Constant avast warnings (Avast has blocked a harmful webpage or file)

Hi, guys.

I just received 70+ alerts in a few minutes. For the moment it’s randomly stopped, but I need your help anyway. Other than that, I seem to have lost administrator privileges when it comes to certain things (my games, of all things, are affected and I need to go into the folder and allow access before opening them; this is only affecting some of the torrented games I have, Steam ones are fine; could be something else as well, but this is what I’ve noticed so far). I have no system restore points. I’m using Chrome and the first thing I noticed was that I was missing two extensions I normally use (Reddit Enhancement Suite and Reddit modtools) and in their place was an obviously bogus extension called something like free2pay. I’m not sure because I disabled and deleted it immediately. I can’t add any extensions to Chrome; it gives me a network error after I click on download. I’ve given my processes and services a cursory look over and I don’t see anything suspicious, but I’ll go back and do a more thorough search while I wait for replies here.

I ran Malwarebytes, Avast and adware scans and came up clean. I ran Malwarebytes yesterday and it did find a few things which I cleaned, so I’m including that log instead of the one from a few minutes ago (since the latter is clean and the former has the stuff found yesterday).

I’ve attached all the logs.

Thanks a lot in advance!

Note: for the duration of me writing this post and doing all the scans, there have been no alerts. So that’s about half an hour now. I switched to Firefox for this and the only other things running were the scans, so that points me to there being an issue with Chrome (which is where I first noticed the extension issue), but I’m not the expert here. :)

Edit: Scratch that, I forgot I turned on silent mode since it was annoying. Am now at about 30 alerts and it’s been less than a minute.

Unless you installed it yourself, malware has changed Chrome to a developer version, making it possible to install all kinds of malware without you noticing it.

Nope, definitely didn’t do it myself. I’ll go and reinstall Chrome then. Any leftover files I should be worried about or is reinstalling enough?

Uninstall Chrome
Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants. We need to resolve this.

  1. If you have bookmarks, let’s save them by exporting them - Export Bookmarks
  2. Then I need you to go to Google Sync and sign into your account
  3. Scroll down until you see the “Stop and Clear” button and click on the button. At the prompt click on “Ok”
  4. Now we need to uninstall Chrome; do this from Control Panel.
    Note: When asked about user data or settings you must remove this also, so please check the box.
  5. We will re-install on completion

THEN

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-2774810739-553482300-3206375011-1000\...\Run: [GoogleChromeAutoLaunch_9CEF9672B8F3C0025F582923A505D095] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [809288 2015-03-30] (Google Inc.)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO-x32: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll No File
BHO-x32: No Name -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> No File
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
FF Extension: craZyloWWerpriciE - C:\Users\Petra\AppData\Roaming\Mozilla\Firefox\Profiles\7n2qxm6n.default\Extensions\bxquH@y.org [2015-04-10]
CHR StartupUrls: Default -> "hxxp://start.search.us.com/v/2/?guid={46101F87-98B4-4B23-AE82-64D096D66B1E}&serpv=5", "hxxp://mysearch.avg.com?cid={6D2300EA-D31A-4198-A2A7-273D2ED8AA04}&mid=97b6ce35029a47d385dfa5b92b437ed5-7c6c5d771a5744ceb85d5cb921304a172a0a7cc8&lang=en&ds=cg011&coid=avgtbdiscg&cmpid=&pr=sa&d=2013-08-24 00:35:37&v=18.1.7.598&pid=safeguard&sg=0&sap=hp"
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\Petra\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Users\Petra\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-07-29]
CHR Extension: (Adblock Plus) - C:\Users\Petra\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2013-07-29]
CHR Extension: (Pushbullet) - C:\Users\Petra\AppData\Local\Google\Chrome\User Data\Default\Extensions\chlffgpmiacpedhhbkiomidkjlcfhogd [2015-01-14]
CHR Extension: (Google Search) - C:\Users\Petra\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-07-29]
CHR Extension: (XKit) - C:\Users\Petra\AppData\Local\Google\Chrome\User Data\Default\Extensions\fpfgeeomkfdefkckijiabdbogjkdaecd [2013-07-29]
CHR Extension: (Avast Online Security) - C:\Users\Petra\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-08-13]
CHR Extension: (No Name) - C:\Users\Petra\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhjpjhhkcbkmgdkahnckfboefnkgghpo [2015-04-10]
CHR Extension: (No Name) - C:\Users\Petra\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2015-04-10]
CHR Extension: (Google Wallet) - C:\Users\Petra\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
CHR Extension: (Hover Zoom) - C:\Users\Petra\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl [2014-09-23]
CHR Extension: (No Name) - C:\Users\Petra\AppData\Local\Google\Chrome\User Data\Default\Extensions\oefddkjnflmjbclpnnoegglmmdfkidip [2015-04-10]
CHR Extension: (Gmail) - C:\Users\Petra\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-07-29]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-08-13]
R2 11c21c55; c:\Program Files (x86)\LinkFoobar\LinkFoobar.dll [2282496 2015-04-07] () [File not signed]
2015-04-09 23:48 - 2015-04-10 00:03 - 00000000 ____D () C:\Program Files (x86)\marketcompaRRe
2015-04-09 23:48 - 2015-04-09 23:48 - 00000000 ____D () C:\Program Files (x86)\craZyloWWerpriciE
2015-04-09 23:47 - 2015-04-09 23:48 - 00000000 ____D () C:\Program Files (x86)\Rambler News
2015-04-09 23:46 - 2015-04-10 00:03 - 00000000 ____D () C:\Program Files (x86)\bbIuggdeala
2015-04-09 23:46 - 2015-04-09 23:48 - 00000000 ____D () C:\ProgramData\14969218108721393716
2015-04-08 15:28 - 2015-04-08 15:28 - 00000000 ____D () C:\Users\Petra\AppData\Local\Chromium
2015-04-07 23:39 - 2015-04-07 23:39 - 00000000 ____D () C:\Program Files (x86)\LinkFoobar
2015-03-24 04:35 - 2015-03-24 04:35 - 00002251 _____ () C:\Users\Administrator\Desktop\Google Chrome.lnk
2015-03-24 04:35 - 2015-03-24 04:35 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-04-10 18:10 - 2013-07-29 18:42 - 00000944 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Users\Petra\DSETUP.dll
C:\Users\Petra\dsetup32.dll
C:\Users\Petra\DXSETUP.exe
C:\Program Files (x86)\Google\Chrome
C:\Users\Petra\AppData\Local\Google\Chrome
c:\Program Files (x86)\LinkFoobar
C:\Program Files (x86)\Google\Update
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

FINALLY

Please download AdwCleaner by Xplode onto your desktop.

  1. Close all open programs and internet browsers.
  2. Double click on AdwCleaner.exe to run the tool.
  3. Click on Scan.
  4. After the scan is complete click on “Clean”.
  5. Confirm each time with Ok.
  6. Your computer will be rebooted automatically. A text file will open after the restart.
  7. Please post the content of that logfile with your next answer.
  8. You can find the logfile at C:\AdwCleaner[S0].txt as well.
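As an added example (not part of the thread or of FRST), the two things the fixlist above targets can be checked by hand before and after the reinstall: the per-profile Extensions folder, where FRST reports an entry as “No Name” when it cannot read a manifest name, and the machine-level Chrome policy key that the fixlist flagged as a “Policy restriction”. The profile path and the ExtensionInstallForcelist value layout are assumptions; adjust $ProfileDir for a non-default profile.

```powershell
# Added example (not from the thread): inventory Chrome extensions in the default profile and list
# force-installed extensions under HKLM\SOFTWARE\Policies\Google. Profile path is an assumption.
$ProfileDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'

function Resolve-ExtensionName {
    param($Manifest, [string]$VersionDir)
    $name = $Manifest.name
    # Localized names look like __MSG_appName__ and resolve via _locales\<locale>\messages.json
    if ($name -match '^__MSG_(.+)__$' -and $Manifest.default_locale) {
        $msgFile = Join-Path $VersionDir ("_locales\{0}\messages.json" -f $Manifest.default_locale)
        if (Test-Path $msgFile) {
            $entry = (Get-Content -Raw $msgFile | ConvertFrom-Json).PSObject.Properties[$Matches[1]]
            if ($entry) { $name = $entry.Value.message }
        }
    }
    return $name
}

function Get-ChromeExtensionInventory {
    param([string]$Root = (Join-Path $ProfileDir 'Extensions'))
    if (-not (Test-Path $Root)) { return @() }
    foreach ($ext in Get-ChildItem -Path $Root -Directory) {
        # Each extension id folder holds one or more version folders, each with a manifest.json
        $ver = Get-ChildItem -Path $ext.FullName -Directory | Sort-Object LastWriteTime -Descending | Select-Object -First 1
        $name = $null
        if ($ver -and (Test-Path (Join-Path $ver.FullName 'manifest.json'))) {
            try {
                $manifest = Get-Content -Raw (Join-Path $ver.FullName 'manifest.json') | ConvertFrom-Json
                $name = Resolve-ExtensionName $manifest $ver.FullName
            } catch { }
        }
        [pscustomobject]@{
            Id        = $ext.Name
            Name      = $name
            Installed = $ext.CreationTime
            # An unreadable name is what FRST logs as "(No Name)"; those entries deserve a look
            Flag      = $(if (-not $name) { 'NO NAME - review' } else { '' })
        }
    }
}

function Get-ChromeForcedExtensions {
    # ExtensionInstallForcelist pins extensions the user cannot remove; a machine policy the user
    # never set is the kind of "Policy restriction" the fixlist flagged under Policies\Google
    $key = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
}

Get-ChromeExtensionInventory | Sort-Object Installed -Descending | Format-Table -AutoSize
Get-ChromeForcedExtensions
```

Sorting by folder creation time puts the most recently added extensions first, which is how the three unnamed entries dated 2015-04-10 in the fixlist stand out from the 2013 and 2014 installs.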

Here’s the fix log. Sorry, had to run out for a bit. No warnings since the reboot (fingers crossed!). I’ll do the final scan now and report back.

And the last log. Still okay on the warnings front. The only leftover seems to be the permissions issue, but I’m not sure if that’s related. I am able to give myself permissions by going manually into each folder, though that’s a bit tedious.

Any advice on how to prevent this from happening? I honestly have no idea where I picked it up since I usually just go to the same trusted sites. Avast is on all the time (including the Chrome plugin), Malwarebytes is used every few weeks (I have the free version so it’s not realtime). The fact that it still wasn’t picked up is a bit disconcerting.

Is it safe to reinstall Chrome now?

Thanks for all your help. :)

Could you check whether or not you still have the permissions problems?

Yes, you can now re-install Chrome.

I do. But when I go into the folder, a pop-up shows up that lets me get the permissions back. Just, like I said, it’s a bit tedious to do it one by one. For now, I’ve only noticed it with the games whose shortcuts are on my desktop, since the icons have changed (see attachment). And like I said, it seems to only be affecting games that were torrented. All Steam and other legit ones are okay.

Download Windows All In One Repair from Tweaking.com to your desktop.
Install the programme.

Reboot to safe mode with networking.
Run Windows All In One.
Select Step 2.
Select Open Pre-Repairs Scan, then click Scan.
Let that complete.
Save the results to a text file on your desktop.

https://dl.dropboxusercontent.com/u/73555776/waioprescan.JPG

Next select Step 5 and back up the registry.

https://dl.dropboxusercontent.com/u/73555776/waioregback.JPG

Open the Repairs tab.

https://dl.dropboxusercontent.com/u/73555776/waioopenrep.JPG

Select the following repair numbers:

1, 2, 10, 12

Set the system to reboot on completion.
Then press Start Repairs.

https://dl.dropboxusercontent.com/u/73555776/waiorepair.JPG