Threats detected (from svchost?)

Hi,

I seem to be getting a regular occurrence of ‘threats detected’…

I have attached the logs.

Unfortunately I couldn’t run aswMBR.exe as all I got was ‘threat detected’ and it doesn’t run.

thanks.

Stuart.

Let me know if the alerts still occur after this

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-382737026-2727596878-3765197734-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
CHR HKU\S-1-5-21-382737026-2727596878-3765197734-1000\...\Chrome\Extension: [apdfllckaahabafndbhieahigkjlhalf] - C:\Users\Stuart\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [Not Found]
CHR HKU\S-1-5-21-382737026-2727596878-3765197734-1000\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
2014-12-16 21:58 - 2014-12-16 21:58 - 00000000 ____D () C:\Users\Stuart\AppData\Local\{AE29DD41-5350-4831-A8E6-4CEFAB523703}
Task: {9A72972C-4268-4EED-AA03-B2F495E80164} - System32\Tasks\{7145A162-97B2-4E2A-A262-2679AC02A797} => pcalua.exe -a D:\install.exe -d D:\
C:\Users\Stuart\webphonecfgb.dat
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.
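Added example (not part of the original thread or of FRST/AdwCleaner): a PowerShell re-check of the persistence points the fixlist above targets, so the reader can confirm the fix took and spot anything that re-creates them. It assumes an elevated PowerShell 3+ session on a Windows 8 or later machine (Get-ScheduledTask and Get-BitsTransfer -AllUsers both need that), and it assumes the per-user Chrome extension registry key uses a "path" value as FRST reports it; the two file paths and the GUID folder are the ones named in the fixlist for this specific machine.

```powershell
# Added example: verify the persistence points the FRST fixlist removed.
# Run from an elevated PowerShell prompt. Assumes PowerShell 3+ / Windows 8+.

# 1. Scheduled tasks whose action runs through pcalua.exe (the Program Compatibility
#    Assistant launcher). The fixlist removed a task using it to start D:\install.exe;
#    "pcalua.exe -a <target>" makes the task action look like a Windows binary.
Write-Host "== Scheduled tasks launching via pcalua.exe =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -match 'pcalua\.exe') {
            [PSCustomObject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
} | Format-Table -AutoSize

# 2. DefaultScope under SearchScopes for every loaded user hive (HKU\S-1-5-19, -20,
#    -21-... in the fixlist). Report the scope GUID and the URL it points at.
Write-Host "== Internet Explorer SearchScopes DefaultScope per user hive =="
Get-ChildItem Registry::HKEY_USERS | ForEach-Object {
    $hive = $_.PSChildName
    $key  = "Registry::HKEY_USERS\$hive\Software\Microsoft\Internet Explorer\SearchScopes"
    if (Test-Path $key) {
        $scope = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DefaultScope
        if ($scope) {
            $url = (Get-ItemProperty -Path "$key\$scope" -ErrorAction SilentlyContinue).URL
            [PSCustomObject]@{ Hive = $hive; DefaultScope = $scope; URL = $url }
        }
    }
} | Format-Table -AutoSize

# 3. Per-user Chrome extension registrations (the CHR HKU lines). An entry whose
#    "path" value is empty or points at a missing .crx is what FRST listed as
#    "No Path" / "[Not Found]". Assumption: the value is named "path" as FRST reports.
Write-Host "== Chrome extension registry entries with missing .crx =="
Get-ChildItem Registry::HKEY_USERS | ForEach-Object {
    $hive = $_.PSChildName
    $key  = "Registry::HKEY_USERS\$hive\Software\Google\Chrome\Extensions"
    if (Test-Path $key) {
        Get-ChildItem $key | ForEach-Object {
            $crx = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).path
            if (-not $crx -or -not (Test-Path $crx)) {
                [PSCustomObject]@{ Hive = $hive; ExtensionId = $_.PSChildName; Path = $crx }
            }
        }
    }
} | Format-Table -AutoSize

# 4. The machine-specific file and folder the fixlist deleted; they should be gone.
Write-Host "== Files/folders named in the fixlist =="
@(
    'C:\Users\Stuart\webphonecfgb.dat',
    'C:\Users\Stuart\AppData\Local\{AE29DD41-5350-4831-A8E6-4CEFAB523703}'
) | ForEach-Object {
    [PSCustomObject]@{ Path = $_; StillPresent = (Test-Path $_) }
} | Format-Table -AutoSize

# 5. BITS jobs for all users. "bitsadmin /reset /allusers" in the fixlist cancels them;
#    a download job that reappears afterwards is worth chasing.
Write-Host "== BITS jobs (all users) =="
Import-Module BitsTransfer
Get-BitsTransfer -AllUsers | Select-Object DisplayName, JobState, FileList | Format-List
```

Run it once after the FRST fix and again after the next alert; a task, scope, extension or BITS job that is back in the second run tells you what is re-creating it is still on the machine.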

Thanks for the quick reply!

The script did exit with an error - I’ve attached the log.

So far so good though, I haven’t seen the ‘threat detected’ again yet.

If all is well tomorrow let me know and I will tidy up

Hi again,

It came back :(

I still have the same behaviour now as before…

Could you run a fresh FRST scan for me please

Sure. Here it is.

and a screen shot of the error. (I think it’s trying to connect to the same IP as before, but the rest of the text just changes as to what I was doing at the time…)

OK time for a bigger hammer

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Ok, avast & spybot & defender all disabled and then combofix was run, followed by a reboot.

Logfile attached.

Could you let me know if they stop after this

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
C:\Users\Stuart\AppData\Local\EmieUserList
C:\Users\Stuart\AppData\Local\EmieSiteList
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

Thanks, I ran that.

Looking at the log file, it doesn’t look like it did anything(?)

The alerts are still appearing?

This will generate a Zip file which I will need. Could you upload it to a file sharing site or dropbox for me to collect

Download AVZ tool from here to your desktop
Unzip all files to a folder on your desktop
Open the folder and double click the AVZ icon
https://dl.dropboxusercontent.com/u/73555776/avz.JPG

When the tool opens select “File” > “Standard scripts”

https://dl.dropboxusercontent.com/u/73555776/avz1.jpg

Place a tick in :

3. Advanced System Analysis with malware removal mode enabled
5. Update signature database

Then press “Execute selected scripts”

https://dl.dropboxusercontent.com/u/73555776/avz2.JPG

There will be several warnings, OK them all and the system will reboot on completion of the analysis

After the reboot look in the folder AVZ4 on your desktop
Open the LOG folder
Attach KL_syscure.zip to your next post

https://dl.dropboxusercontent.com/u/73555776/vz3.JPG