
Avast and Malware issues


This topic is locked
21 replies to this topic

#1 Bstar13
  • Members
  • 12 posts

Posted 21 February 2017 - 09:53 PM

So I was on YouTube and I got this pop-up from Avast saying they've blocked a malware. That malware is called "VBS:Malware-gen" and it tells me that it's on chrome.exe (C:\Program Files (x86)\Google\Chrome\Application\chrome.exe). I've done some research on my own and I found out that this malware (VBS:Malware-gen) is a USB key malware that infects through USB keys and some downloads. Lately I've not used any USB keys and the only few downloads I made were some updates to Overwatch and Windows 10 as well as downloading some files for school from my school's website. Now every few minutes I get a message telling me something got blocked; the only problem is when I try to scan the program that's infected it doesn't find any problem with it. As of now I'm doing a scan with Avast, then I'm gonna restart my computer to see if it's not something else that causes the problem. I'll post back to let you know if after a restart the pop-ups kept happening.




#2 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 February 2017 - 10:59 AM

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory from which the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add Reply button.
===


Please post the logs.

Wait for further instructions.

#3 Bstar13
  • Topic Starter
  • Members
  • 12 posts

Posted 22 February 2017 - 08:13 PM

Here are both FRST.txt and Addition.txt 

Attached Files



#4 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 February 2017 - 08:18 AM

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
Amazon 1Button App (HKLM-x32\...\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6}) (Version: 1.0.0.4 - Amazon) <==== ATTENTION
Host App Service (HKU\S-1-5-21-1249004106-2950696070-1324742055-1001\...\SweetLabs_AP) (Version: 0.269.8.114 - Pokki)
KMSpico v9.3.1 (HKLM\...\KMSpico_is1) (Version: 9.3.1 - )
Pokki Start Menu (HKU\S-1-5-21-1249004106-2950696070-1324742055-1001\...\SweetLabs_Start_Menu) (Version: 0.269.8.114 - Pokki)
Yahoo Search Set (HKLM-x32\...\Yahoo! SearchSet) (Version: - Yahoo Inc.)
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Pokki) C:\Users\Gabriel\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe
(Pokki) C:\Users\Gabriel\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\Gabriel\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\Gabriel\AppData\Local\SweetLabs App Platform\Engine\ServiceStartMenuIndexer.exe
SearchScopes: HKU\S-1-5-21-1249004106-2950696070-1324742055-1001 -> {AA7F7C30-B0C8-11E4-827C-F8A9636D16F6} URL = hxxp://search.homepage-web.com/?src=omnibox&partner=acer&q={searchTerms}
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\1uptun3w.default -> Web Search
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\1uptun3w.default -> Web Search
FF Homepage: Mozilla\Firefox\Profiles\1uptun3w.default -> hxxps://homepage-web.com/?s=acer&m=start
CHR HomePage: Default -> hxxp://www.search.ask.com/?gct=hp
CHR DefaultSearchURL: Default -> hxxp://www.search.ask.com/web?q={searchTerms}
CHR DefaultSearchKeyword: Default -> search.ask.com
CHR DefaultSuggestURL: Default -> hxxp://ssmsp.ask.com/query?sstype=prefix&li=ff&q={searchTerms}
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Gabriel\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.866\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\56.0.2924.87\PepperFlash\pepflashplayer.dll => No File
CHR Extension: (BetterTTV) - C:\Users\Gabriel\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2016-06-04]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Gabriel\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-18]
CHR Extension: (Chrome Media Router) - C:\Users\Gabriel\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-07]
CHR HKLM-x32\...\Chrome\Extension: [eedgghdcpmmmilkmfpnklknlenbiolec] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fabhkdeopjkcpkmofliimbjckmocfiom] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-05-26]
CHR HKLM-x32\...\Chrome\Extension: [npdicihegicnhaangkdmcgbjceoemeoo] - hxxps://clients2.google.com/service/update2/crx
Task: {062D0F5A-D54B-4E2D-8306-55362C75EDF3} - \Safer-Networking\Spybot - Search and Destroy\Check for updates -> No File <==== ATTENTION
Task: {1DA60354-43AB-499E-B1BC-BABA426DBEBD} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {2F207F42-B09C-4836-9788-0978DD74C7A5} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {49ECB402-20EA-4FB6-AF53-370396A27135} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {629DA3DB-84FD-44FB-A5DB-080FCFA4BD68} - \Safer-Networking\Spybot - Search and Destroy\Refresh immunization -> No File <==== ATTENTION
Task: {671425DD-18CB-48BE-B376-A083496C8D22} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
Task: {7B74296D-A6E0-4B8D-8379-8515F0E7FA73} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {80809C1D-6E52-4208-894C-6436F81F6CF7} - \Safer-Networking\Spybot - Search and Destroy\Scan the system -> No File <==== ATTENTION
Task: {85541735-212E-469D-BAE2-31B2FA50A1B9} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {8DBF6AC7-895A-4B43-8665-7A051BD44FEB} - System32\Tasks\SweetLabs App Platform => C:\Users\Gabriel\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe [2016-11-15] (Pokki)
Task: {8E81BCE9-7F3E-47D5-92AE-A11DFFBED15E} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {9505AB5C-EDD7-42B6-98C6-B35D0BC6DE22} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {9CF9BA73-01B3-44BA-93A6-6DA08F01BF32} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {A2F00F0C-958F-4D55-9D45-9385EE8E8AB2} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {A6935CBD-9ED0-487B-B44A-12A54FC2B63E} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {B8B3EA92-E957-4777-8980-2117A6D3C7B1} - \WPD\SqmUpload_S-1-5-21-1249004106-2950696070-1324742055-1001 -> No File <==== ATTENTION
Task: {D80108D5-93DC-4664-A903-B43D3D8AF88F} - \AutoPico Daily Restart -> No File <==== ATTENTION
Task: {EA3C4C77-D313-4FAD-9B81-1F4ABD59076A} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {F1BC3D4C-F899-46A3-A833-9E34CBCEBF43} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {F3EEB429-172E-41D1-8307-D64CAAEA77C9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
FirewallRules: [{712EDD19-722C-4E3E-A1A1-DD3634A0B9B5}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{13074284-2096-4E65-B5A4-4898FA578AC1}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{9E452D2A-A4A1-48BA-BE0B-A4692CDAE3DE}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{04DC3026-3235-4D9B-A27A-CBE456206029}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{D373BB23-BD92-427F-8449-B334C4CC9387}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{9D9C7A35-DB9D-4F68-9CCB-B43BC8DA80BE}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{483895E0-037A-4C11-92B8-F02469013A65}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{11627873-5AF8-4FE7-99F2-D9E751CE568A}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
S3 WinDivert1.1; C:\Program Files\KMSpico\WinDivert.sys [35376 2015-04-06] (Basil Projects)
C:\Users\Gabriel\AppData\Local\SweetLabs App Platform
C:\Program Files\KMSpico

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

p.s.
Your FRST log was very long and your post was truncated.
Please run the Farbar tool one more time and post a fresh FRST log for my review.

If the log is again truncated please use two replies to report all the lines in the log.

Please let me know what problem persists with this computer.

Edited by nasdaq, 24 February 2017 - 08:08 AM.


#5 Bstar13
  • Topic Starter
  • Members
  • 12 posts

Posted 23 February 2017 - 03:54 PM

I couldn't get rid of the Amazon app; it would only give me the option to install it :/

 

and here's the FRST.txt file again

 

Attached File  FRST.txt   54.63KB   4 downloads



#6 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 February 2017 - 08:12 AM

Ignore the Amazon app.

Now create the Fixlist.txt file with the edited fix I did.
I only added this line
S3 WinDivert1.1; C:\Program Files\KMSpico\WinDivert.sys [35376 2015-04-06] (Basil Projects)

Run the fix and post the fixlog.txt for my review.

Let me know what problem persists.

#7 Bstar13
  • Topic Starter
  • Members
  • 12 posts

Posted 24 February 2017 - 04:15 PM

Here's the Fixlog.txt

Attached Files



#8 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 February 2017 - 09:23 AM

How is the computer running now?

#9 Bstar13
  • Topic Starter
  • Members
  • 12 posts

Posted 27 February 2017 - 07:45 PM

It seems like everything is okay and I didn't get any malware pop-ups, but I still am scared that the virus might be lurking in the shadows of my computer.



#10 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 February 2017 - 08:46 AM

This scan may take an hour or two. Execute it when you know you will not need the computer.

Please scan your computer with ESET Online Scanner.
  • Click on this link to open ESET Online Scanner in a new window.
    • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    • Close all your programs and browsers.
    • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.


Keep me posted.

#11 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 March 2017 - 10:56 AM

This topic has been re-opened at the request of the person who originally posted.

#12 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 20 March 2017 - 11:00 AM

I reopened your topic and copied your post here.

So here's the original post: https://www.bleepingcomputer.com/forums/t/640499/avast-and-malware-issues/

I didn't do the last scan because I was away for a bit ... but now I'm here and I tried to do a full scan with Avast and it gets blocked at 0% and I'm starting to freak out

I will close the other.

#13 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 March 2017 - 07:13 AM

Please run the Farbar tool and post fresh FRST and Addition.txt logs for my review.

In the meantime, restart the computer normally.
Check for the latest Avast update. Run the application to see if the problem persists.

#14 Bstar13
  • Topic Starter
  • Members
  • 12 posts

Posted 21 March 2017 - 01:58 PM

Here are the FRST and Addition.txt files

Attached Files



#15 nasdaq
  • Malware Response Team
  • 40,182 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 March 2017 - 07:42 AM



Remove these programs in bold via the Control Panel > Programs > Programs and Features.
Amazon 1Button App (HKLM-x32\...\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6}) (Version: 1.0.0.4 - Amazon) <==== ATTENTION
KMSpico v9.3.1 (HKLM\...\KMSpico_is1) (Version: 9.3.1 - )

===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
IFEO\SppExtComObj.exe: [Debugger] C:\WINDOWS\SECOH-QAD.exe
Startup: C:\Users\Gabriel\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FacebookGamesNotifier.exe.lnk [2016-06-09]
ShortcutTarget: FacebookGamesNotifier.exe.lnk -> C:\Users\Gabriel\AppData\Local\Facebook\Games\FacebookGamesNotifier.exe (No File)
CHR Extension: (BetterTTV) - C:\Users\Gabriel\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2017-03-16]
CHR Extension: (Avast SafePrice) - C:\Users\Gabriel\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2017-03-16]
CHR Extension: (Avast Online Security) - C:\Users\Gabriel\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2017-03-02]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Gabriel\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-08]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
C:\WINDOWS\SECOH-QAD.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

--RogueKiller--
  • Download RogueKiller and SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click Open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Please post the logs and let me know what problem persists.

Let me know if Avast is now able to complete its scan.
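Added example, not part of this thread and not FRST's own code: an offline triage helper for the FRST log line types quoted in posts #4 and #15 (orphaned scheduled tasks, the Image File Execution Options "Debugger" entry, firewall Allow rules, the WinDivert driver line and the browser search/homepage overrides). It flags the lines a responder would review for a fixlist and drafts the Start/End block used in this thread. The regexes are approximations of FRST's line format, the allow-lists of known-good directories and search hosts are hypothetical, and the sample lines are constructed by copying lines from the logs quoted above. The IFEO rule is the one worth noting: a Debugger value under Image File Execution Options makes Windows launch the named "debugger" in place of the program, so the entry redirecting SppExtComObj.exe (the Windows software-licensing KMS client) is flagged regardless of where SECOH-QAD.exe sits, even though it lives under C:\WINDOWS.

```python
"""Offline triage of FRST (Farbar Recovery Scan Tool) log lines.

Added example; not part of FRST or of this thread's fixes. Recognises the
line types quoted in the thread and flags the ones a responder would review
for a fixlist. Flagging rules and allow-lists are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed approximations of FRST line formats; FRST has more variants than these.
TASK_RE = re.compile(
    r"^Task: \{[0-9A-F-]+\} - (?P<name>.+?) (?:->|=>) (?P<target>.+?)(?: <==== ATTENTION)?$")
IFEO_RE = re.compile(r"^IFEO\\(?P<exe>[^:]+): \[Debugger\] (?P<debugger>.+)$")
FW_RE = re.compile(r"^FirewallRules: \[\{[0-9A-F-]+\}\] => \((?P<action>\w+)\) (?P<path>.+)$")
DRV_RE = re.compile(r"^[SRU]\d (?P<name>[^;]+); (?P<path>.+?) \[")
SEARCH_RE = re.compile(
    r"^(?:SearchScopes:|CHR HomePage:|CHR DefaultSearchURL:|FF Homepage:) .*?(?P<url>hxxps?://\S+)")

# Hypothetical allow-lists. Real triage compares against a baseline of the machine.
KNOWN_GOOD_ROOTS = ("c:\\windows\\", "c:\\program files\\google\\",
                    "c:\\program files (x86)\\google\\", "c:\\program files\\avast software\\")
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}


@dataclass
class Finding:
    kind: str    # short label for the class of problem
    line: str    # the original FRST line, reusable verbatim in a fixlist
    reason: str  # one-line explanation for the reviewer


def under_known_root(path: str) -> bool:
    """True when the path sits under one of the allow-listed directories."""
    p = path.strip('"').lower()
    return any(p.startswith(root) for root in KNOWN_GOOD_ROOTS)


def host_of(defanged_url: str) -> str:
    """Hostname of a URL that FRST has defanged as hxxp:// or hxxps://."""
    return urlsplit(re.sub(r"^hxxp", "http", defanged_url)).hostname or ""


def triage_line(line: str) -> Optional[Finding]:
    """Classify one FRST line; None means nothing to flag by these rules."""
    m = TASK_RE.match(line)
    if m:
        target = m["target"]
        if target in ("No File", "Pas de fichier"):  # FRST localises this marker
            return Finding("orphan-task", line, "scheduled task whose binary is missing")
        exe = target.split(" [", 1)[0]  # drop the trailing "[date] (vendor)"
        return None if under_known_root(exe) else Finding("task", line, f"task launches {exe}")
    m = IFEO_RE.match(line)
    if m:
        # An IFEO Debugger value makes Windows run the 'debugger' in place of the
        # program, so it is flagged whatever path the debugger has.
        return Finding("ifeo-hijack", line, f"{m['exe']} is redirected to {m['debugger']}")
    m = FW_RE.match(line)
    if m:
        if m["action"] == "Allow" and not under_known_root(m["path"]):
            return Finding("fw-allow", line, f"firewall Allow rule for {m['path']}")
        return None
    m = DRV_RE.match(line)
    if m:
        if not m["path"].lower().startswith("c:\\windows\\"):
            return Finding("driver", line, f"driver {m['name']} loads from {m['path']}")
        return None
    m = SEARCH_RE.match(line)
    if m:
        host = host_of(m["url"])
        if host not in KNOWN_SEARCH_HOSTS:
            return Finding("search-hijack", line, f"search/homepage points at {host}")
    return None


def triage(lines: List[str]) -> List[Finding]:
    return [f for f in map(triage_line, lines) if f is not None]


def build_fixlist(findings: List[Finding]) -> str:
    """Draft a fixlist.txt in the Start/End form used in this thread. FRST removes
    whatever it is given, so every line still needs a human review first."""
    body = "\n".join(f.line for f in findings)
    return "Start\nCreateRestorePoint:\nCloseProcesses:\n" + body + "\nEnd\n"


# Constructed sample: lines copied from the FRST output quoted in the thread.
SAMPLE_LOG = [
    "Task: {062D0F5A-D54B-4E2D-8306-55362C75EDF3} - \\Safer-Networking\\Spybot - Search and Destroy\\Check for updates -> No File <==== ATTENTION",
    "Task: {8DBF6AC7-895A-4B43-8665-7A051BD44FEB} - System32\\Tasks\\SweetLabs App Platform => C:\\Users\\Gabriel\\AppData\\Local\\SweetLabs App Platform\\Engine\\ServiceHostAppUpdater.exe [2016-11-15] (Pokki)",
    "IFEO\\SppExtComObj.exe: [Debugger] C:\\WINDOWS\\SECOH-QAD.exe",
    "FirewallRules: [{712EDD19-722C-4E3E-A1A1-DD3634A0B9B5}] => (Allow) C:\\Program Files\\KMSpico\\KMSELDI.exe",
    "S3 WinDivert1.1; C:\\Program Files\\KMSpico\\WinDivert.sys [35376 2015-04-06] (Basil Projects)",
    "SearchScopes: HKU\\S-1-5-21-1249004106-2950696070-1324742055-1001 -> {AA7F7C30-B0C8-11E4-827C-F8A9636D16F6} URL = hxxp://search.homepage-web.com/?src=omnibox&partner=acer&q={searchTerms}",
    "CHR HKLM-x32\\...\\Chrome\\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\\Program Files\\AVAST Software\\Avast\\WebRep\\Chrome\\aswWebRepChrome.crx [2016-05-26]",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}")
```

Run as-is it flags six of the seven sample lines and leaves the Avast extension line alone. The drafted fixlist is deliberately unreviewed output: as in this thread, a person reads every line before the Fix button is pressed, because FRST deletes exactly what it is handed.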



