js:ScriptPE-inf and mal:url on Google websites/Chrome.exe--HELP!

I switched on my laptop today and I got these Avast pop-ups:

Object: http://92.242.144.10/wpad.dat
Infection: JS:ScriptPE-inf [trj]
Process: C:\Windows/system32/svchost.exe

Object: http://92.242.144.10/wpad.dat
Infection: URL:Mal
Process: C:\Windows/system32/svchost.exe

The pop-ups always appear when I try to access Gmail and Google+, also when starting Chrome. I’ve done an Avast full system scan and it traced the problem to a tmp file in “avast” folder located in windows temp files folder and a “History index 2009-2011” file in Chrome. I moved the infected files to the chest and thought the problem was resolved, but the popups keep appearing.

I’m not sure what to do anymore and where this infection even came from. I’ve used ComboFix, HiJackThis, MBAM, TDSSKiller but I’m not sure how to interpret the log files. Would appreciate any experienced help I can get on this.

Follow essexboy's guide here and attach the logs: http://forum.avast.com/index.php?topic=53253.0

Lower left corner > additional options > attach
If the logs are too big, upload to http://www.mediafire.com/ and post the download link here.

essexboy will then have a look when he arrives.

Thanks for the quick reply. Here are the log files from MBAM, OTL and aswMBR.

If you have log files from ComboFix / TDSSKiller you may add those also.

essexboy is notified :wink:

Could you post the TDSSKiller and combofix logs please

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKU\S-1-5-21-1076999903-3715112832-1848899827-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/tempcleaner/{050A7A67-11E0-4BCE-B3ED-26FA9FCC51C0}
FF - prefs.js..browser.startup.homepage: "http://www.bigseekpro.com/tempcleaner/{050A7A67-11E0-4BCE-B3ED-26FA9FCC51C0}"
[2011/09/25 11:17:06 | 000,000,000 | ---D | M] (DealBulldog Toolbar) -- C:\Users\Evan Yap\AppData\Roaming\Mozilla\Firefox\Profiles\8gn78kg4.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}
O3 - HKU\S-1-5-21-1076999903-3715112832-1848899827-1000\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
[2011/09/25 11:17:03 | 000,000,000 | ---D | C] -- C:\Program Files\DealBulldog Toolbar

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Ok, I ran the fix and rebooted. I’m still getting this alert whenever I try to load Gmail, Google+ and apparently also with GTalk too (I only noticed this now):

Object: http://92.242.144.10/wpad.dat
Infection: URL:Mal
Process: C:\Windows/system32/svchost.exe

I ran ComboFix and TDSSKiller before running the OTL fix.

Awaiting your next instructions. Thanks for the quick help!

Does this happen in both IE and Firefox, or just one of them?

It does not happen with Firefox. It happens on Internet Explorer when I load the same websites. Also, the address bar has this upon loading IE:

http://www.bigseekpro.com/tempcleaner/{050A7A67-11E0-4BCE-B3ED-26FA9FCC51C0}

OK, I missed two elements in IE :slight_smile:

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/tempcleaner/{050A7A67-11E0-4BCE-B3ED-26FA9FCC51C0}
IE - HKU\S-1-5-21-1076999903-3715112832-1848899827-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bigseekpro.com/tempcleaner/{050A7A67-11E0-4BCE-B3ED-26FA9FCC51C0}
O2 - BHO: (SMTTB2009 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\DealBulldog Toolbar\tbcore3.dll ()

:Reg

:Files
ipconfig /flushdns /c
C:\Program Files\DealBulldog Toolbar

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Ok, I ran the new fix and I’m still getting the same alert popups with same triggers.

A new one popped up though, right after Windows loaded, but I wasn't able to copy the process. It seems to be related to Avast itself. This particular popup is rarer than the other ones I've posted, because I've only seen it now and it hasn't shown up again since the system started:

Object: http://wpad/wpad.dat
Infection: URL:Mal
Process: Program Files/Avast…

I’ll also post the details of the two infected files that were removed earlier when I did a full system scan with Avast, might come in handy:

Name: History index 2009-2011
Original Location: C:\Users\Evan Yap\AppData\Local\Google\Chrome\User Data\Default
Last changed: 9/25/2011 5:35:15AM
Virus: HTML:Script-inf

Name: unp39816800.tmp
Original location: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp_avast_
Last changed: 5/18/2011 2:58:21 PM
Virus: JS:ScriptPE-inf [Trj]

FYI: I haven’t deleted these from the system. From what I know, keeping them in the chest already prevents viruses from working. But will permanently deleting these two files from the virus chest help?

Awaiting orders :stuck_out_tongue:

Hi nuttytuter,

It would appear that someone has placed a corrupt wpad file in the path of the site you are accessing. Avast is stopping the file from being executed, but there seems to be a copy lurking on your system that is accessed every time you start to browse, thus triggering your Avast AV again.
Essexboy will certainly get rid of all the remnants of it. All temporary internet files on your computer should be searched for any wpad.* files, and those then deleted.

polonus

polonus, thanks for that explanation. How can we trace the corrupt wpad file and wipe it out completely?

I tried unchecking “automatically detect settings” under LAN settings in Chrome, and then I reloaded Gmail, Google Plus, etc. The popups don’t appear at all when I do that. But when I activate “auto detect settings”, I get the alert popups.

I did a scan using HijackThis, in case it provides more useful info.
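The wpad.dat that "automatically detect settings" fetches is a proxy auto-config (PAC) script: the browser resolves the name "wpad", downloads the file, and calls its FindProxyForURL function for every request, which is why the alerts in this thread track that checkbox. The following is an added example, not code from this thread or from Avast, showing how an analyst can evaluate a recovered PAC file offline to see which destinations it would route through a proxy and to where. The PAC text and all addresses are constructed placeholders (RFC 5737 documentation ranges); the helper functions are minimal stand-ins for the ones browsers expose, written so that nothing is resolved over the network.

```javascript
// Added example (not from the thread): evaluate a PAC script (what
// "http://wpad/wpad.dat" serves when auto-detect is on) offline, to see
// which destinations it would route through a proxy and to where.
// Constructed sample PAC using RFC 5737 placeholder addresses.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  // Send two domains through an external proxy, everything else direct.
  if (dnsDomainIs(host, ".example.net") || shExpMatch(host, "*.example.org")) {
    return "PROXY 203.0.113.5:8080; DIRECT";
  }
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  return "DIRECT";
}
`;

// Dotted-quad IPv4 literal -> unsigned 32-bit integer, or null if not IPv4.
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Minimal offline versions of the PAC helper functions browsers expose.
// isInNet/dnsResolve normally resolve names; here only IPv4 literals match,
// so nothing on the network is touched during analysis.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  shExpMatch: (str, shexp) => {
    // Shell-style glob: escape regex metacharacters, then map * and ?.
    const re = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$", "i").test(str);
  },
  isInNet: (host, pattern, mask) => {
    const h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
    if (h === null || p === null || m === null) return false;
    return (h & m) === (p & m);
  },
  dnsResolve: () => null,
  myIpAddress: () => "127.0.0.1",
};

// Run FindProxyForURL for each URL and record whether the verdict is DIRECT.
// new Function scopes the helpers as parameters; the script still sees Node
// globals, so do this on an analysis box (or move it into the vm module).
function evaluatePac(pacSource, urls) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, `${pacSource}\nreturn FindProxyForURL;`);
  const findProxy = factory(...names.map((n) => pacHelpers[n]));
  return urls.map((url) => {
    const host = new URL(url).hostname;
    const verdict = String(findProxy(url, host));
    return { url, host, verdict, proxied: !/^\s*DIRECT\s*$/i.test(verdict) };
  });
}

// Unique proxy endpoints the script would hand traffic to (PROXY/HTTPS/SOCKS).
function proxyEndpoints(results) {
  const out = new Set();
  for (const r of results) {
    for (const entry of r.verdict.split(";")) {
      const m = entry.trim().match(/^(?:PROXY|HTTPS?|SOCKS[45]?)\s+(\S+)$/i);
      if (m) out.add(m[1]);
    }
  }
  return [...out];
}

// Constructed probe list: the destinations you care about, plus controls.
const PROBE_URLS = [
  "https://www.example.net/inbox",
  "https://mail.example.org/",
  "http://10.1.2.3/",
  "https://www.example.com/",
];

const sampleResults = evaluatePac(SAMPLE_PAC, PROBE_URLS);
for (const r of sampleResults) {
  console.log(`${r.proxied ? "PROXY " : "direct"} ${r.host} -> ${r.verdict}`);
}
console.log("proxy endpoints:", proxyEndpoints(sampleResults));
```

Feed it the real wpad.dat (from the Avast chest or a browser cache) in place of SAMPLE_PAC and the URLs that trigger the alerts in place of PROBE_URLS; a PAC that returns anything other than DIRECT for webmail or other sensitive hosts, pointing at an address outside the network, is the behaviour to look for.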

OK, that gives me an area to look in, so let's reset one of your IP addresses and retry.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BC0754A6-8A21-4725-BD0C-4C79220F8174}: DhcpNameServer = 124.106.4.2 124.106.7.2

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Essexboy: OK, I ran the new fix. I'm still getting the same alert popup when auto detect settings are on. When it's off, the popups seem to stop.

Any other scans we can run to give more info?

Awaiting orders :stuck_out_tongue:

Hi nuttytuter,

Change DNS to Secure Comodo settings: http://www.comodo.com/secure-dns/switch/router.html

polonus

I’m having some trouble logging into the router. I think the network administrator changed the default password and has forgotten the password. I will get back to you as soon as I switch the DNS to Comodo secure DNS.

Can you please explain why I’m changing the DNS? Will this help fix my problem with the wpad file that Avast keeps detecting?

Thanks!

Hi nuttytuter,

I saw you had that installed from inside the HJT log you provided. In another similar cleansing routine this also helped towards the final solution (where an infected site update was the culprit of the issue). Anyway, as it is not interfering in any way with essexboy's cleansing routines, I put that suggestion forward. On the other hand, you should follow essexboy's instructions to the letter, and after he is done you might also need some additional crap cleaning and a check for corrupted system files, but that is for him to decide. This particular malware does not belong to the really easy ones to cleanse, but essexboy is a renowned malware cleanser, and everything will be OK.

polonus

OK, that is DNS cache poisoning. I am now researching that one, as I have never come across it before. For the moment, deselect auto detect.

First we will flush the DNS cache on your system.

Go to Start > All Programs > Accessories.
Right-click Command Prompt and select Run as Administrator.
In the black box, type or paste the following:

ipconfig /flushdns