Avast WEBforum
Other => Viruses and worms => Topic started by: Guts717 on September 23, 2012, 03:38:40 AM
-
Hi! I'm very, very new here and new to posting to forums like this. But I'm a bit at a loss on what I should do about my current problem. For the last couple of weeks my browser has had pop-ups in the right and left corner of the page, on sites that have never and would never have such pop-ups.
I used Malwarebytes and SUPERAntiSpyware to remove it all and thought it was over. But they keep coming back and now things are WAY worse. Not only do they keep coming back, I keep getting redirected to other, completely unrelated websites. Everything is running slow and sometimes I just can't get it to work at all.
I ran Microsoft Security Essentials recently and found out that I had two Trojans; it removed them but I'm still having issues. I tried running Avast, but to no avail. I'm not even sure what the problem is. If all of these things (run separately over the course of a couple of weeks) cannot find what the problem is and even safe mode is experiencing similar issues, then it's all just way over my head.
Any and all help would be greatly appreciated! I can provide answers to anything anyone would need to know, in order to help me.
-
Hi and welcome to the Forum
Let’s ask Essexboy, our Malware Expert to have a look inside.
Please follow this guide and attach (not copy and paste ) the requested logs. http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0)
AdwCleaner
Malwarebytes
OTL
aswMBR
Please be patient because of the time zone difference. Response will come tomorrow ;) :)
-
Thank you so very much for the fast reply! I've tried to do as you have suggested, but it won't let me run aswMBR or even open up some websites. I'll post the logs I have so far, but I might have to do it one at a time. So, here we go.
-
here's the next one.
-
The next one is the extra file for the OTL. But, the forum won't let me post the main log. It says it's too big for the attachment size. The attachment limit is 200 KB, and it's a 240 KB file.
-
The next one is the extra file for the OTL. But, the forum won't let me post the main log. It says it's too big for the attachment size. The attachment limit is 200 KB, and it's a 240 KB file.
Did you save it as ANSI .... if still too big use some file share site like http://www.mediafire.com/ and post the download link here
you may try to run aswMBR in safe mode
-
I tried running the aswMBR in safe mode but it still wouldn't run. I'm going to upload the OTL log if I can get it saved as ANSI. Right now it's a text document.
-
I'm going to upload the OTL log if I can get it saved as ANSI. Right now it's a text document.
ANSI is also txt ... see in Essexboy's guide how to
-
I just got it to work and was heading here to post it when I saw your reply back. Thank you for the help. :)
-
OK, most of the removal experts are on European time .... so in bed now, so check back tomorrow ;)
-
Will do! Thanks again!
-
Hi are you missing any files/folders/menus ?
- Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe) and save it on your desktop.
NOTE: If using IE8 or later, SmartScreen Filter will need to be disabled
- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished ...
- Click on Scan
(https://dl.dropbox.com/u/73555776/RKScan.GIF)
- Wait for the end of the scan.
- The report has been created on the desktop.
- Click on the Delete button.
(https://dl.dropbox.com/u/73555776/RKDelete.GIF)
- The report has been created on the desktop.
- Next click on the ShortcutsFix
(https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF)
- The report has been created on the desktop.
Please post: All RKreport.txt text files located on your desktop.
THEN
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
IE - HKU\S-1-5-21-93264391-2691908379-2114281164-1000\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No CLSID value found
IE - HKU\S-1-5-21-93264391-2691908379-2114281164-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = %3clocal%3e:80
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-93264391-2691908379-2114281164-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-93264391-2691908379-2114281164-1000\..\Toolbar\WebBrowser: (no name) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No CLSID value found.
O4 - HKU\S-1-5-21-93264391-2691908379-2114281164-1000..\Run: [SPMTray] "C:\Program Files (x86)\PC Speed Maximizer\SPMTray.exe" File not found
[2012/09/18 16:36:07 | 000,000,000 | ---D | C] -- C:\Users\The Pharmacist\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Recovery
[2012/09/18 16:36:09 | 000,000,136 | ---- | C] () -- C:\ProgramData\-ruWXPTPZImp0ILr
[2012/09/18 16:36:08 | 000,000,136 | ---- | C] () -- C:\ProgramData\-ruWXPTPZImp0IL
[2012/09/18 16:36:04 | 000,000,368 | ---- | C] () -- C:\ProgramData\ruWXPTPZImp0IL
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
FINALLY
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now
-
I am missing some little shortcuts that used to sit on my task bar on the left hand side of my screen right next to my start menu. Things like Firefox. Other than that, I seem to be fine. I did have a virus that was hiding some files, but I seemingly got rid of that problem and was just left with what I have now.
After I have done as was suggested in your post, I do seem to be able to visit sites that were difficult to access or just completely unresponsive for me. Right now, it's still running a tad slower than it should, but I can at least make it to the site in less than 2-5 minutes. It still takes about 15-30 seconds though, when it normally loaded in at least 5 seconds. But that's all I've noticed so far.
Here are the requested log files. Thank you very much for taking this time to help me. First up is the RogueKiller file, then the OTL file, and finally the ComboFix log.
-
OK, there will be at least another two runs to kill this, as there is an MBR infection as well
To be on the safe side I will run just one at a time
Download the latest version of TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application
(http://dl.dropbox.com/u/73555776/TDSSFront.JPG)
- Then click on Change parameters.
(http://dl.dropbox.com/u/73555776/TDSSConfig.JPG)
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
(http://dl.dropbox.com/u/73555776/TDSSFound.JPG)
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
(http://dl.dropbox.com/u/73555776/TDSSEnd.JPG)
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
-
I just downloaded the program and I'm having the same problems as I did with the aswMBR. It acts like I'm opening it up, but then nothing else happens. I tried opening it up in safe mode, but it did absolutely nothing in that as well.
Also, I'm noticing that my Avast program is blocking a lot of harmful sites. Even when I'm just starting up the PC and haven't got a browser open. Also, I don't know if it helps at all, but when I try to shut down my PC, it tells me it's waiting on a program to shut off. But, unlike every other program that it's ever had to wait on, it doesn't tell me what this program is that it's waiting on.
And I hadn't mentioned this before, but I had forgotten about it. If I leave my PC idle while it's running something like SUPERAntiSpyware or Malwarebytes, my PC might turn itself off completely. It's never done it while I've been sitting at it, and it doesn't always do it when I leave it alone to idle.
-
OK I will reverse the order of my fixes
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\services.exe.8924842A9B75BE9F
c:\windows\system32\drivers\ilcmxdxa.sys
c:\windows\system32\services.exe.0033B18275FEDB62
c:\windows\system32\services.exe.6DBFD142BA226F8D
c:\windows\system32\services.exe.C81440A147EC482D
c:\windows\system32\services.exe.C9A62BC68A76D16D
c:\windows\system32\services.exe.D070384C43052D6E
c:\windows\system32\services.exe.18CBE06FAB4A4B18
c:\windows\system32\drivers\vkwqboja.sys
c:\windows\system32\services.exe.7CC78F41CD9BDA22
c:\windows\system32\services.exe.A24116A8480A5B67
c:\windows\system32\services.exe.E6C3985694C3C40C
c:\windows\system32\services.exe.C40FF2BC95A06385
c:\windows\system32\services.exe.60EB0703A38CC965
c:\windows\system32\services.exe.9EE25D89C1A79A9F
c:\windows\system32\services.exe.F0A28DC33AF95ED7
c:\windows\system32\services.exe.86F6AFF59CC8008A
c:\windows\system32\services.exe.9D3FCDBC5A7338A9
c:\windows\system32\services.exe.15B52FAE7B414254
c:\windows\system32\services.exe.F89C6578CD369B48
c:\windows\system32\services.exe.6088442F0979929E
c:\windows\system32\services.exe.84CA2FC7AD7BCBA2
c:\windows\system32\services.exe.8A937F506CA44F54
c:\windows\system32\drivers\jcxmmwef.sys
c:\windows\system32\drivers\nccicidz.sys
Driver::
jcxmmwef
nccicidz
vpodkgqw
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
-
OK, here is the new log file. And I'm noticing that some sites are once again becoming difficult to visit. I had looked around to see if any of the problems were still there.
-
Update: Firefox just crashed on me and then Windows did shortly after. I got a blue screen telling me that it had encountered a serious problem and had to shut down.
-
Could you now retry TDSSKiller please, download a fresh copy but rename it to winlogon .. If it fails I will need a look at the mbr
- Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe) and save it on your desktop.
NOTE: If using IE8 or later, SmartScreen Filter will need to be disabled
- Quit all programs
- Start RogueKiller.exe.
- Wait until Prescan has finished ...
- Click on Scan
(https://dl.dropbox.com/u/73555776/RKScan.GIF)
- Wait for the end of the scan.
- The report has been created on the desktop.
-
OK, I ran the program again and it says it found two more files on my PC. I didn't delete them or anything yet, I only got the file and am posting it in this reply.
-
Did TDSSKiller run ?
-
Sorry, I did do that and it didn't run.
-
Could you download the following programme to a USB stick please
Listparts64 (http://www.bleepingcomputer.com/download/listparts/dl/78/)
Then reboot the computer and immediately press then hold F8
Is there an option called "Repair my Computer"
If so select that
If not let me know and I will give some links to make the USB bootable
Insert the USB
- Select Command Prompt
- In the command window type in notepad and press Enter.
- A Notepad window will open. Under File menu select Open.
- Select "Computer" and find your flash drive letter and then close Notepad.
- In the command window type e:\listparts64 (64bit) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run.
- Press Scan button.
- When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes on the flash drive.
-
OK, I used another PC to download the program to a USB drive just to be safe. But, when I put the USB drive into my PC and then select repair computer, it says:
Windows failed to start. A recent hardware or software change might be the problem:
1. insert your windows installation disc and restart your computer.
2. choose your language settings, and then click "next."
3. click "repair your computer."
if you do not have this disc, contact your system administrator or computer manufacturer for assistance.
Status: 0xc000000f
Info: The boot selection failed because a required device is inaccessible.
What should I do now?
-
OK, let's use the same USB but this time we will put the recovery console on to it as well
Download the following three programmes to your desktop :
1. WiNToBootic (https://dl.dropbox.com/u/73555776/WiNToBootic.exe)
2. Windows 7 64bit RC (http://www.forum.probz.net/index.php?/files/file/19-windows-7-recovery-environment-iso/)
3. Farbar Recovery Scan Tool x64 (http://download.bleepingcomputer.com/farbar/FRST64.exe)
Extract wintoboot to your desktop
Insert a USB drive of at least 1GB
Run Wintoboot
(http://dl.dropbox.com/u/73555776/wintoboot.JPG)
Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It
You will see it progressing
(http://dl.dropbox.com/u/73555776/usb%20progress.JPG)
It will let you know when it is done
Then copy FRST to the same USB
(http://dl.dropbox.com/u/73555776/frstwintoboot.JPG)
Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here (http://pcsupport.about.com/od/fixtheproblem/ss/bootorderchange.htm)
When you reboot you will see this, although yours will say Windows 7. Click Repair my computer
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg)
Select your operating system
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg)
Select Command prompt
(http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg)
At the command prompt type the following :
notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
-
OK, I downloaded all of that on to another PC and tried to perform the first step. But, once I run that program and press Do It, it runs just for a few seconds and then says:
drive formatted.
flashing failed.
-
Sounds like the USB is not compatible, this does not happen often enough to warrant a warning .. Do you have another USB drive ?
-
I will have to buy a new one I'm afraid. Which won't be till later tonight. :( But, I'll do as you instructed as soon as I get it and have the post hopefully updated before tomorrow. Thank you for all of your help so far! :)
-
And.. I got it! ;D
-
I see it ;D
Download the attached fixlist.txt to the same USB drive as FRST
Restart the computer as before to the recovery console
Run FRST and click Fix
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FRST2.gif)
A log will be generated on the USB drive
Reboot to normal windows
Once there then please run TDSSKiller and attach the log along with the FRST fix log
-
OK, I did all of that but I still can't run the TDSSKiller. And when I try to open up the USB drive on my infected PC, it says I need to format it before I can use it.
-
OK go back to the recovery console Command prompt using the USB and type in the following pressing enter after each line
Bootrec /fixmbr
Bootrec /fixboot
The reboot and try TDSSKiller once more
-
The first line worked out fine, but the second one says:
the volume does not contain a recognized file system. please make sure that all required file system drivers are loaded and that the volume is not corrupted.
-
OK could you now retry TDSSKiller please
-
It finally ran! But, It said that it didn't find anything.
-
;D
OK how is the computer behaving now ?
-
Pages are loading as fast as they should be, but I occasionally get redirected to another web page. But, Avast is not popping up near as much as it was; I haven't noticed it in the last hour or so.
-
OK could you run a final OTL scan please to make sure that nothing remains
-
OK, the scan just finished.
I also had a question about the error I received earlier, about there being missing drivers. Is that something I should fix?
-
Did you have the USB drive plugged in at the time that you got the error ?
All looks good now any remaining problems ?
-
Yeah, I had the USB plugged in.
And it all looks good. The only remaining problems seem to be the two times I got a redirect and the one time the page didn't load at all. But, the page not loading could just be normal and unrelated to the problem I was having.
-
OK run the system as normal and if all is well tomorrow I will remove my tools
-
OK, I'll let you know if anything comes up. Thank you so much for all of your help!
-
So far, I've been redirected to a site twice. But other than that, everything seems fine.
-
Is that in Firefox? There is one reg entry that states file not found, let's confirm that
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
[1832/11/29 00:34:33 | 000,004,804 | ---- | M] () (No name found) -- C:\USERS\THE PHARMACIST\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\I9AYAXGS.DEFAULT\EXTENSIONS\IKBAOCDWHL@IKBAOCDWHL.ORG.XPI
:Files
C:\USERS\THE PHARMACIST\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\I9AYAXGS.DEFAULT\EXTENSIONS\IKBAOCDWHL@IKBAOCDWHL.ORG.XPI
:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
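The OTL fix scripts and the ComboFix script in this thread all target a handful of recognisable log patterns: copies of services.exe with a hex suffix, randomly named drivers under system32\drivers, a ProxyServer value of <local>:80, toolbar and URLSearchHook entries with no CLSID, Run keys pointing at files that no longer exist, and a Firefox extension carrying an impossible 1832 timestamp. The script below is an added example for readers, not one of Essexboy's tools and not from the thread: it reads OTL/ComboFix-style lines and reports entries matching those patterns for review, without deleting anything. The sample lines, the SID, the GUID, the hex suffix, the driver name qzxvkwpt and every path in them are constructed for the example, and the 1990 cut-off for plausible file dates and the vowel/consonant heuristic for random names are assumptions of this script.

```python
import re

# Constructed sample lines written in the style of OTL and ComboFix listings.
# They are NOT the logs from the thread: the SID, GUID, hex suffix, driver
# name and paths below are all made up for this example.
SAMPLE_LOG_LINES = [
    r'IE - HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = %3clocal%3e:80',
    r'IE - HKU\S-1-5-21-0-0-0-1000\..\URLSearchHook: {00000000-1111-2222-3333-444444444444} - No CLSID value found',
    r'O4 - HKU\S-1-5-21-0-0-0-1000..\Run: [FakeTray] "C:\Program Files (x86)\Fake Tool\FakeTray.exe" File not found',
    r'O4 - HKLM..\Run: [RealTray] "C:\Program Files\Real Tool\RealTray.exe" ()',
    r'[2012/09/18 16:36:09 | 000,000,136 | ---- | C] () -- C:\ProgramData\-abcDEFghIJkl',
    r'[2012/09/18 16:36:04 | 000,000,368 | ---- | C] () -- C:\ProgramData\abcDEFghIJkl',
    r'[1832/11/29 00:34:33 | 000,004,804 | ---- | M] () (No name found) -- C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\extensions\abc@abc.org.xpi',
    r'c:\windows\system32\services.exe.0123456789ABCDEF',
    r'c:\windows\system32\services.exe',
    r'c:\windows\system32\drivers\qzxvkwpt.sys',
    r'c:\windows\system32\drivers\tcpip.sys',
    r'c:\windows\system32\drivers\fileinfo.sys',
]

# Each check is (reason, compiled regex); a hit on a line yields one finding.
CHECKS = [
    # services.exe followed by a 16-hex-digit suffix, as in the ComboFix File:: list
    ("services.exe clone",
     re.compile(r"\\services\.exe\.[0-9a-f]{16}\s*$", re.I)),
    # ProxyServer pointing at <local> (OTL shows it URL-encoded as %3clocal%3e)
    ("ProxyServer set to <local>",
     re.compile(r'"ProxyServer"\s*=\s*(?:%3clocal%3e|<local>)', re.I)),
    # toolbar / URLSearchHook entries whose CLSID no longer resolves
    ("orphaned CLSID entry",
     re.compile(r"No CLSID value found", re.I)),
    # autostart entries whose target binary is gone
    ("Run entry points to missing file",
     re.compile(r"\\Run: \[[^\]]+\].*File not found", re.I)),
    # ProgramData files whose name begins with a dash (paired with an undashed twin)
    ("ProgramData file with leading dash",
     re.compile(r"\\ProgramData\\-[^\\]+\s*$", re.I)),
]

# Eight-letter driver names get a second look; the name itself is captured.
RANDOM_DRIVER = re.compile(r"\\drivers\\([a-z]{8})\.sys\s*$", re.I)
# OTL file entries start with "[YYYY/MM/DD HH:MM:SS | ...".
OTL_TIMESTAMP = re.compile(r"^\[(\d{4})/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \|")
EARLIEST_PLAUSIBLE_YEAR = 1990  # assumption: no genuine file on this system predates this


def looks_random(name: str) -> bool:
    """Heuristic (an assumption of this example) for machine-generated names:
    two or fewer vowels, or a run of four or more consonants. Real eight-letter
    drivers such as 'fileinfo' are not flagged; some legitimate names may be."""
    name = name.lower()
    vowels = sum(ch in "aeiou" for ch in name)
    longest_run = max((len(run) for run in re.findall(r"[^aeiou]+", name)), default=0)
    return vowels <= 2 or longest_run >= 4


def triage(lines):
    """Return (reason, line) pairs for every suspicious entry, in input order.
    A line can produce more than one finding if several checks apply."""
    findings = []
    for line in lines:
        for reason, pattern in CHECKS:
            if pattern.search(line):
                findings.append((reason, line))
        driver = RANDOM_DRIVER.search(line)
        if driver and looks_random(driver.group(1)):
            findings.append(("random-looking driver name", line))
        stamp = OTL_TIMESTAMP.match(line)
        if stamp and int(stamp.group(1)) < EARLIEST_PLAUSIBLE_YEAR:
            findings.append(("implausible timestamp", line))
    return findings


def reasons(lines):
    """Just the reason labels, handy for a quick summary or a test."""
    return [reason for reason, _ in triage(lines)]


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG_LINES):
        print(f"{reason:36s} {line}")
```

Run against the constructed lines it reports seven findings, one per pattern, and leaves services.exe itself, tcpip.sys, fileinfo.sys and the Run entry with a present file alone. The output is a review list, not a removal script: as the thread shows, deciding what to delete still needs a person reading the full log.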
-
OK, I just ran the scan and here is the log it made.
-
Any further redirects ?
-
It was pretty rare after we fixed the majority of the issues, so it might take me a day or two before I notice a redirect anywhere. I'll let you know if I see anything. And again, I can't thank you enough!
-
OK once you are happy let me know and I will tidy up
-
So far, so good!
-
Subject to no further problems :)
I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
- Go to control panel
- Select folder options (Appearance > Folder options in category view)
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.
Upgrading Java:
- Go to this site (http://java.com/en/) and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
To manually create a new Restore Point
- Go to Control Panel and select System
- Select System
- On the left select System Protection and accept the warning if you get one
- Select System Protection Tab
- Select Create at the bottom
- Type in a name i.e. Clean
- Select Create
Now we can purge the infected ones
- Go Start > All Programs > Accessories > System Tools
- Right-click Disk Cleanup and select Run as administrator
- Select Your main drive and accept the warning if you get one
- For a few moments the system will make some calculations
- Select the More Options tab
- In the System Restore and Shadow Backups select Clean up
- Select Delete on the pop up
- Select OK
- Select Delete
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif)
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean
Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly; it will show you which programmes on your system need updating and give a download link
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
- Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
OK, I did everything you just told me to do. Java said I had the most up to date version, but just needed to remove an older version. And I downloaded the FileHippo program, but it says that a device attached to the system is not functioning.
-
Typical, there is always the odd system that does not like a programme for no real reason that can be found. It looks like you and FileHippo are in that category
-
OK, so that means that we are finished and everything is cleaned up now?
-
As long as you are happy, you are good to go ;D
-
Woo! Thanks! Thanks a lot!