system
April 30, 2016, 5:07pm
1
Hi.
I got infected with malware after installing this toolkit for Microsoft Office 2010 Professional Plus.
I read the article on https://forum.avast.com/index.php?topic=53253.0 and decided to create this topic to get some help on how to remove this thing.
The logs are attached. The last program mentioned on the forum (aswmbr) didn’t finish the scan, so I couldn’t attach its log.
Hope to get some help soon!
What problems are you experiencing?
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2016-04-04]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.309\SSScheduler.exe (McAfee, Inc.)
HKU\S-1-5-21-2482332098-1381596929-129475100-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.baixaki.com.br/portal/?utm_source=sol&utm_medium=ppi&utm_campaign=portal
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.309\McCHSvc.exe [293128 2016-03-11] (McAfee, Inc.)
S3 PCFApiUtil; \??\C:\Program Files (x86)\Baidu Security\PC Faster\4.0.0.0\PCFApiUtil64.sys [X]
2016-04-26 15:30 - 2016-04-30 17:15 - 00000000 ____D C:\Program Files (x86)\7F63EB81-1461677417-11E0-B5EF-031FE8F987FB
2016-04-24 13:15 - 2016-04-24 13:15 - 00003180 _____ C:\Windows\System32\Tasks\{4FAB1261-14FB-45D5-A07F-ED862BE5A5D5}
2016-04-24 13:15 - 2016-04-24 13:15 - 00003180 _____ C:\Windows\System32\Tasks\{3FACE8DC-1AEF-438A-8099-530674F773B4}
2016-04-04 18:27 - 2016-04-04 18:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus
2016-04-30 17:15 - 2014-11-14 01:21 - 00000000 ____D C:\Users\Todos os Usuários\APN
2016-04-30 17:15 - 2014-11-14 01:21 - 00000000 ____D C:\ProgramData\APN
C:\Users\User\AppData\Local\Temp\_MEI28642
C:\Program Files\McAfee Security Scan
C:\Program Files (x86)\Baidu Security
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
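As an added example (not from the thread, and not FRST's own code): a small Python parser that turns a fixlist like the one above into structured entries, so the files, services and registry changes a fix will make can be reviewed before pressing Fix. The line layouts are my reading of the posted list (created and modified dates, size, attribute flags with D for a directory; a trailing [X] on a service line meaning the binary was not found) and are assumptions, not taken from FRST documentation.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the fixlist posted in the thread above.
FIXLIST = r"""CreateRestorePoint:
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2016-04-04]
S3 PCFApiUtil; \??\C:\Program Files (x86)\Baidu Security\PC Faster\4.0.0.0\PCFApiUtil64.sys [X]
2016-04-26 15:30 - 2016-04-30 17:15 - 00000000 ____D C:\Program Files (x86)\7F63EB81-1461677417-11E0-B5EF-031FE8F987FB
2016-04-24 13:15 - 2016-04-24 13:15 - 00003180 _____ C:\Windows\System32\Tasks\{4FAB1261-14FB-45D5-A07F-ED862BE5A5D5}
C:\Program Files (x86)\Baidu Security
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
"""

# Assumed FRST file/folder layout: created - modified - size attributes path ("D" in attributes = directory)
FILE_RE = re.compile(r"^(\S+ \S+) - (\S+ \S+) - (\d{8}) ([_A-Z]{5}) (.+)$")
# Assumed FRST service/driver layout: "<state><start type> Name; path [size date] (publisher)"; "[X]" = file not found
SVC_RE = re.compile(r"^([RS]\d) ([^;]+); (.+)$")
DIRECTIVES = {"CreateRestorePoint:", "RemoveProxy:", "EmptyTemp:"}

@dataclass
class Entry:
    kind: str      # directive | file | dir | service | startup | reg | cmd | path | unknown
    target: str    # what the fix acts on (path, service name, command, ...)
    note: str = ""

def parse_line(line: str) -> Entry:
    line = line.strip()
    if line in DIRECTIVES:
        return Entry("directive", line)
    if m := FILE_RE.match(line):
        kind = "dir" if "D" in m.group(4) else "file"
        return Entry(kind, m.group(5), f"modified {m.group(2)}, attrs {m.group(4)}")
    if m := SVC_RE.match(line):
        return Entry("service", m.group(2), "binary missing" if m.group(3).endswith("[X]") else "")
    for prefix, kind in (("Startup: ", "startup"), ("Reg: ", "reg"), ("CMD: ", "cmd")):
        if line.startswith(prefix):
            return Entry(kind, line[len(prefix):])
    if re.match(r"^[A-Za-z]:\\", line):
        return Entry("path", line)
    return Entry("unknown", line)

def parse_fixlist(text: str) -> list[Entry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def deletion_targets(entries: list[Entry]) -> list[str]:
    """Paths the fix removes outright: listed files/dirs plus bare path lines."""
    return [e.target for e in entries if e.kind in ("file", "dir", "path")]
```

Running `deletion_targets(parse_fixlist(FIXLIST))` lists the three paths the sample fix would delete; anything classified as "unknown" is a line worth reading twice before running the fix.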
system
April 30, 2016, 10:13pm
3
Hi essexbox.
The PC is very slow, it’s not restarting properly and there are more than 300 infected files in quarantine. In the beginning there were lots of pop-up windows, which I tried to remove by going to msconfig and searching for strange programs. I thought it had worked, but apparently it didn’t.
Before doing what you suggested I decided to post the Scan Log, because just now I saw that I posted the wrong file.
Thanks, and I hope to hear from you soon!
Pondus
April 30, 2016, 10:28pm
4
The PC is very slow, it's not restarting properly and there are more than 300 infected files in quarantine
Most of them are PUPs, and a PUP is not an infection. PUP = Possibly Unwanted Program, crapware that comes bundled with freeware downloads.
Essexboy will be back online tomorrow…
Great Pondus.
Now the logs for essexboy.
Thank you very much for the help.
How is the computer behaving now?
So far so good!
I’ll keep trying it and tell you if something happens.
Thanks a lot!
Let me know when you are happy and I will tidy up.