Author Topic: They're baaaack!  (Read 17122 times)


Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: They're baaaack!
« Reply #15 on: July 14, 2014, 12:30:33 PM »
Hi,

Take a peek in these directories:
c:\programdata\UpdateServer
c:\users\Chi\AppData\Roaming\serv


If there is nothing there, delete that ...




Open notepad and copy/paste the text present inside the code box below:


Code:
KillAll::
ClearJavaCache::

Driver::
vToolbarUpdater18.1.7

Folder::
c:\program files (x86)\Common Files\AVG Secure Search
c:\users\Chi\AppData\Roaming\AVG 0214c Campaign


Save this as CFScript.txt



Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )





Then ...







Please download MCShield from one of the following links:

MCShield - Official download link
  • Double-click on MCShield-Setup to install the application.
    Next => I Agree => Next => Install ... after installation, click on the Run! button.
  • Wait a few seconds for MCShield to finish the initial HDD scan...
  • Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
  • When all scanning is done, you need to post the log report that MCShield has created.
Under the Logs tab (in Control Center), in the AllScans.txt log section, click on the Save button. The AllScans.txt report will be located on your Desktop.

=> Post here AllScans.txt


Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

REDACTED

  • Guest
Re: They're baaaack!
« Reply #16 on: July 14, 2014, 07:35:56 PM »
inside c:\programdata\UpdateServer there is a folder called 1405049759, inside that folder there is a file called webdev

inside c:\users\Chi\AppData\Roaming\serv there's a file = download.dat

is that bad?

or do I still continue?

Offline magna86

Re: They're baaaack!
« Reply #17 on: July 14, 2014, 07:45:13 PM »
Yes, feel free to continue with CFScript.

REDACTED

Re: They're baaaack!
« Reply #18 on: July 15, 2014, 04:54:39 AM »
here are the files

Offline magna86

Re: They're baaaack!
« Reply #19 on: July 15, 2014, 12:42:43 PM »
Hi, MCShield is the app that is meant to scan your USB memory devices. Have any?

The MCShield log tells me you just had the system drive scanned.

Anyway, how is the computer behavior now?

REDACTED

Re: They're baaaack!
« Reply #20 on: July 15, 2014, 09:46:53 PM »
oh I don't usually use USB devices, should I scan them just in case?

and the computer seems to be doing well now.

Offline magna86

Re: They're baaaack!
« Reply #21 on: July 15, 2014, 10:18:52 PM »
Keep MCShield if you like, as it is a lightweight additional security app. Yes, check them just in case; MCS will do that automatically.


The following will implement some post-cleanup procedures:




=> It is necessary to uninstall ComboFix:
  • Click Start, then Run.

    On Windows 7 or Vista you may use the Start Search field if Run is not available.

  • In the text field, type (or copy) the following:
Code:
ComboFix /Uninstall
    Note that there is a space between "ComboFix" and "/Uninstall".

    • Then click OK (or press Enter).
    Wait for the uninstall process to complete.




    => Please download DelFix by Xplode to your Desktop.

    Run the tool and check the following boxes:
    Remove disinfection tools
    Create registry backup
    Purge System Restore

    Click the Run button and wait a few seconds for the programme to complete its work.
    At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

    The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
    The tool deletes old system restore points and creates a fresh system restore point after cleaning.

    REDACTED

    Re: They're baaaack!
    « Reply #22 on: July 16, 2014, 08:39:06 AM »
    nooooo...more malware popups...=(
    restart?

    Offline magna86

    Re: They're baaaack!
    « Reply #23 on: July 16, 2014, 12:26:22 PM »
    nooooo...more malware popups...=(
    restart?


    Post me the screenshot of the alerts.

    REDACTED

    Re: They're baaaack!
    « Reply #24 on: July 16, 2014, 11:34:22 PM »
    one popped up last night, then nothing for a while...then just now

    Offline magna86

    Re: They're baaaack!
    « Reply #25 on: July 17, 2014, 10:23:12 AM »


    Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
    Only one of them will run on your system; that will be the right version.


    • Double-click to run it. When the tool opens, click Yes to the disclaimer.
    • Press the Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.




    Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
    • Type IqgaPbena.dat into the Search: field in FRST then click the Search File(s) button.
    • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
    • Please attach it to your reply.
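As an added example, not part of this thread and not code from ComboFix, MCShield or FRST: a PowerShell triage script that does, in a reviewable way, the two manual checks the helper asked for, looking into the directories named in Reply #15 and searching the drive for the file name named in this post. It assumes Windows PowerShell 4.0 or later (for Get-FileHash), an elevated prompt so that C:\ProgramData and the user's AppData folder are readable, and that the profile path is C:\Users\Chi as on this machine; the function names are this example's own. For each file it records size, timestamp, SHA256 and Authenticode status, which is what you would paste into a reply or look up before deciding whether a leftover is harmless.

```powershell
# Added triage helper, not part of this thread or of ComboFix/MCShield/FRST.
# Assumes Windows PowerShell 4.0+ (Get-FileHash) and an elevated prompt, so that
# C:\ProgramData and the user's AppData folder are readable.

# Directories named in Reply #15 (sample input; adjust the profile name for the machine being checked).
$SuspectPaths = @(
    'C:\ProgramData\UpdateServer',
    'C:\Users\Chi\AppData\Roaming\serv'
)

# One row of the report: which path, whether it exists, and per-file facts that help
# decide whether a leftover is harmless (size, timestamp, hash to look up, signature status).
function New-ReportRow {
    param([string]$Path, [bool]$Exists, [System.IO.FileInfo]$File)
    $row = [pscustomobject]@{
        Path      = $Path
        Exists    = $Exists
        File      = $null
        Bytes     = $null
        LastWrite = $null
        SHA256    = $null
        Signature = $null
    }
    if ($File) {
        $row.File      = $File.FullName
        $row.Bytes     = $File.Length
        $row.LastWrite = $File.LastWriteTime
        $row.SHA256    = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
        # Malware droppings are usually unsigned; a Valid signature from a known vendor
        # is a reason to pause before deleting.
        $row.Signature = (Get-AuthenticodeSignature -LiteralPath $File.FullName).Status
    }
    return $row
}

# Check each suspect directory: missing, present but empty, or list every file inside it.
function Get-SuspectPathReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            New-ReportRow -Path $p -Exists $false
            continue
        }
        $files = @(Get-ChildItem -LiteralPath $p -Recurse -File -Force -ErrorAction SilentlyContinue)
        if ($files.Count -eq 0) {
            New-ReportRow -Path $p -Exists $true
        } else {
            foreach ($f in $files) { New-ReportRow -Path $p -Exists $true -File $f }
        }
    }
}

# Search the whole drive for a file name, the check Reply #25 asks FRST to perform.
# Hidden and system files are included (-Force); unreadable folders are skipped silently.
function Find-FileByName {
    param([string]$Name, [string[]]$Roots = @('C:\'))
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -Filter $Name -ErrorAction SilentlyContinue |
            ForEach-Object { New-ReportRow -Path $root -Exists $true -File $_ }
    }
}

Get-SuspectPathReport -Paths $SuspectPaths | Format-Table -AutoSize
Find-FileByName -Name 'IqgaPbena.dat' | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt before and after a cleanup pass: the "before" run gives you hashes to keep with the ComboFix/FRST logs, and a file reappearing in the "after" run with a fresh LastWrite timestamp is the quickest sign of re-infection rather than a leftover.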

    REDACTED

    Re: They're baaaack!
    « Reply #26 on: July 17, 2014, 07:52:18 PM »
    btw, these two screens popped up


    and I haven't gotten any more avast popups.

    should I keep going?

    Offline magna86

    Re: They're baaaack!
    « Reply #27 on: July 17, 2014, 08:47:17 PM »
    yes

    REDACTED

    Re: They're baaaack!
    « Reply #28 on: July 18, 2014, 09:25:05 PM »
    Here are the files

    Offline magna86

    Re: They're baaaack!
    « Reply #29 on: July 18, 2014, 10:34:44 PM »
    You have actually just re-infected the machine again. What did you do to re-infect it once again?

    There is no point in me cleaning the machine if you are not careful and don't watch what you're doing. The malware does not install by itself ...

    « Last Edit: July 18, 2014, 10:37:33 PM by magna86 »