Avast displays warning "URL:Mal" repeatedly when browser is open

So I downloaded a program, ignorantly, and when I ran it, Avast basically exploded warnings at me, which I ignored because the source where I got it from said that specifically Avast would do that. Then, after using the program for about 2 minutes, Avast continued to throw warnings at me, and once I listened to them, it was too late. I noticed that whenever I opened up any given browser, there would be a warning saying “URL:Mal”, then a random website I’ve never heard of, then the rest of whatever Avast says in those warnings. >:(

First, because I feel that I need to include it, here is my PC:

Windows 8 HP Pavilion g7 Notebook PC 2012

I followed the instructions so far on the topic: https://forum.avast.com/index.php?topic=53253.0

I ran Avast first (before reading the forum topic), and it found 12 infected files, 10 of which, supposedly, were deleted. The two that weren’t said “Could not find file”. Here is a list of the file infection types:

Threat:Win32:Zbot-UUD[Trj] (deleted)
Threat:Win32:Rootkit-gen[Rtk]
Threat:Win32:Rootkit-gen[Rtk] (deleted)
Threat:Win32:Rootkit-gen[Rtk] (deleted)
Threat:Win32:Rootkit-gen[Rtk] (deleted)
Threat:Win32:Rootkit-gen[Rtk]
Threat:Win32:Agent-AUVV[Trj] (deleted)
Threat:Win32:Agent-AUVV[Trj] (deleted)
Threat:Win32:Agent-AUVV[Trj] (deleted)
Threat:Win32:Agent-AUVV[Trj] (deleted)
Threat:Win32:Adware-CFE[Adw] (deleted)
Threat:Win32:Adware-CFE[Adw] (deleted)

I have no idea what any of these mean, in terms of the Win32:… stuff. I understand what adware and trojan are, not Rtk (rootkit?). Hopefully these mean something that can help you help me.

I am running MalwareBytes right now, and I will post the log when it finishes. So far into the scan, there has been 56 items detected, unlike Avast’s 12.

Malwarebytes targets different adware type infections. Once the FRST logs are posted we will sort you out

What programme did you download ?

There’s been quite a few random things that I’ve downloaded, most of them being recommended to me by friends and they’ve used them just fine. The most recent was called Steam Unchained, I think. It was a program that was recommended to me by a friend who said I could use it to access certain Steam games to mod them without the VAC stuff, but you couldn’t use it with Steam itself. There was only one website for it, so I assumed it was pretty safe because he uses it all the time with no problems.

MalwareBytes just finished scanning. I attached the log provided. It told me that there was 57 non-malware items and 2 malicious items.

I restarted my computer, as instructed. The Avast warnings are still popping up, but I don’t feel comfortable taking the next few steps in the cleaning malware thread. There seems to be a lot of complicated things in there that I’d have to do, and I don’t want to risk bricking my computer.

mostly PUP crap … PUP = not malware / Possible Unwanted Programs, crap that comes bundled with free downloads

run Farbar Recovery Scan Tool as instructed … it will not do anything except produce two diagnostic logs that Essexboy needs to create a fix for you

Okay, I will do that. In the meantime, not knowing if you need this, here is a screenshot of what keeps popping up:

http://i.imgur.com/LMebftc.png

So I ran Farbar and attached the two reports provided.

Essexboy is logged out for today, check back tomorrow. He is usually here after work hours, European time

Hi there, the first thing you must do is uninstall Chrome; you can re-install once we have finished

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKLM-x32 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
SearchScopes: HKU\S-1-5-21-1765460921-3138580259-2685598851-1001 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
BHO: UniDuealsi -> {ecb36a52-a797-4326-9c74-34133ccad049} -> C:\Program Files (x86)\UniDuealsi\ZAVGB3v8qoVtDv.x64.dll ()
BHO: No Name -> {fe0edf0a-74f0-47bc-982c-9c88e1cf7a55} -> No File
BHO-x32: No Name -> {fe0edf0a-74f0-47bc-982c-9c88e1cf7a55} -> No File
FF DefaultSearchEngine,S: WebSearch
FF SearchEngineOrder.1,S: WebSearch
FF SelectedSearchEngine,S: WebSearch
FF Extension: UniDuealsi - C:\Users\rbarber1\AppData\Roaming\Mozilla\Firefox\Profiles\45yopfvo.default\Extensions\CwkB@F.com [2015-02-10]
FF Extension: youtubeadblocker - C:\Users\rbarber1\AppData\Roaming\Mozilla\Firefox\Profiles\45yopfvo.default\Extensions\i@KX.net [2015-02-10]
CHR Extension: (Google Slides) - C:\Users\rbarber1\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-18]
CHR Extension: (Google Docs) - C:\Users\rbarber1\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-18]
CHR Extension: (Google Drive) - C:\Users\rbarber1\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-12-18]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\rbarber1\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-12-18]
CHR Extension: (YouTube) - C:\Users\rbarber1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-18]
CHR Extension: (Adblock for Gmail) - C:\Users\rbarber1\AppData\Local\Google\Chrome\User Data\Default\Extensions\cobbaepnkejfnljmjgimdhoefifdhcak [2015-02-10]
CHR Extension: (Google Search) - C:\Users\rbarber1\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-18]
CHR Extension: (Google Sheets) - C:\Users\rbarber1\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-18]
CHR Extension: (Avast Online Security) - C:\Users\rbarber1\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-12-18]
CHR Extension: (Happy Wheels) - C:\Users\rbarber1\AppData\Local\Google\Chrome\User Data\Default\Extensions\hpljdpjoahbnnfilkiilnfdkdbfiabfc [2014-12-18]
CHR Extension: (Google Wallet) - C:\Users\rbarber1\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-18]
CHR Extension: (My Chrome Theme) - C:\Users\rbarber1\AppData\Local\Google\Chrome\User Data\Default\Extensions\oehpjpccmlcalbenfhnacjeocbjdonic [2014-12-18]
CHR Extension: (Gmail) - C:\Users\rbarber1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-18]
CHR Extension: (UniDuealsi) - C:\ProgramData\jbhfpebgddjakhfodnfffoiahpofpokf\ [2014-12-18]
CHR HKU\S-1-5-21-1765460921-3138580259-2685598851-1001\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-12-01]
R2 6e95159f; c:\Program Files (x86)\IncrementFoobar\IncrementFoobar.dll [1575424 2015-02-10] () [File not signed]
2015-02-10 10:51 - 2015-02-10 10:51 - 00000000 ____D () C:\Users\rbarber1\AppData\Local\Ooh_Killum
2015-02-10 08:52 - 2015-02-10 08:52 - 00000000 ____D () C:\Program Files (x86)\IncrementFoobar
2015-02-10 08:51 - 2015-02-10 08:52 - 00000000 ____D () C:\Program Files (x86)\Adblock for Gmail
2015-02-10 08:50 - 2015-02-10 08:50 - 00000000 ____D () C:\Program Files (x86)\UniDuealsi
2015-02-10 08:49 - 2015-02-10 08:49 - 00000000 ____D () C:\ProgramData\jbhfpebgddjakhfodnfffoiahpofpokf
2015-02-10 08:48 - 2015-02-10 11:03 - 00000000 ____D () C:\ProgramData\{3d0c8581-b26c-ed96-3d0c-c8581b261606}
2015-02-02 16:49 - 2015-02-02 16:49 - 00000000 ____D () C:\WINDOWS\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
2015-02-02 16:35 - 2015-02-02 16:35 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YTD Video Downloader
2015-02-10 14:43 - 2014-12-10 10:02 - 00000000 ____D () C:\Program Files (x86)\BuyNssavve
2015-02-10 14:43 - 2014-10-13 19:34 - 00000000 ____D () C:\ProgramData\Trusted Publisher
Task: {0F2ADD2E-2906-402D-98C3-4936B40B4BC4} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1765460921-3138580259-2685598851-1001UA => C:\Users\rbarber1\AppData\Local\Google\Update\GoogleUpdate.exe [2014-10-28] (Google Inc.)
Task: {48139C3F-BC06-4C59-8D4B-AFAAF0C6713F} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-31] (Google Inc.)
Task: {6A266028-8733-4D2E-A704-1AD7DB184CD9} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-31] (Google Inc.)
Task: {7220ABA5-3AEE-444A-90CB-F5352A96072C} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1765460921-3138580259-2685598851-1001Core => C:\Users\rbarber1\AppData\Local\Google\Update\GoogleUpdate.exe [2014-10-28] (Google Inc.)
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1765460921-3138580259-2685598851-1001Core.job => C:\Users\rbarber1\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-1765460921-3138580259-2685598851-1001UA.job => C:\Users\rbarber1\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\rbarber1\jagex_cl_runescape_LIVE.dat
C:\Users\rbarber1\random.dat
C:\Program Files (x86)\Google
C:\Program Files (x86)\UniDueals
C:\Users\rbarber1\AppData\Local\Google
c:\Program Files (x86)\IncrementFoobar
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated, please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
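An added triage aid, not part of this thread or of FRST itself: a small Python script that reads FRST lines in the format quoted in the fix above and flags the kinds of entries that fix removes (FRST's own ATTENTION markers, search scopes redirected to an unexpected provider, orphaned or unsigned BHOs, unsigned running services, extension registrations with no files on disk). The allowlist of search hosts is an assumption, and the sample lines are constructed from the entries shown above.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of search providers; any other host in a SearchScopes entry gets flagged.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

SCOPE_RE = re.compile(r"^SearchScopes:\s+(?P<hive>\S+)\s+->\s+\{[0-9a-f-]+\}\s+URL\s*=\s*(?P<url>\S+)", re.I)
BHO_RE = re.compile(r"^BHO(?:-x32)?:\s+(?P<name>.+?)\s+->\s+\{[0-9a-f-]+\}\s+->\s+(?P<target>.+)$", re.I)
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);\s*(?P<path>.+?)\s+\[.*\]")
EXT_RE = re.compile(r"^CHR .*Extension:\s+\[(?P<id>[a-p]{32})\]\s+-\s+No Path$")

# Constructed sample: a few lines in the FRST format used by the fix above.
SAMPLE = r"""
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
BHO: UniDuealsi -> {ecb36a52-a797-4326-9c74-34133ccad049} -> C:\Program Files (x86)\UniDuealsi\ZAVGB3v8qoVtDv.x64.dll ()
BHO: No Name -> {fe0edf0a-74f0-47bc-982c-9c88e1cf7a55} -> No File
CHR Extension: (Avast Online Security) - C:\Users\rbarber1\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-12-18]
CHR HKU\S-1-5-21-1765460921-3138580259-2685598851-1001\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
R2 6e95159f; c:\Program Files (x86)\IncrementFoobar\IncrementFoobar.dll [1575424 2015-02-10] () [File not signed]
"""

def triage(text):
    """Return (category, detail) pairs for FRST lines that deserve a second look."""
    findings = []
    for line in text.strip().splitlines():
        line = line.strip()
        if "<======= ATTENTION" in line:            # FRST's own marker for policy/hosts tampering
            findings.append(("frst-attention", line.split("<=")[0].strip()))
            continue
        if m := SCOPE_RE.match(line):
            host = urlparse(m.group("url")).hostname or ""
            if host not in TRUSTED_SEARCH_HOSTS:   # search redirected to an unexpected provider
                findings.append(("search-hijack", f"{m.group('hive')} -> {host}"))
            continue
        if m := BHO_RE.match(line):
            if m.group("target") == "No File":      # registration left behind after removal
                findings.append(("orphan-bho", m.group("name")))
            elif m.group("target").endswith("()"):  # "()" means FRST found no signer for the DLL
                findings.append(("unsigned-bho", m.group("name")))
            continue
        if m := SERVICE_RE.match(line):
            if "[File not signed]" in line:         # running service backed by an unsigned binary
                findings.append(("unsigned-service", f"{m.group('name')} -> {m.group('path')}"))
            continue
        if m := EXT_RE.match(line):                 # extension registered in the registry, no files
            findings.append(("orphan-extension", m.group("id")))
    return findings
```

Calling triage(SAMPLE) returns six findings; the legitimate Avast extension line produces none.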

So I ran FRST with your instruction. I attached the log I got back, but I’m not sure everything is correct. I had to run FRST twice, and both times it created a recovery point, then fixed for about a minute and then Windows said it stopped responding and it closed. The log looks complete, to my knowledge, but I don’t know. I’ll run the next program you gave me.

Here is the AdwCleaner logfile that I received. I actually got two logs, one with [R0] and one with [S0], so I attached both just in case.

I have taken all of these steps, and Avast hasn’t given me any messages yet, nor have any more problems come up. Does that mean everything is taken care of? I know that even if the symptoms are gone, something could still be in the system.

Did FRST appear unresponsive when it was emptying temp files ?

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop

- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

I don’t know when it decided to stop responding. The first time was right after it created the recovery file, and the second time was in the middle of fixing everything.

I ran the new program you provided. I don’t know if I’ve ever cleaned out my temp files because it said it cleaned 7,052.00 MB of files. I will post when my PC starts up again.

Started up. It said that I had 1 update when I restarted. I’m assuming this is related to cleaning out the temp files. Is it?

This is actually kind of fun. I love working with this kind of stuff, and even though I’m not the one making the magic happen (that’s you), it’s fun to see what you’re doing because it actually makes a lot of sense. How long did it take you at GeekU, or wherever you went to learn this stuff? I applied, so I’m waiting for response now.

I did my training when it was relatively easy and there were none of the complex things that I am now seeing. That took about 6 months
The update was probably happenstance :slight_smile:

You can now re-install Chrome. When you are ready, could you run a fresh FRST scan for me and let me know how the computer is behaving

Everything seems to be running fine now. No Avast warnings, everything is running smooth and good as new :slight_smile:

I ran FRST again, and it was a lot faster. The logs look good except for the Addition log, which has a lot (a LOT) of errors in the end parts. Are these of any significance?

The errors are of no import :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire and forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Sweet! All fixed! Thanks for your help, Essexboy! Hopefully I’ll be working with you someday :slight_smile: