Malware removal (lots of winupdate icons on tray), same symptoms as another topic

Hi,

I have the same symptoms as in this topic: http://forum.avast.com/index.php?topic=118769.0
USB drives have all files hidden and ‘turned’ into shortcuts.
Lots of Windows Update icons in the systray.
Anti-malware programs are terminated once run (or when trying to download them).

I’ve followed the same OTM steps, with the instructions changed accordingly. I know from RogueKiller that the problem is at least in

C:\Users\Paula\AppData\Roaming\9f

Attached is the OTL log, created with Windows in safe mode (is that okay?)

Thank you very much already!

removers are notified…

Hi,

========== First ==========

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds for MCShield to finish the initial scan.
Recommendation: under the General and Scanner tabs, click the Defaults button to choose the recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach the log report that MCShield has made.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

========== Next ==========
Re-run OTL.exe.

[*]Copy and paste the following text, written inside the quote box, into the Custom Scans/Fixes box.


:Commands
[CREATERESTOREPOINT]

:OTL
O4 - HKU\S-1-5-21-315241628-3474773456-3279493250-1000..\Run: [89be] C:\Users\Paula\AppData\Roaming\9f\89be.js ()
O4 - Startup: C:\Users\Paula\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d8f.js ()
FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
O3 - HKU\S-1-5-21-315241628-3474773456-3279493250-1000\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found.


:Files
C:\Users\Paula\AppData\Roaming\9f\*.js
C:\Users\Paula\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c

:Commands
[emptytemp]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.

========== Next ==========

Re-run OTL, click on Quick Scan and attach the fresh OTL.txt log here.
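Added example, not from this thread and not OTL or MCShield code: a PowerShell triage script that does by hand what the two steps above ask for, checking the current user's Run key and Startup folder for entries that launch a script file (the O4 lines in the OTL fix), and checking every removable drive for .lnk lures that point at a script host next to the hidden originals. The script-extension list, the quarantine folder under %TEMP%, the Hidden+System heuristic for the hidden files, and the root-only check of each drive are my assumptions; nothing from the OTL log (the SID, the 9f folder) is hard-coded, so the same script applies to any machine with these symptoms.

```powershell
# Added example: triage for the two symptoms in this thread (per-user script
# autostarts and a USB drive whose files became shortcuts). Not from OTL,
# MCShield or the thread. Assumptions: the extension list below, a quarantine
# folder under %TEMP%, and that the worm hid originals with Hidden+System.
# Run from an elevated PowerShell prompt. Without -Fix it only reports.
param([switch]$Fix)

$scriptExt   = '\.(js|jse|vbs|vbe|wsf|wsh|hta)(\s|"|$)'
$scriptHosts = 'wscript|cscript|cmd\.exe|powershell|mshta|rundll32'
$quarantine  = Join-Path $env:TEMP 'usb-quarantine'
if ($Fix -and -not (Test-Path $quarantine)) {
    New-Item -ItemType Directory -Path $quarantine | Out-Null
}

function Test-Suspect([string]$text) {
    return ($text -match $scriptExt) -or ($text -match $scriptHosts)
}

# --- 1. Autostarts for the current user (the OTL 'O4' lines) -----------------
Write-Host '== HKCU Run values launching a script =='
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        if (Test-Suspect $p.Value) {
            Write-Host ("  {0} = {1}" -f $p.Name, $p.Value)
            if ($Fix) { Remove-ItemProperty -Path $runKey -Name $p.Name }
        }
    }
}

Write-Host '== Startup folder scripts =='
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match $scriptExt } |
    ForEach-Object {
        Write-Host ("  {0}  {1} bytes  {2}" -f $_.FullName, $_.Length, $_.LastWriteTime)
        if ($Fix) { Move-Item -Path $_.FullName -Destination $quarantine -Force }
    }

# --- 2. Removable drives (DriveType 2): lure shortcuts + hidden originals ----
Write-Host '== Removable drives =='
$shell = New-Object -ComObject WScript.Shell
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    Write-Host "-- $root"

    # A shortcut in the drive root whose target is a script host is the lure:
    # it opens the (hidden) original so the user notices nothing, and runs the
    # hidden script alongside it.
    Get-ChildItem -Path $root -Filter *.lnk -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if ((Test-Suspect $lnk.TargetPath) -or (Test-Suspect $lnk.Arguments)) {
                Write-Host ("  SUSPECT {0}" -f $_.Name)
                Write-Host ("    target: {0}" -f $lnk.TargetPath)
                Write-Host ("    args:   {0}" -f $lnk.Arguments)
                if ($Fix) { Move-Item -Path $_.FullName -Destination $quarantine -Force }
            }
        }

    # Hidden+System entries in the root are where the user's files went. A
    # hidden script file is quarantined; everything else gets its attributes
    # cleared so the data is visible again.
    $hs = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { (($_.Attributes -band $hs) -eq $hs) -and
                       (@('System Volume Information', '$RECYCLE.BIN') -notcontains $_.Name) } |
        ForEach-Object {
            if (-not $_.PSIsContainer -and $_.Name -match $scriptExt) {
                Write-Host ("  HIDDEN SCRIPT {0}" -f $_.FullName)
                if ($Fix) { Move-Item -Path $_.FullName -Destination $quarantine -Force }
            } else {
                Write-Host ("  hidden: {0}" -f $_.FullName)
                if ($Fix) {
                    $clear = $hs -bor [IO.FileAttributes]::ReadOnly
                    $_.Attributes = $_.Attributes -band (-bnot $clear)
                }
            }
        }
}
```

Run it once without -Fix and read the output before running it with -Fix: a legitimate Run entry that happens to call a .vbs login script would be flagged too, which is why the script reports before it removes. Quarantining rather than deleting keeps the .lnk and .js files available for a closer look (the shortcut's Arguments field usually names the hidden script, and the script names the Run value it recreates). Cleaning the drive without cleaning the host, or the host without the drive, brings the infection straight back, which is the point made later in this thread.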

Thanks a lot magna86!

Worked like a charm. No more of those symptoms.
I don’t have the final OTL with me here right now, but I’ll check them when I get back to the computer that was affected (my parents’ computer).

Thanks once again!

Hi,
:wink:

If you could, run OTL by pressing the Quick Scan button, just to make sure it’s gone for real.

Attach here fresh OTL.txt log.

Also attach the AllScans.txt log.
The infection could have come through some USB device. If the USB is still infected, the computer can easily be re-infected.