Help with Malware!

Hi,

I recently “cleaned” (or so I thought) my computer from malware that installed itself as an enterprise extension on Chrome (YTBloccKErAAPp). I thought I had dealt with it my own way, and from what I know, there are no unknown programs or extensions currently installed (via Chrome>Extensions or Control Panel>Add/Remove Programs).

However, a couple of weeks on I keep receiving this notification from the webshield:
http://i.imgur.com/QFh9u4g.jpg?1

The link that it’s trying to redirect me to is mypageresults.com/blahblah, which from the research I’ve done is a commonly known browser hijacking virus.

This virus has been persistently getting more intensive, and the processes are not just chrome, but pretty much anything. I’m not sure how to deal with it. I’ve run an antivirus scan and a malware scan, both of which came up with nothing. Is there a reason why this isn’t popping up in any of my virus scans? And how should I go about fixing it?

I have attached various logs that I think are required for these inquiries.

Remover Notified. Sit tight.

Could you let me know if this cures it?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O2:64bit: - BHO: (IIsaver) - {20ACB41D-AF69-DCEF-707A-780369370679} - C:\ProgramData\IIsaver\qKbqV.x64.dll File not found
O2:64bit: - BHO: (YTBloccKErAAPp) - {F3161909-8CC0-5771-E327-9A8E69C4B9C5} - C:\ProgramData\YTBloccKErAAPp\LeD9.x64.dll File not found
O2 - BHO: (YTBloccKErAAPp) - {F3161909-8CC0-5771-E327-9A8E69C4B9C5} - C:\ProgramData\YTBloccKErAAPp\LeD9.dll File not found

:Files
C:\ProgramData\IIsaver
C:\ProgramData\YTBloccKErAAPp

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on “Clean”.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Hey essex, thanks for the reply! :)

I’m not too sure yet if this fixes the problem, because it’s more of a “wait until it pops up” kind of way of verifying.

But here are the various attached logs (post-fix, scans and adw scans). One thing to note is that the log for the ADWCleaner was in its own subdirectory and indexed at “0” (not sure if that makes a difference but saying it anyways).

If it’s possible, is there anything I can take away from this? I’m assuming I had lingering files from when I tried to get rid of the virus before?

Thanks for the help :)

Well haha, I just got a pop up again, so I suppose this didn’t fix the issue :(

Could you confirm it is only in Chrome? If it is, then as Chrome has so many hiding places I would recommend resetting it. Details here: https://support.google.com/chrome/answer/3296214?hl=en-GB

Actually, to be fair, the pop up is no longer regarding Chrome, but pretty much every other process! This includes (but is probably not limited to) Steam, PMB (League of Legends patcher), HexChat, Explorer, etc.

Yeah, I think regarding Chrome it is fixed… (?)

OK, let’s take a better look at the services and tasks.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Hmmm I don’t know if I can run it. I’m using Windows 8.1 and keep getting a “Can’t run Combofix in Compatibility mode” error, followed by force close.

No, it will not work on 8.1. Duh! No problem, I have another tool :)

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste the log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Alright here you go.

EDIT: Just an update, I’ve received a couple of webshield popups regarding Chrome as well. So my previous assumption that Chrome was fixed was wrong, I guess :S. One thing I am noticing though is that these pop ups are a lot less frequent than before!

Could you attach a screenshot of the next popup please, as I can see no running tasks or modules that appear to cause this?

Sure, no problem :)

It’s hard to say what exactly prompts the redirect. I can reproduce this every time I start the League launcher, but with Steam, Chrome, HexChat etc. it’s very random.

The exact Process on the popup is “Program Files(x86)\Pando Networks\Media Booster\PMB.exe”, which is used for making faster downloads on League patches. A lot of people find it sketchy software but I don’t personally think it is the root of the problem (it might be though!).

I see it is coming from Pando Networks, not a programme that I would recommend, although I believe you do need to use it for some games.

I managed to get it to pop up for Steam off of a reboot. WTF is going on LOL

Here’s the details URL that the popup gave: http://www.avast.com/en-ca/lp-fr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_90_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-ca%2Fvirus-alert-default&p_vir=URL:Mal&p_prc=C:\Program%20Files%20(x86)\Steam\Steam.exe&p_obj=http://mypageresults.com/?dn=wpad&flrdr=yes&nxte=dat&p_var=.%2Ffa%2Fen-ca%2Fvirus-alert-default&p_elm=7&p_lex=322&p_lid=en-ca&p_lng=en&p_lqa=0&p_lqe=0&p_lst=0&p_lsu=24&p_pro=0&p_bld=empty&p_vep=9&p_ves=0&p_vbd=2013&p_hid=ffcc261a-b56c-4510-b2f9-4ccfd3ce1d02&p_ram=12184&p_cpu=7.9

It appears to have somehow compromised those programmes in addition to Chrome; unfortunately, I have no knowledge of Steam or Pando Networks as I have never used them. It may be a small script entered within the update stream of the programmes, i.e. added as a server address.

I will have a think about it and see if I can come up with a way to locate it.

Alright essex, thanks by the way for your help so far, it’s been making me scratch my head as well.

Not to just give redundant information, but here are a couple of other screencaps I have of the processes it’s catching: when I browse through the game library on Steam, or when I start up Smite (another MOBA game like League of Legends). I don’t know the extent of which processes are compromised, so the scope could be pretty large :S

http://imgur.com/NCX9sQu&s4Wj5cx&EbPKRe2#0 (I had to give an imgur link because the total size of the screencaps exceeded the attachment limit).

My initial thoughts are that the wpad.dat file that it is trying to access may have a bad URL within it. Wpad contains a list of servers that the update(s) are available on, so I reckon if you turn off the auto update functions for those programmes the alerts should cease. However, that is not really useful to you, but it can be done as a test for a short period.

Hmmm this is going to be difficult to test.

For the majority (if not all), the update functions are integrated into the launcher for the games I’m starting. I’m not sure of a way to bypass this without hacking the launcher itself :S
Would going about this by dealing with the wpad.dat file be better? Should I do a search on it?

I was looking at a couple other threads dealing with this issue but I’m not sure if they’re relevant to my case:
http://forum.avast.com/index.php?topic=144873.0
http://forum.avast.com/index.php?topic=136247.0

EDIT: With regards to Steam, when I manually force an update check, I get no pop up notification :(
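An added example, not part of the thread, for the wpad.dat question above: the alert URL in the earlier post ends in `?dn=wpad`, and `wpad` is the host name Windows' Web Proxy Auto-Discovery looks up before fetching a `wpad.dat` proxy auto-config script, so a bad proxy setting, hosts entry or DNS answer for that name would explain alerts from every program that goes through the system proxy. The PowerShell below only reads the settings involved and changes nothing; the flag-byte layout of DefaultConnectionSettings is the documented one for the Internet Settings connection blob.

```powershell
# Added example (not from the thread): read-only check of where a WPAD/proxy
# hijack normally lives on Windows. Run from an elevated PowerShell prompt.
$is = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p  = Get-ItemProperty -Path $is

# A PAC URL or proxy server set here applies to every WinINet application.
"AutoConfigURL : $($p.AutoConfigURL)"
"ProxyEnable   : $($p.ProxyEnable)"
"ProxyServer   : $($p.ProxyServer)"

# Byte 8 of the DefaultConnectionSettings blob holds the connection flags:
# 0x01 direct, 0x02 manual proxy, 0x04 auto-config URL, 0x08 auto-detect (WPAD).
$conn  = Get-ItemProperty -Path "$is\Connections" -ErrorAction SilentlyContinue
$blob  = $conn.DefaultConnectionSettings
$flags = if ($blob -and $blob.Length -gt 8) { [int]$blob[8] } else { 0 }
"WPAD auto-detect enabled : $([bool]($flags -band 0x08))"
"PAC URL in use           : $([bool]($flags -band 0x04))"
"Manual proxy in use      : $([bool]($flags -band 0x02))"

# Auto-detect resolves the name 'wpad' via the hosts file and DNS; show both.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
"--- non-comment hosts entries ---"
Get-Content $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
"--- DNS answer for 'wpad' (blank means no answer) ---"
Resolve-DnsName -Name wpad -ErrorAction SilentlyContinue |
    Select-Object Name, Type, IPAddress

# Services use the machine-wide WinHTTP proxy rather than the user setting.
"--- WinHTTP proxy ---"
netsh winhttp show proxy
```

An AutoConfigURL, a hosts entry or a DNS answer for `wpad` that points at an unfamiliar host is the thing to note in the reply; clearing the setting is a separate step to agree with the helper.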

bump :(