Avast randomly popped up and told me: “Suspicious files have been detected (using a heuristic method). This may be a sign of malware infection.”
Short of deleting this and probably having to reinstall my OS what should I do?
Also, when I scan this file, specifically, with avast, or the entire systems32 folder, no threat is ever found, it was only this once that Avast randomly told me it may have a malware infection? Is this something to be worried about.
Man you got a real long name. Please do not use your e-mail as nickname. BTW welcome to Avast! forums.
A screenshot of the alert would be helpful. Also the name of the file that Avast! detected.
Is the file popping up continuously or just that one time ? How is the comp. behaving ?
Have you done a full scan with avast! ? Did it find anything ?
Follow this guide: http://forum.avast.com/index.php?topic=53253.0
and attach ( Do not copy/paste ) logs for AdwCleaner, malwarebytes’, OTL, and aswMBR.exe.
An expert in the removal of malware will help you.
Some time may pass before getting help due to time zone differences. Meanwhile do your scans and attach the logs.
Explorer.exe? hhhmmm…try to copy that file into another computer with the same Operating System and version. that was the trick I’ve used. worst scenario, you have to format your computer. you must put into habit of Creating a restore point with windows. so that you have a backup plan when your computer crashes. most of the user here don’t know how to use that special function of Windows.
No need to format your OS AdoptablePeach, just attach the logs and let a specialist to look at them.
Ok so here is the initial log after downloading adwcleaner.
C:\Users\Everett\AppData\Roaming\Mozilla\Firefox\Profiles\pvm8n7zl.default\user.js … Deleted !
[OK] File is clean.
File : C:\Users\Ethan\AppData\Roaming\Mozilla\Firefox\Profiles\jwetvlj6.default\prefs.js
Deleted : user_pref(“browser.search.defaulturl”, “hxxp://search.gboxapp.com/?q=”);
Deleted : user_pref(“browser.startup.homepage”, “hxxp://search.gboxapp.com/”);
Deleted : user_pref(“extensions.4fa188d75bf14.scode”, "(function(){try{if('aol.com,mail.google.com,mystart.inc[…]
Deleted : user_pref(“keyword.URL”, “hxxp://search.gboxapp.com/?q=”);
Deleted : user_pref(“sweetim.toolbar.previous.browser.search.defaultenginename”, “”);
Deleted : user_pref(“sweetim.toolbar.previous.browser.search.defaulturl”, “”);
Deleted : user_pref(“sweetim.toolbar.previous.browser.search.selectedEngine”, “”);
Deleted : user_pref(“sweetim.toolbar.previous.browser.startup.homepage”, “”);
Deleted : user_pref(“sweetim.toolbar.urls.homepage”, “hxxp://home.sweetim.com”);
-\ Google Chrome v24.0.1312.57
File : C:\Users\Roy\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
File : C:\Users\Zack\AppData\Local\Google\Chrome\User Data\Default\Preferences
Deleted [l.866] : homepage = “hxxp://home.sweetim.com/?crg=3.1010000.10004”,
Deleted [l.1352] : urls_to_restore_on_startup = [ “hxxp://home.sweetim.com/?crg=3.1010000.10004”, "hxxp://www.g[…]
File : C:\Users\Everett\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
File : C:\Users\Ethan\AppData\Local\Google\Chrome\User Data\Default\Preferences
Deleted [l.8] : homepage = “hxxp://search.conduit.com/?SearchSource=10&ctid=CT3201318”,
Deleted [l.12] : urls_to_restore_on_startup = [ “hxxp://search.gboxapp.com/” ]
Deleted [l.42] : search_url = “hxxp://search.gboxapp.com/?q={searchTerms}”,
Deleted [l.43] : suggest_url = “hxxp://search.gboxapp.com/?q={searchTerms}”
Deleted [l.1094] : homepage = “hxxp://search.conduit.com/?SearchSource=10&ctid=CT3201318”,
Deleted [l.1421] : urls_to_restore_on_startup = [ “hxxp://search.gboxapp.com/” ]
AdwCleaner[S1].txt - [307 octets] - [05/02/2013 23:32:30]
AdwCleaner[S2].txt - [19719 octets] - [06/02/2013 16:44:31]
########## EOF - C:\AdwCleaner[S2].txt - [19780 octets] ##########
My malwarebytes scan.
Internet Explorer 9.0.8112.16421
Everett :: DESKTOP [administrator]
Protection: Enabled
06/02/2013 5:01:16 PM
mbam-log-2013-02-06 (17-01-16).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 352343
Time elapsed: 25 minute(s), 40 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 1
HKCR\CLSID{0696f815-a3a9-490a-bb14-9ec3350b1276} (PUP.MyWebSearch) → Quarantined and deleted successfully.
Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform|ShopperReports 3.1.69.0 (Adware.HotBar) → Data: → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform|SRS_IT_E879077FBD765C5534AE96 (Malware.Trace) → Data: → Quarantined and deleted successfully.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 10
C:\ProgramData\OptimizerPro1\OptimizerPro1.exe (Trojan.Dropper) → Quarantined and deleted successfully.
C:\Users\Everett\AppData\Local\Temp\is-BC69E.tmp\DealioToolbar-stub-1.exe (PUP.Dealio.TB) → Quarantined and deleted successfully.
C:\Users\Everett\AppData\Local\Temp\is-JA7JO.tmp\DealioToolbar-stub-1.exe (PUP.Dealio.TB) → Quarantined and deleted successfully.
C:\Users\Everett\AppData\Local\Temp\is-QSU73.tmp\DealioToolbar-stub-1.exe (PUP.Dealio.TB) → Quarantined and deleted successfully.
C:\Users\Zack\AppData\Local\Temp\ICReinstall\Facemoods.exe (Adware.InstallCore) → Quarantined and deleted successfully.
C:\Users\Everett\Local Settings\Temporary Internet Files\Content.IE5\CJP1QB9U\uninstaller[1].exe (PUP.Offerware) → Quarantined and deleted successfully.
C:\Users\Everett\Local Settings\Temporary Internet Files\Content.IE5\N43Y57YF\agent_setup[1].exe (PUP.Offerware) → Quarantined and deleted successfully.
C:\Program Files (x86)\Framework.dll (Spyware.OnlineGames) → Quarantined and deleted successfully.
C:\Program Files (x86)\OIS.dll (Spyware.OnlineGames) → Quarantined and deleted successfully.
C:\Program Files (x86)\SkseProxy.dll (Spyware.OnlineGames) → Quarantined and deleted successfully.
(end)
No need to copy/paste log results. Attach the log text file. How to attach logs see my image below.
Still need OTL and aswMBR.exe
Specialists were notified.
This is a print screen of what appears.
My OTL.txt and Extras.txt
Hi,
I need aswMBR.txt logreport. Run aswMBR.exe AntiRootkit tool.
http://forum.avast.com/index.php?topic=53253.0
Go to control Panel > add or remove programs and uninstall OptimizerPro
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.
How to disable avast:
[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.
When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
Attach log reports ( ComboFix.txt) back to topic.
Re-run OTLScan
[*] Make sure all other windows are closed and to let it run uninterrupted.
[*] Click on Scan All Users
[*] Paste this into Custom Scans/Fixes box at the bottom
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
/md5stop
CREATERESTOREPOINT
[*] Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*] When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*] Please attach them in this thread.
Ok, will do. Here’s my aswMBR. Sorry I don’t think it finished.
After restarting my computer my profile no longer displays. I can log in but it’s just a black screen. I have to open this through task manager can I fix this, or do I have to bring it in to a shop?
Hi,
Did you run Combofix? If you have, i need to see Combofix.txt log. (C:\Combofix.txt)
If you dont’t have Combofix log, then delete current and download fresh Combofix and re-run.
Can you load windows safe mode? Anyway i need to see COmbofix log as your system is infected.
I can’t see any part of my desktop. How do I disable the shields permanently without the icon on the bottom right? I have to go through my files to do anything.
Ok here is the combofix log.
Hi,
It is necessary that you follow instructions that is given …
Step#1
Open notepad and copy/paste the text present inside the code box below:
KillAll::
File::
c:\windows\Tasks\OptimizerProUpdaterTask{C216DF16-E33C-4CF7-AFAD-7D410EF1B4B1}.job
Folder::
c:\programdata\Premium\OptimizerPro
ClearJavaCache::
DDS::
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and refering to the picture above.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )
Step#2
Download TDSSKiller and save it to your desktop
Execute [b]TDSSKiller.exe[/b] by doubleclicking on it.
[*] Press Start Scan
[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive which is typically C:\ ,for example, [b]C:\TDSSKiller.<version_date_time>log.txt[/b]
Please post the contents of that log in your next reply.
Step#3
My TDSSKILLER log.
The new combofix text.
New OTL text, I didn’t get an Extra.txt file this time.
Also my desktop is back up I can see my profile.