Avast WEBforum
Other => Viruses and worms => Topic started by: chase21 on February 12, 2013, 02:01:38 AM
-
First, I would like to thank whoever it is that assists me with the problem I'm having. I've been trying to clear this all up for a while, but it seems to be getting worse. It's shut down my Avast software and it continues to change my search engine and add browser toolbars.
At one time it was keeping me from getting online and using my keyboard, but so far I have fixed that issue. I have attached logs to help whoever assists me. I have popups in my browser (Firefox), YIM, and even Steam. Again, thank you for any and all help. Oh, and this pops up in the address bar when I try to make a new tab in Firefox: http://www.[r;;iåvÞyevq¾qîx»òki.com/
-
AdwCleaner removed a ton of crap.... do you still have the problem?
Your Malwarebytes log says "No Action Taken"; you need to click Remove Selected after the scan to quarantine what was found.
If you did not, update MBAM, run a Quick Scan and click the Remove Selected button.
Malware removers are notified and will check your logs later today.....
-
Hi, you have ZeroAccess plus a more difficult rootkit that may need several runs to clear.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
SRV:64bit: - [2012/08/31 12:47:38 | 000,085,944 | ---- | M] () [Unknown (-1) | Unknown] -- C:\Windows\SysNative\drivers\7f2fe1f1d990b7f7.sys -- (7f2fe1f1d990b7f7)
DRV:64bit: - [2012/08/31 12:47:38 | 000,085,944 | ---- | M] () [Unknown (-1) | Unknown (-1) | Unknown] -- C:\Windows\SysNative\drivers\7f2fe1f1d990b7f7.sys -- (7f2fe1f1d990b7f7)
[2012/09/14 20:09:51 | 000,005,120 | -HS- | M] () -- C:\Windows\assembly\GAC_32\Desktop.ini
[2012/09/14 20:09:51 | 000,006,144 | -HS- | M] () -- C:\Windows\assembly\GAC_64\Desktop.ini
:Files
C:\$Recycle.bin\S-1-5-18\$211c1b78d467a48afff83ead458d984f
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop and rename to Gotcha
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
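As an added example (not part of this thread, and not the poster's logs), a small Python checker that parses OTL-style file and driver lines and flags the three ZeroAccess-style artifacts the fix above removes: a random 16-hex-digit driver with no vendor, hidden+system Desktop.ini files in the GAC_32/GAC_64 folders, and a hex-named folder under the SYSTEM recycle bin. The sample log lines are constructed from the entries in the fix plus one normal Microsoft driver for contrast.

```python
import re

# Constructed OTL-style lines modelled on the fix above (not the poster's attachments);
# the afd.sys entry is an invented legitimate driver to show what is NOT flagged.
SAMPLE_LOG = r"""
DRV:64bit: - [2012/08/31 12:47:38 | 000,085,944 | ---- | M] () [Unknown (-1) | Unknown (-1) | Unknown] -- C:\Windows\SysNative\drivers\7f2fe1f1d990b7f7.sys -- (7f2fe1f1d990b7f7)
DRV:64bit: - [2009/07/13 19:52:20 | 000,053,312 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\afd.sys -- (AFD)
[2012/09/14 20:09:51 | 000,005,120 | -HS- | M] () -- C:\Windows\assembly\GAC_32\Desktop.ini
[2012/09/14 20:09:51 | 000,006,144 | -HS- | M] () -- C:\Windows\assembly\GAC_64\Desktop.ini
[2012/09/14 20:09:51 | 000,000,000 | ---D | C] -- C:\$Recycle.bin\S-1-5-18\$211c1b78d467a48afff83ead458d984f
[2012/09/14 20:09:51 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents
"""

# One OTL entry: [date time | size | attribute flags | M/C] (vendor) ... -- path [-- (service)]
LINE_RE = re.compile(
    r"\[(?P<ts>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attr>[^|]+?)\s*\|\s*[MC]\]"
    r"(?:\s*\((?P<vendor>[^)]*)\))?.*?--\s*(?P<path>[A-Za-z]:\\.*?)(?:\s+--\s|\s*$)"
)

# Indicator patterns taken from the paths in the fix above.
HEX16_DRIVER = re.compile(r"\\drivers\\[0-9a-f]{16}\.sys$", re.I)
GAC_INI = re.compile(r"\\assembly\\GAC_(?:32|64)\\Desktop\.ini$", re.I)
RECYCLE_DIR = re.compile(r"\\\$Recycle\.bin\\S-1-5-18\\\$[0-9a-f]{32}$", re.I)

def parse_otl(log_text):
    """Extract path, attribute flags and vendor from every OTL file/driver line."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append({"path": m["path"], "attr": m["attr"], "vendor": m["vendor"] or ""})
    return entries

def classify(entry):
    """Return a reason string if the entry matches a ZeroAccess-style indicator, else None."""
    path, attr, vendor = entry["path"], entry["attr"], entry["vendor"]
    if HEX16_DRIVER.search(path) and not vendor:
        return "random-named driver with no vendor"
    if GAC_INI.search(path) and "H" in attr and "S" in attr:
        return "hidden+system Desktop.ini in GAC folder"
    if RECYCLE_DIR.search(path):
        return "hex-named folder in SYSTEM recycle bin"
    return None

def find_indicators(log_text):
    """Return [(path, reason)] for every suspicious entry in the log text."""
    hits = []
    for entry in parse_otl(log_text):
        reason = classify(entry)
        if reason:
            hits.append((entry["path"], reason))
    return hits
```

Run `find_indicators` over the text of a real OTL.txt to get a shortlist to verify by hand; a hit is a prompt to look closer, not proof on its own.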
-
Thank you both for your help. I had taken an action with my Malwarebytes program after I saved the log I posted. Here are the logs you requested, and I even included the one OTL created before the Quick Scan log.
-
OK, one more to kill. Once done, can you let me know what problems remain?
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\System32\Drivers\7f2fe1f1d990b7f7.sys
Driver::
7f2fe1f1d990b7f7
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
-
OK, here's the last log; I hope it helps with whatever you need it for. It seems that things are running better so far, so thank you for that!
-
How is the computer now? Do Windows Updates work?
-
No, I can't download any updates and Avast seems to still be busted. Also, while I haven't seen any popups, there's still a menu bar in my Firefox that shouldn't be there and something called "football feed" that starts up when I turn on my PC. Also, I still get this http://www.[r;;iåvÞyevq¾qîx»òki.com/ when I open up a new tab in my browser.
-
OK, I thought that there would still be problems.
Download and run Farbar Service Scanner (http://download.bleepingcomputer.com/farbar/FSS.exe)
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg)
Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.
THEN
Could you run a fresh OTL scan selecting All Users?
-
OK, here are the logs you requested. Hope everything checks out.
-
OK, there are still a few bad boys around.
Download the latest version of TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application
(https://dl.dropbox.com/u/73555776/tdss%20start.JPG)
- Then click on Change parameters.
(https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG)
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click the Start Scan button.
- If a suspicious object is detected, the default action will be Skip, click on Continue.
(https://dl.dropbox.com/u/73555776/tdss%20threat.JPG)
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
- Get the report by selecting Reports
(https://dl.dropbox.com/u/73555776/tdss%20report.JPG)
- Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
THEN
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
nsiproxy.*
afd.*
tdx.*
tcpip.*
mpsdrv.*
/md5stop
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs
-
I ran the TDSSKiller program, but when I try to get the report, it won't allow me to copy it or save it.
I'm also very sorry to say, but I didn't see the Cure button and should have scrolled down further. I had thought, for whatever reason, that when Cure wasn't available and the default wasn't Skip, I should go with the program's chosen default. Which, for one high-risk program, it did delete. :(
-
There should be a log at C:\TDSSKiller date time; could you attach that and then run the fresh OTL scan?
-
I have the OTL file, but it didn't give me the notepad for Extras. And one of the files is a little too big for one post, so I will make another one after this.
-
Here's the TDSSKiller file.
-
OK, I see you have been using a registry cleaner; that may have damaged Windows.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
IE - HKU\S-1-5-21-1004905472-1880819908-1281763888-1000\..\SearchScopes\{411F87A5-4572-4D1C-9BDD-1E26F9739E9B}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3181033
O2 - BHO: (no name) - {E4E6BF2A-1667-11DF-A01F-1F9655D89593} - No CLSID value found.
[2013/02/01 12:01:49 | 000,000,000 | ---D | C] -- C:\ProgramData\BrowserProtect
:Reg
[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-21-1004905472-1880819908-1281763888-1000\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download Windows Repair (all in one) from this site (http://www.tweaking.com/content/page/windows_repair_all_in_one.html)
Install the programme, then run it.
(https://dl.dropbox.com/u/73555776/waio%20start.JPG)
Go to step 3 and allow it to run SFC
(https://dl.dropbox.com/u/73555776/waio%20step3.JPG)
On the start repairs tab click start
(https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG)
Select the following items and tick restart system when finished
(https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG)
-
I have the OTL log and ran the Windows Repair program. But Windows still says it's in Test Mode on the bottom right of the screen. At one point the program said that it wasn't allowed access to one thing, but everything else it handled without a problem.
-
OK, it sounds as though you will need to reactivate Windows:
http://windows.microsoft.com/en-GB/windows7/activate-windows-7-on-this-computer
-
It says activation was successful. I'm going to restart my PC and see if that gets rid of the Test Mode in the bottom right.
-
OK, it still has the Test Mode notification in the bottom right of the PC. When I follow the directions from the link you gave me, I can't find anything that says "activate Windows" or shows me other ways to activate Windows. The only reason I thought I had done it the first time is because I entered the product key in "Change product key".
-
OK, that is a known problem.
1. Click on "Start button -> All Programs -> Accessories". Right-click on "Command Prompt" and select "Run As Administrator". If you are prompted to enter a password, enter the password and continue. You can also open Command Prompt in Administrator mode by typing "cmd" in the Start Menu Search box and pressing "Ctrl+Shift+Enter".
2. Now run the following command:
bcdedit /set TESTSIGNING OFF
If the above command doesn't work, you can run the following commands:
bcdedit.exe -set loadoptions ENABLE_INTEGRITY_CHECKS
bcdedit.exe -set TESTSIGNING OFF
3. That's it. Close the Command Prompt window and restart your system. It'll disable the watermark on the Desktop.
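Added example, not from this thread: the "Test Mode" watermark means the boot configuration lets test-signed (or, with integrity checks off, any) kernel drivers load, which is why a rootkit cleanup leaves it behind. This Python check parses `bcdedit /enum {current}` output and reports the settings the two commands above reset; the sample output is constructed, and `audit_live` assumes it is run from an elevated prompt on Windows.

```python
import re
import subprocess

# Constructed sample of `bcdedit /enum {current}` output showing the weak state
# (testsigning and nointegritychecks on); not captured from the poster's machine.
SAMPLE_BCD = """
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
loadoptions             DISABLE_INTEGRITY_CHECKS
testsigning             Yes
nointegritychecks       Yes
osdevice                partition=C:
systemroot              \\Windows
nx                      OptIn
"""

def parse_bcd(text):
    """Return {option: value} for the key/value lines of one bcdedit entry."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s{2,}(.+?)\s*$", line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries

def audit(text):
    """List the boot options that weaken driver signature enforcement."""
    cfg = parse_bcd(text)
    findings = []
    if cfg.get("testsigning", "No").lower() == "yes":
        findings.append("testsigning is on: test-signed drivers load and the Test Mode watermark shows")
    if cfg.get("nointegritychecks", "No").lower() == "yes":
        findings.append("nointegritychecks is on: driver signature enforcement is disabled")
    if "DISABLE_INTEGRITY_CHECKS" in cfg.get("loadoptions", "").upper():
        findings.append("loadoptions carries DISABLE_INTEGRITY_CHECKS")
    return findings

def audit_live():
    """Run bcdedit on this machine (Windows, elevated prompt) and audit the current entry."""
    out = subprocess.run(["bcdedit", "/enum", "{current}"],
                         capture_output=True, text=True, check=True).stdout
    return audit(out)
```

An empty list from `audit` after the `bcdedit /set TESTSIGNING OFF` step and a reboot confirms the fix took, independently of whether the watermark is visible.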
-
Alright, that seemed to have done the trick. Thanks!
-
What problems are outstanding?
-
I'm still getting this http://www.[r;;iåvÞyevq¾qîx»òki.com/ when I open up a new tab in Firefox, and I saw one popup in Firefox.
-
Could you disable all add-ons in Firefox?
Then re-enable them one at a time until this appears again.
Then let me know which add-on it is.
-
I disabled them all, but I'm still having problems with the link http://www.[r;;iåvÞyevq¾qîx»òki.com/
-
OK, delete the shortcut icons for Firefox on the desktop and the Quick Launch bar, then let me know if that stops it.
-
I deleted them, but I'm still having the same problem.
-
Could you run a fresh OTL scan, please?
-
OK, here's the new OTL text doc. And I notice that in my Computer folder, it lists 10 more ROM drives than I actually have.
-
Could you attach the log, please? ;D
-
OOPS! :o
-
Try this and let me know the result.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\PROGRAM FILES\IB UPDATER\FIREFOX
:Files
C:\PROGRAM FILES\IB UPDATER
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
OK, here's the file that came up when it rebooted and the file from when it did the Quick Scan.
-
Are you still getting it in Firefox? If so, could you run Firefox in Safe Mode and let me know if it is there?
-
Yeah, it still shows up when I open up a new tab in Safe Mode.
-
OK, you will need to do a full uninstall of Firefox and then a clean install: http://support.mozilla.org/en-US/kb/forum-response-clean-reinstall
-
OK, I followed the directions and removed Firefox and installed it again. But I'm still having the same issue.
-
Did you delete all the Firefox folders?
This part is badly worded. You need to remove all data and not save it:
IMPORTANT: On Windows, the uninstaller has the option to remove your personal data and settings. Make sure that you do not check this option; otherwise all of your bookmarks, passwords, extensions, user customizations and other Firefox user profile data will be removed from your computer.
-
Ah, I didn't do that. I had followed the "do not" instructions. OK, I'll brb.
-
OK, that seemed to do the trick.