Help - can't remove Malware

Hi Folks,

A few days ago, I got infected with Malware/virus. I’ve done a number of scans hoping to remove it, but without much success. I’ve run Avast, Panda, Panda Cloud, and Malware Bytes. While Panda has picked up a few items, it hasn’t stopped the threat. Here is a timeline of events and interventions I’ve done thus far.

It started with a request for “Microsoft” to run a program on my computer. I tried ignoring it a number of times. But foolishly, I accepted and my problems began. Avast has been catching the threats (a number of different URLs w/ malware).

Interventions:

  1. AVAST SCAN
  2. MALWARE BYTES SCAN and cleaning (Log attached)
  3. PANDA & PANDA cloud scan
  • The next day, my computer blue-screened. So I took more drastic measures.
  1. In safe mode, ran Panda and Malware Bytes (no change)
  2. Ran Combofix (no change)

So I’m still getting the popups. Here’s what I have attached.

  1. The original MALWARE BYTES Log (subsequent logs have been blank)
  2. FRST
  3. aswMBR

Any help you can provide is MUCH! appreciated.

Thanks,

Chase

Kaspersky blog http://blog.kaspersky.com/multiple-antivirus-programs-bad-idea/

Could you attach the combofix log please

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

2014-10-20 22:23 - 2013-11-10 11:03 - 00000000 ____D () C:\Users\Chase\AppData\Roaming\DataMgr
2014-10-20 22:23 - 2013-11-10 11:01 - 00000000 ____D () C:\Users\Chase\AppData\Local\CRE
C:\Users\Chase\AppSharingChromeHook.dll
C:\Users\Chase\AppSharingHookController.exe
C:\Users\Chase\appshcom.dll
C:\Users\Chase\appshvw.dll
C:\Users\Chase\AutoHelper.dll
C:\Users\Chase\collabaddin.dll
C:\Users\Chase\communicator.exe
C:\Users\Chase\crecplayer.exe
C:\Users\Chase\CURes.dll
C:\Users\Chase\intldate.dll
C:\Users\Chase\MeetingJoinAxOC.dll
C:\Users\Chase\msptls.dll
C:\Users\Chase\OCHelper.dll
C:\Users\Chase\ocimport.dll
C:\Users\Chase\ocoffice.dll
C:\Users\Chase\ocpptview.dll
C:\Users\Chase\ocpubmgr.exe
C:\Users\Chase\ocrec.dll
C:\Users\Chase\ogl.dll
C:\Users\Chase\ppvwintl.dll
C:\Users\Chase\psom.dll
C:\Users\Chase\RTMPLTFM.dll
C:\Users\Chase\saext.dll
C:\Users\Chase\scdec.dll
C:\Users\Chase\sqmapi.dll
C:\Users\Chase\Uc.dll
C:\Users\Chase\ucaddin.dll
C:\Users\Chase\UccApi.dll
C:\Users\Chase\UcMapi.exe
C:\Users\Chase\xceedzip.dll

EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double-click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Thank you Essexboy for your help.

I ran FRST a few times, but it crashed every time. It did create a log (attached). I’ve also attached my combofix log as well.

Thanks,

After you have run AdwCleaner could you let me know what problems you are having

Here is the ADW cleaner log.

How is the system behaving now ?

Yes - I just ran it. I seem to be getting a lot of what other people on the forum are reporting: xklma.com popups, etc. Since running the cleaners it’s become almost exclusively this URL:

https://svadxbvtuc8c.com

I’d send you a screenshot of the Avast popup, but I can’t convert my .png file to a .jpg

Is that helpful information?

Still no change. :(

Does it occur in a specific browser or all ?

It happens in both Chrome and IE. I also get popups when neither browser is open.

Could you uninstall Panda cloud please

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-262943121-212464047-964901043-1000\...\Run: [SSync] => C:\Users\Chase\AppData\Roaming\SSync\SSync.exe [36864 2013-04-09] ()
HKU\S-1-5-21-262943121-212464047-964901043-1000\...\Run: [Intermediate] => C:\Users\Chase\AppData\Roaming\Intermediate\Intermediate.exe [36864 2013-04-09] ()
HKU\S-1-5-21-262943121-212464047-964901043-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [SSync] => C:\Users\Chase\AppData\Roaming\SSync\SSync.exe [36864 2013-04-09] ()
HKU\S-1-5-21-262943121-212464047-964901043-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [Intermediate] => C:\Users\Chase\AppData\Roaming\Intermediate\Intermediate.exe [36864 2013-04-09] ()
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
FF Plugin HKCU: bebomedia.com/OfferMosquitoIEHelper -> C:\Users\Chase\AppData\Local\ext_offermosquito\npOfferMosquitoIEHelper.dll No File
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that
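For readers following along on their own machine: the fix above removes two per-user Run entries whose executables live under the profile’s AppData folders, plus a Chrome policy key FRST flagged. The script below is an added example, not part of the thread or of FRST, that audits the same locations in PowerShell so you can see what a fixlist like this is targeting before you delete anything. It assumes PowerShell 5.1 on Windows, run as the affected user (HKCU is that user’s HKU\S-1-5-21-…-1000 hive); the "suspicious" heuristic (binary under AppData, or no valid Authenticode signature) is an assumption for triage, not a verdict, since plenty of legitimate software is unsigned.

```powershell
# Added example (not from the thread): audit per-user/machine Run keys the way the
# FRST fix targets them, flagging SSync/Intermediate-style entries. Review only;
# nothing here deletes anything.
# Assumption: Windows PowerShell 5.1, run as the user whose profile is affected.

$suspectRoots = @(
    [Environment]::GetFolderPath('ApplicationData'),       # %APPDATA%
    [Environment]::GetFolderPath('LocalApplicationData')   # %LOCALAPPDATA%
)

# Pull the executable out of a Run value such as  "C:\x\y.exe" -arg  or  C:\x\y.exe -arg
function Get-RunTarget([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.(exe|dll|cmd|bat|vbs|js))') { return $Matches[1] }
    return $Command.Trim()
}

$results = foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($key in "$hive\Software\Microsoft\Windows\CurrentVersion\Run",
                     "$hive\Software\Microsoft\Windows\CurrentVersion\RunOnce") {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PSPath/PSParentPath/... metadata properties Get-ItemProperty adds
        $names = ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name
        foreach ($name in $names) {
            $cmd    = [string]$props.$name
            $target = [Environment]::ExpandEnvironmentVariables((Get-RunTarget $cmd))

            $inAppData = $false
            foreach ($root in $suspectRoots) {
                if ($target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inAppData = $true }
            }

            $sig = if (Test-Path -LiteralPath $target -PathType Leaf) {
                (Get-AuthenticodeSignature -FilePath $target).Status   # Valid / NotSigned / HashMismatch ...
            } else { 'FileMissing' }

            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Target     = $target
                InAppData  = $inAppData
                Signature  = $sig
                Suspicious = ($inAppData -or ($sig -ne 'Valid'))
            }
        }
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# The "CHR HKCU\SOFTWARE\Policies\Google: Policy restriction" line in FRST refers to
# this key. A home PC that is not domain-managed normally does not have it at all;
# adware uses it to pin extensions or a search provider.
$chromePolicy = 'HKCU:\SOFTWARE\Policies\Google'
if (Test-Path $chromePolicy) {
    Write-Warning "Chrome policy key present: $chromePolicy"
    Get-ChildItem -Path $chromePolicy -Recurse | Get-ItemProperty | Format-List
}
```

A HashMismatch status deserves more attention than NotSigned: it means a file that was signed has since been modified. If you do decide to remove an entry, remove the registry value and the file together, as the fixlist does, or the orphaned value will keep reappearing in every scan log.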

Panda cloud and Panda AV are both now uninstalled. I ran FRST64.exe and I got the same old “program has stopped working” error. But it did generate a Fixlog.txt file. File is attached. Also, still getting the popups from Avast (in case that was going to be your next question :) )

I think the problem with the FRST fix is the EmptyTemp command, as otherwise it is working correctly.

OK, if the alerts are continuing I will need to look deeper, but first I will flush the DNS.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

That makes sense. Here’s the newest log.

Are the alerts still appearing, and do any other computers that use the router experience the same problem?

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

  • Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

  • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

  • Get the report by selecting Reports.

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

The alerts continue … But no other devices are having problems. My other devices are phones, iPad, and DVD player. I have one other laptop but it’s VPN’d into the network at work.

OK, to recap: all adware has gone, all files are legitimate and have not been tampered with. The phones and iPad would not exhibit the same behaviour if they are not loaded with Avast and are not Windows based. So the next problem area could be the router. Do you know how to reset your router? If not, what is the make?
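When a cleaned Windows box keeps throwing web-shield alerts while the non-Windows devices on the same network show nothing, a router whose DHCP hands out a rogue DNS server is the usual suspect, and it is cheap to test from the PC before reflashing anything. The script below is an added example, not part of the thread, that lists what DHCP handed out and then resolves a couple of benign names both through the configured resolver and through an independent public one. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Get-NetIPConfiguration; the trusted resolver and the probe names are editable assumptions, not values taken from the thread.

```powershell
# Added example (not from the thread): check for DNS hijacking at the router.
# Assumptions: Windows 8+ cmdlets; 8.8.8.8 and the probe names are placeholders
# you trust, not anything from the thread. Never probe the alert URLs themselves.

$trustedResolver = '8.8.8.8'                              # assumption: an independent public resolver
$probeNames      = 'www.microsoft.com', 'www.avast.com'   # assumption: benign, well-known names

# 1. What the router (via DHCP) told this PC to use for gateway and DNS
Get-NetIPConfiguration |
    Where-Object { $_.IPv4DefaultGateway } |
    Select-Object InterfaceAlias,
                  @{ n = 'Gateway';    e = { $_.IPv4DefaultGateway.NextHop } },
                  @{ n = 'DnsServers'; e = { $_.DNSServer.ServerAddresses -join ', ' } } |
    Format-Table -AutoSize

# A router that answers DNS itself (dd-wrt's dnsmasq does) is normal. A DNS server
# that is an unfamiliar public address, or answers that never agree with an
# independent resolver, is the hijack signature.
$configured = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses } |
               Select-Object -First 1).ServerAddresses[0]

# 2. Compare answers from the configured resolver against the trusted one
foreach ($name in $probeNames) {
    $viaRouter  = Resolve-DnsName -Name $name -Type A -Server $configured -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    $viaTrusted = Resolve-DnsName -Name $name -Type A -Server $trustedResolver -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    $overlap = @($viaRouter | Where-Object { $viaTrusted -contains $_ })

    [pscustomobject]@{
        Name       = $name
        Resolver   = $configured
        ViaRouter  = ($viaRouter  -join ', ')
        ViaTrusted = ($viaTrusted -join ', ')
        # CDN-fronted names legitimately differ by region, so require zero
        # overlap across several names before calling it a hijack.
        Agree      = ($overlap.Count -gt 0)
    }
}
```

If the configured resolver is the router’s own LAN address, log in to the router and check which upstream DNS servers it uses, and who can administer it: a router reachable with default credentials or with remote administration enabled is how these settings get changed in the first place. A factory reset (the hardware button) clears the settings; reflashing only matters if you suspect the firmware itself.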

Just to add to this thread - exact same problem started today - web shield alert for url:mal every 30 seconds.

Interesting … about the router. As far as resetting it - do you mean unplugging it and pushing the reset button? Or do you mean reflashing firmware? It’s a Buffalo router running (I believe) dd-wrt.