Author Topic: They're baaaack!  (Read 17131 times)


REDACTED

  • Guest
They're baaaack!
« on: July 04, 2014, 10:55:48 PM »
Sigh, after TwinHeadedEagle's hard work a few days ago, I was threat-free. However, after a few days... I got 2 Avast popups last night.
After running Malwarebytes, it seems I still have something...
Here are the logs.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: They're baaaack!
« Reply #1 on: July 05, 2014, 01:47:03 PM »
Hi,

Let's take a look, shall we?


=> Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
« Last Edit: July 05, 2014, 01:52:44 PM by magna86 »

REDACTED

  • Guest
Re: They're baaaack!
« Reply #2 on: July 06, 2014, 09:29:05 PM »
Here you go, magna86.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: They're baaaack!
« Reply #3 on: July 07, 2014, 12:09:42 AM »
Hi,

My instructions clearly state the need for addition.txt.

REDACTED

  • Guest
Re: They're baaaack!
« Reply #4 on: July 07, 2014, 07:57:55 AM »
Hmmm... it didn't make any Addition.txt file, so I ran it again and clicked the Addition.txt box.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: They're baaaack!
« Reply #5 on: July 07, 2014, 01:06:32 PM »
Hi,

It didn't create the Addition log because you did not remove the FRST version from TwinHeadedEagle's case with DelFix as you should have.

Next, you are using multiple antivirus products. This can't be done. You must uninstall one of them. Only 1 AV per system.

Then use their removal tools to remove any leftovers.
http://singularlabs.com/uninstallers/security-software/

Also remove Spybot - Search & Destroy 2, as this software cannot keep up with current malware.


You still have Zekos loaded; the malware isn't fully removed, and you got reinfected.


Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
  • Type rpcss.dll into the Search: field in FRST then click the Search File(s) button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.
« Last Edit: July 07, 2014, 01:08:29 PM by magna86 »
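The rpcss.dll search requested above is looking for a system DLL that no longer matches its pristine copy; the later fixlist in this thread repairs it by copying the WinSxS component-store copy back over the System32 one. The script below is an added example (not FRST's code and not the helper's) of the same consistency check in Python: hash the live System32 copy and compare it with every copy of the same file kept in the component store. On a real machine you would point check_system_dll() at C:\Windows; demo() builds a small constructed directory tree instead so it runs anywhere, and the file contents it writes are constructed stand-ins, not real DLL bytes.

```python
"""Consistency check for a system DLL against the WinSxS component store.

Added example (not FRST's or the thread's code). Real use points
check_system_dll() at C:\\Windows; demo() builds a constructed look-alike tree
so the script runs on any platform. A match with a component-store copy is only
a consistency check: on a live box you would also verify the Authenticode
signature of the System32 copy."""
import hashlib
import tempfile
from pathlib import Path

# Component directory name copied from the fixlist posted in this thread; the
# bytes written into it by demo() are constructed, not a real rpcss.dll.
COMPONENT_DIR = ("amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35"
                 "_6.1.7601.17514_none_c7f0e16b547f887d")


def sha256_of(path):
    """SHA-256 of a file, read in 1 MiB chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_store_copies(winsxs, dll_name):
    """Every copy of dll_name held in the component store (any version)."""
    return sorted(p for p in winsxs.rglob(dll_name) if p.is_file())


def check_system_dll(windows_root, dll_name):
    """Compare System32\\<dll_name> with the component-store copies of that file."""
    windows_root = Path(windows_root)
    live = windows_root / "System32" / dll_name
    live_hash = sha256_of(live)
    store = {str(p.relative_to(windows_root)): sha256_of(p)
             for p in find_store_copies(windows_root / "winsxs", dll_name)}
    matching = [rel for rel, h in store.items() if h == live_hash]
    return {
        "live": str(live.relative_to(windows_root)),
        "live_sha256": live_hash,
        "store_copies": store,          # relative path -> sha256
        "matches_store": bool(matching),
        "matching_copies": matching,
    }


def build_demo_tree(root, patched):
    """Construct a tiny C:\\Windows look-alike under root (constructed data)."""
    windows = Path(root) / "Windows"
    store_dir = windows / "winsxs" / COMPONENT_DIR
    store_dir.mkdir(parents=True)
    (windows / "System32").mkdir(parents=True)
    pristine = b"constructed stand-in for the original rpcss.dll bytes"
    (store_dir / "rpcss.dll").write_bytes(pristine)
    # A modified live copy differs from the store copy; a clean one is identical.
    live = pristine + b" [constructed extra bytes]" if patched else pristine
    (windows / "System32" / "rpcss.dll").write_bytes(live)
    return windows


def demo(patched):
    """Run the check against a freshly constructed tree; patched=True -> mismatch."""
    return check_system_dll(build_demo_tree(tempfile.mkdtemp(), patched), "rpcss.dll")


if __name__ == "__main__":
    for flag in (True, False):
        result = demo(flag)
        verdict = "OK (matches a store copy)" if result["matches_store"] else "SUSPECT (no store copy matches)"
        print("patched" if flag else "clean", "->", verdict, result["live_sha256"][:16])
```

The store may hold several versions of one component after updates; a live copy that matches none of them is worth a closer look, while a match only tells you the file is consistent with something Windows itself installed, not that it is the newest version.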

REDACTED

  • Guest
Re: They're baaaack!
« Reply #6 on: July 08, 2014, 08:10:07 AM »
I removed AVG, and McAfee.

Here is the search.txt file

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: They're baaaack!
« Reply #7 on: July 08, 2014, 09:30:02 AM »
The following FixList shall tell FRST to use necessary force in order to disinfect and remove the malware.


1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
File: C:\ProgramData\UpdateServer\1403727902\webdev.exe
Folder: C:\ProgramData\UpdateServer
Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll
Reboot:
C:\Windows\system32\gyifhy.ijd
C:\Windows\system32\kdyhc.kal
C:\Windows\system32\khiyc.gmv
C:\Windows\system32\rnzio.mrt
C:\zoek_backup
C:\Users\Chi\AppData\Local\Temp\*.exe
C:\Users\Chi\AppData\Local\Temp\*.dll
Hosts:
BHO-x32: No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKLM-x32 - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
FF Extension: No Name - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\18.1.7.598 [2014-05-30]
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
End


2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location, or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that the version is outdated, please download and run the updated version.
« Last Edit: July 08, 2014, 09:33:22 AM by magna86 »

REDACTED

  • Guest
Re: They're baaaack!
« Reply #8 on: July 08, 2014, 08:23:02 PM »
Things look good so far...
Here's the Fixlog.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: They're baaaack!
« Reply #9 on: July 09, 2014, 08:33:18 AM »
Cool. Now execute the following FixList. After that, post the fresh FRST.txt log file.


1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Hosts:
R2 WinDevSrv; C:\ProgramData\UpdateServer\1403727902\webdev.exe [389992 2014-06-25] (VM Host Corporation)
Reboot:
C:\ProgramData\UpdateServer
2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location, or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that the version is outdated, please download and run the updated version.
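Both fixlists in this thread (Reply #7 and Reply #9) are FRST scripts that mix directives with lines pasted straight from the FRST.txt log, and the helper's notice that such a script is machine-specific is the point: before running one, it helps to see exactly what it would do. The parser below is an added example, not FRST's own code. The directive meanings it assumes (Start/End as delimiters, File:/Folder: as report-only, Replace: as copy-over, Hosts: as a hosts-file reset, Reboot: as a forced restart, bare drive paths as delete/quarantine, and pasted log entries such as BHO-x32:/Toolbar:/FF Extension:/CHR/R2 as removals) follow FRST's usual usage as I understand it and are assumptions; the two scripts embedded in it are the ones posted in this thread. It also flags the operations a reviewer would want to double-check: wildcard deletions and a Replace that overwrites a binary under System32 or SysWOW64.

```python
"""Parse an FRST fixlist.txt into structured actions and summarise what it would do.

Added example, not FRST's own code. Directive meanings are assumptions based on
FRST's usual usage (see the lead-in); the two fixlists below are copied from the
thread this example accompanies."""
import re
from dataclasses import dataclass

WIN_PATH = re.compile(r"^[A-Za-z]:\\")                      # bare path line -> delete/quarantine
SERVICE_LINE = re.compile(                                  # e.g. "R2 Name; C:\path.exe [size date] (Publisher)"
    r"^[RS]\d (?P<name>[^;]+); (?P<path>.+?) \[(?P<size>\d+) (?P<date>[\d-]+)\] \((?P<publisher>[^)]*)\)$")
SYSTEM_DIRS = ("\\system32\\", "\\syswow64\\")


@dataclass
class FixAction:
    kind: str          # report_file, report_folder, replace, reset_hosts, reboot, delete_path, remove_service, remove_log_item
    target: str
    detail: str = ""
    risky: bool = False
    reason: str = ""


def parse_fixlist(text):
    """Turn fixlist text into FixAction records, one per meaningful line."""
    actions = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("Start", "End"):
            continue
        if WIN_PATH.match(line):
            wild = "*" in line
            actions.append(FixAction("delete_path", line, risky=wild,
                                     reason="wildcard delete" if wild else ""))
            continue
        m = SERVICE_LINE.match(line)
        if m:
            actions.append(FixAction("remove_service", m["name"], detail=m["path"]))
            continue
        key, _, rest = line.partition(":")
        key, rest = key.strip(), rest.strip()
        if key == "File" and rest:
            actions.append(FixAction("report_file", rest))
        elif key == "Folder" and rest:
            actions.append(FixAction("report_folder", rest))
        elif key == "Replace" and rest:
            parts = re.split(r"\s+(?=[A-Za-z]:\\)", rest, maxsplit=1)  # split before the 2nd drive path
            if len(parts) != 2:
                raise ValueError("Replace: needs a source and a destination path: " + line)
            src, dst = parts
            risky = any(d in dst.lower() for d in SYSTEM_DIRS)
            actions.append(FixAction("replace", dst, detail=src, risky=risky,
                                     reason="overwrites a system binary; confirm the source is a pristine copy" if risky else ""))
        elif key == "Hosts" and not rest:
            actions.append(FixAction("reset_hosts", "hosts file"))
        elif key == "Reboot" and not rest:
            actions.append(FixAction("reboot", "system"))
        else:
            actions.append(FixAction("remove_log_item", line, detail=key))  # pasted log entry (BHO, Toolbar, FF, CHR ...)
    return actions


def summarize(actions):
    """Counts per action kind, whether a reboot is forced, and the items worth a second look."""
    counts = {}
    for a in actions:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return {
        "counts": counts,
        "needs_reboot": any(a.kind == "reboot" for a in actions),
        "risky": [(a.kind, a.target, a.reason) for a in actions if a.risky],
    }


# Fixlist from Reply #7 of the thread.
FIXLIST_REPLY_7 = r"""Start
File: C:\ProgramData\UpdateServer\1403727902\webdev.exe
Folder: C:\ProgramData\UpdateServer
Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll
Reboot:
C:\Windows\system32\gyifhy.ijd
C:\Windows\system32\kdyhc.kal
C:\Windows\system32\khiyc.gmv
C:\Windows\system32\rnzio.mrt
C:\zoek_backup
C:\Users\Chi\AppData\Local\Temp\*.exe
C:\Users\Chi\AppData\Local\Temp\*.dll
Hosts:
BHO-x32: No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKLM-x32 - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
FF Extension: No Name - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\18.1.7.598 [2014-05-30]
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
End"""

# Fixlist from Reply #9 of the thread.
FIXLIST_REPLY_9 = r"""Hosts:
R2 WinDevSrv; C:\ProgramData\UpdateServer\1403727902\webdev.exe [389992 2014-06-25] (VM Host Corporation)
Reboot:
C:\ProgramData\UpdateServer"""


if __name__ == "__main__":
    for label, text in (("Reply #7", FIXLIST_REPLY_7), ("Reply #9", FIXLIST_REPLY_9)):
        s = summarize(parse_fixlist(text))
        print(label, s["counts"], "reboot" if s["needs_reboot"] else "no reboot")
        for kind, target, reason in s["risky"]:
            print("  review:", kind, target, "-", reason)
```

Run stand-alone it prints, for the first script, one report_file, one report_folder, one replace, seven delete_path entries, one hosts reset and five pasted log items, with the System32 replace and the two Temp wildcards listed for review; the second script comes out as a hosts reset, one service removal, a forced reboot and one folder deletion.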


REDACTED

  • Guest
Re: They're baaaack!
« Reply #10 on: July 11, 2014, 09:42:37 PM »
Oops, forgot to post this.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: They're baaaack!
« Reply #11 on: July 11, 2014, 10:22:35 PM »
Ok. Now I would like to see the following results.



1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works, read this guide.

--------------------------------------------------------------------
2. Temporarily disable your antivirus program, usually via a right-click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this, please read this or this instruction.

Instructions on how to disable avast:
• Right-click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.


--------------------------------------------------------------------
3. Run ComboFix. Then, on the disclaimer window, click the I Agree! button.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

- If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
- ComboFix will scan your computer in stages, a total of 50 stages.
Do not mouse-click around while ComboFix is running.
- If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart your computer.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (Typical location: C:\ComboFix.txt)
=> Attach the log report (ComboFix.txt) back to the topic.

ComboFix shall also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt).
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

REDACTED

  • Guest
Re: They're baaaack!
« Reply #12 on: July 13, 2014, 03:30:53 AM »
Here are the files you asked for.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: They're baaaack!
« Reply #13 on: July 13, 2014, 01:41:50 PM »
Please bump your post tomorrow.

REDACTED

  • Guest
Re: They're baaaack!
« Reply #14 on: July 14, 2014, 07:20:20 AM »
bump