Hi
I still get malware pop-ups from Avast even after running Avast at boot (movieroomreviews.com, etc.), but not as often as before.
Attached are the files that were saved IAW your instructions.
Display hidden files and folders:
Right-click the Windows Logo button and choose Open Windows Explorer.
Click Organize and choose Folder and Search Options.
Click the View tab, select Show hidden files and folders and then clear the checkbox for Hide protected system operating files.
Then delete this file/folder C:\Users\Rein\AppData\Roaming\麽鎒駓覜
Let me know how the computer is after this.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
HKLM-x32\...\Run: [BrowserSafeguard] => "C:\Program Files (x86)\Browsersafeguard\BrowserSafeguard.exe"
HKU\S-1-5-21-4017607708-2851936205-3148765964-1000\...\Run: [iLivid] => "C:\Users\Rein\AppData\Local\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-4017607708-2851936205-3148765964-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
SearchScopes: HKLM - {A25AC313-DD19-4238-ACA2-401D6BEE4321} URL =
SearchScopes: HKLM-x32 - DefaultScope {E1384B2F-615A-4862-8793-2475FE8DE196} URL =
SearchScopes: HKCU - OldDefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
SearchScopes: HKCU - {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKCU - {A25AC313-DD19-4238-ACA2-401D6BEE4321} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3287811&CUI=UN12222670509600658&UM=2&UP=SP3FA21645-DFD6-406B-8DB3-F76DE4043DBE&SSPV=
SearchScopes: HKCU - {E1384B2F-615A-4862-8793-2475FE8DE196} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3287811&CUI=UN12222670509600658&UM=2
FF Plugin-x32: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 -> C:\ProgramData\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP)
CHR DefaultSearchKeyword: Default -> trovi.search
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter}
CHR Extension: (VisualBee V.12) - C:\Users\Rein\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpkgnchjblgnciiopegmabnakdoapgkj [2013-11-15]
2014-10-27 12:56 - 2014-10-27 14:22 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-27 12:56 - 2014-10-27 14:22 - 00001368 _____ () C:\ProgramData\@system.att
2014-10-27 12:55 - 2014-10-27 14:23 - 00001104 ____H () C:\ProgramData\@system2.att
2014-10-27 12:55 - 2014-10-27 12:55 - 00000000 ___HD () C:\196f52d
2014-10-27 12:50 - 2014-10-27 12:53 - 00036487 _____ () C:\Users\Rein\AppData\Local\893686b8
2014-10-27 12:50 - 2014-10-27 12:53 - 00027562 _____ () C:\Users\Rein\AppData\Roaming\893686b8
2014-10-27 12:50 - 2014-10-27 12:53 - 00023392 _____ () C:\ProgramData\893686b8
2014-10-23 13:34 - 2014-10-23 13:34 - 00022528 _____ () C:\Users\Rein\AppData\Local\2060539dsisetup20615532.exe
2014-10-27 15:01 - 2013-11-15 17:26 - 00000000 ____D () C:\ProgramData\Conduit
CustomCLSID: HKU\S-1-5-21-4017607708-2851936205-3148765964-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {D699018E-2102-42D5-9AE8-3D1E3E0C90E8} - \AutoKMS No Task File <==== ATTENTION
C:\Users\Rein\AppData\Local\iLivid
C:\Program Files (x86)\Browsersafeguard
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on “Clean”.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.
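A small triage helper, added here as an example and not part of this thread or of FRST, that scans FRST-style log lines for the Poweliks persistence pattern shown in the fixlist above (a CLSID localserver32 value running rundll32.exe with a javascript: URL through mshtml,RunHTMLApplication) and decodes the visible prefix of the eval() string. The sample lines are the two Poweliks entries copied from the fixlist plus one constructed benign Run entry; that the eval() text is shifted up by one character is my observation from the visible prefix, not something the helper states.

```python
import re

# Indicators taken from the FRST fixlist in this thread: Poweliks persisted in a
# CLSID LocalServer32 value that runs "rundll32.exe javascript:..." and loads
# mshtml,RunHTMLApplication to execute an eval() string stored in the registry.
POWELIKS_PATTERNS = [
    re.compile(r"rundll32(\.exe)?\s+javascript:", re.I),
    re.compile(r"mshtml,RunHTMLApplication", re.I),
]
# The eval() argument as FRST prints it; the value is encoded by shifting every
# character up by one code point (my observation from the visible prefix).
ENCODED_EVAL = re.compile(r'eval\("([^"\s]+)')

# Sample log lines: the two Poweliks entries copied from the fixlist above, plus
# one constructed benign Run entry so the triage has something to ignore.
SAMPLE_FRST_LINES = [
    r'HKLM\...\Run: [AvastUI.exe] => "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui',
    r'HKU\S-1-5-21-4017607708-2851936205-3148765964-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!',
    r'CustomCLSID: HKU\S-1-5-21-4017607708-2851936205-3148765964-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?',
]


def decode_shift(text, shift=1):
    """Undo the shift-by-one encoding of the eval() string (e.g. epdvnfou -> document)."""
    return "".join(chr(ord(c) - shift) for c in text)


def triage_frst_lines(lines):
    """Return (reason, line, decoded_prefix) for every Poweliks-like entry.

    Only the prefix FRST printed can be decoded; FRST truncates long values and
    reports the remainder as '(the data entry has N more characters)'.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not any(p.search(line) for p in POWELIKS_PATTERNS):
            continue
        m = ENCODED_EVAL.search(line)
        decoded = decode_shift(m.group(1)) if m else ""
        hits.append(("rundll32 javascript: persistence (Poweliks-like)", line, decoded))
    return hits


if __name__ == "__main__":
    for reason, line, decoded in triage_frst_lines(SAMPLE_FRST_LINES):
        print(reason, "|", line[:60] + "...", "|", decoded)
```

The decoded prefix of both entries reads document.write('<script language=jscr, which is why a file-based AV scan finds nothing: the payload lives in the registry value, not on disk.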
Hi
You had a previous response and the result is Fixlogold. Your latest response result is Fixlog. Seems quiet now after the second “fix” run of FRST64. Before running your second fix I deleted the file with the Japanese fonts you suggested. Result was that the moviereview malware did not show up BUT lots of other sites were blocked by Avast. BTW great program. Symptoms I had were, besides the Avast pop-up blockings, the hard drive was constantly searching and I could not put IE in security protected mode enable. Would get alerts if I downloaded a file from a known good site that “your security mode prevents downloading the file”. I would check the protected mode enable, then check permit file download, then I could download the file (known good site) (without rebooting), but at reboot IE protected mode enable would be off.
Everything quiet now, I will install the ad remover now.
REALLY appreciate the help.
I will check the IE security mode now
Rein
Hi
Did the AdwCleaner with log file attached. IE protected mode stayed on, hard drive quiet GREAT JOB.
Can avast and Malwarebytes run at the same time? Or just avast? I am using windows firewall.
Rein
Hi again
BTW I was running Windows Security Essentials (now turned off and Avast on) before the original attack started. It was a ro… forgot the name but Malwarebytes quarantined it after a second scan at boot. Then installed Avast, scanned, cleaned, and then the “site blocked” popups appeared. Still all quiet.
Thank you very much
Avast and MBAM are both good together. You actually had a failed install of Torcrypto, so Avast must have blocked it before it activated. But Poweliks was active, although as of yet no AV can get a handle on it.
If all is well tomorrow let me know and I will tidy up
I booted up this morning and so far no popup messages from either Avast or Malwarebytes. At boot completion Avast did show a message (not popup) that said it found IE addon “MaxWebSearch”. This has happened several times right after startup and I click “remove” and the result is Avast encountered an error and could not complete its action. I looked at IE addons and could not find MaxWebSearch. Again no threats have appeared and hard drive is quiet. I am concerned about your message about Poweliks, maybe it will appear again at boot?
Examining Internet sites: Symantec said Poweliks low level??? and can be removed easily???
I can see no sign of MaxWeb, so it may be a stray registry entry that Avast is finding.
Poweliks is easy to remove, but it can only be done manually.
Subject to no further problems
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself so… The following will implement some cleanup procedures as well as reset System Restore points:
Download and run Delfix
https://dl.dropboxusercontent.com/u/73555776/delfix.JPG
Keep Java Updated:
WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article
I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
CryptoPrevent: install this programme to lock down and prevent crypto ransomware.
https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG
Update and run weekly to keep your system clean.
It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.
To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe
Thanks for all the help.
I ran Delfix. All is quiet, however I have a strange problem with the GameStop site. I click on GameStop, site appears, then an ad bar appears, “savestop” maybe, then blank page. It happens very quickly so I am not sure of the adware name. It is not detected by Avast or Mbytes. Maybe unique to the GameStop site?
Oh crypto fix site is hiding the free download very stealthy. Could not find a link to download but the premium no problem
It is right at the bottom of the page. If you only get that on one site then it is not a problem.
Thank you for the link.
Now a very serious problem: Windows Update is NOT running. I tried several reboots, still not running. It was running before the virus attack. I even checked the update history… blank.
Was Windows corrupted?
Let's check it out, it may just need repairing.
Download and run farbar service scanner
https://dl.dropboxusercontent.com/u/73555776/fssscan.JPG
Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
Attached is FSS results. Does not look good. I tried to manually start Windows Update from the task page. It resulted in
“The *** service is not started”. I read there is a crypto exploit that disables Windows Update? I installed CryptoPrevent before trying to update Windows.
For some reason Windows Update started working. I installed Microsoft Security Essentials, ran a full scan and got the screen attached. Avast is running with Security Essentials together.
The services just need repairing.
Download the three registry entries to your desktop.
Double click each in turn and allow to merge.
https://dl.dropboxusercontent.com/u/73555776/wuauserv.reg
https://dl.dropboxusercontent.com/u/73555776/wscsvc.reg
https://dl.dropboxusercontent.com/u/73555776/WinDefend.reg
AutoKMS is a hack for MS Office, did you install it?
What is the full path of the other entry?
Running two antivirus programmes can cause problems.
Thank you everyone. Security Essentials did manage to quarantine Rogue after considerable time. Now my question is Avast did not detect this (Rogue). It was running by itself for considerable time before I restored Security Essentials. I lean toward Avast since it cleaned the major attack and Essentials could not clean it (maybe I did not wait long enough?). On second thought the original attack took over the whole PC so nothing but an on-boot cleaner could isolate it.
Your honest opinion
What was the location of the rogue that MSES found ?
Rogue location is in the jpg I posted earlier C:\windows\instaler.…etc. That was all the data I have.
Thanks again. Running Avast and MBAM only.
Did MSES remove just the file or the whole folder ?
If it did not remove the folder could you give me the full path so that I can use FRST to kill it?