Avast virus Unseen.

Viruses and worms
1

Avast keeps saying protected from a virus and this is what its saying it is

hxxp://getusaaall.info/?e=smsn&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&unp=Azm9CdOLv7DVDy

URL:MAIL

I have run scans and my computer isn’t picking up anything help please! “I will keep checking on the form for responses if i don’t respond immediately i will get to it asap”

2

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

3

Follow Asyn’s advice as this is not about a poll but rather a malware infection you have on your system.

Once you have run the three programs and attached the resulting logs in your next reply, a certified malware removal expert will be contacted for you.

4

Working on the scans for logs now.

5

How do i attach the logs?

6

Below The Box you Write in … Attachments and other options

7

This is what I have so far I will post the last one when it is complete and i get too it.

8

Hi,

Post me also aswMBR report and I will start assessing your logs. Should be back here later.

9

its the same attachment accidentally added twice/

10

HI. Please do this one for me.

https://sites.google.com/site/cannedfixes/batch-script/Bat_file_icon.png
Batch Script

Please download getusaaall script and save it to your desktop.
It will come as a zipped file, so you will need to unzip it. You may do it by right-clicking on it and choosing Extract All. Extract it to your desktop.

[*]Right-click on
https://sites.google.com/site/cannedfixes/batch-script/Bat_file_icon.png
icon named getusaaall and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the script.
[*]A black window will blink shortly.
[*]After that two files will be located on your desktop: scanning1 and scanning2.

Please include them both in your next reply.

11

.

12

Hi :slight_smile:

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Fix with Farbar Recovery Scan Tool

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[b] This fix was created for this user for use on that particular machine.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
Running it on another one may cause damage and render the system unstable.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[/b]

Press the
https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/WindowsKey.png

  • R on your keyboard at the same time. Type Notepad and click OK.

[*]Copy the entire content of the codebox below and paste into the Notepad document:

start
C:\Users\Owner\AppData\Local\iLivid
HKU\S-1-5-21-2572585780-1497095549-3986437272-1000\...\Run: [iLivid] => "C:\Users\Owner\AppData\Local\iLivid\iLivid.exe" -autorun
HKU\S-1-5-21-2572585780-1497095549-3986437272-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [iLivid] => "C:\Users\Owner\AppData\Local\iLivid\iLivid.exe" -autorun
AppInit_DLLs-x32: c:\progra~2\so_boo~1\assist~1.dll => "c:\progra~2\so_boo~1\assist~1.dll" File Not Found
AppInit_DLLs-x32: c:\progra~2\sw-boo~1\assist~1.dll => "c:\progra~2\sw-boo~1\assist~1.dll" File Not Found
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
SearchScopes: HKLM-x32 - DefaultScope {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.fas...&cc=US&unqvl=56
SearchScopes: HKLM-x32 - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.fas...&cc=US&unqvl=56
BHO: MySearch -> {5E0952AB-C3E0-7963-4672-6CC024B4994F} -> C:\Program Files (x86)\MySearch\aE6nMTHuc.x64.dll No File
BHO: PriceChiop -> {7DE8C77D-4B3E-AC20-C522-B9BF1784F485} -> C:\Program Files (x86)\PriceChiop\hZOVZE9v.x64.dll No File
BHO: SaVEMasss -> {C950F28F-B018-B9AA-6C3B-6B243D4A2A77} -> C:\Program Files (x86)\SaVEMasss\0EViIJZO9j.x64.dll No File
BHO: Adblocker -> {DB4D8C91-018D-D89E-4A00-0C9467CD881E} -> C:\Program Files (x86)\Adblocker\Rfnvj6K8Hn.x64.dll No File
C:\Program Files (x86)\PriceChiop
C:\Program Files (x86)\MySearch
C:\Program Files (x86)\SaVEMasss
C:\Program Files (x86)\Adblocker
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - No File
FF DefaultSearchEngine: Trovi search
FF SearchEngineOrder.1: WebSearch
FF SearchEngineOrder.user_pref("browser.search.order.1,S", "WebSearch");: user_pref("browser.search.order.1,S", "WebSearch");
FF SelectedSearchEngine: Trovi search
FF Homepage: hxxp://websearch.fastsearchings.info/?pid=2290&r=2014/07/10&hid=12690441653842002612&lg=EN&cc=US&unqvl=56
FF Keyword.URL: hxxp://websearch.fastsearchings.info/?pid=2290&r=2014/07/10&hid=12690441653842002612&lg=EN&cc=US&unqvl=56&l=1&q=
CHR DefaultSearchKeyword: trovi.search
CHR DefaultSearchProvider: Trovi search
CHR DefaultSearchURL: http://www.trovi.com...rchTerms}&SSPV=
CHR Extension: (SAAvEMass) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\anmdhmlhiebledcbfaaadbjgdmfpknoe [2014-07-10]
CHR Extension: (NextCoup) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgbdnmjecfojfccnjjfemlnhimbpfljj [2014-07-10]
CHR Extension: (PriceChiop) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehniblchhmggdffcnmnmijdbngphbenc [2014-07-10]
CHR Extension: (NeXtCoupu) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbnhilmmjnippdhojjcjdooemiconeie [2014-07-10]
CHR Extension: (CuupoDOco) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\ggoamgeodkbccknnbkfgimhjklbjbpbp [2014-06-29]
CHR Extension: (PrIceCuhop) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\jeefgbgcgkmhgkdamnfknamnjcihepec [2014-07-10]
CHR Extension: (SaVEMasss) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpaahgagebhagongmlnfclnipkmklgom [2014-07-10]
CHR Extension: (SAAvEMass) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\anmdhmlhiebledcbfaaadbjgdmfpknoe\1.0 [2014-07-10]
CHR Extension: (NextCoup) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgbdnmjecfojfccnjjfemlnhimbpfljj\1.0 [2014-07-10]
CHR Extension: (PriceChiop) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehniblchhmggdffcnmnmijdbngphbenc\1.0 [2014-07-10]
CHR Extension: (NeXtCoupu) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbnhilmmjnippdhojjcjdooemiconeie\1.0 [2014-07-10]
CHR Extension: (CuupoDOco) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\ggoamgeodkbccknnbkfgimhjklbjbpbp\1.0 [2014-06-29]
CHR Extension: (PrIceCuhop) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\jeefgbgcgkmhgkdamnfknamnjcihepec\1.0 [2014-07-10]
CHR Extension: (SaVEMasss) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpaahgagebhagongmlnfclnipkmklgom\1.0 [2014-07-10]
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2014-07-10 22:34 - 2014-07-11 00:08 - 00000000 ____D () C:\ProgramData\NeXtCoupu
2014-07-10 18:19 - 2014-07-10 18:19 - 00000000 ____D () C:\SUPERDelete
2014-07-10 18:16 - 2014-07-11 00:08 - 00000000 ____D () C:\ProgramData\MySearch
2014-07-10 18:15 - 2014-07-10 22:35 - 00000000 ____D () C:\ProgramData\SAAvEMass
2014-07-10 18:15 - 2014-07-10 22:28 - 00000000 ____D () C:\ProgramData\PrIceCuhop
2014-07-10 18:14 - 2014-07-10 18:14 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\EZDownloader
2014-07-10 18:13 - 2014-07-11 00:08 - 00000000 ____D () C:\ProgramData\Trusted Publisher
2014-07-10 18:12 - 2014-07-11 00:08 - 00000000 ____D () C:\ProgramData\PriceChiop
2014-06-29 18:46 - 2014-07-10 22:34 - 00000000 ____D () C:\ProgramData\c023927bd2ec3
2014-06-29 18:46 - 2014-07-01 00:53 - 00000000 ____D () C:\ProgramData\Adblocker
2014-06-29 18:46 - 2014-06-29 18:46 - 00000000 ____D () C:\Users\Owner\AppData\Local\Torch
2014-06-29 18:46 - 2014-06-29 18:46 - 00000000 ____D () C:\Users\Owner\AppData\Local\Packages
2014-06-29 18:46 - 2014-06-29 18:46 - 00000000 ____D () C:\Users\Owner\AppData\Local\Comodo
2014-06-29 18:46 - 2014-06-29 18:46 - 00000000 ____D () C:\Users\Owner\AppData\Local\Chromatic Browser
2014-06-29 18:46 - 2014-06-29 18:46 - 00000000 ____D () C:\Users\Guest\AppData\Local\Torch
2014-06-29 18:46 - 2014-06-29 18:46 - 00000000 ____D () C:\Users\Guest\AppData\Local\Google
2014-06-29 18:46 - 2014-06-29 18:46 - 00000000 ____D () C:\Users\Guest\AppData\Local\Comodo
2014-06-29 18:46 - 2014-06-29 18:46 - 00000000 ____D () C:\Users\Guest\AppData\Local\Chromatic Browser
2014-06-29 18:46 - 2014-06-29 18:46 - 00000000 ____D () C:\Users\Guest
2014-06-29 18:46 - 2014-06-29 18:46 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Torch
2014-06-29 18:46 - 2014-06-29 18:46 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Google
2014-06-29 18:46 - 2014-06-29 18:46 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Comodo
2014-06-29 18:46 - 2014-06-29 18:46 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Chromatic Browser
2014-06-29 18:46 - 2014-06-29 18:46 - 00000000 ____D () C:\Users\Administrator
2014-06-29 18:45 - 2014-06-29 18:48 - 00000000 ____D () C:\ProgramData\InstallMate
CMD: ipconfig /release
CMD: netsh int ip reset
CMD: ipconfig /renew
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
CMD: bitsadmin /reset /allusers
REBOOT:
C:\Users\Owner\jagex_cl_runescape_LIVE.dat
C:\Users\Owner\jagex_cl_runescape_LIVE1.dat
C:\Users\Owner\random.dat
C:\Users\Owner\AppData\Local\Temp\i4jdel0.exe
C:\Users\Owner\AppData\Local\Temp\ose00000.exe
Task: {400F0FD4-1FAF-4447-BB54-F5DAD77FCF0D} - System32\Tasks\GoforFilesUpdate => C:\Program Files (x86)\GoforFiles\GFFUpdater.exe <==== ATTENTION
C:\Program Files (x86)\GoforFiles
Task: {58F522E5-34E4-443D-93C5-0DC707A441F8} - System32\Tasks\GC_Informer => %LOCALAPPDATA%\GCC\Controller.exe <==== ATTENTION
%LOCALAPPDATA%\GCC\Controller.exe
Task: {AF625D46-046E-4F50-A1EC-628367669DBD} - System32\Tasks\GC_Scheduler => %LOCALAPPDATA%\GCC\Controller.exe <==== ATTENTION
Task: {E4318DD4-BAB3-44B7-B2B3-F58EE1127F6D} - System32\Tasks\Microsoft\Windows\Maintenance\UP_Scheduler => %LOCALAPPDATA%\GCC\Controller.exe <==== ATTENTION
end

[*]Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

[*]Right-click on
https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.

https://sites.google.com/site/cannedfixes/tfc/5204fb054866c-TFC_nieuw_25x25.png
Clean Temporary Files with TFC

Please download TFC by OldTimer and save it to your desktop.
[*]Right-click on
https://sites.google.com/site/cannedfixes/tfc/5204fb054866c-TFC_nieuw_25x25.png
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
[*]Close any open programs and save your current work.
[*]Click the Start button to begin. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a couple of minutes.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

This tool doesn’t generate any report. Instead I recommend to keep it for good maintenance of your machine.

Update me about alerts after these steps.

13

Here is the fixlog and i will try it out for a day and post if theirs still an issue

14

Report in both cases: with/without issues. I’d like to perform some general scans for vulnerabilites to send you more secured :slight_smile:

15

I have been on all day so far no issues :slight_smile:

16

That’s great :slight_smile:

Let’s perform two more scans for any remnants and/or vulnerabilities, to send you from here more secured :slight_smile:

https://sites.google.com/site/cannedfixes/malwarebytes-anti-malware/51a46ae42d560-malwarebytes_anti_malware.png
Scan with Malwarebytes’ Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

[*]Install the progam and select update.
[*]Once updated, click the Settings tab, in the left panel choose Detctions & protection and tick Scan for rootkits.
[*]Click the Scan tab, choose Threat Scan is checked and click Scan Now.
[*]If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
[*]Upon completion of the scan (or after the reboot), click the History tab.
[*]Click Application Logs and double-click the Scan Log.
[*]At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.

https://sites.google.com/site/cannedfixes/security-check/51c9d14017fa0-SecurityCheck.PNG
Scan with Security Check

Please download Security Check by Screen317 and save it to your desktop.

[*]Right-click on
https://sites.google.com/site/cannedfixes/security-check/51c9d14017fa0-SecurityCheck.PNG
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
[*]Follow onscreen instructions inside the black box. This scan won’t take long.
[*]Soon a notepad document called checkup.txt will open automaticaly.

Please include the content of that document.

17

:o

18

Hi :slight_smile:

We’re nearly finished. Tell me do you have any other issues? Any concernes about your machine?

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/warning.gif
SpyBot S&D Warning

MVPS.org is no longer recommending SpyBot S&D due to very poor testing results (scroll down and read under Freeware Antispyware Products).
My advice is to get rid of this program. To do so:

[*]Press the
https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/WindowsKey.png

  • R on your keyboard at the same time. Type appwiz.cpl and click OK.
    [*]Search for SpyBot, right-click the entry and click Uninstall.

This is optional, but please consider it.

https://sites.google.com/site/cannedfixes/delfix/51a5ce45263de-delfix.png
Clean with DelFix

Please download DelFix by Xplode and save it to your desktop.

[*]Right-click on
https://sites.google.com/site/cannedfixes/delfix/51a5ce45263de-delfix.png
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
[*]Ensure that Remove disinfection tools, Purge system restore and Reset system settings are checked.
[*]Push Run.
[*]When finished, it will display a notepad report.

Include it for my review.

19

Hello :slight_smile:

You still with me?

20

Sorry i haven’t been around the computer this is the delfix.txt and i had a one time issue today were avast said threat and it was a url:mail it has not spammed me about it like the other one did though so not sure whats up with that.