Not sure if I am infected.

My avast keeps even if I keep enabling it. I tried scanning my computer with Malwarebytes and it found a few infections, and after cleaning them I rebooted and Avast is still not working.

First copy and paste or attach the MBAM scan results; that may help us get an idea of what is going on based on what it found.

How long have you had avast installed and what version are you using? 5.0.677 is the latest.

Do you have (or did you have) another anti-virus installed on this system? If so, what was it and how did you get rid of it?

Here is the log from Malwarebytes

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4599

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/09/2010 2:12:44 AM
mbam-log-2010-09-12 (02-12-44).txt

Scan type: Quick scan
Objects scanned: 134802
Time elapsed: 2 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\searchbho.csearchbho (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{a1a1e70d-58c5-4349-83b6-be9682b9874d} (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4bf423f5-1689-4003-8a05-829048c7d869} (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d7be8ed1-b138-48fd-bb22-9779a39130b1} (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{d7be8ed1-b138-48fd-bb22-9779a39130b1} (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7be8ed1-b138-48fd-bb22-9779a39130b1} (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d7be8ed1-b138-48fd-bb22-9779a39130b1} (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\searchbho.csearchbho.1 (Redir.GSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{f334c7b0-8774-4d5b-bd7a-4f448d03a1ae} (Adware.SkyLab) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2863e737-dd3f-4280-9af8-e9e79c16f312} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f334c7b0-8774-4d5b-bd7a-4f448d03a1ae} (Adware.SkyLab) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2863e737-dd3f-4280-9af8-e9e79c16f312} (Adware.SkyMediaPack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\SkyMedia (Adware.SkyMedia) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{d7be8ed1-b138-48fd-bb22-9779a39130b1} (Redir.GSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Conrad\AppData\Roaming\Mozilla\Firefox\Profiles\oxrvfedc.default\extensions\SearchHelper\SearchBHO.dll (Redir.GSearch) -> Quarantined and deleted successfully.

My avast is the latest version and it was actually installed not too long ago because I reformatted my computer about 2-3 weeks ago. I even tried reinstalling avast. Avast was the only antivirus I installed after reformatting as well.

OK, looks like your Google search results were being redirected, according to what was found. Is that correct, and if so has that now stopped?

The problem with avast stopping is obviously not connected to another AV or remnants of one.

These search redirections are frequently accompanied by a rootkit (TDSS) to try and hide the redirect actions and on occasion may have another function to disable security software. Normally if it is like that it would either kill the AV or not, but I wouldn’t have thought it would act in the way you are seeing.

Did you first update MBAM before running that scan? If not, I would suggest doing that and running it again.

You could also try this application - SUPERantispyware (SAS). On-Demand only in free version.
Don’t worry about reported tracking cookies; they are a minor issue and not one of security. Allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.
A portable version of SAS is also available if malware happens to block installation, http://www.superantispyware.com/portablescanner.html, no installation required.

It could just be a problem in avast, so try a repair of avast. Add Remove programs, select 'avast! Anti-Virus,' click the Change/Remove button and scroll down to Repair, click next and follow.

Well, I did a scan with SUPERantispyware and it didn’t seem to find much. For some reason though, after I restarted my computer, it wouldn’t start up and I had to perform startup repairs. After that my computer loaded fine and Avast is now working fine o_O

crudohgod,

What version of Avast are you using? Right click the orange Avast toolbar on the bottom of your screen > “About Avast” and it will tell you the version.

Update your Avast definitions if you have not done so already.

Did you change any of the default settings of Avast?

  1. Update and run a FULL MBAM scan and cut and paste it here in the thread.

  2. Run a Full Avast scan and report your findings. If anything is put into the Virus Chest, leave it there…do not delete anything. If anything goes to the Chest, give us a screen shot of what is in there.

  3. If you have a 32-bit machine, then you can run a Boot-time scan (this will take a while), and report your findings on this.

Let me know if you have any questions. Thanks.

I doubt that it is related, but since you don’t say what little it did find (?) there is no way to say for sure.

All I found in the scan were the tracking cookies. For some reason after I restarted my computer once more the problem is back again =(. 5.0.677 is the version of my avast and it’s updated, and so was MBAM when I did my first scan. I will do a scan with both MBAM and Avast once I get the chance.

EDIT: I also have not changed any avast settings and I’m on a 64-bit version of Windows 7.

Do you mean you are getting the Google search redirects?
Presumably MBAM doesn’t find those items it did before.

Or do you mean something else?

Sorry I wasn’t clear. I meant my avast is still disabled and disables whenever I attempt to enable it.

  1. Are you using the Free or Pro (paid) version of 5.0.677?

  2. Do you have any other security software on your machine (antivirus, firewall, other security programs besides MBAM and SAS) either now or in the past? If you had them in the past, how did you remove them?

  3. When you say Avast is “still disabled” and “disables whenever I attempt to enable it.” What exactly is it doing? Are you getting any warning or error notifications?

  4. Is your machine acting normally now other than Avast?

  5. Since Avast is not working correctly, you need some type of antivirus protection. If you haven’t done so already, please turn on Windows Defender (built into your machine), update the definitions, and turn it on as “resident” for now until we get Avast working properly.

Please let us know if you have any questions. Thank you.

Hey sorry I haven’t replied, I’ve not had time to post any information.

  1. I’m using the free version

  2. I’ve never had any other security programs since I installed Avast after reformatting

  3. What happens is there is an x beside the avast icon in the task bar; when I open avast it says the antivirus is off and I need to press Fix Now to re-enable it. I press it and all is good for about 10 seconds and it reverts back to the disabled state on its own.

  4. My machine does appear to be working fine, I have noticed that the virus that was redirecting me is back and I noticed it’s only on firefox.

  5. I’ve enabled windows defender

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions for obtaining an MBAM FULL log (make sure you update MBAM first) and the OTL logs. Post the MBAM log and the two (2) OTL logs as attachments [Additional Options > Attach > Browse (the OTL logs will be on your desktop) > Post].

Once you have posted your logs, I will be referring you to our Certified Malware Removal expert named Essexboy. He will give you further instructions here in this thread, so continue to check this thread after posting your logs. I will continue to monitor in the background.

Please let me know if you have any further questions. Thank you.

My extra.txt file was too big to upload alongside the OTL.txt file. Here it is now.

Ugh, for some reason my first post was not posted. Here are my MBAM logs and OTL.txt.

MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4667

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

21/09/2010 6:48:35 PM
mbam-log-2010-09-21 (18-48-35).txt

Scan type: Quick scan
Objects scanned: 137063
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Thank you for the logs. Although I had asked for an MBAM FULL scan and you did a Quick scan, I think Essexboy can work with your OTL logs.

Did you realize that when you installed Foxit PDF Reader you also installed the Ask Toolbar (adware)? They are sneaky in putting this adware in there unless you do a Custom Install and read everything you click while you are installing, or preferably download the Slim or Portable version. So next time you need an update, uninstall this version and install the versions I suggested instead. An alternative PDF reader without toolbars is Nitro PDF Reader, and there are others. Just something to think about once all these troubles are over.

Can you please give an explanation for Essexboy as to the problems you are currently having with your machine now?

He will analyze your logs and give you further instructions. Please check in at least daily on the forum for his instructions (he is on UK time). Thank you.

Nothing jumps out at me there - so let's investigate some other areas

Please read carefully and follow these steps.

  - Download TDSSKiller and save it to your Desktop.
  - Extract its contents to your desktop.
  - Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMain.png

  - If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

  - If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

  - It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

  - If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  - If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

THEN

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2

  - Ensure all Firefox windows are closed.
  - To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  - When prompted to run the scan, click Yes.
  - GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

I’ve done this, here are the logs.

TDSS Killer

Attached to post due to character limit

GooredFix

GooredFix by jpshortstuff (03.07.10.1)
Log created at 17:31 on 22/09/2010 (Conrad)
Firefox version 3.6.10 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [07:35 21/08/2010]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [01:53 02/09/2010]

C:\Users\Conrad\Application Data\Mozilla\Firefox\Profiles\oxrvfedc.default\extensions\
SearchHelper [01:55 02/09/2010]
{ACAA314B-EEBA-48e4-AD47-84E31C44796C} [01:57 02/09/2010]
{b749fc7c-e949-447f-926c-3f4eed6accfe} [07:36 21/08/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(Key not found)

---------- Old Logs ----------
GooredFix[00.30.42_23-09-2010].txt

-=E.O.F=-
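
An added example, not written by any poster in this thread or by the authors of the tools it mentions: a triage pass over the GooredFix extension listing above, cross-checked against the file detection in the first MBAM log. It assumes the legacy Firefox convention that an unpacked extension folder is named after its ID, which is either a `{GUID}` or a `name@domain` string; the sample input is constructed from the two logs on this page.

```python
import re

# Constructed sample input: the extension listing from the GooredFix log above
# and the single file detection from the first MBAM log in this thread.
GOORED_LOG = r"""C:\Program Files (x86)\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [07:35 21/08/2010]
{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [01:53 02/09/2010]

C:\Users\Conrad\Application Data\Mozilla\Firefox\Profiles\oxrvfedc.default\extensions\
SearchHelper [01:55 02/09/2010]
{ACAA314B-EEBA-48e4-AD47-84E31C44796C} [01:57 02/09/2010]
{b749fc7c-e949-447f-926c-3f4eed6accfe} [07:36 21/08/2010]
"""
MBAM_FILE_HITS = [
    r"C:\Users\Conrad\AppData\Roaming\Mozilla\Firefox\Profiles\oxrvfedc.default"
    r"\extensions\SearchHelper\SearchBHO.dll (Redir.GSearch) -> Quarantined and deleted successfully.",
]

GUID_ID = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
EMAIL_ID = re.compile(r"^[\w.+-]*@[\w.-]+$")
ENTRY = re.compile(r"^(?P<name>.+?) \[(?P<stamp>\d\d:\d\d \d\d/\d\d/\d{4})\]$")
MBAM_EXT = re.compile(r"\\extensions\\([^\\]+)\\.*?\(([^)]+)\) ->", re.I)

def parse_goored(log):
    """Return (directory, entry, timestamp) rows from a GooredLog listing."""
    rows, current = [], None
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m and current:
            rows.append((current, m["name"], m["stamp"]))
        elif line.lower().endswith("\\extensions\\"):
            current = line  # a directory header starts a new group of entries
    return rows

def triage(log, mbam_lines):
    """Flag entries with a non-standard ID or an earlier MBAM hit inside them."""
    hits = {m[1].lower(): m[2] for m in map(MBAM_EXT.search, mbam_lines) if m}
    findings = []
    for _dir, name, stamp in parse_goored(log):
        reasons = []
        if not (GUID_ID.match(name) or EMAIL_ID.match(name)):
            reasons.append("folder name is not a {GUID} or name@domain ID")
        if name.lower() in hits:
            reasons.append("MBAM detection inside this folder: " + hits[name.lower()])
        if reasons:
            findings.append((name, stamp, reasons))
    return findings

if __name__ == "__main__":
    for name, stamp, reasons in triage(GOORED_LOG, MBAM_FILE_HITS):
        print(f"{name} [{stamp}]: " + "; ".join(reasons))
```

A flagged entry is a folder worth inspecting by hand, not a verdict; the naming check is a heuristic and the MBAM cross-reference only shows that a detection was once reported inside that folder.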

Could you attach the TDSSKiller log please, as you duplicated the Gored. Do you use a router?

Wow how did I manage to do that. Log is attached. Yes I use a router by the way.