"avast! Web Shield has blocked a harmful webpage or file" [LOGS ATTACHED]

Could I have a fresh FRST scan please? Download a new copy, as it has been updated.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Done!

Today there is a new alert in addition to the one mentioned yesterday, which is still coming. A screenshot is attached as well.

Looks like a new variant hiding somewhere different.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

FF NetworkProxy: "autoconfig_url", "data:text/javascript,function%20FindProxyForURL(url%2C%20host)%20%7Bif%20(url.indexOf('discoverymedia.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fdsc.discovery.com%2F*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fsongza.com*')%20%7C%7C%20host%20%3D%3D%20's.hulu.com'%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fgrooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fretro.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fhtml5.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Flisten.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fpiki.fm*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fpiki.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.rdio.com*')%20%7C%7C%20(url.indexOf('proxmate%3Dactive')%20!%3D%20-1%20%26%26%20url.indexOf('amazonaws.com')%20%3D%3D%20-1)%20%7C%7C%20(url.indexOf('proxmate%3Dus')%20!%3D%20-1)%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fwww.daisuki.net*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.crunchyroll.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.last.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fext.last.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.mtv.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fmedia.mtvnservices.com*')%20%7C%7C%20host%20%3D%3D%20'www.pandora.com'%20%7C%7C%20url.indexOf('vevo.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.iheart.com*')%20%7C%7C%20url.indexOf('southparkstudios.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.funimation.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fsecure.funimation.com*'))%20%7B%20return%20'PROXY%20ab-us04.personalitycores.com%3A8000%3B%20PROXY%20ab-us03.personalitycores.com%3A8000%3B%20PROXY%20ab-us01.personalitycores.com%3A8000%3B%20PROXY%20ab-us05.personalitycores.com%3A8000%3B%20PROXY%20ab-us10.personalitycores.com%3A8000%3B%20PROXY%20ab-us02.personalitycores.com%3A8000%3B%20PROXY%20ab-us07.personalitycores.com%3A8000%3B%20PROXY%20ab-us09.personalitycores.com%3A8000%3B%20PROXY%20ab-us06.personalitycores.com%3A8000'%3B%7D%20%20else%20%7B%20return%20'DIRECT'%3B%20%7D%7D"
FF NetworkProxy: "type", 2
2014-12-12 23:56 - 2014-12-12 23:56 - 00000000 ____D () C:\Users\NovaWill\AppData\Roaming\OpenCandy
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download Process Explorer to your desktop from here: http://technet.microsoft.com/en-gb/sysinternals/bb896653.aspx
Open Process Explorer and from the menu bar select View > Lower Pane
Select Explorer.exe
A lower window will open
Then on the menu bar go to File > Save as…
Then select the desktop and click Save
On the desktop there will then be a text file called explorer; please attach that
You may need to edit the file name from explorer.exe.txt to explorer.txt to allow it to be attached
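The two FF NetworkProxy lines in the fixlist above are the security-relevant finding: Firefox was set to proxy type 2 (use a PAC URL), and the PAC script itself was carried inline in a data: URL, so every request matching the listed streaming sites was silently routed through ab-usNN.personalitycores.com:8000. The following is an added example, not part of the forum thread and not FRST or avast! code, showing how to recover and read such a configuration offline: it parses a constructed prefs.js fragment (Firefox's real `user_pref("name", value);` format, with the PAC body abbreviated to a few of the sites FRST reported), percent-decodes the data: URL and lists the proxy endpoints and the targets the script matches. The sample prefs content and the function names are the example's own.

```python
"""Decode a Firefox proxy auto-config (PAC) that was pushed via a data: URL.

Added example for this thread, not FRST or avast! code. It works on a
constructed prefs.js fragment modelled on the two FF NetworkProxy entries
FRST reported, with the PAC body cut down to three of the matched sites.
"""
import base64
import re
from urllib.parse import unquote

# Constructed prefs.js fragment (sample data, not a real profile dump).
PREFS_JS = r'''
user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "data:text/javascript,function%20FindProxyForURL(url%2C%20host)%20%7Bif%20(url.indexOf('discoverymedia.com')%20!%3D%20-1%20%7C%7C%20host%20%3D%3D%20's.hulu.com'%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fplay.spotify.com*'))%20%7B%20return%20'PROXY%20ab-us04.personalitycores.com%3A8000%3B%20PROXY%20ab-us03.personalitycores.com%3A8000'%3B%7D%20%20else%20%7B%20return%20'DIRECT'%3B%20%7D%7D");
'''

# One user_pref(...) call per line; the value may itself contain parentheses,
# so anchor on the closing ");" at end of line rather than the first ")".
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.M)


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line in a prefs.js string."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw.isdigit():
            prefs[name] = int(raw)
        else:
            prefs[name] = raw          # true/false or anything else, left as text
    return prefs


def pac_from_data_url(url):
    """Return the PAC JavaScript carried in a data: URL, or None for other URLs."""
    if not url.lower().startswith("data:"):
        return None
    header, _, payload = url[5:].partition(",")
    if ";base64" in header.lower():
        return base64.b64decode(payload).decode("utf-8", "replace")
    return unquote(payload)       # percent-encoded form, as in the FRST finding


def analyse_pac(script):
    """Pull proxy endpoints and matched targets out of a PAC body.

    Regex-based on purpose: the script is attacker-controlled JavaScript and
    must not be executed to find out where it sends traffic.
    """
    proxies = set()
    for ret in re.findall(r"return\s*'([^']*)'", script):
        for entry in ret.split(";"):
            entry = entry.strip()
            if entry.upper().startswith("PROXY "):
                proxies.add(entry.split(None, 1)[1])
    targets = set()
    # indexOf() operands are URL substrings (a host, or a query marker such as
    # 'proxmate=active' in the full script), so they are reported verbatim.
    targets.update(re.findall(r"indexOf\('([^']+)'\)", script))
    targets.update(re.findall(r"host\s*==\s*'([^']+)'", script))
    for pattern in re.findall(r"shExpMatch\(url,\s*'([^']+)'\)", script):
        m = re.match(r"https?://([^/*]+)", pattern)
        if m:
            targets.add(m.group(1))
    return sorted(proxies), sorted(targets)


def audit_firefox_proxy(prefs_text):
    """Summarise the proxy settings found in a prefs.js string.

    network.proxy.type 2 means 'automatic proxy configuration URL'; a PAC
    embedded inline in a data: URL leaves no file on disk to inspect, which
    is why it had to be reported from the preference itself.
    """
    prefs = parse_prefs(prefs_text)
    script = pac_from_data_url(prefs.get("network.proxy.autoconfig_url", ""))
    report = {
        "proxy_type": prefs.get("network.proxy.type"),
        "pac_is_inline": script is not None,
        "proxies": [],
        "matched_targets": [],
    }
    if script:
        report["proxies"], report["matched_targets"] = analyse_pac(script)
    return report


if __name__ == "__main__":
    r = audit_firefox_proxy(PREFS_JS)
    print("network.proxy.type =", r["proxy_type"])
    print("PAC carried inline in data: URL:", r["pac_is_inline"])
    for p in r["proxies"]:
        print("  proxy:", p)
    for t in r["matched_targets"]:
        print("  routed target:", t)
```

On a live machine the same parser can be pointed at the profile's prefs.js (under the Firefox profile folder), which is what FRST's FF NetworkProxy lines summarise; after a fix, re-running it should report proxy type absent or 0 and no inline PAC.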

After carrying out your instructions, so far only the alert I mentioned on December 11th has been appearing.

Could you run a fresh FRST scan please, and this time place a tick in the shortcut.txt box as well?

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

Here you go, please have a look through them.

Oh and there are still the two alerts, namely the ones with object stated as “46.161.41.220”, and also “darkblue-new.com”.

Could you temporarily uninstall the following two programmes:

UTorrent
Daemon Tools

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Save the attached fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

Yup, uninstalled the programmes and applied the Fixlist.

Hmm wow, the alerts seem to have stopped, and it’s been about 30 minutes!

It may have been a seed within Utorrent or part of the updater in daemon tools. If you wish to reinstall them to see if it returns

No wait, it just came back. This time with a different URL, screenshot attached. :cry:

Edit: This is still with Utorrent and Daemon uninstalled, by the way.

OK, let's try a deeper analysis. You will need to upload the zip file to a file sharing site for me to collect.

Download AVZ tool from here to your desktop
Unzip all files to a folder on your desktop
Open the folder and double click the AVZ icon
https://dl.dropboxusercontent.com/u/73555776/avz.JPG

When the tool opens select “File” > “Standards scripts”

https://dl.dropboxusercontent.com/u/73555776/avz1.jpg

Place a tick in :

7. Database update and system analysis

Then press “Execute selected scripts”

https://dl.dropboxusercontent.com/u/73555776/avz2.JPG

There will be several warnings; OK them all, and the system will reboot on completion of the analysis.

After the reboot look in the folder AVZ4 on your desktop
Open the LOG folder
Attach KL_syscure.zip to your next post

https://dl.dropboxusercontent.com/u/73555776/vz3.JPG

OK!

The zip file is here: http://1drv.ms/1DGStML

FIX

Open AVZ as before
Click “File” > “Custom scripts”

https://dl.dropboxusercontent.com/u/73555776/avzfix1.png

A dialogue will open.
Copy and paste the following script into the marked space, then press Run.

https://dl.dropboxusercontent.com/u/73555776/avzfix2.JPG

Script for insertion:

begin
  RegKeyIntParamWrite('HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Control\Remote Assistance','fAllowToGetHelp', 0);
  SetServiceStart('SSDPSRV', 4);
  SetServiceStart('TermService', 4);
  SetAVZGuardStatus(True);
  DeleteService('X6va014');
  SetServiceStart('X6va014', 4);
  SetServiceStart('SBRE', 4);
  DeleteService('SBRE');
  DeleteService('catchme');
  SetServiceStart('catchme', 4);
  DeleteService('sptd');
  SetServiceStart('sptd', 4);
  DeleteFile('C:\Windows\SystemRoot\System32\Drivers\sptd.sys','32');
  DeleteFile('C:\ComboFix\catchme.sys','32');
  DeleteFile('C:\Windows\system32\drivers\SBREdrv.sys','32');
  DeleteFile('C:\Windows\SysWOW64\Drivers\X6va014','32');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Wondershare Helper Compact.exe','command');
  DeleteFile('C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe','32');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WSHelperSetup.exe','command');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DAEMON Tools Lite','command');
  DeleteFile('C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe','32');
  DeleteFile('C:\Program Files (x86)\Funshion Online\3.0.1.23\Funshion.exe','32');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Funshion','command');
  DeleteFile('C:\Program Files (x86)\PC','32');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PC Remote Server','command');
  DeleteFile('C:\Program Files (x86)\SweetIM\Communicator\SweetPacksUpdateManager.exe','32');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Sweetpacks Communicator','command');
  DeleteFile('C:\Program Files (x86)\SweetIM\Messenger\SweetIM.exe','32');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SweetIM','command');
  DeleteFile('C:\Users\NovaWill\AppData\Roaming\Search Protection\SP.EXE','32');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Search Protection','command');
  DeleteFile('C:\Users\NovaWill\AppData\Roaming\Search Protection\SearchProtection.EXE','32');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SearchProtection','command');
  DeleteFile('C:\Users\NovaWill\AppData\Roaming\uTorrent\uTorrent.exe','32');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\uTorrent','command');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RGSC','command');
  DeleteFile('Club\RGSCLauncher.exe','32');
  DeleteFile('Remote\PCRemote.exe','32');
  ExecuteSysClean;
end.

Ensure that you copy from begin to end

Then reboot and let me know if the alerts have ceased

Sorry for the late reply, was about to let you know the custom script didn’t work out when Avast alerted me to a presence of a Win32 rootkit, which it asked to delete. I allowed it, and then Avast needed to restart the computer for a boot-time scan, which I allowed as well.

Here’s where it went wrong: on restart my hard disk was wiped blank. I even had to reinstall my OS, as there was literally nothing left.

So currently I’m just carrying out data recovery, and hopefully the malware infection doesn’t have a relapse!

Hmm, that is intriguing, as to wipe the disc you should have received a plethora of alerts. Did Avast say what it found?

There was this one alert saying it had found a Win32 rootkit and asked to delete and restart, I don’t remember the rest of the info. When it restarted, the boot-time scan didn’t begin at all, there was just nothing left.

Well, I guess that’s that. Any tips for data recovery so that I don’t somehow carve out that same malware infection again? :smiley:

There was a piece of malware about two years ago that stripped any reference to itself down to just C: but that was very short lived and I have not seen it since…

My recommendation would be to use an imaging programme to backup the drive on a monthly basis http://www.geekstogo.com/forum/topic/345434-macrium-reflect-imaging-tool/

To recover data:

File Recovery Software

File Recovery Software may be able to recover the original file deleted by the infection. Please bear in mind, the more you use the machine after the files are encrypted, the harder it will be for the recovery software to recover your files.

R-Studio
Photorec
Recuva

OK! Thank you very much for your help! I’ve seen you helping out around these forums and I must say, doing God’s work my friend.