5 Simultaneous Instances of Threat Detected several times a day.

Hi Avast Community!

I’m having a wee bit of trouble lately. Several times throughout the day for the past couple I am receiving messages from Avast. 5 websites show up every time, though not always the same ones. This happens periodically throughout the day, even if I am not currently actively using my browser. I have run a full system scan and Avast finds nothing out of place, but obviously something is trying to access these websites. It says they are attempting to be accessed through Mozilla Firefox. I will list the websites here from my log file; I do NOT recommend visiting these.

LINKS REMOVED AS REQUESTED (I don’t know how to disable them, so they’re gone for now.)

If anyone could help me figure out what is trying to attack my computer so I can get rid of it, I would be very very happy.

Hi, looks like malware calling home.

Please follow this topic:

http://forum.avast.com/index.php?topic=53253.0

Please attach MBAM/OTL and aswMBR. After that I can fetch a remover to help you.

Also, remove/disable those links now please.

I removed the links, and I’m reading through yours now. I’ll reply again when I finish. Thanks!

I did as you stated and attached all the log files here. I have a couple of questions:
Malwarebytes found some things and deleted them. The other post stated this does not mean I am clean. I imagine somebody will be letting me know if I am. However:

  1. I have used my thumb drive lately, will I need to format/scan it?
  2. A friend has used their thumbdrive in my laptop today, will they have to take action with their thumb drive or computer?
  3. Obviously this somehow got through my avast shields in the first place, what can I do to avoid having this issue/similar issues again?

Also, again, Thanks for all the help so far. :smiley:

1. I have used my thumb drive lately, will I need to format/scan it?
You and your friend should install the MCShield USB protector: www.mcshield.net

Malware removers are notified; it may take some hours before they are online…

I’m on it …

@Brendavid
Install MCShield tool as Pondus recommended.
Then Start → All Programs → MCShield → Logs
Attach here → AllScans.txt log report.


Re-run OTL.exe.

  1. Copy and paste the following text into the Custom Scans/Fixes box.

:COMMANDS
[CREATERESTOREPOINT]

:FILES
dir C:\ProgramData\20345a06664467dd /c
dir C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69 /c
ipconfig /flushdns /c
C:\Program Files (x86)\Ask.com
C:\Program Files (x86)\uTorrentControl_v2
C:\Windows\*.tmp
C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\*.tmp
C:\$Recycle.bin\S-1-5-21-544822225-780793560-1627922368-1001

:OTL
IE - HKLM\..\URLSearchHook: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTo0.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {006ee092-9658-4fd6-bd8e-a21a348e59f5}
IE - HKLM\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/?publisher=SnapdoOpenCandy&dpid=SnapdoOpenCandy&co=US&userid=d3bcb97e-1a8e-41f5-974f-11b9c6eed6f8&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-544822225-780793560-1627922368-1001\..\URLSearchHook: {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTo0.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-544822225-780793560-1627922368-1001\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/?publisher=SnapdoOpenCandy&dpid=SnapdoOpenCandy&co=US&userid=d3bcb97e-1a8e-41f5-974f-11b9c6eed6f8&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-544822225-780793560-1627922368-1001\..\SearchScopes\{4BCFF20B-32AB-4F34-8708-79017ED1204C}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
O2 - BHO: (uTorrentControl_v2 Toolbar) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTo0.dll (Conduit Ltd.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3:64bit: - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKU\S-1-5-21-544822225-780793560-1627922368-1001\..\Toolbar\WebBrowser: (uTorrentControl_v2 Toolbar) - {7473B6BD-4691-4744-A82B-7854EB3D70B6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTo0.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-544822225-780793560-1627922368-1001\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
O15 - HKU\S-1-5-21-544822225-780793560-1627922368-1001\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-544822225-780793560-1627922368-1001\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-544822225-780793560-1627922368-1001\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-544822225-780793560-1627922368-1001\..Trusted Domains: sony.com ([]* in Trusted sites)
O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O33 - MountPoints2\{1a60f4ac-e256-11e1-ad81-446d5752e7f6}\Shell - "" = AutoRun
O33 - MountPoints2\{1a60f4ac-e256-11e1-ad81-446d5752e7f6}\Shell\AutoRun\command - "" = E:\TL_Bootstrap.exe
O33 - MountPoints2\{2563c13b-0cb0-11e2-b632-446d5752e7f6}\Shell - "" = AutoRun
O33 - MountPoints2\{2563c13b-0cb0-11e2-b632-446d5752e7f6}\Shell\AutoRun\command - "" = F:\LaunchU3.exe

:COMMANDS
[EMPTYTEMP]

  2. Then click the Run Fix button at the top.
  3. Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

----- Next -----

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

  1. Click on the Scan button.
  2. After the scan has finished, click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  3. After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  4. The logfile will also be saved in the C:\AdwCleaner folder.

----- Re-check -----

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

  1. Double-click to run it. When the tool opens, click Yes to the disclaimer.
  2. Under Optional Scan, ensure “Driver MD5” is ticked.
  3. Press the Scan button.
  4. It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  5. The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
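As an added example (not from this thread, and not part of OTL, Avast or any of the tools above), here is a small Python triage of OTL-style report lines like the ones in the fix script: it classifies BHO, toolbar, Run-key, Trusted-sites and MountPoints2 AutoRun entries so a defender can see at a glance which browser hooks, autostarts and removable-drive commands a fix like the one above targets. The sample lines are copied from the script in this thread; the parser, the `Finding` type and the classification notes are my own assumptions about the report format.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Sample lines copied from the OTL fix script in this thread (a constructed subset of it).
SAMPLE_OTL = r"""
O2 - BHO: (uTorrentControl_v2 Toolbar) - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTo0.dll (Conduit Ltd.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3:64bit: - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
O15 - HKU\S-1-5-21-544822225-780793560-1627922368-1001\..Trusted Domains: sony.com ([]* in Trusted sites)
O33 - MountPoints2\{2563c13b-0cb0-11e2-b632-446d5752e7f6}\Shell\AutoRun\command - "" = F:\LaunchU3.exe
"""
LINE_RE = re.compile(r"^(O\d+)(?::64bit:)? - (.*)$")   # "O2 - ..." or "O3:64bit: - ..."
CLSID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")
VENDOR_HINTS = ("Conduit", "Ask")   # toolbar vendors named in the thread's fix script
KINDS = ("bho", "toolbar", "run", "trusted_domain", "autorun")

@dataclass
class Finding:
    kind: str              # one of KINDS
    detail: str            # the entry as OTL printed it (or the AutoRun target)
    clsid: Optional[str]   # lower-cased CLSID when the line carries one
    note: str              # why a defender looks at this entry

def parse_otl_line(line: str) -> Optional[Finding]:
    # Classify one OTL report line; lines this triage does not cover yield None.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    c = CLSID_RE.search(body)
    clsid = c.group(0).lower() if c else None
    if section == "O2":
        vendor = any(v in body for v in VENDOR_HINTS)
        return Finding("bho", body, clsid, "BHO from a toolbar vendor" if vendor else "BHO")
    if section == "O3":
        orphan = "No CLSID value found" in body
        return Finding("toolbar", body, clsid, "orphaned toolbar registration" if orphan else "registered toolbar")
    if section == "O4":
        return Finding("run", body, clsid, "autostart entry under a Run key")
    if section == "O15":
        return Finding("trusted_domain", body, clsid, "domain added to the IE Trusted sites zone")
    if section == "O33" and r"\AutoRun\command" in body:
        target = body.split("=", 1)[1].strip()
        return Finding("autorun", target, clsid, "AutoRun command recorded for a removable drive")
    return None

def triage(report: str) -> dict:
    # Group every recognised line of a report by kind, preserving line order.
    found = [f for f in map(parse_otl_line, report.splitlines()) if f]
    return {k: [f for f in found if f.kind == k] for k in KINDS}
```

Call `triage()` on a full OTL report to list the same categories; the "" = AutoRun lines without a command are deliberately skipped, since the command line beneath them carries the executable that matters.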

@Magna86

I’ve done as you’ve instructed and I’m attaching all the logs here. Sorry about it taking so long for me to get around to it; I’m a college student and it unfortunately happens to be finals week. I went ahead and scanned both my thumb drive and my friend’s on my computer.

Also curious as to what the OTL custom fix did. I noticed it had some stuff about uTorrent and Ask.com. The first two reboots my mouse was scrolling slower and I would have a black screen on startup. Both of those have now gone away after the third reboot in the process.

anywho, Thanks again, and files attached! It will only let me attach 4, so I’ll split them into two posts. Here’s the stuff from the first few steps.

@Magna86

Here’s the other 2 logs from Farbar.

Posted FRST logs look good, as the OTL script did its job. How is your computer running now?

All seems rather well. My startup was slightly faster. Anything that seemed a little buggy after the OTL script corrected itself in a couple of restarts. Avast hasn’t poked me lately, so I haven’t heard from whatever was trying to access those sites since I ran the Malwarebytes scan. In the past this hasn’t meant I was totally clean, but I imagine that’s what all the other stuff was for. So, all seems normal on my end.

Whaddya think?

You are malware free. :slight_smile: Posted logs now appear clean and show no signs of active infection.

A good workman always cleans up after himself.
The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:

  - Remove disinfection tools
  - Create registry backup
  - Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.


To help your antivirus protect your computer and speed it up, I recommend that you download, install and keep the following free programs:

  1. Keep Malwarebytes Anti-Malware, update it regularly or from time to time, and run a Quick Scan weekly.
    Malwarebytes will detect and remove all traces of known malware. MBAM isn’t an antivirus and it can NOT replace one.

  2. Keep MCShield Anti-Malware; the tool will be updated regularly and perform automatic checking for malware on each attached USB memory device.
    MCShield has been designed as a lightweight scanner that’s smart enough to catch even new worms and work in fully automatic removal mode.

  3. Temp File Cleaner, aka TFC, by OldTimer. It’s recommended to delete temporary files every once in a while.
    TFC is a small and useful utility that cleans up temp files from all user profiles and system folders.
    Run the tool and click on the Start button, and TFC will begin to clean. Then restart the computer.


How to protect yourself?

  1. Adjust avast! to target PUP software:
    Run avast! 2014 by clicking the system tray icon in the lower right corner of the screen.
    Click on Settings; in the new window that opens, click on Active Protection, then under File System Shield click on the gear wheel…
    Under the Sensitivity part of the options, check the box for Scan for potentially unwanted programs (PUP).

  2. avast! Software Updater. Run avast!, click on Tools > Software Updater.
    For security reasons, make sure you do update your browser(s), Java, Flash Player, and basically every piece of software you use often.

  3. avast! Browser Cleanup. Run avast!, click on Tools > Browser Cleanup.
    The Browser Cleanup tool is an integrated tool in avast! AV that gives you control over unwanted browser add-ons.

  4. avast! Malware Scan. Run avast!, click on Scan and perform a Quick Scan by clicking on the Start button.
    Every once in a while, it’s recommended to perform a virus scan with avast! 2014.

@Magna86

Thank you so much for all the help. :smiley: Though, out of curiosity I ran another Malwarebytes scan after running through my usual tasks for the day. I think I may have found where I picked up some bugs before, only to apparently have picked up more in the process. Going to be avoiding such things in the future. Letting people download on my computer is a terrible idea. Maybe even letting them use it in general. Malwarebytes found a few objects; I’m going to attach the Malwarebytes log in the next post (I still need to reboot), and run through the first three steps I was initially given by alan1998.

Do kind of feel like a dunce, but at least I figured it out, I think. Would you mind helping me a little further? I’m an illustration major, if you’d like, I wouldn’t mind doing a small drawing request for your continued patience and my continued, erm, ignorance to internet safety.

Your suggestions on how to protect myself seem all like great ideas, I will be adhering to them, and be a little more strict about what happens with my computer.

Here’s the logs. Guess this is round II.

MBAM has just detected the leftovers. Non-active items… OTL is clean, and aswMBR doesn’t show rootkit activities. :wink:

Proceed with execution of DelFix program.

Oh, well, thank you very much. :smiley: I will do so and let you know how things are going.

I did all the extra things you suggested, cleaned up everything, changed avast settings, downloaded TFC. Everything seems to be running just fine and I haven’t gotten any alerts from Avast lately. It seems everything is in order. Thank you so so much. :smiley: I’ll take better care of my computer.

Did you want that drawing for all your help?

I’m glad I could help. :wink: