Constant WebShield popups

My nephew installed a bunch of Minecraft mods on his new laptop and it’s now riddled with malware. Had them run MalwareBytes and that seemed to get most of it. I’m here now and noticed his search was being redirected by MaxWebSearch or something like that but Adwcleaner seemed to take care of it.

Removed Security Essentials and installed Avast. Scan was clean, but now we’re getting constant WebShield pops for sites like robertsbom5DOTmeSLASHtaskSLASH4001 and MalwareBytes is blocking jubmoz788DOTme.

I had to hop on my brother’s computer to access this forum and download some of the recommended files; browsing is very slow on the infected PC and often fails, especially for security-related sites.

Tempted to restore from partition but I’m reading that may not solve the problem.

Requested scans attached. Thanks.

Screenshot:

Malware removal expert has been notified. Might be a bit before he comes on board, but likely less than 12 hours.

Please be patient. Make no further changes to the system whilst under his direction unless told otherwise.

This will take several runs to clean.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
S2 29850aa3; "C:\windows\system32\rundll32.exe" "c:\program files (x86)\so_boo~1\AssistantSvc.dll",service
2014-07-29 20:34 - 2014-07-25 20:15 - 00000000 ____D () C:\ProgramData\AxuzAfquv
2014-07-29 20:34 - 2014-06-22 17:36 - 00000000 ____D () C:\Users\Lucas\AppData\Local\23220
C:\Users\Lucas\hlcgiptd.exe
Task: {00893276-8424-4DA1-B455-2DD2B5CF7F1C} - System32\Tasks\Advanced System Protector => C:\Program Files (x86)\RegClean Pro\SystweakASP.exe <==== ATTENTION
Task: {23FCE237-0AA7-4E21-9BE1-BD2582E5C902} - System32\Tasks\RegClean Pro => C:\Program Files (x86)\RegClean Pro\RegCleanPro.exe <==== ATTENTION
Task: {29DAA423-1CEC-40CA-8625-3349B25F3C4C} - \ShopperProJSUpd No Task File <==== ATTENTION
Task: {306E8CD3-42A4-4D22-9BAE-97114F5CA4C2} - System32\Tasks\Advanced System Protector_startup => C:\Program Files (x86)\Advanced System Protector\AdvancedSystemProtector.exe <==== ATTENTION
Task: {37F61C53-12AC-40B3-B2FC-54F6A5302BA8} - System32\Tasks\PC Clean Maestro Scan => C:\Program Files (x86)\CompuClever\PC Clean Maestro\pccum.exe
Task: {3D5E2C61-120F-4FDA-A331-37CF1BE6F56C} - System32\Tasks\SuperFastPC_AutorunOnStartup => C:\Program Files (x86)\System Optimizer Pro\SystemOptimizerPro.exe <==== ATTENTION
Task: {60DFCAA3-12AA-4BBA-9CA0-F9A6FCA78F58} - \SPDriver No Task File <==== ATTENTION
Task: {66F3291A-142C-4DCE-A22E-69776027CE67} - \Mext Guard FBE8818C-5B13-48C2-A93E-AD731167DBF2 No Task File <==== ATTENTION
Task: {687E9B35-6CB0-4D26-974A-2B443A9099D3} - System32\Tasks\SPBIW_UpdateTask_Time_333132313335313936382d555b373434412d45325a5b6c => Wscript.exe //B "C:\ProgramData\ShopperPro\spbihe.js" spbiu.exe /invoke /f:check_services /l:0
Task: {6F0550D3-E83D-41E4-A0E2-6D99B1051725} - \SMupdate1 No Task File <==== ATTENTION
Task: {77DDA005-F6CA-4CFB-BB68-1BF7735B0705} - \pricemeterdownloader No Task File <==== ATTENTION
Task: {7D2F3D6E-FDBF-4A0F-83CC-E5E4C630B8BD} - System32\Tasks\SaferBrowser Update Task => C:\Program Files (x86)\SaferBrowser\uninstall.SaferBrowser.exe
Task: {985A0431-927F-42E5-8D4E-F967E92A1E13} - \pricemetertask No Task File <==== ATTENTION
Task: {985A0431-927F-42E5-8D4E-F967E92A1E13} - \pricemetertask No Task File <==== ATTENTION
Task: {B4C83D3A-D4CF-4F5E-8165-7525A444B53D} - \pricemeterwatcher No Task File <==== ATTENTION
Task: {B4C83D3A-D4CF-4F5E-8165-7525A444B53D} - \pricemeterwatcher No Task File <==== ATTENTION
AlternateDataStreams: C:\Users\Lucas\Local Settings:init
AlternateDataStreams: C:\Users\Lucas\AppData\Local:init
AlternateDataStreams: C:\Users\Lucas\AppData\Local\Application Data:init
S1 nfplhivw; \??\C:\windows\system32\drivers\nfplhivw.sys [X]
C:\Users\Lucas\AppData\Roaming\unwrapped.exe
C:\Users\Lucas\AppData\Roaming\serv\VoPackage.exe
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
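The fixlist above deletes two kinds of persistence FRST flagged: Software Restriction Policy rules aimed at anti-malware folders (the "HKLM Group Policy restriction on software" lines) and scheduled tasks whose task file or target program no longer exists ("No Task File"). As an added example, not part of this thread and not FRST's own code, the following PowerShell script reports those same two things without changing anything, so a helper can see what a fix will touch before it runs. It assumes Windows 7 or later and an elevated prompt; the two registry paths are the standard SRP and Task Scheduler cache locations.

```powershell
# Added example (not from the thread): read-only audit of SRP path rules and scheduled tasks.
# Assumes Windows 7 or later, elevated PowerShell.

# --- Software Restriction Policy path rules ---------------------------------------------
# Security level 0 = Disallowed: anything whose path matches ItemData is refused by the shell.
# Malware sometimes adds such rules for anti-malware folders so the tools cannot start.
$srpDisallowed = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
if (Test-Path $srpDisallowed) {
    Get-ChildItem $srpDisallowed | ForEach-Object {
        $rule = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{
            Rule        = $_.PSChildName
            Blocks      = $rule.ItemData
            Description = $rule.Description
        }
    } | Format-Table Rule, Blocks, Description -AutoSize
} else {
    Write-Host 'No Disallowed SRP path rules present.'
}

# --- Scheduled tasks: registry cache vs. task files vs. target binaries -------------------
$taskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$taskRoot  = Join-Path $env:windir 'System32\Tasks'

Get-ChildItem $taskCache | ForEach-Object {
    $entry = Get-ItemProperty $_.PSPath
    if (-not $entry.Path) { return }                 # GUID key without a task path
    $taskFile = Join-Path $taskRoot $entry.Path.TrimStart('\')
    $status = 'OK'
    $target = ''
    if (-not (Test-Path -LiteralPath $taskFile)) {
        # Registry entry survives but the XML under System32\Tasks is gone:
        # this is what FRST prints as "No Task File".
        $status = 'No Task File'
    } else {
        $xml = [xml](Get-Content -LiteralPath $taskFile)
        foreach ($exec in @($xml.Task.Actions.Exec)) {
            if (-not $exec) { continue }             # non-Exec (COM handler) actions
            $cmd = [Environment]::ExpandEnvironmentVariables($exec.Command).Trim('"', ' ')
            $target = $cmd
            # Bare names such as Wscript.exe resolve via PATH; only test absolute paths.
            if ([IO.Path]::IsPathRooted($cmd) -and -not (Test-Path -LiteralPath $cmd)) {
                $status = 'Target missing'
            } elseif ($status -eq 'OK' -and $exec.Arguments -match '\.(js|vbs|dll)\b') {
                # Script-host and rundll32 launches are worth a look even when the file exists.
                $status = 'Review: script/DLL action'
            }
        }
    }
    New-Object PSObject -Property @{ Task = $entry.Path; Status = $status; Target = $target }
} | Where-Object { $_.Status -ne 'OK' } | Sort-Object Status |
    Format-Table Task, Status, Target -AutoSize
```

The task report deliberately ignores tasks whose file and target both exist; on a clean machine the second table is empty and the first says no Disallowed rules are present.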

Thanks so much. Fixlog attached… ComboFix did not seem to generate a log (checked C:, did a search, etc.).

Still seeing alert pop-ups, still unable to get to Avast forums on infected PC.

OK, I will need to do this a different way.

Run FRST
In the search box type the following :

rpcss.dll

Then press search files

On completion it will generate a search.txt; please post that.

Attached.

Not sure if relevant, but I think ComboFix created a 32788R22FWJFW folder in C: (with a screen icon). If you click it you basically get the same behavior as if you had clicked Computer from the Start menu (i.e., it lists your drives).

OK, let's now replace that file.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.
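The Replace: directive above takes a clean rpcss.dll from the Windows component store (WinSxS) and puts it over the one in System32, which implies the live copy had been altered. As an added example, not from this thread and not FRST's code, this PowerShell script shows how to check that for yourself before (or after) such a fix: it hashes the live System32 file and every WinSxS copy of the same DLL and reports which, if any, match. It is read-only. Assumptions: Windows 7 or later, an elevated prompt, and that the DLL's WinSxS folder name contains "-rpcss_" as in the path quoted above (the wildcard replaces the per-build hash and version that follow it).

```powershell
# Added example (not from the thread): compare System32\rpcss.dll with its WinSxS copies.
# Read-only. Assumes Windows 7 or later, elevated PowerShell.

function Get-Sha256([string]$Path) {
    # .NET hashing so this also works on the PowerShell 2.0 shipped with Windows 7.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

$name      = 'rpcss.dll'   # file to check
$component = 'rpcss'       # token that appears in its WinSxS folder name (assumption, see lead-in)

$live     = Join-Path $env:windir "System32\$name"
$liveHash = Get-Sha256 $live
$liveVer  = (Get-Item -LiteralPath $live).VersionInfo.FileVersion
Write-Host ("Live  {0}`n      version {1}`n      sha256  {2}" -f $live, $liveVer, $liveHash)

# One component-store copy per servicing state (RTM, SP1, hotfix) installed on this machine.
$copies = Get-ChildItem (Join-Path $env:windir 'winsxs') |
    Where-Object { $_.PSIsContainer -and $_.Name -like "*-${component}_*" } |
    ForEach-Object { Join-Path $_.FullName $name } |
    Where-Object { Test-Path -LiteralPath $_ }

$sameVersionMatch = $false
foreach ($copy in $copies) {
    $ver  = (Get-Item -LiteralPath $copy).VersionInfo.FileVersion
    $hash = Get-Sha256 $copy
    $verdict = if ($hash -eq $liveHash) { 'MATCH' }
               elseif ($ver -eq $liveVer) { 'DIFFERS (same version!)' }
               else { 'differs (other build)' }
    if ($hash -eq $liveHash -and $ver -eq $liveVer) { $sameVersionMatch = $true }
    Write-Host ("{0,-24} {1}  {2}" -f $verdict, $ver, $copy)
}

if (@($copies).Count -eq 0) {
    Write-Host "No component-store copy of $name found; fall back to 'sfc /verifyonly'."
} elseif (-not $sameVersionMatch) {
    # Same version string as a stored copy but a different hash means the file was changed
    # after installation: the condition the Replace: directive above repairs.
    Write-Host "WARNING: $live does not match any stored copy of its own version."
}
```

A copy from a different build legitimately hashes differently, which is why the script only warns when no stored copy of the live file's own version matches; "sfc /verifyonly" is the built-in cross-check when the store has no copy to compare against.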

Attached.

Still can’t connect to the Avast forums (server not found error), but the WebShield pop-ups seem to have stopped.

Actually, having trouble getting pretty much anywhere other than Google… go to CNN and it appears to be stuck on the ad server lookups, then the page will load very slowly without CSS.

OK, that is the major bad boy killed. Could I now have a fresh FRST scan, and I will look at the net problem.

Thanks, attached:

What do you know about this programme?

Killer Network Manager

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

Task: {A90041E0-F7B9-484A-813C-FDF3420420E3} - \BrowserSafeguard Update Task No Task File <==== ATTENTION
Task: {EABA3A9A-05FF-4D00-A873-CD098D203673} - \ShopperPro No Task File <==== ATTENTION
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

Attached.

Killer Network Manager is, I guess, part of the Qualcomm Atheros Performance Suite, which appears to have been installed by the laptop manufacturer.
http://www.shouldiremoveit.com/Qualcomm-Atheros-Killer-Network-Manager-9853-program.aspx

Web performance is still the same, server not found error for the Avast forums (search Google, find forums, click link, eventual server not found error).

OK, could you re-run ComboFix please? Allow it to update if it asks.

Sure, thanks for all your help so far.

This time it generated a log:

How is the computer now?

Sorry, more or less the same. Google loads. Avast forums won’t load (server not found). Minecraft.net loads, but the embedded YouTube video generates a server not found error. Cnn.com doesn’t load (server not found error).

I assume that other computers using the same router are not experiencing problems.

Please download MiniToolBox, save it to your desktop and run it.

https://dl.dropbox.com/u/73555776/minitoolbox.JPG

Checkmark the following checkboxes:

[*]Flush DNS
[*]Report IE Proxy Settings
[*]Reset IE Proxy Settings
[*]Report FF Proxy Settings
[*]Reset FF Proxy Settings
[*]List content of Hosts
[*]List IP configuration
[*]List Winsock Entries
[*]List last 10 Event Viewer log
[*]List Installed Programs
[*]List Devices
[*]List Users, Partitions and Memory size.
[*]List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using “Reset FF Proxy Settings” option Firefox should be closed.

Correct, other devices are connected without issue.

This didn’t seem to make a difference.

(for List Devices I left Only Problems checked)

DNS request timed out. timeout was 2 seconds. Server: UnKnown Address: 76.73.6.108
This appears to be a DNS problem. Initially follow the steps here http://www.pctools.com/kb/article/protection-software-resetting-your-dns-settings-519.html and let me know if that cures it.
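The nslookup output quoted above ("Server: UnKnown", then a timeout) means the PC is querying a resolver it cannot even reverse-resolve, while other devices on the same router are fine, so the suspect is this machine's own DNS configuration rather than the network. As an added example, not from this thread, the following PowerShell script takes a read-only look at exactly the settings the linked reset steps change: for each IP-enabled adapter it shows the gateway, whether the DNS servers came from DHCP or were set statically (a static entry on a DHCP adapter is how one machine ends up on a different resolver than everything else behind the same router), and whether each resolver is a private/router address; it then lists hosts-file overrides. It assumes Windows 7 or later; the registry path is the standard per-interface TCP/IP parameters key.

```powershell
# Added example (not from the thread): read-only report of DNS configuration and hosts overrides.
# Assumes Windows 7 or later. Uses WMI so it also runs on PowerShell 2.0.

function Test-PrivateIPv4([string]$Ip) {
    # RFC 1918 and link-local ranges: what a home router would normally hand out.
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    ($o[0] -eq 10) -or
    ($o[0] -eq 192 -and $o[1] -eq 168) -or
    ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
    ($o[0] -eq 169 -and $o[1] -eq 254)
}

$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $cfg = $_
    # NameServer = statically configured resolvers; DhcpNameServer = what DHCP supplied.
    $reg = Get-ItemProperty (Join-Path $ifRoot $cfg.SettingID) -ErrorAction SilentlyContinue
    Write-Host "`n$($cfg.Description)"
    Write-Host ("  gateway         : {0}" -f (@($cfg.DefaultIPGateway) -join ', '))
    Write-Host ("  DHCP enabled    : {0}" -f $cfg.DHCPEnabled)
    Write-Host ("  DNS from DHCP   : {0}" -f $reg.DhcpNameServer)
    Write-Host ("  DNS static      : {0}" -f $reg.NameServer)
    if ($cfg.DHCPEnabled -and $reg.NameServer) {
        Write-Host '  NOTE: a static DNS entry overrides the DHCP-supplied servers on this adapter.'
    }
    foreach ($dns in @($cfg.DNSServerSearchOrder)) {
        if (-not $dns) { continue }
        $tag = 'IPv6'
        if ($dns -match '^\d+\.\d+\.\d+\.\d+$') {
            $tag = if (Test-PrivateIPv4 $dns) { 'private address (router?)' } else { 'public address' }
        }
        Write-Host ("  resolver in use : {0,-15} {1}" -f $dns, $tag)
    }
}

# hosts file: any non-comment line other than the stock localhost entries is an override.
$hosts = Join-Path $env:windir 'System32\drivers\etc\hosts'
Write-Host "`nhosts-file overrides ($hosts):"
Get-Content $hosts | Where-Object {
    $_ -match '\S' -and $_ -notmatch '^\s*#' -and
    $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
} | ForEach-Object { Write-Host "  $_" }
```

A public resolver is not wrong in itself (many people set one on purpose); what matters for a case like this one is a resolver that nobody configured deliberately, on a DHCP adapter, that differs from what the router hands to every other device.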