I did all the required steps, and I will upload all the logs of the programs. Thanks in advance
@Ariel81937
Welcome to avast.
[*] I will be working on your malware issues; this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*] Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.
How to disable avast:
[*] Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*] In the window that opens, in the top right corner, click Settings.
[*] In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.
[*] Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
[*] In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.
When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) to this topic.
I can’t seem to find the ComboFix log file. I searched for it under the C drive, but it’s not there. The program runs and after finishing whatever it’s doing, it closes.
Ok, then we will re-run it with a fresh copy.
Delete your copy of ComboFix and download a new, fresh ComboFix.exe from the download link above.
Again, temporarily disable your AntiVirus and re-run ComboFix. Attach the created ComboFix.txt log here.
I ran it again, but it just closes without any log file after the scan ends. I do get a weird error that I ignore. It is error opening file for writing
C:\32788R22FWJFW\pev.3XE
Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.
[*] Double-click to run it. When the tool opens, click Yes to the disclaimer.
[*] Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*] Press the Scan button.
[*] It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
[*] The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Here they are.
Hi,
“I do get a weird error that I ignore. It is error opening file for writing”
That error/line is ComboFix related. Please ignore it.
Multiple Antivirus Programs
You are running more than 1 Antivirus program!
AV: AVAST Software
AV: McAfee, Inc.
Running - more than one - antivirus program is not recommended because:
[*]They can conflict with each other.
[*]Report the other antivirus software as malicious.
[*]Antivirus programs use an enormous amount of the computer's resources… actively scanning your computer.
[*]Can cause your computer to become unstable…run slowly and even, in rare cases, BSOD crash…etc
I strongly suggest you uninstall one of them. Which one, is your decision.
— — — — — — — —
- Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
MountPoints2: F - F:\LaunchU3.exe -a
MountPoints2: G - G:\LaunchU3.exe -a
MountPoints2: {52cbca4d-df92-11de-a847-0026188e3550} - F:\LaunchU3.exe -a
MountPoints2: {f73630cf-a146-11de-9f7f-806e6f6e6963} - E:\autorun.exe
HKLM-x32\...\Run: [] [x]
AppInit_DLLs-x32: c:\progra~3\browse~1\25976~1.107\{c16c1~1\mngr.dll [97280 2009-07-13] ()
SearchScopes: HKLM - {4E546D24-C8B3-480B-AAF7-00DB4D53052D} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 - {cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^HJ^xdm003^YY^us&si=CLDP7Zanj7QCFcKPPAodpHQAyA&ptb=8A234683-D408-46CF-A399-39CAAC16E806&ind=2012121002&n=77ee87aa&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {A8E9058B-3ABA-43FE-A4D4-D4600F46F71F} URL =
SearchScopes: HKCU - {cf6e4b1c-dbde-457e-9cef-ab8ecac8a5e8} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^HJ^xdm003^YY^us&si=CLDP7Zanj7QCFcKPPAodpHQAyA&ptb=8A234683-D408-46CF-A399-39CAAC16E806&ind=2012121002&n=77ee87aa&psa=&st=sb&searchfor={searchTerms}
CHR Plugin: (Application Manager) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgafcinpmmpklohkojmllohdhomoefph\1.0_0\spext.dll No File
CHR Plugin: (Babylon ToolBar) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.8_0\BabylonChromeToolBar.dll No File
CHR Plugin: (MindSpark Toolbar Platform Plugin Stub) - C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\NP4zStub.dll No File
CHR Plugin: (MindSpark Toolbar Platform Plugin Stub) - C:\Program Files (x86)\iWon_5k\bar\1.bin\NP5kStub.dll No File
Task: {09FA421B-81AC-4B64-AABD-C42714283F34} - System32\Tasks\{2456BDC1-49AB-45E7-99A2-EB75500AAA59} => C:\Setup.exe No File
Task: {141BAB9D-1BF4-4E3F-B62C-626DF1591752} - System32\Tasks\{70C639B0-7A27-4CC4-ADFD-72F20163E747} => C:\SETUP.EXE No File
Task: {2A977AEB-A330-4710-A503-3976B27B228E} - System32\Tasks\{CF366B2F-76B1-4A92-8846-9EA12E568AC0} => C:\start.exe No File
Task: {2B9DEE32-D118-44AE-A83F-0CB406BDF06E} - System32\Tasks\{61EB8DB1-3DE2-4832-9210-9BAA545C53D7} => C:\SETUP.EXE No File
Task: {389FAD3A-1335-4138-AA39-FC8ED3CF2D7F} - System32\Tasks\{9B933BD7-D6FA-4C6E-9685-2E7017A605BA} => C:\SETUP.EXE No File
Task: {40A6D569-77D7-4B78-BFD1-670D69767687} - System32\Tasks\{A8BCC1F8-B076-4174-A247-2A8E6390BE59} => C:\SETUP.EXE No File
Task: {5016ECD7-3A47-4EAA-A75E-CB51F5402BAE} - System32\Tasks\{1C2BB6C1-C0DA-45C2-B1B0-97B1910A7FFB} => C:\Setup.exe No File
Task: {5D22BEB6-5498-42DE-8DDB-7B992A5BF581} - System32\Tasks\{B1BF1640-75A0-4F18-8B6F-D677B8ABE52E} => C:\SETUP.EXE No File
Task: {843080AA-18B8-49CE-8CF2-8A49D863321F} - System32\Tasks\{12B6B281-231E-4876-8E5E-49C6EBD78F32} => C:\Autorun.exe No File
Task: {88E743E7-8253-485B-8C2A-03C47FE408B7} - System32\Tasks\{35C0C685-2E4D-484A-9960-8BF6189FE993} => C:\Setup.exe No File
Task: {949F36D1-2008-44A9-8B03-CCC9E1CA1FFD} - System32\Tasks\{38C4B3EF-4C3C-4876-8868-5455A516641B} => C:\SETUP.EXE No File
Task: {94C9C1C4-C402-405C-ACA3-556C2B3D14BC} - System32\Tasks\{4BF0C189-1A50-41E4-AE4F-11C0A63AE58B} => C:\Users\Martin\Desktop\ComboFix.exe [2013-06-22] (Swearware)
Task: {AB7A85EB-700B-4B6E-95AE-24672C4E4466} - System32\Tasks\{FA6FF54E-5D05-4715-9C8C-9BCBE3236250} => C:\start.exe No File
c:\progra~3\browse~1
C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgafcinpmmpklohkojmllohdhomoefph\1.0_0\spext.dll
C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.8_0\BabylonChromeToolBar.dll
C:\Windows\Installer\{9219047f-a7c5-94f8-1b07-c2cef6850bfc}
C:\Windows\Installer\{9219047f-a7c5-94f8-1b07-c2cef6850bfc}\L
C:\Windows\Installer\{9219047f-a7c5-94f8-1b07-c2cef6850bfc}\U
C:\Users\Martin\AppData\Local\{9219047f-a7c5-94f8-1b07-c2cef6850bfc}
C:\Users\Martin\AppData\Local\{9219047f-a7c5-94f8-1b07-c2cef6850bfc}\@
C:\Users\Martin\AppData\Local\{9219047f-a7c5-94f8-1b07-c2cef6850bfc}\L
C:\Users\Martin\AppData\Local\{9219047f-a7c5-94f8-1b07-c2cef6850bfc}\U
C:\Users\Martin\AppData\Local\{9219047f-a7c5-94f8-1b07-c2cef6850bfc}\U\00000001.@
C:\Users\Martin\AppData\Local\{9219047f-a7c5-94f8-1b07-c2cef6850bfc}\U\80000000.@
C:\Users\Martin\AppData\Local\{9219047f-a7c5-94f8-1b07-c2cef6850bfc}\U\800000cb.@
DeleteJunctionsIndirectory: C:\Windows\system64
File: C:\Windows\system64\services.exe
File: C:\SETUP.EXE
-
Save the notepad file as fixlist.txt
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work. -
Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
-
Re-run FRST, press Scan button and attach here fresh FRST.txt logreport.
— — — — Next — — — —
Please download ListParts to your Desktop.
http://www.bleepingcomputer.com/download/listparts/dl/77/
Download ListParts64 to your Desktop.
http://www.bleepingcomputer.com/download/listparts/dl/78/
[*] Double click ListParts.exe to launch the program.
[*] Double click ListParts64.exe to launch the program.
[*] Press the Scan button.
[*] When finished scanning it will make a log Result.txt on your Desktop.
[*] Please post me the contents of the log.
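The fixlist above is assembled by hand: the helper copies the suspicious lines straight out of the FRST scan (tasks whose target is "No File", MountPoints2 autorun entries, an AppInit_DLLs entry with no vendor, hijacked SearchScopes, dead Chrome plugins) and adds bare paths for folders to delete. As an added example, not part of the original thread and not FRST's own code, the Python below applies those same triage rules to a constructed set of FRST-style lines modelled on the quoted entries and turns the hits into fixlist lines in the form FRST accepts. The rule names, the search-provider allowlist and the extra control lines (a benign avast Run entry, a Bing search scope, a folder-listing line) are my assumptions, not something the thread states.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample input (not a real log): FRST-style lines modelled on the
# entries the helper copied into the fixlist, plus constructed control lines:
# an avast Run entry and a Bing search scope that must not be flagged, the
# ComboFix task (removed by hand in the thread; the rules leave it alone) and
# a folder-listing line for the GUID-named folder the fixlist deletes.
SAMPLE_FRST = r"""
HKLM\...\Run: [avastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui (AVAST Software)
HKLM-x32\...\Run: [] [x]
MountPoints2: F - F:\LaunchU3.exe -a
MountPoints2: {f73630cf-a146-11de-9f7f-806e6f6e6963} - E:\autorun.exe
AppInit_DLLs-x32: c:\progra~3\browse~1\25976~1.107\{c16c1~1\mngr.dll [97280 2009-07-13] ()
SearchScopes: HKLM - {4E546D24-C8B3-480B-AAF7-00DB4D53052D} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {11111111-2222-3333-4444-555555555555} URL = http://www.bing.com/search?q={searchTerms}
CHR Plugin: (Babylon ToolBar) - C:\Users\Martin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.8_0\BabylonChromeToolBar.dll No File
Task: {09FA421B-81AC-4B64-AABD-C42714283F34} - System32\Tasks\{2456BDC1-49AB-45E7-99A2-EB75500AAA59} => C:\Setup.exe No File
Task: {94C9C1C4-C402-405C-ACA3-556C2B3D14BC} - System32\Tasks\{4BF0C189-1A50-41E4-AE4F-11C0A63AE58B} => C:\Users\Martin\Desktop\ComboFix.exe [2013-06-22] (Swearware)
2013-06-20 10:00 - 2013-06-20 10:00 - 00000000 ____D C:\Users\Martin\AppData\Local\{9219047f-a7c5-94f8-1b07-c2cef6850bfc}
"""

GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"

# Search providers a stock install legitimately registers (assumption).
SEARCH_ALLOWLIST = {"www.bing.com", "www.google.com"}
SEARCHSCOPE = re.compile(
    r"^SearchScopes: (?:HKLM|HKCU)(?:-x32)? - " + GUID + r" URL =\s*(?P<url>\S*)$", re.I)

RULES = [
    # Scheduled task whose target binary is gone: a dead launcher left behind
    # by an autorun-style installer (C:\Setup.exe, C:\start.exe in the thread).
    ("task-target-missing", re.compile(r"^Task: .* => .+ No File$")),
    # Run value with an empty name and no command ([x]): orphaned autostart.
    ("run-empty-entry", re.compile(r"^HKLM(?:-x32)?\\\.\.\.\\Run: \[\] \[x\]$")),
    # MountPoints2 runs an executable from a removable drive when the drive is
    # opened; no such entry needs to persist on a cleaned machine.
    ("mountpoints-autorun", re.compile(r"^MountPoints2: .+ - [A-Z]:\\.+\.exe", re.I)),
    # AppInit_DLLs is loaded into every GUI process; a trailing "()" means FRST
    # found no vendor/signature for the DLL.
    ("appinit-dll-no-vendor", re.compile(r"^AppInit_DLLs(?:-x32)?: .+ \(\)$")),
    # Browser plugin whose file no longer exists.
    ("chr-plugin-missing", re.compile(r"^CHR Plugin: \(.*\) - .+ No File$")),
    # GUID-named folder directly under AppData\Local or Windows\Installer. The
    # layout quoted in the fixlist ({GUID}\U, {GUID}\L, *.@ files) is the one
    # associated with the ZeroAccess/Sirefef rootkit.
    ("guid-folder", re.compile(
        r"____D (?:C:\\Users\\[^\\]+\\AppData\\Local|C:\\Windows\\Installer)\\" + GUID + r"$", re.I)),
]


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per FRST line that matches a triage rule, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SEARCHSCOPE.match(line)
        if m:
            url = m.group("url")
            if not url:
                findings.append({"rule": "searchscope-empty", "line": line})
            elif urlparse(url).hostname not in SEARCH_ALLOWLIST:
                findings.append({"rule": "searchscope-hijack", "line": line})
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append({"rule": name, "line": line})
                break
    return findings


def build_fixlist(findings: List[Dict[str, str]]) -> List[str]:
    """Turn findings into fixlist lines: FRST takes a registry/task/plugin line
    copied verbatim from its own scan, and a bare path for a folder to delete,
    which is exactly how the helper's fixlist above is built."""
    out: List[str] = []
    for f in findings:
        if f["rule"] == "guid-folder":
            out.append(f["line"].split("____D ", 1)[1])  # bare folder path
        else:
            out.append(f["line"])
    return out


if __name__ == "__main__":
    found = triage(SAMPLE_FRST)
    for f in found:
        print(f"{f['rule']:<22} {f['line'][:80]}")
    print("--- fixlist.txt ---")
    print("\n".join(build_fixlist(found)))
```

Run on the sample, the rules flag nine lines and leave the avast Run entry, the Bing scope and the ComboFix task untouched. That last one is the point of keeping a human in the loop: the helper removed the ComboFix task because ComboFix has no business being scheduled, a judgment no "No File" pattern captures. Treat the script as a first pass over a real FRST.txt, not as a substitute for reading it.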
Thanks so far. Here are the requested logs.
Multiple Antivirus Programs
You are running more than 1 Antivirus program!
AV: AVAST Software
AV: McAfee, Inc.
Running - more than one - antivirus program is not recommended because:
[*]They can conflict with each other.
[*]Report the other antivirus software as malicious.
[*]Antivirus programs use an enormous amount of the computer's resources… actively scanning your computer.
[*]Can cause your computer to become unstable…run slowly and even, in rare cases, BSOD crash…etc
I strongly suggest you uninstall one of them. Which one, is your decision.
Re-run AdwCleaner
[*] Click on [Delete]. Wait for the programme to complete its work.
The program will close all active programs. Click OK to confirm that.
On the next two windows that open ( Informations and Restart required ) click OK
[*] The computer will restart and open a notepad ( C:\AdwCleaner[S1].txt ) with the report.
[*] Save the notepad report on the Desktop
[*] Please attach here C:\AdwCleaner[S1].txt
Note: The report will also be stored on C:\AdwCleaner[S1].txt
======= NEXT ========
Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/
Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version so please be sure to read the disclaimer and note of it.
[*] Unzip MBAR into a folder on your Desktop.
[*] Open the folder where the contents were unzipped and run mbar.exe.
[*] Click on Next, then on the Update button to download fresh definitions.
[*] When the database has updated, click Next.
[*] In the following window ensure the “Targets” Drivers, Sectors and System are ticked. Then click the Scan button.
[*] If an infection is found, ensure “Create Restore Point” is checked, then select the Cleanup button to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be shown.
[*] The cleanup procedure will be scheduled.
[*] When complete, a pop-up will show. Select the Yes button and the system should reboot to complete the cleaning process.
Please attach the two following logs from the mbar folder:
system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.
THEN …
Go to the \Plugins folder and run fixdamage.exe; a black window will pop up. Follow the instructions in that black window …
How is your computer running now?
It’s working very well, and it’s faster than it has been in a long time. Thank you very much.
Ok, MBAR log is interesting. We need to run additional checking for rootkits:
Download TDSSKiller and save it to your desktop
Execute TDSSKiller.exe by double-clicking on it.
[*] Click on Change parameters.
[*] Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
[*]Click on Start Scan.
[*]If an infected file is detected, the default action will be Cure, click on Continue.
[*]If a suspicious file is detected, the default action will be Skip, click on Continue.
[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.
[*]Click the Report button and attach the contents of it into your next reply
Note: It will also create a log in the C:\ directory.
Here it is. Seemed to all be suspicious.
Please re-run TDSSKiller as before (with Change parameters) and use the Delete option for this entry:
\Device\Harddisk0\DR0 ( TDSS File System )
Reboot the computer and tell me how your computer is running now.
It’s running great, just as before, and the delete was successful and all.
It is necessary to uninstall ComboFix:
[*] Click Start, then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
[*] In the line of text type in (Copy) the following:
ComboFix /Uninstall
Note that there is a space between " ComboFix " and " /Uninstall " .
[*] then click OK (or press Enter ).
Wait for the uninstall process to complete.
Please download DelFix by “Xplode” to your Desktop.
Run the tool and check the following boxes below;
[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore
Now click on the “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt
I don't need the DelFix log report.
I recommend keeping Malwarebytes AntiMalware and using MCShield if you wish.
You may download MCShield from one of the following links:
MyCity - Official download link
Softpedija - Mirror download link
It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will also immediately clean the flash drive, memory card or external HDD.