Avast WEBforum
Other => Viruses and worms => Topic started by: happygirl323 on August 21, 2013, 03:21:08 AM
-
Noticed sluggish behavior on my computer several days ago. I ran avast and it prompted me to run a boot scan. It found several trojans, bitcoin-A, and malware-gen. I've attached the logs request in the forum instructions
-
continuation of attachments.
Edited to add the boot scan log
-
Hi,
Re-run OTL.exe.
- Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:files
C:\Windows\SysNative\drivers\avgtpx64.sys
C:\Users\Denise\AppData\Local\AVG SafeGuard toolbar
:services
avgtp
:OTL
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10042&barid={C1658F1E-DECE-11E2-B3FC-002511D1C74F}
IE - HKU\S-1-5-21-2462478338-3029352743-3340727738-1001\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://mysearch.avg.com/search?cid={F0631A15-872E-426F-9354-9FE07A510809}&mid=781442a13c0e47d3aff9d16c57352ebc-3d753c8f921b0eec8a7b1f3d27125b9043cc3991&lang=en&ds=dn011&pr=sa&d=2013-08-20 19:57:21&v=15.4.0.5&pid=safeguard&sg=0&sap=dsp&q={searchTerms}
FF - prefs.js..browser.startup.homepage: "http://mysearch.avg.com/?cid={F0631A15-872E-426F-9354-9FE07A510809}&mid=781442a13c0e47d3aff9d16c57352ebc-3d753c8f921b0eec8a7b1f3d27125b9043cc3991&lang=en&ds=dn011&pr=sa&d=2013-08-20 19:57:21&v=15.4.0.5&pid=safeguard&sg=0&sap=hp"
O2 - BHO: (AVG SafeGuard toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\15.4.0.5\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
O3 - HKLM\..\Toolbar: (AVG SafeGuard toolbar) - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG SafeGuard toolbar\15.4.0.5\AVG SafeGuard toolbar_toolbar.dll (AVG Secure Search)
O33 - MountPoints2\{7acd3c61-ec8f-11dd-a6c7-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{7acd3c61-ec8f-11dd-a6c7-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Autorun.EXE
:commands
[CREATERESTOREPOINT]
[EMPTYJAVA]
[emptytemp]
- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
If the log doesn't appear, it can be found here:
c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log
.
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your desktop.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
.
Please download zoek.exe (http://home.kpn.nl/stefsmeenk/zoek.exe/) and save it to your desktop.
- Close any open browsers.
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Double click on zoek.exe to run the tool .
Please wait while the tool does not start...
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;
- Click on (http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png) button
Please wait until a logreport will open (this can be after reboot)
- Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named "zoek-results.log"
-
Here are the logs from the runs you asked for.
-
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
START
S2 vToolbarUpdater15.4.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe
CHR HKLM-x32\...\Chrome\Extension: [hbcennhacfaagdopikcegfcobcadeocj] - C:\Program Files (x86)\Common Files\Spigot\GC\saebay_1.0.crx
CHR HKLM-x32\...\Chrome\Extension: [icdlfehblmklkikfigmjhbmmpmkmpooj] - C:\Program Files (x86)\Common Files\Spigot\GC\errorassistant_1.1.crx
CHR HKLM-x32\...\Chrome\Extension: [mhkaekfpcppmmioggniknbnbdbcigpkk] - C:\Program Files (x86)\Common Files\Spigot\GC\coupons_2.4.crx
CHR HKLM-x32\...\Chrome\Extension: [pfndaklgolladniicklehhancnlgocpp] - C:\Program Files (x86)\Common Files\Spigot\GC\saamazon_1.0.crx
END
2. Save notepad as fixlist.txt
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
.
- Close any open browsers.
- Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.
- Double click on zoek.exe to run the tool .
Please wait while the tool does not start...
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:
emptyclsid;
C:\Program Files (x86)\AVG SafeGuard toolbar;fs
C:\users\Denise\AppData\Locallow\AVG SafeGuard toolbar;fs
bkpdbnikbinamgnlpdocdofjnoplcpji;chr
hbcennhacfaagdopikcegfcobcadeocj;chr
mhkaekfpcppmmioggniknbnbdbcigpkk;chr
pfndaklgolladniicklehhancnlgocpp;chr
emptyalltemp;
autoclean;
- Click on (http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png) button
Please wait until a logreport will open (this can be after reboot)
- Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named "zoek-results.log"
-
Here are the logs. Thanks for your help with this!
-
looks good, any problems?
-
There was no malware, just crap (adware) ;D
-
Looking good. Thanks again! ;D
-
OK, one more step
Please download DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.
Run the tool and check the following boxes below;
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Now click on "Run" button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt
> I don't need DelFix log report.
I recommended to use MCShield if you will.
You may download MCShield from one of the following links:
MyCity - Official download link (http://www.mcshield.net)
Softpedija - Mirror download link (http://www.softpedia.com/get/Antivirus/MCShield.shtml)
It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.
-
squeaky clean, tools removed :D