spam web pages hijacking my browser! -- part deux

[FortKnox]

This is in response to http://forum.avast.com/index.php?topic=96087.msg766201#msg766201

Attached is the log from performing a quick scan.   As you can see, not very enlightening.  I think I'll run a full scan next while I shower and eat lunch...

Jeff Knox

[FortKnox]

Oh yes, and I forgot to say that even on the Avast forum pages, Avast keeps popping up for almost every page saying "threat has been detected."  Really?  I kinda find that hard to believe, so I'm updating the program & virus definitions now-- oh, huh, "already up to date" on both.  What the...  And instead of my having to remember to attempt to update my Avast software and definitions every so often, wouldn't it be GREAT if that happened automatically?  But if it keeps yapping at me that a "threat has been detected" on almost every forum page on an anti-malware site, methinks something's rotten in Denmark...

[FortKnox]

"Full system scan completed, no infected files."  Just coming to the forum to post that one sentence invoked two instances of "threat has been detected."  Ugh.

[essexboy]

Hi lets look deeper than MBAM can see

 Download OTL  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
  
• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    
  • Post both logs

THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.
 Double click the aswMBR.exe to run it  Click the "Scan" button to start scan 



On completion of the scan click save log, save it to your desktop and post in your next reply

[FortKnox]

Step 1 complete, attached are the logs. (and many much thanks for the help thus far)

[essexboy]

Does this happen no matter what browser you use ?

Could you attach a screenshot of the avast alert popup please

[FortKnox]

Step 2 complete!  As to the browser, I dunno as I'm currently only using Google Chrome, but I have other installed that I could use.  Screenshot coming right up, sahr...

[essexboy]

Yes could you try the other browsers to see if it is common to all

[FortKnox]

Here's the popup.  (whoops-- didn't like it as a half-meg BMP, let's try a 40K JPG)  I'll switch back to Firefox for awhile...

[FortKnox]

Haven't seen it in Firefox yet, but... *sigh*... "Your browser does not support all features of Google Docs. If you are having problems, try Google Chrome."

[essexboy]

OK if you do not get it in IE then it is a chrome problem.  Now the way chrome is constructed makes it very difficult to determine the actual miscreant.

In the cases where it is chrome only misbehaving the fastest and easiest way is to totally uninstall using Revo uninstaller and then reinstalling

[FortKnox]

Okay, I was totally scared since I've invested much time in installing Chrome extensions, getting the toolbar just the way I like, it had all my saved passwords, etc., etc.  But I took the plunge, uninstalled using Revo, and upon re-installation everything came back just like it had never left!  That is the bomb!  And where coming to this Avast forum post before in Chrome was setting off all kinds of Avast warnings, this time all's good, so it appears that was the needed trickery.  WHEW!  THANKS SO MUCH FOR THE HELP!  Now, in order to help make Chrome better, should I post a link to this thread anywhere?   THANKS AGAIN!

[FortKnox]

I really don't think I have.

[essexboy]

Could you wait untill tomorrow as I want to be sure that it has gone.  If you are happy I will then remove my tools and see if I can determine where the miscreant was hiding (that may require one more OTL scan for comparison)

[FortKnox]

No problem, I'm free all day tomorrow.  I may not be on the laptop all day in order to have a back-and-forth forum conversation like this, but I'll be able to spend some time on it.  Thanks again!