I will post several “replies” to my own message to give you all the logs—they exceed the maximum number of characters on a message.
The other day when my Avast! Free Antivirus ran a boot scan, with “delete” selected, the computer warned me that a virus was found in a Windows file and asked me to confirm deletion. The message said “… wininet.dll is infected by Win32:Malware-gen” and I Googled the virus name.
AdwCleaner v2.104 - Logfile created 12/29/2012 at 12:25:25
Updated 29/12/2012 by Xplode
Operating system : Windows 7 Professional Service Pack 1 (64 bits)
User : Melissa - OFFICEPC
Boot Mode : Normal
Running from : C:\Users\Melissa\Desktop\adwcleaner.exe
Option [Search]
***** [Services] *****
***** [Files / Folders] *****
Folder Found : C:\Program Files (x86)\Ask.com
Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\Users\Melissa\AppData\Local\APN
Folder Found : C:\Users\Melissa\AppData\Local\Conduit
Folder Found : C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgficikadnmmefckdecajlmffkbagomp
Folder Found : C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgficikadnmmefckdecajlmffkbagomp
Folder Found : C:\Users\Melissa\AppData\Local\Temp\AskSearch
Folder Found : C:\Users\Melissa\AppData\LocalLow\AskToolbar
Folder Found : C:\Users\Melissa\AppData\LocalLow\Conduit
Folder Found : C:\Users\Melissa\AppData\LocalLow\PriceGong
Folder Found : C:\Windows\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
***** [Registry] *****
Key Found : HKCU\Software\APN
Key Found : HKCU\Software\AppDataLow\Software\AskToolbar
Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\Ask.com
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Google\Chrome\Extensions\kgficikadnmmefckdecajlmffkbagomp
Key Found : HKCU\Software\Google\Chrome\Extensions\kgficikadnmmefckdecajlmffkbagomp
Key Found : HKCU\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Found : HKLM\Software\APN
Key Found : HKLM\Software\AskToolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Found : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd
Key Found : HKLM\SOFTWARE\Classes\GenericAskToolbar.ToolbarWnd.1
Key Found : HKLM\SOFTWARE\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Found : HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3214568
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\kgficikadnmmefckdecajlmffkbagomp
Key Found : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\kgficikadnmmefckdecajlmffkbagomp
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Found : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Found : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{D4027C7F-154A-4066-A1AD-4243D8127440}]
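The thread turns on reading the AdwCleaner report above, so here is an added triage script (my own code, not part of the thread, of AdwCleaner or of any tool the helper recommends) that parses the "Folder/Key/Value Found" lines, groups them by adware family and flags the entries that would actually load at startup or browser launch (Run value, BHO, Chrome extension, IE toolbar) rather than just sit on disk. The embedded log is a constructed excerpt in the same format; the family markers and persistence patterns are my assumptions.

```python
import re
from collections import Counter

# Constructed excerpt in AdwCleaner v2 report format (sample input, not a real report)
SAMPLE_LOG = r"""
***** [Files / Folders] *****
Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\Users\Melissa\AppData\LocalLow\AskToolbar
Folder Found : C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgficikadnmmefckdecajlmffkbagomp
***** [Registry] *****
Key Found : HKCU\Software\Conduit
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ApnUpdater]
"""

# One report line: "<Folder|File|Key|Value> Found : <path> [<value name>]"
LINE_RE = re.compile(r"^(Folder|File|Key|Value) Found : (.+?)(?: \[(.+)\])?$")

# Name fragments that tie a finding to an adware family (assumed markers, not an official list)
FAMILIES = {"ask": ("ask", "apn"), "conduit": ("conduit", "smartbar"), "pricegong": ("pricegong",)}

# Locations from which a component is loaded automatically, not just left on disk
PERSISTENCE = (
    ("run_key", re.compile(r"\\CurrentVersion\\Run$", re.I)),
    ("bho", re.compile(r"\\Browser Helper Objects\\", re.I)),
    ("chrome_ext", re.compile(r"\\Chrome\\(?:User Data\\Default\\)?Extensions\\", re.I)),
    ("ie_toolbar", re.compile(r"\\Internet Explorer\\Toolbar$", re.I)),
)

def parse(log):
    # One dict per "Found" line; section banners and blank lines are skipped
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append({"kind": m.group(1).lower(), "path": m.group(2), "value": m.group(3)})
    return findings

def triage(findings):
    # Count findings per family and list the ones that give the adware a way to run
    families, persistence = Counter(), []
    for f in findings:
        text = (f["path"] + " " + (f["value"] or "")).lower()
        fam = next((n for n, marks in FAMILIES.items() if any(m in text for m in marks)), "unknown")
        families[fam] += 1
        for mechanism, pattern in PERSISTENCE:
            if pattern.search(f["path"]):
                persistence.append((mechanism, f["path"], f["value"]))
    return {"total": len(findings), "families": families, "persistence": persistence}
```

Run `triage(parse(SAMPLE_LOG))` to get the per-family counts and the three persistence entries; on the real report the remaining "unknown" entries (CLSID/Interface GUIDs) are the COM registrations that the Ask and Conduit components share.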
No, the OTL reports I posted this morning are the full reports. The one I tried to upload over the weekend was run incorrectly—it was set to scan files from the last 365 days instead of the last 30 days. So that’s why it was massive. I would have had to split it into about 20 posts to be able to attach it. LOL So I re-ran the OTL set for 30 days and attached the log and the extras log today.
I am at work now…I will post the other request log (aswBoot.txt) this evening. Thank you!!
I searched the PC for “aswBoot.txt” and it said the file was not found. Should I be looking for a different file? I am running avast! Free Antivirus on a W7 64 bit machine and definitions were just updated this morning.
Hm…
Logs look good. I don’t see anything bad here. Re-run the avast! boot-time scan once more. When avast finishes scanning, try to find the aswBoot.txt log report and attach it here.
I ran an avast! boot scan and asked it to DELETE files that it finds (because in the past that was the only way it would “find” the virus I mentioned in my first message—when Windows would warn me that it was a Windows .dll file and ask me to confirm I wanted to delete it). This time, it went on past that and booted into Windows. And the log then revealed that it found a virus in Hotmail and moved it to the chest. (See attached .jpg)
I am convinced there is some kind of virus on this machine but I don’t know how to find it.
I still do not have that sub-folder under the avast folder, and do not have the text file you are asking for anywhere on my system. If I’m using the free version of Avast should I still have that file?? I don’t understand why I don’t. Thanks!
This detection is not active malware; the file is detected by antivirus heuristics. Nothing to worry about, false positives (FPs) are bound to happen from time to time.
The detected file is related to Windows Live Messenger.
As I wrote above, all your logs are clean and no active malware here…
First let’s remove some registry remains and speed up your PC a bit.
Re-run OTL.exe.
- Copy and paste the following text, written inside the quote box, into the Custom Scans/Fixes box.
:Otl
CHR - Extension: Ask Toolbar = C:\Users\Melissa\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaandgknhidclennijgnchhaiefkmch\7.15.4.24146_0\
O3 - HKU\S-1-5-21-3172663602-4032253925-2754547789-1000\..\Toolbar\WebBrowser: (no name) - {ADCA5064-9E30-43FE-9856-58B07A3149FE} - No CLSID value found.
:Commands
[CREATERESTOREPOINT]
[emptytemp]
- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. You don’t need to attach that log.
Then you may remove/uninstall OTL tool:
Re-run OTL and click on CleanUp! button.
You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone. Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.
I recommend that you keep Malwarebytes on your system and add the MCShield tool if you wish.
You may download MCShield from one of the following links:
It will prevent infection of the computer via USB flash drives, mobile phones or any other memory cards.
Not only will it prevent infection, it will also immediately clean the flash drive, memory card or external HDD.
Thanks. I ran the custom fix as you suggested. I will follow the remaining steps.
I assume, then, that Avast and Malwarebytes can be on the machine simultaneously without a problem? And MCShield, too?
Thanks for your help. I will continue to run boot scans and regular scans, because I still don’t understand why I got that first message about the .dll file naming the virus.