Over the last couple of days, I started getting an unusually large number of popups in Avast with a “Malicious URL Blocked” notification. I also had new webpages open while I was browsing the internet.
Avast scans failed to point to any problems, but Spybot, Malwarebytes and SUPERAntiSpyware all did.
(1) Spybot consistently comes up with a Click.GiftLoad hijacker that I have been unable to get rid of. I am not sure if, as a result of this, I have several svchost processes that have slowed down my computer. When I try “end process” on the additional svchost processes, they pop up again after a while. I’ve also tried deleting the “feature browser emulation” key in my registry multiple times without success, and another fix with a “registry merge” (?) that I found online that also didn’t help.
(2) Malwarebytes and SUPERAntiSpyware also catch some problems and “fix” them, only to have them return at the next scan.
Unfortunately, I made the mistake of trying various “fixes” (reboot in safe mode and make changes to the registry, or use msconfig and use Selective Startup rather than Normal Startup, etc.) rather than seek professional help. Now I seem to have larger problems:
Avast says system is unsecured, and I cannot get it to run (I have a snapshot, but cannot attach it as the total attachment size exceeds 200Kb)
Save the log as before and post in your next reply
THEN
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1482476501-2077806209-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1482476501-2077806209-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "KernelFaultCheck" -> [%systemroot%\system32\dumprep 0 -k]
YN -> "SunJavaUpdateSched" -> ["C:\Program Files\Common Files\Java\Java Update\jusched.exe"]
< Run [HKEY_USERS\S-1-5-21-1482476501-2077806209-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1482476501-2077806209-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Google Update" -> ["C:\Documents and Settings\sridhar\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c]
YN -> "Logitech Vid" -> ["C:\Program Files\Logitech\Logitech Vid\vid.exe" -bootmode]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1482476501-2077806209-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1482476501-2077806209-839522115-1003\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{BBF74FB9-ABCD-4678-880A-2511DAABB5E1}" [HKLM] -> [Reg Error: Key error.]
[Registry - Additional Scans - Safe List]
< Internet Explorer Bars [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Bars [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Bars [HKEY_USERS\S-1-5-21-1482476501-2077806209-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1482476501-2077806209-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY -> Search Toolbar -> C:\Program Files\Search Toolbar
[Files/Folders - Modified Within 30 Days]
NY -> ipicaciris.dll -> C:\WINDOWS\ipicaciris.dll
NY -> icogohek.dll -> C:\WINDOWS\icogohek.dll
[Files - No Company Name]
NY -> icogohek.dll -> C:\WINDOWS\icogohek.dll
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Dear essexboy, thanks very much first for your assistance. I am truly grateful for your help !
I re-ran aswMBR and clicked on Fix, and am attaching the log file.
Unfortunately, the “Run Fix” with OTS did not complete, and forced a restart of my PC. I checked to see that it did not save a log. Since I already ran the fix once (and it did go through parts of it), I am hesitant to re-run it without hearing back from you on how to proceed next. Should I re-run the fix or (follow your previous instructions and) run a scan and post the results here?
Addendum: I should also mention that the svchost processes have increased in number, and almost every “Malicious URL Blocked” popup in Avast (which occur at a very high frequency) has “svchost.exe” as the listed process.
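An added triage script to go with the two helper posts above. It is not part of this thread and is not OTS, Avast or ComboFix code; it only reports, it deletes nothing. It assumes Windows PowerShell run as administrator on the affected machine. The SID, Run keys and the two DLL paths are copied from the OTS lines quoted above; the list of directories treated as "normal" for svchost modules (System32, SysWOW64, WinSxS) and the CompanyName heuristic are my own assumptions, not something the thread states.

```powershell
# Added triage script; not part of the forum thread, OTS or Avast.
# Assumptions: Windows PowerShell, run as administrator on the affected PC.
# The SID, Run keys and DLL paths are copied from the OTS lines quoted in
# the thread. Nothing here deletes anything, it only reports.
$Sid = 'S-1-5-21-1482476501-2077806209-839522115-1003'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    "Registry::HKEY_USERS\$Sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
)
$SuspectFiles = @('C:\WINDOWS\ipicaciris.dll', 'C:\WINDOWS\icogohek.dll')
# Assumed "normal" homes for DLLs loaded into a service host (heuristic).
$TrustedDirs = @('System32', 'SysWOW64', 'WinSxS') | ForEach-Object { Join-Path $env:SystemRoot $_ }

function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# Facts a helper wants before deciding whether a file is malware: where it
# lives, when it changed, whether it carries a CompanyName, whether its
# Authenticode signature verifies, and a hash to look up elsewhere.
function Get-FileFacts {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path
    New-Object PSObject -Property @{
        Path      = $Path
        Exists    = $true
        Size      = $item.Length
        Modified  = $item.LastWriteTime
        Company   = $item.VersionInfo.CompanyName
        Signature = (Get-AuthenticodeSignature -FilePath $Path).Status
        SHA256    = Get-Sha256 -Path $Path
    }
}

# Pull the executable out of a Run value such as
#   "C:\Program Files\...\jusched.exe"   or   %systemroot%\system32\dumprep 0 -k
function Get-CommandPath {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
    if (-not (Test-Path -LiteralPath $exe) -and -not [IO.Path]::HasExtension($exe)) { $exe += '.exe' }
    return $exe
}

Write-Host '== Autorun entries =='
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($p in $values.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PowerShell's own metadata properties
        Get-FileFacts -Path (Get-CommandPath $p.Value) |
            Add-Member NoteProperty Entry "$key\$($p.Name)" -PassThru | Format-List
    }
}

Write-Host '== Files named in the OTS fix =='
$SuspectFiles | ForEach-Object { Get-FileFacts -Path $_ } | Format-List

# Avast attributes the blocked URLs to svchost.exe, so list every svchost
# with its service group (the -k argument) and flag any loaded module that
# lives outside the trusted directories or carries no CompanyName.
Write-Host '== svchost.exe instances and suspicious modules =='
foreach ($wmi in Get-WmiObject Win32_Process -Filter "Name='svchost.exe'") {
    Write-Host ("PID {0}: {1}" -f $wmi.ProcessId, $wmi.CommandLine)
    try { $mods = (Get-Process -Id $wmi.ProcessId).Modules }
    catch { Write-Host '  (modules not readable from this PowerShell session)'; continue }
    foreach ($m in $mods) {
        $trusted = $false
        foreach ($d in $TrustedDirs) { if ($m.FileName -like "$d\*") { $trusted = $true } }
        $company = $m.FileVersionInfo.CompanyName
        if (-not $trusted -or [string]::IsNullOrEmpty($company)) {
            Write-Host ("  SUSPECT {0}  company='{1}'" -f $m.FileName, $company)
        }
    }
}
```

Two caveats when reading the output: a 32-bit PowerShell on 64-bit Windows cannot enumerate the modules of 64-bit svchost processes, so run the native PowerShell; and the directory and CompanyName checks are heuristics that surface candidates for a helper to review, not a verdict. A DLL sitting directly in C:\WINDOWS with no company name and loaded into several svchost instances is exactly the pattern the OTS lines above single out, and the hash lets that file be checked against other sources before it is removed.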
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
[*]Double click on ComboFix.exe & follow the prompts.
[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
I am going out of town in a few hrs and have several personal things to take care of before I leave (it is already 1am and I am [as my students would say] stressing).
I will download and use ComboFix as soon as I get back and send you an update. In the meanwhile could you please look at the new aswMBR and OTS logs (I got aswMBR to run in safe mode with networking and the Fix seemed to work fine this time. I saved the log file and ran OTS with the instructions @ http://forum.avast.com/index.php?PHPSESSID=t7i54rurtcd8dr1mt628mgsrg1&topic=77336.0).
I will come back on Thu and immediately download ComboFix and post the results.
Might not need CF ;D But why not, as you now have it.
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1482476501-2077806209-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1482476501-2077806209-839522115-1003\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "KernelFaultCheck" -> [%systemroot%\system32\dumprep 0 -k]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1482476501-2077806209-839522115-1003\] > -> HKEY_USERS\S-1-5-21-1482476501-2077806209-839522115-1003\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{BBF74FB9-ABCD-4678-880A-2511DAABB5E1}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY -> Onuoha -> C:\Documents and Settings\sridhar\Onuoha
[Files/Folders - Modified Within 30 Days]
NY -> icogohek.dll -> C:\WINDOWS\icogohek.dll
[Files - No Company Name]
NY -> ipicaciris.dll -> C:\WINDOWS\ipicaciris.dll
NY -> icogohek.dll -> C:\WINDOWS\icogohek.dll
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.