system
October 25, 2014, 6:11pm
1
I am getting the constant pop-up: "Avast - avast! Web Shield has blocked a harmful webpage or file."
It appears regardless of whether I'm on the internet or not.
Various objects have appeared: go.wvydeo.com/results . . ., xmlka.com/click?app . . ., and cdn1.movieroomreview.com/themes . . ., among others.
The infection is always URL:Mal.
Process: C:\Program Files.…\iexplorer.exe, PID 11260.
I have updated and run full scans several times this week with Avast and Adaware; it isn't happening as often as it was on 10/23/14, but it still does happen. How can I get rid of this?
Asyn
October 25, 2014, 6:12pm
2
Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0
system
October 25, 2014, 9:04pm
3
I downloaded and ran Malwarebytes.
I have Windows Home Premium 64-bit, so I downloaded the 64-bit version; when I try to right-click and install, I get: "…\Downloads\FRST64.exe is not a valid WIN32 application".
So I downloaded the 32-bit version, and when I right-click to install it I get: "This version of FRST is not compatible with your OS. Please use FRST64."
Also I can't download in Explorer; I get a message saying settings won't allow it, so I downloaded it using Chrome.
The attached file is from after the scan but before reboot; I couldn't figure out how to access the log to export it after the reboot.
For FRST, when you download the 64-bit version, temporarily disable the Avast shields.
system
October 26, 2014, 2:26am
5
OK, but I was able to download it; it just won't run.
system
October 26, 2014, 2:38am
6
Downloaded with shields off: same result.
Malwarebytes pop-ups saying "Malicious Website blocked" and Avast pop-ups saying "Web Shield has blocked a harmful web page or file" are popping up about every 5 seconds, which I don't understand since I turned the shields off.
system
October 26, 2014, 2:44am
7
Tried again and got it; now I will run Farbar.
system
October 26, 2014, 3:15am
9
The computer is locked up now; I took the attached photo of the aswMBR.exe scan.
Stop aswMBR and reboot, please.
I notice that you are also running Adaware antivirus; this is not good policy and it should be uninstalled.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open Notepad and copy/paste the text in the quote box below into it:
HKU\S-1-5-21-1750282702-2339257603-2008339345-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
CHR HKLM-x32\...\Chrome\Extension: [ihogoofdaifgdkdilopkeahfcnifkajn] - C:\Users\Albaughs\AppData\Local\CRE\ihogoofdaifgdkdilopkeahfcnifkajn.crx [2013-09-08]
2014-10-25 22:08 - 2014-10-25 22:08 - 00070656 _____ () C:\Windows\system32\kpmbdq.dll
2014-10-25 22:08 - 2014-10-25 22:08 - 00003858 _____ () C:\Windows\System32\Tasks\{E9FDAAAE-4ACB-E8F1-880C-D5D7DF520FD7}
2014-10-25 22:08 - 2014-10-25 22:08 - 00000000 _____ () C:\Windows\system32\mhaxlrk.dll
2014-10-20 19:00 - 2014-10-20 19:00 - 00000000 ____D () C:\Users\Albaughs\AppData\Local\{D916FD19-F18F-461F-B888-2E090102842C}
2014-10-18 19:12 - 2014-10-18 19:12 - 00000000 ____D () C:\Users\Albaughs\AppData\Local\{DE556472-438D-47E9-80B8-FFA364519B1D}
2014-10-16 16:39 - 2014-10-16 16:39 - 00000000 ____D () C:\Users\Albaughs\AppData\Local\{68785AD5-61CE-4F0E-BC8F-5B044F6E0E18}
2014-10-12 15:39 - 2014-10-12 15:39 - 00000000 ____D () C:\Users\Albaughs\AppData\Local\{E1527873-88E2-4997-98DE-D64B54953156}
2014-10-11 15:49 - 2014-10-11 15:49 - 00000000 ____D () C:\Users\Albaughs\AppData\Local\{A3A5B97A-84BE-4286-B593-9D11CECED036}
2014-10-08 15:48 - 2014-10-08 15:48 - 00000000 ____D () C:\Users\Albaughs\AppData\Local\{C5441493-72F4-45D4-81BE-0375C901054F}
2014-10-07 15:34 - 2014-10-07 15:34 - 00000000 ____D () C:\Users\Albaughs\AppData\Local\{221CE38C-1C74-4E14-8B11-2CA61B2C1795}
2014-10-05 10:25 - 2014-10-05 10:25 - 00000000 ____D () C:\Users\Albaughs\AppData\Local\{AC7E8516-2431-477F-886F-D1DB9BC75AD0}
2014-10-04 11:29 - 2014-10-04 11:29 - 00000000 ____D () C:\Users\Albaughs\AppData\Local\{03E117F3-2FFB-4A97-9750-FF47686AEABD}
2014-10-03 16:52 - 2014-10-03 16:52 - 00000000 ____D () C:\Users\Albaughs\AppData\Local\{74DAF23E-EC0B-4EDB-B3C3-D8A32E5551BE}
2014-09-29 15:52 - 2014-09-29 15:52 - 00000000 ____D () C:\Users\Albaughs\AppData\Local\{A93C239B-40C4-47D2-9D58-F6FDD0CA218E}
2014-09-28 12:01 - 2014-09-28 12:01 - 00000000 ____D () C:\Users\Albaughs\AppData\Local\{2FA31DE9-171D-4588-81C2-668F47B4D2EC}
2014-09-27 16:57 - 2014-09-27 16:57 - 00000000 ____D () C:\Users\Albaughs\AppData\Local\{01427056-91D5-46CE-863F-A07347FA8485}
2014-09-25 15:25 - 2014-09-25 15:25 - 00000000 ____D () C:\Users\Albaughs\AppData\Local\{B1B51BF2-A192-4A39-A1BF-4E49BE56FA90}
2014-10-25 16:09 - 2014-04-18 17:12 - 00000000 ____D () C:\ProgramData\Search Protection
2014-10-25 16:06 - 2013-09-15 15:48 - 00000000 ____D () C:\ProgramData\Conduit
2014-10-25 13:56 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
CustomCLSID: HKU\S-1-5-21-1750282702-2339257603-2008339345-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {FFD0696D-8DFC-4367-B469-92F790B04955} - System32\Tasks\{E9FDAAAE-4ACB-E8F1-880C-D5D7DF520FD7} => C:\Windows\system32\kpmbdq.dll [2014-10-25] ()
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double-click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete, click on "Clean".
- Confirm each time with OK.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
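The fixlist above is built from two kinds of indicator: a CLSID LocalServer32 value that runs rundll32.exe with a javascript: URL (the Poweliks trick, where the script lives in the registry and no file touches disk), and a scheduled task whose action is a freshly dropped DLL. The script below is an added example, not part of this thread, Avast or FRST: it scans FRST-style log lines for those two patterns and decodes the eval() payload so the reviewer can see what the obfuscated string actually is. The sample log lines are constructed from the fragments quoted on this page (plus one hypothetical benign entry for contrast), and the decoding assumes a per-character shift of one code point, which is inferred from the visible fragment because it yields readable JScript, not taken from a published specification.

```python
"""Triage Poweliks-style indicators in FRST-style log lines.

Added example (not from the thread, Avast or FRST).  Sample input is
constructed from the fragments quoted in the fixlist; the shift-by-one
decoding is an assumption inferred from the visible payload.
"""
import re
from typing import Dict, List

# Constructed sample: three lines from the fixlist above plus one benign
# LocalServer32 entry with a hypothetical vendor path, for contrast.
SAMPLE_LOG = r"""
HKU\S-1-5-21-1750282702-2339257603-2008339345-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
CustomCLSID: HKU\S-1-5-21-1750282702-2339257603-2008339345-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {FFD0696D-8DFC-4367-B469-92F790B04955} - System32\Tasks\{E9FDAAAE-4ACB-E8F1-880C-D5D7DF520FD7} => C:\Windows\system32\kpmbdq.dll [2014-10-25] ()
HKLM\...\CLSID\{EXAMPLE-BENIGN}\LocalServer32: "C:\Program Files\Example\app.exe" /automation
"""

# rundll32 given a javascript: URL that loads mshtml and calls
# RunHTMLApplication: script executes straight from the registry value.
LAUNCHER_RE = re.compile(
    r'rundll32(?:\.exe)?\s+javascript:.*?mshtml\s*,\s*RunHTMLApplication',
    re.IGNORECASE,
)
# The obfuscated string passed to eval(); it contains no whitespace, so the
# match stops at the truncation note in the log fragment.
EVAL_RE = re.compile(r'eval\("([^"\s]+)')
# FRST "Task:" line whose action is a DLL rather than an executable
# (heuristic chosen for this example, not an FRST rule).
TASK_RE = re.compile(
    r'^Task:\s+\{[0-9A-F-]+\}\s+-\s+(\S+)\s+=>\s+(.+?\.dll)\b',
    re.IGNORECASE,
)


def shift_decode(payload: str, delta: int = -1) -> str:
    """Undo a per-character code-point shift (assumed delta of one)."""
    return "".join(chr(ord(c) + delta) for c in payload)


def is_poweliks_launcher(value: str) -> bool:
    """True if a registry value launches rundll32 with a javascript: URL."""
    return LAUNCHER_RE.search(value) is not None


def extract_eval_payload(value: str) -> str:
    """Return the obfuscated eval() argument, or '' if none is present."""
    m = EVAL_RE.search(value)
    return m.group(1) if m else ""


def scan_log(text: str) -> List[Dict[str, str]]:
    """Flag LocalServer32 launchers and DLL-backed tasks in FRST-style lines."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "localserver32" in line.lower() and is_poweliks_launcher(line):
            payload = extract_eval_payload(line)
            findings.append({
                "kind": "clsid-launcher",
                "line": line,
                "payload": payload,
                "decoded": shift_decode(payload),
            })
            continue
        m = TASK_RE.match(line)
        if m:
            findings.append({
                "kind": "dll-task",
                "line": line,
                "task": m.group(1),
                "target": m.group(2),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["kind"])
        if f["kind"] == "clsid-launcher":
            print("  payload:", f["payload"])
            print("  decoded:", f["decoded"])
        else:
            print("  task:", f["task"], "->", f["target"])
```

Decoding the quoted fragment gives `document.write('<script language=jscr`, which is what a reviewer wants to confirm before deleting the key: the LocalServer32 value is a script dropper, not a broken COM registration. The same regexes can be pointed at a full FRST.txt or at a `reg export` of HKCU\Software\Classes\CLSID.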
system
October 26, 2014, 2:31pm
11
Is it OK to download it again? I had several FRST.exe files; the one that worked before disappeared when I went to run it, and it's not in my Recycle Bin either.
Yes, but ensure you save it to your desktop.
system
October 26, 2014, 2:57pm
13
Farbar is "fixing" but Malwarebytes is running; I forgot to stop it. Will that be a problem? Malwarebytes pop-ups are occurring.
Stop MBAM during the FRST fix, as it will try to block the programme.
system
October 26, 2014, 3:58pm
15
How long should the FRST fix take? It's been over an hour so far.
If it has generated a fix log, then stop FRST; we have been experiencing some problems with the EmptyTemp: command hanging.
After AdwCleaner has run, could you let me know how the computer is behaving and any outstanding problems?
system
October 26, 2014, 5:57pm
19
OK.
AdwCleaner generated 2 files; attached.
How is the computer behaving now? What problems remain?