Harmful webpage or file.

My wife’s computer keeps getting the following popup from Avast. We have run scans and tried everything we can think of, but it will pop up almost every time she tries to access familysearch.org or ancestry.com.

I have attached the popup and a log from OTL. Not sure if the OTL log will be helpful. Please tell me what I need to send you. Thanks.
We would appreciate some help in getting rid of this.

Is it from Chrome?

Remover notified. Sit tight.

Hi, while you wait for a remover, please download MalwareBytes Anti-Malware Version 2.0. After successful installation:

Update Malwarebytes.

http://i.imgur.com/fL1cbNb.png

Then click “Threat Scan” and then click “Scan Now”.

http://i.imgur.com/hw24Flu.png

Then click “View Detailed Log”

http://i.imgur.com/ia7x2CF.png

Then Export it as a .txt Document.

http://i.imgur.com/vQOIP1L.png

Attach that log here.

Edit: No need to rename the log files. They are auto-saved. I’ve also fixed the pictures. First time attempting that. Bound to be bugs.

“I have attached the popup and a log from OTL.”
I only see the OTL log…

It is Chrome. That is correct.

I am not sure what is meant by “remover notified.”

The graphic that didn’t show up as an attachment was an Avast msg reading:

Avast Webshield has blocked a harmful webpage or file.
Object: http:/…/?g=2CCFFB5BE-1427-03339-B07E-DI
Infection: URL:Mal
Process: C:\Program Files(x86).…\chrome.exe

Haven’t had a chance to run the Malwarebytes program yet. I will do that and post the requested results soon.

Here is the Malware log as instructed.

That means I am not qualified to give you fixes. I can only ask you to run non-invasive programs, like OTL & MBAM. So I’ve asked someone who is qualified to come help you further. Your wife has a lot of adware.

I’d recommend you install Unchecky as it will help you keep the adware and PUP (Potentially Unwanted Programs) off her computer automatically.

Total file count from MBAM:
Registry Data: 1
Files: 226
Folders: 30
Registry Values: 7
Registry Keys: 51
Processes: 1.

This one worries me: PUM.Hijack.StartMenu.

OK, let’s clear the decks :slight_smile:

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:Commands
[CREATERESTOREPOINT]

:OTL
SRV:64bit: - [2013/12/10 11:10:24 | 000,513,528 | ---- | M] () [Auto | Running] -- C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe -- (Level Quality Watcher)
IE - HKU\S-1-5-21-294548797-1883962240-970019364-1002\..\SearchScopes\{013BDC00-6AC5-488D-B3FA-3F1CF5AE8280}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3153924&CUI=UN15585073301904822&UM=2
IE - HKU\S-1-5-21-294548797-1883962240-970019364-1002\..\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3153924&CUI=UN15585073301904822&UM=2&UP=SPDB032093-02D3-4205-9226-43478C487E53&SSPV=
IE - HKU\S-1-5-21-294548797-1883962240-970019364-1002\..\SearchScopes\{63DEFFBB-DF10-45C1-9EA0-9AD25C52AFFC}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3298569&CUI=UN13763544792341261&UM=2
FF - prefs.js..browser.search.defaultthis.engineName: "Connect DLCS Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3153924&CUI=UN40475013162721409&UM=2&SearchSource=3&q={searchTerms}"
FF - prefs.js..extensions.enabledAddons: 18c66c1d-05d8-4e58-8b16-c4df04ed638e%40e204c3e4-8076-4eb9-b628-0fe8abef45e2.com:0.93.33
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}: C:\PROGRAM FILES\UPDATER BY SWEETPACKS\FIREFOX
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{8E9E3331-D360-4f87-8803-52DE43566502}: C:\PROGRAM FILES\UPDATER BY SWEETPACKS\FIREFOX
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}: C:\Program Files\Updater By SweetPacks\Firefox
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{8E9E3331-D360-4f87-8803-52DE43566502}: C:\Program Files\Updater By SweetPacks\Firefox
[2014/03/18 10:32:53 | 000,000,000 | ---D | M] ("Plus-HD-7.5") -- C:\Users\Marcia\AppData\Roaming\mozilla\Firefox\Profiles\ywloxrws.default\extensions\18c66c1d-05d8-4e58-8b16-c4df04ed638e@e204c3e4-8076-4eb9-b628-0fe8abef45e2.com
[2014/02/28 17:50:08 | 000,000,000 | ---D | M] ("Speed Dial [FVD] - New Tab Page, Sync") -- C:\Users\Marcia\AppData\Roaming\mozilla\Firefox\Profiles\ywloxrws.default\extensions\pavel.sherbakov@gmail.com
[2014/03/24 12:28:57 | 000,000,000 | ---D | M] (ScorpionSaver) -- C:\Users\Marcia\AppData\Roaming\mozilla\Firefox\Profiles\ywloxrws.default\extensions\ScorpionSaver@jetpack
[2014/03/26 21:49:00 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Marcia\AppData\Roaming\mozilla\Firefox\Profiles\ywloxrws.default\extensions\18c66c1d-05d8-4e58-8b16-c4df04ed638e@e204c3e4-8076-4eb9-b628-0fe8abef45e2.com\extensionData
[2014/03/26 21:49:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Marcia\AppData\Roaming\mozilla\Firefox\Profiles\ywloxrws.default\extensions\18c66c1d-05d8-4e58-8b16-c4df04ed638e@e204c3e4-8076-4eb9-b628-0fe8abef45e2.com\extensionData\plugins
[2014/03/26 21:49:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Marcia\AppData\Roaming\mozilla\Firefox\Profiles\ywloxrws.default\extensions\18c66c1d-05d8-4e58-8b16-c4df04ed638e@e204c3e4-8076-4eb9-b628-0fe8abef45e2.com\extensionData\userCode
[2014/03/05 19:17:25 | 000,000,975 | ---- | M] () -- C:\Users\Marcia\AppData\Roaming\mozilla\firefox\profiles\ywloxrws.default\searchplugins\conduit-search.xml
[2014/02/15 20:49:32 | 000,001,098 | ---- | M] () -- C:\Users\Marcia\AppData\Roaming\mozilla\firefox\profiles\ywloxrws.default\searchplugins\connect-dlcs-customized-web-search.xml
O2:64bit: - BHO: (Plus-HD-7.5) - {11111111-1111-1111-1111-110511071176} - C:\Program Files (x86)\Plus-HD-7.5\Plus-HD-7.5-bho64.dll (Plus HD)
O2 - BHO: (ScorpionSaver) - {10AD2C61-0898-4348-8600-14A342F22AC3} - C:\Program Files (x86)\ScorpionSaver\IECore.dll ()
O3 - HKU\S-1-5-21-294548797-1883962240-970019364-1002\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKU\.DEFAULT..\RunOnce: [SpUninstallDeleteDir] rmdir /s /q "\SearchProtect" File not found
O4 - HKU\S-1-5-18..\RunOnce: [SpUninstallDeleteDir] rmdir /s /q "\SearchProtect" File not found
[2014/03/24 12:28:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ScorpionSaver
[2014/03/05 19:22:34 | 000,000,000 | ---D | C] -- C:\Users\Marcia\Documents\Optimizer Pro
[2014/02/28 17:55:21 | 000,000,000 | ---D | C] -- C:\Users\Marcia\AppData\Local\Tuguu_SL
[2014/02/28 17:53:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Plus-HD-7.5
[2014/03/27 10:54:03 | 000,001,538 | ---- | M] () -- C:\WINDOWS\tasks\Plus-HD-7.5-updater.job
[2014/03/27 10:54:00 | 000,001,392 | ---- | M] () -- C:\WINDOWS\tasks\Plus-HD-7.5-enabler.job
[2014/03/27 10:53:03 | 000,002,356 | ---- | M] () -- C:\WINDOWS\tasks\Plus-HD-7.5-firefoxinstaller.job
[2013/05/13 12:51:18 | 000,000,106 | ---- | C] () -- C:\Users\Marcia\jobq.dat

:Files
C:\Users\Marcia\AppData\Local\Google\Chrome\User Data\Default\Extensions\oclgomenfkljhfkfflghppidonpkljjg
C:\Users\Marcia\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgpdioedihjhncjafcpgbbjdpbbkikmi
C:\Program Files (x86)\Plus-HD-7.5
C:\Program Files\Level Quality Watcher
C:\PROGRAM FILES\UPDATER BY SWEETPACKS

:Commands
[resethosts]
[emptytemp]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete, click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
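A read-only audit of the same persistence locations the OTL fix above targets (IE search scopes, Browser Helper Objects, legacy .job tasks and the Firefox prefs.js search defaults), so that the entries can be confirmed gone after the fix and reboot. This is an added example, not part of the thread and not code from OTL or AdwCleaner; the indicator names are taken from the OTL log lines above, and the registry and file paths are the standard Windows and Firefox locations, assumed present on this system.

```powershell
# Added example (not from the thread, OTL or AdwCleaner): read-only audit of the
# persistence locations the fix touches. Run in an elevated PowerShell; nothing is deleted.
# The indicator list is assembled from the adware names that appear in the OTL log.
$Indicators = @('conduit', 'sweetpacks', 'plus-hd', 'scorpionsaver',
                'level quality watcher', 'searchprotect', 'tuguu', 'optimizer pro')

function Test-Indicator([string]$Text) {
    foreach ($i in $Indicators) { if ($Text -match [regex]::Escape($i)) { return $true } }
    return $false
}

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Where, $Value) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Value = $Value })
}

# 1. IE search scopes (the "IE - HKU\...\SearchScopes" lines): a "URL" value pointing
#    at a search redirector is the classic search hijack.
foreach ($root in 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
                  'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes') {
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $url = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).URL
        if ($url -and (Test-Indicator $url)) { Add-Finding 'IE SearchScope' $_.PSChildName $url }
    }
}

# 2. Browser Helper Objects (the O2 lines). Every registered BHO is listed, since a
#    clean home PC normally has very few; the DLL path comes from the CLSID key.
foreach ($root in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                  'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $dll = (Get-ItemProperty "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        Add-Finding 'BHO' $clsid $dll
    }
}

# 3. Legacy scheduled task .job files (the Plus-HD-7.5-*.job entries).
Get-ChildItem "$env:SystemRoot\Tasks" -Filter *.job -ErrorAction SilentlyContinue |
    Where-Object { Test-Indicator $_.Name } |
    ForEach-Object { Add-Finding 'Task job' $_.Name $_.LastWriteTime }

# 4. Firefox profile prefs.js search defaults (the "FF - prefs.js" lines).
Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $prefs = Join-Path $_.FullName 'prefs.js'
    if (Test-Path $prefs) {
        Select-String -Path $prefs -Pattern 'browser\.search\.default' |
            Where-Object { Test-Indicator $_.Line } |
            ForEach-Object { Add-Finding 'prefs.js' $prefs $_.Line.Trim() }
    }
}

if ($Findings.Count) { $Findings | Format-Table -AutoSize } else { 'No adware remnants found in the audited locations.' }
```

An empty result after the reboot is the expected outcome; any IE SearchScope, .job or prefs.js hit means the fix did not take and the entry should be reported back in the next reply.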

There is a file after the OTL Run Fix that was on the screen. It was 5443 KB. I tried to upload it but it kept crashing the upload.
I have attached the OTL file after the Quick Scan and the AdwCleaner file after the clean.
Not sure how to get the 5443 file to you. The first few lines are as such:

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Error: No service named Level Quality Watcher was found to stop!
Service\Driver key Level Quality Watcher not found.
File C:\Program Files\Level Quality Watcher\v1.01\levelqualitywatcher64.exe not found.
Registry key HKEY_USERS\S-1-5-21-294548797-1883962240-970019364-1002\Software\Microsoft\Internet Explorer\SearchScopes{013BDC00-6AC5-488D-B3FA-3F1CF5AE8280}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{013BDC00-6AC5-488D-B3FA-3F1CF5AE8280}\ not found.
Registry key HKEY_USERS\S-1-5-21-294548797-1883962240-970019364-1002\Software\Microsoft\Internet Explorer\SearchScopes{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}\ not found.
Registry key HKEY_USERS\S-1-5-21-294548797-1883962240-970019364-1002\Software\Microsoft\Internet Explorer\SearchScopes{63DEFFBB-DF10-45C1-9EA0-9AD25C52AFFC}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{63DEFFBB-DF10-45C1-9EA0-9AD25C52AFFC}\ not found.
Prefs.js: “Connect DLCS Customized Web Search” removed from browser.search.defaultthis.engineName
Prefs.js: “http://search.conduit.com/ResultsExt.aspx?ctid=CT3153924&CUI=UN40475013162721409&UM=2&SearchSource=3&q={searchTerms}” removed from browser.search.defaulturl
Prefs.js: 18c66c1d-05d8-4e58-8b16-c4df04ed638e%40e204c3e4-8076-4eb9-b628-0fe8abef45e2.com:0.93.33 removed from extensions.enabledAddons
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}\ not found.
File C:\Program Files\Updater By SweetPacks\Firefox not found.
Registry value HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\{8E9E3331-D360-4f87-8803-52DE43566502} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{8E9E3331-D360-4f87-8803-52DE43566502}\ not found.
File C:\Program Files\Updater By SweetPacks\Firefox not found.
Folder C:\Users\Marcia\AppData\Roaming\mozilla\Firefox\Profiles\ywloxrws.default\extensions\18c66c1d-05d8-4e58-8b16-c4df04ed638e@e204c3e4-8076-4eb9-b628-0fe8abef45e2.com\ not found.
C:\Users\Marcia\AppData\Roaming\mozilla\Firefox\Profiles\ywloxrws.default\extensions\pavel.sherbakov@gmail.com\modules\bg folder moved successfully.
C:\Users\Marcia\AppData\Roaming\mozilla\Firefox\Profiles\ywloxrws.default\extensions\pavel.sherbakov@gmail.com\modules folder moved successfully.
C:\Users\Marcia\AppData\Roaming\mozilla\Firefox\Profiles\ywloxrws.default\extensions\pavel.sherbakov@gmail.com\defaults\preferences folder moved successfully.
C:\Users\Marcia\AppData\Roaming\mozilla\Firefox\Profiles\ywloxrws.default\extensions\pavel.sherbakov@gmail.com\defaults folder moved successfully.
C:\Users\Marcia\AppData\Roaming\mozilla\Firefox\Profiles\ywloxrws.default\extensions\pavel.sherbakov@gmail.com\components folder moved successfully.
C:\Users\Marcia\AppData\Roaming\mozilla\Firefox\Profiles\ywloxrws.default\extensions\pavel.sherbakov@gmail.com\chrome\skin\sd\skin\search\images folder moved successfully.
C:\Users\Marcia\AppData\Roaming\mozilla\Firefox\Profiles\ywloxrws.default\extensions\pavel.sherbakov@gmail.com\chrome\skin\sd\skin\search folder moved successfully.

The tail end looks like:

File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\insert\insertbase.xml scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad.xml scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\insert.xml scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskclearui.xml scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknav.xml scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\en-us\boxed-correct.avi scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\en-us\boxed-delete.avi scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\en-us\boxed-join.avi scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\en-us\boxed-split.avi scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\en-us\correct.avi scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\en-us\delete.avi scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\en-us\join.avi scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\en-us\split.avi scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\en-us\tabskb.dll.mui scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\en-us\TabTip.exe.mui scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\en-us\TipBand.dll.mui scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\en-us\TipRes.dll.mui scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\en-us\tipresx.dll.mui scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\ed0825d1-f618-41be-a8f7-dd5a277a26b5\Program Files\Common Files\Microsoft Shared\ink\en-us\TipTsf.dll.mui scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\UploadUI.log scheduled to be moved on reboot.

PendingFileRenameOperations files…

Registry entries deleted on Reboot…

If the file is important let me know how to get it to you, please. Thanks for all your help, I really appreciate it.

That is only a partial log from OTL. Please upload the entire file to www.wikisend.com

It looks as though most of the data being removed was temporary files :slight_smile: Near the bottom of the fix result will be a line showing how much was removed.

How is the computer behaving now?

She has just begun using it this morning. So far so good. One thing I noticed is that her Speed Dial was not working. After several attempts I uninstalled it and re-installed it. It seems to be working fine now. I will try uploading the entire log. Again, thanks so much for all the help and assistance. :slight_smile:

This is the download link to wikisend : http://wikisend.com/download/549982/OTLAfterReBoot.log

Total Files Cleaned = 3,981.00 mb
Aye, just a tad of junk files :)

Take it for a test browse for a few hours, and if all is well I will remove my tools.