InfoMash - Need Help! Am deploying this Saturday and laptop was just infected!

Hello! My laptop was just infected while I was attempting to buy some last minute items online for my upcoming deployment to the sandbox.

I have Avast, AVG, Malwarebytes, Ad-Aware, Microsoft Security Essentials. So far, none of them have done the trick. I have researched for hours online w/o any success.

I rebooted and powered up in safe networking mode and attempted to find the registry ID issues but was unsuccessful.

I am not a computer / IT whiz but was hoping there was at least one on this board that would be willing to help me.

Thanks!

Chris

First, installing multiple AVs will make your computer slower, give mysterious Windows errors, and cause false positive detections.

So only install one antivirus… uninstall the rest, and then, to remove any leftover files that may conflict, run the removal tools for those you uninstalled and reboot.

You can find the tools here: http://singularlabs.com/uninstallers/security-software/

Then follow this guide and attach the logs (do not copy and paste): http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

When done, the removal specialists will be notified.

I believe I was able to successfully follow the instructions. I have attached: AdwCleaner, MBAM, OTL. *After running the OTL scan, I did not get two notepads/logs to pop up (the extra notepad didn't appear).

aswMBR to follow

Here is the aswMBR log.

Thank you for your help!

Did you uninstall and run the removal tools? I still see files from AVG and Ad-Aware.

Malware removers are notified… it may take some hours before one arrives, so be patient.

I also see you have IObit software… you may want to reconsider after reading this:

http://www.malwarebytes.org/forums/index.php?showtopic=29681
http://www.malwarebytes.org/forums/index.php?showtopic=30989
http://www.malwarebytes.org/forums/index.php?showtopic=33217

Thank you! I believe I have successfully removed all other virus protection/malware programs excluding:
Avast and any others that were necessary according to the instructions provided.

Thanks!!!

Let me know if this clears it… Also, are you having problems with Windows updates?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
FF - prefs.js..extensions.enabledAddons: nxqmmxkisb@nxqmmxkisb.org:2.5
[1832/11/29 00:30:07 | 000,004,804 | ---- | M] () (No name found) -- C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\sat85s91.default\extensions\nxqmmxkisb@nxqmmxkisb.org.xpi
O3 - HKU\S-1-5-21-1029831516-3325446949-3821875110-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
[2011/12/14 13:33:18 | 000,001,420 | -HS- | C] () -- C:\Users\Chris\AppData\Local\207852c7x280j712u053h5fiw4h1
[2011/12/14 13:33:18 | 000,001,420 | -HS- | C] () -- C:\ProgramData\207852c7x280j712u053h5fiw4h1
[2011/12/10 23:24:38 | 000,001,124 | -HS- | C] () -- C:\Users\Chris\AppData\Local\mdtffr1f6yca6adb3cpj6q021g7c
[2011/12/10 23:24:38 | 000,001,124 | -HS- | C] () -- C:\ProgramData\mdtffr1f6yca6adb3cpj6q021g7c
[2012/01/12 01:11:07 | 000,001,252 | -HS- | C] () -- C:\Users\Chris\AppData\Local\y728331v6ucxtdog2evi518n
[2012/01/12 01:11:07 | 000,001,252 | -HS- | C] () -- C:\ProgramData\y728331v6ucxtdog2evi518n

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Thank you essexboy for your help! It looks like the issue is not yet resolved.

I would imagine it didn’t have any impact…I accidentally clicked full scan and NOT the quick scan. The log is attached.

Oh - I almost forgot. To answer your question, I don’t feel like I have had any issues with Microsoft Updates. I just double checked and it stated “no important updates available.”

Whilst I look at the log, could you tell me exactly what the problem is?

Browser redirects, e.g. when attempting to purchase some gear to take with me, I will often get redirected (not all the time).

OK, let's try this, as I have found a little nasty pretending to be an HP file.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
[2012/09/22 08:29:57 | 000,466,944 | ---- | M] (Catalina Marketing Corporation) -- C:\Program Files (x86)\mozilla firefox\plugins\NPcol400.dll
O2:64bit: - BHO: (no name) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - No CLSID value found.
O2:64bit: - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (no name) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - No CLSID value found.
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O4 - HKCU..\Run: [Hewlett-Packard_Company] C:\Users\Chris\AppData\Local\Microsoft\Hewlett-Packard_Company\gulxp.dll ()

:Files
C:\USERS\CHRIS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\SAT85S91.DEFAULT\EXTENSIONS\NXQMMXKISB@NXQMMXKISB.ORG.XPI
C:\Users\Chris\AppData\Local\Microsoft\Hewlett-Packard_Company

:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
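The two fixes above single out three kinds of OTL log entries: BHO registrations with no CLSID value behind them, a Run key loading a DLL with no company name from under AppData, and hidden+system files dropped into ProgramData/AppData. The following is an added triage script (not code from the thread, OTL, or avast!) that parses lines in the OTL log format shown above and flags those patterns; the log lines it runs on are constructed to mirror the entry types in this thread, not the poster's real log.

```python
import re

# Constructed sample in OTL log format (not the poster's real log), covering
# the three entry types the fixes in this thread act on, plus benign controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - No CLSID value found.
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O4 - HKCU..\Run: [Hewlett-Packard_Company] C:\Users\Chris\AppData\Local\Microsoft\Hewlett-Packard_Company\gulxp.dll ()
O4 - HKLM..\Run: [avast] C:\Program Files (x86)\AVAST Software\Avast\avastUI.exe (AVAST Software)
[2011/12/14 13:33:18 | 000,001,420 | -HS- | C] () -- C:\ProgramData\207852c7x280j712u053h5fiw4h1
[2012/09/22 08:29:57 | 000,466,944 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
"""

# O2 lines: "O2[:64bit:] - BHO: (name) - {GUID} - <dll path (company) | No CLSID value found.>"
BHO_RE = re.compile(r"^O2(?::64bit:)? - BHO: .* - (\{[0-9A-Fa-f-]+\}) - (.*)$")
# O4 lines: "O4 - HIVE..\Run: [value name] <target path> (company)"; company may be empty
RUN_RE = re.compile(r"^O4 - (HK\w+)\.\.\\Run: \[(.+?)\] (.+?) \(([^()]*)\)$")
# File lines: "[date time | size | attrs | M/C] (company) -- path"; attrs like -HS- or ----
FILE_RE = re.compile(r"^\[[^|]+\| [\d,]+ \| (.{4}) \| [MC]\] \(([^()]*)\) -- (.+)$")
# Locations a legitimate autostart DLL or hidden system file rarely lives in
USER_DIRS = ("\\appdata\\", "\\programdata\\")

def triage(log_text):
    """Return (line, reason) pairs for OTL entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m and m.group(2).startswith("No CLSID value found"):
            findings.append((line, "orphaned BHO registration"))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, _name, target, company = m.groups()
            if not company and any(d in target.lower() for d in USER_DIRS):
                findings.append((line, f"{hive} Run entry loads file with no company name from user/program data"))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, _company, path = m.groups()
            if "H" in attrs and "S" in attrs and any(d in path.lower() for d in USER_DIRS):
                findings.append((line, "hidden+system file in user/program data"))
    return findings

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

Run against a real OTL log this only shortlists entries; whether an entry is actually malicious still needs the judgement the helpers in this thread apply.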

Completed! Thanks!

Please see attached.

I don’t know if I communicated this or not, but I mostly use IE. However, I do have IE, Firefox, and Chrome all downloaded on my laptop.

OK, can you do this for us please? ;D

Open your avast! chest [see the attached pics] and right click on the free space in the chest and click Add >> browse to C:\OTL_Moved >> select the gulxp.dll file >> click Open >> right click on the gulxp.dll file in the chest and click Send to virus lab >> fill in the form shown and click Submit >> manually update the definitions.

And now you have helped avast! protect its users ;D

Have the redirects ceased?