Infection blocked Constant messages.

essexboy · 2015-07-26T13:17:52.000Z

OK could I have a fresh FRST scan please so that I can be sure the malware has gone

system · 2015-07-26T13:32:14.000Z

Still getting pop-ups

Attached screenshot of pop-up and new Scan.

essexboy · 2015-07-26T14:34:01.000Z

OK the only thing I can think of at the moment is that an MBR type rootkit is re-installing after I am removing it

So I will check that out. Are you downloading anything after running the FRST fix ?

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects , then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

system · 2015-07-26T15:24:21.000Z

Nothing found but a pop up came up while it was scanning. - Probably best thing for me is to back-up and rebuild.

Extremely greatful for your help. If you were really in Essex I’d buy a pint!

Bests

Joaquin

essexboy · 2015-07-26T15:59:47.000Z

Do you have anything on your system that is protecting the registry as that is where the malware is hiding

system · 2015-07-26T20:21:18.000Z

Sorry for the delay. I checked the services and Windows Defender was active so I switched it off, ran Adwcleaner followed by Combofix and after the reboots no more pop ups. All going well for a number of hours.

Thanks

Joaquin

essexboy · 2015-07-26T21:02:03.000Z

Could you post the combofix log please and a fresh FRST

system · 2015-07-27T16:25:44.000Z

Sorry for the delay. Will post this evening when I get home.

Regards

Joaquin

system · 2015-07-27T22:04:23.000Z

I guess I shouted victory prematurely. Last night no pop ups appeared, but this evening they are back in force.

Attached the requested files.

Regards

Joaquin

essexboy · 2015-07-28T14:13:14.000Z

This malware is normally monitored by a blank run key which is not showing in your logs. I wonder if they have now changed the monitor file.

Could you attach the combofix log as that should show any hidden entries

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: HKLM-x32\...\Run: [WinampAgent] => "C:\Program Files (x86)\Winamp\winampa.exe" HKLM-x32\...\Run: [**7963cd85<*>] => mshta javascript:WxBVRTj8="uA9IbaM";By8=new%20ActiveXObject("WScript.Shell");uFAG7tSc="q";Xp9rl=By8.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");PvrlG9gl="ibKw";eval(Xp9rl);ZQiPL1Nj7=" (the data entry has 3 more characters). <===== ATTENTION (Value Name with invalid characters) Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation) HKLM\...\Policies\Explorer\Run: [**aefe7890<*>] => mshta javascript:UxeT5lmg="jmSAvJRzh";Y0Z3=new%20ActiveXObject("WScript.Shell");gNq4NQ5BS="b7s0";y8tY6J=Y0Z3.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");o8L2EIQxFQ="eny9";eval(y8tY6J) (the data entry has 22 more characters). <===== ATTENTION (Value Name with invalid characters) HKU\S-1-5-21-1306190550-1966074902-702322317-1000\...\Run: [**7963cd85<*>] => mshta javascript:IZZV6c3B="iVQKNdj6Kx";oU6=new%20ActiveXObject("WScript.Shell");m7OBrFG="yABojYeU";UvI7n=oU6.RegRead("HKCU\\software\\3ba89a97d2\\7d1deee2");imRn88mkR="nGnZ5Wx";eval(UvI7n);b1TtfvD="qe (the data entry has 8 more characters). <===== ATTENTION (Value Name with invalid characters) HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION HKU\S-1-5-21-1306190550-1966074902-702322317-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION U3 a16ip6jg; C:\Windows\System32\Drivers\a16ip6jg.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder) 2015-07-27 20:54 - 2015-07-27 20:58 - 00000000 ____D C:\Users\ideoplastic\AppData\OICE_15_974FA576_32C1D314_2688 2015-07-27 20:54 - 2015-07-27 20:54 - 00000000 ____D C:\Users\ideoplastic\AppData\OICE_15_974FA576_32C1D314_3418 2015-07-26 09:22 - 2015-07-26 09:22 - 00685200 _____ () C:\Users\ideoplastic\Downloads\setup.exe Task: {6D0F3D86-B01F-4AA2-9771-0552DF52FA5C} - System32\Tasks\Amazon Music Helper => C:\Users\ideoplastic\AppData\Local\Amazon Music\Amazon Music Helper.exe [2015-07-21] () C:\Windows\System32\Drivers\a16ip6jg.sys DeleteKey: HKCU\software\3ba89a97d2 DeleteKey: HKLM\\software\Wow6432Node\3ba89a97d2 RemoveProxy: EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

system · 2015-07-28T19:04:42.000Z

Thanks.

Combofix refuses to create a log and the Fix’s logs also attached.

Regards

No pop-ups so far since turning on PC 1:15 minutes ago.!

essexboy · 2015-07-28T19:22:19.000Z

Could you attach the fixlog as that is the previous scan that you have attached

system · 2015-07-28T20:20:49.000Z

Sorry about that.

essexboy · 2015-07-28T20:27:45.000Z

Well that states that it removed it successfully, so lets see if it has had the grace to give up now

system · 2015-07-28T20:32:44.000Z

So far so good. Much obliged for all your hard work.

Regards

essexboy · 2015-07-29T14:01:13.000Z

The one difference I did this time was to remove the amazon music start entry … I wonder if it was related to that

system · 2015-07-29T16:51:10.000Z

I suppose it could be…worth mentioning it to Amazon?

All well so far.

Kind regards

Joaquin

essexboy · 2015-07-29T17:21:49.000Z

Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove Combofix

Click Start then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
In the box copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

Then click OK (or press Enter ).
Wait for the uninstall process to complete.

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe

system · 2015-07-29T17:36:52.000Z

Removed Java & ComboFix - Installed Malwarebytes & Unchecky.

What can I say… First class support! 8) Thanks

Regards

Joaquin

essexboy · 2015-07-29T17:51:05.000Z

My pleasure, keep safe

Announcements