Unidentified Threat Secured by Malwarebytes

So I got this annoying virus which replaces/modifies Chrome and opens it on every start up. Rough details are that it creates a registry file and supposedly encrypts files and folders and leaves a ransomware note. I didn’t find the note, nor any encrypted files but I’ve attached the report from Malwarebytes if that is any help. The only thing I found manually was a registry edit that was similar to “GoogleChromeAutoLaunch_RANDOMSTRINGOFCHARACTERS” and was located in “Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run”.

It seems similar to: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_erebus.a which appears well documented online so I am surprised that Avast didn’t pick up on this… even full boot time scan plus the extended definitions didn’t detect anything.

I am surprised that Avast didn't pick up on this... even full boot time scan plus the extended definitions didn't detect anything.
No security program has 100% detection or zero false positives. Boot scan does not give better detection; it is a specialized tool to run if you have problems removing an infection.

If you want help, follow instructions here >> https://forum.avast.com/index.php?topic=194892.0
Since you already ran MBAM, go to step 2 and attach the two FRST diagnostic logs.

Thanks for the reply.

Thankfully, despite your apparent assumptions, I’m not a complete moron and I am very aware that not every anti-virus is going to be 100% accurate nor will it detect 100% of infections. Also, my reason for running boot time scan was also to see if it picked up any issues that had already run and were hidden by the time Windows had started, and that the normal scans may therefore not pick up. It can safely be assumed that the “additional boot-time definitions” that can optionally be downloaded when scheduling the scan will find more infections than a normal scan without those definitions.

The reason that I was surprised that Avast didn’t pick up on the definitions is in fact because it is well documented online, including removal, and is picked up by around 15 other listed anti-virus programs. Judging by other sites’ reports, it isn’t a new infection either. This would lead me to believe it is a fairly common virus and not something that I’d expect paid security software such as Avast to miss, while a free program does.

I’ve attached both files requested. Perhaps in the future you could just start by suggesting I upload those files rather than telling people that antivirus software isn’t 100% accurate and insulting their intelligence. I’m trying to help other Avast users so perhaps a “thanks for notifying people of this” or something similar?

It can safely be assumed that the "additional boot-time definitions" that can optionally be downloaded when scheduling the scan will find more infections than a normal scan without those definitions.
Hmmm, I could start a long debate here, but since that would not relate to your case I won't. Since I don't know you I have no idea how intelligent you are, and you would be surprised how many think an AV will detect everything and are surprised when it doesn't.

Anyway, I have notified the malware expert; it may take several hours before he is online.

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
    HKU\S-1-5-21-3518445708-2507918660-871776769-1001\...\Run: [GoogleChromeAutoLaunch_5FF6AB00BBDE35186384B8065B61D2BF] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [1592664 2017-12-06] (Google Inc.)
    CHR HomePage: Default -> hxxp://search.conduit.com/?ctid=CT3325594&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SP4146E988-CD8F-491B-A760-C3B222108CC3&SSPV=
    CHR HKLM-x32\...\Chrome\Extension: [fabhkdeopjkcpkmofliimbjckmocfiom] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [kpdmjodecdegfglgaapafjleomjjlpnh] - hxxps://clients2.google.com/service/update2/crx

  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open again FRST and click on button Fix
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

The only threats that were detected by MBAM were PUPs. Yontoo is also classified as a PUP by most AV programs.

Avast by default doesn’t detect PUPs. So you need to enable it this way:
Open Avast -> Settings -> Under “General” option -> Check the box that says “Scan for potentially unwanted programs (PUPs)” -> Click OK to save the settings.
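As an added example (not part of the thread and not an Avast or FRST tool), the following read-only PowerShell check reports the two kinds of entries the fixlist above removes: a Run value named GoogleChromeAutoLaunch_<32 hex characters> and Chrome extensions installed through HKLM. It assumes the FRST lines "CHR HKLM-x32\...\Chrome\Extension" correspond to HKLM\Software\Wow6432Node\Google\Chrome\Extensions, and nothing is deleted; review the output and then clean up with FRST as instructed.

```powershell
# Added example, not from the forum thread. Read-only: reports, does not remove.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Assumed registry locations behind FRST's "CHR HKLM-x32\...\Chrome\Extension" lines
$extKeys = @(
    'HKLM:\Software\Google\Chrome\Extensions',
    'HKLM:\Software\Wow6432Node\Google\Chrome\Extensions'
)
# Extension IDs taken from the FRST log quoted in this thread
$knownIds = @('fabhkdeopjkcpkmofliimbjckmocfiom', 'kpdmjodecdegfglgaapafjleomjjlpnh')

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        # The thread's indicator: GoogleChromeAutoLaunch_ followed by 32 hex characters
        if ($p.Name -match '^GoogleChromeAutoLaunch_[0-9A-Fa-f]{32}$') {
            $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Detail = $p.Value }
        }
    }
}

foreach ($key in $extKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem -Path $key | ForEach-Object {
        $id = $_.PSChildName
        # Chrome external-extension entries carry an update_url (or a local path) value
        $update = (Get-ItemProperty -Path $_.PSPath).update_url
        $tag = if ($knownIds -contains $id) { 'matches FRST log' } else { 'review manually' }
        $findings += [pscustomobject]@{ Location = $key; Name = $id; Detail = "$update ($tag)" }
    }
}

if ($findings.Count -eq 0) {
    'No matching autostart or HKLM Chrome extension entries found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell window so the HKLM keys are readable; any extension listed under HKLM that you did not install yourself deserves a look even if its ID differs from the two in this thread.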