Hello and HELP!

Hi! I’m very, very new here and new to posting to forums like this. But I’m a bit at a loss on what I should do about my current problem. For the last couple of weeks my browser has had pop-ups in the right and left corners of the page, on sites that have never and would never have such pop-ups.

I used Malwarebytes and SUPERAntiSpyware to remove it all and thought it was over. But they keep coming back and now things are WAY worse. Not only do they keep coming back, I keep getting redirected to other, completely unrelated websites. Everything is running slow and sometimes I just can’t get it to work at all.

I ran Microsoft Security Essentials recently and found out that I had two Trojans; it removed them but I’m still having issues. I tried running Avast, but to no avail. I’m not even sure what the problem is. If all of these things (run separately over the course of a couple of weeks) cannot find what the problem is, and even safe mode is experiencing similar issues, then it’s all just way over my head.

Any and all help would be greatly appreciated! I can provide answers to anything anyone would need to know, in order to help me.

Hi and welcome to the Forum

Let’s ask Essexboy, our Malware Expert, to have a look inside.
Please follow this guide and attach (not copy and paste) the requested logs. http://forum.avast.com/index.php?topic=53253.0
AdwCleaner
Malwarebytes
OTL
aswMBR

Please be patient because of the time zone difference. A response will come tomorrow :wink: :slight_smile:

Thank you so very much for the fast reply! I’ve tried to do as you have suggested, but it won’t let me run aswMBR or even open up some websites. I’ll post the logs I have so far, but I might have to do it one at a time. So, here we go.

Here’s the next one.

The next one is the extra file for the OTL. But the forum won’t let me post the main log. It says it’s too big for the attachment size. The attachment limit is 200 KB, and it’s a 240 KB file.

Did you save it as ANSI? If it is still too big, use a file share site like http://www.mediafire.com/ and post the download link here.

You may try to run aswMBR in safe mode.

I tried running aswMBR in safe mode but it still wouldn’t run. I’m going to upload the OTL log if I can get it saved as ANSI. Right now it’s a text document.

I’m going to upload the OTL log if I can get it saved as ANSI. Right now it’s a text document.
ANSI is also .txt ... see Essexboy’s guide for how to do it.

I just got it to work and was heading here to post it when I saw your reply back. Thank you for the help. :slight_smile:

OK, most of the removal experts are on European time... so they are in bed now; check back tomorrow :wink:

Will do! Thanks again!

Hi, are you missing any files/folders/menus?

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, the SmartScreen Filter will need to be disabled.

[*]Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*]Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

https://dl.dropbox.com/u/73555776/RKDelete.GIF

[*]The report has been created on the desktop.

[*]Next click on the ShortcutsFix

https://dl.dropbox.com/u/73555776/RKFixShortcuts.GIF

[*]The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

THEN

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
IE - HKU\S-1-5-21-93264391-2691908379-2114281164-1000\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No CLSID value found
IE - HKU\S-1-5-21-93264391-2691908379-2114281164-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = %3clocal%3e:80
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-93264391-2691908379-2114281164-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-93264391-2691908379-2114281164-1000\..\Toolbar\WebBrowser: (no name) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No CLSID value found.
O4 - HKU\S-1-5-21-93264391-2691908379-2114281164-1000..\Run: [SPMTray] "C:\Program Files (x86)\PC Speed Maximizer\SPMTray.exe" File not found
[2012/09/18 16:36:07 | 000,000,000 | ---D | C] -- C:\Users\The Pharmacist\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Recovery
[2012/09/18 16:36:09 | 000,000,136 | ---- | C] () -- C:\ProgramData\-ruWXPTPZImp0ILr
[2012/09/18 16:36:08 | 000,000,136 | ---- | C] () -- C:\ProgramData\-ruWXPTPZImp0IL
[2012/09/18 16:36:04 | 000,000,368 | ---- | C] () -- C:\ProgramData\ruWXPTPZImp0IL

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

FINALLY

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” ComboFix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

I am missing some little shortcuts that used to sit on my task bar on the left hand side of my screen, right next to my start menu. Things like Firefox. Other than that, I seem to be fine. I did have a virus that was hiding some files, but I seemingly got rid of that problem and was just left with what I have now.

After I have done as was suggested in your post, I do seem to be able to visit sites that were difficult to access or just completely unresponsive for me. Right now it’s still running a tad slower than it should, but I can at least make it to the site in less than 2-5 minutes. It still takes about 15-30 seconds though, when it normally loaded in at least 5 seconds. But that’s all I’ve noticed so far.

Here are the requested log files. Thank you very much for taking the time to help me. First up is the RogueKiller file, then the OTL file, and finally the ComboFix log.

OK, there will be at least another two runs to kill this, as there is an MBR infection as well.

To be on the safe side I will run just one at a time.

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Double-click on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

[*]Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

I just downloaded the program and I’m having the same problems as I did with aswMBR. It acts like I’m opening it up, but then nothing else happens. I tried opening it up in safe mode, but it did absolutely nothing in that as well.

Also, I’m noticing that my Avast program is blocking a lot of harmful sites, even when I’m just starting up the PC and haven’t got a browser open. Also, I don’t know if it helps at all, but when I try to shut down my PC, it tells me it’s waiting on a program to shut off. But, unlike every other program that it’s ever had to wait on, it doesn’t tell me what this program is that it’s waiting on.

And I hadn’t mentioned this before, but I had forgotten about it. If I leave my PC idle while it’s running something like SUPERAntiSpyware or Malwarebytes, my PC might turn itself off completely. It’s never done it while I’ve been sitting at it, and it doesn’t always do it when I leave it alone to idle.

OK, I will reverse the order of my fixes.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\services.exe.8924842A9B75BE9F
c:\windows\system32\drivers\ilcmxdxa.sys
c:\windows\system32\services.exe.0033B18275FEDB62
c:\windows\system32\services.exe.6DBFD142BA226F8D
c:\windows\system32\services.exe.C81440A147EC482D
c:\windows\system32\services.exe.C9A62BC68A76D16D
c:\windows\system32\services.exe.D070384C43052D6E
c:\windows\system32\services.exe.18CBE06FAB4A4B18
c:\windows\system32\drivers\vkwqboja.sys
c:\windows\system32\services.exe.7CC78F41CD9BDA22
c:\windows\system32\services.exe.A24116A8480A5B67
c:\windows\system32\services.exe.E6C3985694C3C40C
c:\windows\system32\services.exe.C40FF2BC95A06385
c:\windows\system32\services.exe.60EB0703A38CC965
c:\windows\system32\services.exe.9EE25D89C1A79A9F
c:\windows\system32\services.exe.F0A28DC33AF95ED7
c:\windows\system32\services.exe.86F6AFF59CC8008A
c:\windows\system32\services.exe.9D3FCDBC5A7338A9
c:\windows\system32\services.exe.15B52FAE7B414254
c:\windows\system32\services.exe.F89C6578CD369B48
c:\windows\system32\services.exe.6088442F0979929E
c:\windows\system32\services.exe.84CA2FC7AD7BCBA2
c:\windows\system32\services.exe.8A937F506CA44F54
c:\windows\system32\drivers\jcxmmwef.sys
c:\windows\system32\drivers\nccicidz.sys

Driver::
jcxmmwef
nccicidz
vpodkgqw

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript onto ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Notes:

  1. Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” ComboFix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.
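The OTL fix and the CFScript above are, in effect, hand-written indicator lists: a proxy setting pointing at the `<local>` token, toolbar entries whose CLSID no longer resolves, a Run entry for a missing file, extensionless random-named files directly under ProgramData, a series of `services.exe.<16 hex digits>` copies, and drivers with eight-letter random names. The script below is an added example, not part of this thread or of the OTL/ComboFix tools, that turns those patterns into a scanner you can run over OTL-style log lines and plain file paths. The sample lines are constructed from the ones quoted in the thread, with a few benign lines mixed in; the severity levels, the "random-looking driver" heuristic and its letter choices are assumptions made for the example.

```python
"""Flag the artifact patterns targeted by the OTL fix and the ComboFix CFScript.

Added example for this thread, not code from OTL, ComboFix or the forum.
The sample lines and the heuristics are constructed for illustration.
"""
import re
from urllib.parse import unquote

# Constructed sample input: OTL-style lines and CFScript-style paths modelled on
# those quoted in the thread, plus benign entries that must NOT be flagged.
SAMPLE_LINES = [
    r'IE - HKU\S-1-5-21-93264391-2691908379-2114281164-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = %3clocal%3e:80',
    r'O3 - HKU\S-1-5-21-93264391-2691908379-2114281164-1000\..\Toolbar\WebBrowser: (no name) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No CLSID value found.',
    r'O4 - HKU\S-1-5-21-93264391-2691908379-2114281164-1000..\Run: [SPMTray] "C:\Program Files (x86)\PC Speed Maximizer\SPMTray.exe" File not found',
    r'[2012/09/18 16:36:09 | 000,000,136 | ---- | C] () -- C:\ProgramData\-ruWXPTPZImp0ILr',
    r'[2012/09/18 16:36:07 | 000,000,000 | ---D | C] -- C:\Users\The Pharmacist\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Recovery',
    r'c:\windows\system32\services.exe.8924842A9B75BE9F',
    r'c:\windows\system32\services.exe',            # the real binary: benign
    r'c:\windows\system32\drivers\ilcmxdxa.sys',
    r'c:\windows\system32\drivers\ndis.sys',        # benign: short, well-known name
    r'c:\windows\system32\drivers\kbdclass.sys',    # benign, but trips the heuristic
]

SERVICES_SHADOW = re.compile(r'\\services\.exe\.[0-9A-F]{16}$', re.I)
RANDOM_DRIVER = re.compile(r'\\drivers\\([a-z]{8})\.sys$', re.I)
PROGRAMDATA_BLOB = re.compile(r'^[A-Za-z]:\\ProgramData\\-?[A-Za-z0-9]{10,20}$', re.I)
# OTL file line: [date time | size | attrs | C/M] () -- path   (attrs contain D for a directory)
OTL_FILE = re.compile(r'^\[(\S+ \S+) \| ([\d,]+) \| (\S{4}) \| [CM]\] (?:\(\) )?-- (.+)$')
PROXY = re.compile(r'"ProxyServer" = (\S+)$')


def looks_random(name: str) -> bool:
    """Heuristic (assumption): an 8-letter name containing one of j/k/q/x/z and a
    run of three or more consonants. Matches every driver in the CFScript, but
    also some legitimate drivers, so callers treat it as a 'review' finding only."""
    name = name.lower()
    return bool(set(name) & set('jkqxz')) and re.search(r'[^aeiou]{3}', name) is not None


def classify(line: str):
    """Return (severity, reason) for one line, or None when nothing is flagged."""
    path = line
    m = OTL_FILE.match(line)
    if m:
        _, _, attrs, path = m.groups()
        if 'D' in attrs:                  # directories are not checked by these rules
            return None
    if SERVICES_SHADOW.search(path):
        return ('high', 'services.exe copy with a 16-hex-digit suffix')
    if PROGRAMDATA_BLOB.match(path):
        return ('review', 'extensionless random-named file directly under ProgramData')
    m = RANDOM_DRIVER.search(path)
    if m and looks_random(m.group(1)):
        return ('review', f'random-looking driver name {m.group(1)}.sys')
    m = PROXY.search(line)
    if m and unquote(m.group(1)).lower().startswith('<local>'):
        return ('high', 'ProxyServer set to <local>:port (the value the OTL fix removes)')
    if line.startswith('O3 ') and 'No CLSID value found' in line:
        return ('medium', 'toolbar entry whose CLSID no longer resolves')
    if line.startswith('O4 ') and line.rstrip().endswith('File not found'):
        return ('low', 'Run entry pointing at a file that no longer exists')
    return None


def scan(lines):
    """Return [(severity, reason, line)] for every flagged line, in input order."""
    findings = []
    for line in lines:
        hit = classify(line)
        if hit:
            findings.append((hit[0], hit[1], line))
    return findings


if __name__ == '__main__':
    for sev, reason, line in scan(SAMPLE_LINES):
        print(f'[{sev:6}] {reason}\n         {line}')
```

Run against the sample, seven of the ten lines are flagged; `services.exe` itself and `ndis.sys` are not, and `kbdclass.sys` is reported at 'review' severity, which is the point of keeping the random-name rule separate from the definitional ones: a name heuristic tells you what to look at, not what to delete. Deletion lists like the CFScript above are still built by a person after reading the log.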

OK, here is the new log file. And I’m noticing that some sites are once again becoming difficult to visit. I had looked around to see if any of the problems were still there.

Update: Firefox just crashed on me and then Windows did shortly after. I got a blue screen telling me that it had encountered a serious problem and had to shut down.

Could you now retry TDSSKiller, please? Download a fresh copy but rename it to winlogon... If it fails I will need a look at the MBR.

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, the SmartScreen Filter will need to be disabled.

[*]Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*]Wait for the end of the scan.
[*] The report has been created on the desktop.

OK, I ran the program again and it says it found two more files on my PC. I didn’t delete them or anything yet; I only got the file and am posting it in this reply.