Author Topic: PITA "Threat Detected" alarms  (Read 10015 times)

ehargett

  • Guest
Re: PITA "Threat Detected" alarms
« Reply #15 on: May 07, 2012, 08:51:41 PM »
OTL.txt attached.

Yes, it is still google analytics.

NOTE: Avast ran and encountered WIN32:Rloader-B again, and I deleted it, again. It also detected a Win32:Simda-FX[Trj] which, not knowing what that is, I moved to the chest. Thought I'd let you know since this is new, and I'm not entirely sure from where it came.

Thanks again,
~E

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: PITA "Threat Detected" alarms
« Reply #16 on: May 07, 2012, 09:02:04 PM »
Obviously they have more addresses than I have found so far

There is an opt out addon here for all browsers... According to the blurb it disables it https://tools.google.com/dlpage/gaoptout
There is also an adsense opt out as well http://www.google.com/ads/preferences/

All taken from this page http://www.howtogeek.com/howto/18936/keep-google-from-tracking-your-every-move-online/

If you could try those and let me know the result

ehargett

  • Guest
Re: PITA "Threat Detected" alarms
« Reply #17 on: May 07, 2012, 09:54:38 PM »
Un-bleeping-believable....
Had to manually type in the address.. Installed, restarted FF, STILL getting the alarm.

Not all url mal alarms start with google analytics, btw. Some just start out hXXp://www.google.com/search?q.....
So my question is: would uninstalling anything else work?

Offline essexboy

Re: PITA "Threat Detected" alarms
« Reply #18 on: May 07, 2012, 10:16:13 PM »
Do you use a router? Are any other computers affected?

ehargett

  • Guest
Re: PITA "Threat Detected" alarms
« Reply #19 on: May 08, 2012, 05:07:22 AM »
Yes, we use a router, but no, of the three computers, this is the only one with alarms being sent out. I just don't get it...

Offline essexboy

Re: PITA "Threat Detected" alarms
« Reply #20 on: May 08, 2012, 07:24:16 PM »
Could you do the following:

Run IE and firefox with all addons disabled... Do you still get the alerts ?

 

ehargett

  • Guest
Re: PITA "Threat Detected" alarms
« Reply #21 on: May 09, 2012, 03:49:04 AM »
Will do in the morning. Not only have I had a headache for the last several days, but we've had storms on and off today, so I've d/c our internet, so I'm responding to you right now from my Droid..
I will do as you ask, however, I thought I had tried that already. :)
Btw, I'm East Coast, USA, just for "morning" reference....
~E
« Last Edit: May 09, 2012, 03:51:54 AM by ehargett »

Offline essexboy

Re: PITA "Threat Detected" alarms
« Reply #22 on: May 09, 2012, 09:23:51 PM »
No we have not run FF in safe mode yet  ;D

ehargett

  • Guest
Re: PITA "Threat Detected" alarms
« Reply #23 on: May 10, 2012, 02:59:16 AM »
Sorry I did not respond in the morning as I previously said I would.. Had an appointment that could not be avoided.  :D Maybe these new meds will bring my BP back down (was 182/110!! - no wonder I had such a terrible headache, although I'm sure this annoying computer problem has not helped!  :P )

Anyway... Ran both IE and FF in safe mode, still get the threat detected alarms. I manually went in to both FF and IE and also made sure that each add-on was disabled before opening them back up only to get the alarm. Both will open the yahoo homepage, but will send up an alarm when anything is typed into the search field. Neither browser likes the igoogle home page and will not even load it. Neither browser will do searches using any of the popular search engines (google, yahoo, bing), but I can access webpages if typed CORRECTLY and COMPLETELY into the address bar, if that makes sense. Avast still sends up the alarm, but will actually open a webpage when the address is typed into the address field.
Ex: If I typed "avast" into the search field, I get an alarm, and a page not loaded message..
     If I typed "forum.avast.com" in the address field, I get an alarm, but the page will load..

Sure that doesn't help, but thought I'd tell you anyway.. :P

Elizabeth

Offline essexboy

Re: PITA "Threat Detected" alarms
« Reply #24 on: May 10, 2012, 07:25:27 PM »
So it is Igoogle - what happens if you deselect Igoogle as your home page

Let's see where your dns sends you

Please download SINO by Artellos.
  • Save SINO to a place you can remember and run SINO.exe. (If you downloaded the ZIP version you will need to extract it first)
  • Then please check the following checkboxes:
Quote
System Info
Services
Boot Check
Tasklist
Startup Items
Event Log
Ipconfig
Ping
Netstat
Hosts file
Shares
Routing Table

  • Once checked, hit the Run Scan! button and wait for the program to finish the scan.
  • A notepad window will pop up. Please copy all of the content into your next reply.
Note: If you try to interact with the program once it’s started scanning it might appear to hang. The scan however will continue.


ehargett

  • Guest
Re: PITA "Threat Detected" alarms
« Reply #25 on: May 16, 2012, 02:53:57 AM »
I am so sorry it had been a few days since I last responded. I actually spent Mother's Day in the hospital bc of my blood pressure. :( Hopefully we have things worked out.. with me, at least if not the computer. :D

So, you asked what happens when I deselect igoogle as the home page. Well. I get a simple Mozilla homepage with a big Google search bar in the middle. However, anything typed into that bar sends up a "Threat Detected" alarm. The yahoo home page will load, as well, but you can not "search" for anything without an alarm being sent up and the page being blocked from view. However, I can type a URL address into the address field, and if typed correctly I actually will get to the page, but I still get an alarm. See my last post for an example.
I am attaching the SINO file you requested.
Thanks for continuing to work with me on this!
Elizabeth


Offline essexboy

Re: PITA "Threat Detected" alarms
« Reply #26 on: May 16, 2012, 08:45:43 PM »
OK time for the really big boy, as all the network connections look to be good

When you generate the Analysis zip folder could you upload it to a file sharing site like Mediafire please and I will collect it from there.  The forum does not allow attachment of zip files

Download AVPTool from Here to your desktop 
   
Run the programme you have just downloaded to your desktop (it will be randomly named ) 
 
First we will run a virus scan  
 
Click the cog in the upper right 

 
 
Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan 


 
Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post
 
 
Now the Analysis
 
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information 
 

 
On completion click the link to locate the zip file to upload and attach to your next post 
 


ehargett

  • Guest
Re: PITA "Threat Detected" alarms
« Reply #27 on: May 17, 2012, 04:04:18 PM »
OK here is the txt file, and I'll have to figure out how to upload the zip, and I'll get back with you once that's done

Thanks,
Elizabeth

ehargett

  • Guest
Re: PITA "Threat Detected" alarms
« Reply #28 on: May 17, 2012, 05:53:44 PM »
And here is a link to the zip in my Dropbox:
hXXps://www.dropbox.com/s/ps09untl8kky510/avptool_sysinfo.zip

I modified link to make it inactive. LMK if you have any trouble.
Elizabeth

Offline essexboy

Re: PITA "Threat Detected" alarms
« Reply #29 on: May 17, 2012, 09:00:55 PM »
Let me know if this kills it

  • Re-run AVPTool 
  • Select the Manual Disinfection tab and press Script execution



  • Where it states Insert text script in the following box, copy the below script and press Run script
    Copy from Begin until End

Code:
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 QuarantineFile('30197298.sys','');
 DeleteService('30197298');
 StopService('30197298');
 QuarantineFile('89263039.sys','');
 QuarantineFile('C:\WINDOWS\system32\DRIVERS\30197298.sys','');
 DeleteFile('C:\WINDOWS\system32\DRIVERS\30197298.sys');
 BC_DeleteFile('C:\WINDOWS\system32\DRIVERS\30197298.sys');
 DeleteFile('89263039.sys');
 BC_DeleteFile('89263039.sys');
 BC_DeleteSvc('30197298');
 DeleteFile('30197298.sys');
 BC_DeleteFile('30197298.sys');
 DeleteFile('C:\Documents and Settings\david102\Local Settings\Temp\_uninst_40728990.bat');
 BC_DeleteFile('C:\Documents and Settings\david102\Local Settings\Temp\_uninst_40728990.bat');
 DeleteFile('C:\Documents and Settings\david102\Local Settings\Temp\_uninst_89263039.bat');
 BC_DeleteFile('C:\Documents and Settings\david102\Local Settings\Temp\_uninst_89263039.bat');
BC_ImportDeletedList;
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
  • Your system will reboot on completion, if it does not please do so yourself   
  • On completion please run another analysis scan and attach the zip file
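
An added example, not part of the original thread: a short Python audit of the AVZ script from reply #29, showing what each call targets and which files the script deletes without quarantining a copy first. SCRIPT is an excerpt copied from the post; the names parse_calls and audit are made up for this example.

```python
import re
from collections import defaultdict

# Excerpt of the AVZ script posted in reply #29 (not the full script).
SCRIPT = r"""
begin
 QuarantineFile('30197298.sys','');
 DeleteService('30197298');
 StopService('30197298');
 QuarantineFile('89263039.sys','');
 QuarantineFile('C:\WINDOWS\system32\DRIVERS\30197298.sys','');
 DeleteFile('C:\WINDOWS\system32\DRIVERS\30197298.sys');
 BC_DeleteFile('C:\WINDOWS\system32\DRIVERS\30197298.sys');
 DeleteFile('89263039.sys');
 BC_DeleteSvc('30197298');
 DeleteFile('C:\Documents and Settings\david102\Local Settings\Temp\_uninst_40728990.bat');
 DeleteFile('C:\Documents and Settings\david102\Local Settings\Temp\_uninst_89263039.bat');
RebootWindows(true);
end.
"""

# A call at the start of a line whose first argument is a quoted string.
CALL = re.compile(r"^\s*(\w+)\s*\(\s*'([^']*)'", re.M)

def parse_calls(script):
    """Return (function, first string argument) for every call that takes one."""
    return CALL.findall(script)

def audit(script):
    """Group actions per target; list files deleted with no earlier quarantine."""
    actions = defaultdict(list)
    quarantined, unquarantined = set(), []
    for func, target in parse_calls(script):
        key = target.lower()          # Windows paths are case-insensitive
        actions[key].append(func)
        if func == "QuarantineFile":
            quarantined.add(key)
        elif func in ("DeleteFile", "BC_DeleteFile") and key not in quarantined:
            if target not in unquarantined:
                unquarantined.append(target)
    return dict(actions), unquarantined

if __name__ == "__main__":
    actions, unquarantined = audit(SCRIPT)
    for target, funcs in actions.items():
        print(f"{target}: {', '.join(funcs)}")
    print("deleted without quarantine:", unquarantined)
```

Files listed as deleted without quarantine cannot be restored from AVZ's quarantine afterwards, so that list is worth reading before pressing Run script.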