system
December 18, 2014, 8:42am
1
Dear All,
I assume I downloaded a file from the Internet (which I probably shouldn’t have) and now Avast keeps showing up every few seconds when I’m web-surfing on Chrome, and lately with Explorer too, in all user accounts. Can someone help me remove this malware and return everything back to normal?
I have reviewed other threads and attaching standard logs for your review…
Please advise at the earliest, as this is my only work computer in my home office.
Thanks & Regards
Aswath
Asyn
December 18, 2014, 8:43am
2
Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0
system
December 18, 2014, 9:20am
3
Hi,
Please find the attached logs to this message
Asyn
December 18, 2014, 9:23am
4
OK, now you’ll have to wait a bit…
system
December 18, 2014, 10:58am
5
Thank you… Any luck so far!!??
Hi there, the first priority must be to uninstall Chrome; you can re-install it on completion.
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
SearchScopes: HKU\.DEFAULT -> {483830EE-A4CD-4b71-B0A3-3D82E62A6909} URL =
SearchScopes: HKU\S-1-5-21-3539871907-2967287595-2481223066-1004 -> {483830EE-A4CD-4b71-B0A3-3D82E62A6909} URL =
BHO: No Name -> {15a5ac6a-7e5a-4828-b127-323a996068f3} -> No File
BHO: No Name -> {5c085215-df6e-4166-9c09-bba7382c1e34} -> No File
BHO: No Name -> {83537b1a-1217-4dcd-a06f-f32020ab0cb4} -> No File
BHO: No Name -> {e5f6300b-03eb-4e84-a198-409c2143c2a6} -> No File
BHO-x32: No Name -> {15a5ac6a-7e5a-4828-b127-323a996068f3} -> No File
BHO-x32: No Name -> {5c085215-df6e-4166-9c09-bba7382c1e34} -> No File
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll No File
BHO-x32: No Name -> {83537b1a-1217-4dcd-a06f-f32020ab0cb4} -> No File
BHO-x32: No Name -> {e5f6300b-03eb-4e84-a198-409c2143c2a6} -> No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
FF Plugin HKU\S-1-5-21-3539871907-2967287595-2481223066-1004: @talk.google.com/O1DPlugin -> C:\Users\Kodha V Innovations\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKU\S-1-5-21-3539871907-2967287595-2481223066-1004: @tools.google.com/Google Update;version=3 -> C:\Users\Kodha V Innovations\AppData\Local\Google\Update\1.3.25.5\npGoogleUpdate3.dll No File
FF Plugin HKU\S-1-5-21-3539871907-2967287595-2481223066-1004: @tools.google.com/Google Update;version=9 -> C:\Users\Kodha V Innovations\AppData\Local\Google\Update\1.3.25.5\npGoogleUpdate3.dll No File
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
2014-12-17 23:30 - 2014-12-17 23:30 - 00000000 ____D () C:\Program Files (x86)\YoutuboeADBLuocke
2014-12-17 23:29 - 2014-12-17 23:29 - 00000000 ____D () C:\ProgramData\pbnioagahnebioffdhcehhnjephmnffk
2014-12-17 23:29 - 2014-12-17 23:29 - 00000000 ____D () C:\ProgramData\1012906888011600948
2014-12-17 23:29 - 2014-12-17 23:29 - 00000000 ____D () C:\Program Files (x86)\BuyNssave
2014-12-17 23:29 - 2014-12-17 23:29 - 00000000 ____D () C:\Program Files (x86)\BuoyNsave
2014-12-17 20:26 - 2014-12-17 20:26 - 05585315 _____ (Swearware) C:\Users\Aswath Laxman\Downloads\ComboFix.exe.42hcldq.partial
2014-12-13 12:19 - 2014-12-13 12:19 - 00000197 _____ () C:\Windows\system32\2014-12-13-06-49-13.045-AvastVBoxSVC.exe-3584.log
2014-12-13 03:17 - 2014-12-13 03:18 - 00000197 _____ () C:\Windows\system32\2014-12-12-21-47-54.047-AvastVBoxSVC.exe-3284.log
2014-12-11 18:31 - 2014-12-11 18:31 - 00000197 _____ () C:\Windows\system32\2014-12-11-13-01-16.084-AvastVBoxSVC.exe-1712.log
2014-12-11 03:30 - 2014-12-11 03:30 - 00000197 _____ () C:\Windows\system32\2014-12-10-22-00-03.098-AvastVBoxSVC.exe-3504.log
2014-12-01 10:59 - 2014-12-01 10:59 - 00000197 _____ () C:\Windows\system32\2014-12-01-05-29-32.038-AvastVBoxSVC.exe-3564.log
2014-11-26 17:40 - 2014-11-26 17:40 - 00000247 _____ () C:\Windows\system32\2014-11-26-12-10-10.096-aswFe.exe-6032.log
2014-11-26 17:37 - 2014-11-26 17:40 - 00000247 _____ () C:\Windows\system32\2014-11-26-12-07-12.066-aswFe.exe-1032.log
2014-11-26 17:37 - 2014-11-26 17:37 - 00000197 _____ () C:\Windows\system32\2014-11-26-12-07-08.019-AvastVBoxSVC.exe-2496.log
2014-12-18 13:27 - 2013-11-01 19:46 - 00000508 _____ () C:\Windows\Tasks\SDMsgUpdate (Local).job
2014-12-18 13:27 - 2013-11-01 19:46 - 00000500 _____ () C:\Windows\Tasks\SDMsgUpdate (TE).job
2014-12-17 15:31 - 2013-11-20 14:35 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3539871907-2967287595-2481223066-1004Core.job
CustomCLSID: HKU\S-1-5-21-3539871907-2967287595-2481223066-1004_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Kodha V Innovations\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3539871907-2967287595-2481223066-1004_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Kodha V Innovations\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3539871907-2967287595-2481223066-1004_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Kodha V Innovations\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3539871907-2967287595-2481223066-1004_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Kodha V Innovations\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-3539871907-2967287595-2481223066-1004_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Kodha V Innovations\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
Task: {01321C93-5BEC-416A-B3BF-0B73266F2E53} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3539871907-2967287595-2481223066-1004Core => C:\Users\Kodha V Innovations\AppData\Local\Google\Update\GoogleUpdate.exe
Task: {1E8AFA32-A6E7-4916-BB74-524DBC23F74F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: {47B8383E-7E35-4596-B5F1-21A558D1E6D4} - System32\Tasks\BrowserProtect => Sc.exe start BrowserProtect <==== ATTENTION
Task: {91043CC2-CF6D-45E9-B9B5-B838D131405D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: {9B3BC3A8-721E-459A-A9E1-55AEBACA9B99} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3539871907-2967287595-2481223066-1004UA => C:\Users\Kodha V Innovations\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3539871907-2967287595-2481223066-1004Core.job => C:\Users\Kodha V Innovations\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3539871907-2967287595-2481223066-1004UA.job => C:\Users\Kodha V Innovations\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\SDMsgUpdate (Local).job => C:\PROGRA~2\SMARTD~1\Messages\SDNotify.exe
Task: C:\Windows\Tasks\SDMsgUpdate (TE).job => C:\PROGRA~2\SMARTD~1\Messages\SDNotify.exe
C:\Users\Kodha V Innovations\AppData\Local\Temp\_MEI47162
C:\Program Files (x86)\Google
C:\Users\Kodha V Innovations\AppData\Local\Google
C:\Users\Kodha V Innovations\Desktop\wings 2013 latest\5153\remote softwares\AA_v3 (1).exe
CreateRestorePoint:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
1. Close all open programs and internet browsers.
2. Double click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete click on “Clean”.
5. Confirm each time with Ok.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S1].txt as well.
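The fixlist above was assembled by reading an FRST log and picking out the entries that look wrong: lines FRST itself marks with ATTENTION, registry entries (BHOs, toolbars, handlers) pointing at files that no longer exist, a scheduled task that starts a service through sc.exe, and freshly created program directories with look-alike, all-numeric or Chrome-extension-ID-style names. The script below is an added example, not part of this thread and not part of FRST or any Avast tool; it applies those same reading rules to a handful of lines copied from the log quoted in the post, so an analyst can see at a glance why each entry was picked. The function names, the heuristics and the `since` cut-off date are this example's own assumptions.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log lines.

Added example, not from the forum thread and not part of FRST: it encodes the
rules a helper applies when reading an FRST log and reports each suspicious
line together with the reason it was flagged. The sample lines are copied
from the log excerpt quoted in the thread; heuristics and names are assumed.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Tuple

# Lines copied from the FRST log excerpt quoted in the thread (raw string, so
# the Windows backslashes are kept as-is).
SAMPLE_LOG = r"""
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO: No Name -> {15a5ac6a-7e5a-4828-b127-323a996068f3} -> No File
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
2014-12-17 23:30 - 2014-12-17 23:30 - 00000000 ____D () C:\Program Files (x86)\YoutuboeADBLuocke
2014-12-17 23:29 - 2014-12-17 23:29 - 00000000 ____D () C:\ProgramData\pbnioagahnebioffdhcehhnjephmnffk
2014-12-17 23:29 - 2014-12-17 23:29 - 00000000 ____D () C:\ProgramData\1012906888011600948
2014-12-13 12:19 - 2014-12-13 12:19 - 00000197 _____ () C:\Windows\system32\2014-12-13-06-49-13.045-AvastVBoxSVC.exe-3584.log
Task: {47B8383E-7E35-4596-B5F1-21A558D1E6D4} - System32\Tasks\BrowserProtect => Sc.exe start BrowserProtect <==== ATTENTION
Task: {1E8AFA32-A6E7-4916-BB74-524DBC23F74F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"""

# FRST's own marker for entries it considers suspicious.
ATTENTION = re.compile(r"<=+\s*ATTENTION")
# Entry types that are registry pointers to a file on disk.
ORPHAN_TYPES = ("BHO", "Toolbar", "Handler", "FF Plugin", "CustomCLSID")
# Chrome extension IDs are 32 characters drawn only from the letters a-p.
CHROME_EXT_ID = re.compile(r"\\[a-p]{32}$")
LONG_NUMERIC_DIR = re.compile(r"\\\d{15,}$")
# Roots where legitimate software lives and where adware likes to hide.
PROGRAM_ROOTS = ("c:\\program files", "c:\\programdata")
# One-month listing: "created - modified - size attrs (company) path"
LISTING = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)


@dataclass(frozen=True)
class Finding:
    line: str
    reasons: Tuple[str, ...]


def triage(log_text: str, since: Optional[date] = None) -> List[Finding]:
    """Return every line that matches at least one heuristic, with its reasons."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: List[str] = []
        if ATTENTION.search(line):
            reasons.append("flagged by FRST (ATTENTION marker)")
        if line.startswith(ORPHAN_TYPES) and line.endswith("No File"):
            reasons.append("registry entry points at a file that no longer exists")
        if line.startswith("Task:") and re.search(r"=>\s*sc\.exe\s+start\b", line, re.I):
            reasons.append("scheduled task starts a service through sc.exe")
        m = LISTING.match(line)
        if m and "D" in m["attrs"]:  # directories only
            path = m["path"]
            if path.lower().startswith(PROGRAM_ROOTS):
                if CHROME_EXT_ID.search(path):
                    reasons.append("directory named like a Chrome extension ID (32 chars a-p)")
                if LONG_NUMERIC_DIR.search(path):
                    reasons.append("directory with a long all-numeric name")
                created = datetime.strptime(m["created"], "%Y-%m-%d %H:%M").date()
                if since is not None and created >= since:
                    reasons.append(f"program directory created on/after {since}")
        if reasons:
            findings.append(Finding(line, tuple(reasons)))
    return findings


def triage_sample() -> List[Finding]:
    """Run the heuristics over the quoted lines, treating 2014-12-17 as the
    day the problem started (assumed from the dates in the thread)."""
    return triage(SAMPLE_LOG, since=date(2014, 12, 17))


if __name__ == "__main__":
    for finding in triage_sample():
        print(finding.line[:90])
        for reason in finding.reasons:
            print("   -", reason)
```

Run it as-is to see the nine flagged lines with their reasons; the AvastVBoxSVC log file and the genuine GoogleUpdate task produce no finding, which is the point of giving reasons rather than just a list: an orphaned "No File" entry is clutter to clean, whereas an extension-ID-named directory under ProgramData created the day the pop-ups began is the actual adware footprint.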
system
December 18, 2014, 3:27pm
7
Thank you Essex Boy 8) !!! Very much appreciated… Please find the attached logs for your review…
So far I haven’t seen that message popping up with Internet Explorer; will keep you posted when I complete testing with Chrome and in different users…
Cheers
Aswath
Let me know once you are happy