iswizard05

You are malware free. The posted logs now appear clean and show no signs of active infection.

A good workman always cleans up after himself.
The following will implement some post-cleanup procedures:

It is necessary to uninstall ComboFix:

[*] Click Start (or the Vista Start button) then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

[*] In the text field, type (or copy) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

[*] Then click OK (or press Enter).

Wait until the uninstall process is complete.

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.


To help your AntiVirus protect your computer and to speed it up, I recommend that you download, install and keep the following free programs:

  1. Keep Malwarebytes Anti-Malware, update it regularly and run a Quick Scan weekly.
    Malwarebytes will detect and remove all traces of known malware. MBAM isn't an AntiVirus and can NOT replace one.

  2. Keep MCShield Anti-Malware; the tool is updated regularly and performs an automatic malware check on each attached USB memory device.
    MCShield has been designed as a lightweight scanner that's smart enough to catch even new worms and work in fully automatic removal mode.

  3. It's recommended to delete Temporary Files every once in a while. Run the tool, click on the Start button and TFC will begin to clean. Then restart the computer.
    Temp File Cleaner aka TFC by OldTimer
    TFC is a small & useful utility that cleans up temp files from all user profiles and system folders.

Thanks for all.

Also I would like to ask what I should do with the second hard drive. To connect it or not?

Feel free to connect the drive. If there is malware there, MCShield shall take care of it.

Hello magna86,

I wondered if you could help me as well, as I am having the same problem right now, that you dealt with here before.

Is it okay if I upload the scan results here?

Hi Macmachine,

Ok, post the logs here and I shall analyze them. :wink:

You may use “Attachments and other options” > Attach form

That's great, thank you in advance!

Hi Macmachine,

Both FRST & GMER show active malware. We shall use FRST to remove that.

First go to the link below for instructions on how to change your homepage in Chrome.
https://support.google.com/chrome/answer/95314?hl=en


FRST’s FixList


1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
C:\Program Files (x86)\Ask.com
C:\Users\Maximilian Ernst\AppData\Roaming\Mozilla\Firefox\Profiles\f4gaw2az.default\searchplugins\conduit-search.xml
C:\Users\Maximilian Ernst\AppData\Local\Temp\avgnt.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\fp_pl_pfs_installer-1.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\fp_pl_pfs_installer.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\LMkRstPt.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\mdi064.dll
C:\Users\Maximilian Ernst\AppData\Local\Temp\mdi164.dll
C:\Users\Maximilian Ernst\AppData\Local\Temp\mdi264.dll
C:\Users\Maximilian Ernst\AppData\Local\Temp\mdi364.dll
C:\Users\Maximilian Ernst\AppData\Local\Temp\nsc9216.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\nscC413.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\nsh16CF.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\nsh984F.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\nsm9561.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\nsmBCC1.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\nsmC0A8.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\Maximilian Ernst\AppData\Local\Temp\nvSCPAPI64.dll
C:\Users\Maximilian Ernst\AppData\Local\Temp\nvStInst.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\ose00000.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\Quarantine.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\sonarinst.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\uninst1.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\vpnclient_setup.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\_unps.exe
Task: {C34B3A48-118E-4035-9F02-B1B9DE7A832A} - \Scheduled Update for Ask Toolbar No Task File
Task: {FA063B54-665C-46D2-899D-364997F558EB} - \TubeSaver Update No Task File
HKLM-x32\...\Run: [] - [X]
HKU\S-1-5-21-3985303476-1737462718-3733698445-1000\...\Run: [tsiVideo] - C:\Windows\SysWOW64\rundll32.exe C:\Users\MAXIMI~1\AppData\Local\Temp\\mdi364.dll,runme <===== ATTENTION
HKU\S-1-5-21-3985303476-1737462718-3733698445-1000\...\MountPoints2: G - G:\setup.exe
HKU\S-1-5-21-3985303476-1737462718-3733698445-1000\...\MountPoints2: {08e68f04-9f6c-11e2-8a38-6cf0497cda39} - G:\Autorun.exe
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com/?ctid=CT3319402&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP59E635CE-B83F-45CA-89B4-8E0CBBC69D0B&SSPV=
URLSearchHook: HKCU - UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll No File
SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?ctid=CT3319402&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=2&UP=SP59E635CE-B83F-45CA-89B4-8E0CBBC69D0B&q={searchTerms}&SSPV=
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://search.conduit.com/Results.aspx?ctid=CT3319402&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=2&UP=SP59E635CE-B83F-45CA-89B4-8E0CBBC69D0B&q={searchTerms}&SSPV=
SearchScopes: HKCU - {68120EB9-E8FD-43CB-84C0-2B59B3142E11} URL = http://websearch.ask.com/redirect?client=ie&tb=AVR-4&o=APN10261&src=kw&q={searchTerms}&locale=de_DE&apn_ptnrs=^AGS&apn_dtid=^YYYYYY^YY^DE&apn_uid=b85241d5-a17a-4fa7-9613-0eea1fd7ee61&apn_sauid=3E8882C0-A864-4DE6-842E-E7DBDB460465
FF DefaultSearchEngine: Ask.com
FF SearchEngineOrder.1: Ask.com
FF SelectedSearchEngine: Conduit Search
FF Homepage: hxxp://search.conduit.com/?ctid=CT3319402&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=2&UP=SP59E635CE-B83F-45CA-89B4-8E0CBBC69D0B&SSPV=
FF SearchPlugin: C:\Users\Maximilian Ernst\AppData\Roaming\Mozilla\Firefox\Profiles\f4gaw2az.default\searchplugins\conduit-search.xml
S3 ALSysIO; \??\C:\Users\MAXIMI~1\AppData\Local\Temp\ALSysIO64.sys [X]
End

2. Save the notepad file as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.


Re-Scan


Re-run FRST, just click the Scan button and post me the freshly created FRST.txt log report.
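As an added illustration (my own code, not from this thread, from FRST or from its author), the following Python triage sorts FRST-style scan lines into the categories the fixlists in this topic target: a Run-key entry loading a DLL from the user's Temp folder through rundll32, MountPoints2 entries that launch setup/autorun from a drive letter, scheduled tasks whose task file is gone, drivers with a missing image, and unsigned processes running from Temp. The scan lines, the SID and the user name are constructed samples.

```python
import re

# Constructed FRST-style scan lines (sample input, not a real log) modelled on the
# entries the fixlists in this thread target. The SID and user name are placeholders.
SAMPLE_FRST_LINES = [
    r"HKU\S-1-5-21-0-0-0-1000\...\Run: [tsiVideo] - C:\Windows\SysWOW64\rundll32.exe C:\Users\EXAMPLE\AppData\Local\Temp\\mdi364.dll,runme",
    r"HKLM\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe",
    r"HKU\S-1-5-21-0-0-0-1000\...\MountPoints2: G - G:\setup.exe",
    r"HKU\S-1-5-21-0-0-0-1000\...\MountPoints2: {08e68f04-9f6c-11e2-8a38-6cf0497cda39} - G:\Autorun.exe",
    r"Task: {C34B3A48-118E-4035-9F02-B1B9DE7A832A} - \Scheduled Update for Ask Toolbar No Task File",
    r"S3 ALSysIO; \??\C:\Users\EXAMPLE\AppData\Local\Temp\ALSysIO64.sys [X]",
    r"U3 mfeavfk01; No ImagePath",
    r"() C:\Users\EXAMPLE\AppData\Local\Temp\iswizard05\dwm.exe",
    r"(Microsoft Corporation) C:\Windows\System32\dwm.exe",
]

# Anything loaded out of the user's Temp folder is the common thread in this topic.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
REMOVABLE_EXE = re.compile(r" - [A-Z]:\\[^\\]+\.exe$", re.IGNORECASE)
SERVICE_PREFIX = re.compile(r"^[SURT]\d ")  # FRST service/driver lines look like "S3 name; path"


def classify(line):
    """Return a short reason if an FRST scan line matches a pattern from this thread, else None."""
    if "\\Run: [" in line and TEMP_DIR.search(line):
        return "Run-key autostart loading from %TEMP% (rundll32 + Temp DLL)"
    if "\\MountPoints2:" in line and REMOVABLE_EXE.search(line):
        return "MountPoints2 entry pointing at setup/autorun on a drive letter"
    if line.startswith("Task:") and line.endswith("No Task File"):
        return "scheduled task whose task file is gone (orphaned updater)"
    if SERVICE_PREFIX.match(line) and (
        line.endswith("[X]") or line.endswith("No ImagePath") or TEMP_DIR.search(line)
    ):
        return "service/driver with missing image or image in %TEMP%"
    if line.startswith("() ") and TEMP_DIR.search(line):
        return "process with no publisher running from %TEMP%"
    return None


def triage(lines):
    """Return [(reason, line)] for every line that matches; clean lines are dropped."""
    return [(classify(l.rstrip()), l) for l in lines if classify(l.rstrip())]


def to_fixlist(hits):
    """Wrap the flagged scan lines in the Start/End block FRST expects, as the thread's fixlists do."""
    return "Start\n" + "\n".join(line for _, line in hits) + "\nEnd"


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_FRST_LINES):
        print(f"{reason}\n    {line}")
    print(to_fixlist(triage(SAMPLE_FRST_LINES)))
```

The generated Start/End block only mirrors the format seen in this thread; the helper here still reviews every line by hand before asking the user to run it.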

Hey, sorry for the late reply. Here are the attached files.


FRST’s FixList


1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Start
() C:\Users\Maximilian Ernst\AppData\Local\Temp\iswizard05\dwm.exe
C:\Users\Maximilian Ernst\AppData\Local\Temp\iswizard05
HKU\S-1-5-21-3985303476-1737462718-3733698445-1000\...\MountPoints2: G - G:\setup.exe
HKU\S-1-5-21-3985303476-1737462718-3733698445-1000\...\MountPoints2: {08e68f04-9f6c-11e2-8a38-6cf0497cda39} - G:\Autorun.exe
FF SelectedSearchEngine: Conduit Search
CMD: DEL %TEMP%\*.* /F /S /Q
End

2. Save the notepad file as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.


TFC


Please download TFC by OldTimer to your desktop

[*]Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Tell me, how are things running now?

Hey, from what I experienced in the few minutes since the restart I can say I feel like it has improved already.

For example, before this I always had these kinds of lags: when I didn't move my cursor for some minutes, it always had some delay when I moved it again. Now I think this delay is gone.

I had tried to get rid of this stuff for quite some time already… Thank you so much!

No problem. :wink:

I still need the latest FixLog.txt created by FRST after execution of Fix.

Copies of all logs you shall find at: C:\FRST\Logs

Post me the latest log.

Hi Magna86,

Great job you’re doing. Please help me out too, need to resolve this issue urgently! :cry: Logs are attached.

Regards,
Zeeshan

Hi zee_shah, where is the Addition.txt log?
Do not use USB devices while cleaning is in progress…


FRST’s FixList


1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
() C:\Users\ZAE14~1.SHA\AppData\Local\Temp\iswizard05\indexer.exe
C:\Users\ZAE14~1.SHA\AppData\Local\Temp\iswizard05
C:\Users\z.shahid\AppData\Local\Temp\*.dll
C:\Users\z.shahid\AppData\Local\Temp\*.exe
HKU\S-1-5-21-1769007229-1808773432-3389771191-1489\...\Run: [tsiVideo] - rundll32.exe C:\Users\ZAE14~1.SHA\AppData\Local\Temp\\mdi364.dll,runme <===== ATTENTION
HKU\S-1-5-21-1769007229-1808773432-3389771191-1489\...\MountPoints2: {74e0ac25-79b7-11e3-958f-463500000031} - E:\SISetup.exe
HKU\S-1-5-21-1769007229-1808773432-3389771191-1489\...\MountPoints2: {c19e0a5d-5e8a-11e3-bd06-426f2a798a6e} - E:\AutoRun.exe
DPF: {195538FD-1C39-44B1-A7C3-5D7137A8A8F1} C:\Users\ZAE14~1.SHA\AppData\Local\Temp\f5tmp\f5opswati.cab
DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} C:\Users\ZAE14~1.SHA\AppData\Local\Temp\f5tmp\urxvpn.cab
DPF: {30CF9713-6614-4556-B5F5-66F8C7F9DEF1} C:\Users\ZAE14~1.SHA\AppData\Local\Temp\f5tmp\f5opswati.cab
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} C:\Users\ZAE14~1.SHA\AppData\Local\Temp\f5tmp\f5tunsrv.cab
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} C:\Users\ZAE14~1.SHA\AppData\Local\Temp\IXP000.TMP\InstallerControl.cab#-1,-1,-1,-1
DPF: {49EC7987-E331-44E3-B170-748B58A268B9} C:\Users\ZAE14~1.SHA\AppData\Local\Temp\f5tmp\f5opswati.cab
DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} C:\Users\ZAE14~1.SHA\AppData\Local\Temp\f5tmp\f5InspectionHost.cab
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124}
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} C:\Users\ZAE14~1.SHA\AppData\Local\Temp\f5tmp\urxshost.cab
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} C:\Users\ZAE14~1.SHA\AppData\Local\Temp\f5tmp\urxhost.cab
DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} C:\Users\ZAE14~1.SHA\AppData\Local\Temp\f5tmp\f5syschk.cab
DPF: {EBDC91CB-F23F-477D-B152-3F7243760D04} C:\Users\ZAE14~1.SHA\AppData\Local\Temp\f5tmp\f5opswati.cab
U3 mfeavfk01; No ImagePath
End

2. Save the notepad file as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.


ComboFix scan …


  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this please read this or this instruction.

Instructions how to disable avast:

[*]Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.


  3. Run ComboFix. Click on I Agree!

    - ComboFix will display a DISCLAIMER of warranty on software. By clicking I Agree, ComboFix shall continue.
    - ComboFix will check if there is a newer version of ComboFix available. Click Yes if prompted to download.
    - If the Recovery Console is not installed, ComboFix will offer to download & install it. Click Yes to allow ComboFix to install the Recovery Console.
    - ComboFix will scan your computer in stages, a total of 50 stages. Do not mouse-click around while ComboFix is running.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart your computer.

  4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
    Attach the log report (ComboFix.txt) back to the topic.

Thanks for the response, addition.txt is attached.

I've run the first step; I need to uninstall the McAfee agent to be able to disable McAfee for the second step. Awaiting instructions for the uninstall from my IT administrator. Will perform the next step tonight and reply with the FixLog and the log by ComboFix. Great thanks for your help again!

Hi Magna86, both files are attached.

Upss…
My line of work here is volunteer based. It is not right for me to help you. Why should I share my acquired knowledge for free and clean your firm's computers?
Companies earn money thanks to these computers, and the IT Administrator gets a monthly salary in exchange for the maintenance of these computers.

I will stop monitoring this topic.

At first I was pissed but then I realised you’re absolutely right. The reason I’m here was that my own IT people thought that formatting is the only solution. Please feel free not to assist me any longer but please don’t stop monitoring this thread for other people that might need your help.

Cccc … What, are they IT administrators in your firm? Omg … these "IT" people should be ashamed. >:(

And Thank you zee_shah for your kind understanding. :wink:
Run DelFix to remove all the tools used here:

I'm doing this because I love it, and if your IT administrators are silly enough to perform a fresh Windows install just for this, then allow them to do so. ::slight_smile:
Let them work and earn a salary.

Cheers :wink:

PS: The OP above does not respond so … ;D

Thanks magna86. I’ll make sure to refer the IT guys to this thread for their continuing professional development! :smiley: