system
July 13, 2015, 10:36pm
1
Hello,
I’ve been battling a malware infection and am not sure what to do. I’ve performed a number of Avast scans, which detects the malware, but doesn’t seem to remove it. Attached are the requested logs for assistance. Thank you to anyone who takes a crack at this.
Pondus
July 13, 2015, 10:50pm
2
I've performed a number of Avast scans, which detects the malware, but doesn't seem to remove it.
And what does Avast say/detect? A screenshot would help.
Removal team will be back online tomorrow
Could you let me know what problems remain after this.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open Notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKU\S-1-5-18\...\RunOnce: [SpUninstallDeleteDir] => rmdir /s /q "C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect"
AppInit_DLLs: c:\documents and settings\all users\application data\epsandrive\epsandrive32.dll => c:\documents and settings\all users\application data\epsandrive\epsandrive32.dll File not found
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-823518204-1897051121-1177238915-500\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultUrl = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^YK^xdm177^S01926^us&si=Wjmdrct&ptb=A14D4B45-68E8-4DF2-B738-79FC41F653DD&psa=&ind=2012092523&st=sb&n=77ee186b&searchfor={searchTerms}
HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs,Tabs: "about:newtab" <======= ATTENTION
SearchScopes: HKU\S-1-5-21-823518204-1897051121-1177238915-500 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = https://mysearch.avg.com/search?cid={34B2DFDF-BF26-4477-8F17-D2C134EBAAD1}&mid=547c46169e2447d0ab14d16836559886-6a595f5feaaf65d6ee01d6141edc9afc0f919922&lang=en&ds=AVG&coid=avgtbavg&cmpid=1214av&pr=fr&d=2014-12-09 18:46:22&v=4.0.5.7&pid=wtu&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKU\S-1-5-21-823518204-1897051121-1177238915-500 -> {C04B7D22-5AEC-4561-8F49-27F6269208F6} URL = http://toolbar.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80472&lng=en
BHO: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> No File
Toolbar: HKU\S-1-5-21-823518204-1897051121-1177238915-500 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
2015-07-01 04:34 - 2015-07-13 16:19 - 00000000 ____D C:\Program Files\Snmzknwm1ndiyzdz
2015-06-29 10:57 - 2015-06-28 19:34 - 00001471 _____ C:\WINDOWS\system32\dossuoiaz.js
2015-06-29 10:57 - 2015-06-28 19:34 - 00000486 _____ C:\WINDOWS\system32\lezugyne.js
2015-06-29 10:57 - 2015-06-28 03:27 - 00053971 _____ C:\WINDOWS\system32\tuufep.js
2015-06-29 10:57 - 2015-06-18 03:42 - 00094958 _____ C:\WINDOWS\system32\jquery4toolbar.js
2015-06-28 23:36 - 2015-06-28 23:36 - 00043682 _____ C:\Documents and Settings\Administrator\Local Settings\Temp\divx82f1
2015-06-28 23:36 - 2015-06-28 23:36 - 00043682 _____ C:\Documents and Settings\Administrator\Local Settings\Temp\divx423e
2015-06-28 22:47 - 2015-06-28 22:47 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\b6d629ae000051e5
2015-06-28 22:39 - 2015-07-01 10:06 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\nmzky2nxngsybtz
2015-06-28 22:26 - 2015-06-28 22:26 - 00000000 ____D C:\Documents and Settings\Administrator\Local Settings\Application Data\globalUpdate
2015-06-28 22:25 - 2015-06-30 08:02 - 00000004 _____ C:\WINDOWS\system32\029B560A371F4E00AB32838EBC01B9E7
2015-06-28 21:52 - 2015-06-28 21:52 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\94769394000028b6
2015-06-28 19:53 - 2015-06-28 20:36 - 00000000 ____D C:\Program Files\StormWatch
2015-06-28 19:50 - 2015-06-30 11:34 - 00000000 ____D C:\Program Files\globalUpdate
2015-06-28 19:44 - 2015-07-13 16:19 - 00000000 ____D C:\Documents and Settings\Administrator\Application Data\Company
2015-06-28 19:42 - 2015-06-28 19:42 - 00635544 _____ (DivX, LLC) C:\Documents and Settings\Administrator\Local Settings\Temp\divx73a5.exe
2015-06-28 19:42 - 2015-06-28 19:42 - 00000064 _____ C:\Documents and Settings\Administrator\Local Settings\Application Data\ab3acd04dfe0d0981345b5062bbe1323
2015-06-28 19:41 - 2015-06-28 19:41 - 00635544 _____ (DivX, LLC) C:\Documents and Settings\Administrator\Local Settings\Temp\divx09d2.exe
2015-06-28 19:41 - 2015-06-28 19:41 - 00043682 _____ C:\Documents and Settings\Administrator\Local Settings\Temp\divx516b
2015-06-28 19:41 - 2015-06-28 19:41 - 00043682 _____ C:\Documents and Settings\Administrator\Local Settings\Temp\divx20e9
2015-06-28 19:40 - 2015-06-28 19:40 - 00043682 _____ C:\Documents and Settings\Administrator\Local Settings\Temp\divxef5a
2015-06-28 19:37 - 2015-06-29 11:17 - 00004696 _____ C:\WINDOWS\system32\Tulvae.ini
2015-06-28 19:37 - 2015-06-29 11:17 - 00002408 _____ C:\WINDOWS\system32\TulvaeOff.ini
2015-06-28 19:34 - 2015-07-13 16:25 - 00000510 ____H C:\WINDOWS\Tasks\RABAGUCAHJREGVRR.job
2015-06-28 19:34 - 2015-07-13 16:19 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Service1198
2015-06-28 19:34 - 2015-06-28 19:34 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\7c0535b143fc4671b6ebd202fbffe066
2015-06-28 19:08 - 2015-06-28 19:09 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\15630667128165572325
2014-01-08 20:48 - 2014-06-27 11:32 - 0003728 _____ () C:\Program Files\Mozilla Firefox\avg-secure-search.xml
2015-04-14 11:28 - 2015-04-14 11:28 - 0004387 _____ () C:\Documents and Settings\Administrator\Application Data\RT8Bhcp9XUdYF4RmXi
2015-04-14 11:28 - 2015-04-14 11:28 - 0004387 _____ () C:\Documents and Settings\Administrator\Application Data\TaobiT9IWDG4HuRU9AYrCXy0
2015-04-14 11:28 - 2015-04-14 11:28 - 0004387 _____ () C:\Documents and Settings\Administrator\Application Data\z2jEtmxbn7P80
2015-06-28 19:42 - 2015-06-28 19:42 - 0000064 _____ () C:\Documents and Settings\Administrator\Local Settings\Application Data\ab3acd04dfe0d0981345b5062bbe1323
2015-06-28 19:08 - 2015-07-01 11:16 - 00000000 ____D C:\Program Files\CutTaHePRuiece
2015-06-28 19:28 - 2015-06-28 19:28 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\COMODO
2015-06-28 19:27 - 2015-06-28 19:27 - 00000000 ____D C:\Program Files\COMODO
2015-06-28 19:07 - 2015-06-28 19:08 - 01840457 _____ C:\WINDOWS\chromebrowser.exe
Task: C:\WINDOWS\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\WINDOWS\TEMP\{C39BB78D-B46B-46F5-B10F-24D6C947EE3A}.exe <==== ATTENTION
C:\WINDOWS\system32\config\systemprofile\Application Data\SearchProtect
RemoveProxy:
EmptyTemp:
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean".
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
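Added example, not from this thread, from FRST or from the removal team: a small Python parser for the file/folder lines of the kind that appear in the fixlist above, which then finds the densest cluster of creation times. The line layout (created - modified - size attrs [(company)] path) is assumed from the entries posted here, and the sample lines are constructed copies of a few of them.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in FRST's "Files and folders" line format, modelled on the
# entries in this thread's fixlist: created - modified - size attrs [(company)] path
SAMPLE_LOG = r"""
2015-06-29 10:57 - 2015-06-28 19:34 - 00001471 _____ C:\WINDOWS\system32\dossuoiaz.js
2015-06-28 19:53 - 2015-06-28 20:36 - 00000000 ____D C:\Program Files\StormWatch
2015-06-28 19:50 - 2015-06-30 11:34 - 00000000 ____D C:\Program Files\globalUpdate
2015-06-28 19:42 - 2015-06-28 19:42 - 00635544 _____ (DivX, LLC) C:\Documents and Settings\Administrator\Local Settings\Temp\divx73a5.exe
2015-06-28 19:34 - 2015-07-13 16:25 - 00000510 ____H C:\WINDOWS\Tasks\RABAGUCAHJREGVRR.job
2015-06-28 19:07 - 2015-06-28 19:08 - 01840457 _____ C:\WINDOWS\chromebrowser.exe
2014-01-08 20:48 - 2014-06-27 11:32 - 0003728 _____ () C:\Program Files\Mozilla Firefox\avg-secure-search.xml
""".strip()

# Assumed layout of one FRST file/folder line (see the lead-in).
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+)$")

def parse_frst_lines(text):
    """Parse FRST file/folder lines into dicts; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({
                "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
                "size": int(m.group("size")),
                "is_dir": m.group("attrs").endswith("D"),   # D attribute = directory
                "hidden": "H" in m.group("attrs"),          # H attribute = hidden
                "company": m.group("company") or None,      # "()" or no company -> None
                "path": m.group("path")})
    return entries

def largest_creation_cluster(entries, window=timedelta(hours=1)):
    """Largest set of entries created within `window` of each other. Adware bundles
    drop their files within minutes, so the densest cluster is the install burst."""
    ordered = sorted(entries, key=lambda e: e["created"])
    best = []
    for i, first in enumerate(ordered):
        group = [e for e in ordered[i:] if e["created"] - first["created"] <= window]
        best = group if len(group) > len(best) else best
    return best
```

Run against a full FRST Addition/FRST log, the cluster shows which entries were dropped together and which (like the old AVG search plugin) belong to an unrelated install.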