
REDACTED (Guest)
A few suspicious web site attemp
« on: April 19, 2015, 10:12:01 AM »
They (like reduled.info/3333/ReactorSys_142257170520951.dll, and similar for blackled.info) are blocked by Avast, but I don't know how to solve it totally.

aswMBR.exe crashed and I can't get the log from it :-[

I would very much appreciate it if anyone could help. Thanks a lot.

Eddy (Avast Evangelist)
Re: A few suspicious web site attemp
« Reply #1 on: April 19, 2015, 10:29:14 AM »
Start with removing Chrome completely.
Unless you installed a developer version yourself, malware has changed it.
This means that anything can be installed without you knowing it.

essexboy (Malware removal instructor)
Re: A few suspicious web site attemp
« Reply #2 on: April 19, 2015, 12:56:02 PM »
Uninstall Chrome

Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants. We need to resolve this.

1. If you have bookmarks, let's save them by exporting them - Export Bookmarks
2. Then I need you to go Google Sync and sign into your account
3. Scroll down until you see the "Stop and Clear" button and click on the button. At the prompt click on "Ok"
4. Now we need to uninstall Chrome via Control Panel.
Note: When asked about user data or settings you must remove this also, so please check the box.
5. We will re-install on completion

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
Quote
CreateRestorePoint:
ShellIconOverlayIdentifiers: [KAVOverlayIcon] -> {014F27E2-6D75-4E42-A0E9-2A2C68498AFA} =>  No File
ShellIconOverlayIdentifiers-x32: [KAVOverlayIcon] -> {014F27E2-6D75-4E42-A0E9-2A2C68498AFA} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2015-04-09 20:18 - 2015-04-09 20:18 - 00000000 ____D () C:\ProgramData\{77ebd638-94af-9879-77eb-bd63894a58e2}
2015-04-09 20:02 - 2015-04-09 20:03 - 00000000 ____D () C:\ProgramData\331833178660016186
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: {A28525C8-F8E3-4044-982F-2DCFB5200104} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-06-22] (Google Inc.)
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Users\PeTer\AppData\Roaming\TaobaoProtect\
C:\Program Files (x86)\Google\Chrome
C:\Users\PeTer\AppData\Local\Google\Chrome
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that.
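A read-only triage script, added here as an example and not part of the thread or of FRST, that inspects the same places the fixlist above acts on (the Chrome policy key flagged "Policy restriction", the HKCU proxy values cleared by RemoveProxy:, scheduled tasks, and the BITS jobs cancelled by bitsadmin /reset) before anything is changed. It assumes an elevated PowerShell session on Windows 8 or later (for Get-ScheduledTask).

```powershell
# Added triage script; not code from the thread or from FRST. Reports only, changes nothing.
# Assumes: elevated PowerShell, Windows 8+ (ScheduledTasks module), BitsTransfer module present.

function Get-ChromePolicyEntries {
    # The fixlist line "CHR HKLM\SOFTWARE\Policies\Google: Policy restriction" refers to this key.
    # Chrome applies every value under it as enforced policy (e.g. forced extension installs),
    # and a home machine normally has no such key at all.
    $base = 'HKLM:\SOFTWARE\Policies\Google'
    if (-not (Test-Path $base)) { return @() }
    $keys = @(Get-Item -Path $base) + @(Get-ChildItem -Path $base -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = ($key.PSPath -replace '^.*::', '')
                Name  = $name
                Value = $key.GetValue($name)
            }
        }
    }
}

function Get-ProxySettings {
    # RemoveProxy: in the fixlist clears these values; record them before they are gone.
    $p = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Get-ItemProperty -Path $p | Select-Object ProxyEnable, ProxyServer, AutoConfigURL
}

function Get-SuspiciousTaskActions {
    # Tasks whose action runs from ProgramData or a profile's AppData (the folders the
    # fixlist deletes) are worth a look; signed vendor updaters usually live under Program Files.
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if ($a.Execute -match '(?i)\\(ProgramData|AppData)\\') {
                [pscustomobject]@{
                    Task = $task.TaskPath + $task.TaskName
                    Execute = $a.Execute
                    Args = $a.Arguments
                }
            }
        }
    }
}

function Get-AllUsersBitsJobs {
    # bitsadmin /reset /allusers cancels every BITS job; list them first so a malicious
    # downloader job is not lost as evidence.
    Import-Module BitsTransfer
    Get-BitsTransfer -AllUsers | Select-Object JobId, DisplayName, JobState, OwnerAccount
}

Write-Host '== Chrome policy values ==';  Get-ChromePolicyEntries   | Format-Table -AutoSize
Write-Host '== Proxy settings (HKCU) =='; Get-ProxySettings         | Format-List
Write-Host '== Tasks run from ProgramData/AppData =='; Get-SuspiciousTaskActions | Format-Table -AutoSize
Write-Host '== BITS jobs (all users) =='; Get-AllUsersBitsJobs      | Format-Table -AutoSize
```

Save the output alongside the FRST log; an empty Chrome policy listing and no tasks under ProgramData or AppData after the fix is the result you want to see.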