Seems to be a common problem here at the minute… Got infected earlier with Win32:Dropper-gen. Avast managed to remove some; after that I managed to kill some of the processes it had running still and delete those, but I still keep getting warnings about me trying to access 64.111.211.158 and other redirects when clicking Google results.
Here is my log from OTS. ANY help is appreciated, essexboy’s mostly.
Hey there, you may have been infected by TDSS variant(s).
Please Download aswMBR from here http://public.avast.com/~gmerek/aswMBR.htm
1) Double click the aswMBR.exe to run it
2) Click the [Scan] button to start scan
3) On completion of the scan click [Save log], save it to your desktop and post in your next reply
Make sure to post your log.
If this doesn’t help, I will PM Essexboy to help you, so don’t worry ;D.
@ adamparker87
There appears to be some issues with the aswMBR scan and these .mui files being considered suspicious, essexboy has reported it as a probable false positive.
I also suspect it is a false positive and my guess would be the double file extension used on these files, e.g. .sys.mui. This old double file extension tactic used to be used back in the old days as a crude attempt to disguise the type of file it actually was. So the suspicious tag could be as simple as that, but I can’t say for certain.
This SUSPICIOUS File: C:\Windows\System32\drivers\wimmount.sys has been uploaded to a multi engine virus scanning site but that didn’t return any hits.
So for the moment don’t take any action with aswMBR or on these SUSPICIOUS files as it could harm your system.
I see from the aswMBR report you have a Sony Vaio laptop?
If correct it is possible that it has a means of restoring the system back to when you received it from the factory (recovery partition and console, etc.). This could account for the Unknown MBR code, as it could be a custom MBR to enable access to this recovery partition.
So it will require analysis from a qualified malware removal specialist.
That may well account for the unknown MBR code and that the redirections are coming from another area, that will need to be analysed from the OTS report you attached.
I have contacted essexboy, but he will still be at work now (3pm UK time); he should be on the forums around 7/8pm. Hopefully he will be able to analyse it then, as you can imagine he is quite busy. That was before this rash of 64.111.211.158 redirections, and they are using different tactics to evade detection and removal.
Well essexboy also assists on the geekstogo.com site where he is also one of the Instructors training new malware removal specialists. Since their forum is non-aligned to a particular product/company there may well be a donation link there.
But obviously essexboy as an avast user doesn’t do that in these forums, but he provides an invaluable specialist service here (along with a few select others). I don’t include myself in that number as I am no malware removal specialist, I know enough to know when to call others for help ;D
On completion of this, let me know if the alerts persist.
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY -> {22116563-108C-42c0-A7CE-60161B75E508}.job -> C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
NY -> {810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job -> C:\Windows\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
NY -> dbfydp.job -> C:\Windows\tasks\dbfydp.job
NY -> {BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job -> C:\Windows\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
[Files - No Company Name]
NY -> {BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job -> C:\Windows\tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
NY -> {22116563-108C-42c0-A7CE-60161B75E508}.job -> C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
NY -> {810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job -> C:\Windows\tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
NY -> dbfydp.job -> C:\Windows\tasks\dbfydp.job
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.
Noticing the heavy increase in these 64.111.211.158 redirections, now it appears that they are also using the Windows tasks and creation of jobs. Would this be a pre-emptive measure (whilst waiting for specialist help) to check for the presence of any scheduled tasks in the Windows Task Scheduler?
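As an added illustration of the check asked about above (this is not code from the thread, from essexboy, or from any of the tools mentioned), the following PowerShell snippet lists the legacy .job files in C:\Windows\Tasks, which is where the OTS log shows the GUID-named and dbfydp.job entries, and then queries every registered task via schtasks.exe so it also works on Windows 7. It prints any task whose "Task To Run" executable lies outside the Windows and Program Files directories. The set of "trusted" directories and the idea of flagging anything outside them are assumptions for illustration; the schtasks CSV column names used ("Task To Run", "Next Run Time", "Author") are the ones schtasks /Query /V /FO CSV emits. A hit is only a lead for a specialist to look at, not proof of infection.

```powershell
# Added example, not part of the original thread: survey scheduled tasks for review.
# Assumptions: tasks whose executable sits under Windows or Program Files are treated
# as "expected"; anything else is listed for a human to check. Adjust as needed.

$taskDir = Join-Path $env:SystemRoot 'Tasks'

# 1) Legacy job files (the OTS log in this thread shows .job entries in this folder).
Write-Host "== .job files in $taskDir =="
Get-ChildItem -Path $taskDir -Filter '*.job' -File -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime, Length |
    Format-Table -AutoSize

# 2) Every registered task, via schtasks.exe so this runs on Windows 7 as well as later.
$rows = schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv
# schtasks repeats the header row before each task folder; drop those duplicates.
$tasks = $rows | Where-Object { $_.TaskName -ne 'TaskName' }

# Directories treated as expected locations for task executables (assumption).
$trusted = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
    Where-Object { $_ } |
    ForEach-Object { $_.ToLowerInvariant() }

Write-Host "== tasks whose executable lies outside Windows / Program Files =="
foreach ($t in $tasks) {
    $cmd = $t.'Task To Run'
    # Skip entries with no command line (COM handler tasks show "COM handler" here).
    if (-not $cmd -or $cmd -match '^(COM handler|N/A)') { continue }

    # Extract just the executable: honour a quoted path, otherwise take the first token.
    $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
    $exeLower = $exe.ToLowerInvariant()

    $isTrusted = $false
    foreach ($dir in $trusted) {
        if ($exeLower.StartsWith($dir)) { $isTrusted = $true; break }
    }

    if (-not $isTrusted) {
        [PSCustomObject]@{
            TaskName = $t.TaskName
            NextRun  = $t.'Next Run Time'
            Author   = $t.Author
            Command  = $cmd
        }
    }
}
```

Run it from an elevated PowerShell prompt so schtasks can see tasks registered by other accounts. Tasks that legitimately run from a user profile (updaters, backup agents) will also appear, so the output is a list to read, not a list to delete; that judgement is exactly what the thread defers to the malware removal specialist.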
1) Double click mbam-setup.exe to install the application.
2) Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
3) If an update is found, it will download and install the latest version.
4) Once the program has loaded, select “Perform Quick Scan”, then click Scan.
5) The scan may take some time to finish, so please be patient.
6) When the scan is complete, click OK, then Show Results to view the results.
7) Make sure that everything is checked, and click Remove Selected.
8) When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
9) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
10) Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.