Avast Web Agent Alert on Win 8.1 Start

Hello,

I have an Avast Web Agent Alert at each start of Windows 8.1.
It tells me that it is process C:\Windows\SysWOW64\CompileFAT32Method\CompileFAT32Method.exe
and when I click on the link it gives me this information:

URL hxxp://159.8.13.146/Pirrit-Desktop-CustomName-MSVC-2.4-Update.exe|{app}{code:GPPN}
Infection Win32:Downloader-VNP [Trj]

Can anyone help me?

How to receive help instructions https://forum.avast.com/index.php?topic=53253.0

Ok here is the Malwarebytes Log

Malwarebytes Anti-Malware www.malwarebytes.org

Scan date: 09/09/2014
Scan time: 20:48:13
Log file:
Administrator: Yes

Version: 2.00.2.1012
Malware database: v2014.09.09.05
Rootkit database: v2014.08.21.01
License: Premium
Malware protection: Enabled
Malicious website protection: Enabled
Self-protection: Disabled

Operating system: Windows 8.1
CPU: x64
File system: NTFS
User: Thomas Local

Scan type: Threat scan
Result: Completed
Objects scanned: 361758
Time elapsed: 17 min, 59 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry keys: 0
(No malicious items detected)

Registry values: 0
(No malicious items detected)

Registry data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
PUP.Optional.SweetPage.A, C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Preferences, Good: (), Bad: ( "startup_urls": [ "http://www.google.fr/", "http://www.sweet-page.com/?type=hp&ts=1405262090&from=cor&uid=HGSTXHTS541075A9E680_JD13021X037DEK037DEKX" ],), Replaced,[badfab40ff7c87af7017eb3e9f6613ed]

Physical sectors: 0
(No malicious items detected)

(end)

and rest of the logs?

Here are the FRST.txt and Addition.txt logs of Farbar Recovery Scan Tool

And the aswmbr log

This is something new… I would like a copy of the quarantine folder when we have finished

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

ProxyServer: http=127.0.0.1:16470
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
U2 CompileFAT32Method; C:\Windows\SysWOW64\CompileFAT32Method\CompileFAT32Method.exe [60453 2014-09-06] () [File not signed]
2014-09-07 18:21 - 2014-09-07 18:21 - 00000144 _____ () C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2014-09-07 17:19 - 2014-09-07 17:19 - 00000510 _____ () C:\WINDOWS\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat
2014-09-07 16:59 - 2014-09-06 18:37 - 00000000 ____D () C:\WINDOWS\SysWOW64\CompileFAT32Method
C:\Windows\Temp\UptUpdater.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Could you run a fresh FRST scan

Hello,

Thank you for your answer.
Before performing your fix, I would like to explain that :
Between my last post and your answer I uninstalled Avast and installed it again. After reboot Avast found a rootkit. Then it scanned on boot.

Now everything seems fine, I no longer have any alert from Avast.

Tonight I performed all scans (Malwarebytes’ Anti-Malware, then Farbar, then aswMBR), all logs are attached.
Which quarantine folder do you want to see (Malwarebytes Anti-Malware, Avast?) and where can I find it?

With help of logs can you confirm that everything is fine, or do I need to fix anything ?

Thanks again for helping :wink:

That file has come back again and I am not sure where it is from so I would like to check it out

Go to Virustotal
Click Choose File and navigate to C:\Windows\SysWOW64\CompileFAT32Method\CompileFAT32Method.exe and select it
Then press scan it

Once it has completed could you copy the link and post it here

Here is the result of virustotal

https://www.virustotal.com/en/file/619fbbdd0fb1cd161fc7da576e5b04b3f44f188f6243f785873aa200a6111b3e/analysis/1410460415/

Well to me that does look like a bad boy

What I will do now is remove it again and see what FRST tells me, please post the log that appears after the reboot

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

R2 CompileFAT32Method; C:\Windows\SysWOW64\CompileFAT32Method\CompileFAT32Method.exe [60453 2014-09-06] () [File not signed]
2014-09-07 18:21 - 2014-09-07 18:21 - 00000144 _____ () C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2014-09-07 17:19 - 2014-09-07 17:19 - 00000510 _____ () C:\WINDOWS\system32\{F33C3B9B-72AF-418A-B3FD-560646F7CDA2}.bat
C:\Windows\SysWOW64\CompileFAT32Method
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that
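The two fixlists above and the VirusTotal step all target the same three artefacts: an unsigned service binary living in its own folder under SysWOW64, a proxy pointed at 127.0.0.1, and stray .bat files plus BITS jobs used to re-fetch the dropper. The script below is an added example for re-checking those artefacts on the machine after the fix; it is not part of the forum thread, of FRST or of Avast. It uses only built-in cmdlets available on Windows 8.1 (PowerShell 4) and later, assumes an elevated prompt (needed for Get-BitsTransfer -AllUsers), and the function names and the 14-day window are my own choices.

```powershell
# Post-cleanup triage for the indicators handled by the FRST fixlists in this thread.
# Added example, not code from the thread or from FRST. Run from an elevated prompt.

function Get-UnsignedServiceBinaries {
    # Win32_Service.PathName is a command line; reduce it to the image path so
    # Get-AuthenticodeSignature and Get-FileHash get a plain file path.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $cmd = $_.PathName
        if (-not $cmd) { return }
        if ($cmd.StartsWith('"')) {
            $path = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
        } else {
            # Unquoted: cut at the first " -" or " /" switch; fall back to first token.
            $path = ($cmd -split ' -| /')[0]
            if (-not (Test-Path -LiteralPath $path)) { $path = ($cmd -split ' ')[0] }
        }
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Service   = $_.Name
                StartMode = $_.StartMode
                Path      = $path
                SigStatus = $sig.Status
                # SHA-256 is the hash VirusTotal keys its report URLs on, so this
                # value can be pasted straight into a VirusTotal search.
                SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

function Get-LoopbackProxy {
    # The first fixlist removed ProxyServer: http=127.0.0.1:16470 from HKCU.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p.ProxyServer -and $p.ProxyServer -match '127\.0\.0\.1|localhost') {
        [pscustomobject]@{ ProxyEnable = $p.ProxyEnable; ProxyServer = $p.ProxyServer }
    }
}

function Get-RecentSystemBatFiles([int]$Days = 14) {
    # Both fixlists deleted GUID-named .bat files written to System32 days earlier.
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path "$env:windir\System32", "$env:windir\SysWOW64" -Filter *.bat -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-AllUserBitsJobs {
    # bitsadmin /reset /allusers in the fixlists cleared these; anything left is suspect.
    Import-Module BitsTransfer -ErrorAction Stop
    Get-BitsTransfer -AllUsers | Select-Object DisplayName, JobState, OwnerAccount,
        @{ n = 'RemoteFiles'; e = { ($_.FileList | ForEach-Object { $_.RemoteName }) -join ';' } }
}

Write-Host '== Services whose image is not Authenticode-valid =='
Get-UnsignedServiceBinaries | Format-Table -AutoSize
Write-Host '== Loopback proxy in HKCU Internet Settings =='
Get-LoopbackProxy | Format-Table -AutoSize
Write-Host '== .bat files written to System32/SysWOW64 in the last 14 days =='
Get-RecentSystemBatFiles | Format-Table -AutoSize
Write-Host '== BITS jobs for all users =='
Get-AllUserBitsJobs | Format-Table -AutoSize
```

Two caveats when reading the output. On PowerShell 4 (Windows 8.1) Get-AuthenticodeSignature does not consult the Windows catalog files, so many genuine Microsoft binaries that are catalog-signed rather than embedded-signed will also report NotSigned; treat the SHA256 column as the thing to look up rather than the status alone, or use Sysinternals sigcheck, which does check catalogs. Second, an unquoted service path containing spaces is not parsed correctly by the simple split above and will be skipped; FRST's own service listing does not have that limitation.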

Here it is

OK, that appeared to move it. Could you run one further FRST scan please, I do not need Addition.txt this time

Here it is

OK that has gone, I wonder why it did not go first time

Any further problems?

Thank you essexboy for your very useful help :stuck_out_tongue:
Everything seems to be fine now 8)

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave: