Author Topic: Help removing the multiple windows update icons malware  (Read 741 times)

Offline PWright

  • Newbie
  • *
  • Posts: 6
    • Personal Message (Offline)
Help removing the multiple windows update icons malware
« on: August 17, 2013, 08:46:44 PM »
Hello,

I have the same problem as this guy: http://forum.avast.com/index.php?topic=120789.0. I created a new thread because as  guy who answered in the thread I linked said, the steps are unique for each PC!

I've already run OTL for the first time as explained in the thread I linked ("with Scan all users", "include 64bit scans", "LOP check" and "Purity check" and the code pasted into the custom scans area). And it produced the anexed OTL file.

I checked the folder and it didn't produce any Extras file this time.

I've already tried malwarebytes to remove it, with no success.

Also, if that helps, I have dual boot on my pc with ubuntu...it might help if there's some removal step involved, to circunvent anything the malware did that keeps me from removing some file!

Thanks in advance

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 28970
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
    • Personal Message (Offline)
Re: Help removing the multiple windows update icons malware
« Reply #1 on: August 17, 2013, 09:16:03 PM »
Hi there this probably came from an infected USB

Download McShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

Plug in the drive and McShield will start a scan

Then get the log which will be here :

Start > all programs > MCShield > logs > all scans

And post that

Then run the OTL fix and follow with a fresh scan

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code: [Select]
:Commands
[CREATERESTOREPOINT]

:OTL
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=ironpub&chnl=ironpub&cd=2XzuyEtN2Y1L1QzuzzyEzz0FyCzy0BtDyCyDtByEyC0B0BzytN0D0Tzu0StByEtCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2054170067
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=ironpub&chnl=ironpub&cd=2XzuyEtN2Y1L1QzuzzyEzz0FyCzy0BtDyCyDtByEyC0B0BzytN0D0Tzu0StByEtCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2054170067
IE - HKU\S-1-5-21-3102745131-1227957348-1422402284-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Backup.Old.Start Page = http://search.babylon.com/?affID=110808&tt=3412_1&babsrc=HP_ss&mntrId=0c226bb90000000000004c809319d44f
IE - HKU\S-1-5-21-3102745131-1227957348-1422402284-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=ironpub&chnl=ironpub&cd=2XzuyEtN2Y1L1QzuzzyEzz0FyCzy0BtDyCyDtByEyC0B0BzytN0D0Tzu0StByEtCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2054170067
IE - HKU\S-1-5-21-3102745131-1227957348-1422402284-1000\..\SearchScopes\{39B03100-137A-AE8B-BF32-5BE79FBE5FB8}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=110808&tt=3412_1&babsrc=SP_ss&mntrId=0c226bb90000000000004c809319d44f
IE - HKU\S-1-5-21-3102745131-1227957348-1422402284-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
FF - prefs.js..backup.old.browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.defaultenginename: "Search"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Search"
[2012/08/29 20:25:52 | 000,002,347 | ---- | M] () -- C:\Users\alberto\AppData\Roaming\mozilla\firefox\profiles\fh96mgst.default\searchplugins\Search.xml
O4 - HKLM..\Run: [ApnTBMon] C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe (APN)
O4 - HKU\S-1-5-21-3102745131-1227957348-1422402284-1000..\Run: [12] C:\Users\alberto\AppData\Roaming\044b\12.js ()
[2013/08/17 08:04:02 | 000,000,000 | -HSD | C] -- C:\Users\alberto\AppData\Roaming\044b
[2013/08/16 21:22:56 | 000,000,000 | -HSD | C] -- C:\05b1
[2012/08/29 20:25:31 | 000,384,844 | ---- | C] () -- C:\Users\alberto\AppData\Local\funmoods-speeddial.crx
[2013/07/29 15:47:37 | 000,000,000 | ---D | C] -- C:\ProgramData\boost_interprocess

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Offline PWright

  • Newbie
  • *
  • Posts: 6
    • Personal Message (Offline)
Re: Help removing the multiple windows update icons malware
« Reply #2 on: August 18, 2013, 06:57:57 AM »
I anexed both logs from OTL: Fix and Quick Scan

MCShield didn't produce a log because I formated the flash drive, and when I scanned it with MCShield, it found nothing!

Thanks!

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 28970
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
    • Personal Message (Offline)
Re: Help removing the multiple windows update icons malware
« Reply #3 on: August 18, 2013, 09:41:30 AM »
Could you confirm the alerts have ceased and the system is running normally

Offline PWright

  • Newbie
  • *
  • Posts: 6
    • Personal Message (Offline)
Re: Help removing the multiple windows update icons malware
« Reply #4 on: August 18, 2013, 04:36:09 PM »
No, I still get them. Avast also alerts me of the presence of malware when I startup outside of safe mode

Offline Steven Winderlich

  • Super Poster
  • ***
  • Posts: 1827
  • Gender: Male
  • Happy Easter :)
    • Personal Message (Offline)
Re: Help removing the multiple windows update icons malware
« Reply #5 on: August 18, 2013, 04:40:54 PM »
Avast is not running in safe mode so thats why it is not giving alerts.

Please follow Essexboys instructions to clean this up. :D

Or if you want you can run a full system scan or take a screenshot of the alert please so that we can know where this is sitting.
Windows 8.1 Update 1 64-Bit, Avast 2014 Free 9.0.2018, Malwarebytes 2 PRO, MCShield

Offline PWright

  • Newbie
  • *
  • Posts: 6
    • Personal Message (Offline)
Re: Help removing the multiple windows update icons malware
« Reply #6 on: August 18, 2013, 04:54:47 PM »
Avast actually still alerts me of the presence of malware. I followed his instructions up until hist last post (running the OTL fix and running the OTL quick scan) but still, no luck. I'll be waiting for his next instructions!

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 28970
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
    • Personal Message (Offline)
Re: Help removing the multiple windows update icons malware
« Reply #7 on: August 18, 2013, 07:49:40 PM »
OK got it, one was hidden until I removed the others

 Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code: [Select]
:Commands
[CREATERESTOREPOINT]

:OTL
O4 - Startup: C:\Users\alberto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\48.js ()

:Files
C:\Users\alberto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Offline PWright

  • Newbie
  • *
  • Posts: 6
    • Personal Message (Offline)
Re: Help removing the multiple windows update icons malware
« Reply #8 on: August 18, 2013, 09:50:07 PM »
Two logs anexed!

Edit: Just to report that I'm having problems with the malware :/
« Last Edit: August 18, 2013, 10:05:11 PM by PWright »

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 28970
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
    • Personal Message (Offline)
Re: Help removing the multiple windows update icons malware
« Reply #9 on: August 19, 2013, 01:38:57 PM »
It appears that they have now hardened this, could you run the next fix from safe mode please

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

Code: [Select]
:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
O4 - HKCU..\Run: [12] C:\Users\alberto\AppData\Roaming\044b\12.js ()
[2013/08/18 16:06:30 | 000,000,000 | -HSD | C] -- C:\Users\alberto\AppData\Roaming\044b
[2013/08/18 16:06:26 | 000,000,000 | -HSD | C] -- C:\05b1

:Files
C:\Users\alberto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Offline PWright

  • Newbie
  • *
  • Posts: 6
    • Personal Message (Offline)
Re: Help removing the multiple windows update icons malware
« Reply #10 on: August 19, 2013, 06:26:59 PM »
Two latest logs attached.

I've restarted my computer outside of safe mode and so far so good, no avast alerts and no multiplying windows update icons (only the real one, which doesn't disappear when I mouse over it). It seems like the malware is finally dead! I'll be keeping an eye to see if there are any changes though

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 28970
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
    • Personal Message (Offline)
Re: Help removing the multiple windows update icons malware
« Reply #11 on: August 19, 2013, 06:47:09 PM »
Yep that's it now, if all is well tomorrow let me know and I will tidy up

 

Google Chrome

AVAST recommends using the FREE Google Chrome™ browser.

Download Google Chrome Now