Frequent 'Threat Detected' popups, but can't find the threat

Hi, thanks for any help you can offer.

Our PC has been repeatedly getting THREAT DETECTED popups for probably a week or two but I hadn’t noticed until I used the machine; the primary user had mentioned it but not how frequent it is (every 5-10 minutes).

At first I thought it was a good thing b/c I figured it was blocking bad things from getting onto the computer when she was browsing. I ran a system scan on Avast and a malwarebytes scan which turned up a few things and figured that got rid of it. But it kept happening and I realized recently it happens anytime, not just when browsing. All of the warnings reference either wvydeo or xmlka, both of which seem to be common.

Hard to say if it’s connected or not but since this began this computer has been slow to communicate with the printer and as of right now does not appear to be printing at all.

I’ve got my most recent scans attached:
- screencap of the popup message with file name & process
- malwarebytes, tonight + the one from 11-11 which turned up a few things
- farbar FRST log

looks like I maxed out on attachments, will do a second post with additional attachments.

Any help is vastly appreciated.

Thanks,

Dan

Hello,

You’re missing Addition.txt report.

Yep, it only let me post 4… ADDITION is attached here along with an aswmbr.txt log as well.

I also ran Hitman Pro at the suggestion of another forum and it found a bunch of things. No idea where the log got saved though, can’t find it but could easily run another if necessary.

Thanks,

Dan

Still missing is FRST.txt (created by Farbar)

Sorry, thought I had it attached to the first post.

Should be attached here, if not I’ll just post the text into another reply.

Thanks!

Dan

Sorry, thought I had it attached to the first post.
You did, Eddy probably used wrong glasses 8)

avast & Windows Defender enabled :
https://blog.kaspersky.com/multiple-antivirus-programs-bad-idea/2670/

I assume that means I should turn off Defender then? (Being not very technically competent, I can use directions as specific as possible…) I had no idea it was on/enabled/whatever.

Will do and will let you know if threats keep on being detected…

This one is labeled as a redirect, slightly more alarming than it’s been so far.
Printer use still impaired from the probably-infected machine.

Screencap of the latest popup attached.

Before we begin, is this enterprise/business machine?

It is, primarily email/correspondence and accounting… small office, 3 machines total.

I volunteer my time here and I only provide help for home machines, but since this is small business, I will help you.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

- Right-click on the FRST icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
- When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

Here you go

Omg, this stupid forum software is still doing it.

We have to do this again:

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

createrestorepoint:
closeprocesses:
emptytemp:
HKU\S-1-5-21-3423816254-719360887-4123411777-1000\...\Run: [Adlworks] => C:\Windows\SysWOW64\regsvr32.exe "C:\Users\RFG Office\AppData\Local\Ahworks\DRMcuda.dll"
HKU\S-1-5-21-3423816254-719360887-4123411777-1000\...\MountPoints2: F - F:\LaunchU3.exe -a
HKU\S-1-5-21-3423816254-719360887-4123411777-1000\...\MountPoints2: {af5900c8-b139-11e3-93ef-7427eadaa58a} - G:\LaunchU3.exe -a
C:\Users\RFG Office\AppData\Local\Ahworks
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=AV01
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-3423816254-719360887-4123411777-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?gws_rd=ssl
HKU\S-1-5-21-3423816254-719360887-4123411777-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
HKU\S-1-5-21-3423816254-719360887-4123411777-1000\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
HKU\S-1-5-21-3423816254-719360887-4123411777-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://www.msn.com/?pc=AV01
URLSearchHook: HKU\S-1-5-21-3423816254-719360887-4123411777-1000 - (No Name) - {4c60e5ab-5c68-4c59-abaa-885010b24b32} - No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM -> {DCC7706A-1817-47B6-AE57-79238EE55B4E} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://www.bing.com/search?q={searchTerms}&FORM=AVASDF&PC=AV01
SearchScopes: HKLM-x32 -> {DCC7706A-1817-47B6-AE57-79238EE55B4E} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3423816254-719360887-4123411777-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3423816254-719360887-4123411777-1000 -> {1708F3A8-376B-42CB-B38D-213F1AB0F53E} URL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=mkg114
SearchScopes: HKU\S-1-5-21-3423816254-719360887-4123411777-1000 -> {30F39FE6-0456-40A4-8BE9-E45463729266} URL = hxxp://www.flickr.com/search/?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3423816254-719360887-4123411777-1000 -> {35D3E783-11E6-4AFD-BE96-83E22887D0F0} URL = hxxp://delicious.com/search?p={searchTerms}
SearchScopes: HKU\S-1-5-21-3423816254-719360887-4123411777-1000 -> {408EA6BC-A23E-46D2-98A7-D3735A17FC41} URL = hxxps://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3423816254-719360887-4123411777-1000 -> {70D46D94-BF1E-45ED-B567-48701376298E} URL = hxxp://127.0.0.1:4664/search&s=QvTDHjy8x8j66Y3e9UZr5X4qe_Y?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3423816254-719360887-4123411777-1000 -> {DCC7706A-1817-47B6-AE57-79238EE55B4E} URL = 

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
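As an added example (not part of the thread, and not Farbar's own code), here is a small Python audit that reads lines in the format FRST prints and flags the same kinds of entries the fixlist above removes: a Run entry that starts regsvr32/rundll32 with a module from the user-writable AppData folder, MountPoints2 autorun-style commands for removable drives, an URLSearchHook whose file is gone, and search scopes that are empty or point at a loopback address. The sample input is constructed from the fixlist posted in this thread plus one made-up benign Run entry; the line formats assumed are those visible in the fixlist, not a full FRST grammar.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample input: lines copied from the fixlist posted in this thread
# (defanged "hxxp" left as-is) plus one made-up benign Run entry that the audit
# should NOT flag.
SAMPLE_LINES = [
    r'HKU\S-1-5-21-3423816254-719360887-4123411777-1000\...\Run: [Adlworks] => C:\Windows\SysWOW64\regsvr32.exe "C:\Users\RFG Office\AppData\Local\Ahworks\DRMcuda.dll"',
    r'HKU\S-1-5-21-3423816254-719360887-4123411777-1000\...\MountPoints2: F - F:\LaunchU3.exe -a',
    r'URLSearchHook: HKU\S-1-5-21-3423816254-719360887-4123411777-1000 - (No Name) - {4c60e5ab-5c68-4c59-abaa-885010b24b32} - No File',
    r'SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = ',
    r'SearchScopes: HKU\S-1-5-21-3423816254-719360887-4123411777-1000 -> {70D46D94-BF1E-45ED-B567-48701376298E} URL = hxxp://127.0.0.1:4664/search&s=QvTDHjy8x8j66Y3e9UZr5X4qe_Y?q={searchTerms}',
    r'SearchScopes: HKU\S-1-5-21-3423816254-719360887-4123411777-1000 -> {408EA6BC-A23E-46D2-98A7-D3735A17FC41} URL = hxxps://www.google.com/search?q={searchTerms}',
    # constructed benign entry (hypothetical vendor path)
    r'HKLM\...\Run: [ExampleBenign] => C:\Program Files\Example Vendor\example.exe',
]


@dataclass
class Finding:
    line_no: int    # 1-based index of the input line
    category: str   # short tag for grouping/filtering
    detail: str     # human-readable reason


# Line shapes as they appear in the fixlist above (assumed, not a full FRST grammar).
RUN_RE = re.compile(r'^(?P<hive>.+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$')
MOUNT_RE = re.compile(r'^(?P<hive>.+?)\\\.\.\.\\MountPoints2: (?P<key>\S+) - (?P<cmd>.*)$')
SCOPE_RE = re.compile(r'^SearchScopes: (?P<where>.+?) -> (?:DefaultScope )?(?P<clsid>\{[^}]+\}) URL =\s*(?P<url>.*)$')
HOOK_RE = re.compile(r'^URLSearchHook: (?P<where>.+?) - (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<file>.*)$')
HOST_RE = re.compile(r'^(?:hxxp|http)s?://([^/:?]+)', re.IGNORECASE)

LOADERS = ('regsvr32.exe', 'rundll32.exe')
LOOPBACK = ('127.', 'localhost', '::1')


def _check_run(n: int, m: re.Match) -> Optional[Finding]:
    cmd = m.group('cmd')
    low = cmd.lower()
    if '\\appdata\\' not in low:
        return None
    loader = next((ld for ld in LOADERS if ld in low), None)
    what = f'{loader} loading a module' if loader else 'an executable'
    return Finding(n, 'appdata-autorun',
                   f"Run entry [{m.group('name')}] starts {what} from user-writable AppData: {cmd}")


def _check_scope(n: int, m: re.Match) -> Optional[Finding]:
    url = m.group('url').strip()
    if not url:
        return Finding(n, 'empty-searchscope', f"search scope {m.group('clsid')} has no URL (orphan)")
    host = HOST_RE.match(url)
    if host and host.group(1).lower().startswith(LOOPBACK):
        return Finding(n, 'loopback-searchscope',
                       f"search scope {m.group('clsid')} points at loopback host {host.group(1)}")
    return None


def audit(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious line, in input order."""
    findings: List[Finding] = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip('\r\n')
        f: Optional[Finding] = None
        if (m := RUN_RE.match(line)):
            f = _check_run(n, m)
        elif (m := MOUNT_RE.match(line)):
            # Any autorun-style command recorded for a removable drive is worth a look.
            f = Finding(n, 'mountpoints2-autorun',
                        f"MountPoints2 key {m.group('key')} records command: {m.group('cmd')}")
        elif (m := HOOK_RE.match(line)):
            if m.group('file').strip() == 'No File':
                f = Finding(n, 'orphan-urlsearchhook',
                            f"URLSearchHook {m.group('clsid')} references a file that no longer exists")
        elif (m := SCOPE_RE.match(line)):
            f = _check_scope(n, m)
        if f:
            findings.append(f)
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_LINES):
        print(f'line {f.line_no:>3}  {f.category:<24} {f.detail}')
```

The audit only reports; deciding what to remove stays with whoever reads the full FRST logs, which is why the helper here asked for FRST.txt and Addition.txt before writing the fixlist.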

Thanks for your patience & help, sorry if I screwed something up… here you go

How is your PC behaving now?

It seems to be more or less completely better, thank you very much!

Is there some other cleanup that needs doing or should I be good to go with this?

Since there are no more problems, we can declare this PC clean

Now, we can proceed with post-cleanup procedures. Let’s remove my tools and create a new, non infected restore point concurrently deleting old ones.

Step 1. - Creation of system restore point and tools removal.

Download DelFix by Xplode and save it to your desktop.

- Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
- Make sure that these ones are checked:
  - Remove disinfection tools
  - Purge system restore
  - Reset system settings
- Push Run and wait until the tool completes its work.
All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt). I don’t need it for review.

Tool deletes old system restore points and creates a fresh system restore point after cleaning.

Step 2. - Tips and tricks to keep your computer clean, safe and in a good shape.

Security tips - highly recommended reading:

- Simple and easy ways to keep your computer safe and secure on the Internet

Maintenance tips:

- Optimize Windows for better performance


Additional software that I personally use and install on all my clients devices:

- Malwarebytes’ Anti-Malware (paid version highly recommended) - to scan your system from time to time in search for malware.
- Malwarebytes’ Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.
- McShield - to prevent infections spread by removable media.
- Unchecky - to prevent from installing additional foistware, implemented in legitimate installations.
- Adblock - to surf the web without annoying ads!
- Qualys BrowserCheck - cloud service that scans your browsers and plugins to see if they’re all up-to-date.

My help is free for everybody.
If you’re happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation:

Thank you!

Stay safe,
TwinHeadedEagle :slight_smile: