11 blocked webpages/files after scans

With browser open or closed, Web Shield is giving pop-ups for 11 pages flagged as being harmful. Before posting any logs or downloading further software I thought I’d start off with what’s been done so far and await your advisement.

I’m working with a Presario CQ57 running Windows 7. I have downloaded and run the following, in the order listed:

Malwarebytes
Avast Free
Spybot
Wise Program Uninstaller
Slim Computer

Over 170 items were found, including Trojan.BHO, Trojan.Agent.EXPD1, Trojan.Agent, 2 adware, numerous PUPS. Not everything could be fixed or cleaned.

The following programs and extensions have been uninstalled/removed:
xparanormal detecter
iMesh
We care.com (uninstaller needed as a file was missing)
Norton preinstalled trial antivirus
shop on - coupon drop down (maybe)

The following pages are noted in Web Shield’s pop-ups as being harmful and, due to settings, are preventing the internet from staying connected.

URL: Mal
C:\Windows\System32\Svchost.exe
Object(s):

I am also getting a task host window at shutdown stating a background program is waiting to shut down, however, no program is noted in the pop-up. The PC seems to be running slow in my opinion.

At this point I have not checked to see if the Shop On Coupon Drop Downs have ceased. I’m cool with the blocking if indeed they need to be, but am puzzled as to why Webshield detects them before the browser (FF) is even opened and why do the pop-ups never stop. I’m not sure how to proceed, please advise.
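
Added example (not part of the original post): a small triage script for blocked-request alerts like the ones this post describes. It groups entries by requesting process and URL path and reports a non-browser process that reaches several distinct hosts with the same path. The "process | URL" line layout, the browser list, the threshold and all sample hosts and paths are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: browsers whose traffic is expected; extend for your environment.
BROWSERS = {"firefox.exe", "iexplore.exe", "chrome.exe"}

# Constructed sample in an assumed "process path | blocked URL" layout.
# Hosts use the reserved .test top-level domain; paths are made up.
SAMPLE = [
    r"C:\Windows\System32\svchost.exe | host-a.example.test/job/1111",
    r"C:\Windows\System32\svchost.exe | host-b.example.test/job/1111",
    r"C:\Windows\System32\svchost.exe | http://host-c.example.test/job/1111",
    r"C:\Windows\System32\svchost.exe | host-d.example.test/status/22",
    r"C:\Program Files\Mozilla Firefox\firefox.exe | shop.example.test/index.html",
    r"C:\Program Files\Mozilla Firefox\firefox.exe | news.example.test/index.html",
    "malformed line without separator",
]


def parse(line):
    """Return (process name, host, path) for one alert line, or None."""
    process, sep, url = line.partition("|")
    if not sep:
        return None
    url = url.strip()
    if "://" not in url:  # alert text often omits the scheme
        url = "http://" + url
    parts = urlsplit(url)
    name = process.strip().replace("\\", "/").rsplit("/", 1)[-1].lower()
    host = (parts.hostname or "").lower()
    return (name, host, parts.path or "/") if name and host else None


def shared_path_clusters(lines, min_hosts=3):
    """Group by (process, path); keep groups from non-browser processes
    that reach at least min_hosts distinct hosts with the same path."""
    hosts = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec[0] not in BROWSERS:
            hosts[(rec[0], rec[2])].add(rec[1])
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for (proc, path), found in shared_path_clusters(SAMPLE).items():
        print(f"{proc} requested {path} on {len(found)} hosts: {', '.join(found)}")
```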

[*]Step #1 Scan with OTL
[*]Please download OldTimer’s Listit from one of the following locations and save it to your Desktop.
Download Link 1
Download Link 2
Download Link 3
[*]Copy and Paste the following code inside the Custom Scans/Fixes box;

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
dir "%systemdrive%\*" /S /A:L /C
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

[*]Click the Quick Scan button;
[*]After the scan two logs will be produced;
[*]Attach the logs in your next reply


[*]Required Log(s):
[*]OTL Log(s) –
[list][*]OTL.txt;
[*]Extras.txt
[/list]

Regards,
Valinorum

OTL ran … Logs attached as requested

Hi,
I have submitted my fix and will post it here after an expert’s approval. Thank you for your forbearance. :slight_smile:

Hi nowizard, :slight_smile:

I see you have SpyBot Search & Destroy installed in your system. One of its features known as TeaTimer sometimes creates issues with our fix(es). Please go to this thread and navigate to SpyBot section to temporarily disable TeaTimer. You need to disable it every time you run a fix. I’d recommend you to uninstall SpyBot for now and re-install once I clean your PC but either way is fine with me as long as the fix works unhindered.

Also, you are running OTL.exe from a flash-drive. In future, always run them from your Desktop unless told otherwise.


[*]Step #2 Uninstall Programs
I want you to uninstall the following program(s) listed below due to poor reputation we receive about them. To uninstall a program, go to Start > Control Panel > Uninstall a program or Start > Control Panel > Programs and Features. Wait for the list to fill up and double-click on the items I have listed below and follow the on-screen instruction to remove/uninstall them.

[*]MyPC Backup;
[*]SlimComputer


[*]Step #3 Fix with OTL
[*]Re-run OTL by right clicking and choosing Run as administrator;
[*]Under the Custom Scans/Fixes Box copy and paste the following contents inside the code box.

:Commands
[createrestorepoint]

:OTL
SRV - [2014/01/27 08:35:28 | 000,036,392 | ---- | M] (Just Develop It) [Auto | Running] -- C:\Program Files (x86)\MyPC Backup\BackupStack.exe -- (BackupStack)
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.55searchengines.com/?hp=G5&opts=no&d=2014-01-23&hpa=yes
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.55searchengines.com/?hp=G5&opts=no&d=2014-01-23&hpa=yes
IE:64bit: - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=CPNTDF
IE:64bit: - HKLM\..\SearchScopes\{AE986AAE-21E4-49ED-8A99-6C9A7E4FF4D9}: "URL" = http://www.55searchengines.com/?tag=abs&q={searchTerms}
IE - HKLM\..\SearchScopes\{110a9ea2-8810-4c04-b916-cfd4e9427fec}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZXxdm039YYus&ptnrS=ZXxdm039YYus&si=radiopi&ptb=5DBCFB26-5ABC-4983-A650-8CB66082B5EC&ind=2012050720&n=77ed7520&psa=&st=sb&searchfor={searchTerms}
IE - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://search.ask.com/web?q={searchterms}&l=dis&o=CPNTDF
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.55searchengines.com/?hp=G5&opts=no&d=2014-01-23&hpa=yes
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4F524A2D-5637-4300-76A7-7A786E7484D7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
[2014/04/17 15:34:20 | 000,000,000 | ---D | C] -- C:\Users\margaret\AppData\Local\SlimWare Utilities Inc
[2014/04/17 15:33:19 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SlimComputer
[2014/04/17 15:33:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SlimComputer
[2014/04/08 19:04:52 | 000,000,000 | ---- | M] () -- C:\END
[2012/05/12 17:42:07 | 000,000,000 | ---D | M] -- C:\Users\margaret\AppData\Roaming\MusicOasis
[2014/02/03 21:12:55 | 000,000,000 | ---D | M] -- C:\Users\margaret\AppData\Roaming\WildTangent
[2014/04/08 18:53:48 | 000,000,079 | ---- | M] () -- C:\Windows\SysNative\zqxz.itl
[2014/04/07 07:52:08 | 000,000,064 | ---- | M] () -- C:\Windows\SysNative\vewluxl.isf
[2014/04/07 07:52:08 | 000,000,000 | ---- | M] () -- C:\Windows\SysNative\fxltqt.mgw
[2014/04/07 07:35:42 | 000,305,834 | --S- | M] () -- C:\Windows\SysNative\cyqe.trq

:Commands
[emptytemp]
[resethosts]

[*]Click on “Run Fix” and let the program run unhindered;
[*]Your PC will reboot automatically and a log will be opened;
[*]Please attach it in your next reply.


[*]Step #4 Run ComboFix
Download ComboFix by sUBs from one of the suitable locations listed below and save it to your Desktop.
Download Link #1
Download Link #2
Download Link #3

Warning
Please acknowledge this warning beforehand. The tool, ComboFix, is an extremely powerful malware removal tool, if not one of the most powerful tools ever created. In the hands of an inept person, or through a simple mistake, it can render your machine un-bootable. Peruse every step I listed below unless you want a dreadful occurrence.
***

[*]Disable your security software. For more information, peruse this thread;
[*]Right-click and choose Run as administrator to run the program.
[*]As a built-in process, ComboFix will check if your system has Microsoft Windows Recovery Console installed. Let ComboFix download and install Microsoft Windows Recovery Console.
[list][*]It requires an active internet connection.
[*]If your system already has Microsoft Windows Recovery Console installed, this step will be skipped
[*]ComboFix will now scan your system for malwares and will attempt to remove them.
Note: ComboFix performs fifty steps during this fix. Please be patient.
[*]After the scan your system will reboot and a log will be produced. The log is automatically saved in C:\ComboFix.txt.
[*]Attach the log in your next reply.[/list]

[*]Crucial Notes:
[*]Do not mouse-click while ComboFix is running as it may stall.
[*]Do not re-run ComboFix if you face a problem. Ask for my instruction here.
[*]ComboFix will make Internet Explorer your default browser and will change a number of different Internet Explorer settings.
[*]ComboFix prevents autorun functions of all CD and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell me.
[*]It is possible that ComboFix, even on its first run, may have fixed the problems you are having. We strongly suggest that you still post your log into the topic that you are receiving help as you most likely will have infections left over that your helper will need to analyze further.
[*]ComboFix will disconnect your system from internet for security measures. The connection is automatically restored after the scan but if it does not, it can be restored by rebooting the PC.


[*]Required Log(s):
[*]OTL Fix Log;
[*]ComboFix Log

Regards,
Valinorum

Uninstalled…Spybot, MyPC Backup and Slim Computer per recommendation.
Ran OTL and ComboFix from desktop…logs attached.

Noticed the PC time is incorrect. Have not adjusted yet.

I appreciate your help, Valinorum!

While I analyze your logs, please go here and follow the procedure Synchronizing with an Internet time server to adjust your clock.

Hi,
I have submitted my fix and will post it here after an expert’s approval. Thank you for your forbearance. :slight_smile:

Hi nowizard, :slight_smile:

[*]Step #5 Run ComboFix Script
Make sure that you still have Combofix on your Desktop. If not, download it from here.
[*]Open Notepad.exe. Do not use any other text editor software;
[*]Copy and Paste the contents inside the code-box to your Notepad

http://forum.avast.com/index.php?topic=149180.msg1083820#new
Collect:: 
C:\Windows\system32\zqxz.itl
C:\Windows\system32\vewluxl.isf
C:\Windows\system32\fxltqt.mgw
C:\Windows\system32\cyqe.trq

Suspect::
c:\windows\system32\rpcss.dll

FCopy::
c:\windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll | c:\windows\system32\rpcss.dll

[*]Click on File > Save as…
[list][*]Inside the File Name box type CFScript.txt
[*]From the Save as type drop down list, choose All Files
[*]Save the file to your Desktop;
[*]Make sure your security programs are disabled while performing the actions. If you have difficulties, peruse this thread;
[*]Drag CFScript.txt into ComboFix.exe as shown in the screenshot below –

http://users.telenet.be/bluepatchy/miekiemoes/images/CFScript.gif
[/list]
ComboFix will now run a scan on your system. After the scan finishes, it will execute the script and reboot your computer automatically. Don’t reboot your computer manually, let ComboFix do it. Once your computer is rebooted, ComboFix will start preparing a log. Please let it do so unhindered. After a few minutes, it shall produce a log for you.
[*]Please attach the C:\ComboFix.txt in your next reply.


[*]Required Log(s):
[*]ComboFix log

Regards,
Valinorum
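
Added example (not part of the original post and not ComboFix's own logic): a check one could run before and after a script like the one above, which names a system32 copy of rpcss.dll and a WinSxS copy of the same file. It hashes the live file and every same-named file under a store directory and reports whether the live file is identical to any of them. The function names are hypothetical, and the expectation that an unmodified system32 file matches one store copy is an assumption of this example.

```python
import hashlib
import sys
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_with_store(live_file, store_root):
    """Hash live_file and every same-named file under store_root.

    Returns the live hash plus sorted lists of store paths: 'matching'
    (identical content) and 'differing' (other versions or changes).
    """
    live = Path(live_file)
    live_hash = sha256_of(live)
    result = {"live_sha256": live_hash, "matching": [], "differing": []}
    for candidate in Path(store_root).rglob("*"):
        # Compare names case-insensitively, as Windows does.
        if not candidate.is_file() or candidate.name.lower() != live.name.lower():
            continue
        try:
            same = sha256_of(candidate) == live_hash
        except OSError:
            continue  # unreadable store entry: skip rather than abort
        result["matching" if same else "differing"].append(str(candidate))
    result["matching"].sort()
    result["differing"].sort()
    return result


def verdict(result):
    """Assumption: an unmodified live file equals at least one store copy."""
    if result["matching"]:
        return "live file matches a component-store copy"
    if result["differing"]:
        return "live file matches no store copy: review before trusting it"
    return "no store copy found: nothing to compare against"


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <live file> <store root>
        report = compare_with_store(sys.argv[1], sys.argv[2])
        print(report["live_sha256"], verdict(report))
```

The store can hold several versions of one file, so entries under "differing" are expected; the result to look at is whether "matching" is empty.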

I was not aware Combofix would need access to the internet prior to running it. When prompted to connect, the browser would not launch the “terms of agreement” page for the public location I was at in order to gain access, thus giving me the following message…
“Webserver appears to be temporarily inaccessible. …Combofix created a submission form located at: *C:\CF-submit.htm. Please use that to manually upload it later.” – I have not followed up with that at the time of this post and will not be able to until late tomorrow.

The log is attached. Clock has been reset.

Thanks again for your assistance. It is greatly appreciated.

Hi,
Normally ComboFix does not need to connect to the internet. But you have a new variant of malware and I used the tool’s directive to submit the sample to its developer. Please use the form to manually submit the files and reset your clock as instructed earlier. How is your PC running?

Hi nowizard, :slight_smile:
How is your PC running?


[*]Step #6 Scan with Malwarebytes’ Anti-Malware
[*]Download Malwarebytes’ Anti-Malware from the suitable link below –
[list][*]Download Link #1
[*]Download Link #2
[*]Download Link #3
[*]Double-click mbam-setup.exe to install the application.
[*]Before clicking Finish perform the following actions –
[*]Un-check the box beside Enable free trial of Malwarebytes Anti-Malware Premium.
[*]Check the box beside Launch Malwarebytes Anti-Malware
[*]Once the program has loaded, The MBAM dashboard will appear with an alert to update - click the green button Update Now;
[*]Click on Setting
[*]Navigate to the tab Detection and Protection and check all the boxes under Detection Options
[*]From the Dashboard click on Scan Now;
[*]If threats are detected click on Apply actions. If the program asks to reboot your PC, let it do so;
[*]On completion of the scan click on View Detailed Log after that click on Export Button, select Text File and save the log to your Desktop;
[*]Attach the log in your next reply.[/list]


[*]Step #7 ESET Online Scanner
Disable your security programs, which include but are not limited to anti-virus, anti-malware, anti-spyware et cetera. Peruse this for additional information.
[*]Go here from Internet Explorer and click on Run ESET Online Scanner.
[list][*]Note: If you use any browser other than Internet Explorer, you will have to download and install esetsmartinstaller_enu.exe when prompted to run the scan.
[*]Accept their terms and condition and proceed.
[*]Install Add-On/Active X if prompted.
[*]From the Computer Scan Setting
[*]Uncheck the box beside Remove Found Threats;
[*]Check the box beside Scan archives
[*]Click on Advanced Setting and check the following boxes–
[*]Scan for potentially unwanted applications
[*]Scan for potentially unsafe applications
[*]Enable Anti-Stealth Technology
[*]Click on Start and wait for the virus signature database to update.
[*]The online scan will begin automatically and can take several hours.
[*]Note: Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.
[*]After the Scan finishes –
[*]If no threats were found:
[list][*]Put a checkmark in Uninstall application on close.
[*]Close the program and report that nothing was found
[*]If threats were found:
[*]Navigate to the log file located at C:\Program Files\ESET\ESET Online Scanner\log.txt (32-bit) or C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt (64-bit).
[*]Attach the log file in your next reply.[/list][/list]
Note: Enable your security programs afterwards.


[*]Required Log(s):
[*]Malwarebytes’ Anti-Malware Log;
[*]ESET Scan Log

Regards,
Valinorum

No longer have constant pop-up windows…shopping info, coupons or webshield. ;D

Was, however, having difficulty staying connected tonight. No obvious reason why it kept disconnecting.

Still a bit slow, in my opinion, on loading some programs and webpages. The latter may be due to low signal on the wireless connection, however, it has never caused issues in losing connectivity.

ESET is running now in FF. Could not get it to run in IE…the window was cut off. Could not access the start button.

Ran MBAM but am unable to send log at this time as it is on the PC running ESET. 8 items were detected and are quarantined. Will post log and ESET results tomorrow.

Keep up the good work.

Noticed the PC time is incorrect. Have not adjusted yet.
Check the CMOS battery. It may need to be replaced.

Eddy – thanks for the suggestion, but the time was incorrectly set for the wrong zone and was corrected at post #9.

I was not awake when ESET finished and a reboot from a Microsoft update had occurred so I did not see the results. The log showed only the issues that stemmed from trying to run it in IE. My understanding is that I can remove ESET via the Control Panel —> Add/Remove software, correct?

MBAM log is attached.

Thanks again for all your help.

The MBAM log file is not in your post. Please Re-attach

had just realized that myself and modified the post to include the MBAM log. Sorry about that.

Yes, you can remove ESET via Control Panel.

[*]Step #8 Scan with RogueKiller
[*]Download Rogue Killer from one of the suitable links below to your Desktop.
Download link for 32 bit system
Download link for 64 bit system
[*]Let the pre-scan finish. After that click on Scan;
[*]The scan won’t take long;
[*]A log has been created on your Desktop;
[*]Attach the content of the log in your next reply.


[*]Required Log(s):
[*]RogueKiller Log

Regards,
Valinorum

Problems…
The Laptop in discussion could not maintain connectivity this afternoon AND now it won’t connect at all.
Have been experiencing the intermittent connections for the past two days.

The RogueKiller link (64 bit) does not work. On the Laptop if I right click to open in new tab or window I get “could not establish connection” to localhost/RogueKillerX64.exe. To open in existing window I get the same but to page adlice.com tools.

I went to my desktop PC and right clicking gives me a blank tab. Open in existing window gives me the “could not establish connection” (adlice.com tools).

Also, I set display type to 125% on the Laptop but the font size on this forum is barely readable as in like 6 pt size, but other webpages are normal for the percentage set. Why is this forum so small?

Summary

  1. what is causing the connectivity issue
  2. hyperlink not working for RogueKiller
  3. Small font on forum
1) what is causing the connectivity issue
Did you consult with your ISP?
2) hyperlink not working for RogueKiller
The link is down. Use the following instead -- http://www.adlice.com/softs/roguekiller/RogueKillerX64.exe
3) Small font on forum
While on the forum press Ctrl + + to increase the display size.