Topic: Bad Infection


REDACTED

  • Guest
Bad Infection
« on: August 04, 2014, 05:59:37 PM »
Hi,

Started off with lots of messages from Avast saying that a threat had been detected, even when no browser was open. Did a scan, didn't change anything. Updated Malwarebytes, did a scan, cleaned up a whole bunch of things, still didn't stop. Checked some forums, ran AdwCleaner and then Junkware Removal Tool. Still didn't fix it. Did a system restore to a week ago and when it restarted it said the restore had failed. Avast wasn't working (started after about 5 minutes) and when I tried to re-update Malwarebytes I got an error. Tried downloading Malwarebytes again and the download wouldn't work. Started it in Safe Mode, then realised that going straight for Malwarebytes might not be the best option. Checked the forums, came back into normal mode to do the Farbar scan and the icons down the bottom are still like they are in Safe Mode.

Pretty sure that's everything I did in order. Also pretty sure it all started from my bf's phone when he plugged it in to download some music onto the laptop.

Have attached the FRST logs.

Appreciate your help.

Helen

Offline Pondus

  • Probably Bot
  • Posts: 37529
  • Not a avast user
Re: Bad Infection
« Reply #1 on: August 04, 2014, 06:03:33 PM »
Do you have the Malwarebytes log so that we can see what was detected/removed...

Removal team is notified

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Bad Infection
« Reply #2 on: August 04, 2014, 06:08:24 PM »
Could you attach a screenshot of the Avast alert please

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
Startup: C:\Users\Helen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rhlgurysmfppydqrhya.lnk
ShortcutTarget: rhlgurysmfppydqrhya.lnk -> C:\Users\Helen\AppData\Local\Temp\ayhrqdyppfmsyruglhr.bfg (No File)
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://websearch.searchannel.info/?pid=686&r=2013/07/12&hid=186262777&lg=EN&cc=AU&unqvl=24
URLSearchHook: HKLM-x32 - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
URLSearchHook: HKCU - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=461&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=9576432719124120&q={searchTerms}
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2102} URL = http://dts.search-results.com/sr?src=ieb&appid=100&systemid=102&sr=0&q={searchTerms}
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=461&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=9576432719124120&q={searchTerms}
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2102} URL = http://dts.search-results.com/sr?src=ieb&appid=100&systemid=102&sr=0&q={searchTerms}
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=461&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=9576432719124120&q={searchTerms}
SearchScopes: HKLM-x32 - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.searchannel.info/?l=1&q={searchTerms}&pid=686&r=2013/07/12&hid=186262777&lg=EN&cc=AU&unqvl=24
SearchScopes: HKCU - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=461&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=9576432719124120&q={searchTerms}
SearchScopes: HKCU - {49606DC7-976D-4030-A74E-9FB5C842FA68} URL =
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2102} URL = http://dts.search-results.com/sr?src=ieb&appid=100&systemid=102&sr=0&q={searchTerms}
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=461&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=9576432719124120&q={searchTerms}
SearchScopes: HKCU - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.searchannel.info/?l=1&q={searchTerms}&pid=686&r=2013/07/12&hid=186262777&lg=EN&cc=AU&unqvl=24
BHO-x32: No Name -> {30F9B915-B755-4826-820B-08FBA6BD249D} ->  No File
BHO-x32: No Name -> {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} ->  No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKLM-x32 - No Name - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} -  No File
Toolbar: HKLM-x32 - No Name - {30F9B915-B755-4826-820B-08FBA6BD249D} -  No File
Toolbar: HKCU - No Name - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} -  No File
Toolbar: HKCU - No Name - {30F9B915-B755-4826-820B-08FBA6BD249D} -  No File
FF SearchEngineOrder.user_pref("browser.search.order.1,S", "WebSearch");: user_pref("browser.search.order.1,S", "WebSearch");
FF Extension: SaveSense - C:\Users\Helen\AppData\Roaming\Mozilla\Firefox\Profiles\nxr777bh.default\Extensions\{2fab2e94-d6f9-42de-8839-3510cef6424b} [2014-08-04]
2014-08-04 14:31 - 2014-08-04 14:31 - 00000000 ____D () C:\ProgramData\Reimage Protector
2014-08-04 14:31 - 2014-08-04 14:31 - 00000000 ____D () C:\Program Files\Reimage
2014-08-04 14:29 - 2014-08-04 15:12 - 00000000 ____D () C:\rei
2014-08-04 14:27 - 2014-08-04 15:12 - 00000000 ____D () C:\Users\Helen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SaveSense
2014-08-04 15:13 - 2013-02-17 13:42 - 00000000 ____D () C:\Users\Helen\AppData\Local\Torch
2014-08-04 15:12 - 2014-08-04 14:27 - 00000000 ____D () C:\Users\Helen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SaveSense
C:\ProgramData\rhlgurysmfppydqrhya.bat
C:\ProgramData\rhlgurysmfppydqrhya.reg
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

 
Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
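The fixlist above removes three kinds of entry: registry items pointing at files that no longer exist ("No File"), search scopes whose provider is not a real search engine, and a Startup shortcut whose target sits in the user's Temp folder. As an added example, not code from the thread or from FRST, here is a small Python triage that flags those same three patterns in FRST-style log lines; the sample lines are constructed from the fixlist, and the search-engine allowlist and the Bing GUID are assumptions made here.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the FRST lines in the fixlist above; the Bing
# entry and its GUID are made up here so one benign scope passes the check.
SAMPLE_LOG = r"""
Startup: C:\Users\Helen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rhlgurysmfppydqrhya.lnk
ShortcutTarget: rhlgurysmfppydqrhya.lnk -> C:\Users\Helen\AppData\Local\Temp\ayhrqdyppfmsyruglhr.bfg (No File)
SearchScopes: HKCU - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&q={searchTerms}
SearchScopes: HKCU - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.searchannel.info/?l=1&q={searchTerms}
SearchScopes: HKCU - {00000000-1111-2222-3333-444444444444} URL = https://www.bing.com/search?q={searchTerms}
BHO-x32: No Name -> {30F9B915-B755-4826-820B-08FBA6BD249D} ->  No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
"""

# Assumed allowlist of hosts a browser should be using as a search provider.
KNOWN_SEARCH_HOSTS = {"www.bing.com", "www.google.com", "duckduckgo.com"}
# Startup shortcuts resolving into these folders are typical dropper launchers.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\programdata\\")

def classify(line):
    """Return (finding, detail, line) tuples for one FRST-style entry."""
    kind, _, rest = line.partition(": ")
    kind, rest = kind.strip(), rest.strip()
    findings = []
    # Entry pointing at a file that no longer exists: leftover, worth cleaning.
    if rest.endswith(("No File", "(No File)")):
        findings.append(("orphan", kind, line))
    # Search scope whose provider host is not a known search engine.
    if kind == "SearchScopes":
        m = re.search(r"URL = (\S+)", rest)
        if m:
            host = urlparse(m.group(1)).hostname or ""
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(("search-hijack", host, line))
    # Startup shortcut whose target lives in Temp or ProgramData.
    if kind == "ShortcutTarget":
        target = rest.split(" -> ", 1)[-1]
        if any(marker in target.lower() for marker in TEMP_MARKERS):
            findings.append(("temp-launcher", target, line))
    return findings

def scan(text):
    # Classify every non-blank line of an FRST-style log.
    return [f for line in text.splitlines() if line.strip() for f in classify(line)]

def summarize(text):
    # Count findings by type, e.g. {'orphan': 3, 'search-hijack': 2, ...}.
    counts = {}
    for finding, _, _ in scan(text):
        counts[finding] = counts.get(finding, 0) + 1
    return counts
```

Running scan(SAMPLE_LOG) reports the orphaned shortcut, BHO and toolbar, the two hijacked search scopes, and the Temp-based launcher, while the Bing scope passes.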

REDACTED

  • Guest
Re: Bad Infection
« Reply #3 on: August 04, 2014, 06:08:46 PM »
Thank you.

Unfortunately, I think the Malwarebytes log was destroyed with the system restore.

REDACTED

  • Guest
Re: Bad Infection
« Reply #4 on: August 04, 2014, 06:10:49 PM »
Avast alerts have stopped.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Bad Infection
« Reply #5 on: August 04, 2014, 06:12:10 PM »
OK run the fix then and let me know how the system is behaving

REDACTED

  • Guest
Re: Bad Infection
« Reply #6 on: August 04, 2014, 06:21:03 PM »
The websites from the Avast warnings were hxxp://cdnrep.reimage.com/protector/ProtectorPackage2004x64.exe and hxxp://i2.superstoragemy.com/addons/agup.exe

REDACTED

  • Guest
Re: Bad Infection
« Reply #7 on: August 04, 2014, 06:27:50 PM »
Attached is the Adwcleaner log. The bar across the bottom still looks like it does in safe mode.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Bad Infection
« Reply #8 on: August 04, 2014, 06:33:31 PM »
Try to reset the resolution


Open Display Settings by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, clicking Personalization, and then clicking Display Settings.

Under Resolution, move the slider to the resolution you want, and then click Apply.


REDACTED

  • Guest
Re: Bad Infection
« Reply #9 on: August 04, 2014, 06:40:28 PM »
Yeah, that doesn't really change it. The text is different, as Windows is opening and closing too. Not a big deal, it just seems off.

REDACTED

  • Guest
Re: Bad Infection
« Reply #10 on: August 04, 2014, 06:45:13 PM »
Malwarebytes is still doing weird stuff as well. I tried to open it, came up with the same error. Tried to download it again and it wouldn't install, since it was already installed. Tried to uninstall it, wouldn't do it.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Bad Infection
« Reply #11 on: August 04, 2014, 06:51:40 PM »
Download mbamclean from here http://www.malwarebytes.org/mbam-clean.exe to your desktop and run it.
A reboot will be needed.

Then re-install malwarebytes and let me know how it is behaving

REDACTED

  • Guest
Re: Bad Infection
« Reply #12 on: August 04, 2014, 07:25:55 PM »
Downloaded and installed perfectly. Did a scan, log attached.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Bad Infection
« Reply #13 on: August 04, 2014, 07:32:20 PM »
Any further problems?

I would recommend that you install this for next time the phone is plugged in :)

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

Plug in the drive and MCShield will start a scan

Then get the log which will be located under the logs tab on the main page

And post that

REDACTED

  • Guest
Re: Bad Infection
« Reply #14 on: August 04, 2014, 07:34:40 PM »
Will do.

Thank you so much for your help and for your time. You are so amazing to do this for people!