system
December 27, 2014, 6:37pm
1
Hi
Every time I go on the internet, the avast web shield keeps popping up over and over again. Not sure what has infested my computer. I have installed malwarebytes (free edition) and scanned the computer. It finds loads of stuff, does its thing and then next time I am on the computer, the same thing happens. I am not very technical, so any help I could get would be great.
Thanks
Sue
Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0
system
December 27, 2014, 8:44pm
3
Here are the scan logs. Not sure whether they sent last time. Thanks for helping
OK, now you’ve to wait. As many experts are on holiday or busy, it might take a while…
system
December 28, 2014, 5:02pm
5
Thank you. I will wait to hear back.
system
January 8, 2015, 6:49pm
6
Hi there. Has anybody had a chance to look at this yet? Really could do with some help.
Thanks
Sue
Hi, sorry that we missed you.
Could you let me know if this stops the alerts?
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
GroupPolicyUsers\S-1-5-21-2360735211-315669688-3937860421-1078\User: Group Policy restriction detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2360735211-315669688-3937860421-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2360735211-315669688-3937860421-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
URLSearchHook: HKU\S-1-5-21-2360735211-315669688-3937860421-1000 - (No Name) - {37483b40-c254-4a72-bda4-22ee90182c1e} - No File
URLSearchHook: HKU\S-1-5-21-2360735211-315669688-3937860421-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 - (No Name) - {37483b40-c254-4a72-bda4-22ee90182c1e} - No File
SearchScopes: HKU\S-1-5-21-2360735211-315669688-3937860421-1000 -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKU\S-1-5-21-2360735211-315669688-3937860421-1000 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2102} URL =
SearchScopes: HKU\S-1-5-21-2360735211-315669688-3937860421-1000 -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
SearchScopes: HKU\S-1-5-21-2360735211-315669688-3937860421-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL =
SearchScopes: HKU\S-1-5-21-2360735211-315669688-3937860421-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2102} URL =
SearchScopes: HKU\S-1-5-21-2360735211-315669688-3937860421-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
SearchScopes: HKU\S-1-5-21-2360735211-315669688-3937860421-1077-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites_14_12_other&cd=2XzuyEtN2Y1L1QzutDtDtCyDzztAtCyC0CtCtCzzyC0Czy0FtN0D0Tzu0SzztDzztN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyBtB0A0EtByB0ByCtGtDyBtA0AtGtC0DyEtDtG0B0AzytDtGtByEtCzy0B0ByE0DyB0FtDtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtAyD0FtBzzzyyEtGyDyE0DzztG0AyCyBzytGtCyEzztDtGyD0F0C0DyCyC0Dzy0AyD0B0E2Q&cr=211875779&ir=
SearchScopes: HKU\S-1-5-21-2360735211-315669688-3937860421-1077-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-2360735211-315669688-3937860421-1077-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites_14_12_other&cd=2XzuyEtN2Y1L1QzutDtDtCyDzztAtCyC0CtCtCzzyC0Czy0FtN0D0Tzu0SzztDzztN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyBtB0A0EtByB0ByCtGtDyBtA0AtGtC0DyEtDtG0B0AzytDtGtByEtCzy0B0ByE0DyB0FtDtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBtAyD0FtBzzzyyEtGyDyE0DzztG0AyCyBzytGtCyEzztDtGyD0F0C0DyCyC0Dzy0AyD0B0E2Q&cr=211875779&ir=
SearchScopes: HKU\S-1-5-21-2360735211-315669688-3937860421-1078-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites_14_12_ch&cd=2XzuyEtN2Y1L1QzutDtDtCyDzztAtCyC0CtCtCzzyC0Czy0FtN0D0Tzu0SzztDyBtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StAtD0ByC0FyE0FtAtGtBtAtDtCtGtBtD0DzztG0AtC0FtDtGyE0CzyyEyByEtDtCyByDzz0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0DyC0D0EyCtAyEtGtB0FtDtCtGzz0DyEtCtGtBtB0AtAtGyD0EyB0DyEtA0BtByEzy0EyE2Q&cr=1928725118&ir=
SearchScopes: HKU\S-1-5-21-2360735211-315669688-3937860421-1078-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dsites_14_12_ch&cd=2XzuyEtN2Y1L1QzutDtDtCyDzztAtCyC0CtCtCzzyC0Czy0FtN0D0Tzu0SzztDyBtN1L2XzutBtFtCzztFtBtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StAtD0ByC0FyE0FtAtGtBtAtDtCtGtBtD0DzztG0AtC0FtDtGyE0CzyyEyByEtDtCyByDzz0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0DyC0D0EyCtAyEtGtB0FtDtCtGzz0DyEtCtGtBtB0AtAtGyD0EyB0DyEtA0BtByEzy0EyE2Q&cr=1928725118&ir=
SearchScopes: HKU\S-1-5-21-2360735211-315669688-3937860421-1078-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKU\S-1-5-21-2360735211-315669688-3937860421-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKU\S-1-5-21-2360735211-315669688-3937860421-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38}
S3 gtermddo; \??\C:\Users\nicholas\AppData\Local\Temp\gtermddo.sys [X]
Task: {02AB8792-477A-4084-B789-B520152A268E} - System32\Tasks\{28A610A1-3FB0-4D08-8D9C-C1FDB918504A} => pcalua.exe -a F:\autorun.exe -d F:\
Task: {0319B68F-E6BF-4C83-8E7E-E783DD1599FD} - \Optimizer Pro Schedule No Task File <==== ATTENTION
Task: {0EC249DA-A9E0-4F5B-B2B7-77F7D6F53F4A} - System32\Tasks\{7D03727F-ACBC-4D24-A754-CD4263D5B8C2} => pcalua.exe -a C:\Users\nicholas\Desktop\delta201Setup.exe -d C:\Users\nicholas\Desktop
C:\Users\nicholas\AppData\Local\Temp\gtermddo.sys
C:\Windows\Tasks\{E899F45A-0425-4E9C-A371-7B4B77A7B818}.job
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt , in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that
THEN
Please download AdwCleaner by Xplode onto your desktop.
1. Close all open programs and internet browsers.
2. Double click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete click on "Clean".
5. Confirm each time with Ok.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S1].txt as well.
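As an added, read-only audit script (not part of this thread, and not FRST or AdwCleaner code) that inspects the same registry locations the fixlist above targets: per-user IE SearchScopes and URLSearchHooks, the machine-wide Chrome policy key, and the IE default page/search URLs. The list of expected search domains is an assumption; it makes no changes, it only reports.

```powershell
# Constructed audit script: report search-hijack indicators of the kind FRST flagged above.
$allowed = @('google.com','bing.com','duckduckgo.com')   # assumption: engines the user actually uses

function Test-SuspiciousUrl([string]$url) {
    if ([string]::IsNullOrWhiteSpace($url)) { return $false }
    try { $h = ([uri]$url).Host } catch { return $true }    # unparsable URL is itself suspicious
    foreach ($d in $allowed) { if ($h -eq $d -or $h.EndsWith(".$d")) { return $false } }
    return $true
}

$findings = @()
# Walk every loaded user hive (S-1-5-21-...), skipping the *_Classes aliases.
Get-ChildItem Registry::HKEY_USERS |
  Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
  ForEach-Object {
    $sid = $_.PSChildName
    $scopes = "Registry::HKEY_USERS\$sid\Software\Microsoft\Internet Explorer\SearchScopes"
    if (Test-Path $scopes) {
        Get-ChildItem $scopes | ForEach-Object {
            $url = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).URL
            if (Test-SuspiciousUrl $url) {
                $findings += [pscustomobject]@{ Sid=$sid; Where="SearchScopes\$($_.PSChildName)"; Value=$url }
            }
        }
    }
    $hooks = "Registry::HKEY_USERS\$sid\Software\Microsoft\Internet Explorer\URLSearchHooks"
    if (Test-Path $hooks) {
        (Get-ItemProperty $hooks).PSObject.Properties | Where-Object { $_.Name -like '{*}' } | ForEach-Object {
            # A hook CLSID with no registration is the "No File" case FRST reports (approximation).
            if (-not (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$($_.Name)")) {
                $findings += [pscustomobject]@{ Sid=$sid; Where='URLSearchHook'; Value=$_.Name }
            }
        }
    }
  }
# Machine-wide Chrome policy: any values present here deserve a look on a home PC.
$chromePol = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (Test-Path $chromePol) {
    $vals = (Get-ItemProperty $chromePol).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($v in $vals) { $findings += [pscustomobject]@{ Sid='HKLM'; Where=$chromePol; Value="$($v.Name)=$($v.Value)" } }
}
# IE default page / search URLs (the entries the fixlist resets).
$ie = Get-ItemProperty 'HKLM:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
foreach ($n in 'Default_Page_URL','Default_Search_URL','Start Page') {
    if (Test-SuspiciousUrl $ie.$n) { $findings += [pscustomobject]@{ Sid='HKLM'; Where="IE Main\$n"; Value=$ie.$n } }
}
$findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell so the other users' hives (the -1000, -1077 and -1078 SIDs in the log) are readable; an empty table means none of these locations currently point off the allowed list.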
system
January 10, 2015, 9:42am
8
Many thanks for responding.
I have completed all you suggested. Here is the log from adwcleaner
system
January 10, 2015, 9:42am
9
Sorry, I forgot to say, the alerts are still popping up.
Did you run the fix with FRST…? If so, post the log.
Could you also attach a screenshot of the Avast popup
system
January 10, 2015, 11:44am
12
Hi, here is the fixlog and also a screenshot. Each time the shield pops up, the object is different.
Do you get the same alert for IE and Firefox ?
system
January 10, 2015, 12:41pm
14
I don’t usually use IE, but I have just tried it and they do not appear to pop up with IE. Don’t have firefox.
OK that confirmed my suspicion that it is hiding in Chrome somewhere.
First back up your bookmarks :
Export bookmarks from Chrome
1. In the top-right corner of the browser window, click the Chrome menu.
2. Select Bookmarks > Bookmark Manager.
3. Click the "Organise" menu in the manager.
4. Select Export bookmarks.
5. Save to the desktop.
Chrome will export your bookmarks as an HTML file, which you can then import into Chrome after the reset.
Reset your browser settings :
1. In the top-right corner of the browser window, click the Chrome menu.
2. Select Settings.
3. At the bottom, click Show advanced settings.
4. Under the section "Reset settings", click Reset settings.
5. In the dialogue that appears, click Reset.
Now restart Chrome. Do the alerts still appear?
system
January 10, 2015, 1:06pm
16
That appears to have worked. Marvellous, thank you very much.
Any further problems before I tidy up?