Author Topic: Avast scanning the web for pr0n  (Read 15440 times)

huerto

  • Guest
Avast scanning the web for pr0n
« on: December 08, 2013, 01:54:45 PM »
Well, this is awkward. Once my laptop has booted and before I do anything (no browser, no programs whatsoever), I check what avast is doing and see that it is checking the web. In the Statistics window, it scans and scans endless pages of pr0n pages on the internet. Occasionally a pop-up window appears, saying that some process has been blocked. Always with a dmw.exe as the culprit. This exe sits in the Lenovo folder; I haven't found anything useful on the web for that file. Then the scanning stops, only to start anew half a minute later.

I did a boot-scan with avast to no avail. A malware-check too, I attach the report. Maybe someone has a clue what is going on. The avast module is in German and I have posted this in the German thread also. I hope that is okay, since there is no answer there.

Thanks.

Win 7 Pro 64
Avast 2014.9.0.2008

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast scanning the web for pr0n
« Reply #1 on: December 08, 2013, 02:02:18 PM »
You have an infection

Download OTL to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users
  • Select LOP and Purity
  • Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs

propheticus

  • Guest
Re: Avast scanning the web for pr0n
« Reply #2 on: December 08, 2013, 02:25:27 PM »
By the looks of it he's got multiple infections. Web optimizer, PackageAware, etc. The probable cause is the malicious Gutschein finder Firefox plugin.

ADWcleaner already cleared a lot. You could try running Malwarebytes Anti-malware + TDSSkiller to see if they find more. TDSSkiller is a rootkit scanner; alternatively (or additionally) you can use Malwarebytes Anti-Rootkit.

Don't forget to restore Firefox (your main browser as it seems), or the plugin stays and can infect again:
  • Open Firefox
  • Click the FF button (orange top left)
  • Help -> Troubleshooting information
  • Click reset Firefox and confirm the reset in the next window
  • Firefox will close and reopen and try to import your bookmarks and passwords etc. -> click finish

Online CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: Avast scanning the web for pr0n
« Reply #3 on: December 08, 2013, 02:31:05 PM »
propheticus please refrain from posting or interrupting in malware removal advice topics, essexboy is quite capable of handling the problem.

propheticus

  • Guest
Re: Avast scanning the web for pr0n
« Reply #4 on: December 08, 2013, 02:42:49 PM »
I understand my help is unwanted here. Have fun on your high horses.
« Last Edit: December 08, 2013, 02:47:16 PM by propheticus »

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Avast scanning the web for pr0n
« Reply #5 on: December 08, 2013, 02:45:04 PM »
Help is not unwanted here. Essexboy is a certified malware remover from the forum.

He will help him with this.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Online CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: Avast scanning the web for pr0n
« Reply #6 on: December 08, 2013, 02:51:51 PM »
Quote from: propheticus
I understand my help is unwanted here.

It's not that help isn't wanted, malware removal is only performed by trained qualified technicians and you haven't been approved to do so and it's also bad etiquette to butt in on already provided advice.
« Last Edit: December 08, 2013, 02:53:24 PM by craigb »

Gorg

  • Guest
Re: Avast scanning the web for pr0n
« Reply #7 on: December 08, 2013, 04:00:32 PM »
Chef 1: OK, put a teaspoon of salt into the water.

Chef 2: You should be a tablespoon of salt in the water.

Culinary student: So which is it?

1: Teaspoon
2: Tablespoon

Student: I'm confused.

1: After you put the teaspoon of salt in the water, chop the celery and add it in.
2: After you put the tablespoon of salt in the water, chop a carrot and add it in, but also add a pinch of pepper.

Student: Who am I listening to here? They both sound good, but which one am I following? I added a teaspoon of salt and chopped up a carrot and added pepper. Is that right?

1: You didn't listen to me! That is wrong! I had a pre-planned step of events you needed to follow and now you've made it worse!
2: You didn't listen to me! That is wrong! I had a good idea on how to make this soup, but now it's ruined.

This is why more than one person helping to "make the soup" is a bad idea. If Essexboy started helping, you should have let him continue on. This is what everyone is saying. Your help isn't unwanted, it's just not needed when Essexboy took it. I hope this makes more sense now.

huerto

  • Guest
Re: Avast scanning the web for pr0n
« Reply #8 on: December 08, 2013, 04:46:29 PM »
    Quote from: essexboy
    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs

    Ok, thanks for answering. Here is OTL.txt. It hasn't generated Extras.txt though. (I used the settings you provided).

    Oh and what propheticus says: adwcleaner has found some stuff, but I didn't pursue it, i.e. I didn't click the Remove button, because there were ever so many things also in the registry, services, etc. that I preferred to wait. Can't afford to scramble up the system right now as I am in the middle of a job.

    Offline essexboy

    • Malware removal instructor
    • Avast Überevangelist
    • Probably Bot
    • *****
    • Posts: 40589
    • Dragons by Sasha
      • Malware fixes
    Re: Avast scanning the web for pr0n
    « Reply #9 on: December 08, 2013, 05:02:30 PM »
    OK, let's get you tidied up now. You appear to have a new variant of this as the running directory has changed.

    A nice little passage by Gorg showing why it is always best to have just one helper .. Cheers Gorg 

    Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

    Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following


    Code: [Select]
    :Commands
    [CREATERESTOREPOINT]

    :OTL
    FF - prefs.js..extensions.enabledAddons: %7Bff0f24dd-184a-42ca-9ce8-8ca6184fd0ac%7D:0.1
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ff0f24dd-184a-42ca-9ce8-8ca6184fd0ac}: C:\Program Files (x86)\Web Optimizer\weboptimizer.xpi [2013.08.27 10:52:06 | 000,009,996 | ---- | M] ()
    [2013.10.21 07:25:01 | 000,626,721 | ---- | M] () (No name found) -- C:\Users\IBM\AppData\Roaming\mozilla\firefox\profiles\b0ycpy1d.default\extensions\search@disconnect.me.xpi
    [2013.08.27 10:52:06 | 000,009,996 | ---- | M] () (No name found) -- C:\PROGRAM FILES (X86)\WEB OPTIMIZER\WEBOPTIMIZER.XPI
    O2:64bit: - BHO: (Plus-HD-3.8) - {11111111-1111-1111-1111-110311901130} - C:\Program Files (x86)\Plus-HD-3.8\Plus-HD-3.8-bho64.dll File not found
    O2 - BHO: (Web Optimizer) - {bbb1d54d-cf70-4a80-bf2f-3bafca0225ce} - C:\Program Files (x86)\Web Optimizer\weboptimizer.dll (Web Optimizer)
    O2 - BHO: (no name) - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - No CLSID value found.
    O4 - HKLM..\Run: [TaskMngr] C:\Program Files (x86)\Common Files\Lenovo\data.js ()
    O8:64bit: - Extra context menu item: Free YouTube Download - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytvdownloader.htm ()
    O8:64bit: - Extra context menu item: Free YouTube to MP3 Converter - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytmp3downloader.htm ()
    O8 - Extra context menu item: Free YouTube Download - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytvdownloader.htm ()
    O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytmp3downloader.htm ()
    O9:64bit: - Extra Button: Free YouTube Download - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll (DVDVideoSoft Ltd.)
    O9:64bit: - Extra 'Tools' menuitem : Free YouTube Download - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll (DVDVideoSoft Ltd.)
    [2013.12.07 22:18:18 | 000,000,000 | ---D | C] -- C:\Users\IBM\AppData\Local\AMozilla
    [2013.12.07 22:18:08 | 000,000,000 | ---D | C] -- C:\Users\IBM\AppData\Roaming\AMozilla
    [2013.12.07 22:18:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Lenovo
    [2013.11.18 21:21:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eTeks Sweet Home 3D
    [2013.11.18 21:21:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sweet Home 3D
    [2013.11.18 21:00:10 | 000,000,000 | ---D | C] -- C:\Users\IBM\AppData\Roaming\SBS Installer
    [2013.11.18 20:45:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Web Optimizer
    [2013.11.18 20:45:48 | 000,000,000 | ---D | C] -- C:\Users\IBM\AppData\Roaming\Windows Net Data
    [2013.11.18 20:45:45 | 000,000,009 | ---- | M] () -- C:\END
    [2013.12.07 22:18:08 | 000,000,000 | ---D | M] -- C:\Users\IBM\AppData\Roaming\AMozilla
    [2013.11.18 20:45:48 | 000,000,000 | ---D | M] -- C:\Users\IBM\AppData\Roaming\Windows Net Data

    :Files
    C:\Program Files (x86)\Common Files\Lenovo\dmw.exe
    C:\Program Files (x86)\Web Optimizer
    C:\Program Files (x86)\Plus-HD-3.8
    C:\Program Files (x86)\Web Optimizer

    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
    THEN

    Re-run AdwCleaner
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Scan.
    • After the scan is complete click on "Clean"
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
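
A triage sketch over log lines taken from the fix above, as an added example that is not part of essexboy's post or of OTL itself: it flags Run entries whose target is a Windows Script Host file and lists folders created within two minutes of that script's folder. The regexes and the two-minute window are assumptions inferred from these few lines.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Log lines copied from the OTL fix posted in the thread.
OTL_LINES = r"""
O4 - HKLM..\Run: [TaskMngr] C:\Program Files (x86)\Common Files\Lenovo\data.js ()
[2013.12.07 22:18:18 | 000,000,000 | ---D | C] -- C:\Users\IBM\AppData\Local\AMozilla
[2013.12.07 22:18:08 | 000,000,000 | ---D | C] -- C:\Users\IBM\AppData\Roaming\AMozilla
[2013.12.07 22:18:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Lenovo
[2013.11.18 21:21:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sweet Home 3D
[2013.11.18 20:45:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Web Optimizer
""".strip().splitlines()

# Extensions Windows runs through Windows Script Host by default.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Regexes inferred from the lines above (assumption), not from an OTL format specification.
RUN_RE = re.compile(r"^O4(?::64bit:)? - \S+\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+) \([^()]*\)$")
CREATED_RE = re.compile(r"^\[(?P<ts>[\d.]+ [\d:]+) \| [\d,]+ \| \S+ \| C\] -- (?P<path>.+)$")

def script_autoruns(lines):
    """Return (value name, target) for Run entries whose target is a WSH script."""
    found = (RUN_RE.match(line.strip()) for line in lines)
    return [(m["name"], m["path"]) for m in found
            if m and PureWindowsPath(m["path"]).suffix.lower() in WSH_EXTENSIONS]

def created_entries(lines):
    """Parse '[timestamp | size | attrs | C] -- path' lines into (datetime, path)."""
    found = (CREATED_RE.match(line.strip()) for line in lines)
    return [(datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S"), m["path"]) for m in found if m]

def dropped_together(lines, target, window=timedelta(minutes=2)):
    """Paths created within `window` of the folder that holds `target`."""
    created = created_entries(lines)
    parent = str(PureWindowsPath(target).parent).lower()
    anchor = [ts for ts, path in created if path.lower() == parent]
    if not anchor:
        return []
    return sorted(p for ts, p in created if p.lower() != parent and abs(ts - anchor[0]) <= window)

if __name__ == "__main__":
    for name, path in script_autoruns(OTL_LINES):
        print(f"Run value {name!r} starts a script: {path}")
        for companion in dropped_together(OTL_LINES, path):
            print(f"  created alongside it: {companion}")
```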

    Offline polonus

    • Avast Überevangelist
    • Probably Bot
    • *****
    • Posts: 33891
    • malware fighter
    Re: Avast scanning the web for pr0n
    « Reply #10 on: December 08, 2013, 05:08:05 PM »
    Hi propheticus,

    On a more positive note now.  :D
    A better way here, and a way where it does not interfere with the ongoing cleansing routine, is to PM your comments to essexboy directly.
    Also qualified removal experts can profit from some additional info or give you a clue as to why your proposed method/solution is inferior.
    There you have the win win situation always, you gain insight and the qualified removal expert may not miss a point he/she overlooked....  ;D  8)

    polonus
    Cybersecurity is more of an attitude than anything else. Avast Evangelists.

    Use NoScript, a limited user account and a virtual machine and be safe(r)!

    Offline Secondmineboy

    • Avast Evangelist
    • Massive Poster
    • ***
    • Posts: 3645
    Re: Avast scanning the web for pr0n
    « Reply #11 on: December 08, 2013, 05:25:21 PM »
    Good advice Pol. :D


    huerto

    • Guest
    Re: Avast scanning the web for pr0n
    « Reply #12 on: December 08, 2013, 05:37:13 PM »
    Hello again.
    Attached the OTL-log and the AdwCleaner-txt.

    Upon restart a Windows Script Host Window appears stating that a script file \Programs \...\Lenovo\data.js has not been found.

    It seems my Sweet House 3D software has been removed. Didn't know this could cause trouble.
    Apparently the DVDVideoSoft-pack is not such a good idea either? I used it because I had to convert some video files to wmv, but it didn't allow proper frame rate setting, so I could delete the whole thing too.

    Well, thank you again. As I am posting this, the avast-scanner is being quiet.  :D

    propheticus

    • Guest
    Re: Avast scanning the web for pr0n
    « Reply #13 on: December 08, 2013, 05:40:41 PM »
    Ye I thought I'd chip in because it was important to remove the Firefox plugin (gutschein) as well. Anyway, next time I won't interrupt and send tips to the person that responded first.
    I understand multiple conflicting tips can be confusing, but I didn't think I was contradicting/messing anything up. Probably ADWcleaner would've fixed most of the problems without issue if the OP would've let it clean. The whole OTL routine seemed a bit over the top to me...

    Ah well no hard feelings. We're all trying to help here.

    BTW: I'm a University Information Sciences student almost done with Bachelors and as a job on the side I work at a company fixing exactly these kinds of problems for clients. That should be qualified enough right?

    Offline Secondmineboy

    • Avast Evangelist
    • Massive Poster
    • ***
    • Posts: 3645
    Re: Avast scanning the web for pr0n
    « Reply #14 on: December 08, 2013, 05:44:07 PM »
    You can ask essexboy via PM if you want to help people with malware problems.
    Maybe he will look over your work and then he will decide.

    At the moment there is a student who is watched by essexboy.
    You can see here: http://forum.avast.com/index.php?topic=53253.0