rootkit scanner is an idea.
-
OK, let's try and see what happens.
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix
On completion a log will be generated please post that
Then go to control panel > programmes and features and uninstall the following :
bl
ph
-
Hi essexboy,
On a side note: what our friend Eddy kicks up in this thread is a localhost address for an HTTP server in Hanoi
with a certain linux-gnu nConnect issue. nServer mail issue, consuming 100% CPU?
Just passing this info on for what it is worth.
Thanks to Eddy for that unconventional assist info;
I would not have thought of looking there.
polonus
-
Ok, followed the steps,
ran the fix,
uninstalled the bl and ph thing, whatever it was.
If it helps, I'm currently living in Saigon (Vietnam); our computers at work have been affected by viruses lately (earlier this year), which have now been fixed (I think).
I use my USB a lot (which I normally wouldn't do, knowing this); Avast doesn't flag anything, and I've assumed it's been safe enough to continue.
I'll probably just start using cloud now.
Thanks for chipping in with help, guys.
-
I can recommend getting and using McShield.
It is especially for removable devices and a good addition to Avast.
http://www.mcshield.net/
-
Still getting alerts :(
-
Do any other computers that use your router experience this?
Could you disable Sad Panda?
-
Sad Panda removed, and also no, not to my knowledge.
I live in an apartment with about 11 other apartments in this building, with up to 4 people using the same router at any time.
I believe there are about 3 routers, 1 for each floor.
-
What are the DNS settings in the router?
-
No idea, is there any way to check?
-
Open the router's settings page and look them up.
-
I don't have access to the router; it's managed by the apartment building manager.
-
OK, set your computer to use OpenDNS: https://support.opendns.com/forums/21618384 Select the OS that you have and follow the instructions.
Then let me know if that stops it.
-
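The two network questions raised in this thread, the router's DNS settings (with OpenDNS as the suggested workaround) and Eddy's earlier hosts-file hint, can both be checked from what FRST already reports plus the hosts file itself. The script below is an added example written for this page, not FRST, Avast or OpenDNS code. It classifies every DhcpNameServer/NameServer value in FRST "Internet" lines as the LAN gateway, a trusted public resolver or an unknown one, and flags hosts-file entries that are anything other than loopback-to-localhost. The FRST lines and the hosts content are constructed samples modelled on the log excerpt later in the thread (192.168.0.1 as the DHCP resolver), the stray static resolver and the redirect use TEST-NET addresses as stand-ins, and the trusted-resolver list (OpenDNS 208.67.222.222 / 208.67.220.220, Google 8.8.8.8 / 8.8.4.4) is an assumption of what "set on purpose" means here.

```python
"""Resolver and hosts-file checks for the DNS angle discussed above.

Added example for this thread; not FRST, Avast or OpenDNS code. The FRST
lines and the hosts file below are constructed samples, and TRUSTED_RESOLVERS
is an assumed list of resolvers one might have configured deliberately.
"""
import ipaddress
import re

# Assumed "set on purpose" resolvers; extend to whatever your environment uses.
TRUSTED_RESOLVERS = {
    "208.67.222.222": "OpenDNS",
    "208.67.220.220": "OpenDNS",
    "8.8.8.8": "Google Public DNS",
    "8.8.4.4": "Google Public DNS",
}
# RFC 1918 and link-local ranges: a resolver here is the home/office router.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# Names a stock Windows hosts file may legitimately carry.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
NAMESERVER_LINE = re.compile(r"\[(DhcpNameServer|NameServer)\]\s+(.+)$")

# Constructed FRST-style lines: the two DHCP entries mirror the FRST log in the
# thread; the static NameServer entry uses a TEST-NET address as a stand-in.
SAMPLE_FRST = [
    r"Tcpip\Parameters: [DhcpNameServer] 192.168.0.1",
    r"Tcpip\..\Interfaces\{6EE958FB-6FFC-497A-862C-7C4198CD23A4}: [DhcpNameServer] 192.168.0.1",
    r"Tcpip\..\Interfaces\{00000000-0000-0000-0000-000000000001}: [NameServer] 203.0.113.53",
]

# Constructed hosts file: stock comment lines plus one redirect (TEST-NET
# address) that a default Windows hosts file never contains.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#       127.0.0.1       localhost
#       ::1             localhost
203.0.113.5     cdn.example.net    # constructed redirect
"""


def classify_resolver(ip_text):
    """Return (verdict, note) for one resolver address."""
    ip = ipaddress.ip_address(ip_text)
    if ip_text in TRUSTED_RESOLVERS:
        return "trusted", TRUSTED_RESOLVERS[ip_text]
    if any(ip in net for net in LAN_RANGES):
        return "router", "gateway is the resolver; its upstream DNS lives in the router, not the PC"
    return "unknown", "public resolver not in the trusted list; find out who set it"


def check_resolvers(frst_lines):
    """Classify every DhcpNameServer/NameServer value found in FRST 'Internet' lines."""
    results = []
    for line in frst_lines:
        m = NAMESERVER_LINE.search(line)
        if not m:
            continue
        kind, servers = m.groups()
        # DHCP lists are space separated, static NameServer values comma separated.
        for ip_text in re.split(r"[ ,]+", servers.strip()):
            verdict, note = classify_resolver(ip_text)
            results.append({"source": kind, "ip": ip_text, "verdict": verdict, "note": note})
    return results


def check_hosts(hosts_text):
    """Flag every hosts entry that is not 'loopback -> localhost-style name'."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()      # drop comments
        if not body:
            continue
        ip_text, *names = body.split()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append({"line": lineno, "entry": raw, "reason": "malformed address"})
            continue
        for name in names:
            if ip.is_loopback and name.lower() in LOCAL_NAMES:
                continue                          # stock entry
            if ip.is_loopback or ip.is_unspecified:
                reason = "sinkholes a name to the local machine (ad-blocker or tamper?)"
            else:
                reason = "maps a name to a remote address: classic redirect"
            findings.append({"line": lineno, "entry": raw, "name": name, "reason": reason})
    return findings


if __name__ == "__main__":
    for r in check_resolvers(SAMPLE_FRST):
        print(f"{r['source']:15} {r['ip']:16} {r['verdict']:8} {r['note']}")
    for f in check_hosts(SAMPLE_HOSTS):
        print(f"hosts line {f['line']}: {f['reason']}: {f['entry'].strip()}")
```

A "router" verdict is the normal result on a home LAN and is exactly why the router's own DNS settings matter: the PC trusts whatever upstream the gateway hands out. Switching the PC to a trusted public resolver, as suggested above, takes the router out of that path.
-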
Ok, followed the instructions,
will keep you posted on results,
though one thing I noticed which seemed a bit odd is the number of Ethernet connections I have :S
This isn't normal, is it?
-
If you do not use the Ethernet connections then you can delete all bar one.
-
Still happening guys :(
-
Could you fully uninstall Chrome and then see if the alerts cease?
-
Ok, uninstalled, using Microsoft Edge now, will keep you updated.
Also just had a multitude of alerts come from "Skype tool bars" even though I thought I uninstalled it.
Happened about 20 minutes after I tried using my credit card too. Coincidence?
-
No, it is something deeply embedded; at this stage I would seriously consider re-installing Windows.
-
Ok, I'll follow your advice and do a fresh install; so far no alerts from using Microsoft Edge.
Any idea what the malware was doing? I haven't had anything unusual happen on my computer yet, besides the alerts.
-
It looks as though it was trying to download something which would probably not be very nice. Avast was blocking it but was unable to locate the file that was triggering it.
-
Thanks for all the help essexboy. Are there any programs that you recommend installing after doing a fresh install of Windows?
-
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/) install this programme to lock down and prevent crypto ransomware
(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php)
Update and run weekly to keep your system clean
Unchecky (http://unchecky.com)
- Click on the link above to be taken to Unchecky.com
- Click the very large Download button.
- Click Save
- Click Open folder
- Right click on the Unchecky_setup and choose to Run as Administrator
- Once open click the Install button.
- Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire and forget programme ;)
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To learn more about how to protect yourself while on the internet read this little guide: Best security practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/). Keep safe :wave:
-
Alert is still happening.
Some things fyi
So I reinstalled Windows. It's a laptop and I have no Windows CD, so I used the factory default install, where it deletes everything off the laptop and uses the backup Windows already on the laptop, I guess.
Installed avast + chrome (option included)
Laptop did some system updates (Asus liveupdate)
restart
installed malwarebytes + ran a scan (no threats detected)
Laptop did some more system updates (Asus liveupdate)
restart
**This is when I saw cmd.exe pop up and tell me 1 file was copied, which I thought was odd, but I assume it's something to do with the Asus live update**
Laptop did some more system updates (Asus liveupdate)
restart
cryptoprevent
That's when the 4 alerts from Avast happened.
-
Oh, and I forgot to mention it happened on Microsoft Edge too, just before I re-installed Windows. So it's not just confined to Chrome.
-
Pretty sure it knows what I'm doing :S
-
So I tried re-installing again.
Downloaded a copy of windows 8.1 onto a usb.
Booted from the USB.
Deleted and formatted all the partitions on the drive.
Installed windows.
Installed Avast.
Installed Chrome.
BOOM
Alert happens.
This time it's url:mal2.
Guys I'm going crazy here.
Shall I just buy a new hard drive????
-
Do you have a videoplayer add-on in Chrome?
-
What add-ons did you install in Chrome, and do you have Chrome set to sync?
-
I'm not logged into Chrome and don't have any add-ons downloaded; it's a fresh install with nothing added.
It's not just confined to Chrome. On my first attempt at re-installing Windows, it was happening in Microsoft Edge and also for the Asus system updates; I hadn't even installed Chrome then :S
-
Could it be a rootkit in the motherboard BIOS? I've read that they are rare but do exist.
-
OK, could you reset your router?
Or, failing that, use OpenDNS:
https://www.opendns.com/setupguide/
-
Ok, I managed to figure out the admin password and
changed the primary and secondary DNS server.
Do I need to reinstall Windows?
And is there still something malicious on my laptop?
-
Are you still getting the alerts?
-
Yep :/
-
Could I have a fresh FRST log please, as a reinstall and reset of the router should have cured this. The only thing I can think of is a programme that you reinstalled after the format, or something in Chrome's sync.
-
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-06-2016 02
Ran by Thi Tran (administrator) on Thi-Laptop (05-06-2016 21:01:53)
Running from C:\Users\Thi Tran\Downloads
Loaded Profiles: Thi Tran (Available Profiles: Thi Tran)
Platform: Windows 8.1 Single Language (Update) (X64) Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7391632 2016-06-03] (AVAST Software)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-06-03] (AVAST Software)
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{6EE958FB-6FFC-497A-862C-7C4198CD23A4}: [DhcpNameServer] 192.168.0.1
Internet Explorer:
==================
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-06-03] (AVAST Software)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-06-03] (AVAST Software)
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-06-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-06-03] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-06-03]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
Chrome:
=======
CHR DefaultSearchURL: Default -> hxxps://forum.avast.com/index.php?topic=186338.75
CHR Profile: C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-06-03]
CHR Extension: (Google Docs) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-06-03]
CHR Extension: (Google Drive) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-06-03]
CHR Extension: (YouTube) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-06-03]
CHR Extension: (Google Sheets) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-06-03]
CHR Extension: (Google Docs Offline) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-06-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-03]
CHR Extension: (Gmail) - C:\Users\Thi Tran\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-06-03]
==================== Services (Whitelisted) ========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [243296 2016-06-03] (AVAST Software)
R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [370656 2016-06-03] (AVAST Software)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347880 2014-11-21] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2014-11-21] (Microsoft Corporation)
===================== Drivers (Whitelisted) ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-06-03] (AVAST Software)
S1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-06-03] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [107792 2016-06-03] (AVAST Software)
R1 aswNetSec; C:\Windows\system32\drivers\aswNetSec.sys [536312 2016-06-03] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-06-03] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-06-03] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-06-03] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [465792 2016-06-03] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [166432 2016-06-03] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [287528 2016-06-03] (AVAST Software)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S1 nvkflt; C:\Windows\system32\DRIVERS\nvkflt.sys [314816 2016-04-21] (NVIDIA Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [35856 2014-11-21] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [257880 2014-11-21] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123224 2014-11-21] (Microsoft Corporation)
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-06-05 21:01 - 2016-06-05 21:02 - 00006663 _____ C:\Users\Thi Tran\Downloads\FRST.txt
2016-06-05 21:01 - 2016-06-05 21:01 - 02384896 _____ (Farbar) C:\Users\Thi Tran\Downloads\FRST64.exe
2016-06-05 21:01 - 2016-06-05 21:01 - 00000000 ____D C:\FRST
2016-06-05 19:18 - 2016-06-05 19:18 - 00000000 _____ C:\Windows\SysWOW64\last.dump
2016-06-03 22:18 - 2016-06-03 21:28 - 00000000 ____D C:\Windows\Panther
2016-06-03 22:06 - 2016-06-03 22:06 - 00000000 ____D C:\Program Files (x86)\Intel
2016-06-03 22:06 - 2016-06-03 22:06 - 00000000 ____D C:\Intel
2016-06-03 22:06 - 2013-10-01 13:02 - 00064000 _____ (Khronos Group) C:\Windows\system32\OpenCL.DLL
2016-06-03 22:06 - 2013-10-01 13:02 - 00060416 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.DLL
2016-06-03 22:05 - 2016-06-03 22:05 - 00000000 ____D C:\Windows\LastGood
2016-06-03 22:05 - 2016-06-03 22:05 - 00000000 ____D C:\Program Files\Intel
2016-06-03 22:01 - 2016-06-03 22:01 - 00000000 ____D C:\ProgramData\NVIDIA Corporation
2016-06-03 22:01 - 2016-06-03 22:01 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2016-06-03 22:01 - 2016-06-03 22:01 - 00000000 ____D C:\Program Files (x86)\NVIDIA Corporation
2016-06-03 21:30 - 2016-06-05 19:19 - 00003946 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{F1350FB6-7D0C-4511-8A35-BD7B473DB763}
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieUserList
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieSiteList
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieBrowserModeList
2016-06-03 21:30 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieSiteList
2016-06-03 21:29 - 2016-06-03 21:29 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2016-06-03 21:28 - 2016-06-03 21:29 - 00000000 ____D C:\Users\Thi Tran\AppData\Local\Packages
2016-06-03 21:28 - 2016-06-03 21:28 - 00001442 _____ C:\Users\Thi Tran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-06-03 21:28 - 2016-06-03 21:28 - 00000020 ___SH C:\Users\Thi Tran\ntuser.ini
2016-06-03 21:28 - 2016-06-03 21:28 - 00000000 ____D C:\Users\Thi Tran\AppData\Roaming\Adobe
2016-06-03 21:28 - 2016-06-03 21:28 - 00000000 ____D C:\Users\Thi Tran\AppData\Local\VirtualStore
2016-06-03 21:28 - 2016-06-03 21:28 - 00000000 ____D C:\Users\Thi Tran
2016-06-03 21:28 - 2014-11-21 09:57 - 00000369 _____ C:\Users\Thi Tran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2016-06-03 21:28 - 2014-11-21 09:57 - 00000369 _____ C:\Users\Thi Tran\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2016-06-03 16:06 - 2016-06-03 16:06 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_LocationProvider_01_11_00.Wdf
2016-06-03 15:51 - 2016-06-03 15:51 - 00002287 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-03 15:51 - 2016-06-03 15:51 - 00002275 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-06-03 15:49 - 2016-06-03 15:56 - 00003910 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-06-03 15:49 - 2016-06-03 15:56 - 00003674 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-06-03 15:49 - 2016-06-03 15:56 - 00000938 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-03 15:49 - 2016-06-03 15:56 - 00000934 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-03 15:49 - 2016-06-03 15:49 - 00987728 _____ (Google Inc.) C:\Users\Thi Tran\Downloads\ChromeSetup.exe
2016-06-03 15:48 - 2016-06-03 15:48 - 00000000 ____D C:\Program Files\Common Files\Atheros
2016-06-03 15:43 - 2016-06-05 19:54 - 00000000 ____D C:\Users\Thi Tran\AppData\Local\Google
2016-06-03 15:43 - 2016-06-03 15:50 - 00000000 ____D C:\Program Files (x86)\Google
2016-06-03 15:43 - 2016-06-03 15:43 - 00003904 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1464943387
2016-06-03 15:43 - 2016-06-03 15:43 - 00001053 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-06-03 15:42 - 2016-06-03 15:42 - 00037144 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 01070904 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00536312 _____ (AVAST Software) C:\Windows\system32\Drivers\aswNetSec.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00465792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00398152 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2016-06-03 15:35 - 2016-06-03 15:35 - 00287528 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00166432 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00107792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00103064 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00074544 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00052184 _____ (AVAST Software) C:\Windows\avastSS.scr
2016-06-03 15:35 - 2016-06-03 15:35 - 00037656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2016-06-03 15:35 - 2016-06-03 15:35 - 00003924 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-06-03 15:35 - 2016-06-03 15:35 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2016-06-03 15:35 - 2016-06-03 15:35 - 00000000 ____D C:\Users\Thi Tran\AppData\Roaming\AVAST Software
2016-06-03 15:35 - 2016-06-03 15:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2016-06-03 15:35 - 2016-06-03 15:35 - 00000000 ____D C:\Program Files\Common Files\AV
2016-06-03 15:34 - 2016-06-03 22:11 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-128003330-4183474367-756348430-1001
2016-06-03 15:33 - 2016-06-03 15:42 - 00000000 ____D C:\ProgramData\AVAST Software
2016-06-03 15:33 - 2016-06-03 15:42 - 00000000 ____D C:\Program Files\AVAST Software
2016-06-03 15:33 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieUserList
2016-06-03 15:33 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieBrowserModeList
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-06-03 22:39 - 2013-08-22 22:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-06-03 22:16 - 2013-08-22 22:36 - 00262144 _____ C:\Windows\system32\config\BCD-Template
2016-06-03 22:06 - 2013-08-22 20:36 - 00000000 ____D C:\Windows\Inf
2016-06-03 21:29 - 2013-08-22 22:36 - 00000000 ____D C:\Windows\rescache
2016-06-03 21:25 - 2013-08-22 21:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-03 21:23 - 2013-08-22 20:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2016-06-03 16:13 - 2013-08-22 22:20 - 00000000 ____D C:\Windows\CbsTemp
2016-06-03 15:52 - 2014-11-21 09:49 - 00818732 _____ C:\Windows\system32\PerfStringBackup.INI
2016-06-03 15:40 - 2013-08-22 22:36 - 00000000 ____D C:\Windows\AppReadiness
==================== Bamital & volsnap =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2016-06-03 21:19
==================== End of FRST.txt ============================
-
Additional scan result of Farbar Recovery Scan Tool (x64) Version:05-06-2016 02
Ran by Thi Tran (2016-06-05 21:03:37)
Running from C:\Users\Thi Tran\Downloads
Windows 8.1 Single Language (Update) (X64) (2016-06-03 14:28:13)
Boot Mode: Normal
==========================================================
==================== Accounts: =============================
Administrator (S-1-5-21-128003330-4183474367-756348430-500 - Administrator - Disabled)
Guest (S-1-5-21-128003330-4183474367-756348430-501 - Limited - Disabled)
Thi Tran (S-1-5-21-128003330-4183474367-756348430-1001 - Administrator - Enabled) => C:\Users\Thi Tran
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: avast! Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Disabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus (Disabled) {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Avast Premier (HKLM-x32\...\Avast) (Version: 11.2.2262 - AVAST Software)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 51.0.2704.79 - Google Inc.)
Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3308 - Intel Corporation)
SafeZone Stable 1.48.2066.101 (x32 Version: 1.48.2066.101 - Avast Software) Hidden
==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {411E7A85-F28B-489D-9DEF-EED751C83BAF} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-06-03] (Google Inc.)
Task: {AC44D24D-4A7C-423F-8CDF-788969509FD1} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-06-03] (AVAST Software)
Task: {C8375E84-A417-49FA-B368-1BC1164BF86A} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-06-03] (AVAST Software)
Task: {E17ED678-1395-4171-AEDD-3A1B0E7ED0F4} - System32\Tasks\SafeZone scheduled Autoupdate 1464943387 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2016-04-15] (Avast Software)
Task: {E4420DE9-6F3D-41B1-BCD9-B3828A3BCA76} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-06-03] (Google Inc.)
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
==================== Shortcuts =============================
(The entries could be listed to be restored or removed.)
==================== Loaded Modules (Whitelisted) ==============
2016-06-03 15:35 - 2016-06-03 15:35 - 00123344 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2016-06-03 15:35 - 2016-06-03 15:35 - 00135816 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-06-03 15:35 - 2016-06-03 15:35 - 00309912 _____ () C:\Program Files\AVAST Software\Avast\browser_pass.dll
2016-06-03 15:35 - 2016-06-03 15:35 - 00479680 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2016-06-05 19:17 - 2016-06-05 19:17 - 02923008 _____ () C:\Program Files\AVAST Software\Avast\defs\16060500\algo.dll
2016-06-03 15:35 - 2016-06-03 15:35 - 40539648 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
==================== Alternate Data Streams (Whitelisted) =========
==================== Safe Mode (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
==================== Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)
==================== Hosts content: ===============================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2013-08-22 20:25 - 2013-08-22 20:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
==================== Other Areas ============================
(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-128003330-4183474367-756348430-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
==================== MSCONFIG/TASK MANAGER disabled items ==
(Currently there is no automatic fix for this section.)
==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{67E975FF-B9CE-4CD7-B165-05A96DFBB640}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
==================== Restore Points =========================
ATTENTION: System Restore is disabled
==================== Faulty Device Manager Devices =============
Name: NVIDIA GeForce GT 650M
Description: NVIDIA GeForce GT 650M
Class Guid: {4d36e968-e325-11ce-bfc1-08002be10318}
Manufacturer: NVIDIA
Service: nvlddmkm
Problem: : This device cannot work properly until you restart your computer. (Code14)
Resolution: Restart your computer.
Name: Microsoft PS/2 Mouse
Description: Microsoft PS/2 Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
==================== Event log errors: =========================
Application errors:
==================
Error: (06/03/2016 09:29:40 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=71f411ae-7b4b-41bd-b68c-c519c499f950;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
Error: (06/03/2016 09:29:40 PM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=71f411ae-7b4b-41bd-b68c-c519c499f950
Error: (06/03/2016 09:29:40 PM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details.
hr=0x80072EE7
System errors:
=============
Error: (06/05/2016 07:38:20 PM) (Source: DCOM) (EventID: 10010) (User: Thi-Laptop)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}
Error: (06/03/2016 09:22:01 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {A47979D2-C419-11D9-A5B4-001185AD2B89}
Error: (06/03/2016 09:20:01 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Network List Service service terminated with the following error:
%%21
Error: (06/03/2016 09:19:53 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The IP Helper service terminated with the following error:
%%1058
Error: (06/03/2016 09:19:04 PM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!
==================== Memory info ===========================
Processor: Intel(R) Core(TM) i7-3630QM CPU @ 2.40GHz
Percentage of memory in use: 15%
Total physical RAM: 7629.59 MB
Available physical RAM: 6443.28 MB
Total Virtual: 9485.59 MB
Available Virtual: 8173.43 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:442.72 GB) (Free:422.73 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: CDFAD22C)
Partition: GPT.
==================== End of Addition.txt ============================
-
Definitely nothing showing in Chrome
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open Notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieUserList
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieSiteList
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieBrowserModeList
2016-06-03 21:30 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieSiteList
2016-06-03 15:33 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieUserList
2016-06-03 15:33 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieBrowserModeList
2016-06-03 22:06 - 2013-10-01 13:02 - 00064000 _____ (Khronos Group) C:\Windows\system32\OpenCL.DLL
2016-06-03 22:06 - 2013-10-01 13:02 - 00060416 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.DLL
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
(https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG)
Run FRST and press Fix.
On completion a log will be generated; please post that.
-
Fix result of Farbar Recovery Scan Tool (x64) Version:05-06-2016 02
Ran by Thi Tran (2016-06-05 21:54:20) Run:1
Running from C:\Users\Thi Tran\Downloads
Loaded Profiles: Thi Tran (Available Profiles: Thi Tran)
Boot Mode: Normal
==============================================
fixlist content:
*****************
CreateRestorePoint:
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieUserList
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieSiteList
2016-06-03 21:30 - 2016-06-03 21:30 - 00000000 __SHD C:\Users\Thi Tran\AppData\Local\EmieBrowserModeList
2016-06-03 21:30 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieSiteList
2016-06-03 15:33 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieUserList
2016-06-03 15:33 - 2016-06-03 15:33 - 00000000 __SHD C:\Users\Thi Tran\AppData\LocalLow\EmieBrowserModeList
2016-06-03 22:06 - 2013-10-01 13:02 - 00064000 _____ (Khronos Group) C:\Windows\system32\OpenCL.DLL
2016-06-03 22:06 - 2013-10-01 13:02 - 00060416 _____ (Khronos Group) C:\Windows\SysWOW64\OpenCL.DLL
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
*****************
Restore point was successfully created.
C:\Users\Thi Tran\AppData\Local\EmieUserList => moved successfully
C:\Users\Thi Tran\AppData\Local\EmieSiteList => moved successfully
C:\Users\Thi Tran\AppData\Local\EmieBrowserModeList => moved successfully
C:\Users\Thi Tran\AppData\LocalLow\EmieSiteList => moved successfully
C:\Users\Thi Tran\AppData\LocalLow\EmieUserList => moved successfully
C:\Users\Thi Tran\AppData\LocalLow\EmieBrowserModeList => moved successfully
C:\Windows\system32\OpenCL.DLL => moved successfully
C:\Windows\SysWOW64\OpenCL.DLL => moved successfully
========= netsh advfirewall reset =========
Ok.
========= End of CMD: =========
========= netsh advfirewall set allprofiles state ON =========
Ok.
========= End of CMD: =========
========= ipconfig /flushdns =========
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========= End of CMD: =========
========= netsh winsock reset catalog =========
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
========= End of CMD: =========
========= netsh int ip reset c:\resetlog.txt =========
Resetting Global, OK!
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.
Resetting , OK!
Restart the computer to complete this action.
========= End of CMD: =========
========= ipconfig /release =========
Windows IP Configuration
No operation can be performed on Local Area Connection* 3 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection while it has its media disconnected.
No operation can be performed on Ethernet while it has its media disconnected.
Wireless LAN adapter Local Area Connection* 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Wireless LAN adapter WiFi:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::89d0:1193:386e:f667%4
Default Gateway . . . . . . . . . :
Ethernet adapter Ethernet:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:10a6:1cb6:3f57:ff93
Link-local IPv6 Address . . . . . : fe80::10a6:1cb6:3f57:ff93%21
Default Gateway . . . . . . . . . : ::
========= End of CMD: =========
========= ipconfig /renew =========
Windows IP Configuration
No operation can be performed on Local Area Connection* 3 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection while it has its media disconnected.
No operation can be performed on Ethernet while it has its media disconnected.
Wireless LAN adapter Local Area Connection* 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Wireless LAN adapter WiFi:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::89d0:1193:386e:f667%4
IPv4 Address. . . . . . . . . . . : 192.168.0.108
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
Ethernet adapter Ethernet:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter isatap.{6EE958FB-6FFC-497A-862C-7C4198CD23A4}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:2029:3b8a:3f57:ff93
Link-local IPv6 Address . . . . . : fe80::2029:3b8a:3f57:ff93%21
Default Gateway . . . . . . . . . : ::
========= End of CMD: =========
========= netsh int ipv4 reset =========
Resetting Interface, OK!
Resetting , failed.
Access is denied.
Restart the computer to complete this action.
========= End of CMD: =========
========= netsh int ipv6 reset =========
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.
Resetting , OK!
Restart the computer to complete this action.
========= End of CMD: =========
========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
The operation completed successfully.
========= End of Reg: =========
========= RemoveProxy: =========
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-128003330-4183474367-756348430-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-128003330-4183474367-756348430-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
========= End of RemoveProxy: =========
========= bitsadmin /reset /allusers =========
BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
0 out of 0 jobs canceled.
========= End of CMD: =========
EmptyTemp: => 390.7 MB temporary data Removed.
The system needed a reboot.
==== End of Fixlog 21:55:13 ====
-
Just happened again
-
Totally uninstall Chrome please and ensure all remnants have gone. I believe that Revo Uninstaller would be best for this:
http://www.revouninstaller.com/start_freeware_download.html
-
Done
-
So I am no longer allowed to use chrome on this laptop?
Is chromium ok to use?
If not, any browsers you'd recommend?
-
No, it is not that; it is the fact that when you re-installed Windows it probably left some Chrome folders behind. So when you re-installed Chrome the bad stuff was still there.
Have the alerts ceased?
-
When (re-)installing Windows, did you format the drive/partition?
Is there just one partition on that drive, or are there multiple?
Did you check if the problem was there right after installing Windows and all drivers? (meaning before installing any application, e.g. Chrome)
-
So far nothing yet, I'll keep you guys posted
I first re-installed using a factory defaults reset. There was no option to format the partitions, but an option to do a "clean install", which I chose.
After installing windows I installed avast
I checked the problem asap before installing anything else
I browsed on Microsoft Edge for a bit and that's when the alert popped up
I then reinstalled again using a USB and this: http://windows.microsoft.com/en-US/windows-8/create-reset-refresh-media
I deleted the partitions and then made new ones and formatted
Though I think it was a "quick" format and not a thorough one.
There are 2 main partitions and 3 extra ones for system files or something. Though they're like 200 MB, 10 MB, etc. and are not visible.
-
Just happened again.
This time using Microsoft Internet Explorer and while downloading NVidia drivers
-
If you live in Vietnam, I was wondering if it could be your ISP, as that IP address belongs to Vietnam Posts and Telecommunications, which is part of the Vietnamese Government, and it could be routing internet content through their own servers.
If you don't live in Vietnam then ignore my idea.
-
I do live in Vietnam, I considered this a possibility but I've lived here for 3 years and this has only started happening recently
-
That would tie in with DNS being reset and the ISP then taking it over again after a while.
As it was using different elements (Avast, Chrome, IE and Edge), that indeed reinforces it, although I am not sure why OpenDNS does not function.
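One way to see whether the settings the fix reset (per-adapter DNS servers, the WinINET proxy values that RemoveProxy: cleared, the hosts file) drift back afterwards is to save a baseline right after the fix and reboot, then re-run and diff. This is an added PowerShell example, not from this thread or from FRST; the baseline file path is an assumption, and Get-DnsClientServerAddress requires Windows 8 / Server 2012 or later.

```powershell
# Added example (not part of the thread): snapshot DNS, proxy and hosts settings
# and compare them with a saved baseline so a later re-takeover shows as a diff.
param(
    # Hypothetical location for the baseline; change as needed.
    [string]$BaselinePath = "$env:USERPROFILE\netbaseline.json"
)

function Get-NetSnapshot {
    # IPv4 DNS servers per adapter (DnsClient module, Windows 8+ / Server 2012+).
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { "$($_.InterfaceAlias)=$($_.ServerAddresses -join ',')" }

    # WinINET proxy settings for the current user; FRST's RemoveProxy: works on
    # values under this key, so a reappearing proxy or PAC URL shows up here.
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $proxy = @{
        ProxyEnable   = [int]$inet.ProxyEnable
        ProxyServer   = [string]$inet.ProxyServer
        AutoConfigURL = [string]$inet.AutoConfigURL
    }

    # Any edit to the hosts file changes its hash.
    $hostsHash = (Get-FileHash "$env:SystemRoot\System32\drivers\etc\hosts" -Algorithm SHA256).Hash

    [pscustomobject]@{
        Dns       = @($dns | Sort-Object)
        Proxy     = $proxy
        HostsHash = $hostsHash
    }
}

$now = Get-NetSnapshot

if (-not (Test-Path $BaselinePath)) {
    # First run: record the known-good state taken right after the fix and reboot.
    $now | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline saved to $BaselinePath"
    return
}

$base = Get-Content $BaselinePath -Raw | ConvertFrom-Json
$findings = @()

$dnsDiff = Compare-Object -ReferenceObject @($base.Dns) -DifferenceObject @($now.Dns)
if ($dnsDiff) {
    $findings += 'DNS servers changed: ' +
        (($dnsDiff | ForEach-Object { "$($_.SideIndicator) $($_.InputObject)" }) -join '; ')
}

foreach ($k in 'ProxyEnable', 'ProxyServer', 'AutoConfigURL') {
    if ([string]$base.Proxy.$k -ne [string]$now.Proxy.$k) {
        $findings += "Proxy value $k changed: '$($base.Proxy.$k)' -> '$($now.Proxy.$k)'"
    }
}

if ($base.HostsHash -ne $now.HostsHash) {
    $findings += 'hosts file modified (SHA256 differs from baseline)'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No change from baseline.' }
```

Run it once after the fix to create the baseline, then again whenever the alert recurs; a changed DNS server list points at the router/ISP side, a reappearing proxy or PAC URL points at something on the machine.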
-
I do live in Vietnam. I considered this a possibility, but I've lived here for 3 years and this has only started happening recently.
Could be something they started doing recently, or maybe Avast decided to detect it as an issue? Maybe an idea to contact your ISP and ask if it's something they are doing, even if it's just to rule them out at the very least.
-
I can't thank you guys enough for your efforts.
I'm starting to consider living with it for now.
If it's ISP-related then I probably will, since we are leaving the country soon to travel.
Some background info on Vietnam if it sheds any light on things. There have been a few protests and activists stirring things up for the government here. They blocked Facebook a couple of weeks ago to disrupt the organising of the protests and blocked any messages involving keywords on phones and computers. It wouldn't surprise me if they use malware to monitor and catch these people. It sounds all a bit far-fetched, but if you lived in a communist country I guess you'd believe it.
If it was something to do with the ISP they wouldn't tell you, let alone change anything. Customer service is not a thing here.
It would put me at ease though knowing what it's doing. Key-logging or phishing, that sorta thing. I just wanna play with my Steam account again :(
-
You could always use a VPN. You won't be able to do a whole lot on a free one, but if it is the government then a VPN might stop it. But considering you did a full hard drive format and you are still getting the errors before you even get a chance to install anything, that kind of limits what it could be: either malware so bad it's surviving a full format somehow (either by a rootkit in the motherboard BIOS or the RAM, or even if the router is infected) or it's your ISP doing stuff. But judging by the IP address it's connecting to belongs to the Vietnam government, I would personally think it's the 2nd option.
-
Hi guys,
Also suffering from the same pop ups.
This problem just started happening recently. I've been in Ho Chi Minh City, Vietnam for about 4 years now.
The pop up is on multiple laptops. Each laptop is connected to a different wifi network by a different provider.
Hope this additional information can help you guys figure out how to get rid of these annoying pop ups once and for all.
Thanks :)