Author Topic: Constant WebShield popups

REDACTED

  • Guest
Constant WebShield popups
« on: July 31, 2014, 02:25:31 AM »
My nephew installed a bunch of Minecraft mods on his new laptop and it's now riddled with malware. Had them run MalwareBytes and that seemed to get most of it. I'm here now and noticed his search was being redirected by MaxWebSearch or something like that but Adwcleaner seemed to take care of it.

Removed Security Essentials and installed Avast. Scan was clean, but now we're getting constant WebShield pops for sites like robertsbom5DOTmeSLASHtaskSLASH4001 and MalwareBytes is blocking jubmoz788DOTme.

I had to hop on my brother's computer to access this forum and download some of the recommended files; browsing is very slow on the infected PC and often fails, especially for security-related sites.

Tempted to restore from partition but I'm reading that may not solve the problem.

Requested scans attached. Thanks.
« Last Edit: July 31, 2014, 02:40:58 AM by mattseidl »

REDACTED

  • Guest
Re: Constant WebShield popups
« Reply #1 on: July 31, 2014, 02:27:58 AM »
Screenshot:

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5712
  • Spartan Warrior
Re: Constant WebShield popups
« Reply #2 on: July 31, 2014, 08:33:48 AM »
Malware removal expert has been notified. It might be a bit before he comes on board, but likely less than 12 hours.

Please be patient. Make no further changes to the system whilst under his direction unless told otherwise.
Windows 10 Home 64-bit 22H2 Microsoft Windows Defender - Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.4.6112 (build 24.4.9067.762) UI version 1.0.803

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Constant WebShield popups
« Reply #3 on: July 31, 2014, 03:33:48 PM »
This will take several runs to clean

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
S2 29850aa3; "C:\windows\system32\rundll32.exe" "c:\program files (x86)\so_boo~1\AssistantSvc.dll",service
2014-07-29 20:34 - 2014-07-25 20:15 - 00000000 ____D () C:\ProgramData\AxuzAfquv
2014-07-29 20:34 - 2014-06-22 17:36 - 00000000 ____D () C:\Users\Lucas\AppData\Local\23220
C:\Users\Lucas\hlcgiptd.exe
Task: {00893276-8424-4DA1-B455-2DD2B5CF7F1C} - System32\Tasks\Advanced System Protector => C:\Program Files (x86)\RegClean Pro\SystweakASP.exe <==== ATTENTION
Task: {23FCE237-0AA7-4E21-9BE1-BD2582E5C902} - System32\Tasks\RegClean Pro => C:\Program Files (x86)\RegClean Pro\RegCleanPro.exe <==== ATTENTION
Task: {29DAA423-1CEC-40CA-8625-3349B25F3C4C} - \ShopperProJSUpd No Task File <==== ATTENTION
Task: {306E8CD3-42A4-4D22-9BAE-97114F5CA4C2} - System32\Tasks\Advanced System Protector_startup => C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe <==== ATTENTION
Task: {37F61C53-12AC-40B3-B2FC-54F6A5302BA8} - System32\Tasks\PC Clean Maestro Scan => C:\Program Files (x86)\CompuClever\PC Clean Maestro\pccum.exe
Task: {3D5E2C61-120F-4FDA-A331-37CF1BE6F56C} - System32\Tasks\SuperFastPC_AutorunOnStartup => C:\Program Files (x86)\System Optimizer Pro\SystemOptimizerPro.exe <==== ATTENTION
Task: {60DFCAA3-12AA-4BBA-9CA0-F9A6FCA78F58} - \SPDriver No Task File <==== ATTENTION
Task: {66F3291A-142C-4DCE-A22E-69776027CE67} - \Mext Guard FBE8818C-5B13-48C2-A93E-AD731167DBF2 No Task File <==== ATTENTION
Task: {687E9B35-6CB0-4D26-974A-2B443A9099D3} - System32\Tasks\SPBIW_UpdateTask_Time_333132313335313936382d555b373434412d45325a5b6c => Wscript.exe //B "C:\ProgramData\ShopperPro\spbihe.js" spbiu.exe /invoke /f:check_services /l:0
Task: {6F0550D3-E83D-41E4-A0E2-6D99B1051725} - \SMupdate1 No Task File <==== ATTENTION
Task: {77DDA005-F6CA-4CFB-BB68-1BF7735B0705} - \pricemeterdownloader No Task File <==== ATTENTION
Task: {7D2F3D6E-FDBF-4A0F-83CC-E5E4C630B8BD} - System32\Tasks\SaferBrowser Update Task => C:\Program Files (x86)\SaferBrowser\uninstall.SaferBrowser.exe
Task: {985A0431-927F-42E5-8D4E-F967E92A1E13} - \pricemetertask No Task File <==== ATTENTION
Task: {985A0431-927F-42E5-8D4E-F967E92A1E13} - \pricemetertask No Task File <==== ATTENTION
Task: {B4C83D3A-D4CF-4F5E-8165-7525A444B53D} - \pricemeterwatcher No Task File <==== ATTENTION
Task: {B4C83D3A-D4CF-4F5E-8165-7525A444B53D} - \pricemeterwatcher No Task File <==== ATTENTION
AlternateDataStreams: C:\Users\Lucas\Local Settings:init
AlternateDataStreams: C:\Users\Lucas\AppData\Local:init
AlternateDataStreams: C:\Users\Lucas\AppData\Local\Application Data:init
S1 nfplhivw; \??\C:\windows\system32\drivers\nfplhivw.sys [X]
C:\Users\Lucas\AppData\Roaming\unwrapped.exe
C:\Users\Lucas\AppData\Roaming\serv\VoPackage.exe
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

 
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, and describe how your computer is running now.
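The fixlist above is built by reading the FRST scan line by line and picking out the entries that merit action: scheduled tasks whose task file no longer exists ("No Task File"), Group Policy software restrictions aimed at security products, services and drivers whose binary is missing (FRST marks those with [X]), and alternate data streams. As an added example (not from the thread, and not a feature of FRST itself), the script below parses lines in the formats FRST prints and separates those categories so a helper can review them before writing a fixlist. The sample log is constructed for the demo and the service/task names in it are invented; the line formats follow the ones quoted in this post.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) output lines.

Added example: not part of the thread and not an FRST feature. It reads
lines in the format FRST prints (Task:, S1/S2 service lines, Group Policy
restrictions, AlternateDataStreams) and separates the entries a helper
would look at first. The log below is constructed for the demo.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the FRST line formats quoted in the thread.
SAMPLE_LOG = r"""
HKLM Group Policy restriction on software: C:\ProgramData\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\ProgramData\Microsoft\Microsoft Antimalware <====== ATTENTION
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
S2 examplesvc; "C:\windows\system32\rundll32.exe" "c:\program files (x86)\example\AssistantSvc.dll",service
Task: {11111111-2222-3333-4444-555555555555} - System32\Tasks\Example Updater => C:\Program Files (x86)\Example\updater.exe <==== ATTENTION
Task: {66666666-7777-8888-9999-000000000000} - \OrphanTask No Task File <==== ATTENTION
Task: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - System32\Tasks\Vendor Scan => C:\Program Files\Vendor\scan.exe
AlternateDataStreams: C:\Users\Example\AppData\Local:init
S1 abcdwxyz; \??\C:\windows\system32\drivers\abcdwxyz.sys [X]
"""

ATTENTION_RE = re.compile(r"\s*<=+\s*ATTENTION\s*$")      # FRST's own flag suffix
TASK_RE = re.compile(r"^Task: \{([0-9A-Fa-f-]+)\} - (.*)$")
SERVICE_RE = re.compile(r"^([SR]\d) ([^;]+); (.*)$")       # S2 name; image path
GROUP_POLICY_RE = re.compile(r"^HKLM Group Policy restriction on software: (.*)$")
ADS_RE = re.compile(r"^AlternateDataStreams: (.*)$")

# Substrings that identify security products in a Group Policy restriction path.
SECURITY_VENDORS = ("malwarebytes", "antimalware", "mcafee", "avast", "defender")


@dataclass
class Finding:
    kind: str            # task | service | driver | group_policy | ads | other
    raw: str
    flagged: bool        # FRST appended "<==== ATTENTION"
    name: str = ""
    target: str = ""
    orphan: bool = False        # task registered but its task file is gone
    missing_file: bool = False  # service/driver image marked [X] by FRST


def parse_line(line):
    """Classify one FRST line; returns None for blank lines."""
    raw = line.rstrip()
    if not raw:
        return None
    flagged = bool(ATTENTION_RE.search(raw))
    body = ATTENTION_RE.sub("", raw)
    m = TASK_RE.match(body)
    if m:
        rest = m.group(2)
        if rest.endswith(" No Task File"):
            return Finding("task", raw, flagged, name=rest[: -len(" No Task File")], orphan=True)
        name, _, target = rest.partition(" => ")
        return Finding("task", raw, flagged, name=name, target=target)
    m = SERVICE_RE.match(body)
    if m:
        _, name, target = m.groups()
        kind = "driver" if re.search(r"\.sys\b", target, re.I) else "service"
        return Finding(kind, raw, flagged, name=name, target=target,
                       missing_file=target.endswith("[X]"))
    m = GROUP_POLICY_RE.match(body)
    if m:
        return Finding("group_policy", raw, flagged, target=m.group(1).strip())
    if body.startswith("GroupPolicy:"):
        return Finding("group_policy", raw, flagged, name=body)
    m = ADS_RE.match(body)
    if m:
        return Finding("ads", raw, flagged, target=m.group(1))
    return Finding("other", raw, flagged)


def parse_frst(text):
    return [f for f in (parse_line(l) for l in text.splitlines()) if f is not None]


def orphaned_tasks(findings):
    """Task names whose task file is missing: leftovers of removed adware."""
    return [f.name for f in findings if f.kind == "task" and f.orphan]


def security_software_blocked(findings):
    """Group Policy software-restriction paths pointing at security products."""
    return [f.target for f in findings
            if f.kind == "group_policy" and any(v in f.target.lower() for v in SECURITY_VENDORS)]


def needs_attention(findings):
    """Raw lines a helper would review first for a fixlist."""
    return [f.raw for f in findings if f.flagged or f.orphan or f.missing_file]


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_frst(SAMPLE_LOG)
    print("counts:", summarize(found))
    print("orphaned tasks:", orphaned_tasks(found))
    print("security software blocked by policy:", security_software_blocked(found))
    for line in needs_attention(found):
        print("REVIEW:", line)
```

Group Policy restrictions that name Malwarebytes, Microsoft Antimalware or McAfee are worth singling out because they are not something a user sets: they keep the security tools from running and are a reliable sign that a removal will take more than one pass.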

REDACTED

  • Guest
Re: Constant WebShield popups
« Reply #4 on: July 31, 2014, 06:23:22 PM »
Thanks so much. Fixlog attached... ComboFix did not seem to generate a log (checked C:, did a search, etc.).

Still seeing alert pop-ups, still unable to get to Avast forums on infected PC.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Constant WebShield popups
« Reply #5 on: July 31, 2014, 06:30:36 PM »
OK, I will need to do this a different way.

Run FRST.
In the search box type the following:

rpcss.dll

Then press search files.

On completion it will generate a search.txt; please post that.

REDACTED

  • Guest
Re: Constant WebShield popups
« Reply #6 on: July 31, 2014, 06:44:34 PM »
Attached.

Not sure if relevant, but I *think* ComboFix created a 32788R22FWJFW folder in C: (with a screen icon). If you click it you basically get the same behavior as if you had clicked Computer from the Start menu (i.e., it lists your drives).

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Constant WebShield popups
« Reply #7 on: July 31, 2014, 07:12:33 PM »
OK, let's now replace that file.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote

Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll
REBOOT:

 
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
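The Replace: directive above restores the system's rpcss.dll from the copy kept in the WinSxS component store. The check a defender wants around such a step is whether the live System32 file actually matches a stored copy, before the replacement (to confirm it was altered) and after (to confirm the restore took). The script below is an added example, not part of the thread or of FRST: it hashes the live file and every same-named file in component directories whose name contains a hint such as "rpcss", and reports matches and mismatches. The System32/winsxs layout, the component directory names and the file bytes are constructed stand-ins created in a temporary folder so the script runs anywhere; on a real machine you would point it at the actual System32 file and winsxs folder instead.

```python
"""Check a live system file against the copies kept in the WinSxS component store.

Added example, not from the forum thread or FRST. The directory layout
and file bytes below are constructed stand-ins built in a temp folder,
so the script runs anywhere; point it at the real System32 file and
winsxs folder to use it for real.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def winsxs_copies(winsxs_root, file_name, component_hint=""):
    """Every file named file_name directly under a component directory whose
    name contains component_hint (e.g. 'rpcss')."""
    hits = []
    for comp_dir in sorted(Path(winsxs_root).iterdir()):
        if comp_dir.is_dir() and component_hint.lower() in comp_dir.name.lower():
            candidate = comp_dir / file_name
            if candidate.is_file():
                hits.append(candidate)
    return hits


def check_system_file(live_path, winsxs_root, component_hint=""):
    """Compare the live file's hash with each stored copy. A live file that
    matches no stored copy deserves a closer look (or, as in the thread, a Replace:)."""
    live_path = Path(live_path)
    live_hash = sha256_of(live_path)
    report = {"file": str(live_path), "live_sha256": live_hash,
              "matches": [], "mismatches": []}
    for copy in winsxs_copies(winsxs_root, live_path.name, component_hint):
        bucket = "matches" if sha256_of(copy) == live_hash else "mismatches"
        report[bucket].append(str(copy))
    return report


def build_demo_tree():
    """Constructed stand-in for System32 and winsxs (the bytes are not real DLLs)."""
    base = Path(tempfile.mkdtemp(prefix="sxs_demo_"))
    system32 = base / "System32"
    winsxs = base / "winsxs"
    # Constructed component directory names in the WinSxS naming style.
    component = winsxs / "amd64_example-rpcss_0000000000000000_6.1.7601.17514_none_0000000000000000"
    unrelated = winsxs / "amd64_example-other_0000000000000000_6.1.7601.17514_none_1111111111111111"
    for d in (system32, component, unrelated):
        d.mkdir(parents=True)
    (component / "rpcss.dll").write_bytes(b"MZ constructed stand-in for the stored rpcss.dll")
    (unrelated / "other.dll").write_bytes(b"MZ constructed unrelated component")
    # The live copy differs from the stored one, as a modified file would.
    (system32 / "rpcss.dll").write_bytes(b"MZ constructed stand-in for a tampered rpcss.dll")
    return base


def demo():
    """Run the check before and after restoring the stored copy; returns both reports."""
    base = build_demo_tree()
    live = base / "System32" / "rpcss.dll"
    before = check_system_file(live, base / "winsxs", "rpcss")
    # Same effect as the FRST Replace: directive: copy the stored file over the live one.
    shutil.copyfile(before["mismatches"][0], live)
    after = check_system_file(live, base / "winsxs", "rpcss")
    shutil.rmtree(base)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before:", len(b["matches"]), "match(es),", len(b["mismatches"]), "mismatch(es)")
    print("after: ", len(a["matches"]), "match(es),", len(a["mismatches"]), "mismatch(es)")
```

A hash match against the component store only says the live file equals a stored copy; it does not by itself prove that copy is genuine, so on a real machine pair this with the file's Authenticode signature check.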

REDACTED

  • Guest
Re: Constant WebShield popups
« Reply #8 on: July 31, 2014, 07:27:15 PM »
Attached.

Still can't connect to the Avast forums (server not found error), but the WebShield pop-ups seem to have stopped.

Actually, having trouble getting pretty much anywhere other than Google... go to CNN and it appears to be stuck on the ad server lookups, then the page will load very slowly without CSS.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Constant WebShield popups
« Reply #9 on: July 31, 2014, 08:25:57 PM »
OK, that is the major bad boy killed; could I now have a fresh FRST scan, and I will look at the net problem.

REDACTED

  • Guest
Re: Constant WebShield popups
« Reply #10 on: July 31, 2014, 08:37:08 PM »
Thanks, attached:

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Constant WebShield popups
« Reply #11 on: July 31, 2014, 08:46:04 PM »
What do you know about this programme?

Killer Network Manager


CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
Task: {A90041E0-F7B9-484A-813C-FDF3420420E3} - \BrowserSafeguard Update Task No Task File <==== ATTENTION
Task: {EABA3A9A-05FF-4D00-A873-CD098D203673} - \ShopperPro No Task File <==== ATTENTION
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

 
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

REDACTED

  • Guest
Re: Constant WebShield popups
« Reply #12 on: July 31, 2014, 09:12:42 PM »
Attached.

Killer Network Manager is, I guess, part of the Qualcomm Atheros Performance Suite, which appears to have been installed by the laptop manufacturer.
http://www.shouldiremoveit.com/Qualcomm-Atheros-Killer-Network-Manager-9853-program.aspx

Web performance is still the same, server not found error for the Avast forums (search Google, find forums, click link, eventual server not found error).
« Last Edit: July 31, 2014, 09:14:13 PM by mattseidl »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Constant WebShield popups
« Reply #13 on: July 31, 2014, 09:26:10 PM »
OK, could you re-run ComboFix please, and allow it to update if it asks.

REDACTED

  • Guest
Re: Constant WebShield popups
« Reply #14 on: July 31, 2014, 09:54:01 PM »
Sure, thanks for all your help so far.

This time it generated a log: