Avast scanning the web for pr0n

Well, this is awkward. Once my laptop has booted and before I do anything (no browser, no programs whatsoever), I check what avast is doing and see that it is checking the web. In the Statistics window, it scans and scans endless pages of pr0n pages on the internet. Occasionally a pop-up window appears, saying that some process has been blocked, always with a dmw.exe as the culprit. This exe sits in the Lenovo folder; I haven't found anything useful on the web for that file. Then the scanning stops, only to start anew half a minute later.

I did a boot-scan with avast to no avail. A malware check too; I attach the report. Maybe someone has a clue what is going on. The avast module is in German and I have posted this in the German thread also. I hope that is okay, since there is no answer there.

Thanks.

Win 7 Pro 64
Avast 2014.9.0.2008

You have an infection

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Select LOP and Purity
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%*" /S /A:L /C
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

By the looks of it he’s got multiple infections. Web optimizer, PackageAware, etc. The probable cause is the malicious Gutschein finder Firefox plugin.

ADWcleaner already cleared a lot. You could try running Malwarebytes Anti-malware + TDSSkiller to see if they find more. TDSSkiller is a rootkit scanner, alternatively (or additionally) you can use Malwarebytes Anti-Rootkit.

Don’t forget to restore Firefox (your main browser as it seems), or the plugin stays and can infect again:

  • Open firefox
  • Click the FF button (orange top left)
  • Help → Troubleshooting information
  • Click reset Firefox and confirm the reset in the next window
  • Firefox will close and reopen and try to import your bookmarks and passwords etc. → click finish

propheticus, please refrain from posting or interrupting in malware removal advice topics; essexboy is quite capable of handling the problem.

I understand my help is unwanted here. Have fun on your high horses.

Help is not unwanted here. Essexboy is a certified malware remover from the forum.

He will help him with this.

It's not that help isn't wanted; malware removal is only performed by trained, qualified technicians and you haven't been approved to do so, and it's also bad etiquette to butt in on already provided advice.

Chef 1: OK Put a teaspoon of salt in to the water.

Chef 2: You should put a tablespoon of salt in the water.

Culinary student: So which is it?

1: Teaspoon
2: Tablespoon

Student: I’m confused.

1: After you put the teaspoon of salt in the water, chop the celery and add it in.
2: After you put the tablespoon of salt in the water, chop a carrot and add it in, but also add a pinch of pepper.

Student: Who am I listening to here? They both sound good, but which one am I following? I added a teaspoon of salt and chopped up a carrot and added pepper. Is that right?

1: You didn’t listen to me! That is wrong! I had a pre-planned step of events you needed to follow and now you’ve made it worse!
2: You didn’t listen to me! That is wrong! I had a good idea on how to make this soup, but now it’s ruined.

This is why more than one person helping to "make the soup" is a bad idea. If Essexboy started helping, you should have let him continue on. This is what everyone is saying. Your help isn't unwanted, it's just not needed when Essexboy took it. I hope this makes more sense now.

Ok, thanks for answering. Here is OTL.txt. It hasn't generated Extras.txt though. (I used the settings you provided).

Oh, and what propheticus says: adwcleaner has found some stuff, but I didn't pursue it, i.e. I didn't click the Remove button, because there were ever so many things, also in the registry, services, etc., that I preferred to wait. Can't afford to scramble up the system right now as I am in the middle of a job.

OK lets get you tidied up now. You appear to have a new variant of this as the running directory has changed.

A nice little passage by Gorg showing why it is always best to have just one helper … Cheers Gorg

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
FF - prefs.js..extensions.enabledAddons: %7Bff0f24dd-184a-42ca-9ce8-8ca6184fd0ac%7D:0.1
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ff0f24dd-184a-42ca-9ce8-8ca6184fd0ac}: C:\Program Files (x86)\Web Optimizer\weboptimizer.xpi [2013.08.27 10:52:06 | 000,009,996 | ---- | M] ()
[2013.10.21 07:25:01 | 000,626,721 | ---- | M] () (No name found) -- C:\Users\IBM\AppData\Roaming\mozilla\firefox\profiles\b0ycpy1d.default\extensions\search@disconnect.me.xpi
[2013.08.27 10:52:06 | 000,009,996 | ---- | M] () (No name found) -- C:\PROGRAM FILES (X86)\WEB OPTIMIZER\WEBOPTIMIZER.XPI
O2:64bit: - BHO: (Plus-HD-3.8) - {11111111-1111-1111-1111-110311901130} - C:\Program Files (x86)\Plus-HD-3.8\Plus-HD-3.8-bho64.dll File not found
O2 - BHO: (Web Optimizer) - {bbb1d54d-cf70-4a80-bf2f-3bafca0225ce} - C:\Program Files (x86)\Web Optimizer\weboptimizer.dll (Web Optimizer)
O2 - BHO: (no name) - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - No CLSID value found.
O4 - HKLM..\Run: [TaskMngr] C:\Program Files (x86)\Common Files\Lenovo\data.js ()
O8:64bit: - Extra context menu item: Free YouTube Download - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytvdownloader.htm ()
O8:64bit: - Extra context menu item: Free YouTube to MP3 Converter - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytmp3downloader.htm ()
O8 - Extra context menu item: Free YouTube Download - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytvdownloader.htm ()
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\freeytmp3downloader.htm ()
O9:64bit: - Extra Button: Free YouTube Download - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll (DVDVideoSoft Ltd.)
O9:64bit: - Extra 'Tools' menuitem : Free YouTube Download - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll (DVDVideoSoft Ltd.)
[2013.12.07 22:18:18 | 000,000,000 | ---D | C] -- C:\Users\IBM\AppData\Local\AMozilla
[2013.12.07 22:18:08 | 000,000,000 | ---D | C] -- C:\Users\IBM\AppData\Roaming\AMozilla
[2013.12.07 22:18:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Lenovo
[2013.11.18 21:21:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eTeks Sweet Home 3D
[2013.11.18 21:21:06 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sweet Home 3D
[2013.11.18 21:00:10 | 000,000,000 | ---D | C] -- C:\Users\IBM\AppData\Roaming\SBS Installer
[2013.11.18 20:45:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Web Optimizer
[2013.11.18 20:45:48 | 000,000,000 | ---D | C] -- C:\Users\IBM\AppData\Roaming\Windows Net Data
[2013.11.18 20:45:45 | 000,000,009 | ---- | M] () -- C:\END
[2013.12.07 22:18:08 | 000,000,000 | ---D | M] -- C:\Users\IBM\AppData\Roaming\AMozilla
[2013.11.18 20:45:48 | 000,000,000 | ---D | M] -- C:\Users\IBM\AppData\Roaming\Windows Net Data

:Files
C:\Program Files (x86)\Common Files\Lenovo\dmw.exe
C:\Program Files (x86)\Web Optimizer
C:\Program Files (x86)\Plus-HD-3.8
C:\Program Files (x86)\Web Optimizer

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Re-run AdwCleaner

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

Hi propheticus,

On a more positive note now. :smiley:
A better way here, and a way where it does not interfere with the ongoing cleansing routine, is to PM your comments to essexboy directly.
Also, qualified removal experts can profit from some additional info or give you a clue as to why your proposed method/solution is inferior.
There you have the win-win situation always: you gain insight and the qualified removal expert may not miss a point he/she overlooked… ;D 8)

polonus

Good advice Pol. :smiley:

Hello again.
Attached the OTL-log and the AdwCleaner-txt.

Upon restart a Windows Script Host window appears stating that a script file \Programs .…\Lenovo\data.js has not been found.

It seems my Sweet Home 3D software has been removed. Didn't know this could cause trouble.
Apparently the DVDVideoSoft pack is not such a good idea either? I used it because I had to convert some video files to wmv, but it didn't allow proper frame rate setting, so I could delete the whole thing too.

Well, thank you again. As I am posting this, the avast-scanner is being quiet. :smiley:

Yeah, I thought I'd chip in because it was important to remove the Firefox plugin (gutschein) as well. Anyway, next time I won't interrupt and will send tips to the person that responded first.
I understand multiple conflicting tips can be confusing, but I didn't think I was contradicting/messing anything up. Probably ADWcleaner would've fixed most of the problems without issue if the OP would've let it clean. The whole OTL routine seemed a bit over the top to me…

Ah well no hard feelings. We’re all trying to help here.

BTW: I'm a University Information Sciences student almost done with my Bachelor's, and as a job on the side I work at a company fixing exactly these kinds of problems for clients. That should be qualified enough, right?

You can ask essexboy via PM if you want to help people with malware problems.
Maybe he will look over your work and then he will decide.

At the moment there is a student who is watched by essexboy.
You can see here: http://forum.avast.com/index.php?topic=53253.0

Could you now run a fresh OTL scan please, select all users, and I will locate the errant start entry… There will only be one log this time

Here it is.
Thanks a lot for the quick help!

Did not want to go the first time; let's see if it is as strong now :slight_smile:

On completion can you let me know of any problems

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O4 - HKLM..\Run: [TaskMngr] wscript.exe "C:\Program Files (x86)\Common Files\Lenovo\data.js" File not found

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
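As an added, defender-side illustration (not part of the thread, and not OTL's own code): a small Python parser for OTL-style `O4` autorun lines that flags entries launched through a script host, pointing at a script file rather than a program, or whose target is already gone, the pattern behind the `[TaskMngr] ... data.js` Run entry in the two fixes above and the Windows Script Host "script not found" popup reported in this thread. The sample lines are constructed after the thread's own entries, plus one made-up benign entry as a control.

```python
import re

# Constructed sample O4 lines in the shape OTL prints; the first two follow the
# thread's TaskMngr entry, the third is a made-up benign control entry.
SAMPLE_O4_LINES = [
    r"O4 - HKLM..\Run: [TaskMngr] C:\Program Files (x86)\Common Files\Lenovo\data.js ()",
    r'O4 - HKLM..\Run: [TaskMngr] wscript.exe "C:\Program Files (x86)\Common Files\Lenovo\data.js" File not found',
    r"O4 - HKLM..\Run: [IntelGfx] C:\Windows\System32\igfxtray.exe (Intel Corporation)",
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")

# O4 [:64bit:] - <hive>\Run: [<value name>] <command> [(<publisher>)|File not found]
O4_RE = re.compile(r"^O4(?::64bit:)? - (?P<hive>\S+)\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$")


def parse_o4(line):
    """Split one OTL O4 line into name, command, publisher and a missing-target flag."""
    m = O4_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("File not found")
    if missing:
        rest = rest[: -len("File not found")].strip()
    vendor = ""
    vm = re.search(r"\s\(([^()]*)\)$", rest)  # trailing "(Publisher)" or "()"
    if vm:
        vendor = vm.group(1)
        rest = rest[: vm.start()].strip()
    return {"name": m.group("name"), "command": rest, "vendor": vendor, "missing": missing}


def assess(entry):
    """Return the reasons an autorun entry deserves a look; empty list if none."""
    cmd = entry["command"].lower()
    reasons = []
    if any(host in cmd for host in SCRIPT_HOSTS):
        reasons.append("launched via a script host")
    if cmd.rstrip('"').endswith(SCRIPT_EXTS):
        reasons.append("target is a script file, not a program")
    if entry["missing"]:
        reasons.append("target file missing: orphaned entry (source of the WSH 'script not found' popup)")
    if not entry["vendor"] and not entry["missing"]:
        reasons.append("no publisher information")
    return reasons


def flag_autoruns(lines):
    """Parse every O4 line and keep those with at least one reason attached."""
    flagged = []
    for line in lines:
        entry = parse_o4(line)
        if entry is not None and assess(entry):
            flagged.append((entry["name"], entry["command"], assess(entry)))
    return flagged


if __name__ == "__main__":
    for name, cmd, reasons in flag_autoruns(SAMPLE_O4_LINES):
        print(f"[{name}] {cmd}\n    " + "\n    ".join(reasons))
```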

Here txt3.

The data.js window came up again though.

And OTL asks to be run right after restart.

It does not seem to want to go… Let's get MBAM on the job :slight_smile:

Malwarebytes’ Anti-Malware
Please download Malwarebytes’ Anti-Malware from here

[*]Double click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select "Perform Quick Scan", then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Attach the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.