"A threat has been detected"

Hello all,

Well, the title of this thread is roughly how I would translate this message that has kept popping up on my Avast for the past few days (I am a European French-speaker, hence Avast is set up in French here :-p)

The threat in question seems to be malware (a “malicious url address”) and/or a trojan horse, depending on the moment.

I have followed the advice given in the top thread of this section, i.e. I have downloaded Malwarebytes and made a full scan (after the quick scan had found nothing).

Two suspicious elements were found, which I promptly deleted.

Unfortunately, the warning message has kept coming back, so I have performed a second full scan and once again deleted the suspicious elements.

After this I have downloaded OTS, scanned my PC with it and downloaded the log (should I post it here?).

Needless to say that the “threat” keeps coming back…I even received 14 such messages consecutively at one point…

As I use this computer mainly for work, any help from you would be greatly appreciated (please bear in mind that I am not exactly a tech or computer-savvy person…so if you could keep your explanations somewhat simple and detailed, I would be doubly grateful to you :-))

Thanks in advance!

Yes, this is the place to post it. Use the attachment function (see “additional options” when you are making a post).

Thank you for your response, Gargamel.

Things are becoming even more fun in the meantime.

I made a new scan with OTS in order to have a fresh new log, but when I wanted to save the log in my appropriately created OTS file, the ANSI format was unavailable (the box is just blank).

And when I open the OTS file or try to upload my log on here, the log doesn’t appear! The folder is empty, as if I hadn’t saved anything at all (which I guarantee I did…I even re-made an OTS scan, deleted the previous logs, saved it in several locations…but to no avail…the log gets saved…but doesn’t exist :-s…

Delete

Hi Pondus,

Not sure whether that is an advice or whether you’ve deleted your own post…

If you mean that I should delete the OTS logs, I have. At least it seems so since the folder is empty when I open it…

Too bad it isn’t when I try to save a new OTS log in said folder (in that case the previous logs do appear!)…

Basically I cannot delete OTS logs that otherwise appear invisible, and when I save new ones, they become invisible too.

All very confusing…and Avast’s malware warnings keep popping up :-p

it was just me not reading your first post well enough, so i deleted the txt

anyway it will be some time before essexboy is here…he is the OTS expert
he is usually in here at 08:00pm - 11:59pm uk time

have you tried to run a boot time scan with avast first?
if it finds and removes anything, then try OTS again…could be some new malware that is blocking OTS

OBS: you should also post the log from Malwarebytes scan, so Essexboy can see what was found/removed

Thank you Pondus.

Well it seems that I can at least have access to and post the Malwarebytes log, so in the meantime here it is.

Regards,

Lib

your malwarebytes was not updated when you did the scan…
your database: 7257 Latest database: 7315

MBAM can have 10 updates in a day, so always hit the update button before you start scanning

so update scan again, post new log if anything is found/removed

Ok thanks I will do that.

Incidentally, I also have Ad-Aware on my computer from way back…is there a risk of conflict between the latter and Malwarebytes? If so, should I uninstall Ad-Aware?

Thanks in advance.

Ok so I’ve updated Malwarebytes and done a quick scan. Two more elements were found (trojans). Attached is the log.

Avast on the other hand didn’t find anything, once again…and lo and behold, I’ve just had my first “threat detected” :-p…

Hi there, let's use a different variant then - this will download as a screensaver ;D so if you use Firefox then right click the link and select save as - do not let Avast sandbox this programme, run it normally - Attach the logs to your next post please

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs

Hello Essexboy,

Thank you for your reply.

I don’t use Firefox and I didn’t seem to find any link…HOWEVER this morning I am able again to download the log in ANSI format AND see it appear in its folder. So hereafter it is.

Looking forward to your precious help,

Lib

OK not a lot showing there so I will empty your temp files and check the MBR first

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

Hello Essexboy,

I have performed the run fix with OTS as you recommended. After a (somewhat long) while, I received a message saying that OTS had stopped working.

I turned off my computer and upon turning it on again this log (attached) opened up automatically.

Before I proceed with the next step, could you tell me if said log is of any use to you? If not, should I retry the scan fix before downloading aswMBR?

Thanks in advance.

You had a multitude of temporary files on your system - this was why it appeared to stall

Let's run another quicker programme to clear the temps and then run aswMBR

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop

[*]Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Good morning Essexboy,

I’ve performed the TFC scan as well as the aswMBR one.

Attached is the log relating to the latter.

I am looking forward to further useful guidance from you.

Lib

Are you still getting the alerts ?

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
[*]Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Well I have been on the computer all day and I haven’t received any alert…except for one, when I visited this particular website (a football forum :-p) and was told that a trojan had been blocked. I already received this message systematically in the past few days whenever I visited that page.

But other than that, no alert whatsoever so far…does this mean that the possibility of a trojan still exists, albeit remote, or that the problem lies with that website and that I should simply not visit it anymore?

To me that suggests the website has been hacked

No need to run ComboFix - but let me know tomorrow if there are any further problems

If not I will remove my tools

Hello essexboy,

So far I haven’t had any problem today either. The only alert since the clean-up, as I said, was yesterday when I visited that site. So I guess I’ll just stay away from it for some time.

Again thank you very much for your help.