Help cleaning infected computer

[wilky]

Another bit of info, it has been rejecting windows security update kb2859537 since aug, that update had a big issue with causing bsod, but not one person having a machine that rejected it, so i assumed it would fix itself after this cleanup, but now I'm thinking it might related.

[wilky]

Logs attached.
thanks

[magna86]

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code: [Select]

Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
S2 DictionaryBossService; C:\PROGRA~1\DICTIO~2\bar\1.bin\v4barsvc.exe [x]
S2 GasGlance_5iService; C:\PROGRA~1\GASGLA~2\bar\1.bin\5ibarsvc.exe [x]
S2 InboxAce_1gService; C:\PROGRA~1\INBOXA~2\bar\1.bin\1gbarsvc.exe [x]
C:\PROGRA~1\DICTIO~2
C:\PROGRA~1\GASGLA~2
C:\PROGRA~1\INBOXA~2

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.



-----------------------------------------------


How's your computer running now?

[wilky]

Log is attached.
I think the only issue I have now is the blocked malicious url warnings from Avast, still the same ones popping up over and over until I take the ethernet cable out.
One thing I didn't do, Malwarebytes told me to run a full scan after the quick scan and I never did, so I am running that now.
thanks for your help

[magna86]

Ok, let's re-check all then:

1. Re-run FRST, hit Scan button and post me fresh created log.

2. Please download fresh copy of zoek.exe. Delete old ones. Re-run zoek.exe as you did before with this script:

Code: [Select]

StandardSearch;
Post me fresh created logreport.

[wilky]

Here they are.
thanks

[magna86]

Not good. You have been posted the old zoek log.
Also logs says that you did not run tools one at a time, but you run both programs together. I have been written instructions very well. First run FRST and then run Zoek.

Let's go again with zoek. Delete all old created zoek logs you have.
Delete old zoek.exe, download fresh copy and run it with StandardSearch; script.
Wait for zoek to finish his scan and when it pop-up log, save that log on Desktop (to make shure it's right log) and post it here.

[wilky]

Sorry about that, I wasn't thinking that specifically.
fresh zoek log is attached.
thanks

[wilky]

or maybe here!

[magna86]

I shall look into logs tomorrow. Refresh topic with new post tomorrow if I forget to give my reply but I will try not to forget. 

[magna86]

I see no malware or some bad characters enter here.

Re-run zoek with this script, wait to finish his work and when it finish post me created log.

Code: [Select]

C:\Users\Owner\AppData\Roaming\Real\Update\temp\~Upg3;f
oobefldr.dll;z
autoclean;
Do you still have avast warning? If you do, please post me screenshot of that alert as I see nothing bad.

[wilky]

logs and pix attached. Still getting blocked url warnings. Maybe avast has problem and needs to be uninstalled/reinstalled, doesn't seem like any processes are running that are triggering the blocked url warnings, like malware running in the background. CPU is flat-lining and still getting a loop of 7-10 blocked url's.

[magna86]

As all looks good, we shall run very depth in check for malware and rootkit presence. I want to see which dll file is running under svchost.exe.

1. Run FRST and post me fresh created log.


2. Please download GMER, AntiRootkit tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named



Double-clicking to run GMER.

• Wait for initial scan to finish - if there is any query, click No;
  
• Click Scan button and wait until the full scan is complete;
  
• Click Save ... - save the report to the Desktop (named Gmer1 );
  
  
• Right-click wherever in the GMER's window and select Options > 3rd party - click the Scan button;
  
• Please wait until the full scan is complete;
• Click Save ... button and save report to Desktop (named Gmer2 );
  note: time scan for Gmer2 log may take some time
  
  
• Click the >>> and select Autostart card;
  
• After quick scan, click Copy button;
  
• Open notepad and Paste text. Save report to the Desktop (named Gmer3 )
  

> Attach here all Gmer logreports. (Gmer1; Gmer2 and Gmer3)

[wilky]

sorry for delay, went out of town.
after second 3rd party scan, "fake" windows security alerts window pops up and says Avast is not turned on, while Avast itself says it is secure. I say fake becuase I think the real window says "windows security center", not alerts. Also, no links on startbar are functioning, I can't open notepad or any other item on list, can't restart computer or turn off. So I had to manually shut down computer and restart to run the
autostart scan. After restart, all was back to normal.
If you need all three scans to run at same session, I will have to run again and hope that doesn't happen again.
thanks for your help

[magna86]

after second 3rd party scan, "fake" windows security alerts window pops up and says Avast is not turned on, while Avast itself says it is secure. I say fake becuase I think the real window says "windows security center", not alerts.

As I can not see none of the rogue program, this is a legitimate and Windows related.


Run this FRST script. If the problem still persists after this FRSTFix, that isn't malware related as you do not have any active malware.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code: [Select]

START
HKCU\...\InprocServer32: [Default-pngfilt]  <==== ATTENTION!
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-19] (Microsoft Corporation)
END
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.