Fix for IuriBhering

Please run this fix from safe mode, then allow it to reboot to normal Windows.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://brasil-pesquisa.pw/r.asp#
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://brasil-pesquisa.pw/r.asp#
O2 - BHO: (no name) - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - No CLSID value found.
O2 - BHO: (no name) - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - No CLSID value found.
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [aee] C:\Users\Iuri\AppData\Roaming\b8\aee.js ()
O4 - Startup: C:\Users\Iuri\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f3a.js ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWindowsUpdate = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NofolderOptions = 1
O1364bit: - DefaultPrefix: http://brasil-pesquisa.pw/r.asp#
O1364bit: - www Prefix: http://brasil-pesquisa.pw/r.asp#
[2013/06/12 01:21:45 | 000,000,000 | ---D | C] -- C:\Users\Iuri\AppData\Roaming\WebCake
[2013/06/12 01:21:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WebCake
[2013/06/12 01:21:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Tarma Installer
[2013/06/12 00:33:43 | 000,000,000 | -HSD | C] -- C:\Users\Iuri\AppData\Roaming\b8
[2013/06/12 00:33:43 | 000,000,000 | -HSD | C] -- C:\Program Files\a7f
[2013/06/03 19:54:15 | 000,000,000 | -HSD | C] -- C:\b99
[2013/06/19 18:04:41 | 000,047,667 | ---- | M] () -- C:\Users\Iuri\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f3a.js
[2013/06/19 18:04:41 | 000,047,667 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\f3a.js
@Alternate Data Stream - 152 bytes -> C:\Users\Iuri\Documents\Casa - Registro03.jpeg:3or4kl4x13tuuug3Byamue2s4b
@Alternate Data Stream - 152 bytes -> C:\Users\Iuri\Documents\Casa - Registro02.jpeg:3or4kl4x13tuuug3Byamue2s4b
@Alternate Data Stream - 152 bytes -> C:\Users\Iuri\Documents\Casa - IPTU01.jpeg.jpeg:3or4kl4x13tuuug3Byamue2s4b
@Alternate Data Stream - 152 bytes -> C:\Users\Iuri\Documents\Casa - Autorização01.jpeg.jpeg:3or4kl4x13tuuug3Byamue2s4b

:Files
C:\Users\Iuri\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\*.js

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
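
The entries in the fix above fall into a few persistence categories: autostart scripts, orphaned registry entries, Explorer policy lockouts, hidden system folders and alternate data streams. The following added example, which is not part of the original post or of OTL, sorts a copy of those lines into such categories; the category labels and the `triage` function are this example's own assumptions.

```python
import re

# Lines copied from the OTL fix in the post above (sample input for this example).
SAMPLE = r"""
O2 - BHO: (no name) - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - No CLSID value found.
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [aee] C:\Users\Iuri\AppData\Roaming\b8\aee.js ()
O4 - Startup: C:\Users\Iuri\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f3a.js ()
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NofolderOptions = 1
[2013/06/12 00:33:43 | 000,000,000 | -HSD | C] -- C:\Users\Iuri\AppData\Roaming\b8
[2013/06/12 01:21:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WebCake
@Alternate Data Stream - 152 bytes -> C:\Users\Iuri\Documents\Casa - Registro03.jpeg:3or4kl4x13tuuug3Byamue2s4b
""".strip().splitlines()

# Script types that Windows Script Host will execute when launched at logon.
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
# "[date time | size | attributes | C or M] -- path" file/folder entries.
FILE_ENTRY = re.compile(
    r"^\[[^|\]]+\|[^|]+\|\s*(?P<attr>[-A-Z]{4})\s*\|\s*[CM]\]\s*--\s*(?P<path>.+)$")

def triage(lines):
    """Return (category, line) pairs; the categories are this example's own labels."""
    findings = []
    for line in lines:
        line = line.strip()
        m = FILE_ENTRY.match(line)
        if line.startswith("O4 - ") and SCRIPT_EXT.search(line):
            findings.append(("script-autostart", line))    # script run at logon
        elif line.startswith("O4 - ") and line.endswith("File not found"):
            findings.append(("orphan-autostart", line))    # Run value, target gone
        elif line.startswith("O2 - ") and "No CLSID value found" in line:
            findings.append(("orphan-bho", line))          # BHO with no COM class
        elif line.startswith("O7 - ") and re.search(r"\bNo\w+\s*=\s*1$", line):
            findings.append(("policy-lockout", line))      # Explorer restriction set
        elif m and {"H", "S", "D"} <= set(m["attr"]):
            findings.append(("hidden-system-dir", line))   # hidden + system folder
        elif line.startswith("@Alternate Data Stream"):
            findings.append(("ads", line))                 # data attached to a file
    return findings

if __name__ == "__main__":
    for category, line in triage(SAMPLE):
        print(f"{category:18} {line}")
```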

THANK YOU!

It still tries to open a Chrome window with ‘brasil-pesquisa.pw’ on startup. I used Avast to block the page from loading. But all other, more serious symptoms have disappeared.

Could you open Chrome and remove this extension: Pesquisa do Google

Then

Please download Junkware Removal Tool to your desktop.

[*]Right-mouse click JRT.exe and select “Run as Administrator”; the tool will open and start scanning your system
[*]Please be patient as this can take a while to complete depending on your system’s specifications
[*]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[*]Post the contents of JRT.txt into your next message.

Could not locate or remove ‘Pesquisa do Google’ (Google Search). Tried reinstalling Chrome, then ran JRT. ‘Pesquisa-brasil.pw’ tried to open during the scan, and when I rebooted. Still can’t change IE’s start page, but now it is set to ‘msn.com’. Everything else is working fine.

OK, open Avast and select security > tools > browser cleanup

Start the cleanup tool

Select the affected browsers and press reset to default

Tried running it on both browsers. Bing.com is now IE’s start page. brasil-pesquisa still tries to open.

OK, let's remove the offending folder. On completion you may need to reset the home page again.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:Files
C:\Users\Iuri\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Oddly patriotic piece of crap refuses to die. I think it is transmitted by pen drive, and that mine is infected. Is there a way to format the pen drive without the virus getting into the PC again?

Yep, let's give this a whirl

Download McShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan

Then get the log, which will be here:

Start > all programs > MCShield > logs > all scans

And post that

McShield scanned the drive, but didn’t find anything. Avast detected and deleted an autorun.inf trojan. I think it’s clean now. Only thing left is the site trying to open on startup.

If it is only in Chrome then probably the quickest option would be to do a full uninstall and then a fresh install. Chrome has a lot of hiding places.

https://support.google.com/chrome/answer/111899

Tried reinstalling Chrome. Site keeps showing up.

Does it open to that page in Chrome?

Could you run a quick OTL scan please?

Yes, it’s always on Chrome. But I also can’t change the IE home page, though that is set to bing.com. I ran OTL.

Could you post the OTL extras please?

Sorry, forgot about it.

Just found this out. When I type something other than a web address on IE, it tries to search it using brasil-pesquisa.pw.

I’m using IE 10 and, in theory, the default search engine is set to Google.

OK, this appears to be Brazilian-specific, so I am having to do some translation, which is slowing me down a bit.

Please download Shortcut Cleaner to your desktop
Then run.

https://dl.dropbox.com/u/73555776/sc%20cleaner.JPG

When the Shortcut Cleaner has finished scanning your hard drive it will create a log file on your desktop called sc-cleaner.txt and then display it.
Please post that log

Done. Let me know if you need something translated.

Hi, sorry for the delay in getting back. After a lot of research I am unable to find a single solution as to where it is running from. Could you delete your Chrome/IE icons from the desktop and the taskbar and let me know if that cures it?