Recurring issue with malware, keeps getting blocked by web shield

system · 2015-06-07T06:05:22.000Z

Hi Everyone,

I keep getting web shield pop-ups saying that it blocked a web page. In the past week my AVAST got blocked twice by the “group policy” error. I managed to get it started but it seems the problem is not going away and is likely to cause problems again.

I have attached a recent MBAM log, FRST logs and aswMR log as well.

Please help me find a permanent solution to this problem.

essexboy · 2015-06-07T09:23:13.000Z

Let me know of any problems after this

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: Winlogon\Notify\irnhsmk: C:\Users\Rahul Sheth\AppData\Local\irnhsmk.dll [2015-06-03] () HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION HKU\S-1-5-21-1844396264-1116966037-281102721-1001\...\Run: [MicrosoftUpdate] => C:\Users\Rahul Sheth\AppData\Roaming\ChromeUpdate\GoogleUpdate.exe HKU\S-1-5-21-1844396264-1116966037-281102721-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks! Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2014-08-16] ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.8.150\SSScheduler.exe (McAfee, Inc.) GroupPolicy: Group Policy on Chrome detected <======= ATTENTION CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION HKU\S-1-5-21-1844396264-1116966037-281102721-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION URLSearchHook: HKLM-x32 - (No Name) - {7aeb3efd-e564-43f1-b658-5058a7c5743b} - No File BHO-x32: No Name -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> No File BHO-x32: No Name -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> No File Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File Toolbar: HKU\S-1-5-21-1844396264-1116966037-281102721-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File 2015-06-03 01:59 - 2015-06-03 07:29 - 00000000 ____H C:\ProgramData\@system.temp 2015-06-03 01:59 - 2015-06-03 01:59 - 00000368 ____H C:\ProgramData\@system3.att 2015-06-03 01:54 - 2015-06-03 08:03 - 00000000 ____D C:\Users\Rahul Sheth\AppData\Roaming\ChromeUpdate CustomCLSID: HKU\S-1-5-21-1844396264-1116966037-281102721-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks? Task: {6CAB088B-7A9B-4637-8B9A-F730E69FE87E} - System32\Tasks\TuneUpMedic_scan_schedule_task_619912cc-5f8b-4c60-9973-f64aa11d6650 => C:\Program Files (x86)\TuneUpMedic\TuneUpMedic.exe <==== ATTENTION Task: C:\windows\Tasks\TuneUpMedic_scan_schedule_task_619912cc-5f8b-4c60-9973-f64aa11d6650.job => C:\Program Files (x86)\TuneUpMedic\TuneUpMedic.exe <==== ATTENTION C:\Program Files (x86)\TuneUpMedic 2015-06-03 01:54 - 2015-06-03 01:54 - 00000480 ____H C:\Users\Rahul Sheth\AppData\Roaming\麽鎒駓覜 C:\Users\Rahul Sheth\AppData\Roaming\ChromeUpdate C:\Users\Rahul Sheth\AppData\Local\irnhsmk.dll Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f RemoveProxy: EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S0].txt as well.

system · 2015-06-07T09:59:41.000Z

Hi,

Thanks for the code and instructions. Attached are the Fixlog and adwcleaner log files. How does it look?

essexboy · 2015-06-07T10:57:43.000Z

Are the alerts still present ? If so could you attach a screenshot of the Avast popup

system · 2015-06-09T02:05:43.000Z

Hi,

The alerts are gone now. Seems like you solved the problem. Thanks!!!

essexboy · 2015-06-09T08:57:08.000Z

Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe

Announcements