Author Topic: Stubborn Malware  (Read 5588 times)


JohnABarnett

  • Guest
Stubborn Malware
« on: April 14, 2014, 08:39:05 PM »
I'm using the free version.

Recently I've started getting constant malware popup warnings and redirects using my browser, which is Internet Explorer. I ran an Avast boot scan, it identified a couple of problems which I had it move to the Chest. I then rebooted, but the malware popups continued.

One thing I find curious is that the redirects at first were taking me to Avast sites, and then to other security related sites.

This is driving me crazy. The Object sites identified include words or phrases like "clickdata" and "redirect" and "php". Any ideas how to solve this?

Valinorum

  • Guest
Re: Stubborn Malware
« Reply #1 on: April 14, 2014, 08:40:58 PM »
Follow the instructions here and attach the logs.

JohnABarnett

  • Guest
Re: Stubborn Malware
« Reply #2 on: April 14, 2014, 08:58:12 PM »
I have attached the most recent MBAM scan file. It comes up clean despite the continued popup behavior.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37697
  • F-Secure user
Re: Stubborn Malware
« Reply #3 on: April 14, 2014, 09:37:00 PM »
We also need OTL and aswMBR logs

JohnABarnett

  • Guest
Re: Stubborn Malware
« Reply #4 on: April 14, 2014, 10:02:10 PM »
Yes, I have been interrupted and it looks like I am going to have to rerun all this together tomorrow. I will rerun everything and post it tomorrow. Sorry for the delay.

JohnABarnett

  • Guest
Re: Stubborn Malware
« Reply #5 on: April 17, 2014, 10:54:50 PM »
Okay, finally able to get back at it after a three-day interruption.

Symptoms:
Near constant avast! Web Shield threat popups, even when running the anti-malware programs MBAM and OTL.

Clicking on links in Google web search results is often redirected to various antivirus/antimalware sites, but direct address entry in Internet Explorer 11 does not redirect.

avast! Web Shield popups most frequently contain:
under Object: various, often including text like "click.php?=click", "redirect_js.psp", "credit cards", "debt management", "cleveland consumer co" etc.
under URL: Mal
under Process: Users/John/AppData...WINFB36.exe

Ran MBAM as instructed, log attached. No threats found.
Ran OTL as instructed, program generated OTL.txt (attached) but not Extras.txt.

Posting this now, will proceed with aswMBR.exe

Behavior continues

JohnABarnett

  • Guest
Re: Stubborn Malware
« Reply #6 on: April 18, 2014, 01:48:25 AM »
And here's the aswMBR report...

As I understand it, I have completed the instructed initial steps.

JohnABarnett

  • Guest
Re: Stubborn Malware
« Reply #7 on: April 18, 2014, 01:55:07 AM »
Do I need to stay offline with this computer until this is resolved?

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: Stubborn Malware
« Reply #8 on: April 18, 2014, 09:14:16 AM »
Hey, better wait for Valinorum to answer that; he's the one who will help you with your problem.
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

argus

  • Guest
Re: Stubborn Malware
« Reply #9 on: April 18, 2014, 10:59:12 AM »
Hi John,

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

*********************


Download TDSSKiller and save it to your desktop

  • Execute TDSSKiller.exe by double-clicking on it.
  • Confirm the "End User Licence Agreement" and "KSN Statement" dialog boxes by clicking on the Accept button.
  • Press Start Scan.
  • If a Suspicious object is detected, the default action will be Skip; click on Continue.
  • If Malicious objects are found, select Cure.
  • Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

JohnABarnett

  • Guest
Re: Stubborn Malware
« Reply #10 on: April 18, 2014, 04:20:20 PM »
Here are the reports from the suggested scans.

argus

  • Guest
Re: Stubborn Malware
« Reply #11 on: April 18, 2014, 04:36:35 PM »

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code:
Start
HKU\S-1-5-21-1802073132-1704809466-3102102586-1000\...\Run: [ARZworks] => regsvr32.exe C:\Users\John\AppData\Local\ARZworks\BRWIA07a.dll <===== ATTENTION
HKU\S-1-5-21-1802073132-1704809466-3102102586-1000\...\MountPoints2: {dfcb262b-b3db-11de-af4a-806e6f6e6963} - E:\GHScrabbleInstall.exe
HKU\S-1-5-21-1802073132-1704809466-3102102586-1000\...\Run: [GameServer548] => C:\Users\John\AppData\Roaming\WinBatch\WINFB36.exe [192000 2014-04-12] ()
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {D8E0CC98-17E3-40B4-A29A-4A4A66D42927} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {D8E0CC98-17E3-40B4-A29A-4A4A66D42927} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKCU - {D8E0CC98-17E3-40B4-A29A-4A4A66D42927} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
BHO-x32: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
CHR DefaultSearchKeyword: mywebsearch.com
CHR DefaultSearchProvider: My Web Search Bar
CHR DefaultSearchURL: http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm380YSUS&fl=0&ptb=huIiN99FEqxqbAS1Hn1_4Q&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=sb&searchfor={searchTerms}&n=77ce80df
C:\Users\John\microsoft.dat
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
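The fixlist above is a list of FRST log lines that the helper picked out by hand: autorun entries pointing into the user's AppData folder, search scopes pointing at unwanted search providers, and an empty search scope. The following Python script is an added example, not part of this thread or of FRST, that automates that first-pass triage over FRST-style lines. The line formats it parses are assumed from the lines quoted in the fixlist; the list of unwanted search hosts is constructed from the same fixlist, and the "Example" autorun and Bing search scope in the sample are invented benign entries so the script has something to leave alone.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample input: lines copied from the fixlist in this thread, plus
# two invented benign lines (the "Example" autorun and the Bing search scope).
SAMPLE_LOG = r"""
HKU\S-1-5-21-1802073132-1704809466-3102102586-1000\...\Run: [ARZworks] => regsvr32.exe C:\Users\John\AppData\Local\ARZworks\BRWIA07a.dll <===== ATTENTION
HKU\S-1-5-21-1802073132-1704809466-3102102586-1000\...\Run: [GameServer548] => C:\Users\John\AppData\Roaming\WinBatch\WINFB36.exe [192000 2014-04-12] ()
HKLM\...\Run: [Example] => C:\Program Files\Example\example.exe
SearchScopes: HKLM - {D8E0CC98-17E3-40B4-A29A-4A4A66D42927} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}
CHR DefaultSearchURL: http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm380YSUS&fl=0&ptb=huIiN99FEqxqbAS1Hn1_4Q&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=sb&searchfor={searchTerms}&n=77ce80df
"""

# Line shapes assumed from the fixlist quoted above (FRST's own format may vary).
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)(?P<path>\\.*)\\Run: \[(?P<name>[^\]]+)\] => (?P<cmd>.*)$")
SCOPE_RE = re.compile(r"^SearchScopes: (?P<hive>\S+) - \{(?P<guid>[^}]+)\} URL =\s*(?P<url>.*)$")
CHR_RE = re.compile(r"^CHR DefaultSearchURL:\s*(?P<url>.*)$")

# Locations a normal user can write to; an autorun that loads code from here
# deserves a look, because legitimate installers rarely persist this way.
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\|%TEMP%", re.IGNORECASE)

# Constructed from the search providers removed by the fixlist in this thread.
UNWANTED_SEARCH_HOSTS = {"www.ask.com", "www.mywebsearch.com", "search.mywebsearch.com"}


@dataclass
class Finding:
    kind: str    # short category used for counting
    detail: str  # human-readable reason
    line: str    # the original log line


def triage_line(line: str):
    """Return a Finding for one FRST-style line, or None if it looks benign."""
    line = line.strip()
    if not line:
        return None

    m = RUN_RE.match(line)
    if m:
        cmd = m["cmd"]
        if USER_WRITABLE.search(cmd):
            loader = "DLL via regsvr32" if cmd.lower().startswith("regsvr32") else "direct exe"
            return Finding("autorun-userprofile", f"{m['name']} ({loader}) runs from a user-writable path", line)
        return None

    m = SCOPE_RE.match(line) or CHR_RE.match(line)
    if m:
        url = m["url"].strip()
        if not url:
            return Finding("search-empty", "search scope with no URL", line)
        host = (urlparse(url).hostname or "").lower()
        if host in UNWANTED_SEARCH_HOSTS:
            return Finding("search-unwanted", f"search provider points to {host}", line)
        return None

    return None


def triage(text: str):
    """Run triage_line over every line and keep the findings, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


def summarize(findings):
    """Count findings per category, e.g. {'autorun-userprofile': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
    print(summarize(results))
```

On the sample, the two AppData autoruns, the ask.com scope, the empty scope and the Chrome mywebsearch URL are reported, and the two invented benign lines are not. The script only reads a log; it never touches the registry, so it can be run against FRST.txt before deciding what to put in a fixlist.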

JohnABarnett

  • Guest
Re: Stubborn Malware
« Reply #12 on: April 18, 2014, 05:36:56 PM »
Thank you for your work trying to help me.

I ran FRST64 and it generated a text file called FRST.txt (not fixlog.txt) on my Desktop. I have attached that file.

***

Edited to add, SORRY, I just realized I might have pressed "SCAN" instead of "FIX." I'll rerun this with "FIX"
« Last Edit: April 18, 2014, 05:38:51 PM by JohnABarnett »

JohnABarnett

  • Guest
Re: Stubborn Malware
« Reply #13 on: April 18, 2014, 05:42:07 PM »
OK, here is fixlog.txt.

Hmm...
When I try to submit this post it tells me the requested file is too large.

argus

  • Guest
Re: Stubborn Malware
« Reply #14 on: April 18, 2014, 05:47:07 PM »
Copy/Paste log here http://pastebin.com/
and click submit.

Copy url link to forum.