HTML:Includer-CI [Trj]

This computer seems to have a lot of infections going on (the most recent popup is the one in the subject), and I’ve run several virus-scanning programs. I’ve attached the logs that I could gather based on the “Logs to assist in cleaning malware” thread, but when I run aswMBR.exe, the program runs for a few minutes and then dies. I’ve attached a screenshot of that program’s error as well.

Thanks for your help.

A bit of overkill on the antiviruses here:

AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Ad-Aware Antivirus (Disabled - Out of date) {D87B6541-12A1-DAEA-0033-9B8057AAB996}
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Ad-Aware Antivirus (Disabled - Out of date) {631A84A5-349B-D564-3A83-A0F22C2DF32B}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
You will need to uninstall all bar one of them.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-1631263659-2879179527-1311941438-1000\...A8F59079A8D5}\localserver32: <==== ATTENTION!
BootExecute: autocheck autochk * es??ss???<?xml version=1.0?>
URLSearchHook: HKU\S-1-5-21-1631263659-2879179527-1311941438-1000 - Default Value = {c111c814-fd58-0a04-3924-998b53830e29}
URLSearchHook: HKU\S-1-5-21-1631263659-2879179527-1311941438-1001 - Default Value = {c111c814-fd58-0a04-3924-998b53830e29}
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1631263659-2879179527-1311941438-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1631263659-2879179527-1311941438-1000 -> {36377DD7-B3EB-42f5-986F-680BAF59BA9D} URL = http://start.iplay.com/searchresults.aspx?o=chrome&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1631263659-2879179527-1311941438-1000 -> {A531D99C-5A22-449b-83DA-872725C6D0ED} URL = http://search.alot.com/web?q={searchTerms}&pr=prov&client_id=C636FBD001CD3D0700253063&install_time=2012-05-28T19:26:32Z&src_id=30504&camp_id=3906&tb_version=1.2.2000.2(B)
SearchScopes: HKU\S-1-5-21-1631263659-2879179527-1311941438-1001 -> {36377DD7-B3EB-42f5-986F-680BAF59BA9D} URL = http://start.iplay.com/searchresults.aspx?o=chrome&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1631263659-2879179527-1311941438-1001 -> {A531D99C-5A22-449b-83DA-872725C6D0ED} URL = http://search.alot.com/web?q={searchTerms}&pr=prov&client_id=C636FBD001CD3D0700253063&install_time=2012-05-28T19:26:32Z&src_id=30504&camp_id=3906&tb_version=1.2.2000.2(B)
BHO: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> No File
BHO-x32: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> No File
BHO-x32: No Name -> {9194649F-7143-4308-90C1-D6A35B0E354E} -> No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - No File
2014-11-14 23:25 - 2014-11-14 23:25 - 00000000 ____D () C:\ProgramData\boost_interprocess
2014-11-14 23:24 - 2014-11-14 23:24 - 00000000 ____D () C:\ProgramData\Anvisoft
2014-11-14 23:24 - 2014-08-20 00:52 - 00048656 _____ (Anvisoft) C:\Windows\system32\Drivers\asd2fsm.sys
2014-10-29 03:03 - 2014-10-31 19:06 - 00000000 ____D () C:\ProgramData\BopzaJtare
2014-10-29 03:03 - 2014-10-31 19:05 - 00000000 ____D () C:\ProgramData\KujesVodiq
CustomCLSID: HKU\S-1-5-21-1631263659-2879179527-1311941438-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> No File Path
Task: {FBEC707B-8F25-4F08-BB9A-C16A490CB608} - System32\Tasks\{F0FF9C88-BE0E-879C-F0DB-1BAF8AE85751} => C:\Windows\system32\gkqtfvq.dll/s "C:\Windows\system32\gkqtfvq.dll" C:\Windows\system32\gkqtfvq.dll
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on “Clean”.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

FINALLY

Download and run Farbar Service Scanner.

https://dl.dropboxusercontent.com/u/73555776/fssscan.JPG

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Thank you.
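As an added example (not from the thread, and not code from FRST, AdwCleaner or FSS), the PowerShell script below is a read-only check of the persistence locations the posted fixlist touches: the Session Manager BootExecute value, the Internet Explorer policy keys, the per-user URLSearchHook and SearchScopes entries, per-user CLSID registrations, Browser Helper Objects whose COM server is gone ("No File" in the log), and scheduled tasks whose action points at a DLL or a missing file. The two user SIDs are the ones in the log; the function names, the regular expression and the exact checks are assumptions of this example, and it reports rather than removes anything, so it can be run before and after a fix to confirm what changed.

```powershell
# Added example, not part of the thread or of any of the tools named in it.
# Read-only: every check appends a line to a list; nothing is deleted.
# Run from an elevated PowerShell prompt. The SIDs below are those in the
# posted FRST log; replace them on another machine.
$UserSids = @(
    'S-1-5-21-1631263659-2879179527-1311941438-1000',
    'S-1-5-21-1631263659-2879179527-1311941438-1001'
)

# Expand %VARS%, pull the first path-like token out of a command line and
# test whether that file exists. Paths without a drive letter are reported
# as missing, so verify those by hand (hypothetical helper).
function Test-CommandFile {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    $m = [regex]::Match($expanded,
        '^\s*"?([A-Za-z]:\\[^"]+?\.(exe|dll|sys|cmd|bat|scr))', 'IgnoreCase')
    if (-not $m.Success) { return $false }
    return (Test-Path -LiteralPath $m.Groups[1].Value)
}

# Resolve a CLSID to its server under a given Classes root (hypothetical helper).
function Get-ComServerPath {
    param([string]$ClassesRoot, [string]$Clsid)
    foreach ($srv in 'InprocServer32', 'LocalServer32') {
        $key = "$ClassesRoot\CLSID\$Clsid\$srv"
        if (Test-Path -LiteralPath $key) {
            return (Get-Item -LiteralPath $key).GetValue('')
        }
    }
    return $null
}

function Get-PersistenceFindings {
    $f = New-Object System.Collections.Generic.List[string]

    # 1. BootExecute lists native images that smss.exe runs before the Win32
    #    subsystem exists. The clean default is the single entry below.
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $boot = @($sm.BootExecute)
    if ($boot.Count -ne 1 -or $boot[0] -ne 'autocheck autochk *') {
        $f.Add('BootExecute not default: ' + ($boot -join ' | '))
    }

    # 2. IE policy keys are used to lock the settings a hijacker changed.
    $policyKeys = @('HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer') +
        ($UserSids | ForEach-Object { "Registry::HKEY_USERS\$_\SOFTWARE\Policies\Microsoft\Internet Explorer" })
    foreach ($pol in $policyKeys) {
        if (Test-Path -LiteralPath $pol) { $f.Add("IE policy restriction present: $pol") }
    }

    # 3. Per-user search hook, search scopes and COM overrides. A per-user
    #    CLSID registration shadows the HKLM one for non-elevated processes.
    foreach ($sid in $UserSids) {
        $ie = "Registry::HKEY_USERS\$sid\Software\Microsoft\Internet Explorer"
        if (Test-Path -LiteralPath "$ie\URLSearchHooks") {
            $hook = (Get-Item -LiteralPath "$ie\URLSearchHooks").GetValue('')
            if ($hook) { $f.Add("URLSearchHook default for ${sid}: $hook") }
        }
        if (Test-Path -LiteralPath "$ie\SearchScopes") {
            Get-ChildItem -LiteralPath "$ie\SearchScopes" | ForEach-Object {
                $url = $_.GetValue('URL')
                if ($url) { $f.Add("SearchScope $($_.PSChildName) for ${sid}: $url") }
            }
        }
        $classes = "Registry::HKEY_USERS\${sid}_Classes"
        if (Test-Path -LiteralPath "$classes\CLSID") {
            Get-ChildItem -LiteralPath "$classes\CLSID" | ForEach-Object {
                $srv = Get-ComServerPath $classes $_.PSChildName
                if ($srv -and -not (Test-CommandFile $srv)) {
                    $f.Add("Per-user CLSID $($_.PSChildName) -> missing file: $srv")
                }
            }
        }
    }

    # 4. BHOs (64-bit and 32-bit views) whose COM server no longer exists.
    $bhoRoots = @{
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' = 'HKLM:\SOFTWARE\Classes'
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' = 'HKLM:\SOFTWARE\Wow6432Node\Classes'
    }
    foreach ($bho in $bhoRoots.Keys) {
        if (-not (Test-Path -LiteralPath $bho)) { continue }
        Get-ChildItem -LiteralPath $bho | ForEach-Object {
            $srv = Get-ComServerPath $bhoRoots[$bho] $_.PSChildName
            if (-not $srv -or -not (Test-CommandFile $srv)) {
                $f.Add("BHO $($_.PSChildName) -> No File ($srv)")
            }
        }
    }

    # 5. Scheduled tasks: parse the XML under System32\Tasks directly (works on
    #    Windows 7, which has no Get-ScheduledTask) and flag Exec actions whose
    #    command is a DLL or points at a file that does not exist.
    Get-ChildItem "$env:SystemRoot\System32\Tasks" -Recurse |
        Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            $xml = New-Object System.Xml.XmlDocument
            try { $xml.Load($_.FullName) } catch { return }
            foreach ($exec in @($xml.Task.Actions.Exec)) {
                $cmd = [string]$exec.Command
                if (-not $cmd) { continue }
                if ($cmd -match '\.dll\b' -or -not (Test-CommandFile $cmd)) {
                    $f.Add("Task $($_.FullName.Substring($env:SystemRoot.Length)) runs: $cmd $($exec.Arguments)")
                }
            }
        }
    return $f
}

Get-PersistenceFindings
```

Run once before applying a fixlist and once after; the difference between the two outputs is the list of persistence points the fix actually removed. Expect some legitimate entries in the SearchScopes and task output (a user-added search provider, a vendor updater task), which is why the script reports rather than deletes.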

I’ve run through the steps you’ve outlined. Attached are the requested logs.

Oddly enough, now if I try to go to a folder, I get a popup message saying No Such Interface Supported (See attached). I can navigate to folders when going through a Open or Save dialog box, just not if I try to go to Computer, Libraries or any folder on the desktop.

That is a very fake message. The title bar text is off, and in VB design mode, the vbCritical icon (the X in the circle) and the text are on the same line.

Have you uninstalled 4 out of your 5 antiviruses?

I had not yet uninstalled the other antivirus software. Unfortunately, I can’t get to the Control Panel now because doing so will throw either the explorer.exe error message or the one attached followed by the explorer.exe message.

Give the removal tools a try:
http://www.ache.nl/index.php?location=mal-01

Thanks. Doing this now.

At this point, Avast is the only antivirus software installed on the machine. I am still getting the explorer-related error messages.

I was able to resolve the Explorer errors by running SFC /Scannow

It looks like everything is resolved at this point.

Thank you everyone for your help.

Keep a good eye (not your bad one ;D ) on the system for the next 2 weeks or so.
If anything comes up, let us know.