Infected

system · February 15, 2015, 10:45am

Need help… Have no idea with what or how but I believe I maybe infected with a virus. For the last couple of days I have been getting random pop up from avast about some file that wants to download asking me what I want to do and everytime I try to open IE11, I’m being asked if I want to open/save/or save as… I`m also getting the same pop ups when I try to troubleshoot using windows.

So far I have done a systems restore as well as downloaded Malwarebytes/FRST/aswmbr and the logs are attached…
From what I can see, there isn’t anything showing up so any help would be much appreciated.

Asyn · February 15, 2015, 10:50am

Can’t see them, try again.

system · February 15, 2015, 10:55am

Here are all the logs so far…

system · February 15, 2015, 11:09am

I still haven’t uploaded all the logs yet have I… ?

Asyn · February 15, 2015, 11:13am

Logs are complete, now you’ve to wait a bit…

system · February 15, 2015, 11:17am

Okay Asyn… thanks heaps

essexboy · February 15, 2015, 11:42am

Could you screenshot the popup for me please and attach that

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKU\S-1-5-21-2309721919-2532912108-3705383954-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION Toolbar: HKU\S-1-5-21-2309721919-2532912108-3705383954-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File CHR HKU\S-1-5-21-2309721919-2532912108-3705383954-1001\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path 2015-02-15 16:34 - 2015-02-15 16:34 - 00000000 _____ () C:\Users\white\Downloads\blank (1).wxkp5oj.partial 2015-02-15 16:33 - 2015-02-15 16:33 - 00000000 _____ () C:\Users\white\Downloads\blank.vb7jc8u.partial 2015-02-01 19:40 - 2015-02-01 19:40 - 00000000 __SHD () C:\Users\Administrator\AppData\Local\EmieUserList 2015-02-01 19:40 - 2015-02-01 19:40 - 00000000 __SHD () C:\Users\Administrator\AppData\Local\EmieSiteList 2015-02-01 19:40 - 2015-02-01 19:40 - 00000000 __SHD () C:\Users\Administrator\AppData\Local\EmieBrowserModeList EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

system · February 15, 2015, 12:28pm

I can’t post the log from avast because I can’t seem to find it in the logs but I have attached pics of what IE11 and windows troubleshooting looks like when opened… I have also downloaded the mentioned program and the log is also attached.

Many thanks btw for all your help

system · February 15, 2015, 12:30pm

Sorry here you go

essexboy · February 15, 2015, 12:37pm

OK lets now try this fix, let me know if the popup re-appears

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: 2015-02-15 16:55 - 2015-02-15 16:55 - 00330086 _____ () C:\Users\white\Downloads\en-au (4) (1).htm 2015-02-15 16:55 - 2015-02-15 16:55 - 00330086 _____ () C:\Users\white\Downloads\en-au (4) (1) (1).htm 2015-02-15 16:55 - 2015-02-15 16:55 - 00330086 _____ () C:\Users\white\Downloads\en-au (4) (1) (1) (1).htm 2015-02-15 16:54 - 2015-02-15 16:54 - 00330090 _____ () C:\Users\white\Downloads\en-au (3).htm 2015-02-15 16:54 - 2015-02-15 16:54 - 00330086 _____ () C:\Users\white\Downloads\en-au (4).htm 2015-02-15 16:53 - 2015-02-15 16:53 - 00330070 _____ () C:\Users\white\Downloads\en-au (2).htm 2015-02-15 16:52 - 2015-02-15 16:52 - 00330068 _____ () C:\Users\white\Downloads\en-au (1).htm 2015-02-15 16:37 - 2015-02-15 16:37 - 00329917 _____ () C:\Users\white\Downloads\en-au.htm EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

system · February 15, 2015, 1:35pm

Done but not sure if it has fixed everything because IE11 still looks the same when I try to open it

essexboy · February 15, 2015, 2:02pm

OK lets now reset IE

Go to Control Panel > Internet options > Advanced tab
At the bottom click reset
OK out and then open IE
Any change, if not I will get out my bigger hammer

system · February 15, 2015, 2:15pm

lol@ big hammer… walking out giggling and following ur instructions

system · February 15, 2015, 2:26pm

Nope still hasn`t worked

essexboy · February 15, 2015, 2:49pm

Hmm that is intriguing as it wants to save the pages rather than open them in IE

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

system · February 15, 2015, 2:53pm

Okay thanks for all ur help… Be back soon

system · February 15, 2015, 3:14pm

Here is the comboFix log…

essexboy · February 15, 2015, 3:48pm

Looks like the associations are messed

Using the link below download the reg fix to your desktop
Right click html_file_association_fix_win7.reg and select merge accept the warnings
Reboot and now try IE

https://dl.dropboxusercontent.com/u/73555776/html_file_association_fix_win7/html_file_association_fix_win7.reg

system · February 15, 2015, 3:53pm

I`m sorry, when I try to open the link it opens a text page I think and I don’t get an option to save to desktop…

system · February 15, 2015, 3:55pm

this is what the link looks like when I try to open it

Infected

Announcements