Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Avast keeps giving me Mail Shield Security Exclusions


  • This topic is locked This topic is locked
5 replies to this topic

#1 birdhunter671

birdhunter671

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 19 July 2015 - 09:39 PM

Hello Guys,

My system:

Toshiba  / Satellite C55-A   /  Intel ® Celeron  ® N2820

64 bit Windows 8.1

I am at the end of my rope. I have tried everything. First, let me say I am not good at technical things on a computer, just enough to be dangerous. So if some things I say seem crazy, they probably are.  So here is the story. About a week ago I received a email on my go daddy webmail.  www.login.securserver.net. That is how I long into that email. Now, that is not my main email. My main email is gmail, which I use the most.

The email I received on the go daddy email was a Notice of Apperance in Court #00406341. It contained a zip file,  Court Notification 00406341.zip.   Of course being stupid, I unzipped the file, thinking it was something important, since I have some court cases ongoing for business.

With research  I think it is a Kuluoz or another one that starts with  A.  cant remember.

It put a zip file in my downloads folder  Court_Notification_00406341.doc, which shows as File Type: Java Script file, 8.84kb.  That is the only one I noticed, not sure if they are more somewhere.  Then things started getting a little weird. Nothing major, I still get emails, still send them, and my system seems to be running normally, except for Avast Mail Shield security exclusions ,  It keeps poping up at least 40 times a day, saying 

 

Now, here I used to get different info, like websites, IP address, etc. But for the last few days only thing I have been getting is a IP address for the server, and

C:\\Windows\SysWOW64\regsvr32.exe -  As the location.

 

"avast! has identified a problem with this site certificate. 
You can add this certificate as an exclusion, if you are sure about it.

Click the 'View' button for more details about the certificate.


If you want to change your certificates/exclusions, please open the Windows Certificate browser and perform the required operations directly from within the system certificate storage.


Legitimate public sites and mail servers should not ask you to do this.

 

SERVER

Location: *****


CERTIFICATE STATUS


This site attempts to identify itself with invalid information.

Problems:

The certificate is not trusted."

I always click on confirm security exclusion, I hope that was the right thing to do.

Now, next, thinking I could fix it, here are the things I have ran.

·         Spy Hunter 4 -  No cleaning, I did not pay

·         AdWare Cleaner

·         Rough Killer x64

·         Spy Bot Search and Destory

·         Free Windows Registery Cleaner

 

As per instructions I see on a forum, here is the process that i have done, and then I have done nothing else, since doing these processes. Will just wait for instruction.

 

I first ran the Malwarebytes as instructed. It was ran with Avast on.  Here is the log

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 7/20/2015

Scan Time: 6:01 AM

Logfile: MALWAREBYTES SCAN LOG.txt

Administrator: Yes

 

Version: 2.1.8.1057

Malware Database: v2015.07.19.03

Rootkit Database: v2015.07.17.01

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

 

OS: Windows 8.1

CPU: x64

File System: NTFS

User: Philip

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 432604

Time Elapsed: 38 min, 39 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Disabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 8

PUP.Optional.Linkey.A, HKLM\SOFTWARE\CLASSES\Linkey.Linkey, Quarantined, [b3ec4a998dfd7bbb2b5e5b2e47bbe719],

PUP.Optional.Linkey.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\Linkey.Linkey, Quarantined, [1689796ae2a84ee85d2c8dfcd82a8779],

PUP.Optional.Linkey.A, HKLM\SOFTWARE\CLASSES\WOW6432NODE\Linkey.Linkey, Quarantined, [1689796ae2a84ee85d2c8dfcd82a8779],

PUP.Optional.TweakBit.A, HKLM\SOFTWARE\WOW6432NODE\TWEAKBIT\ATPopups, Quarantined, [3d627f64bcce9f9747966c2bd92be31d],

PUP.Optional.TweakBit.A, HKLM\SOFTWARE\WOW6432NODE\TWEAKBIT\ATUpdaters, Quarantined, [e2bdde05296160d686571186c93bad53],

PUP.Optional.TweakBit.A, HKLM\SOFTWARE\WOW6432NODE\TWEAKBIT\Google Analytics Package, Quarantined, [ffa03ba83753b5814c9384136e9606fa],

PUP.Optional.FramedDisplay.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Update Framed Display, Quarantined, [7629be2582088caa8e078103cd371ee2],

PUP.Optional.FramedDisplay.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Util Framed Display, Quarantined, [762903e0652571c5088d275dc53fcd33],

 

Registry Values: 1

Rootkit.Fileless.MTGen, HKU\S-1-5-21-2793440623-1628646824-2415799637-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^e223adc9, Quarantined, [eeb1568d3753142208eb4b44689cd22e],

 

Registry Data: 0

(No malicious items detected)

 

Folders: 7

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\FixMyPC, Quarantined, [e1be3ba8b2d88aacc42a32d131d2bd43],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\FixMyPC\1.x, Quarantined, [e1be3ba8b2d88aacc42a32d131d2bd43],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\FixMyPC\1.x\Logs, Quarantined, [e1be3ba8b2d88aacc42a32d131d2bd43],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\PCCleaner, Quarantined, [49566083701aee48dc1390733fc47f81],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\PCCleaner\1.x, Quarantined, [49566083701aee48dc1390733fc47f81],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\PCCleaner\1.x\Logs, Quarantined, [49566083701aee48dc1390733fc47f81],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\PCCleaner\1.x\Queue, Quarantined, [49566083701aee48dc1390733fc47f81],

 

Files: 17

PUP.Optional.InstallCore.A, C:\Users\Philip\AppData\Local\Temp\farbar-recovery-scan-tool.exe-1437339921757.exe, Quarantined, [465952919bef38fed2498c1d28d99070],

PUP.Optional.TweakBit.A, C:\Users\Philip\Downloads\fix-my-pc-setup.exe, Quarantined, [e0bfb52e7119330345ef3c2b64a12cd4],

PUP.Optional.FramedDisplay.A, C:\Users\Philip\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_api.frameddisplay.com_0.localstorage, Quarantined, [247b6b78f595999d7ea74350020234cc],

PUP.Optional.FramedDisplay.A, C:\Users\Philip\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_api.frameddisplay.com_0.localstorage-journal, Quarantined, [f0af3fa413770630f1342f649074ab55],

PUP.Optional.FramedDisplay.A, C:\Users\Philip\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.frameddisplay.com_0.localstorage, Quarantined, [188707dc117947ef0b1a6f24857f21df],

PUP.Optional.FramedDisplay.A, C:\Users\Philip\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.frameddisplay.com_0.localstorage-journal, Quarantined, [138c02e1c5c539fd28fd1e75e222e818],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\FixMyPC\1.x\StatDB.json, Quarantined, [e1be3ba8b2d88aacc42a32d131d2bd43],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\FixMyPC\1.x\Unfixed.err, Quarantined, [e1be3ba8b2d88aacc42a32d131d2bd43],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\FixMyPC\1.x\Logs\CheckSerialNumber.log, Quarantined, [e1be3ba8b2d88aacc42a32d131d2bd43],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\FixMyPC\1.x\Logs\FixMyPC.log, Quarantined, [e1be3ba8b2d88aacc42a32d131d2bd43],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\FixMyPC\1.x\Logs\FixMyPCLogic.log, Quarantined, [e1be3ba8b2d88aacc42a32d131d2bd43],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\PCCleaner\1.x\StatDB.json, Quarantined, [49566083701aee48dc1390733fc47f81],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\PCCleaner\1.x\Unfixed.err, Quarantined, [49566083701aee48dc1390733fc47f81],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\PCCleaner\1.x\Logs\CheckSerialNumber.log, Quarantined, [49566083701aee48dc1390733fc47f81],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\PCCleaner\1.x\Logs\PCCleaner.log, Quarantined, [49566083701aee48dc1390733fc47f81],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\PCCleaner\1.x\Logs\PCCleanerLogic.log, Quarantined, [49566083701aee48dc1390733fc47f81],

PUP.Optional.TweakBit.A, C:\ProgramData\TweakBit\PCCleaner\1.x\Queue\Queue-Report.rpq, Quarantined, [49566083701aee48dc1390733fc47f81],

 

Physical Sectors: 0

(No malicious items detected)

______________________________________________________________________________

 

Next I ran the Farbar Recovery tool. You ask for the first log to be copy and pasted here, but it is very long, so i will just attach both.

 

SEE ATTACHMENTS

_____________________________________________________________________________

 

Then next I ran the , ASWmbr.exe, with avast on.  Here is the log

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software

Run date: 2015-07-20 07:19:45

-----------------------------

07:19:45.944    OS Version: Windows x64 6.2.9200

07:19:45.945    Number of processors: 2 586 0x3703

07:19:45.947    ComputerName: GREGORY  UserName: Philip

07:19:51.282    Initialize success

07:19:51.318    VM: initialized successfully

07:19:51.320    VM: Intel CPU supported virtualized

07:19:57.330    VM: supported disk I/O storport.sys

07:20:01.625    AVAST engine defs: 15071902

07:20:09.602    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000021

07:20:09.606    Disk 0 Vendor: TOSHIBA_MQ01ABF050 AM003M Size: 476940MB BusType: 11

07:20:09.741    VM: Disk 0 MBR read successfully

07:20:09.746    Disk 0 MBR scan

07:20:09.752    Disk 0 unknown MBR code

07:20:09.758    Disk 0 Partition 1 00     EE            GPT           2097151 MB offset 1

07:20:09.876    Disk 0 scanning C:\WINDOWS\system32\drivers

07:20:23.275    Service scanning

07:20:58.981    Service vkgcut C:\WINDOWS\System32\drivers\hnrradon.sys **LOCKED**

07:21:05.681    Modules scanning

07:21:05.699    Disk 0 trace - called modules:

07:21:05.756    ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys hal.dll storahci.sys

07:21:05.763    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe001540c3450]

07:21:05.767    3 CLASSPNP.SYS[fffff801d2759170] -> nt!IofCallDriver -> \Device\00000021[0xffffe0015407a440]

07:21:06.863    AVAST engine scan C:\WINDOWS

07:21:09.185    AVAST engine scan C:\WINDOWS\system32

07:25:50.557    AVAST engine scan C:\WINDOWS\system32\drivers

07:26:12.382    AVAST engine scan C:\Users\Philip

07:27:20.037    Disk 0 MBR has been saved successfully to "C:\Users\Philip\Desktop\MBR.dat"

07:27:20.048    The log file has been saved successfully to "C:\Users\Philip\Desktop\aswMBR.txt"

_____________________________________________________________________________

 

So this is where I am at.. Please help.  

 

 

Attached Files



BC AdBot (Login to Remove)

 


#2 shelf life

shelf life

  • Malware Response Team
  • 2,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:06:18 PM

Posted 20 July 2015 - 05:27 PM

hi,

 

We will start with FRST to remove some items from the log.

 

Usually Iam only on this site once or twice per day so you may not get a reply from me until the next day.

 

Copy/paste whats below in the box into notepad. Save it as fixlist.txt in the same location you have FRST, your desktop. Click the FRST icon like before and this time click on the fix button just once. When done you will find a fixlog on your desktop. Please post the fixlog in your reply. Machine may reboot to finish the process.

HKLM\...\Run: [] => [X]
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
C:\Users\Philip\tmp2098815588907764838.exe
C:\Users\Philip\tmp3347511962698503720.exe
C:\Users\Philip\tmp7839474401173251832.exe
2014-03-10 16:57 - 2014-03-10 16:57 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
SearchScopes: HKU\S-1-5-21-2793440623-1628646824-2415799637-1001 -> {21A3F5B1-BB9E-458A-815D-54E44AA350A8} URL = 
CHR HKU\S-1-5-21-2793440623-1628646824-2415799637-1001\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2793440623-1628646824-2415799637-1001\...\Run: [UZLmedia] => regsvr32.exe C:\Users\Philip\AppData\Local\UZLmedia\New.dll <===== ATTENTION
HKU\S-1-5-21-2793440623-1628646824-2415799637-1001\...\Run: [Udfmedia] => C:\Windows\SysWOW64\regsvr32.exe C:\Users\Philip\AppData\Local\YmbhPack\New.dll

 


How Can I Reduce My Risk to Malware?


#3 birdhunter671

birdhunter671
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 20 July 2015 - 05:33 PM

Hello Shelf Life,

 

Thank you so much for your effort and replying to my post. The situation has already been taken care of, I just had not had a chance to close this thread. 

 

I do thank you for your offer to help. 



#4 birdhunter671

birdhunter671
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:18 AM

Posted 20 July 2015 - 05:34 PM

Can someone please close this topic, or tell me how to close it.. 

 

Thanks



#5 shelf life

shelf life

  • Malware Response Team
  • 2,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:06:18 PM

Posted 20 July 2015 - 05:37 PM

Ok. no problem. Its closed.


How Can I Reduce My Risk to Malware?


#6 shelf life

shelf life

  • Malware Response Team
  • 2,657 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:@localhost
  • Local time:06:18 PM

Posted 20 July 2015 - 05:37 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

How Can I Reduce My Risk to Malware?





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users