Malware fix

I followed the steps found in this forum and here are my logs attached. The specific issue I have is a website opening a tab in Chrome, “tofushopnews.com”.
Any help in removing this is appreciated. If I missed a step please let me know. I missed getting the log from the first step and I messed up saving the MBR.dat file.
Thank you!

Hey and welcome to the forum.

Please also attach the log from AdwCleaner from this guide:

http://forum.avast.com/index.php?topic=53253.0

it will remove unwanted crap from your browser and unwanted toolbars.

I neglected to save the log the first time I ran AdwCleaner. Attached is the log from the second time I ran it.

Monitoring

Hi beasut and welcome to avast.

  1. Please attach the AdwCleaner[S1].txt log report created by AdwCleaner.

  2. Please download TDSSKiller and save it to your desktop.

    Execute TDSSKiller.exe by double-clicking on it.

    - Press Start Scan.
    - If a suspicious object is detected, the default action will be Skip; click on Continue.
    - If malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

I ran TDSSKiller and it found no threats; I attached the report.

As for AdwCleaner[S1].txt I did not save the original log. Please let me know how to find it, if possible?

Thanks.

I found it!

OK, I want a deeper check with TDSSKiller:

- Re-run TDSSKiller.exe and click on Change parameters.
- Under Additional options, check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click on Start Scan.
- If an infected file is detected, the default action will be Cure; click on Continue.
- If a suspicious file is detected, the default action will be Skip; click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- Click the Report button and attach its contents in your next reply.

Note: It will also create a log in the C:\ directory.

========== next ===========

Re-run OTL.exe.

- Copy and paste the following text, written inside the quote box, into the Custom Scans/Fixes box.

:OTL
IE - HKU\S-1-5-21-3615912540-3620889053-1036141767-1000\..\SearchScopes\{0ECB939F-9C36-42B5-8098-4F2019BB1F89}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3298566&CUI=UN13547950111318718&UM=2
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3 - HKU\S-1-5-21-3615912540-3620889053-1036141767-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.

:COMMANDS
[CREATERESTOREPOINT]
[emptytemp]

- Then click the Run Fix button at the top.
- Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

========== next ===========

Re-check:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Under Optional Scan, ensure “List BCD” and “Driver MD5” are ticked.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Here ya go.

@beasut

You have not followed my instructions for running TDSSKiller, and all of these files that you killed are legitimate files; doing so has damaged your system.
You have made double work for us… Before going any further, it is necessary to try to correct that.

Download TDSSQlook from here and save it to your desktop:

www.malwareinfo.nl/tools/TDSSQlook.exe

Open TDSSQlook.exe and you will see two options: A (Scan) and B (Fix).

Select A and wait for the scan to finish. A log should be created. Please copy/paste or attach it within your next reply.

I followed your directions; the first time I ran OTL.exe with your code it crashed my computer. Windows recovered and I tried it again after restarting.

Here’s the latest scan log. The last time I ran TDSSKiller, Cure and Skip were not options; I guess I should have checked with you before choosing Delete.

I appreciate your help, thanks.

I followed your directions; the first time I ran OTL.exe with your code it crashed my computer.

That is not supposed to happen. OTL did not do anything important; it just tried to delete a couple of registry entries. It was trying to reboot the computer because it tried to clear all the temp crap and junk files, and in doing so it tries to shut down some processes. Probably something prevented OTL from performing the work, and that caused an error.

The last time I ran TDSSKiller, Cure and Skip were not options; I guess I should have checked with you before choosing Delete.

TDSSKiller was ordered to delete the following:

service file: C:\Windows\system32\Drivers\ANDROIDUSB.sys - related to ANDROIDUSB.sys, ADB Interface from Google Inc.
service key: HKLM\SYSTEM\ControlSet001\services\HTCAND64 - related to htcnprot.sys, RawPacket NDIS Protocol Driver from the Windows (R) Win 7 DDK provider
file: C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe - related to PassThruSvr.exe, HTC Internet Pass-Through

Now you understand why we have to try to return that. :wink:

Stay tuned while I write a script and instructions for returning these things to the system.

I’ll be back soon.

OK, before we continue with restoring the legit files I’ll need to create a new system restore point, and to see some more info about the existing points and some additional data.

This will be done quickly…
Please download zoek.exe and save it to your desktop.

- Close any open browsers.

- Temporarily disable your AntiVirus program. <— important!
If you are unsure how to do this, please read this or this Instruction.

- Double-click on zoek.exe to run the tool.
Please wait until the tool starts…

- Copy the text present inside the code box below and paste it into the large window in the zoek tool:

createsrpoint;
srinfo;
HKLM\SYSTEM\ControlSet001\services\HTCAND64;e
HTCAND64;z

- Click on the Run Script button (pictured at http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png).
Please wait until a log report opens (this can be after a reboot).

- Save the Notepad file to your Desktop and attach zoek-results.log here.

Note: It will also create a log in the C:\ directory named “zoek-results.log”.

Zoek results attached.

Thanks for the explanation! And your help!

Ok, let’s do this. :slight_smile:

Run TDSSQlook.exe again and choose Option B (Fix).
Notepad will open up.
Copy and paste the text below into Notepad (make sure Word Wrap is unchecked: Format > Word Wrap):

REN "C:\TDSSKiller_Quarantine\19.08.2013_11.15.23\susp0000\svc0000\tsk0000.dta" ANDROIDUSB.sys
COPY "C:\TDSSKiller_Quarantine\30.12.2011_12.42.12\susp0000\svc0000\ANDROIDUSB.sys" C:\Windows\System32\Drivers\

REN "C:\TDSSKiller_Quarantine\19.08.2013_11.15.23\susp0001\svc0000\tsk0000.dta" PassThruSvr.exe
COPY "C:\TDSSKiller_Quarantine\30.12.2011_12.42.12\susp0000\svc0000\PassThruSvr.exe" C:\Program Files (x86)\HTC\Internet Pass-Through\

Close Notepad by clicking the X in the upper right hand corner > save changes.
This will start TDSSQlook and replace the files (you won’t see anything happening, though).

Please report here when you have done this.
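The posts above show why files landed in quarantine in the first place (TDSSKiller flagged unsigned driver and service files as suspicious, and the user chose Delete) and how they are copied back. Before restoring anything from a quarantine folder, a defender would want to confirm that the stored copy is the vendor-signed original rather than trusting the path alone. The PowerShell below is an added example, not part of this thread and not code from TDSSKiller or TDSSQlook; the quarantine paths are placeholders modelled on the script above, and the approach (checking the Authenticode signature and SHA-256 of the quarantined copy, then copying only after confirmation) is an assumption about how one would do it, not a feature of either tool. It also records the caveat that explains this thread: drivers signed only through a catalog file show as NotSigned here, which is a reason to review, not to delete.

```powershell
# Added example (not from the thread): verify a quarantined file before putting it back.
# Paths are placeholders modelled on the TDSSQlook script in this thread; adjust them.

function Test-RestoreCandidate {
    param(
        [Parameter(Mandatory)][string]$Quarantined,   # copy stored by TDSSKiller (renamed to tsk0000.dta)
        [Parameter(Mandatory)][string]$Target         # original location the file came from
    )

    if (-not (Test-Path -LiteralPath $Quarantined)) {
        return [pscustomobject]@{ Target = $Target; Verdict = 'missing'; Signer = $null; Sha256 = $null }
    }

    # Authenticode is read from the PE image itself, so the .dta extension does not matter.
    $sig    = Get-AuthenticodeSignature -FilePath $Quarantined
    $sha256 = (Get-FileHash -LiteralPath $Quarantined -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    $verdict = switch ($sig.Status.ToString()) {
        'Valid'     { 'restore' }
        # Many drivers are signed only through a catalog (.cat) file, which this cmdlet does not
        # consult, so 'NotSigned' means "compare the hash with the vendor package", not "malicious".
        'NotSigned' { 'review: no embedded signature, compare SHA-256 with the vendor package' }
        default     { "review: signature status $($sig.Status)" }
    }

    [pscustomobject]@{ Target = $Target; Verdict = $verdict; Signer = $signer; Sha256 = $sha256 }
}

function Restore-VerifiedFile {
    param([Parameter(Mandatory)][string]$Quarantined, [Parameter(Mandatory)][string]$Target)

    $check = Test-RestoreCandidate -Quarantined $Quarantined -Target $Target
    if ($check.Verdict -ne 'restore') {
        Write-Warning "$($check.Target): $($check.Verdict)"
        return $check
    }
    if (Test-Path -LiteralPath $Target) {
        Write-Warning "$Target already exists; not overwriting"
        return $check
    }
    # -Confirm prompts before each copy so nothing lands on the system unseen.
    Copy-Item -LiteralPath $Quarantined -Destination $Target -Confirm
    return $check
}

# Placeholder entries (constructed for this example, not the real quarantine contents).
$candidates = @(
    @{ Quarantined = 'C:\TDSSKiller_Quarantine\<date_time>\susp0000\svc0000\tsk0000.dta'
       Target      = 'C:\Windows\System32\Drivers\ANDROIDUSB.sys' },
    @{ Quarantined = 'C:\TDSSKiller_Quarantine\<date_time>\susp0001\svc0000\tsk0000.dta'
       Target      = 'C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe' }
)

# Report first; call Restore-VerifiedFile with the same parameters once the verdicts look right.
$candidates | ForEach-Object { $p = $_; Test-RestoreCandidate @p } | Format-Table -AutoSize
```

Run the report step in an elevated PowerShell on the affected machine; the restore step is kept separate and prompts per file, so a "review" verdict never results in a copy. For a catalog-signed driver, the SHA-256 printed here is what you compare against the hash of the file in the vendor's installer package before deciding it is safe to restore.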

I didn’t see this at all but followed everything else.

Nevermind, it was unchecked. I really need to learn how to read all this computer stuff better… :wink:

That’s OK.

  1. I’ll need you to re-run FRST (press the Scan button) and attach a fresh FRST.txt log report.

  2. Also, I’ll need you to re-run zoek.exe as you did before with this script:

ANDROIDUSB.sys;z
PassThruSvr.exe;z

Please wait while zoek finishes its work and attach the freshly created zoek logs here.

Here ya go…

Recommendation to remove and uninstall Advanced SystemCare 6 from your system:

  1. Open Notepad and copy/paste the text present inside the code box below.
    To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

START
HKCU Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKCU Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
HKU\CompAdmin\...\Run: [SearchProtect] - C:\Users\CompAdmin\AppData\Roaming\SearchProtect\bin\cltmng.exe [x]
C:\Users\CompAdmin\AppData\Roaming\SearchProtect
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [fdkednngfjmpnljkolbapdednncafhen] - C:\Users\Darcy\AppData\Local\CRE\fdkednngfjmpnljkolbapdednncafhen.crx
C:\Users\Darcy\AppData\Local\CRE\fdkednngfjmpnljkolbapdednncafhen.crx
CMD: netsh winsock reset
CMD: ipconfig /flushdns
END
  2. Save the Notepad file as fixlist.txt.
    NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  3. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.
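The fixlist above removes a Run entry whose executable no longer exists (FRST marks that with [x]) and a Chrome extension that was registered through the registry rather than installed from the store. The PowerShell below is an added example, not from this thread and not FRST code: it enumerates those two kinds of autostart location and reports entries whose file is missing, whose binary carries no valid Authenticode signature, or which launch from a user profile directory, which is what a reviewer looks at before writing such a fixlist. The Run keys are standard; the registry-based Chrome extension layout (one subkey per extension id with `path` and `update_url` values) is assumed here, and only the current user's hive is covered, whereas FRST also walks other users' hives such as HKU\CompAdmin.

```powershell
# Added example (not from the thread): audit the autostart locations the fixlist touched.

function Get-ExecutablePath {
    param([string]$Command)
    # Autostart values are command lines; take the program part, quoted or first token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return [System.Environment]::ExpandEnvironmentVariables(($Command -split '\s+')[0])
}

function Get-FileFacts {
    param([string]$Path)
    $exists = [bool]$Path -and (Test-Path -LiteralPath $Path -PathType Leaf)
    # Authenticode only means something for PE files; a .crx is not one.
    $isPe   = $Path -match '\.(exe|dll|sys)$'
    $status = if ($exists -and $isPe) { (Get-AuthenticodeSignature -FilePath $Path).Status.ToString() } else { 'n/a' }
    $inProfile = ($Path -like "$env:USERPROFILE*") -or ($Path -like 'C:\Users\*')

    $flags = @()
    if (-not $exists)                           { $flags += 'missing file' }          # what FRST prints as [x]
    if ($exists -and $isPe -and $status -ne 'Valid') { $flags += "signature $status" }
    if ($inProfile)                             { $flags += 'runs from user profile' }

    [pscustomobject]@{ Path = $Path; Exists = $exists; Signature = $status; Flags = ($flags -join '; ') }
}

function Get-RunEntries {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd  = [string]$item.GetValue($name)
            $info = Get-FileFacts -Path (Get-ExecutablePath -Command $cmd)
            [pscustomobject]@{ Source = "$key\$name"; Command = $cmd; Flags = $info.Flags }
        }
    }
}

function Get-RegistryChromeExtensions {
    # Legacy registry-based extension install (assumed layout: one subkey per extension id).
    $keys = 'HKLM:\Software\Google\Chrome\Extensions',
            'HKLM:\Software\Wow6432Node\Google\Chrome\Extensions',
            'HKCU:\Software\Google\Chrome\Extensions'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $props = Get-ItemProperty -Path $sub.PSPath
            $crx   = [string]$props.path
            $flags = if ($crx) { (Get-FileFacts -Path $crx).Flags } else { 'no local path (update_url install)' }
            [pscustomobject]@{
                Source = "$key\$($sub.PSChildName)"
                Crx    = $crx
                Update = [string]$props.update_url
                Flags  = $flags
            }
        }
    }
}

Get-RunEntries | Format-Table -AutoSize -Wrap
Get-RegistryChromeExtensions | Format-Table -AutoSize -Wrap
```

An entry that shows "missing file" is exactly the kind of dead SearchProtect Run value the fixlist above deletes; an extension with a local path under a user profile and no update_url is the registry-installed .crx case. The script only reports, so it can be run before and after a fix to confirm the entries are gone.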