system
November 18, 2012, 7:28pm
1
I have used AVAST for about 3 years & today was starting to have an issue…
First got 3/3 messages that said "threat detected", some Trojan threat. Ran a scan & found the virus & "moved it to chest" like it recommended.
Did the reboot with complete scan during boot up & found two infected files there, deleted both. Now after start up, I get 3/3 messages again saying "threat detected"?
Here's a pic of what the virus looked like
http://i818.photobucket.com/albums/zz101/Riggs290731RCR/junk%20pics/tn-2.jpg
What should my next step be if i keep getting “message detected” pop ups?
system
November 18, 2012, 7:50pm
2
Here is a picture of the message when you click on the "threat detected" more info link.
http://i818.photobucket.com/albums/zz101/Riggs290731RCR/TTM%20autos/u.jpg
Any help is much appreciated.
Pondus
November 18, 2012, 7:52pm
3
follow this guide and attach the logs…not copy and paste
http://forum.avast.com/index.php?topic=53253.0
AdwCleaner
Malwarebytes
OTL
aswMBR
system
November 18, 2012, 8:31pm
4
You want me to post the result logs? Not sure how to attach an AdwCleaner notepad log.
Think after running AdwCleaner & Malwarebytes' Anti-Malware may have fixed it? Since they have completed, no "threat detected" message?
Pondus
November 18, 2012, 8:37pm
5
below the box you write in here… “attachments and other options”
you can copy and paste logs…but OTL log must be attached bc of the size
when done a removal specialist will check them for any infections, and remove the infection(s) if he sees any
he will also fix any minor problems he sees
system
November 18, 2012, 8:47pm
6
here is the AdwCleaner log.
AdwCleaner v2.008 - Logfile created 11/18/2012 at 14:17:13
Updated 17/11/2012 by Xplode
Operating system : Windows Vista ™ Business Service Pack 2 (32 bits)
User : Ricky - RICKY-PC
Boot Mode : Normal
Running from : C:\Users\Ricky\Downloads\adwcleaner.exe
Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
File Deleted : C:\Users\Ricky\AppData\Local\funmoods-speeddial.crx
Folder Deleted : C:\ProgramData\Anti-phishing Domain Advisor
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\Ricky\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpglkicenollcignonpgiafdgfeehoj
***** [Registry] *****
Key Deleted : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Anti-phishing Domain Advisor
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\AppID{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{23C70BCA-6E23-4A65-AD2E-1389062074F1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{295CACB4-51F5-46FD-914E-C72BAAE1B672}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{C0585B2F-74D7-4734-88DE-6C150C5D4036}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{CA17D76B-F91D-4659-A7FD-A9F7ED375CDD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{EF0588D6-1621-4A75-B8BE-F4BC34794136}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-phishing Domain Advisor
Key Deleted : HKLM\Software\Tarma Installer
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Anti-phishing Domain Advisor]
***** [Internet Browsers] *****
-\ Internet Explorer v9.0.8112.16421
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzuyDtD0EyDyEzy0C0B0CyD0AtByDyE0CtAtN0D0Tzu0CtCzytAtN1L2XzutBtFtCtFtDtFtAtDtC&cr=547247914 → hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzuyDtD0EyDyEzy0C0B0CyD0AtByDyE0CtAtN0D0Tzu0CtCzytAtN1L2XzutBtFtCtFtDtFtAtDtC&cr=547247914 → hxxp://www.google.com
-\ Google Chrome v23.0.1271.64
File : C:\Users\Ricky\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
AdwCleaner[S1].txt - [3942 octets] - [18/11/2012 14:17:13]
Forgot to save the log from the Malwarebytes' Anti-Malware run. That had 30 files in red, all being "funmoods", which has been deleted for some time from my system. Must be left overs?
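A small triage helper for logs of the kind posted above, added here as an example and not part of the thread or of AdwCleaner itself. It parses the AdwCleaner v2 log format (section headers, "X Deleted :" lines, "Replaced :" browser lines) and pulls out what a helper like Pondus looks for first: how many items were removed per category, which autorun (Run key) values were cleared, and which browser start page was redirected from which host. The log text below is a constructed sample modelled on the one in the thread, not the full original.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, modelled on the AdwCleaner v2.008 log quoted in the thread.
SAMPLE_LOG = r"""
AdwCleaner v2.008 - Logfile created 11/18/2012 at 14:17:13
Option [Delete]
***** [Services] *****
***** [Files / Folders] *****
File Deleted : C:\Users\Ricky\AppData\Local\funmoods-speeddial.crx
Folder Deleted : C:\ProgramData\Anti-phishing Domain Advisor
***** [Registry] *****
Key Deleted : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Anti-phishing Domain Advisor]
***** [Internet Browsers] *****
-\ Internet Explorer v9.0.8112.16421
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=fmtoby → hxxp://www.google.com
-\ Google Chrome v23.0.1271.64
File : C:\Users\Ricky\AppData\Local\Google\Chrome\User Data\Default\Preferences
[OK] File is clean.
""".strip()

# "***** [Registry] *****" style section headers.
SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
# "File Deleted : ...", "Key Deleted : ...", etc.
DELETED_RE = re.compile(r"^(?P<kind>File|Folder|Key|Value) Deleted : (?P<target>.+)$")
# Browser setting replaced: [location] = old → new   (AdwCleaner writes "→" or "-->")
REPLACED_RE = re.compile(
    r"^Replaced : \[(?P<location>[^\]]+)\] = (?P<old>\S+) (?:→|-->|->) (?P<new>\S+)$"
)
# Autorun persistence cleared from a ...\CurrentVersion\Run key.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run \[(?P<name>[^\]]+)\]$")


def host_of(defanged_url):
    """Hostname of an 'hxxp://' defanged URL; refanged only in memory for parsing."""
    return urlparse(defanged_url.replace("hxxp", "http", 1)).hostname or ""


def parse_adwcleaner(text):
    """Summarize an AdwCleaner log: per-kind counts, per-section counts,
    cleared Run-key persistence entries, and browser start-page redirections."""
    summary = {"counts": Counter(), "sections": {}, "persistence": [], "hijacked": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m["name"]
            summary["sections"][section] = 0
            continue
        if m := DELETED_RE.match(line):
            summary["counts"][m["kind"]] += 1
            if section:
                summary["sections"][section] += 1
            if r := RUN_KEY_RE.search(m["target"]):
                summary["persistence"].append(r["name"])
            continue
        if m := REPLACED_RE.match(line):
            summary["hijacked"].append(
                {"setting": m["location"], "from": host_of(m["old"]), "to": host_of(m["new"])}
            )
            if section:
                summary["sections"][section] += 1
    return summary


def suspicious_hosts(summary):
    """Hosts the browser was pointed at before cleanup; worth checking against later logs."""
    return sorted({h["from"] for h in summary["hijacked"]})


if __name__ == "__main__":
    s = parse_adwcleaner(SAMPLE_LOG)
    for kind, n in sorted(s["counts"].items()):
        print(f"{kind}s deleted: {n}")
    print("Run-key persistence removed:", s["persistence"])
    print("Start page redirected from:", suspicious_hosts(s))
```

The "from" host and the Run-key name are the two values to carry forward: if the same host reappears in the OTL scan (as the SearchScopes URL does later in this thread) the removal was incomplete, and the Run value is the entry that would have re-launched the adware at every logon.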
Pondus
November 18, 2012, 8:58pm
7
malwarebytes log is saved inside malwarebytes…you find it under the logs tab on top when you open the program
anyway…OTL is the important log
system
November 18, 2012, 9:01pm
9
Since I did the last 3, think the problem may be gone. Have yet to get a "threat detected" message? Thoughts? Think I'm in the clear?
Pondus
November 18, 2012, 9:06pm
10
Looking at the AdwCleaner log, I may see what your problem was
Folder Deleted : C:\ProgramData\Anti-phishing Domain Advisor
also others had this
http://forum.avast.com/index.php?topic=109840.0
http://forum.avast.com/index.php?topic=109795.0
check back later to hear what the removal specialist has to say
system
November 18, 2012, 9:13pm
11
OK. Sounds good. Here's the last of it, the aswMBR log.
Thank you for your help. Really appreciate it.
Let me know if there is anything further I need to do…
This was the problem Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Anti-phishing Domain Advisor
Checking the logs now
OK not a lot left for me to kill ;D Let me know of any further problems
Warning This fix is only relevant for this system and no other, using on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzuyDtD0EyDyEzy0C0B0CyD0AtByDyE0CtAtN0D0Tzu0CtCzytAtN1L2XzutBtFtCtFtDtFtAtDtC&cr=547247914
O4 - HKU\S-1-5-21-10632349-1777486396-4087371160-1000..\Run: [SPMTray] "C:\Program Files\PC Speed Maximizer\SPMTray.exe" File not found
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
system
November 18, 2012, 9:25pm
14
You want me to run this & copy/paste the info in the "code: {select} section, & put it into the “paste scripts here” part?
Yep that will remove the last of the funmood stuff
system
November 18, 2012, 9:37pm
16
O.K., got that done. Here is the log. Let me know what my next step will be or if I'm done.
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry value HKEY_USERS\S-1-5-21-10632349-1777486396-4087371160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SPMTray deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Public
User: Ricky
->Temp folder emptied: 49956963 bytes
->Temporary Internet Files folder emptied: 41481812 bytes
->Java cache emptied: 43504 bytes
->Google Chrome cache emptied: 398850101 bytes
->Flash cache emptied: 69614 bytes
User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 74367330 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 79086015 bytes
Total Files Cleaned = 614.00 mb
Restore point Set: OTL Restore Point
OTL by OldTimer - Version 3.2.69.0 log created on 11182012_152951
Files\Folders moved on Reboot…
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.
PendingFileRenameOperations files…
Registry entries deleted on Reboot…
That’s it ;D … Any further problems ? Or shall we do the tidy up thing
system
November 18, 2012, 9:43pm
18
That's it. No "threat detected" messages, system appears to be running fine ;D.
Can't thank you & Pondus enough for taking the time to help me out. Couple of class acts!
That’s what we be here for ;D
Run AdwCleaner and press the uninstall button
Run OTL and press the cleanup button
Delete AswMBR from the desktop
All done
system
November 18, 2012, 9:54pm
20
Great! All done. Again, major thanks to you both. U2 really know your stuff. Can't thank you enough.