Every 5 minutes, Avast pops up with a “threat detected” message. I get for of them for the following files and it says avast web shied has blocked a harmful webpage or file
brozblagram-c2.com/online/531
tragromest-c2.com/online/531
presscoto.pw/online/531
crownsix5.com/online/531
I qwill admit that I am a computer novice, so I do not even know where to begin to fix these issues. very annoying.
Any help would be appreciated.
Larry
Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0
Monitoring …
MBAM should target this by default. Before running any scanner, you may wanna take a look at installed programs (Control Panel > Programs and Features (Add or Remove on XP) and uninstall any newer installed toolbar, add-on or any other crapware.
In any case, FRST log shall tell me all what I need to know to locate the source, target the malware or PUP and fix the problem.
Ok. working on this issue. I wen to the program manager and unistalled some coupon programs. I am down to just two threats being detected.
tragromest-c2.com/online/531
presscoto.pw/online/531
Running MBAM right now and will attach log when complete.
Thanks for the help.
Attached is the FRST file.
I ran Malwarebytes and ended up deleting over 150 newly quarantined items. It will not provide a txt file. program becomes unresponsive wen I try to export one.
Appreciate the support.
Larry
I still would like to see the MBAM logreprot if possible. Click on the History tab > Application Logs. Double click on the Scan Log which shows the date and time of just performed scan.
.
I shall need the Addition.txt logfile created by FRST as well. If there is no Addition log near FRST tool, re run the tool, check box for Addition and post me the both freshly created FRST.txt and Addition.txt logfile.
Here is the addition file from FRST.
on malwarebytes…the application log page shows a scan log with yesterdays date, I double clicked on the scan log and the history log is blank, no data.
Even if I try to export a txt file, the application goes non responsive and closes.
Larry
Ok, let’s start …
First you need to remove one of current active AntiVirus program. You should use only one AV per system.
AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
Remove one of them from Control Panel. Then, run there uninstaller program to remove any possible leftovers. Uninstaller can be downloaded from here:
http://singularlabs.com/uninstallers/security-software/
Also you need to uninstall (try to uninstall) the following AdWare (PUP) programs;
BrowseMark
CouponXplorer Toolbar
MyPC Backup
Search Protection
Reboot the computer. Next …
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Start File: C:\Program Files (x86)\Memeo\AutoBackup\InstantBackup.exe File: C:\Windows\System32\browser.dll Hosts: HKLM\...\Run: [] => [X] AppInit_DLLs: C:\PROGRA~2\Linkey\IEEXTE~1\iedll64.dll => C:\PROGRA~2\Linkey\IEEXTE~1\iedll64.dll File Not Found GroupPolicy: Group Policy on Chrome detected <======= ATTENTION HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/ HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/ SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM - {69B38643-8C04-4B58-A328-1E9A27FDA35E} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = http://www.default-search.net/search?sid=492&aid=100&itype=n&ver=12283&tm=313&src=ds&p={searchTerms} SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM-x32 - {5a1d0d31-749c-4186-a295-4106e6e7b26a} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^AFA^xdm069^S05386^us&si=101497&ptb=6FF8DAA5-2393-4DB9-8CFA-1609B3609DC9&ind=2013042008&n=77fc9558&psa=&st=sb&searchfor={searchTerms} SearchScopes: HKLM-x32 - {69B38643-8C04-4B58-A328-1E9A27FDA35E} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = http://www.default-search.net/search?sid=492&aid=100&itype=n&ver=12283&tm=313&src=ds&p={searchTerms} SearchScopes: HKCU - {5a1d0d31-749c-4186-a295-4106e6e7b26a} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^AFA^xdm069^S05386^us&si=101497&ptb=6FF8DAA5-2393-4DB9-8CFA-1609B3609DC9&ind=2013042008&n=77fc9558&psa=&st=sb&searchfor={searchTerms} SearchScopes: HKCU - {5FA756CA-A401-42EA-8730-B3ADDDD4087C} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=cmi_14_15_ie&cd=2XzuyEtN2Y1L1QzutDtDtByCzy0EtB0BtD0FyEtDtDyEtByEtN0D0Tzu0SzztAtCtN1L2XzutBtFtBtDtFtCtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StAtD0B0CyDtA0ByEtG0Azz0F0DtGtA0B0C0BtGyB0AyD0EtGtByByC0EzyzytAtByD0ByB0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyDtB0EtDtB0F0F0DtGyE0EtC0FtG0DyDtA0CtG0E0EtBtDtGtBtBtA0F0ByByC0ByEtByCyE2Q&cr=684452925&ir= SearchScopes: HKCU - {69B38643-8C04-4B58-A328-1E9A27FDA35E} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpl SearchScopes: HKCU - {7AC0F117-4769-4CE3-9B40-26089FD00F4A} URL = http://websearch.shopathome.com?user_id={309EBF13-0F1B-4412-A4DD-A0208BC59914}&q={searchTerms} SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={1F398BBA-56A4-469E-8DB7-7DF7C8E76B7A}&mid=6691207b6e0347d195d9d16fd8cfe6b3-8459a2957ccb36721f2376145fee102d5f572792&lang=en&ds=AVG&pr=fr&d=2012-07-01 09:15:15&v=11.1.0.12&sap=dsp&q={searchTerms} SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2492} URL = http://www.default-search.net/search?sid=492&aid=100&itype=n&ver=12283&tm=313&src=ds&p={searchTerms} SearchScopes: HKCU - {B0960388-C8FF-45BF-AB34-AD90F44D84BE} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=kw&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=71B3B555-23A7-4091-9237-4AFE5213D6D0&apn_sauid=35726E10-41D1-41E8-8A95-398B946EDC25& SearchScopes: HKCU - {C04B7D22-5AEC-4561-8F49-27F6269208F6} URL = http://toolbar.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80269&lng=en BHO: No Name -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> No File BHO-x32: No Name -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> No File BHO-x32: No Name -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> No File Toolbar: HKLM - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} - No File Toolbar: HKLM-x32 - No Name - {ae07101b-46d4-4a98-af68-0333ea26e113} - No File Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File FF HKCU\...\Firefox\Extensions: [{C84E2F89-F883-97B9-5382-1226EEEAD045}] - C:\Program Files (x86)\BlockAndSurfS\173.xpi CHR HKLM-x32\...\Chrome\Extension: [cnpkmcjgpcihgfnkcjapiaabbbplkcmf] - C:\Program Files (x86)\Coupons.com CouponBar\chrome\Coupons.com.crx [2012-09-10] CHR HKLM-x32\...\Chrome\Extension: [jmfkcklnlgedgbglfkkgedjfmejoahla] - C:\Program Files (x86)\AVG\AVG2012\Chrome\safesearch.crx [2014-07-06] CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION S2 BackupStack; C:\Program Files (x86)\MyPC Backup\BackupStack.exe [36392 2014-03-14] (Just Develop It) U4 eabfiltr; Task: C:\Windows\Tasks\FF Watcher {98D39D0F-2F47-407A-9164-063935A95961}.job => C:\Program Files\V-bates\PrefHelper.exe <==== ATTENTION AlternateDataStreams: C:\Users\croucher\Documents\High Council Update, Assignments & Schedule.eml:OECustomProperty EmptyTemp: C:\Program Files\V-bates C:\Program Files (x86)\Mobogenie C:\Program Files (x86)\MyPC Backup C:\Users\croucher\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk C:\Program Files (x86)\BlockAndSurfS C:\Program Files (x86)\Coupons.com CouponBar C:\Program Files (x86)\AVG End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
.
Instructions how to disable avast:
• Right click on the avast! system tray icon (
http://www.mcshield.net/pg/images/avast5.png
) in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.
[i][size=7pt]- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
-If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
ComboFix shall also create addition log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.
As requested, I have attached the required logs.
Thanks for the continued support.
Larry
.
.
ESET Services repair tool will not start running when I attempt to “run as administrator”. A folder is created on my desktop, but it is empty. The prgram does not execute.
attached is the FSS file.
Thanks
Ok, now please run ComboFix again and post me the fresh ComboFix.txt logreport. Also, I would like to preform the additional ARK check…
.
Please download GMER, the AntiRootKit tool from the link below and save it to your Desktop:
Gmer download link
Note: file will be random named
Double-clicking to run GMER.
[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click [ Scan ] button and wait until the full scan is complete;
[*]Click [ Save … ] button - save the report to the Desktop (named ARK );
Please attach here Gmer’s (ARK.txt) logreports.
Attached are the files you requested.
Thanks
Hi,
Your system is clean for now. But we are not over yet. We need to preform the som e system repair …
Also, I would like to preform anather ARK scan.
ARK Scan::
Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
[i]For full instructions how MBAR works, read this article
> Doubleclick on the MBAR file (
http://www.mcshield.net/personal/magna86/Images/mbar.png
) and allow it to run.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click Next if you agree.
• On the Update Database screen, click on the Update button. Once you see ‘Success: Database was successfully updated’ click on Next
• Under Scan Targets ensure all boxes are ticked. Then click the Scan button.
Notice: with some infections, you may see two messages boxes:
>> If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.
>> If an infection/s are found ensure Create Restore Point are ticked. Then select the "Cleanup! button to remove threats.
• The clean up procedure will be scheduled for process, pop-up will be shown.
Select the Yes button and the system should re-boot to complete the cleaning process.
>> Notice: only if an RootKit are detected, ensure to run fixdamage.exe tool located in mbar folder, \Plugins\fixdamage.exe
> The following reports will be created in mbar folder:
Please post both logs in your next reply.
Repair::
1. Please download Windows Repair (all in one) from here:
http://www.tweaking.com/content/page/windows_repair_all_in_one.html
[*] Install the program then run.
[*] Go to Step 2 and allow it to run Disk check
[*] Once that is done then go to Step 3 and allow it to run SFC
[*] Restart may be needed to finish the repair procedure.
Well…i completed these task and had the mbar files for upload. I rebooted my computer and now i have another problem.
When it reboots…i only get a black screen with a cursor…nothing else. I tried starting in both normal and safe modes. Windows will not start.
Frustrating to say the least.
Larry
Your system has already been damaged. That seems to be unavoidably when will it happen…
We shall try fix it …
Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.
[*]Plug the flashdrive into the infected PC.
[*]Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer
[*]Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.
In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
[*] In the command window type in notepad and press Enter.
[*] When notepad opens, click File and select Open.
[*]Select “Computer” and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst64.exe and press Enter.
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.
Here you go…as requested.
Larry
Tell me will this fix your boot problem?
Open notepad.
[*]Click Start
[*] Type notepad.exe in the search programs and files box and click Enter.
[] A blank Notepad page should open.
[] Copy/Paste the contents of the code box below into Notepad.
LastRegBack: 2014-08-18 16:55
[*] Save it to your USB flashdrive as fixlist.txt
Boot into Recovery Environment
Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens …
[*] Press the Fix button once and wait.
[*] FRST will process fixlist.txt
[*] When finished, it will produce a log fixlog.txt on your USB flashdrive.
Exit out of Recovery Environment and post me the log please.
Here you go. Hope I am doing this right. I am such a novice. Actually went shopping for new computer today just in case this goes bad…but I do not want to give up yet.
thanks. I continue to appreciate the support.
LARRY
So, are you able to boot in normal mode now?
Btw, you do not need to bay a new computer. In worst case, you just need to find someone to format the C:\ and install the fresh Windows OS.