Please Help - Sirefef, various trojans

Hello all,
I’ve been a long time avast user and this is my first visit to the forums. My wife’s work computer seems to be infected with some nasty trojans. I ran Malwarebytes and an avast scan (normal scan + boot scan) which cleared up some of the problems - browser redirects and some fake virus scanning program that was blocking executables and all kinds of other nonsense. Avast prompted me for two infected Desktop.ini files but I did not remove them for fear that the operating system wouldn’t boot.

However, the boot scan did find multiple trojans and was unable to act on some windows system files. The operating system seems more stable, browser seems ok, but I am getting frequent trojan (WIN32: Downloader-PKU) and malware blocking notifications from avast. Attached are the logs from the avast boot scan and OTL. The aswMBR scan is currently running but seems to be taking a while, I will post that when it’s done if necessary.

Any help with getting rid of these once and for all would be greatly appreciated! Thanks,
-zach

malware removers are notified…

Thank you! Here is the aswMBR log.

Hi, it appears to have come from an infected download, probably Java, so I will also remove an out-of-date Java version.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following


:OTL
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0FtDyE0D0AtB0A0FtByDzytB0FyB0CtCtN0D0Tzu0CtCzyyDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1282999119
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0FtDyE0D0AtB0A0FtByDzytB0FyB0CtCtN0D0Tzu0CtCzyyDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1282999119
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0FtDyE0D0AtB0A0FtByDzytB0FyB0CtCtN0D0Tzu0CtCzyyDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1282999119
IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0FtDyE0D0AtB0A0FtByDzytB0FyB0CtCtN0D0Tzu0CtCzyyDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1282999119
IE - HKU\S-1-5-21-740607502-643587457-892366836-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0FtDyE0D0AtB0A0FtByDzytB0FyB0CtCtN0D0Tzu0CtCzyyDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1282999119
IE - HKU\S-1-5-21-740607502-643587457-892366836-1004\..\SearchScopes,Backup.Old.DefaultScope = {9EA00831-B5CD-49A9-B99E-05B38EB08C0D}
IE - HKU\S-1-5-21-740607502-643587457-892366836-1004\..\SearchScopes,DefaultScope = {9EA00831-B5CD-49A9-B99E-05B38EB08C0D}
IE - HKU\S-1-5-21-740607502-643587457-892366836-1004\..\SearchScopes\{9EA00831-B5CD-49A9-B99E-05B38EB08C0D}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0FtDyE0D0AtB0A0FtByDzytB0FyB0CtCtN0D0Tzu0CtCzyyDtN1L2XzutBtFtCtFtDtFtAtDtC&cr=1282999119
IE - HKU\S-1-5-21-740607502-643587457-892366836-1004\..\SearchScopes\{C7576B9D-B442-46bc-AF74-080A9E723E01}: "URL" = http://websearch.search-results.com/redirect?client=ie&tb=BBY2-SRS&o=41647948&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=7S&apn_dtid=YYYYYYYYUS&apn_uid=27FCA528-49C6-47ED-8383-DBEBB7A6F039&apn_sauid=B6D76EA9-9031-4347-87FC-43EF9961B355
IE - HKU\S-1-5-21-740607502-643587457-892366836-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{29ED26C1-0ECA-440D-8785-0848D91B2A90}: C:\Users\eclark\AppData\Local\{29ED26C1-0ECA-440D-8785-0848D91B2A90}\ [2011/07/15 11:15:55 | 000,000,000 | ---D | M]
O2 - BHO: (Babylon IE plugin) - {9CFACCB6-2F3F-4177-94EA-0D2B72D384C1} - C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll File not found
O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKLM\..\Toolbar: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O3 - HKU\S-1-5-21-740607502-643587457-892366836-1004\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.
O3 - HKU\S-1-5-21-740607502-643587457-892366836-1004\..\Toolbar\WebBrowser: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()
O4 - HKLM..\Run: [Babylon Client] C:\Program Files (x86)\Babylon\Babylon-Pro\Babylon.exe (Babylon Ltd.)
O9 - Extra Button: Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm File not found
O9 - Extra 'Tools' menuitem : Translate this web page with Babylon - {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/ActionTU.htm File not found
O16 - DPF: {CAFEEFAC-0015-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_21-windows-i586.cab (Java Plug-in 1.5.0_21)
[2012/07/13 12:42:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Funmoods
[2012/07/13 12:42:47 | 000,384,844 | ---- | M] () -- C:\Users\eclark\AppData\Local\funmoods-speeddial.crx
[2012/07/13 12:42:47 | 000,031,465 | ---- | M] () -- C:\Users\eclark\AppData\Local\funmoods.crx

:Files
ipconfig /flushdns /c
C:\Windows\Installer\{f0133527-e117-6665-5686-877842c9f5c6}
C:\Users\eclark\AppData\Local\{f0133527-e117-6665-5686-877842c9f5c6}
C:\Users\eclark\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbjciahceamgodcoidkjpchnokgfpphh
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Program Files (x86)\Babylon
C:\Program Files (x86)\Search Toolbar

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks


[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
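As an added illustration of what the OTL fix above is targeting (this is not code from the thread, from OTL or from ComboFix): a small Python triage script that reads OTL-style log lines and flags the indicators used in that fix, namely the Funmoods / search-results.com start page and search scope hijacks, the localhost ProxyOverride, the Sirefef-style GUID folders under Windows\Installer and AppData\Local, the Desktop.ini files in the GAC folders, and the Babylon / Search Toolbar components. The sample lines are copied from the fix above where possible; the rest are constructed in OTL's format and marked as such.

```python
import re
from typing import List, Tuple

# Indicators taken from the OTL fix posted in this thread.
HIJACK_HOSTS = ("start.funmoods.com", "websearch.search-results.com")
PUP_NAMES = ("funmoods", "babylon", "search toolbar")

# Sirefef-style GUID folder under Windows\Installer or AppData\Local, and the
# Desktop.ini entries under GAC_32 / GAC_64, both listed in the :Files section.
GUID_DIR_RE = re.compile(r"(?i)\\(Windows\\Installer|AppData\\Local)\\\{[0-9a-f-]{36}\}")
GAC_INI_RE = re.compile(r"(?i)\\Windows\\assembly\\GAC_(32|64)\\Desktop\.ini")
PROXY_RE = re.compile(r'"ProxyOverride"\s*=\s*127\.0\.0\.1:\d+')
URL_VALUE_RE = re.compile(r'(Start Page|"URL")\s*=\s*(\S+)')

def classify(line: str) -> List[str]:
    """Return the rule names that fire on one OTL log line (empty list = nothing suspicious)."""
    hits = []
    m = URL_VALUE_RE.search(line)
    if m and any(host in m.group(2) for host in HIJACK_HOSTS):
        hits.append("browser-hijack-url")
    if PROXY_RE.search(line):
        hits.append("localhost-proxy-override")
    if GUID_DIR_RE.search(line):
        hits.append("sirefef-guid-dir")
    if GAC_INI_RE.search(line):
        hits.append("sirefef-gac-desktop-ini")
    if any(name in line.lower() for name in PUP_NAMES):
        hits.append("pup-component")
    return hits

def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Pair every firing rule with the line that triggered it."""
    return [(rule, line) for line in lines for rule in classify(line)]

# Constructed sample log: entries 1-3 and 7 are from the thread's fix (URL shortened);
# entries 4-6 are made up in OTL's format (GUID folder, GAC Desktop.ini, benign start page).
SAMPLE_LOG = [
    r"IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=adknlg",
    r'IE - HKU\S-1-5-21-740607502-643587457-892366836-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;',
    r"O2 - BHO: (Search Toolbar) - {9D425283-D487-4337-BAB6-AB8354A81457} - C:\Program Files (x86)\Search Toolbar\SearchToolbar.dll ()",
    r"[2012/07/13 12:42:47 | 000,000,000 | ---D | M] -- C:\Windows\Installer\{f0133527-e117-6665-5686-877842c9f5c6}",
    r"[2012/07/13 12:42:47 | 000,000,000 | ---- | M] -- C:\Windows\assembly\GAC_32\Desktop.ini",
    r"IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/",
    r"O4 - HKLM..\Run: [Babylon Client] C:\Program Files (x86)\Babylon\Babylon-Pro\Babylon.exe (Babylon Ltd.)",
]

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:26} {line}")
```

The benign Google start page produces no finding, which is the check that the rules key on the hijack hosts rather than on any start page entry.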

Awesome, thank you so much. Unfortunately my wife had to take this computer out of town until Friday for a work conference, hence the reason I was scrambling to fix it last night :slight_smile:

I will probably try to get on the phone with her tonight and run through this, or it may have to wait until Saturday when she is home with the laptop. I will update this thread with the results logs as soon as I have had a chance to follow the steps.

Thanks again!

OK as there will be a delay could you run the OTL quick scan after combofix has run, that way I can ensure that nothing extra was added ;D

Will do. Hopefully she will not need it much at all, maybe just for email - I advised her to only use Firefox if she needs it since it did seem stable and we have avast running, with the webrep add-on for FF.

Should work. I should imagine the warnings are still happening; after the two runs Avast will shut up ;D

Hello,
I have just completed the steps listed, running OTL with the custom script and combofix.

Unfortunately I messed up a little bit and neglected to run a quick scan after running the custom fix in OTL - I went straight to running combofix so I do not have that log. I hope that doesn’t cause a big issue!

Either way - I have attached 2 logs:

  1. The combofix log (everything seemed to run successfully)
  2. Another quick scan from OTL after running combofix

Thanks again. Everything seems OK and the constant warnings from Avast do seem to have stopped.

They both look good, any outstanding problems ?

Nope, none that we’ve noticed so far. I’ll ask her for an update after she’s had a chance to use it for a few days at work and report back here if there are any issues. All of the warnings / popups / strange behaviors we were seeing before seem to be gone.

Chrome still prompted me that “Wajam” and “Shopping Sidekick” had been added when I opened it. They were there before the fixes, but I went ahead and removed them since I’m not sure what they are… Wajam may be a legit addon, but I can’t find anything about “Shopping Sidekick”.

They are toolbars/search engines and are kind of legitimate

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK


[*]Follow the prompts on the screen
[*]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Go to control panel
[*]Select folder options (Appearance > Folder options in category view)
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

[*]Go to this site and click Do I have Java
[*]It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]Go to Start > All programs > Accessories > System Tools
[*]Right click Disk Cleanup and select Run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:


Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave: