getting slammed with hxxp://cdn3.movieroomreviews.com virus

getting slammed with hxxp://cdn3.movieroomreviews.com/themes/movieroomreviews/images/sprites_y_v1.png

Came out of nowhere and now it pops up almost every ten seconds.

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

First I ran malware and when I tried to get a log I am not sure where it went. Do I run the program again? The whole computer froze and just rebooted.

Skip MBAM and continue with the other tools.

Here are the requested files.

OK, now you'll have to wait a bit…

Hello squall280 and welcome to avast! I will be working on your malware issues.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the ‘all clear’ even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

We apologize that we were unable to respond earlier; this forum is very busy.


You launched ComboFix and uninstalled it after completion, and you shouldn't have done either of those.

Please post the C:\ComboFix.txt log report here for analysis.


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Start
CreateRestorePoint:
File: C:\windows\system32\epmntdrv.sys
Folder: C:\windows\msdownld.tmp

CloseProcesses:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3975405500-1909171286-513800362-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\S-1-5-21-3975405500-1909171286-513800362-1000 → {95B7759C-8C7F-4BF1-B163-73684A933233} URL = https://mysearch.avg.com/search?cid={938B0ACA-0D62-4CEA-A565-E4B94CF0FCFC}&mid=1752b153899747d2a6bfb1a22f30d0be-330159a919958fd1353765dfc8fa6d51b36536e6&lang=en&ds=gf011&coid=avgtbdisgf&cmpid=&pr=sa&d=2014-02-16 23:35:05&v=18.1.9.799&pid=safeguard&sg=&sap=dsp&q={searchTerms}

Hosts:
AlternateDataStreams: C:\ProgramData\Temp:0B4227B4
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\18.1.9\ViProtocol.dll (AVG Secure Search)
FF HKLM-x32.…\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\18.1.9.799
FF Extension: AVG SafeGuard toolbar - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\18.1.9.799 [2014-08-26]
CHR Extension: (AVG Secure Search) - C:\Users\Voltron\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof [2014-05-08]

CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog

EmptyTemp:
C:\Program Files (x86)\Common Files\AVG Secure Search
C:\ProgramData\AVG SafeGuard toolbar
C:\Users\Voltron\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.