Help removing malware - Please!

Hi!

I had some problems with Russian porn popping up on my computer in Dec 2014. I got fabulous help from you. And I haven’t had any problems until now.

Now I’ve got the Russian porn AGAIN! (I suspect my son to have downloaded some crap from the web).

I’ve followed the steps until the aswMBR-programme stopped working for me. It happened last time too…

The log files are attached.

I’m so grateful that you help us novices out when needed!

Run AdwCleaner and attach the log: http://www.bleepingcomputer.com/download/adwcleaner/

essexboy will be online later today and check your logs

Here is the log from Adware Cleaner. I ran it yesterday too, so I enclose both files…

Could you attach the FRST additions log please?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
AppInit_DLLs: C:\Program Files (x86)\SW_x64.Booster => C:\Program Files (x86)\SW_x64.Boo File Not Found
AppInit_DLLs-x32: c:\progra~2\sw30e4~1.boo => "c:\progra~2\sw30e4~1.boo" File Not Found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-3164634606-3881593238-2463739118-1001\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO: No Name -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> No File
BHO-x32: No Name -> {42E26D89-80C0-48dc-AA94-18B90EDAD1A2} -> No File
BHO-x32: No Name -> {658C5709-D8D0-C403-3D60-1E35B94B7F2D} -> No File
BHO-x32: No Name -> {AABEFB10-83C4-274B-22B7-648AE0990EE1} -> No File
BHO-x32: No Name -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKU\S-1-5-21-3164634606-3881593238-2463739118-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-3164634606-3881593238-2463739118-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-3164634606-3881593238-2463739118-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
2015-02-12 10:15 - 2015-02-12 10:15 - 00000000 ____D () C:\907ffa949996717ad1
2015-02-23 07:15 - 2013-09-19 21:23 - 00000000 ____D () C:\Users\Marie\AppData\Local\88E48BF7-4A91-4FF2-AD1D-13EEF5F81538.aplzod
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download Junkware Removal Tool to your desktop.

  • Right-mouse click JRT.exe and select “Run as Administrator”. The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system’s specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

This one?

Sorry! I found it! I enclose both files (I ran the program once again)

And the log afterwards! :)

JRT-file!

How is the computer behaving now?

Unfortunately the Russian porn just popped up again… :(

OK, big boy time. Is this in all browsers?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

I don’t know as I only use Firefox. I’ll try to use Safari and check. :) I’ll be back.

I just tried to follow the same link in both Firefox and Safari. The same Russian crap did appear in Firefox as yesterday. In Safari it didn’t.

Now I’ve run ComboFix. The log is enclosed.

I had disabled my antivirus program for 10 minutes. It was activated again during the scan. I did deactivate it again. I don’t know if there were some troubles when it was activated… But I think you should know! :)

Still popping up that crap. :(

OK, could you reset Firefox:

1. Click the menu button and then click Help.
2. From the Help menu choose Troubleshooting Information. …
3. Click the Reset Firefox… button in the upper-right corner of the Troubleshooting Information page.
4. To continue, click Reset Firefox in the confirmation window that opens.

Then run this FRST fix

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

A related question. Can I get crap into my home network without having it on my actual computer?

I’ve got ADSL Broadband. A router which was handed out by my operator. Then we have an Apple Airport Extreme to handle the network.

Last October/November there was some information about the routers provided, that they were totally open though they had some locked function. (I’m totally lost here, as you probably understand :-[ ). Is it possible that some crap could have been put into the network?

Is it safe for me/my computer to start the cleaning process all over again? Can I run it several times, to be able to get rid of the crap?

Routers can become infected; however, it would affect all browsers, not just one.

Did the Firefox reset help?

I ran the reset just now. When I ran the fix, the FRST-program stopped working.

I visited the same page that I visited yesterday evening (to print the invoice from my ADSL supplier ???) and this time there was no crap popping up! :)

Could you monitor it please and let me know if it has gone.