Author Topic: please help me with this malware/virus?

penguina
please help me with this malware/virus?
« on: May 22, 2013, 07:25:14 PM »
Hello, and thank you very much in advance for any help provided, I am grateful!!!

I am not completely stupid when it comes to computers; I'd say I'm 'a bit above average' if you were to look at the general population, but I'm still not completely hip to all the lingo, so please bear with me if I have to ask a stupid question :)

I'll start with the history/symptoms ---

Purchased computer new less than a year ago (Nov 2012)
In the last month or so, when I go to restart the computer, often it would not boot.  Usually would boot on the 2nd or 3rd try.
Today, it would not boot at all (the computer itself would turn on as well as the monitor, but only black screen.)
I turned off the power strip, unplugged/replugged everything just to make sure something wasn't loose or a squished cord.
Tried to reboot.  Black screen again.
Reboot #2 worked.
Everything started as normal, except when I went to open Google Chrome, my regular 'dashboard' page popped up - as usual - and then a second page popped up, without me doing/clicking anything - it was hotcleaner . com.  It showed a bar saying it was checking my system and I closed it really fast.
I closed chrome, deleted all web history, cookies, etc.
Opened chrome again to come to this website.
Got a red popup from avast: 

http://turning8.info/lps/flvupdate.php?c...
Process:   C:\Program Files (x86)\Google\Chrome\App...
Infection:   URL:Mal

I ran a check on Spybot - Search & Destroy - I'll include some of the report you may find useful below.  Please let me know if I missed anything (and my apologies if I didn't post the right parts, or repeated them...) or can answer any more questions in assisting your help!!


penguina
Re: please help me with this malware/virus?
« Reply #1 on: May 22, 2013, 07:27:36 PM »

------------------------------------------------------------------------------------------------------------------------

-- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---


Located: HK_LM:Run,
command:
   file:
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: HK_LM:Run, Adobe ARM
command: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
   file: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
   size: 958576
    MD5: 48BE298F7FD1BEF4D8FBACB04D8D95C4

Located: HK_LM:Run, avast
command: "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
   file: C:\Program Files\AVAST Software\Avast\avastUI.exe
   size: 4858968
    MD5: 3F11B20D12D89365D7721BDC860CE5F0

Located: HK_LM:Run, HP Software Update
command: c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
   file: c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
   size: 49208
    MD5: C637FC4638A96165256B28D38DE7B953

Located: HK_LM:Run, PDF Complete
command: C:\Program Files (x86)\PDF Complete\pdfsty.exe
   file: C:\Program Files (x86)\PDF Complete\pdfsty.exe
   size: 658424
    MD5: 29BAD398C82369BFC1E709B536520960

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
   file: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
   size: 253816
    MD5: D63797E8E7781EE1500A810CB6194FA6

Located: HK_CU:Run, Sidebar
  where: S-1-5-19...
command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
   file: C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
   size: 1174016
    MD5: DCCA4B04AF87E52EF9EAA2190E06CBAC

Located: HK_CU:RunOnce, mctadmin
  where: S-1-5-19...
command: C:\Windows\System32\mctadmin.exe
   file: C:\Windows\System32\mctadmin.exe
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: HK_CU:Run, Sidebar
  where: S-1-5-20...
command: %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
   file: C:\Program Files (x86)\Windows Sidebar\Sidebar.exe
   size: 1174016
    MD5: DCCA4B04AF87E52EF9EAA2190E06CBAC

Located: HK_CU:RunOnce, mctadmin
  where: S-1-5-20...
command: C:\Windows\System32\mctadmin.exe
   file: C:\Windows\System32\mctadmin.exe
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E
         Warning: if the file is actually larger than 0 bytes,
         the checksum could not be properly calculated!

Located: HK_CU:Run, Magic Canvas
  where: S-1-5-21-2052497529-376305701-1047746094-1001...
command: "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\SmartCenter\SmartCenter.exe"
   file: C:\Program Files (x86)\Hewlett-Packard\TouchSmart\SmartCenter\SmartCenter.exe
   size: 6162432
    MD5: BF2D499B1F2EA456B63C1BDE47D6872B

Located: HK_CU:Run, Sidebar
  where: S-1-5-21-2052497529-376305701-1047746094-1001...
command: C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
   file: C:\Program Files\Windows Sidebar\sidebar.exe
   size: 1475584
    MD5: E3BF29CED96790CDAAFA981FFDDF53A3

Located: HK_CU:Run, Spotify Web Helper
  where: S-1-5-21-2052497529-376305701-1047746094-1001...
command: "C:\Users\ilovemustacherides\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
   file: C:\Users\ilovemustacherides\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
   size: 1105408
    MD5: F10ADB851EF1BD5144FE6D1691CD7576

Located: HK_CU:Run, SpybotSD TeaTimer
  where: S-1-5-21-2052497529-376305701-1047746094-1001...
command: C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
   file: C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
   size: 2260480
    MD5: 390679F7A217A5E73D756276C40AE887

-----------------------------------------------------------------------------------------------------------


--- Report generated: 2013-05-21 10:03 ---

Log:  Install: setupact.log (Backup file, fixed)
  C:\windows\setupact.log

MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, fixed)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, fixed)
  HKEY_USERS\S-1-5-21-2052497529-376305701-1047746094-1001\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, fixed)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Direct3D\MostRecentApplication\Name

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, fixed)
  HKEY_USERS\S-1-5-21-2052497529-376305701-1047746094-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, fixed)
  HKEY_USERS\S-1-5-21-2052497529-376305701-1047746094-1001\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, fixed)
  HKEY_USERS\S-1-5-21-2052497529-376305701-1047746094-1001\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, fixed)
  HKEY_USERS\S-1-5-21-2052497529-376305701-1047746094-1001\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Cookie: [SBI $49804B54] Cookie (9) (Cookie, fixed)
 

Cache: [SBI $49804B54] Cache (19) (Cache, fixed)
 

History: [SBI $49804B54] History (70) (History, fixed)
 

Congratulations!: No immediate threats were found. (Status)
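An added example, not the thread's or Spybot's own code: a small Python triage pass over autostart entries in the report layout quoted above, flagging the sort of lines a malware helper reads first (an unnamed Run value with an empty command, a file that could not be hashed, a program launched from the user profile). The three-entry sample is constructed from that layout, and the function names are my own.

```python
import re
# Constructed sample in the layout of the Spybot S&D 1.6 autostart report
# quoted above (three entries only, not the poster's full report).
SAMPLE = r"""
Located: HK_LM:Run,
command:
   file:
   size: 0
    MD5: D41D8CD98F00B204E9800998ECF8427E

Located: HK_LM:Run, avast
command: "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
   file: C:\Program Files\AVAST Software\Avast\avastUI.exe
   size: 4858968
    MD5: 3F11B20D12D89365D7721BDC860CE5F0

Located: HK_CU:Run, Spotify Web Helper
command: "C:\Users\me\AppData\Roaming\Spotify\SpotifyWebHelper.exe"
   file: C:\Users\me\AppData\Roaming\Spotify\SpotifyWebHelper.exe
   size: 1105408
    MD5: F10ADB851EF1BD5144FE6D1691CD7576
"""
MD5_EMPTY = "D41D8CD98F00B204E9800998ECF8427E"  # MD5 of zero bytes, as in the report

def parse_entries(report):
    """One dict per 'Located:' block, keyed by the report's own field names."""
    entries = []
    for block in re.split(r"\n\s*\n", report.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.strip().partition(":")
            entry[key.strip().lower()] = value.strip()
        if "located" in entry:
            hive, _, name = entry["located"].partition(",")
            entry["hive"], entry["name"] = hive.strip(), name.strip()
            entries.append(entry)
    return entries

def triage(entry):
    """Heuristic reasons to look closer; legitimate software trips these too."""
    reasons, cmd, path = [], entry.get("command", ""), entry.get("file", "")
    if not entry["name"] and not cmd:
        reasons.append("unnamed Run value with an empty command")
    if path and (entry.get("size") == "0" or entry.get("md5", "").upper() == MD5_EMPTY):
        reasons.append("file missing or unreadable (zero-byte MD5)")
    if re.search(r"\\Users\\[^\\]+\\AppData\\", path, re.I):
        reasons.append("runs from the user profile rather than Program Files")
    return reasons

def suspicious_entries(report):
    # Entry name -> reasons, only for entries that deserve a second look.
    return {e["name"] or "<unnamed>": r for e in parse_entries(report) if (r := triage(e))}
```

The flags are a review queue, not a verdict: the Spotify helper in the original report is legitimate and still trips the profile-path rule.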

Pondus
Re: please help me with this malware/virus?
« Reply #2 on: May 22, 2013, 07:32:24 PM »
Follow the guide and attach the logs (not copy and paste): http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

When done, removal experts will be notified and help will arrive.


penguina
Re: please help me with this malware/virus?
« Reply #3 on: May 22, 2013, 07:45:08 PM »
^^^thank you!!

Here's AdwCleaner.

penguina
Re: please help me with this malware/virus?
« Reply #4 on: May 22, 2013, 07:56:58 PM »
MBAM

penguina
Re: please help me with this malware/virus?
« Reply #5 on: May 22, 2013, 08:12:13 PM »
OTL

penguina
Re: please help me with this malware/virus?
« Reply #6 on: May 22, 2013, 08:21:23 PM »
aswMBR

essexboy
Re: please help me with this malware/virus?
« Reply #7 on: May 22, 2013, 09:26:51 PM »
Are you still experiencing the boot problems?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
O3 - HKU\S-1-5-21-2052497529-376305701-1047746094-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

 
