Bad Infection

Hi,

Started off with lots of messages from Avast saying that a threat had been detected, even when no browser was open. Did a scan, didn’t change anything. Updated Malwarebytes, did a scan, cleaned up a whole bunch of things, still didn’t stop. Checked some forums, ran AdwCleaner and then Junkware Removal Tool. Still didn’t fix it. Did a system restore to a week ago and when it restarted it said the restore had failed. Avast wasn’t working (started after about 5 minutes) and when I tried to re-update Malwarebytes I got an error. Tried downloading Malwarebytes again and the download wouldn’t work. Started it in safe mode, then realised that going straight for Malwarebytes might not be the best option. Checked the forums, came back into normal mode to do the Farbar scan and the icons down the bottom are still like they are in Safe Mode.

Pretty sure that’s everything I did in order. Also pretty sure it all started from my bf’s phone when he plugged it in to download some music onto the laptop.

Have attached the FRST logs.

Appreciate your help.

Helen

Do you have the Malwarebytes log, so that we can see what was detected/removed?

Removal team is notified

Could you attach a screenshot of the Avast alert please

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

Startup: C:\Users\Helen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rhlgurysmfppydqrhya.lnk
ShortcutTarget: rhlgurysmfppydqrhya.lnk -> C:\Users\Helen\AppData\Local\Temp\ayhrqdyppfmsyruglhr.bfg (No File)
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://websearch.searchannel.info/?pid=686&r=2013/07/12&hid=186262777&lg=EN&cc=AU&unqvl=24
URLSearchHook: HKLM-x32 - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
URLSearchHook: HKCU - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
SearchScopes: HKLM - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=461&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=9576432719124120&q={searchTerms}
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2102} URL = http://dts.search-results.com/sr?src=ieb&appid=100&systemid=102&sr=0&q={searchTerms}
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=461&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=9576432719124120&q={searchTerms}
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2102} URL = http://dts.search-results.com/sr?src=ieb&appid=100&systemid=102&sr=0&q={searchTerms}
SearchScopes: HKLM-x32 - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=461&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=9576432719124120&q={searchTerms}
SearchScopes: HKLM-x32 - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.searchannel.info/?l=1&q={searchTerms}&pid=686&r=2013/07/12&hid=186262777&lg=EN&cc=AU&unqvl=24
SearchScopes: HKCU - DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=461&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=9576432719124120&q={searchTerms}
SearchScopes: HKCU - {49606DC7-976D-4030-A74E-9FB5C842FA68} URL =
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2102} URL = http://dts.search-results.com/sr?src=ieb&appid=100&systemid=102&sr=0&q={searchTerms}
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=461&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=9576432719124120&q={searchTerms}
SearchScopes: HKCU - {BB74DE59-BC4C-4172-9AC4-73315F71CFFE} URL = http://websearch.searchannel.info/?l=1&q={searchTerms}&pid=686&r=2013/07/12&hid=186262777&lg=EN&cc=AU&unqvl=24
BHO-x32: No Name -> {30F9B915-B755-4826-820B-08FBA6BD249D} -> No File
BHO-x32: No Name -> {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} -> No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKLM-x32 - No Name - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
Toolbar: HKLM-x32 - No Name - {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
Toolbar: HKCU - No Name - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
Toolbar: HKCU - No Name - {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
FF SearchEngineOrder.user_pref("browser.search.order.1,S", "WebSearch");: user_pref("browser.search.order.1,S", "WebSearch");
FF Extension: SaveSense - C:\Users\Helen\AppData\Roaming\Mozilla\Firefox\Profiles\nxr777bh.default\Extensions\{2fab2e94-d6f9-42de-8839-3510cef6424b} [2014-08-04]
2014-08-04 14:31 - 2014-08-04 14:31 - 00000000 ____D () C:\ProgramData\Reimage Protector
2014-08-04 14:31 - 2014-08-04 14:31 - 00000000 ____D () C:\Program Files\Reimage
2014-08-04 14:29 - 2014-08-04 15:12 - 00000000 ____D () C:\rei
2014-08-04 14:27 - 2014-08-04 15:12 - 00000000 ____D () C:\Users\Helen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SaveSense
2014-08-04 15:13 - 2013-02-17 13:42 - 00000000 ____D () C:\Users\Helen\AppData\Local\Torch
2014-08-04 15:12 - 2014-08-04 14:27 - 00000000 ____D () C:\Users\Helen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SaveSense
C:\ProgramData\rhlgurysmfppydqrhya.bat
C:\ProgramData\rhlgurysmfppydqrhya.reg
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

Thank you.
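The fixlist above removes a Startup-folder shortcut pointing at a file under %TEMP%, a hijacked IE Start Page and a set of SearchScopes entries in the HKCU, HKLM and 32-bit HKLM views. The read-only audit script below is an added example, not part of the thread or of FRST; it reports those same persistence points so a defender can check a machine before and after such a fix. The allow-list of search hosts is a constructed assumption and should be adjusted to your environment.

```powershell
# Added example (not from the thread or FRST): read-only audit of the persistence
# points the fixlist removes. Emits one object per item; it changes nothing.
$KnownGoodHosts = @('www.google.com', 'www.bing.com')   # constructed allow-list, adjust as needed

function Test-SuspiciousTarget {
    param([string]$Target)
    if ([string]::IsNullOrWhiteSpace($Target)) { return $true }   # shortcut with no target at all
    if (-not (Test-Path -LiteralPath $Target)) { return $true }   # the "(No File)" case seen in the FRST log
    $tempRoots = @($env:TEMP, "$env:LOCALAPPDATA\Temp", "$env:SystemRoot\Temp")
    foreach ($root in $tempRoots) {                               # autostart from a temp dir is a red flag
        if ($Target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Test-SuspiciousUrl {
    param([string]$Url)
    if ([string]::IsNullOrWhiteSpace($Url)) { return $false }     # empty URL value (as in one HKCU scope)
    try { $uriHost = ([uri]$Url).Host } catch { return $true }    # unparsable value deserves a look
    return ($KnownGoodHosts -notcontains $uriHost.ToLower())
}

# 1. Startup-folder shortcuts for the current user and all users
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        [pscustomobject]@{ Type = 'Startup'; Location = $_.FullName; Value = $target
                           Suspicious = Test-SuspiciousTarget $target }
    }
}

# 2. IE Start Page and SearchScopes in the three hive views the fixlist touched
$ieRoots = @('HKCU:\Software\Microsoft\Internet Explorer',
             'HKLM:\Software\Microsoft\Internet Explorer',
             'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer')
foreach ($root in $ieRoots) {
    $start = (Get-ItemProperty -Path "$root\Main" -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
    if ($start) {
        [pscustomobject]@{ Type = 'StartPage'; Location = "$root\Main"; Value = $start
                           Suspicious = Test-SuspiciousUrl $start }
    }
    Get-ChildItem -Path "$root\SearchScopes" -ErrorAction SilentlyContinue | ForEach-Object {
        $url = (Get-ItemProperty -Path $_.PSPath -Name URL -ErrorAction SilentlyContinue).URL
        [pscustomobject]@{ Type = 'SearchScope'; Location = "$root\SearchScopes\$($_.PSChildName)"; Value = $url
                           Suspicious = Test-SuspiciousUrl $url }
    }
}
```

Run it from an elevated PowerShell prompt and pipe the output to `Where-Object Suspicious | Format-Table -AutoSize` to see only the flagged entries.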

Unfortunately, I think the Malwarebytes log was destroyed with the system restore.

Avast alerts have stopped.

OK, run the fix, then let me know how the system is behaving.

The websites from the Avast warnings were hxxp://cdnrep.reimage.com/protector/ProtectorPackage2004x64.exe and hxxp://i2.superstoragemy.com/addons/agup.exe

Attached is the Adwcleaner log. The bar across the bottom still looks like it does in safe mode.

Try to reset the resolution

Open Display Settings by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, clicking Personalization, and then clicking Display Settings.

Under Resolution, move the slider to the resolution you want, and then click Apply.

Yeah, that doesn’t really change it. The text is different, as Windows is opening and closing too. Not a big deal, it just seems off.

Malwarebytes is still doing weird stuff as well. I tried to open it, came up with the same error. Tried to download it again and it wouldn’t install, since it was already installed. Tried to uninstall it, wouldn’t do it.

Download mbam-clean from here http://www.malwarebytes.org/mbam-clean.exe to your desktop and run it.
A reboot will be needed.

Then re-install Malwarebytes and let me know how it is behaving.

Downloaded and installed perfectly. Did a scan, log attached.

Any further problems?

I would recommend that you install this for next time the phone is plugged in.

Download MCShield to your desktop and install it.
It will initially run a scan and show the result as a toaster by the system clock.
Then in the control centre select scanner and tick unhide items on flash drives.

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and MCShield will start a scan.

Then get the log, which will be located under the logs tab on the main page,

and post that.

Will do.

Thank you so much for your help and for your time. You are so amazing to do this for people!

Once you are happy I will remove my rubbish and tidy up.

This just came up

What is the full path to the file? Hover over the file name and it should expand it to the Program Files folder.

I think it was just the shield you sent me to, sorry

You still have Trend Micro antivirus on the system, and that is what Avast was picking up. The Trend Micro removal tool can be found on this page: http://esupport.trendmicro.com/solution/en-us/1037161.aspx?referral=1059018