Author Topic: avast reports malware after cleaning

REDACTED

  • Guest
avast reports malware after cleaning
« on: November 04, 2014, 06:46:29 PM »
Hi
I still get malware pop-ups from avast even after running avast at boot (movieroomreviews.com, etc.), but not as often as before.  :'(
Attached are the files that were saved IAW your instructions.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: avast reports malware after cleaning
« Reply #1 on: November 04, 2014, 07:36:35 PM »
Display hidden files and folders:

◾Right-click the Windows Logo button and choose Open Windows Explorer.
◾Click Organize and choose Folder and Search Options.
◾Click the View tab, select Show hidden files and folders and then clear the checkbox for Hide protected system operating files.

Then delete this file/folder C:\Users\Rein\AppData\Roaming\麽鎒駓覜

Let me know how the computer is after this

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
HKLM-x32\...\Run: [BrowserSafeguard] => "C:\Program Files (x86)\Browsersafeguard\BrowserSafeguard.exe"
HKU\S-1-5-21-4017607708-2851936205-3148765964-1000\...\Run: [iLivid] => "C:\Users\Rein\AppData\Local\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-4017607708-2851936205-3148765964-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
SearchScopes: HKLM - {A25AC313-DD19-4238-ACA2-401D6BEE4321} URL =
SearchScopes: HKLM-x32 - DefaultScope {E1384B2F-615A-4862-8793-2475FE8DE196} URL =
SearchScopes: HKCU - OldDefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
SearchScopes: HKCU - {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKCU - {A25AC313-DD19-4238-ACA2-401D6BEE4321} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3287811&CUI=UN12222670509600658&UM=2&UP=SP3FA21645-DFD6-406B-8DB3-F76DE4043DBE&SSPV=
SearchScopes: HKCU - {E1384B2F-615A-4862-8793-2475FE8DE196} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3287811&CUI=UN12222670509600658&UM=2
FF Plugin-x32: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 -> C:\ProgramData\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP)
CHR DefaultSearchKeyword: Default -> trovi.search
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter}
CHR Extension: (VisualBee V.12) - C:\Users\Rein\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpkgnchjblgnciiopegmabnakdoapgkj [2013-11-15]
2014-10-27 12:56 - 2014-10-27 14:22 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-27 12:56 - 2014-10-27 14:22 - 00001368 _____ () C:\ProgramData\@system.att
2014-10-27 12:55 - 2014-10-27 14:23 - 00001104 ____H () C:\ProgramData\@system2.att
2014-10-27 12:55 - 2014-10-27 12:55 - 00000000 ___HD () C:\196f52d
2014-10-27 12:50 - 2014-10-27 12:53 - 00036487 _____ () C:\Users\Rein\AppData\Local\893686b8
2014-10-27 12:50 - 2014-10-27 12:53 - 00027562 _____ () C:\Users\Rein\AppData\Roaming\893686b8
2014-10-27 12:50 - 2014-10-27 12:53 - 00023392 _____ () C:\ProgramData\893686b8
2014-10-23 13:34 - 2014-10-23 13:34 - 00022528 _____ () C:\Users\Rein\AppData\Local\2060539dsisetup20615532.exe
2014-10-27 15:01 - 2013-11-15 17:26 - 00000000 ____D () C:\ProgramData\Conduit
CustomCLSID: HKU\S-1-5-21-4017607708-2851936205-3148765964-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {D699018E-2102-42D5-9AE8-3D1E3E0C90E8} - \AutoKMS No Task File <==== ATTENTION
C:\Users\Rein\AppData\Local\iLivid
C:\Program Files (x86)\Browsersafeguard
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
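The two `localserver32` entries in the fixlist above are the interesting part of this log: instead of pointing a COM class at a DLL or EXE on disk, the per-user CLSID override points at `rundll32.exe javascript:"\..\mshtml,RunHTMLApplication "` followed by an `eval()` of a blob in which every character has been shifted up by one code point. That is the fileless Poweliks persistence essexboy is flagging, and it is why no file deletion alone clears it. The script below is an added example, not part of the thread or of the FRST tool: it reads FRST-style `CustomCLSID` lines, flags any `localserver32` value that launches `rundll32` with a `javascript:` URL, and undoes the shift so the start of the payload can be read. The sample log lines are constructed for the example; the CLSID and payload fragment are the ones quoted in the fixlist, the other two GUIDs and paths are placeholders.

```python
"""Flag Poweliks-style COM LocalServer32 persistence in FRST-style log lines.

Added example, not code from the thread or from the FRST tool. The sample
below is constructed: the first line mirrors the CustomCLSID entry quoted in
the fixlist, the other two are placeholder benign registrations.
"""
import re
from typing import Dict, List

# Constructed sample log (FRST "CustomCLSID:" format as it appears in the thread).
SAMPLE_LOG = r"""
CustomCLSID: HKU\S-1-5-21-4017607708-2851936205-3148765964-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-4017607708-2851936205-3148765964-1000_Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32 -> C:\Users\Example\AppData\Local\ExampleApp\example.dll (Example Corp)
CustomCLSID: HKU\S-1-5-21-4017607708-2851936205-3148765964-1000_Classes\CLSID\{55555555-6666-7777-8888-999999999999}\localserver32 -> C:\Users\Example\AppData\Local\ExampleApp\example.exe
"""

# Registry key ending in \localserver32 followed by the value FRST prints after "->".
LOCALSERVER = re.compile(r"(?P<key>HK\S*?\\localserver32)\s*->\s*(?P<cmd>.*)$", re.IGNORECASE)
# The marker of the technique: rundll32 handed a javascript: URL instead of a DLL path.
RUNDLL_JS = re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.IGNORECASE)
# The shifted blob passed to eval(); FRST truncates it, so we take what is on the line.
EVAL_BLOB = re.compile(r'eval\("([^"\s]+)')


def decode_shift1(blob: str) -> str:
    """Undo the +1 code-point shift applied to the eval() payload."""
    return "".join(chr(ord(c) - 1) for c in blob)


def find_poweliks(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per localserver32 value that launches rundll32 with javascript:."""
    findings = []
    for line in log_text.splitlines():
        m = LOCALSERVER.search(line)
        if not m:
            continue  # not a LocalServer32 registration
        cmd = m.group("cmd")
        if not RUNDLL_JS.search(cmd):
            continue  # ordinary on-disk COM server, leave it alone
        blob = EVAL_BLOB.search(cmd)
        findings.append({
            "key": m.group("key"),
            "command": cmd,
            # Decoded prefix of the payload; empty if no eval("...") blob was captured.
            "decoded": decode_shift1(blob.group(1)) if blob else "",
        })
    return findings


if __name__ == "__main__":
    for hit in find_poweliks(SAMPLE_LOG):
        print("Suspicious COM server:", hit["key"])
        print("  command :", hit["command"][:80], "...")
        print("  decoded :", hit["decoded"])
```

The decoded prefix of the quoted fragment reads `document.write('<script language=jscr`, i.e. the HTA host is being fed script straight from the registry value. On a live machine the full value lives under the user's `HKCU\Software\Classes\CLSID\{...}\LocalServer32` key, so the complete payload has to be read from there rather than from the truncated log line; the FRST fix removes the key, which is the removal step for this technique.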

REDACTED

  • Guest
Re: avast reports malware after cleaning
« Reply #2 on: November 04, 2014, 10:04:29 PM »
HI
You had a previous response and the result is Fixlogold.  Your latest response result is Fixlog.  Seems quiet now after the second "fix" run of FRST64.  Before running your second fix I deleted the file with the Japanese fonts you suggested.  Result was that the moviereview malware did not show up BUT lots of other sites were blocked by avast.  BTW great program.  Symptoms I had were, besides the avast pop-up blockings, the hard drive was constantly searching and I could not put IE in security protected mode enable.  Would get alerts if I downloaded a file from a known good site that "your security mode prevents downloading the file".  I would check the protected mode enable, then check permit file download, then I could download the file (known good site) (without rebooting) but at reboot IE protected mode enable would be off.
Everything quiet now, I will install the ad remover now.

REALLY appreciate the help

I will check the IE security mode now

Rein

REDACTED

  • Guest
Re: avast reports malware after cleaning
« Reply #3 on: November 04, 2014, 10:30:57 PM »
Hi

Did the AdwCleaner with log file attached.  IE protected mode stayed on, hard drive quiet.  GREAT JOB.
Can avast and Malwarebytes run at the same time?  Or just avast?  I am using windows firewall.

Rein

REDACTED

  • Guest
Re: avast reports malware after cleaning
« Reply #4 on: November 04, 2014, 10:41:03 PM »
Hi again

BTW I was running Windows Security Essentials (now turned off and avast on) before the original attack started.  It was a ro...  forgot the name but Malwarebytes quarantined it after a second scan at boot.  Then installed avast, scanned, cleaned, and then the "site blocked" pop-ups appeared.  Still all quiet

Thank you very much

Offline essexboy

  • Malware removal instructor
Re: avast reports malware after cleaning
« Reply #5 on: November 04, 2014, 10:43:29 PM »
Avast and MBAM are both good together.  You actually had a failed install of Torcrypto so Avast must have blocked it before it activated :) But Poweliks was active, although as of yet no AV can get a handle on it.

If all is well tomorrow let me know and I will tidy up



REDACTED

  • Guest
Re: avast reports malware after cleaning
« Reply #6 on: November 05, 2014, 04:24:32 PM »
I booted up this morning and so far no pop-up messages from either Avast or Malwarebytes.  At boot completion Avast did show a message (not pop-up) that said it found IE add-on "MaxWebSearch".  This has happened several times right after startup; I click "remove" and the result is Avast encountered an error and could not complete its action.  I looked at IE add-ons and could not find MaxWebSearch.  Again no threats have appeared and hard drive is quiet.  I am concerned about your message about Poweliks, maybe it will appear again at boot?
Examining Internet sites: Symantec said Poweliks low level???? and can be removed easily???

Offline essexboy

  • Malware removal instructor
Re: avast reports malware after cleaning
« Reply #7 on: November 05, 2014, 05:12:42 PM »
I can see no sign of MaxWeb so it may be a stray registry entry that Avast is finding.

Poweliks is easy to remove, but it can only be done manually.

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

Malwarebytes: update and run weekly to keep your system clean.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide  Best security practices Keep safe  :wave:

REDACTED

  • Guest
Re: avast reports malware after cleaning
« Reply #8 on: November 06, 2014, 09:30:55 PM »
Thanks for all the help.

I ran Delfix.  All is quiet, however I have a strange problem with the Gamestop site.  I click on Gamestop, the site appears, then an ad bar appears, "savestop" maybe, then a blank page.  It happens very quickly so I am not sure of the adware name.  It is not detected by Avast or Mbytes.  Maybe unique to the Gamestop site?

Oh, the crypto fix site is hiding the free download, very stealthy.  Could not find a link to download, but the premium no problem.

Offline essexboy

  • Malware removal instructor
Re: avast reports malware after cleaning
« Reply #9 on: November 06, 2014, 09:50:36 PM »
It is right at the bottom of the page :)  If you only get that on one site then it is not a problem.

REDACTED

  • Guest
Re: avast reports malware after cleaning
« Reply #10 on: November 06, 2014, 10:21:39 PM »
Thank you for the link.

Now a very serious problem:  Windows Update is NOT running.  I tried several reboots, still not running.  It was running before the virus attack.  I even checked the update history... blank.

Was Windows corrupted?

Offline essexboy

  • Malware removal instructor
Re: avast reports malware after cleaning
« Reply #11 on: November 06, 2014, 11:15:21 PM »
Let's check it out, it may just need repairing.

Download and run Farbar Service Scanner

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

REDACTED

  • Guest
Re: avast reports malware after cleaning
« Reply #12 on: November 07, 2014, 12:26:07 AM »
Attached is FSS results.  Does not look good.  I tried to manually start Windows Update from the task page.  It resulted in
"The *** service is not started".  I read there is a crypto exploit that disables Windows Update?  I installed CryptoPrevent before trying to update Windows.

REDACTED

  • Guest
Re: avast reports malware after cleaning
« Reply #13 on: November 07, 2014, 11:34:49 PM »
For some reason Windows Update started working.  I installed Microsoft Security Essentials, ran a full scan and got the screen attached.  Avast is running with Security Essentials together.

Offline essexboy

  • Malware removal instructor
Re: avast reports malware after cleaning
« Reply #14 on: November 07, 2014, 11:47:01 PM »
The services just need repairing.

Download the three registry entries to your desktop.
Double click each in turn and allow it to merge.

https://dl.dropboxusercontent.com/u/73555776/wuauserv.reg
https://dl.dropboxusercontent.com/u/73555776/wscsvc.reg
https://dl.dropboxusercontent.com/u/73555776/WinDefend.reg

AutoKMS is a hack for MS Office; did you install it?

What is the full path of the other entry?

Running two antivirus programmes can cause problems.