Another reddie.net et al Victim

I’m posting for help for a dear friend I’m trying to help remotely – somehow, her PC got completely invaded by PUPs, malware, and the like. Her PC seems functional again, but she’s continuing to get Avast warnings on startup (which I’ve seen remotely) and also periodically while she’s using her computer:

“Avast Web Shield has blocked a harmful webpage or file”

The alerts seem to vary with each boot & include reduled.info, epictory.com, reddie.net, blackfight.info, and blackled.info. There may be others I’ve not seen yet or managed to note.

I’m attaching the logs from Malwarebytes and FRST. I’ve not been able to successfully run aswmbr on her machine – I’ve tried three times and each time it seems to hang on her default Firefox profile (C:\Users\Pam\AppData\Roaming\Mozilla\Firefox\Profiles\whatever.default) after scanning that file in excess of 20 minutes. The most recent time was this morning, which caused a BSOD. Yikes.

Note: in case it’s needed, I’m also attaching the results of her first Malwarebytes scan dated 2015-05-03 that was done to try to get rid of the malware that couldn’t be removed through Control Panel, Programs – all those items were quarantined and then deleted by Malwarebytes.

Many, many thanks in advance for any assistance & guidance.

Could you let me know what problems remain after this?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-2257660048-3817784054-582483501-1000\...\MountPoints2: {eddba348-b9f4-11e3-a25e-806e6f6e6963} - D:\autorun.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2257660048-3817784054-582483501-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [S-1-5-21-2257660048-3817784054-582483501-1000] => Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-2257660048-3817784054-582483501-1000] => http=127.0.0.1:49384;https=127.0.0.1:49384
BHO: AOL Messaging Toolbar Loader -> {b0cda128-b425-4eef-a174-61a11ac5dbf8} -> C:\Program Files\AIM Toolbar\aimtb.dll No File
BHO-x32: No Name -> {b0cda128-b425-4eef-a174-61a11ac5dbf8} -> No File
FF Homepage: hxxp://theanimalrescuesite.greatergood.com/clickToGive/ars/home
CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3330120&octid=EB_ORIGINAL_CTID&ISID=MB470A597-EC7F-488F-BB73-0989A05ED37E&SearchSource=55&CUI=&UM=8&UP=SP934EFBB3-6EFD-405D-A203-BD91FEA2BC0A&D=050315&SSPV="
2015-05-04 13:59 - 2015-05-04 13:59 - 00000000 ____D () C:\Users\Pam\AppData\Roaming\No Company Name
2015-05-03 16:20 - 2015-05-04 19:01 - 00000000 ____D () C:\ProgramData\76b6bab6000068bc
2015-05-03 15:13 - 2015-05-04 19:01 - 00000000 ____D () C:\ProgramData\7a634ed200005c2f
2015-05-03 14:53 - 2015-05-04 17:49 - 00004304 _____ () C:\Windows\System32\Tasks\Installer_smk
2015-05-03 14:49 - 2015-05-04 19:01 - 00000000 ____D () C:\ProgramData\e8115ae0000002ee
2015-05-03 10:45 - 2015-05-03 16:09 - 00000000 ____D () C:\ProgramData\{95b2bace-848e-022c-95b2-2bace848eb3a}
2015-05-03 10:45 - 2015-05-03 10:45 - 00000000 ____D () C:\Users\Pam\AppData\Local\DiscoverBrowser
2015-05-03 10:44 - 2015-05-04 17:44 - 00004158 _____ () C:\Windows\System32\Tasks\Check Updates
2015-05-03 10:44 - 2015-05-03 15:00 - 00000000 ____D () C:\Program Files (x86)\user extensions
2015-05-03 10:44 - 2015-05-03 10:44 - 00000064 _____ () C:\Users\Pam\AppData\Local\a7948626858edca59b43cad5f0aa2c3f
2015-05-03 10:16 - 2015-05-04 14:58 - 00003454 _____ () C:\Windows\System32\Tasks\ProPCCleaner_Popup
2015-05-03 10:16 - 2015-05-04 14:58 - 00003190 _____ () C:\Windows\System32\Tasks\ProPCCleaner_Start
2015-05-03 10:16 - 2015-05-03 10:18 - 00000000 ____D () C:\Users\Pam\Documents\ProPCCleaner
2015-05-03 10:16 - 2015-05-03 10:16 - 00000000 ____D () C:\Users\Pam\AppData\Local\Pro_PC_Cleaner
2015-05-03 10:14 - 2015-04-27 21:39 - 00373864 _____ (Lavasoft Limited) C:\Windows\system32\LavasoftTcpService64.dll
2015-05-03 10:14 - 2015-04-27 21:39 - 00326288 _____ (Lavasoft Limited) C:\Windows\SysWOW64\LavasoftTcpService.dll
2015-04-07 10:20 - 2015-04-07 10:20 - 01054912 _____ (Adobe) C:\Users\Pam\Downloads\install_flashplayer17x32au_mssa_aaa_aih(2).exe
2015-04-06 17:57 - 2015-04-07 11:30 - 00000000 ____D () C:\ProgramData\T122078ED
2015-04-04 22:09 - 2015-04-04 22:09 - 00000000 ____D () C:\Users\Pam\Documents\Optimizer Pro
2015-05-03 10:44 - 2015-05-03 10:44 - 0000064 _____ () C:\Users\Pam\AppData\Local\a7948626858edca59b43cad5f0aa2c3f
Task: {010D8BA6-323D-479C-8558-BD4266A82D0B} - System32\Tasks\Installer_smk => C:\Users\Pam\AppData\Local\Installer\Installsmk_17310\DCytdkietut_tutdk_setup.exe
Task: {2D14C78C-C35F-4299-93B6-60F7915DC931} - System32\Tasks\ProPCCleaner_Start => C:\Program Files (x86)\Pro PC Cleaner\ProPCCleaner.exe <==== ATTENTION
Task: {4E55A7A1-7F9F-4CF7-B088-B9AC1DB8567D} - System32\Tasks\ProPCCleaner_Popup => C:\Program Files (x86)\Pro PC Cleaner\Splash.exe <==== ATTENTION
Task: {5E205929-AD26-40CD-A0DE-1020F9F37392} - \Installer_geforce No Task File <==== ATTENTION
Task: {7DBB276C-7F41-4F8B-BF95-F08CF3D99040} - \SPDriver No Task File <==== ATTENTION
Task: {8E57A523-75A7-45EE-AAEE-0CA03AFEAFF5} - \SMupdate1 No Task File <==== ATTENTION
Task: {B2A57330-32F6-488B-A9B7-0D244DED84C0} - \ShopperProJSUpd No Task File <==== ATTENTION
Task: {EC7B346C-3B70-42FC-8159-6D32255C029E} - \SPBIW_UpdateTask_Time_313734373238383233332d2d5b50342a4155456c5a236c No Task File <==== ATTENTION
Task: {F707AA7C-B523-4C59-9B6F-26BC0B11FAE1} - \ShopperPro No Task File <==== ATTENTION
C:\Users\Pam\AppData\Local\Installer\Installsmk_17310\DCytdkietut_tutdk_setup.exe
C:\Program Files (x86)\Pro PC Cleaner
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S0].txt as well.
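The fixlist above targets three recurring PUP footprints that FRST surfaces in its log: a browser proxy pointed at a loopback port (the adware's local filtering proxy), "Policy restriction" keys that lock browser settings, and scheduled tasks whose executable lives in a user-writable folder or no longer exists ("No Task File"). The following Python script is an added example, not part of this thread and not part of FRST; it reads FRST-style log lines and flags those three patterns so a helper can triage a log before writing a fix. The log lines it contains are constructed for the example (hypothetical SID, GUIDs and paths); only the line layout follows FRST's format.

```python
"""Triage helper for FRST-style log lines (added example; not FRST's own code)."""
import re
from typing import Dict, Iterable, List

# FRST appends "<==== ATTENTION" markers to lines it considers suspicious; strip them before parsing.
ATTENTION = re.compile(r"\s*<=+\s*ATTENTION\s*$")
PROXY_RE = re.compile(r"^ProxyServer:\s*\[(?P<sid>S-[\d-]+)\]\s*=>\s*(?P<value>.+)$")
# Optional "CHR " prefix: FRST marks Chrome policy keys that way; IE keys carry no prefix.
POLICY_RE = re.compile(r"^(?:CHR\s+)?(?P<key>HK.+?):\s*Policy restriction$")
TASK_RE = re.compile(r"^Task:\s*\{(?P<guid>[0-9A-Fa-f-]+)\}\s*-\s*(?P<rest>.+)$")

# A proxy on one of these hosts means traffic is routed through a process on the same machine.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "[::1]"}
# Folders an unprivileged user (and so a PUP installer running as that user) can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\local", "\\appdata\\roaming", "\\temp\\", "\\users\\public")

# Constructed sample log (hypothetical SID, GUIDs and paths), laid out like FRST output.
SAMPLE_LOG = r"""
ProxyEnable: [S-1-5-21-1111111111-2222222222-3333333333-1000] => Internet Explorer proxy is enabled.
ProxyServer: [S-1-5-21-1111111111-2222222222-3333333333-1000] => http=127.0.0.1:49384;https=127.0.0.1:49384
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Task: {AAAAAAAA-0000-0000-0000-000000000001} - System32\Tasks\ExampleUpdater => C:\Users\Example\AppData\Local\Installer\setup.exe
Task: {AAAAAAAA-0000-0000-0000-000000000002} - \ExampleOrphan No Task File <==== ATTENTION
Task: {AAAAAAAA-0000-0000-0000-000000000003} - System32\Tasks\VendorUpdate => C:\Program Files (x86)\Vendor\Update\update.exe
"""


def _proxy_hosts(value: str) -> List[str]:
    """Split 'http=host:port;https=host:port' (or a bare 'host:port') into its hosts."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        endpoint = part.split("=", 1)[1] if "=" in part else part
        host = endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint
        hosts.append(host.lower())
    return hosts


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious line, in the order the lines appear."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        line = ATTENTION.sub("", raw.strip())
        if not line:
            continue

        m = PROXY_RE.match(line)
        if m:
            if any(h in LOOPBACK_HOSTS for h in _proxy_hosts(m["value"])):
                findings.append({"kind": "loopback_proxy", "sid": m["sid"], "detail": m["value"]})
            continue

        m = POLICY_RE.match(line)
        if m:
            findings.append({"kind": "policy_restriction", "detail": m["key"]})
            continue

        m = TASK_RE.match(line)
        if m:
            rest = m["rest"]
            if rest.endswith("No Task File"):
                # Registered task whose XML definition is gone: leftover of a removed PUP.
                findings.append({"kind": "orphaned_task", "detail": rest[: -len("No Task File")].strip()})
            elif "=>" in rest:
                name, target = (s.strip() for s in rest.split("=>", 1))
                if any(marker in target.lower() for marker in USER_WRITABLE_MARKERS):
                    findings.append({"kind": "task_in_user_writable_path", "detail": f"{name} -> {target}"})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind, for a one-line overview of a log."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for finding in results:
        print(f"[{finding['kind']}] {finding['detail']}")
    print(summarize(results))
```

The script only reports; it never edits the machine, which keeps the decision about what goes into fixlist.txt with the person reading the log. The vendor task in the sample is deliberately left unflagged to show that the path heuristic keys on where the executable lives, not on the task name.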

Many, many thanks – the problem seems to be resolved as well as another issue she was having with Avast thinking she was offline.

It looks like she must have installed AdwCleaner back in April because there were several existing logs from around that time – I’m not sure what, if any, troubleshooting steps she took back then, but your two steps seem to have fixed everything – I really appreciate it!

I’m attaching the two requested logs – not sure if you need them since everything seems to be working normally now.

Many thanks!

Glad to hear, there were some Lavasoft internet drivers and they do cause problems if not uninstalled properly. So I just deleted them and reset the network :slight_smile:

Any further problems before I give some tidy up and security tips?

Again – thanks so much! My friend used her computer throughout the afternoon with no reddie.net et al problems whatsoever, so I think that problem has been permanently resolved :slight_smile:

Tips ahead, please, when you’ve got the time!

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme :wink:

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Many thanks for the suggestions – her PC seems to be fine now, thanks to your assistance.

We will proceed with your additional suggestions (Delfix & Unchecky, which I think will be particularly helpful for her) over the next few days. Malwarebytes is already taken care of – she’s now purchased the premium version, which has allowed me to schedule a daily scan for her at a time when the computer will be on but she won’t be using it. Thanks for the Java info – I did notice that she’s got more than one version installed. She must have Java for her work, and once she’s verified that the proprietary program required doesn’t need an older version, I’ll be sure to follow through on that.

Again, I greatly appreciate you helping me help her – I couldn’t have done it without you!

My pleasure :slight_smile: