Web Shield popups all the time since Skype bot

Hi

Yesterday morning I received a Skype message that I foolishly answered and resulted in a porn bot. I had closed the window, and proceeded to block and report the user.

Since then I'm receiving a lot of “avast webshield has blocked a harmful webpage or file” all the time, even at google.com, pointing to hxxp:// “lot of addresses here” / “lot of numbers here”

I ran a Comodo and Avast full scan but both give clear results with nothing found.

After that I can use Maxthon almost without problems, but if I use Firefox the popup starts to show immediately and then in both browsers.

Here are my logs from AMB, OTL and aswMBR

Comodo and avast … so you have two AV installed?

Why Using Multiple Antivirus Programs is a Bad Idea http://blog.kaspersky.com/multiple-antivirus-programs-bad-idea/

Comodo Firewall and Avast! Antivirus

[b]I ran a Comodo and Avast full scan[/b] but both give clear results with nothing found.
Then how did you manage to run a scan with a firewall?
SRV:[b]64bit:[/b] - [2014/03/25 14:22:18 | 002,264,280 | ---- | M] (COMODO) [On_Demand | Stopped] -- C:\Program Files\[b]Antivirus\COMODO\COMODO Internet Security[/b]\cmdvirth.exe -- (cmdvirth)

Comodo Firewall has a “scan” button, I don't know what or how it scans, but I used it.

Anyway, all this about Comodo doesn't have any relation to my problem. I have used this avast & comodo config for years without problems.

Let me know if this stops it

Warning: This fix is only relevant for this system and no other, using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearchdial.com/?f=1&a=aw_14_19_ch&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtDtBtA0CyCtD0B0F0F0EtN0D0Tzu0SzzyDzztN1L2XzutBtFtBtDtFyCtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StByD0D0B0EyD0EtAtG0DyD0EtDtGyDyCyDyDtGzztBzyyBtGtCyByByC0CyE0BzyyEzytC0A2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCzzzzzy0FyEtBtDtGzztAtB0CtGyCyE0EzztGtCyCtC0FtGyDyCtAyCtCyB0AyDtDzz0Ezz2Q
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearchdial.com/?f=1&a=aw_14_19_ch&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtDtBtA0CyCtD0B0F0F0EtN0D0Tzu0SzzyDzztN1L2XzutBtFtBtDtFyCtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StByD0D0B0EyD0EtAtG0DyD0EtDtGyDyCyDyDtGzztBzyyBtGtCyByByC0CyE0BzyyEzytC0A2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCzzzzzy0FyEtBtDtGzztAtB0CtGyCyE0EzztGtCyCtC0FtGyDyCtAyCtCyB0AyDtDzz0Ezz2Q
IE - HKU\S-1-5-21-1245750549-1891514023-2855287717-1001\..\SearchScopes\{8EEAC88A-079B-4b2c-80C1-7836F79EB40A}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=aw_14_19_ch&cd=2XzuyEtN2Y1L1Qzu0CzzyCtDtDtDtDtBtA0CyCtD0B0F0F0EtN0D0Tzu0SzzyDzztN1L2XzutBtFtBtDtFyCtFtDtN1L1CzutCyEtDtAtDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StByD0D0B0EyD0EtAtG0DyD0EtDtGyDyCyDyDtGzztBzyyBtGtCyByByC0CyE0BzyyEzytC0A2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCzzzzzy0FyEtBtDtGzztAtB0CtGyCyE0EzztGtCyCtC0FtGyDyCtAyCtCyB0AyDtDzz0Ezz2Q
[2014/07/30 13:46:45 | 000,002,785 | ---- | M] () -- C:\Users\Doktor Mostro\AppData\Roaming\mozilla\firefox\profiles\92rlnyqn.default\searchplugins\Mysearchdial.xml
O3:64bit: - HKLM\..\Toolbar: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

I did both steps without result, I just opened Firefox and the popup showed up… Then using Maxthon to check this forum. Same at firefox.exe process

Here are my OTL and adwCleaner logs

OK I will need to run another programme to check a different area

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]Select additions at the bottom
[*]Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please attach both logs generated.

Thanks a lot for helping me! =)

Ready

Do you get the same problem in IE ?

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CHR Extension: (saVe on) - C:\Users\Doktor Mostro\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgjiefbnbidcnbpnndjklcmkhihfjemg [2014-06-10]
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated, please post that

The problem is not present in IE or Maxthon (while FF is closed), just Firefox or while FF is open.

There is the log

I found that this happens just while Firefox is open, if I click on the avast popup it sends me to this link http://www.avast.com/en-us/lp-fr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_90_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-us%2Fvirus-alert-default&p_vir=VVJMOk1hbA&p_prc=C:\Program%20Files%20(x86)\Network\Mozilla%20Firefox\firefox.exe&p_obj=aHR0cDovL3RoaXNpcy15b3VyYXBwLmluZm8vc3luYy8_cT1oZlo5b2ZWOUNTaEVBZW4wckhDNnRNcUxEZTQ5Q05VMGpsWU1DTWxOaGQ5RnFkYTdyamFFcVRuNnJUbk1BZTRVb2pzN3JqWUVySGs5clRyN3JUQzZyVFVHckhnTUM2cVVvanc1cmprN3FqckVyallFcWRZNXBkZ0VyVGE5dE5oVkNUOTR0TTBIQWVuMHFUYUh0TVpQaGQ5RnFUdzdxSGE2clRzNnJqQ0Vyalk1ckhzSHJTaFNDSDlG&p_var=.%2Ffa%2Fen-us%2Fvirus-alert-default&p_elm=7&p_lex=88&p_lid=en-us&p_lng=en&p_lqa=0&p_lqe=0&p_lst=0&p_lsu=24&p_pro=0&p_bld=empty&p_vep=9&p_ves=0&p_vbd=2021&p_hid=30b7494c-58f2-4ef4-9417-19c38f453531&p_ram=16329&p_cpu=8.1

It's not just some kind of avast message trying to make me pay for the complete edition???
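Added example, not part of the thread and not Avast's own code: the `p_vir` and `p_obj` values in the link above are URL-safe base64 with the padding stripped (the posted `p_vir` decodes to `URL:Mal`), so the alert link itself shows which detection fired, in which process, and on which object. The function names are hypothetical, reading the three parameters as detection name, process and blocked object is an assumption drawn from what they decode to, and the sample link is constructed with a placeholder URL.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode, urlsplit


def b64url_decode(value):
    """Decode URL-safe base64 whose '=' padding was stripped; None if invalid."""
    if not value:
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.urlsafe_b64decode(padded).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def defang(url):
    """Make a URL non-clickable before pasting it into a ticket or forum post."""
    if url is None:
        return None
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def decode_alert_link(link):
    """Pull the detection name, process and blocked object out of an alert link."""
    params = parse_qs(urlsplit(link).query, keep_blank_values=True)
    first = lambda name: params.get(name, [""])[0]
    return {
        "detection": b64url_decode(first("p_vir")),
        "process": first("p_prc") or None,
        "blocked_object": defang(b64url_decode(first("p_obj"))),
    }


# Constructed sample: same parameter names as the link in the post; p_vir is the
# value from the post, the blocked URL is a placeholder, not the real one.
_placeholder = base64.urlsafe_b64encode(b"http://blocked.example/sync/?q=constructed")
SAMPLE_LINK = "http://www.avast.com/en-us/lp-fr-virus-alert?" + urlencode({
    "p_vir": "VVJMOk1hbA",
    "p_prc": r"C:\Program Files (x86)\Network\Mozilla Firefox\firefox.exe",
    "p_obj": _placeholder.decode("ascii").rstrip("="),
})

if __name__ == "__main__":
    for key, value in decode_alert_link(SAMPLE_LINK).items():
        print(f"{key}: {value}")
```

A `process` of firefox.exe together with a blocked object that is not the page being visited points at something inside the browser profile making the request, which is consistent with the alerts appearing only while Firefox is open.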

No it is not Avast trying to make you buy anything

Could you run Firefox in safe mode and let me know if the alerts still appear https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode

Last night I uninstalled Firefox, ran adwCleaner, manually deleted all Mozilla-related folders and registry keys and turned the PC off… Today I turned on the PC, installed Firefox and now the problem is gone :slight_smile:

It was in all probability a hidden extension

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so… The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide: Best security practices. Keep safe :wave: