possible problem??

I have used AVAST for about 3 years & today started having an issue…

First got 3/3 messages that said “threat detected”, some Trojan threat. Ran a scan & found the virus & “moved it to chest” like it recommended.

Did the reboot with complete scan during boot-up & found two infected files there, deleted both. Now after start-up, I get 3/3 messages again saying “threat detected”?

Here's a pic of what the virus looked like:

http://i818.photobucket.com/albums/zz101/Riggs290731RCR/junk%20pics/tn-2.jpg

What should my next step be if I keep getting “message detected” pop-ups?

Here is a picture of the message when you click on the “threat detected” more info link.

http://i818.photobucket.com/albums/zz101/Riggs290731RCR/TTM%20autos/u.jpg

Any help is much appreciated.

Follow this guide and attach the logs… not copy and paste:
http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

You want me to post the result logs? Not sure how to attach an AdwCleaner notepad log.

Think that after running AdwCleaner & Malwarebytes’ Anti-Malware it may have fixed it? Since they have completed, no “threat detected” message?

Below the box you write in here… “Attachments and other options”.

You can copy and paste logs… but the OTL log must be attached bc of the size.

When done, a removal specialist will check them for any infections, and remove the infection(s) if he sees any.
He will also fix any minor problems he sees.

Here is the AdwCleaner log.

AdwCleaner v2.008 - Logfile created 11/18/2012 at 14:17:13

Updated 17/11/2012 by Xplode

Operating system : Windows Vista ™ Business Service Pack 2 (32 bits)

User : Ricky - RICKY-PC

Boot Mode : Normal

Running from : C:\Users\Ricky\Downloads\adwcleaner.exe

Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\Users\Ricky\AppData\Local\funmoods-speeddial.crx
Folder Deleted : C:\ProgramData\Anti-phishing Domain Advisor
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\Ricky\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpglkicenollcignonpgiafdgfeehoj

***** [Registry] *****

Key Deleted : HKCU\Software\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Anti-phishing Domain Advisor
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\SOFTWARE\Classes\AppID{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{23C70BCA-6E23-4A65-AD2E-1389062074F1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{23D8EEF7-0E13-4000-B9C4-6603C1E912D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{295CACB4-51F5-46FD-914E-C72BAAE1B672}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{2CE5C4B9-6DBE-4528-96FA-C9FF38EF1762}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{34C1FDF7-02C1-4F23-B393-F48B16E071D1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{54291324-7A3D-4F11-B707-3FB6A2C97BD9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{59C63F11-D4E5-46E7-9B8A-EE158DCA83A8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{5DA22CBD-0029-4A09-B757-CF0FAFC488ED}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{77A6E7D4-4A83-4A9B-A2A0-EF3B125DC29D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{C0585B2F-74D7-4734-88DE-6C150C5D4036}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{CA17D76B-F91D-4659-A7FD-A9F7ED375CDD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{D8242E89-2F81-484A-AE5B-BA8CAD5B7347}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{EF0588D6-1621-4A75-B8BE-F4BC34794136}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Anti-phishing Domain Advisor
Key Deleted : HKLM\Software\Tarma Installer
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Anti-phishing Domain Advisor]

***** [Internet Browsers] *****

-\ Internet Explorer v9.0.8112.16421

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzuyDtD0EyDyEzy0C0B0CyD0AtByDyE0CtAtN0D0Tzu0CtCzytAtN1L2XzutBtFtCtFtDtFtAtDtC&cr=547247914 → hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzuyDtD0EyDyEzy0C0B0CyD0AtByDyE0CtAtN0D0Tzu0CtCzytAtN1L2XzutBtFtCtFtDtFtAtDtC&cr=547247914 → hxxp://www.google.com

-\ Google Chrome v23.0.1271.64

File : C:\Users\Ricky\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.


AdwCleaner[S1].txt - [3942 octets] - [18/11/2012 14:17:13]

Forgot to save the log from the Malwarebytes’ Anti-Malware run. That had 30 files in red, all being “funmoods”, which has been deleted from my system for some time. Must be leftovers?
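As an added example (not from this thread, and not code from AdwCleaner's author): a small Python parser for the AdwCleaner log format posted above, which groups the "Deleted" actions by section and pulls out the two kinds of entry that explain alerts coming back after every reboot, autorun values and hijacked browser start pages. The log text inside it is a constructed, shortened excerpt modelled on the posted log, not the full log.

```python
import re
from collections import defaultdict

# Constructed, shortened excerpt modelled on the AdwCleaner v2.008 log posted above.
SAMPLE_LOG = r"""AdwCleaner v2.008 - Logfile created 11/18/2012 at 14:17:13
Option [Delete]
***** [Services] *****

***** [Files / Folders] *****
File Deleted : C:\Users\Ricky\AppData\Local\funmoods-speeddial.crx
Folder Deleted : C:\ProgramData\Anti-phishing Domain Advisor
***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Anti-phishing Domain Advisor]
***** [Internet Browsers] *****

-\ Internet Explorer v9.0.8112.16421
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1 → hxxp://www.google.com

[OK] File is clean.
"""

SECTION_RE = re.compile(r"^\*{5} \[(.+?)\] \*{5}$")            # ***** [Registry] *****
ACTION_RE = re.compile(r"^(File|Folder|Key|Value) Deleted : (.+)$")
REPLACED_RE = re.compile(r"^Replaced : \[(.+?)\] = (\S+) → (\S+)$")  # browser setting repairs

def parse_adwcleaner(text):
    """Group 'Deleted' actions by log section and collect 'Replaced' browser settings."""
    deleted, replaced, section = defaultdict(list), [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif (m := ACTION_RE.match(line)) and section:
            deleted[section].append((m.group(1), m.group(2)))   # (kind, path or key)
        elif m := REPLACED_RE.match(line):
            replaced.append(m.group(1, 2, 3))                   # (setting, old, new)
    return {"deleted": dict(deleted), "replaced": replaced}

def persistence_findings(parsed):
    """Entries that explain alerts returning after every boot: autorun values and hijacked start pages."""
    runs = [t for kind, t in parsed["deleted"].get("Registry", []) if kind == "Value" and "\\Run" in t]
    pages = [f"{key} was {old}" for key, old, _ in parsed["replaced"] if "Start Page" in key]
    return runs + pages
```

Sections with no entries (such as [Services] in this excerpt) simply do not appear in the result, so an empty dict means the tool found nothing to remove.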

The Malwarebytes log is saved inside Malwarebytes… you find it under the Logs tab on top when you open the program.

Anyway… OTL is the important log.

HERE YOU GO.

Since I did the last 3, I think the problem may be gone. Have yet to get a “threat detected” message? Thoughts? Think I'm in the clear?

Looking at the AdwCleaner log, I may see what your problem was:

Folder Deleted : C:\ProgramData\Anti-phishing Domain Advisor

Also, others had this:
http://forum.avast.com/index.php?topic=109840.0
http://forum.avast.com/index.php?topic=109795.0

Check back later to hear what the removal specialist has to say.

OK. Sounds good. Here's the last of it, the aswMBR log.

Thank you for your help. Really appreciate it.

Let me know if there is anything further I need to do…

This was the problem: Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Anti-phishing Domain Advisor

Checking the logs now.

OK, not a lot left for me to kill ;D Let me know of any further problems.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzuyDtD0EyDyEzy0C0B0CyD0AtByDyE0CtAtN0D0Tzu0CtCzytAtN1L2XzutBtFtCtFtDtFtAtDtC&cr=547247914
O4 - HKU\S-1-5-21-10632349-1777486396-4087371160-1000..\Run: [SPMTray] "C:\Program Files\PC Speed Maximizer\SPMTray.exe" File not found

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, reboot the PC when it is done.

You want me to run this & copy/paste the info in the “code: {select}” section, & put it into the “paste scripts here” part?

Yep, that will remove the last of the funmood stuff.

OK, got that done. Here is the log. Let me know what my next step will be or if I'm done. :)

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
Registry value HKEY_USERS\S-1-5-21-10632349-1777486396-4087371160-1000\Software\Microsoft\Windows\CurrentVersion\Run\SPMTray deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public

User: Ricky
->Temp folder emptied: 49956963 bytes
->Temporary Internet Files folder emptied: 41481812 bytes
->Java cache emptied: 43504 bytes
->Google Chrome cache emptied: 398850101 bytes
->Flash cache emptied: 69614 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 74367330 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 79086015 bytes

Total Files Cleaned = 614.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 11182012_152951

Files\Folders moved on Reboot…
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files…

Registry entries deleted on Reboot…

That’s it ;D … Any further problems? Or shall we do the tidy-up thing?

That's it. No “threat detected” messages; system appears to be running fine ;D.

Can't thank you & Pondus enough for taking the time to help me out. Couple of class acts! :)

That’s what we be here for ;D

Run AdwCleaner and press the uninstall button.
Run OTL and press the cleanup button.
Delete aswMBR from the desktop.

All done

Great! All done. Again, major thanks to you both. You two really know your stuff. Can't thank you enough.