Codec-V Infection, Not Fully Removed?

Hello,

I recently installed a codec-v on my laptop yesterday and realized that it was something else. I searched online for solutions and found step-by-step removal instructions at http://forum.avast.com/index.php?topic=53253.0. However, I am not certain that everything has been completely fixed, because each time I open a browser it brings me to this site: http://mystart.incredibar.com/mb139?a=6PQKvPeiX1&loc=CH_NT, even though my default page is Google.

For your reference, attached are the scan results based on the instructions I found in another thread of this forum. I also used RogueKiller as the last scan performed on the device because aswMBR would not run (it says that it is not a valid Win32 application).

Thank you so much in advance for looking into my concern.

Also attach the OTL log.

Thanks for the quick reply. Here’s the OTL log.

Can’t post both attachments at the same time. Here’s the Extras log. Thank you.

no problem

Malware removers are notified and should arrive here in a few hours :wink:

You have three or four AVs on board; you need to drop that to one.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
IE - HKLM\..\SearchScopes\{0E7B197B-A3DE-4FD4-A19A-1EECF791D16F}: "URL" = http://www.baidu.com/s?tn=temp_pg&ie=utf-8&word={searchTerms}
IE - HKU\S-1-5-21-1516066185-2893481372-1064927490-500\..\URLSearchHook: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YTD Toolbar\IE\6.2\ytdToolbarIE.dll (Spigot, Inc.)
IE - HKU\S-1-5-21-1516066185-2893481372-1064927490-500\..\SearchScopes\{1FF7973D-AB0A-496d-82C1-4EADBBA11E7B}: "URL" = http://www.soso.com/q?sc=web&cid=th.ub&w={searchTerms}&cin=wBnYMaR8tMDFt-kB08z!!w0000c60g00&lr=&ie={inputEncoding}&unc=o400493_95
IE - HKU\S-1-5-21-1516066185-2893481372-1064927490-500\..\SearchScopes\{EF805144-2CFD-49CF-B950-2ECA1CCD2E12}: "URL" = http://www.baidu.com/baidu?tn=dealio_dg&wd={searchTerms}
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (IB Updater) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\IB Updater\Extension32.dll ()
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (YTD Toolbar) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YTD Toolbar\IE\6.2\ytdToolbarIE.dll (Spigot, Inc.)
O3 - HKLM\..\Toolbar: (YTD Toolbar) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YTD Toolbar\IE\6.2\ytdToolbarIE.dll (Spigot, Inc.)
O3 - HKU\S-1-5-21-1516066185-2893481372-1064927490-500\..\Toolbar\WebBrowser: (no name) - {65F8A3D2-4C22-4A33-9633-73167EAEEC45} - No CLSID value found.
O3 - HKU\S-1-5-21-1516066185-2893481372-1064927490-500\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-1516066185-2893481372-1064927490-500\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.
O4 - HKLM..\Run: [SearchSettings] C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe (Spigot, Inc.)
[2012-09-23 20:30:58 | 000,000,000 | ---D | C] -- C:\Program Files\IB Updater
[2012-09-23 20:27:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Codec-V
[2012-09-23 20:26:52 | 000,000,000 | ---D | C] -- C:\ProgramData\InstallMate

:Files
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlnembnfbcpjnepmfjmngjenhhajpdfd

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
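To show what the lines in that fix actually encode, here is an added example (not code from this thread or from OTL itself) that parses the O2/O3/O4 and IE lines of an OTL log and flags the patterns a responder looks for: search scopes redirected off the expected hosts, orphaned CLSIDs ("No CLSID value found"), loaded modules that report no publisher, and modules living inside directories created around the time the symptoms began. The sample lines are a subset copied from the fix above; the EXPECTED_SEARCH_HOSTS set, the Entry/Finding classes and the reason codes are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Sample input: a subset of the OTL fix lines from this thread (constructed test data).
SAMPLE = r"""
IE - HKLM\..\SearchScopes\{0E7B197B-A3DE-4FD4-A19A-1EECF791D16F}: "URL" = http://www.baidu.com/s?tn=temp_pg&ie=utf-8&word={searchTerms}
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (IB Updater) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\IB Updater\Extension32.dll ()
O3 - HKLM\..\Toolbar: (YTD Toolbar) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YTD Toolbar\IE\6.2\ytdToolbarIE.dll (Spigot, Inc.)
O4 - HKLM..\Run: [SearchSettings] C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe (Spigot, Inc.)
[2012-09-23 20:30:58 | 000,000,000 | ---D | C] -- C:\Program Files\IB Updater
[2012-09-23 20:27:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Codec-V
"""

# Search hosts accepted as legitimate defaults (an assumption for this example).
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com"}

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# One regex per OTL line type handled here.
PATTERNS = {
    "searchscope": re.compile(r'^IE - (?P<key>\S+): "URL" = (?P<target>\S+)$'),
    "urlsearchhook": re.compile(r"^IE - (?P<key>\S+URLSearchHook): (?P<clsid>" + CLSID + r") - (?P<target>.*)$"),
    "bho": re.compile(r"^O2 - BHO: \((?P<name>[^)]*)\) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$"),
    "toolbar": re.compile(r"^O3 - (?P<key>\S+): \((?P<name>[^)]*)\) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$"),
    "run": re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "fsentry": re.compile(r"^\[(?P<ts>[^|]+?) \|[^\]]*\] -- (?P<target>.*)$"),
}
# "path (publisher)" is how OTL prints a loaded module; "()" means no publisher was read.
TARGET = re.compile(r"^(?P<path>.+?) \((?P<publisher>[^)]*)\)$")


@dataclass
class Entry:
    kind: str
    raw: str
    name: str = ""
    key: str = ""
    clsid: str = ""
    path: str = ""
    ts: str = ""
    publisher: Optional[str] = None  # None: the line type carries no publisher field
    orphan: bool = False             # registry points at a CLSID with no class behind it


@dataclass
class Finding:
    kind: str
    subject: str
    reason: str


def parse_line(line: str) -> Optional[Entry]:
    """Turn one OTL line into an Entry, or None if it is not a handled line type."""
    line = line.strip()
    for kind, pat in PATTERNS.items():
        m = pat.match(line)
        if not m:
            continue
        g = m.groupdict()
        e = Entry(kind=kind, raw=line, name=g.get("name", ""), key=g.get("key", ""),
                  clsid=g.get("clsid", ""), ts=g.get("ts", ""))
        target = g["target"]
        if target.startswith("No CLSID value found"):
            e.orphan = True
        elif kind in ("searchscope", "fsentry"):
            e.path = target  # a URL or a file-system path; no publisher field on these lines
        else:
            t = TARGET.match(target)
            if t:
                e.path, e.publisher = t.group("path"), t.group("publisher")
            else:
                e.path = target
        return e
    return None


def audit(text: str) -> List[Finding]:
    """Parse a block of OTL lines and return the entries a responder should look at first."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]
    recent_dirs = [e for e in entries if e.kind == "fsentry"]
    findings: List[Finding] = []
    for e in entries:
        if e.orphan:
            findings.append(Finding(e.kind, e.clsid, "orphaned-clsid"))
            continue
        if e.kind == "searchscope":
            host = urlparse(e.path).hostname or ""
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append(Finding(e.kind, host, "unexpected-search-host"))
            continue
        if e.kind == "fsentry":
            continue
        if e.publisher == "":
            findings.append(Finding(e.kind, e.path, "no-publisher"))
        # A module inside a directory that the log shows being created is tied
        # to that creation timestamp, which is how the helper dated the Codec-V install.
        for d in recent_dirs:
            if e.path.lower().startswith(d.path.lower() + "\\"):
                findings.append(Finding(e.kind, e.path, "recent-directory"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.kind:12} {f.reason:24} {f.subject}")
```

Entries from a named publisher pass these heuristics (the Spigot toolbar and Run entry in the sample produce no finding), so the output is a triage list to read alongside the full log, not a replacement for the fix list a helper assembles by hand.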

Thank you for the reply. :slight_smile:

I have some clarifications though. Do I need to uninstall the other AVs first prior to running OTL again, or can this be done after? And next, when I launch OTL, the tick box for Include 64bit scans does not appear; what should be the step in this case?

In addition to my previous questions, I’d like to report as well that my Office applications have malfunctioned. It attempted to re-install the office package, but in the end it only said Fatal error during installation. I’m not sure if this is still part of this issue, but there might be some insights about it. Thank you. :slight_smile:

The 64bit box ticks automatically if required, so you can ignore that.

You can run OTL either before or after

When you try to run the Office application, what error do you get?

Hi,

I got this error when trying to post the OTL Run Fix results: The following error or errors occurred while posting this message:
The message exceeds the maximum allowed length (10000 characters). So, I just attached it instead.

Also here’s the message I encounter when I try to run Office:

Error 25090. Office Setup encountered a problem with the Office Source Engine, system error: -2147024894. Please open C:\Program Files\Microsoft Office\OFFICE11\1033\SETUP.CHM and look for “Office Source Engine” for the information on how to resolve this problem.

When I clicked OK, another prompt pops up that says: Fatal error during installation.

Thank you.

Hi,

I would like to add that aside from Office, almost all other applications are no longer accessible. I also noticed in the Virus Chest of Avast, there were mostly those applications that I could not use and were treated as virus Win32: Sality.

Thank you once more for looking into this.

Could you attach a screenshot of the Avast chest?

If you have Sality, that is a nasty file infector.

Sality info
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2FSality

OK, that changes the entire problem; if you had made me aware of that earlier we could have stopped it.

The following programme may need to be run several times, and no guarantee can be given.

Download Sality Killer zip to your desktop and extract SalityKiller.exe

Run the utility SalityKiller.exe on the infected computer.
A reboot might be required after disinfection.

Download the file Sality_RegKeys.zip.
Unpack the file Sality_RegKeys.zip.
Run the file Disable_autorun.reg from the archive Sality_RegKeys.zip.

Once the scan is over, from the archive Sality_RegKeys.zip run the file of the registry key:

under Windows 2000 run the registry file SafeBootWin200.reg
under Windows XP run the registry file SafeBootWinXP.reg
under Windows 2003 run the registry file SafeBootWinServer2003.reg
under Windows Vista / 2008 run the registry file SafebootVista.reg
under Windows 7 / 2008 R2 run the registry file SafebootWin7.reg

I apologize for mentioning it late. I didn’t notice that the other files were not working until the time that led me to my last post. :frowning:

Anyway, I am doing the scan now. And will give update about the results.

Thank you.

As I say, you will need to run the initial programme as many times as necessary until it comes up clean.

I ran the initial program several times. In the succeeding attempts, no more indications of Win32 Sality were found. However, when I check the Virus Chest of Avast, they are still there. Also, when I try to run the programs, Avast would still block them. What should I do from this point? Thank you.

Hi,

Here is a screenshot of the Avast Virus Chest after the Sality killer was run several times. The results indicated that there are no more infections as of the last 2 runs.

Thank you.

You have two options really: first, restore the files and run Sality Killer again. But the preferred option would be to empty the chest and reinstall the necessary programmes.

Now we need to repair/replace any Windows files.

Open an elevated command prompt:

Go Start > All Programs > Accessories.
Right click the command prompt and select Run as Administrator.
In the black box type the following:

sfc /scannow

Once that has completed

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Hi,

Before I proceed, I just want to be sure I got this right: "But the preferred option would be to empty the chest and reinstall the necessary programmes

Now we need to repair/replace any Windows files"

  1. Does “empty the chest” mean to choose Delete as the action?
  2. Does “reinstall the necessary programmes” involve uninstalling the actual programs? or
  3. Is “repair/replace any windows file” the answer to question #2?

Thank you so much. :slight_smile:

Does "empty the chest" mean to choose Delete as the action?
Yes, to be totally sure.
Does "reinstall the necessary programmes" involve uninstalling the actual programs? or
Most malfunctioning programmes will install over the top.
Is "repair/replace any windows file" the answer to question #2?
No, this is where we use Windows to check its own files and ensure that they are not corrupt or damaged.