Avast detects WIN32 Adware

Hello Avast Support Team,

I am using Windows 10. Yesterday every few minutes I would get the pop-up stating that WIN32 Adware threat has been detected.

  • I had run a full scan and 5 infected items were found, Avast asked me to restart the computer and scanned it again. Then asked me to move the infected items to the Chest as I was unable to delete them.
  • Today my computer was working with tons of difficulties (ran slow, different pop-ups, music started by itself)
  • I have my computer in safe mode at the moment (restarted in windows safe mode)

How can I remove the virus?

Thank you very much!

https://forum.avast.com/index.php?topic=53253.0

here are the Malwarebytes Logs

Also, Eddy should I delete all the items detected in the Malwarebytes and placed in the Quarantine?
Thank you!

Provide the Farbar logs and do not change anything on the system.
Wait till a malware remover guides you.

Here are the Farbar logs

Here is a screenshot of the Malwarebytes. It has the option to select all items and delete. Should I leave it as is for now?
Thank you

Eddy, I am doing the aswMBR.exe step now

here is the aswMBR.exe log

Perfect. Now you’ve to wait a bit.

Yes allow MBAM to delete all it finds

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
BHO: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
BHO-x32: IeWebtoptimumPlugin.BHO -> {314cc13e-2027-44ca-838b-546591a01fda} -> C:\Windows\SysWOW64\mscoree.dll [2015-10-30] (Microsoft Corporation)
BHO-x32: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security\Engine64\22.6.0.142\coIEPlg.dll No File
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\coIEPlg.dll No File
S1 MPCKpt; system32\DRIVERS\MPCKpt.sys [X]
2016-05-13 23:56 - 2016-05-13 23:56 - 00001648 _____ C:\WINDOWS\SysWOW64\apply.reg
2016-05-13 23:56 - 2016-05-13 23:56 - 00000089 _____ C:\WINDOWS\SysWOW64\apply.bat
2016-05-12 17:07 - 2016-05-13 06:55 - 00000000 ____D C:\Program Files (x86)\MPC Cleaner
2016-05-12 17:05 - 2016-05-12 17:15 - 00000000 ____D C:\Program Files (x86)\Windriver
2016-05-12 17:05 - 2016-05-12 17:06 - 00000000 ____D C:\Program Files (x86)\Sysdriver
ShortcutWithArgument: C:\Users\stela\Desktop\Blackboard Humber.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://trustedsurf.com/?ssid=1463087018&a=1003478&src=sh&uuid=36ab49da-165e-4f00-aece-424be631e8cf" --disable-quic
ShortcutWithArgument: C:\Users\stela\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Blackboard Humber.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://trustedsurf.com/?ssid=1463087018&a=1003478&src=sh&uuid=36ab49da-165e-4f00-aece-424be631e8cf"
ShortcutWithArgument: C:\Users\stela\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://trustedsurf.com/?ssid=1463087018&a=1003478&src=sh&uuid=36ab49da-165e-4f00-aece-424be631e8cf"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk -> C:\Program Files\AVAST Software\SZBrowser\launcher.exe (Avast Software) -> "hxxp://trustedsurf.com/?ssid=1463087018&a=1003478&src=sh&uuid=36ab49da-165e-4f00-aece-424be631e8cf"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://trustedsurf.com/?ssid=1463087018&a=1003478&src=sh&uuid=36ab49da-165e-4f00-aece-424be631e8cf" --disable-quic
ShortcutWithArgument: C:\Users\Public\Desktop\Avast SafeZone Browser.lnk -> C:\Program Files\AVAST Software\SZBrowser\launcher.exe (Avast Software) -> "hxxp://trustedsurf.com/?ssid=1463087018&a=1003478&src=sh&uuid=36ab49da-165e-4f00-aece-424be631e8cf"
C:\Windows\system32\DRIVERS\MPCKpt.sys
C:\Windows\SysWOW64\soft.exe
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.
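
The ShortcutWithArgument entries in the fixlist above are browser shortcuts whose launch arguments had a URL appended. As an added example (not part of the original thread and not FRST's own code), this Python parser reads such lines and groups the affected shortcuts by the host of the appended URL. The entry layout is inferred from the lines in the post, the function names are hypothetical, and the last sample line is constructed.

```python
import re
from collections import defaultdict

# Layout as it appears in the fixlist above (inferred, not an official spec):
#   ShortcutWithArgument: <.lnk path> -> <target exe> (<company>) -> <arguments>
ENTRY = re.compile(
    r'^ShortcutWithArgument:\s+(?P<lnk>.+?\.lnk)\s+->\s+'
    r'(?P<target>.+?\.exe)\s+\((?P<company>[^)]*)\)\s+->\s+(?P<args>.*)$',
    re.IGNORECASE)
# http(s) URLs, including the defanged hxxp form used in the post.
URL = re.compile(r'"?(h(?:tt|xx)ps?://[^\s"]+)"?', re.IGNORECASE)

# First three lines are copied from the post; the fourth is constructed.
SAMPLE = r'''
ShortcutWithArgument: C:\Users\stela\Desktop\Blackboard Humber.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://trustedsurf.com/?ssid=1463087018&a=1003478&src=sh&uuid=36ab49da-165e-4f00-aece-424be631e8cf" --disable-quic
ShortcutWithArgument: C:\Users\stela\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://trustedsurf.com/?ssid=1463087018&a=1003478&src=sh&uuid=36ab49da-165e-4f00-aece-424be631e8cf"
ShortcutWithArgument: C:\Users\Public\Desktop\Avast SafeZone Browser.lnk -> C:\Program Files\AVAST Software\SZBrowser\launcher.exe (Avast Software) -> "hxxp://trustedsurf.com/?ssid=1463087018&a=1003478&src=sh&uuid=36ab49da-165e-4f00-aece-424be631e8cf"
ShortcutWithArgument: C:\Users\example\Desktop\Editor.lnk -> C:\Program Files\Example\editor.exe (Example Corp) -> --safe-mode
'''

def parse_entries(text):
    """Return one dict per ShortcutWithArgument line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not a shortcut entry (other fixlist directives)
        args = m.group('args')
        url = URL.search(args)
        entries.append({
            'lnk': m.group('lnk'),
            'target': m.group('target'),
            'url': url.group(1) if url else None,
            # Arguments left once the URL is removed, e.g. --disable-quic
            'extra': URL.sub('', args).strip(),
        })
    return entries

def hijacked_by_host(entries):
    """Group shortcuts whose arguments carry a URL by that URL's host."""
    groups = defaultdict(list)
    for e in entries:
        if e['url']:
            host = e['url'].split('://', 1)[1].split('/', 1)[0].lower()
            groups[host].append(e['lnk'])
    return dict(groups)
```
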

Sorry! Will do it in 2 hours. Not at home right now.

here is FRST fixlog

How is the system behaving now ?
Are there still problems ?

Hi Eddy,

when I tried to open Chrome I get this message and I needed to press ok, to open browser. Here is the screenshot and ADW Cleaner log.

Other than that, the computer is working faster now (like it was before the virus), no more pop-ups when opening the browser so far.

also this pop up just appeared after opening the browser

I am not very computer savvy, but I keep seeing new items being created in the Temp folder. Here is a screenshot. This folder was appearing originally in Avast warnings about the virus and I see something new appearing every time I open it.

Thank you for your help!

As of now when opening Chrome, it still shows some popups, like my Adobe needs update. I didn’t click ok and didn’t download anything.

essexboy will be back online tomorrow :wink: