What IS this?? Ideas?

I have run malware bytes a dozen times, and it found a few things and fixed them.

THIS, however, it has NOT found.

Sometimes, it pops up with four - all the same thing - one time it alerted me 18 times (NOT kidding). I have the voice-enabled alerts - which is good - I was away from the computer the one time.

I am on Windows 7 Professional. Using Avast! Free. As I said, I’ve downloaded Malware Bytes and scanned several times. The last three scans have shown nothing.
The image on the left is the alert. The image on the right is what I see when I click on “more details.”

http://www.angelfire.com/alt2/jerrodsl22/whatingayhell.jpg

http://www.angelfire.com/alt2/jerrodsl22/avastanswer.jpg

It’s tax season, I’m nearly insane. While it says I have avoided infections, I want to resolve this.

I appreciate any help. I may take a day or two to get back, so please have patience with me.

Thanks again!

Attach OTL and aswMBR logs http://forum.avast.com/index.php?topic=53253.0

Thank you, Pondus!! Attached are the requested log files.

aswMBR found something, I see. I couldn’t tell, it was in red, but ran off the screen.

15:14:19.149 File: C:\ProgramData\CA-SupportBridge\SoftwareUpdater.exe **INFECTED** Win32:Evo-gen [Susp]

Could be a false positive. It's detected as suspicious.

It is a Computer Associates updater; the AV must have been installed at some time and the updater remained.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:Commands
[CREATERESTOREPOINT]

:OTL
FF - prefs.js..searchreset.backup.browser.search.defaultenginename: "Conduit Search"
O3:64bit: - HKLM\..\Toolbar: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk = File not found
O4 - Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk = File not found
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk = File not found
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk = File not found

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe and follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Here are the logs from the re-run of OTL and then Combofix.

I recall I did have Computer Associates - but just the anti-spam. I thought it had gotten rid of it all!

I thank you, profusely, for your assistance!

Hmm, none of the usual suspects there…

Are the alerts still occurring?

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on “Clean”.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Well, it just popped up again. Is there a way I can find out what it says after the alert disappears? I couldn’t read this one in time. It’s the Webshield that is popping up, and once they notify me, they are gone. I’ve scanned the System 32 folder several times after the alert I just got and it found nothing.

Could it be a false-positive?

I found the log for webshield. That is the ONLY one that has an alert about this freeresultsguide thing.

As it is working through svchost, we need to determine what programme is initiating it.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste the log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Just an FYI - someone else has the same issue: http://forum.avast.com/index.php?topic=148769.0

I’m downloading Farbar right now.

Attached are the two requested logs.

Thank you, AGAIN, for the time you have spent helping me!

Did you upgrade this system from Vista?

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double click on TDSSKiller.exe to run the application.

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

  • Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

  • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

  • Get the report by selecting Reports.

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

In answer to your first question, no it was not upgraded from Vista. I purchased it new on one of the last days Windows 7 was still available because I knew Windows (H)8 was coming, and didn’t want it.

The webshield went nuts while I was running the scan - screaming a fit about tdsskiller - so I disabled protection and re-scanned. Neither scan found anything.

Attached is the report.

OK, I am going to revisit all the logs, so bear with me.

Let me know if the alerts still occur; also, do they happen at a specific time, i.e. when you open a certain programme?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:Commands
[CREATERESTOREPOINT]

:OTL
FF - prefs.js..network.proxy.type: 4
FF - prefs.js..searchreset.backup.browser.search.defaultenginename: "Conduit Search"
O3:64bit: - HKLM\..\Toolbar: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [] File not found
[2014/04/07 01:49:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
[2014/03/31 15:48:10 | 000,002,078 | ---- | M] () -- C:\Windows\EReg216.dat

:Files
C:\ProgramData\CA-SupportBridge

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
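As an added example (not code from this thread or from the OTL tool), here is a small Python parser for the fix-script format used in the two OTL fixes above (the :Commands, :OTL and :Files sections). It lists what a fix would touch (Firefox prefs, toolbar CLSIDs, startup entries, files and folders) so the script can be reviewed before Run Fix is clicked. The sample script is constructed from entries posted in this thread, and the function names are my own.

```python
import re
# Constructed sample in the shape of the OTL fix scripts posted in this thread (entries copied from them).
SAMPLE_FIX = r""":Commands
[CREATERESTOREPOINT]
:OTL
FF - prefs.js..network.proxy.type: 4
FF - prefs.js..searchreset.backup.browser.search.defaultenginename: "Conduit Search"
O3:64bit: - HKLM\..\Toolbar: (no name) - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No CLSID value found.
O4 - Startup: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Smart Settings.lnk = File not found
O4 - HKLM..\Run: [] File not found
[2014/04/07 01:49:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
:Files
C:\ProgramData\CA-SupportBridge
:Commands
[resethosts]
[emptytemp]
[Reboot]
"""
FS_RE = re.compile(r"^\[[^\]]*\] -- (.+)$")    # [date | size | attrs | C] -- path
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
PREFIX = "FF - prefs.js.."
def parse_otl_fix(text):
    # Group the script's lines under their ':Section' headers (names lower-cased).
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith(":"):
            current = line[1:].lower()
        elif current is None:
            raise ValueError(f"line before any section header: {line!r}")
        else:
            sections.setdefault(current, []).append(line)
    return sections
def summarize_fix(text):
    """List what the fix would touch so it can be reviewed before clicking Run Fix."""
    s = parse_otl_fix(text)
    out = {"firefox_prefs": {}, "toolbars": [], "startup": [], "paths": [], "unrecognized": []}
    out["commands"] = [c.strip("[]").lower() for c in s.get("commands", [])]
    for line in s.get("otl", []):
        if line.startswith(PREFIX):                    # Firefox pref the fix resets
            key, _, value = line[len(PREFIX):].partition(": ")
            out["firefox_prefs"][key] = value.strip('"')
        elif line.startswith("O3"):                    # toolbar registry entry, keyed by CLSID
            out["toolbars"].append(m.group(0) if (m := CLSID_RE.search(line)) else "Locked")
        elif line.startswith("O4"):                    # startup / autorun entry
            out["startup"].append(re.sub(r"\s*=?\s*File not found$", "", line.split(" - ", 1)[1]))
        elif FS_RE.match(line):                        # dated file or folder entry
            out["paths"].append(FS_RE.match(line).group(1))
        else:
            out["unrecognized"].append(line)
    out["paths"] += s.get("files", [])                 # :Files entries are deleted outright
    return out
```

Anything that ends up in "unrecognized" is a line the parser does not understand and deserves a manual look before the fix is run.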

Thanks! I appreciate your time, so take what you need. :slight_smile:

We are on page 2 now :slight_smile: So I think you missed my last post.

Could you run the OTL fix and let me know the result, please?

Sorry! I am about insane from taxes - rather from clients DEMANDING their taxes - and didn’t realize we were up to page 2! I have attached the log.

Is the alert still appearing? Insanity is something I am good at :slight_smile: