need help with: http://differentia.ru/diff.php and http://disorderstatus.ru/

[REDACTED]

I started receiving alerts after I borrowed my friend's pendrive. How do I fix this? The alert is annoying as it keeps popping up every few seconds. Thank you in advance

[magna86]

Hello,

Please post the FRST logs and I will target them and remove. 

https://forum.avast.com/index.php?topic=53253.0

[REDACTED]

Here they are

[magna86]

Hello,

You have active malware on board and this may take some time...or not, we'll see. 

First you need to uninstall the following mal. software;
- Search App by Ask


Then let's do some cleaning ...





1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Start

RemoveProxy:
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:62761;https=127.0.0.1:62761
Tcpip\Parameters: [DhcpNameServer] 122.255.99.228 122.255.99.236

CreateRestorePoint:
CMD: bitsadmin /util /setieproxy localsystem NO_PROXY RESET

CloseProcesses:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Task: {DC2EF05D-8CDB-47E1-9131-08DDEE8E7B11} - System32\Tasks\LinkBuilder-S-2151721119 => c:\programdata\trusted publisher\systemssupport\LinkBuilder.exe <==== ATTENTION
Task: {FA4BDF02-3C78-4CD7-B0C5-2B107F229995} - \GPUP -> No File <==== ATTENTION
Task: C:\Windows\Tasks\LinkBuilder-S-2151721119.job => c:\programdata\trusted publisher\systemssupport\LinkBuilder.exeT/schedule /profile c:\programdata\trusted publisher\systemssupport\2151721119.ini <==== ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
CHR HKLM\...\Chrome\Extension: [aaaaaiabcopkplhgaedhbloeejhhankf] - C:\ProgramData\AskPartnerNetwork\Toolbar\Shared\CRX\aaaaaiabcopkplhgaedhbloeejhhankf.crx [2015-01-31]
CHR HKLM-x32\...\Chrome\Extension: [aaaaaiabcopkplhgaedhbloeejhhankf] - C:\ProgramData\AskPartnerNetwork\Toolbar\Shared\CRX\aaaaaiabcopkplhgaedhbloeejhhankf.crx [2015-01-31]

Hosts:
c:\programdata\trusted publisher
C:\ProgramData\AskPartnerNetwork
C:\ProgramData\msvhzuru.exe

EmptyTemp:
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.







.



.




Then additional hardcoded antirootkit tool. Make shure you do run fixdamage tool as instructed no meter if malware is detected or not.



Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
For full instructions how MBAR works, read this article


> Doubleclick on the MBAR file () and allow it to run.
•  Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
•  mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
•  After reading the Introduction, click Next if you agree.

•  On the Update Database screen, click on the Update button. Once you see 'Success: Database was successfully updated' click on Next
•  Under Scan Targets ensure all boxes are ticked. Then click the Scan button.

Notice: with some infections, you may see two messages boxes:
-  'Could not load protection driver'. Click 'OK'.
-  'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

>>  If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.

>>  If an infection/s are found ensure Create Restore Point are ticked. Then select the "Cleanup! button to remove threats.
•  The clean up procedure will be scheduled for process, pop-up will be shown.
Select the Yes button and the system should re-boot to complete the cleaning process.


>>  Notice: only if an RootKit are detected, ensure to run fixdamage.exe tool located in mbar folder, \Plugins\fixdamage.exe
- Run fixdamage.exe, at the black window to continue type Y (alias for Yes). Wait few seconds for execution ...
- When you see "press any key to exit" fix is completed, press any key to close the window. Reboot the system.




> The following reports will be created in mbar folder:
1. mbar-log-year-month-day (hour-minute-second).txt
2. system-log.txt

Please post both logs in your next reply.

[REDACTED]

Sorry for the late reply, was busy with work. I can't seem to uninstall Search App by Ask because when I try to, an error pops out saying that I need to close Google Chrome in order to proceed even though Chrome isn't even open. I even tried to restart my laptop and immediately went to uninstall the program before doing anything but it didn't work. The extensions in the Chrome settings also doesn't seem to list an extension for Search App by Ask. So how do I uninstall the program?

[REDACTED]

Since there was no reply, I just went through with the steps. Here are the logs

[magna86]

Hello,

Well, in that case you should went in system tray and close Google Chrome, BC his process is still running.

You have posted MBAR's logfiles. And where is FRST's FixList logfile?

[REDACTED]

I managed to delete Search App by Ask after following your instruction. Here is the fixlog

[magna86]

Nice, Now we will preform USB cleaning and system re-check.




Please download MCShield from one of the following links:

MCShield -Official download link

• Double click on MCShield-Setup to install the application.
  Next => I Agree => Next => Install ... per installation click on Run! button.
  
• Wait a few seconds to MCShield finish initial HDD scan...
• Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
• When all scanning is done, you need to post a logreport that MCShield has created.

Under Logs tab (in Control Center) for AllScans.txt log section click on Save button. AllScanst.txt report shall be located on your Desktop.

=> Post here AllScanst.txt


Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.




.






Please download Zoek tool by Smeenk () from here and save it to your Desktop.
Unpack the archive...

• Close any open browsers and temporarily disable your AntiVirus program. (if it is necessary)
  If you are unsure how to do this please read this or this Instruction.
  
  
• Double click on zoek.exe to run the tool. Please wait while the tool does not start...
  
• Click on More Options and chech box only for AutoClean;
  
• Click on button.
  Please wait until a logreport will open (this can be after reboot)
  
  
• Save notepad to your Desktop and attach here zoek-results.log
  Note: It will also create a log in the C:\ directory named "zoek-results.log"
  

[REDACTED]

here are the logs

[magna86]

Hello,

You did not posted the AllScans.txt logfile. Bdw, what is the situation now?