Help removing the multiple windows update icons malware

Hello,

I have the same problem as this guy: http://forum.avast.com/index.php?topic=120789.0. I created a new thread because as guy who answered in the thread I linked said, the steps are unique for each PC!

I’ve already run OTL for the first time as explained in the thread I linked (“with Scan all users”, “include 64bit scans”, “LOP check” and “Purity check” and the code pasted into the custom scans area). And it produced the anexed OTL file.

I checked the folder and it didn’t produce any Extras file this time.

I’ve already tried malwarebytes to remove it, with no success.

Also, if that helps, I have dual boot on my pc with ubuntu…it might help if there’s some removal step involved, to circunvent anything the malware did that keeps me from removing some file!

Thanks in advance

Hi there this probably came from an infected USB

Download McShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan

Then get the log which will be here :

Start > all programs > MCShield > logs > all scans

And post that

Then run the OTL fix and follow with a fresh scan

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=ironpub&chnl=ironpub&cd=2XzuyEtN2Y1L1QzuzzyEzz0FyCzy0BtDyCyDtByEyC0B0BzytN0D0Tzu0StByEtCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2054170067
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=ironpub&chnl=ironpub&cd=2XzuyEtN2Y1L1QzuzzyEzz0FyCzy0BtDyCyDtByEyC0B0BzytN0D0Tzu0StByEtCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2054170067
IE - HKU\S-1-5-21-3102745131-1227957348-1422402284-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Backup.Old.Start Page = http://search.babylon.com/?affID=110808&tt=3412_1&babsrc=HP_ss&mntrId=0c226bb90000000000004c809319d44f
IE - HKU\S-1-5-21-3102745131-1227957348-1422402284-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=ironpub&chnl=ironpub&cd=2XzuyEtN2Y1L1QzuzzyEzz0FyCzy0BtDyCyDtByEyC0B0BzytN0D0Tzu0StByEtCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=2054170067
IE - HKU\S-1-5-21-3102745131-1227957348-1422402284-1000\..\SearchScopes\{39B03100-137A-AE8B-BF32-5BE79FBE5FB8}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=110808&tt=3412_1&babsrc=SP_ss&mntrId=0c226bb90000000000004c809319d44f
IE - HKU\S-1-5-21-3102745131-1227957348-1422402284-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
FF - prefs.js..backup.old.browser.search.defaultenginename: "Search the web (Babylon)"
FF - prefs.js..browser.search.defaultenginename: "Search"
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - prefs.js..browser.search.selectedEngine: "Search"
[2012/08/29 20:25:52 | 000,002,347 | ---- | M] () -- C:\Users\alberto\AppData\Roaming\mozilla\firefox\profiles\fh96mgst.default\searchplugins\Search.xml
O4 - HKLM..\Run: [ApnTBMon] C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe (APN)
O4 - HKU\S-1-5-21-3102745131-1227957348-1422402284-1000..\Run: [12] C:\Users\alberto\AppData\Roaming\044b\12.js ()
[2013/08/17 08:04:02 | 000,000,000 | -HSD | C] -- C:\Users\alberto\AppData\Roaming\044b
[2013/08/16 21:22:56 | 000,000,000 | -HSD | C] -- C:\05b1
[2012/08/29 20:25:31 | 000,384,844 | ---- | C] () -- C:\Users\alberto\AppData\Local\funmoods-speeddial.crx
[2013/07/29 15:47:37 | 000,000,000 | ---D | C] -- C:\ProgramData\boost_interprocess

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I anexed both logs from OTL: Fix and Quick Scan

MCShield didn’t produce a log because I formated the flash drive, and when I scanned it with MCShield, it found nothing!

Thanks!

Could you confirm the alerts have ceased and the system is running normally

No, I still get them. Avast also alerts me of the presence of malware when I startup outside of safe mode

Avast is not running in safe mode so thats why it is not giving alerts.

Please follow Essexboys instructions to clean this up. :smiley:

Or if you want you can run a full system scan or take a screenshot of the alert please so that we can know where this is sitting.

Avast actually still alerts me of the presence of malware. I followed his instructions up until hist last post (running the OTL fix and running the OTL quick scan) but still, no luck. I’ll be waiting for his next instructions!

OK got it, one was hidden until I removed the others

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O4 - Startup: C:\Users\alberto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\48.js ()

:Files
C:\Users\alberto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Two logs anexed!

Edit: Just to report that I’m having problems with the malware :confused:

It appears that they have now hardened this, could you run the next fix from safe mode please

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
O4 - HKCU..\Run: [12] C:\Users\alberto\AppData\Roaming\044b\12.js ()
[2013/08/18 16:06:30 | 000,000,000 | -HSD | C] -- C:\Users\alberto\AppData\Roaming\044b
[2013/08/18 16:06:26 | 000,000,000 | -HSD | C] -- C:\05b1

:Files
C:\Users\alberto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Two latest logs attached.

I’ve restarted my computer outside of safe mode and so far so good, no avast alerts and no multiplying windows update icons (only the real one, which doesn’t disappear when I mouse over it). It seems like the malware is finally dead! I’ll be keeping an eye to see if there are any changes though

Yep that’s it now, if all is well tomorrow let me know and I will tidy up