I'm at a loss...

Hello,

I’ve been reading and following the generic advice I could find here and on a couple of other reputable forums I’ve long been fond of, but I’m ready to throw this computer out the window at this point! Being in a hurry and not thinking, I clicked a link in a business email because we actually were expecting a FedEx delivery (I attribute whatever is going on to this as it began within a few seconds of clicking the link), and long story short, I apparently got a virus. I say apparently because all initial scans showed nothing and Avast let it through with no warning. I keep all of my definitions up to date, but as I’ve been reading, this little worm or whatever it may be is pretty nifty, it seems, and can get by most scanners.

Anyway, I did the usual:
Safe mode
Malwarebytes (showed no threats on full scan with all options ticked)
Then attempted to schedule a boot scan with Avast thinking it would then catch anything hiding

I get an error that there is a software restriction policy not allowing Avast to run. I Google and come up with a suggestion to run RogueKiller to kill any process or delete a registry key that would cause the issue. It found a couple of things and I allowed them to be deleted. I then tried again to run Avast and now get the error message about not being able to scan because there are no endpoints. I read some more and followed more advice and used the Avast uninstall tool - rebooted to safe mode, fresh install of latest Avast…and nothing. I’m still getting both errors, depending on how I try to run Avast (even tried a selective startup via msconfig with only Windows services and Avast-related items selected). I’ve Googled ’til my fingers are sore from typing and I’ve done everything (and then some) that I have ever used successfully in the past, to no avail. I downloaded the Farbar Recovery Scan Tool but I need help knowing what to add to be deleted. I used to use HijackThis to find suspicious stuff when all else failed, but when I look at the results now, due to some extra stuff I run, I no longer know exactly what to get rid of. I’d be forever grateful if someone could help me get my system back in good running order.

Thanks in advance :slight_smile:

Have you run Farbar? If so, attach the log, please! We will give you a file back to target the needed things.

Great! Thank you for the super fast reply! I just wanted to wait to attach it in case I was supposed to follow other instructions first. Here you go…

I see that you have run ComboFix; could you attach that log, please?

Avast should start after this fix

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software\Avast <====== ATTENTION
HKU\S-1-5-21-2000478354-1647877149-725345543-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
BHO: No Name -> {074C1DC5-9320-4A9A-947D-C042949C6216} -> No File
Toolbar: HKLM - No Name - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - No File
Toolbar: HKU\S-1-5-21-2000478354-1647877149-725345543-1003 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Toolbar: HKU\S-1-5-21-2000478354-1647877149-725345543-1003 -> No Name - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - No File
CustomCLSID: HKU\S-1-5-21-2000478354-1647877149-725345543-1003_Classes\CLSID\{0E55CBE1-B06A-49B6-AD8D-9EFAA0160C6F}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-2000478354-1647877149-725345543-1003_Classes\CLSID\{218D2740-5A50-42A8-AB9F-62FF1B168782}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-2000478354-1647877149-725345543-1003_Classes\CLSID\{320F0FDB-BE0A-4648-9D18-4A2C3448C007}\InprocServer32 -> No File Path
CustomCLSID: HKU\S-1-5-21-2000478354-1647877149-725345543-1003_Classes\CLSID\{DB25D157-76D4-41C1-97B5-359E4A4CECEB}\InprocServer32 -> No File Path
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that
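The "Group Policy restriction on software" lines in the fix above are Software Restriction Policy (SRP) path rules that malware drops to keep Avast and Malwarebytes from launching. The script below is an added example, not part of the thread and not FRST's own logic: it lists every "Disallowed" SRP path rule in HKLM and HKCU and flags the ones aimed at security tools, so you can see the same finding without waiting for a fixlist. It assumes the standard SRP registry layout under Safer\CodeIdentifiers (security level 0 is Disallowed; each rule is a GUID subkey whose ItemData value is the blocked path), PowerShell 2.0 or later (available on XP SP3 and up), and an assumed, extendable list of tool directory names to watch for.

```powershell
# Added example, not from the original thread: audit SRP "Disallowed" path rules.
# Assumption: standard layout HK??\SOFTWARE\Policies\Microsoft\Windows\Safer\
#   CodeIdentifiers\0\Paths\{GUID}, where level 0 == Disallowed and the
#   ItemData value of each GUID subkey holds the blocked path.
# Assumption: the $Watch list is illustrative; add any tool directory you rely on.

$Watch = @('AVAST Software', 'Malwarebytes', 'FRST', 'ComboFix', 'AdwCleaner')

function Get-SrpDisallowRule {
    foreach ($hive in 'HKLM', 'HKCU') {
        $paths = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths"
        if (-not (Test-Path $paths)) { continue }          # no disallow rules in this hive
        foreach ($key in Get-ChildItem $paths) {
            $rule   = Get-ItemProperty $key.PSPath
            # ItemData may contain %ProgramFiles%-style variables; expand for matching.
            $target = [Environment]::ExpandEnvironmentVariables([string]$rule.ItemData)
            $hits   = @($Watch | Where-Object { $target -like "*$_*" })
            New-Object PSObject -Property @{
                Hive       = $hive
                RuleKey    = $key.PSPath
                Target     = $target
                Suspicious = ($hits.Count -gt 0)
            }
        }
    }
}

# Report every rule, suspicious or not, so legitimate admin-set rules are visible.
$rules = @(Get-SrpDisallowRule)
$rules | Format-Table Hive, Suspicious, Target -AutoSize

# Remove only the rules that block security tools. -WhatIf shows what would be
# deleted; drop it once you have reviewed the table, then log off and on again
# (or reboot) so the policy is re-read.
foreach ($r in ($rules | Where-Object { $_.Suspicious })) {
    Remove-Item $r.RuleKey -Recurse -WhatIf
}
```

A machine with no SRP configured at all prints an empty table, which is the normal state on a home PC; any rule whose Target is an antivirus or cleanup tool directory is almost certainly not something an administrator created. Run the script from an elevated PowerShell (or as the XP administrator account), since the HKLM rules cannot be removed otherwise.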

Attaching ComboFix log now and then proceeding with your instructions. Stand by…

Yay!!! Okay, so far at least, Avast is running and computer seems a little less quirky. I’ve only run a basic startup scan and it came back clear. Okay to go ahead and run an in-depth scan or should I complete something else prior?

You guys are awesome, by the way - I honestly didn’t expect help so quickly :slight_smile:

If you could attach the fix log so that I can check the removals were all done

Do you have any other problems ?

Oops, missed that, huh? Here you go. So far, so good…

A few pieces seen in the ComboFix log to clear, and after this you should be good to go.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
c:\documents and settings\Jodi Clark\Local Settings\Application Data\Orics
c:\documents and settings\Jodi Clark\Local Settings\Application Data\ejyho

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

1. Close all open programs and internet browsers.
2. Double click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete click on “Clean”.
5. Confirm each time with Ok.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S0].txt as well.

Okay, I’m back. Ran Farbar again. Attached is new Fixlog, as well as most recent AdwCleaner log (I had already run it a few times in the last day or two before finally asking for help). Everything is running pretty smoothly now…except for the fact that anything I right click on attempts to install Acrobat 8! What??? :confused:

Could you try the MS Fix it on this page first, please: https://support.microsoft.com/en-gb/kb/290301

I’m so sorry to just now be getting back to this, but I had a bit of an emergency that I had to handle over the weekend and into Monday and this is the first chance I’ve had to get back on here. I just came back to work this morning and checked the status of an in-depth full system scan I had let Avast run. It finally picked up the two .DLLs that I suspected and had renamed so I could find them if nothing else did. It also found the email attachment that started it all (from the bogus FedEx email). I had it move all three items to the chest and then set up a full boot scan and it came up clean. Everything is running great now. Incidentally, the right click thing is no longer happening since the bad files were quarantined. I had attempted to get the FixIt from Microsoft the other day when all this first started, but I could only find support for Vista and newer since XP is no longer being supported. Anyway, thank you so much for being patient and kind in your responses and with your time in walking me through fixing this :slight_smile:

It was my pleasure. If you haven’t already done so, this will remove the various tools.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove Combofix

Click Start then Run.
On Windows 7 or Vista you may use the Start Search field if Run is not available.
In the box copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

Then click OK (or press Enter ).
Wait for the uninstall process to complete.

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

To mitigate any bundled software

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right click on Unchecky_setup and choose Run as Administrator.
Once open, click the Install button.
Then click on Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme :wink:

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

Everything seems to be back in good shape after running it since yesterday afternoon. I’ve got Avast updated (again) and set to auto update. I’ve used it and Malwarebytes for suspicious stuff for the past few years and found the combination to be quite awesome and not too terribly greedy with memory. Is the built-in Windows firewall still considered sufficient, or should I look at something else? As long as you don’t suggest something different, you can mark this issue closed, and again, thank you :slight_smile: