Virus "symptoms" still present after removal

Hello!

My husband was getting virus detected messages when he tried to download files. During a boot scan of his laptop, Avast (free version 2014, just installed yesterday-- I had to put it on via flash drive from my pc since I couldn’t download it) found PUP:win32:installer-L, a virus that prevents downloads. I chose option 2, “fix all automatically.” Nothing else was detected and the scan completed. I looked at the log and saw that it was successfully moved to chest.

Afterwards, I tried to download an exe file to test it, and I couldn’t download the file. I received an error message because of a virus detected. I ran another boot scan, which came up clean.

Is there some sort of patch or fix for this? There must be something still hanging around from the installer-L. Any ideas of what to do, if not?

PS–I hope this post is not a duplicate. I had a problem the first time–didn’t realize I had to verify again before posting. Then when I did, it said the message was posted… but it wasn’t… ???

Thanks,
JB

PUP:win32:installer-L
PUP = not virus / Possible Unwanted Program usually adware/toolbar browser crap you get when downloading free software

if you want a check…

follow instructions and attach logs (not copy and paste) http://forum.avast.com/index.php?topic=53253.0

we need Malwarebytes / OTL Logs

I had to put it on via flash drive from my pc since I couldn't download it
If you use lots of removable drives among many computers, I recommend installing this.....

MCShield USB protector www.mcshield.net

Thanks Pondus.

Ok, so I stand corrected on PUP vs. virus. Sorry! I thought since the program was preventing me from doing something it was automatically a virus!

I will have to do the same thing with Malwarebytes, e.g., download it to a flash drive in order to install it on his machine, though I’m not sure it will be able to update. I hope so!

And, I see that I need to post the results of everything in a different topic area. I’ll work on that in the next day or two, including running a scan with Malwarebytes. Perhaps that will solve the issue and I won’t need to do all the rest (she said, hopefully)…

Janet B

And, I see that I need to post the results of everything in a different topic area. I'll work on that in the next day or two, including running a scan with Malwarebytes. Perhaps that will solve the issue and I won't need to do all the rest (she said, hopefully)....
Since you have already started this topic here, you can attach those logs here..... and you should also attach the OTL log after you have run Malwarebytes, as there may be additional files that need removal ... the removal expert will see this from that log.

Hello-

I replied to this today (Feb 2) but keep getting error messages. This is my last try in this thread.

I’ve done the malwarebytes scan and have attached it. Now working on OTL.

JB

Hi, when you have run the OTL scan, here are the instructions for MCShield:

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan

Then get the log which will be here :

Start > all programs > MCShield > logs > all scans

And post that

I’m running OTL now. But I’m not sure why I need McShield at this time?

We don’t use flash drives in general, with this laptop. The only reason I’ve used one recently is to be able to download the necessary Malwarebytes and OTL exe files to my flash drive so that I can copy them to the laptop to run them. You’re probably thinking: “well how does he do backups.” Well… that particular “he” is very lax on this sort of thing, despite constant nagging!!!

Right now I cannot download any file on to that laptop!!! >:(

My understanding is that MCShield is to check the flash drive, correct?

It doesn’t seem like I need that yet–unless I’ve misunderstood what it does.

JB

Then get the log which will be here :

Start > all programs > MCShield > logs > all scans

And post that


Or … use the new Log button on left side of MCShield :wink:

It doesn't seem like I need that yet--unless I've misunderstood what it does.
Essexboy usually has good reasons .....

No problem there! I just like to understand what I’m putting on my machine and why, before I do it.

Thanks again-
JB

Trust Essexboy…he is an expert…do a search on him if you want…not just here but on other forums.
He has saved me in the past several times…in fact folks try to get his time on items…he is a busy guy. :slight_smile:

Pondus, don’t want to hijack this thread but very curious about this “MCShield”.
How well does it work ?
Does Avast not cover me with connecting USB drives ?
Does it play well with Avast ?
I also have MBAM Pro (active protection) on…does it play well with Avast + MBAM Pro ?

Thx.

…UPDATE…
Never mind…I answered my own question…did not realize MCShield was by McAfee…I would never use their products…complete garbage stuff. Tons of threads out there on problems with MCShield and I understand why now…McAfee
https://forums.malwarebytes.org/index.php?showtopic=94224
I’ll stick with Avast + MBAM Pro + CryptoPrevent…I know everyone has their own experience and beauty is in eye of beholder thing. I would have deleted this post but cannot find that option…do not want to de-rail thread…I apologize.

It is not by McAfee. It is a Serb group specialized in security. Two of its contributors lend their time here at the virus and worms forum, argus and magna86. Many of us have adopted the use of this application because of its usefulness and detection of worms and other kinds of malware related to USB flash devices, to complement avast!
http://www.mcshield.net/
http://www.mycity.rs/

Thx for clarifying…I see you also use MBAM Pro…with active protection ?
Any conflicts with MCShield ?
…also, guess MBAM does not cover the same as MCShield ?
…perhaps I should start own thread on subject…hate to hijack this one.

Hello,

I ran OTL. I configured the settings as per the example, as far as I can tell, and only one file was generated, not two. When the scan finished, only OTL.txt was open on my screen. No sign of OTL extras. I searched the computer for OTL*.* and only found the exe and the txt file, which is attached.

Please advise, before I go to the next download required.

FYI, the link to MCShield in this thread referenced within this link (posted in Pondus’s reply on Dec 23) http://forum.avast.com/index.php?topic=53253.0 gives a 404.
Likewise for the one posted by Essexboy.

For reference:
The requested URL /downloads.html was not found on this server.

Apache/2.2.16 (Debian) Server at www.mcshield.net Port 80

I’ll try tomorrow.

JB

Here is the last file you asked me to attach (other than MCShield, which can’t be done at the moment).

I await your review and any further instructions.

Thanks so much.

Janet B.

OK, I believe I can see the problem. I will also attach the OTL fix as a text file in case you are unable to copy it on the sick system.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
SRV - [2014/01/14 21:04:29 | 001,771,544 | ---- | M] (AVG Secure Search) [Auto | Running] -- C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe -- (vToolbarUpdater17.3.0)
SRV - [2013/09/06 12:29:38 | 000,235,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe -- (McComponentHostService)
DRV - [2013/11/20 15:43:41 | 000,037,664 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtpx86.sys -- (avgtp)
IE - HKU\S-1-5-21-3334157229-1843940417-2705372315-1000\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:4664/search&s=F4Ohn6C-M-oPlcU5DzTcfMvYbJw?q={searchTerms}
IE - HKU\S-1-5-21-3334157229-1843940417-2705372315-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={49C36A2B-0AA1-47D5-A431-23EC18CED411}&mid=95ac9ede46df74924f9140b1d0a2b11e-4e74e30fd1940bb5905c7101d2faeb3f67145431&lang=&ds=&coid=&cmpid=&pr=&d=&v=17.3.0.49&pid=avg&sg=&sap=dsp&q={searchTerms}
IE - HKU\S-1-5-21-3334157229-1843940417-2705372315-1002\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:4664/search&s=wp4geEaPqFbgGrkkgy2vaDNcg6A?q={searchTerms}
FF - HKLM\Software\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin: C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\17.3.0\\npsitesafety.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/McAfeeMssPlugin: C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
[2009/12/22 08:35:06 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG8\FIREFOX
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll (AVG Secure Search)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\17.3.0.49\AVG Secure Search_toolbar.dll (AVG Secure Search)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-3334157229-1843940417-2705372315-1000\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-3334157229-1843940417-2705372315-1000\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB (Reg Error: Key error.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
[2010/03/10 17:28:54 | 002,495,592 | ---- | C] (Amazon.com) -- C:\Users\Vic\AmazonMP3Downloader.exe
[2013/04/15 20:13:03 | 000,000,000 | ---D | M] -- C:\Users\Vic\AppData\Roaming\AVG2013
[2013/11/16 17:24:36 | 000,000,000 | ---D | M] -- C:\Users\Vic B\AppData\Roaming\AVG2013

:Files
C:\Program Files\AVG Secure Search
C:\Program Files\Common Files\AVG Secure Search
C:\Program Files\McAfee Security Scan
C:\Program Files\AVG

:Commands
[resethosts]
[emptytemp]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

If you need to copy the text file across, then copy fix.txt to the desktop of the sick computer.
Run OTL and press fix; a dialogue will appear asking for the location of fix.txt.
Navigate to the copy on the desktop and select it.
Press run fix again to execute.

On completion of the fix, try to download MCShield; it should now work.
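
The warning in the post above says the fix is written for one system only. As an added example (not part of the thread and not OTL's own code), this Python reviewer splits a fix script into its `:Commands`, `:OTL` and `:Files` sections and lists any account SIDs or profile folders in it that do not belong to the machine it is about to run on. The names `parse_fix` and `review` are hypothetical, and the sample is an abridged copy of the script posted above.

```python
import re
# Constructed sample: an abridged copy of the fix script posted above.
SAMPLE_FIX = r"""
:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-3334157229-1843940417-2705372315-1000\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:4664/search
[2013/04/15 20:13:03 | 000,000,000 | ---D | M] -- C:\Users\Vic\AppData\Roaming\AVG2013

:Files
C:\Program Files\AVG Secure Search
C:\Program Files\McAfee Security Scan

:Commands
[resethosts]
[Reboot]
"""

SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")       # per-user registry hive (HKU\<SID>)
USER_RE = re.compile(r"C:\\Users\\([^\\]+)\\", re.I)   # profile folder name

def parse_fix(text):
    """Split a fix script into {section: [lines]}; repeated headers are merged."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def review(text, local_sids, local_users):
    """Summarise the script and list account references that are not local."""
    sec = parse_fix(text)
    body = sec.get("otl", []) + sec.get("files", [])
    sids = {s for line in body for s in SID_RE.findall(line)}
    users = {u.lower() for line in body for u in USER_RE.findall(line)}
    return {
        "commands": [c.strip("[]").lower() for c in sec.get("commands", [])],
        "paths": sec.get("files", []),
        "foreign_sids": sorted(sids - set(local_sids)),
        "foreign_users": sorted(users - {u.lower() for u in local_users}),
    }
```

On the target machine the local SID can be read with `whoami /user`; a non-empty `foreign_sids` or `foreign_users` list means the script was written for a different system.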

Thanks–I’ll do this in just a bit. One question… While the fix is running, “unhindered” if the screen goes dark for lack of user activity, will that hinder progress, or is it ok?

JB

…in case Essexboy is busy…
I’ve run OTL fix many times…with scripts from the experts.
Some machines you do not see any slow down…some there is.
However, trying to do anything on the machine will definitely freeze things up…in my experience.
Thus, it is best to run it and leave it alone…be patient…leave it alone…no mouse moves, nothing. :slight_smile: