Pups computer infected by adware and not detected by avast

I am working on my aunt's computer, which is slow due to adware and PUPs. A custom scan found 26 infected files, which were moved to the chest, but I also found the following programs installed: Baidu 2014, Baidu PC Faster, a fake Adobe Flash Player installer, a fake AV that was not detected (Activeris Antimalware), and the browser start page changed to Hao123.

Not detected by avast:

Win32:Adware.Win32.PriceMeter

https://www.virustotal.com/en/file/8d2e4efcadb731f2d7792a60b8a68940abe16ce6fe04e79c1162b36379d58589/analysis/1416507784/

Adware.Agent.NYA

https://www.virustotal.com/en/file/b76ccebbaa253ab8e144cfe891cef5985535eb7a5e6d10701c0f54d6019b2b29/analysis/1414695944/

MSIL/AdvancedSystemProtector

https://www.virustotal.com/en/file/c4da288b94bb7f7af46e2b71df16b2b7287a6f0047987bced0ff9aef213ae2aa/analysis/1422062054/

Sent for analysis; I will then resume the cleaning procedures.

Attached the logs below:
Malwarebytes, Additions.txt, aswMBR.

thanks

Hola, first could you uninstall the following programmes before running the FRST fix:

AVG 2013
Baidu Antivirus
Baidu PC Faster
FastAgain PC Booster
MediaPlayer+
NewTabs Uninstall
Norton Security Scan
Software Plate
SpeedUpMyPC
Sweet Page
WPM18.8.0.304

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Download the attached fixlist.txt to the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean".
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

FINALLY

Could you run a fresh FRST scan to ensure that I have missed nothing.

Hi

Norton Security Scan: I tried the Control Panel, which does not work, so I used Revo Uninstaller to uninstall it. Attached fixlog and AdwCleaner[S0].txt.

How is the computer behaving now, any problems ?

The performance is normal.
I get an error during OS:
It is not possible to load file or assembly 'sorttbls.npl' or one of its dependencies. The system cannot find the file specified.

"C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe" Restart

I found the behaviour of a possible Trojan in this file: the icon has changed but the location is the same.

C:\Users\AppData\Local\Google\Chrome\Application

See attached.

Let's have a fresh FRST scan to see if I can locate that problem. You may need to re-install ATI Catalyst (I think).

Ok, I couldn’t resist this one:

The performance is normal.
The user is not ;D

This computer is not mine, so I found unnecessary programs and games here that make the computer slow. :slight_smile:

Here is the new FRST.

The proxy setting has come back; could you go to Internet Options after this fix and check that the proxy has gone.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open Notepad and copy/paste the text in the quote box below into it:

CreateRestorePoint:
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:49929;https=127.0.0.1:49929
2015-01-30 15:51 - 2014-05-12 11:34 - 00000000 ____D () C:\Users\victoria\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ragnarok
2015-01-30 15:07 - 2014-05-12 11:39 - 00000000 ____D () C:\Users\Todos os Usuários\Baidu Security
2015-01-30 15:07 - 2014-05-12 11:39 - 00000000 ____D () C:\ProgramData\Baidu Security
2015-01-30 14:59 - 2014-06-14 18:35 - 00000000 ____D () C:\Users\Public\Documents\Baidu Security
2015-01-30 14:58 - 2014-06-14 18:36 - 00000000 ____D () C:\Users\victoria\AppData\Roaming\Baidu Security
2012-12-15 10:16 - 2012-12-15 10:15 - 0150889 _____ () C:\Users\victoria\AppData\Local\speeddial.crx
2015-01-28 16:01 - 2015-01-28 16:01 - 00016262 ____H () C:\Windows\SysWOW64\binary_prog_stub
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
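The proxy check requested above can be done from a prompt rather than through Internet Options, and it catches the case the fixlist targets: a proxy that sits in a hive other than the one the logged-in user sees (here .DEFAULT). The script below is an added example, not part of the thread or of FRST; it walks every loaded hive under HKEY_USERS, reads the WinINET proxy values, and flags a proxy pointing at the loopback adapter (the 127.0.0.1:49929 pattern in the fix). The -Clear switch and the Suspicious column are my own conventions. Run it in an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: audit WinINET proxy settings in every
# loaded user hive (including .DEFAULT) and flag loopback proxies.
# Read-only unless -Clear is passed.
param([switch]$Clear)

$relPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# HKU is not mapped as a PSDrive by default; map it so all hives can be walked.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$results = foreach ($hive in Get-ChildItem HKU:\) {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes') { continue }        # per-user Classes hives carry no proxy keys
    $key = "HKU:\$sid\$relPath"
    if (-not (Test-Path $key)) { continue }

    $p       = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $enabled = [int]$p.ProxyEnable                   # $null becomes 0
    $server  = [string]$p.ProxyServer                # "host:port" or "http=...;https=..."
    $autocfg = [string]$p.AutoConfigURL              # PAC script, if any

    # A proxy on the loopback adapter means a local process is intercepting
    # browser traffic, which is the classic ad-injection setup.
    $loopback = $server -match '(^|=|;)(127\.0\.0\.1|localhost)(:\d+)?'

    [pscustomobject]@{
        Hive          = $sid
        ProxyEnable   = $enabled
        ProxyServer   = $server
        AutoConfigURL = $autocfg
        Suspicious    = ($enabled -eq 1 -and $loopback)
        Key           = $key
    }
}

$results | Format-Table -AutoSize

if ($Clear) {
    foreach ($r in ($results | Where-Object Suspicious)) {
        Set-ItemProperty    -Path $r.Key -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $r.Key -Name ProxyServer -ErrorAction SilentlyContinue
        Write-Host "Cleared loopback proxy in $($r.Hive)"
    }
}

# The machine-wide WinHTTP proxy is stored separately; review it as well:
netsh winhttp show proxy
```

Only hives that are currently loaded appear under HKEY_USERS, so run the script while the affected account is logged on, or load its NTUSER.DAT with reg load first. A non-empty AutoConfigURL is listed but not flagged, because the poster's network uses automatic detection with an authenticating server, and a PAC URL can be legitimate there; review it by hand.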

The computer is currently using Wi-Fi, and this is set to automatically detect the Internet Explorer settings; there is an authentication server with login and password, and dial-up and broadband in the configuration, but I do not know the password. While downloading the driver there was a BSOD (blue screen) and I had to go back to a previous restore point.

Was this the ATI driver?

Yes. The driver is outdated; I used this program to auto-detect and install the appropriate version, but the installer failed (corrupted), so I decided to download the most current one. The process was OK, but while trying to install it, the blue screen came.

http://support.amd.com/en-us/download/mobile?os=Windows+7+-+64

I use SlimDrivers (do a custom install of this programme).

Download SlimDrivers to your desktop.
Install the programme and on completion run it.
On the first page select Start Scan.

https://dl.dropboxusercontent.com/u/73555776/slimdriver.JPG

Once it has completed, click the download link on the right hand side (you can only download one driver at a time).

https://dl.dropboxusercontent.com/u/73555776/slimdriverscan.JPG

Allow the creation of a restore point prior to downloading and installing.
The driver will now be downloaded and backed up for safety. A reboot will be required on completion.

Repeat as required for the necessary drivers.

The first driver was blocked, after the creation of the restore point, by the avast WebShield as FileRepSnxClass; I had to disable avast to be able to install it. We found 6 outdated drivers. Unfortunately it did not work with the AMD SATA controller driver: it gave a blue screen while applying the update, the computer restarted, a boot repair window appeared, and I had to do this repair and restore a previous System Restore point.
With the Realtek PCIe family controller driver I was able to install normally.

http://i.imgur.com/yJXORAg.png

http://i.imgur.com/Nl24Mnq.png

Many false positives; since it has been deleted, the file is moved to the chest.

I compressed the ragnarok.lnk file within the folder; it confirms what I said, it really is a threat. Only Kaspersky detected it yesterday, as HEUR:Trojan.WinLNK.StartPage.gena,
and I see that today another antivirus was added.
I will send this threat to be analyzed.
I did a scan with the Kaspersky Virus Removal Tool and return the results.

https://www.virustotal.com/en/file/75da357d38898e4dc1bcb8b78c98cabe0b2a18bec4c3a9829c33f449b553d666/analysis/1422905433/

Trojan-FakeAV.Win32.Agent

https://www.virustotal.com/en/file/a805ed5668e79cbc71454631b2483ada34cc1fe98453adde247c0028c7212577/analysis/1422906518/

See attached.
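The detection name in the post above (Trojan.WinLNK.StartPage) describes a shortcut whose target is a real browser but whose arguments carry a URL, so every launch opens the hijacker's page even after the browser's own start page has been reset; the shortcut is not executable code, which is why file-scanning AV engines mostly ignore it. The script below is an added example, not from the thread or from any of the tools it mentions; it parses the .lnk files in the usual shortcut locations with the WScript.Shell COM object (which reads the shortcut without launching it) and lists browser shortcuts that carry arguments, plus shortcuts whose target is a script or a temp-path file. The folder list and the regexes are my assumptions about where such hijacks land.

```powershell
# Added example, not from the thread: find start-page hijack shortcuts, i.e.
# .lnk files that launch a browser with a URL or script in their arguments.
# Read-only; prints a table for manual review.
$browserExe = 'chrome\.exe|firefox\.exe|iexplore\.exe|opera\.exe|msedge\.exe'

# Assumed drop locations for rewritten shortcuts (Desktop, Start Menu, Quick Launch).
$roots = @(
    "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:PUBLIC\Desktop",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
) | Where-Object { Test-Path $_ }

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($root in $roots) {
    $lnks = Get-ChildItem -Path $root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue
    foreach ($lnk in $lnks) {
        # CreateShortcut on an existing .lnk parses it; nothing is executed.
        $sc        = $shell.CreateShortcut($lnk.FullName)
        $target    = [string]$sc.TargetPath
        $arguments = [string]$sc.Arguments          # avoid $args, a PowerShell automatic variable

        $isBrowser = $target -match $browserExe
        # A clean browser shortcut has no arguments; a URL, --app=, or a dropped
        # extension/script path in Arguments is the hijack signature.
        $urlArgs   = $arguments -match '(https?://|www\.|--app=|\.crx|\.bat|\.vbs|\.hta)'
        # Shortcuts that point at a script, or at something in the user's temp folder.
        $oddTarget = ($target -match '\.(bat|cmd|vbs|js|hta)$') -or ($target -match '\\AppData\\Local\\Temp\\')

        if (($isBrowser -and $arguments) -or $oddTarget) {
            if ($isBrowser -and $urlArgs) { $reason = 'browser launched with URL/script argument' }
            elseif ($isBrowser)           { $reason = 'browser with unexpected arguments' }
            else                          { $reason = 'script or temp-path target' }
            [pscustomobject]@{
                Shortcut  = $lnk.FullName
                Target    = $target
                Arguments = $arguments
                Reason    = $reason
            }
        }
    }
}

if ($findings) { $findings | Format-Table -Wrap -AutoSize } else { 'No suspicious shortcuts found.' }
```

Chrome "app" shortcuts and profile-specific shortcuts legitimately carry --profile-directory or --app= arguments, so treat the table as a review list rather than a verdict; the fix for a confirmed hijack is simply to delete the shortcut and recreate it from the browser's own executable.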

AdwCleaner normally gets that file as a matter of course

What problems are apparent now?

The scan found this file located at C:\Windows\system32\Roboot64.exe.
It was also found in the FRST quarantine, and by AdwCleaner elsewhere.

Hmm, intriguing.

Could you run a fresh FRST and I will check that nothing was left over to regenerate that.

OK, here is the new scan:
FRST.

That looks OK. What error do you get when you try to download?