pop up saying epictory is trying to access the host

Hi
Please can anyone help with a pop up from Avast saying epictory and blacklist are trying to access host. It says it has been blocked. I have done a full scan and 4 infected files were moved to chest. Unfortunately the pop up still appears and I don't know what to do now, not too technical please as not very computer savvy.
many thanks
Rachel

to assist we need some logs … see instructions here https://forum.avast.com/index.php?topic=53253.0
attach Malwarebytes and Farbar Recovery Scan Tool logs …there will be 3 logs

Hi,
OK, I will do,
many thanks

Hi,
I have finally worked out how to attach them and here they are,
thank you.

Hi, another log I have attached,
thank you,
Rachel

you have attached wrong Malwarebytes log …we want scan log, not protection log

Hi,
Very sorry, I’m sure this is the right one now,
thank you
Rachel

that's the one … you had a nice PUP collection there :-\

now you wait for essexboy

Hi, the first thing you must do is uninstall Chrome, you may re-install once we have finished

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-807404376-3683995377-3266256110-1000\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-807404376-3683995377-3266256110-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&appid=101&systemid=406&sr=0&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.look-for-it.info/?l=1&q={searchTerms}&pid=22125&r=2015/02/13&hid=3585938884922084139&lg=EN&cc=GB&unqvl=82
SearchScopes: HKLM-x32 -> {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.look-for-it.info/?l=1&q={searchTerms}&pid=22125&r=2015/02/13&hid=3585938884922084139&lg=EN&cc=GB&unqvl=82
SearchScopes: HKU\S-1-5-21-807404376-3683995377-3266256110-1000 -> {BB82DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.look-for-it.info/?l=1&q={searchTerms}&pid=22125&r=2015/02/13&hid=3585938884922084139&lg=EN&cc=GB&unqvl=82
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKU\S-1-5-21-807404376-3683995377-3266256110-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-807404376-3683995377-3266256110-1000 -> No Name - {00000000-0000-0000-0000-000000000000} - No File
DPF: HKLM-x32 {6A060448-60F9-11D5-A6CD-0002B31F7455}
CHR HomePage: Default -> hxxp://www.google.co.uk/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\RACHEL RENFREE\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\RACHEL RENFREE\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-02-20]
CHR Extension: (Google Wallet) - C:\Users\RACHEL RENFREE\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-02-20]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-11-13]
2015-02-21 11:36 - 2015-02-21 11:36 - 00000000 ____D () C:\Users\RACHEL RENFREE\AppData\Local\{ED788750-B74F-4539-96FA-5DFA51F6A136}
2015-02-18 10:40 - 2015-02-18 10:40 - 00000000 ____D () C:\Users\RACHEL RENFREE\AppData\Local\{ADEE26EA-B42D-4C54-8683-6D6E6A1EE79C}
2015-02-17 14:55 - 2015-02-17 14:55 - 00000000 ____D () C:\Users\RACHEL RENFREE\AppData\Local\{8CD5D791-5F94-45A8-A99C-C119A6B698D0}
2015-02-14 14:11 - 2015-02-14 14:11 - 00000000 ____D () C:\ProgramData\{27E3CF20-7761-1EA6-C6E7-6E241665BDAA}
2015-02-13 12:29 - 2015-02-14 12:52 - 00000000 ____D () C:\Users\RACHEL RENFREE\AppData\Local\Google
2015-02-13 12:15 - 2015-02-13 12:15 - 00000000 ____D () C:\Program Files (x86)\Vecteezy
2015-02-13 12:14 - 2015-02-13 12:14 - 00000000 ____D () C:\ProgramData\ophojdpchbcegpjocapbmhmapdjgkcne
2015-02-13 12:14 - 2015-02-13 12:14 - 00000000 ____D () C:\ProgramData\7417384895243743421
2015-02-13 12:14 - 2015-02-13 12:14 - 00000000 ____D () C:\Program Files (x86)\UUniDEals
2015-02-13 12:13 - 2015-02-17 14:05 - 00000000 ____D () C:\ProgramData\{d7c25f89-f6ce-a14a-d7c2-25f89f6c7e27}
2015-02-07 12:55 - 2015-02-07 12:55 - 00000000 ____D () C:\Users\RACHEL RENFREE\AppData\Local\{686727B6-2991-49BD-A9AF-64C6E6BEEFDA}
2015-02-05 22:31 - 2015-02-05 22:32 - 00000000 ____D () C:\Users\RACHEL RENFREE\AppData\Local\{BACB292E-5344-4BA3-9062-1167B8F434A4}
2015-02-01 22:20 - 2015-02-01 22:20 - 00000000 ____D () C:\Users\RACHEL RENFREE\AppData\Local\{B57C0158-050A-45F3-9275-B63ECFF57E4A}
2015-01-31 22:50 - 2015-01-31 22:50 - 00000000 ____D () C:\Users\RACHEL RENFREE\AppData\Local\{FF7765B4-BAD6-48CA-8C7E-039D45981F0A}
2015-01-28 10:57 - 2015-01-28 10:57 - 00000000 ____D () C:\Users\RACHEL RENFREE\AppData\Local\{26D27E75-68EA-40EF-8938-D3323A22015D}
2015-01-23 22:28 - 2015-01-23 22:28 - 00000000 ____D () C:\Users\RACHEL RENFREE\AppData\Local\{B17F1D3F-B0C8-432E-9BE2-07F1F083F1F1}
2015-02-21 13:47 - 2011-07-30 17:43 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-21 13:46 - 2013-06-20 13:33 - 00000000 ____D () C:\Users\RACHEL RENFREE\AppData\Roaming\Search Protection
2015-02-19 16:57 - 2013-11-27 11:36 - 00002185 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-05 11:50 - 2011-07-30 17:43 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-05 11:50 - 2011-07-30 17:43 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2011-08-05 16:24 - 2011-08-05 16:24 - 0000000 _____ () C:\Users\RACHEL RENFREE\AppData\Local\{2B345D3E-3B4B-4952-8D8C-A327441BCC8A}
2012-01-08 14:15 - 2012-01-08 14:15 - 0000000 _____ () C:\Users\RACHEL RENFREE\AppData\Local\{4B12A5F3-CE61-4FDA-8432-BE9D7D569DD7}
2011-08-25 08:05 - 2011-08-25 08:05 - 0000000 _____ () C:\Users\RACHEL RENFREE\AppData\Local\{6DE6BF9D-F4BC-4771-A1A4-3F9CC0150001}
Task: {18E00868-B677-4028-8043-27C1A5A17C46} - System32\Tasks\YTDownloaderUpd => C:\Program Files (x86)\YTDownloader\updater.exe <==== ATTENTION
Task: {3E512C37-F315-4754-AE86-D17B04D1B267} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-23] (Google Inc.)
Task: {BBB28253-5B14-43D6-82EA-4C49825ECE11} - System32\Tasks\YTDownloader => C:\Program Files (x86)\YTDownloader\YTDownloader.exe <==== ATTENTION
Task: {CD2EE4B6-282E-42B0-8C46-376401EF95B9} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-23] (Google Inc.)
Task: {DC142F46-3BD8-4A77-971F-8B8844488E34} - System32\Tasks\ProPCCleaner_Popup => C:\Program Files (x86)\Pro PC Cleaner\Splash.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Users\RACHEL RENFREE\AppData\Local\Google\Chrome
C:\Program Files (x86)\YTDownloader
C:\Program Files (x86)\Pro PC Cleaner
C:\Program Files (x86)\Google\Chrome
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
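For readers reviewing a log like the one quoted in the fix above, here is an added example (not part of the original posts and not FRST's own code) that triages FRST-style lines: it picks out entries carrying the `ATTENTION` marker, entries ending in `No File`, and scheduled tasks whose target has no trailing `[date] (vendor)` stamp. Reading that stamp as file date and vendor is an assumption about the log format; the sample lines are copied from the fixlist in this thread.

```python
import re

# Sample lines copied from the fixlist quoted in this thread.
SAMPLE = r"""CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Task: {18E00868-B677-4028-8043-27C1A5A17C46} - System32\Tasks\YTDownloaderUpd => C:\Program Files (x86)\YTDownloader\updater.exe <==== ATTENTION
Task: {3E512C37-F315-4754-AE86-D17B04D1B267} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-23] (Google Inc.)
Task: {DC142F46-3BD8-4A77-971F-8B8844488E34} - System32\Tasks\ProPCCleaner_Popup => C:\Program Files (x86)\Pro PC Cleaner\Splash.exe
"""

# The marker appears with a varying number of '=' characters in the log.
ATTENTION = re.compile(r"\s*<=+\s*ATTENTION\s*$")
# Task: {GUID} - <task name> => <target executable and optional stamp>
TASK = re.compile(r"^Task: \{[0-9A-Fa-f-]{36}\} - (?P<name>.+?) => (?P<target>.+)$")
# Assumption: a trailing "[YYYY-MM-DD] (Vendor)" is the file date and vendor.
STAMP = re.compile(r"\s*\[\d{4}-\d{2}-\d{2}\] \((?P<vendor>[^()]+)\)$")


def triage(log_text):
    """Return (reasons, entry) pairs for lines that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        # Strip the marker so the remaining checks see the bare entry.
        entry, flagged = ATTENTION.subn("", line)
        if flagged:
            reasons.append("flagged")
        # Registry entry still present but the file it points to is gone.
        if entry.endswith("No File"):
            reasons.append("orphaned")
        # Scheduled task whose target carries no date/vendor stamp.
        task = TASK.match(entry)
        if task and not STAMP.search(task.group("target")):
            reasons.append("task-unattributed")
        if reasons:
            findings.append((reasons, entry))
    return findings


if __name__ == "__main__":
    for reasons, entry in triage(SAMPLE):
        print(",".join(reasons).ljust(28), entry)
```

The ProPCCleaner_Popup task carries no `ATTENTION` marker in the log, yet the helper included it in the fix; the unattributed-task check is what surfaces it here.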

Hi,
I have uninstalled Chrome and copied and pasted to notepad. I have no idea how to run FRST again. Sorry, but I'm no techie.
Rachel

No problem, ensure that FRST is on your desktop … If not then download a fresh copy to that location (both FRST and the Fixlist must be on the desktop)

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

- Press Fix
- Please attach the log generated.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Have got the box downloaded but can't save it to desktop. Also those notes I copied and pasted to notepad, do you want me to add them into the FRST document? This is so tricky.

OK better idea… Download the attached fixlist.txt to the same location as the FRST programme (desktop)
Start FRST and then press fix :)

FRST programme in downloads, can't get it to desktop.

do you have FRST.exe in your download folder?

if so right click on the file and select Cut … then go to your desktop, right-click somewhere and select Paste

Yay, it's on desktop. Clicked fix and it says that the fixlist is not there. It is because there's an icon saying fixlist. Bet you hope you don't get too many like me.
Thanks

It's working now, phew.

No problem, I can’t dance :) horses for courses

Hi,
I think I now have the log attached.

Looks like it is killed, just the AdwCleaner run now to clear leftovers

The Alerts should no longer be present