Can't open chrome, blocked by avast

I wanted to install cyanogenmod on my HTC one S, but I accidentally installed a virus instead.
I downloaded a “driver” from this link: hxxp://d-h.st/23V (filename: HTC_drivers_Win7_x64.zip).
After a while, my browser started displaying weird ads. At first I deleted just the extensions. But when I rebooted my pc, the ads were back. Then someone advised me to install malwarebytes anti-malware, and that found some files that were malicious, which it deleted. But the next time I rebooted my laptop, the ads were back. Then I proceeded to install avast, and did a scan, and I checked all options.

  • All hard disks
  • Rootkits
  • In memory loaded autostart programs and modules (in Dutch: In het geheugen geladen autostartprogramma’s en -modules)

And I did a start up scan (or boot scan?). Which found a few files that were improperly zipped in Mathematica or something.
But I don’t know what to do next, so here I am, asking for help. I did this: https://forum.avast.com/index.php?topic=53253.0
I hope you can help me :slight_smile:

Hi JoostBesseling, welcome to the forum :slight_smile:

Can you please disable the malware link in your post by replacing http with hxxp, so that nobody can download it by accident?

As soon as one of the specialists is online and available, he will help you.

Greetz, Red.

P.S. I am Dutch too :slight_smile:

Hello JoostBesseling,

The VirusTotal scan of the zip file comes back completely clean, but there may be a bundled or embedded PUP, or a PUP detection for the file itself.
Does avast also detect/alert without PUP detection enabled? Then you should already be a good deal reassured.
PUPs are potentially unwanted programs, particularly when they end up on the machine without the user wanting them. That is not the case here, I think.
I would first have the attached files analysed by a qualified malware removal specialist here to really be able to confirm this. But for now I am betting on a PUP detection or a possibly harmless file, in which case this is a false positive detection.

Computer safe with Avast!

Oh yes, making the link non-clickable is done via hxtp//link etc.

polonus

Could you let me know how the computer is after this

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO-x32: No Name -> {21bd171f-c25c-4df2-ba88-37ae6ab2037f} -> No File
2015-02-01 00:21 - 2015-02-01 00:21 - 00000000 ____D () C:\ProgramData\12599465192821368914
2015-02-01 00:21 - 2015-02-01 00:21 - 00000000 ____D () C:\Program Files (x86)\unisaeles
2015-02-01 00:20 - 2015-02-01 00:20 - 00000000 ____D () C:\ProgramData\neokkcfafhpeoahjgigafnchdjjifomm
2015-02-01 00:19 - 2015-02-04 00:18 - 00000000 ____D () C:\ProgramData\{84343089-06d7-37d9-8434-4308906dc224}
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Hi essexboy,

Thank you for your expert support in this thread.
Was this something that came bundled?

polonus

Here are the log files!

Does chrome now open?

Yes, and there are no more ads! Is it fixed now? Thank you :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
Click the very large Download button.
Click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme :wink:

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Thanks for your help! I did what you said. But today malwarebytes found a new threat, I think it was called quarantine.exe (or quarantaine.exe). I clicked on the “take action” button in malwarebytes, so my computer restarted. So… Is this bad? Should I redo everything you said?

May you please post the new MBAM log?

Logs:
the scan called after I made after my computer was restarted.
scantoday was executed today, when I launched my computer. Then I left my computer for about 3 hours, and I found it with the alert message on my screen.

Joost,

We need the MBAM log from the scan that removed the threat :slight_smile:

Greetz, Red.

Yeah, I thought that. But these are all scans that show up in the History tab, from today and yesterday. I couldn’t see anything, so I thought I just didn’t understand. These are all the scans from today and yesterday. But look at the attached picture. There is something there right?

They are all temporary files and as such have had no effect on your computer

Okay, thank you. I was worrying something was wrong again! Thanks again for your help :slight_smile: