On one of our business computers we have been having Avast for a couple of years now. Well, somehow some malware or a virus got past Avast. I have no idea how it happened, but we are always getting popups for objects such as tpsearch.me, search-world.biz, nemo-finder.me… Lately we have been having a lot of issues with this machine and now it barely works and we can’t even use our POS system. What should I do to fix this?
Follow the instructions here: https://forum.avast.com/index.php?topic=53253.0
Attach the Malwarebytes and Farbar Recovery Scan Tool logs … 3 logs total.
See below the box you write in … Attachments and other options.
Here we go—ADMIN. ACCOUNT
Not a great deal showing there
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
2015-09-01 18:59 - 2015-04-14 13:56 - 00000000 __SHD C:\Users\Administrator\AppData\Local\EmieUserList
2015-09-01 18:59 - 2015-04-14 13:56 - 00000000 __SHD C:\Users\Administrator\AppData\Local\EmieSiteList
2015-09-01 18:59 - 2015-04-14 13:56 - 00000000 __SHD C:\Users\Administrator\AppData\Local\EmieBrowserModeList
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix.
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
fixlog—ADMIN.
adw—ADMIN.
How is the computer behaving now?
Works fine under admin., but if we log in to this branch’s profile then the Avast warning popups start popping up constantly. Everything seems to be tied to this profile. Still Finding Nemo or whatever, a couple other ones I was able to write down real quick are:
Object: http://fff5ee.com/q
Infection: MAL
Process: c:\windows\syswow64\dllhost.exe
Object: the-search-panet.info/search.php?query=anti+aging+products
Infection: MAL
Process: c:\programfiles\internetexplorer\iexplore.exe
Could you run a scan under that profile please?
Sorry, I forgot that the profiles act almost like different machines and are mostly independent of one another.
—HOUMA STORE
This will cure it.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKU\S-1-5-21-2768183970-1955982448-509404506-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
CustomCLSID: HKU\S-1-5-21-2768183970-1955982448-509404506-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix.
On completion a log will be generated; please post that.
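The Poweliks entries FRST flagged above live in a per-user COM registration (the `_Classes\CLSID\{...}\LocalServer32` default value) that launches rundll32 with a `javascript:` URL, which is how the infection survives without a file on disk. The following read-only PowerShell script is an added example, not part of this thread or of FRST, that enumerates every loaded user hive and lists any such LocalServer32 value so a technician can check the other accounts on a machine; the regex it matches on is an assumption chosen for triage, not a vendor signature.

```powershell
# Added example (not from the thread or from FRST): report per-user CLSID
# LocalServer32 defaults that start rundll32 with a javascript: URL.
# Read-only: it only prints findings, it changes nothing in the registry.
$pattern = 'rundll32(\.exe)?\s+javascript:'   # assumed triage marker

$hits = foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
    # Only the <SID>_Classes hives hold per-user COM registrations
    if ($hive.PSChildName -notlike '*_Classes') { continue }
    $clsidRoot = Join-Path $hive.PSPath 'CLSID'
    if (-not (Test-Path $clsidRoot)) { continue }

    foreach ($clsid in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
        $srv = Join-Path $clsid.PSPath 'LocalServer32'
        if (-not (Test-Path $srv)) { continue }
        # The launch command is the key's default value
        $cmd = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -and $cmd -match $pattern) {
            [pscustomobject]@{
                User    = $hive.PSChildName -replace '_Classes$', ''
                CLSID   = $clsid.PSChildName
                # Truncate: the payload string is long and not needed for triage
                Command = $cmd.Substring(0, [Math]::Min(80, $cmd.Length))
            }
        }
    }
}

if ($hits) { $hits | Format-Table -AutoSize }
else { 'No rundll32/javascript: LocalServer32 entries found in loaded user hives.' }
```

Only hives of users who are currently logged on (or otherwise loaded) appear under HKEY_USERS, which is why the thread asks for a separate FRST run under each account.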
Now it’s happening to the admin. account.
How many separate accounts are there?
Could you run FRST on each and name them so that you know which is which?
There are only 2 accounts on this system. Why it was done this way, I wish I could tell you. Originally it was the HOUMA STORE account that was messing up. Admin was fine. I ran everything here under both accounts that we did them for. So far so good (knock on wood). Here are the final logs from the Houma store account.
—HOUMA STORE
Did you run the fixlist on the HOUMA account? The log you have just posted appears to be the original rather than the log generated after the fix.
This should be right. Everything is working fine now. No issues as of yet. Thank you for all of the help.
Let me know when you are happy and I will tidy up.