possible problem??

[Riggs2907]

i have used AVAST for about 3 years & today was starting to have an issue.. 

First got 3/3 messages that said " threat detected",  some Trojan threat. Ran a scan & found the virus &  "moved it to chest" like it recomended. 

Did the reboot with complete scan during boot up & found two infected files there, deleted both.  Now after start up, i get 3/3 messages again saying "threat detected"?

heres a pic of what the virus looked like




What should my next step be if i keep getting "message detected" pop ups?

[Riggs2907]

here is a picture of the message when you click on " threat detected"  more info link. 




any help is much appreciated.

[Pondus]

follow this guide and attach the logs.....not copy and paste
http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

[Riggs2907]

you want me to post the result logs? not sure how to attach a AdwCleaner notepad log.

think aftre running the AdwCleaner & Malwarebytes' Anti-Malware may have fixed it?  since they have completed,  no " threat detected message?

[Pondus]

below the box you write in here.... "attachments and other options"

you can copy and paste logs....but OTL log must be attached bc of the size

when done a removal specialist will check them for any infections, and remove the infection(s) if he see any
he will also fix any minor problems he see

[Riggs2907]

below the box you write in here.... "attachments and other options"

you can copy and paste logs....but OTL log must be attached bc of the size

when done a removal specialist will check them for any infections, and remove the infection(s) if he see any
he will also fix any minor problems he see

here is the AdwCleaner log. 

# AdwCleaner v2.008 - Logfile created 11/18/2012 at 14:17:13
# Updated 17/11/2012 by Xplode
# Operating system : Windows Vista (TM) Business Service Pack 2 (32 bits)
# User : Ricky - RICKY-PC
# Boot Mode : Normal
# Running from : C:\Users\Ricky\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\Ricky\AppData\Local\funmoods-speeddial.crx
Folder Deleted : C:\ProgramData\Anti-phishing Domain Advisor
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\Ricky\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpglkicenollcignonpgiafdgfeehoj

***** [Registry] *****

Key Deleted : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Anti-phishing Domain Advisor
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23C70BCA-6E23-4A65-AD2E-1389062074F1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{295CACB4-51F5-46FD-914E-C72BAAE1B672}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C0585B2F-74D7-4734-88DE-6C150C5D4036}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CA17D76B-F91D-4659-A7FD-A9F7ED375CDD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EF0588D6-1621-4A75-B8BE-F4BC34794136}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-phishing Domain Advisor
Key Deleted : HKLM\Software\Tarma Installer
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Anti-phishing Domain Advisor]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzuyDtD0EyDyEzy0C0B0CyD0AtByDyE0CtAtN0D0Tzu0CtCzytAtN1L2XzutBtFtCtFtDtFtAtDtC&cr=547247914 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzuyDtD0EyDyEzy0C0B0CyD0AtByDyE0CtAtN0D0Tzu0CtCzytAtN1L2XzutBtFtCtFtDtFtAtDtC&cr=547247914 --> hxxp://www.google.com

-\\ Google Chrome v23.0.1271.64

File : C:\Users\Ricky\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [3942 octets] - [18/11/2012 14:17:13]



forgot to save the log from the Malwarebytes' Anti-Malware run.  that had 30 files in red.  All being "funmoods" that has been deleted for sometime from my system.  must be left overs?

[Pondus]

malwarebytes log is saved inside malwarebytes....you find it under the logs tab on top when you open the program

anyway...OTL is the important log

[Riggs2907]

HERE YOU GO. 

[Riggs2907]

since i did the last 3, think the problem may be gone.  Have yet to get "threat detected" message?   Thoughts?  think im in the clear?

[Pondus]

Looking at the AdwCleaner log, i may see what was your problem

Folder Deleted : C:\ProgramData\Anti-phishing Domain Advisor

also others had this
http://forum.avast.com/index.php?topic=109840.0
http://forum.avast.com/index.php?topic=109795.0

check back later to hear what the removal specialist have to say

[Riggs2907]

ok.   sound good.   Heres the last of it.  The ASWMBR log. 

thank you for your help.  really appreciate it. 

let me know if there is anything further i need to do.. 

[essexboy]

This was the problem  Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Anti-phishing Domain Advisor

Checking the logs now

[essexboy]

OK not a lot left for me to kill    Let me know of any further problems

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzuyDtD0EyDyEzy0C0B0CyD0AtByDyE0CtAtN0D0Tzu0CtCzytAtN1L2XzutBtFtCtFtDtFtAtDtC&cr=547247914
O4 - HKU\S-1-5-21-10632349-1777486396-4087371160-1000..\Run: [SPMTray] "C:\Program Files\PC Speed Maximizer\SPMTray.exe" File not found

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done

[Riggs2907]

OK not a lot left for me to kill    Let me know of any further problems

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzuyDtD0EyDyEzy0C0B0CyD0AtByDyE0CtAtN0D0Tzu0CtCzytAtN1L2XzutBtFtCtFtDtFtAtDtC&cr=547247914
O4 - HKU\S-1-5-21-10632349-1777486396-4087371160-1000..\Run: [SPMTray] "C:\Program Files\PC Speed Maximizer\SPMTray.exe" File not found

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done

You want me to run this & copy/paste the info in the "code: {select} section, & put it into the "paste scripts here" part?

[essexboy]

Yep that will remove the last of the funmood stuff