Author Topic: Failing downloads with Avast 2015.10.2.2215 in Windows 8.1 (both 32 and 64bit)  (Read 11936 times)

Offline heikwith

  • Jr. Member
  • **
  • Posts: 88
See also https://forum.avast.com/index.php?topic=168376.60

All my downloads never end or are wrong with enabled Avast.
With disabled Avast no problems anymore.
I already did an Avast clean install but no success.
Right after the clean install the automatic updates do not work and Avast tells me that Avast was "already up to date (current version 150323-0)"
Immediately after disabling Avast the automatic update to current update 150419-1 was done.
As these updates are also downloads within Avast itself, I think Avast has also download problems.

I will now run the first three programs and attach the logs resulting from running them
requested in https://forum.avast.com/index.php?topic=53253.0
« Last Edit: April 21, 2015, 09:38:18 AM by heikwith »

Offline heikwith

  • Jr. Member
  • **
  • Posts: 88
MBAM scan log:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scandatum: 21-04-15
Scantijd: 10:54:34
Logbestand:
Beheerder: Ja

Versie: 2.01.4.1018
Malware Gegevensbestand: v2015.03.25.03
Rootkit Gegevensbestand: v2015.04.20.01
Licentie: Premium
Malwarebescherming: Ingeschakeld
Kwaadaardige Website Bescherming: Ingeschakeld
Zelfbescherming: Uitgeschakeld

Besturingssysteem: Windows 8.1
Processor: x86
Bestandssysteem: NTFS
Gebruiker: DH

Scantype: Bedreigingsscan
Resultaat: Geannuleerd
Objecten Gescand: 62314
Verstreken Tijd: 9 m, 25 s

Geheugen: Ingeschakeld
Opstarten: Ingeschakeld
Bestandssysteem: Ingeschakeld
Archieven: Ingeschakeld
Rootkits: Uitgeschakeld
Heuristiek: Ingeschakeld
POP: Ingeschakeld
POA: Ingeschakeld

Processen: 0
(Geen kwaadaardige items gedetecteerd)

Modules: 0
(Geen kwaadaardige items gedetecteerd)

Registersleutels: 0
(Geen kwaadaardige items gedetecteerd)

Registerwaardes: 0
(Geen kwaadaardige items gedetecteerd)

Registerdata: 0
(Geen kwaadaardige items gedetecteerd)

Mappen: 0
(Geen kwaadaardige items gedetecteerd)

Bestanden: 0
(Geen kwaadaardige items gedetecteerd)

Fysieke Sectoren: 0
(Geen kwaadaardige items gedetecteerd)


(end)

N.B. Avast says that FRST.exe is a virus Win32:Evo-gen [Susp] and moved it into quarantine
Farbar scan logs attached
AswMBR.txt attached
« Last Edit: April 21, 2015, 02:22:54 PM by heikwith »

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48552
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Reported to Mods and essexboy has also been alerted.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
System is infected.
Chrome has been changed to a developer version.
This allows the install of all kinds of malicious things without the user's knowledge.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Quote
N.B. Avast says that FRST.exe is a virus Win32:Evo-gen [Susp] and moved it into quarantine
nope ....  Win32:Evo-gen [Susp]  = Suspicious

Anyway this happens after every update and is mentioned in the instructions   ;)

Offline heikwith

  • Jr. Member
  • **
  • Posts: 88
Quote
System is infected.
Chrome has been changed to a developer version.
This allows the install of all kinds of malicious things without the user's knowledge.

What is the infection ?
Why is that not found by Avast, HitmanPro,  HitmanProAlert and Malwarebytes ?
Same download problems in my production system (w8.1 64bit) where never chrome Dev installed !!
What do I have to do next ?

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Do nothing for now.
Do not change anything on your system.
Wait for Essexboy (or one of the other malware fighters) to come in and help you.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Uninstall Chrome

Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants. We need to resolve this.

1. If you have bookmarks, let's save them by exporting them - Export Bookmarks
2. Then I need you to go to Google Sync and sign into your account
3. Scroll down until you see the "Stop and Clear" button and click on the button. At the prompt click on "Ok"
4. Now we need to uninstall chrome via control panel.
Note: When asked about user data or settings you must remove this also so please check the box.
5. We will re-install chrome on completion

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-1313486300-383554538-1755246245-1001\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1313486300-383554538-1755246245-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing.
2014-11-28 11:33 - 2014-11-28 11:33 - 0000038 ___SH () C:\Users\DH\AppData\Local\69ff07055291669bb2b218.72821112
2013-05-03 09:51 - 2013-05-03 09:51 - 0000037 ___SH () C:\Users\DH\AppData\Local\70149b02515b3bb20dd492.47983420
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Users\DH\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{095A2EEC-F7FE-42E8-96FB-C20E53081908}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{0E55CBE1-B06A-49B6-AD8D-9EFAA0160C6F}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\DH\AppData\Local\Google\Update\1.3.25.5\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{1BEAC3E3-B852-44F4-B468-8906C062422E}\localserver32 -> C:\Users\DH\AppData\Local\Google\Chrome SxS\Application\44.0.2373.0\delegate_execute.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{218D2740-5A50-42A8-AB9F-62FF1B168782}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Users\DH\AppData\Local\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Users\DH\AppData\Local\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{320F0FDB-BE0A-4648-9D18-4A2C3448C007}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Users\DH\AppData\Local\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\DH\AppData\Local\Google\Update\1.3.24.15\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\DH\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\DH\AppData\Local\Google\Update\1.3.26.9\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\DH\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\DH\AppData\Local\Google\Update\1.3.25.11\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{DB25D157-76D4-41C1-97B5-359E4A4CECEB}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Users\DH\AppData\Local\Google\Update\1.3.26.9\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\DH\AppData\Local\Google\Update\1.3.26.9\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-1313486300-383554538-1755246245-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\DH\AppData\Local\Google\Update\1.3.24.7\psuser.dll No File
Task: {A1C990A1-F84E-402B-938A-BFB8E6376D86} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-11-01] (Google Inc.)
Task: {E1F27315-3F97-49E7-B846-0C5BDDD44229} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-11-01] (Google Inc.)
Task: {FCD8B703-C2C3-4FAC-A458-ACC2E12FD397} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1313486300-383554538-1755246245-1001UA => C:\Users\DH\AppData\Local\Google\Update\GoogleUpdate.exe [2014-11-01] (Google Inc.)
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1313486300-383554538-1755246245-1001Core.job => C:\Users\DH\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1313486300-383554538-1755246245-1001UA.job => C:\Users\DH\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\DH\AppData\Local\Google\Update
C:\Users\DH\AppData\Local\Google\Chrome
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.
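
A way to review a fixlist like the one above before running it, as an added example that is not part of essexboy's post and not FRST code. The category names and the reading of each line type (for instance that a bare path line means that file or folder is removed) are assumptions; the sample lines are constructed from the quoted fixlist with the SID shortened to a placeholder.

```python
import re
from collections import Counter

# Constructed sample in the format of the fixlist quoted above; the SID is
# shortened to a placeholder.
SAMPLE = r"""CreateRestorePoint:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CustomCLSID: HKU\S-1-5-21-X_Classes\CLSID\{095A2EEC-F7FE-42E8-96FB-C20E53081908}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-X_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\DH\AppData\Local\Google\Update\1.3.25.5\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-X_Classes\CLSID\{1BEAC3E3-B852-44F4-B468-8906C062422E}\localserver32 -> C:\Users\DH\AppData\Local\Google\Chrome SxS\Application\44.0.2373.0\delegate_execute.exe (Google Inc.)
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Users\DH\AppData\Local\Google\Chrome
EmptyTemp:"""

# "CustomCLSID: <key> -> <target>" and "Task: <key> => <target>"
ENTRY_RE = re.compile(r"^(?:CustomCLSID|Task): (?P<key>.+?) [-=]> (?P<target>.*)$")

def classify(line):
    """Return (category, detail) for one fixlist line (assumed semantics)."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if m:
        target = m.group("target").strip()
        # "No File" / "No File Path": the registration points at nothing.
        if target == "No File Path" or target.endswith("No File"):
            return "orphan", m.group("key")
        return "live", target           # target exists: working software
    if "Policy restriction" in line:
        return "policy", line.split(":", 1)[0]
    if re.match(r"^(Reg|CMD): ", line):
        return "command", line          # runs a command on the machine
    if re.match(r"^[A-Za-z]:\\", line):
        return "delete-path", line      # bare path line
    if re.match(r"^\w+:$", line):
        return "directive", line        # e.g. CreateRestorePoint:, EmptyTemp:
    return "other", line

def summarize(text):
    """Count lines per category and list targets that still exist on disk."""
    rows = [classify(l) for l in text.splitlines() if l.strip()]
    return Counter(c for c, _ in rows), [d for c, d in rows if c == "live"]

if __name__ == "__main__":
    counts, live = summarize(SAMPLE)
    print(dict(counts))
    for target in live:
        # "Chrome SxS" is the directory Chrome Canary installs into.
        note = "  <- Canary side-by-side install" if "Chrome SxS" in target else ""
        print("still present:", target + note)
```

The "live" and "delete-path" rows are the ones to confirm with the machine's owner first, since they touch software that is still installed.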

Offline heikwith

  • Jr. Member
  • **
  • Posts: 88
essexboy,
Just to be sure, yes I did this myself.
I changed my BETA Chrome version into the Development Build.
This was a test to change Chrome builds in the flight.

Thereby I hope, you saw there was on this system also a CANARY build of Chrome.
This was a test to run two Chrome builds together (DEV and Canary) and this was successful.
So I want to have this also in the future.

On another Vista system running in triple mode on this same hardware I have also two Chrome builds together (Beta and Stable) and this runs also without problems.
The third system on this same hardware is a windows 10 system.

So our failing download w8.1 32bit system runs together in triple boot mode with this Vista and Win10.
The also failing download W8.1 64bit production system runs on separate hardware and has only a stable chrome build running.

Further I must tell you that the failing download 8.1 32bit system for which you created the above FRST statements is already changed because of automatic update changes like the automatic Avast software updater and the automatic updaters of Chrome, Firefox and Windows Update.
Sorry, but because of testing also as much as possible is done automatically there.

To solve the download problems on my 32bit 8.1 system I am ready to lose (temp) the 2 Chrome builds (Dev and Canary).

Now you know this, can I go on with the above FRST fixlist.txt or are you going to change something?

I am writing this on that Vista system and in an hour or so I am going to boot in my failing download 32bit 8.1 test system and will read your answer.

Offline Endt

  • Avast team
  • Full Member
  • *
  • Posts: 141
Hello heikwith,

thank you for your bug report! This is definitely not expected behavior :(. Could you please generate a support package (download link and basic how-to at https://www.avast.com/en-us/faq.php?article=AVKB33 , please don't forget to tick the option 'Automatically send to Avast') and post the package id here?

Thank you for your cooperation,
B.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Nope as you are running the developer builds intentionally then do not use the fix.  Otherwise I found no malware problems

Offline heikwith

  • Jr. Member
  • **
  • Posts: 88
Quote
Nope as you are running the developer builds intentionally then do not use the fix.  Otherwise I found no malware problems

Ok, essexboy thanks
Going to create the requested bug report

Offline heikwith

  • Jr. Member
  • **
  • Posts: 88
Quote
Hello heikwith,

thank you for your bug report! This is definitely not expected behavior :(. Could you please generate a support package (download link and basic how-to at https://www.avast.com/en-us/faq.php?article=AVKB33 , please don't forget to tick the option 'Automatically send to Avast') and post the package id here?

Thank you for your cooperation,
B.

What do you want ?
First the update to 2015 R2SP2 (2015_10_2_2218) or stay at Avast 2015.10.2.2215 SP1

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
You could update to see if the problem is resolved, if not then run the support package

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
The link that Endt posted is to an older version of the report generator.
This is the latest one:
http://public.avast.com/supp/util/avastsupportR2.exe