RFIHUB infecting Outlook 2013

Avast Free Antivirus / Premium Security
1

Hello All -

I’m running Windows 7 64bit on a mac with bootcamp. (Drive is partitioned between Windows and Mac OS) I also use MS Office 2013. A couple of weeks ago I noticed a pop up when using Outlook 2013. I’ve attached a screen shot of the pop up that references “contacting RHIHUB” (see attached). Some background research showed examples/solutions for dealing with this when it hijacked a browse but there is very little by way of detecting and removing an infection in Outlook. Ran scan from several different AVS companies all of which showed no results. It doesn’t come up every time I use Outlook but my computer is noticeably slower at times or has problems reaching a web address. Rebooting usually offers a temporary solution but the situation is becoming untenable aside from obvious security risk having something this insidious on my machine.

Reading the FAQ - I downloaded the suggested software, ran them in the following order and followed recommended steps unless otherwise noted:

Malwarebytes: (log attached) This program did find several PUPS but it only gave me an option to “remove” the files but not to “quarantine” them. I decided to leave them “as is” until provided further advice.

Farbar Recovery Scan Tool: 2 log files attached - FRST and Addition

ASWMbr - log attached.

I appreciate if anyone has any insights. Right now, I’ve been told to format the drive and reinstall the software which I’m hoping to avoid.

Thanks - P

2

Screenshot of the RFIHUB pop that occurs in MS Outlook 2013:

3

You can let MBAM delete the ask partner network

Let me know if this stops it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: HKU\S-1-5-21-3830564640-2351533630-2455819041-1000\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe [1382672 2015-10-21] (Lavasoft) Winsock: Catalog9 01 C:\Windows\SysWOW64\LavasoftTcpService.dll [345360 2015-10-21] (Lavasoft Limited) Winsock: Catalog9 02 C:\Windows\SysWOW64\LavasoftTcpService.dll [345360 2015-10-21] (Lavasoft Limited) Winsock: Catalog9 03 C:\Windows\SysWOW64\LavasoftTcpService.dll [345360 2015-10-21] (Lavasoft Limited) Winsock: Catalog9 04 C:\Windows\SysWOW64\LavasoftTcpService.dll [345360 2015-10-21] (Lavasoft Limited) Winsock: Catalog9 16 C:\Windows\SysWOW64\LavasoftTcpService.dll [345360 2015-10-21] (Lavasoft Limited) Winsock: Catalog9-x64 01 C:\Windows\system32\LavasoftTcpService64.dll [425744 2015-10-21] (Lavasoft Limited) Winsock: Catalog9-x64 02 C:\Windows\system32\LavasoftTcpService64.dll [425744 2015-10-21] (Lavasoft Limited) Winsock: Catalog9-x64 03 C:\Windows\system32\LavasoftTcpService64.dll [425744 2015-10-21] (Lavasoft Limited) Winsock: Catalog9-x64 04 C:\Windows\system32\LavasoftTcpService64.dll [425744 2015-10-21] (Lavasoft Limited) Winsock: Catalog9-x64 16 C:\Windows\system32\LavasoftTcpService64.dll [425744 2015-10-21] (Lavasoft Limited) Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File Toolbar: HKLM-x32 - Steganos Password Manager Toolbar - {9C65D12D-CF9D-454D-8049-61965D8C6FFF} - C:\Program Files (x86)\Steganos Privacy Suite 11\SPMIEToolbar.dll No File Toolbar: HKU\S-1-5-21-3830564640-2351533630-2455819041-1000 -> No Name - {9C65D12D-CF9D-454D-8049-61965D8C6FFF} - No File Toolbar: HKU\S-1-5-21-3830564640-2351533630-2455819041-1000 -> No Name - {4F524A2D-5350-4500-76A7-7A786E7484D7} - No File R2 LavasoftAdAwareService11; C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.8.586.8535\AdAwareService.exe [712432 2015-08-27] () R2 LavasoftTcpService; C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe [2751760 2015-10-21] (Lavasoft Limited) R2 SearchProtectionService; C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.WinService.exe [17168 2015-10-21] () 2015-10-21 15:06 - 2015-10-22 04:35 - 00002880 _____ C:\Windows\SysWOW64\LavasoftTcpServiceOff.ini 2015-10-21 15:06 - 2015-10-22 04:35 - 00002880 _____ C:\Windows\system32\LavasoftTcpServiceOff.ini 2015-10-21 15:06 - 2015-10-21 15:07 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Lavasoft 2015-10-21 15:06 - 2015-10-21 15:06 - 00425744 _____ (Lavasoft Limited) C:\Windows\system32\LavasoftTcpService64.dll 2015-10-21 15:06 - 2015-10-21 15:06 - 00345360 _____ (Lavasoft Limited) C:\Windows\SysWOW64\LavasoftTcpService.dll 2015-10-21 15:06 - 2015-10-21 15:06 - 00000000 ____D C:\Users\Peter\AppData\Roaming\LavasoftStatistics 2015-10-21 15:06 - 2015-10-21 15:06 - 00000000 ____D C:\Users\Peter\AppData\Local\Lavasoft 2015-10-21 15:06 - 2015-10-21 15:06 - 00000000 ____D C:\Program Files (x86)\Lavasoft 2015-10-21 15:05 - 2015-10-24 16:49 - 00002289 _____ C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk 2015-10-21 15:05 - 2015-10-21 15:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft 2015-10-21 15:05 - 2015-10-21 15:05 - 00000000 ____D C:\Program Files\Lavasoft 2015-10-21 15:03 - 2015-10-21 15:06 - 00000000 ____D C:\ProgramData\Lavasoft 2015-10-21 15:03 - 2015-10-21 15:03 - 02012464 _____ C:\Users\Peter\Desktop\Adaware_Installer.exe 2015-10-21 15:03 - 2015-10-21 15:03 - 00000000 ____D C:\Program Files\Common Files\Lavasoft AV: Ad-Aware Antivirus (Disabled - Out of date) {B0CC18C6-E527-6EE6-874C-9D19920E5619} AS: Ad-Aware Antivirus (Disabled - Out of date) {0BADF922-C31D-6168-BDFC-A66BE9891CA4} FW: Ad-Aware Firewall (Disabled) {88F799E3-AF48-6FBE-AC13-342C6CDD1162} IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com IE trusted site: HKU\S-1-5-21-3830564640-2351533630-2455819041-1000\...\webcompanion.com -> hxxp://webcompanion.com C:\Program Files (x86)\Lavasoft Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f RemoveProxy: CMD: netsh advfirewall reset CMD: netsh advfirewall set allprofiles state ON CMD: ipconfig /flushdns CMD: netsh winsock reset catalog CMD: netsh int ip reset c:\resetlog.txt CMD: ipconfig /release CMD: ipconfig /renew CMD: netsh int ipv4 reset CMD: netsh int ipv6 reset EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

4

Essexboy - thanks in advance for your help. I removed the 4 pups using MBAM as advised. Not sure if that fixed the problem as the RFIHUB window only appears intermittently. I did run the fxlist.txt as recommended and the log is posted below:

fixlist content:

CreateRestorePoint:
HKU\S-1-5-21-3830564640-2351533630-2455819041-1000.…\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe [1382672 2015-10-21] (Lavasoft)
Winsock: Catalog9 01 C:\Windows\SysWOW64\LavasoftTcpService.dll [345360 2015-10-21] (Lavasoft Limited)
Winsock: Catalog9 02 C:\Windows\SysWOW64\LavasoftTcpService.dll [345360 2015-10-21] (Lavasoft Limited)
Winsock: Catalog9 03 C:\Windows\SysWOW64\LavasoftTcpService.dll [345360 2015-10-21] (Lavasoft Limited)
Winsock: Catalog9 04 C:\Windows\SysWOW64\LavasoftTcpService.dll [345360 2015-10-21] (Lavasoft Limited)
Winsock: Catalog9 16 C:\Windows\SysWOW64\LavasoftTcpService.dll [345360 2015-10-21] (Lavasoft Limited)
Winsock: Catalog9-x64 01 C:\Windows\system32\LavasoftTcpService64.dll [425744 2015-10-21] (Lavasoft Limited)
Winsock: Catalog9-x64 02 C:\Windows\system32\LavasoftTcpService64.dll [425744 2015-10-21] (Lavasoft Limited)
Winsock: Catalog9-x64 03 C:\Windows\system32\LavasoftTcpService64.dll [425744 2015-10-21] (Lavasoft Limited)
Winsock: Catalog9-x64 04 C:\Windows\system32\LavasoftTcpService64.dll [425744 2015-10-21] (Lavasoft Limited)
Winsock: Catalog9-x64 16 C:\Windows\system32\LavasoftTcpService64.dll [425744 2015-10-21] (Lavasoft Limited)
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKLM-x32 - Steganos Password Manager Toolbar - {9C65D12D-CF9D-454D-8049-61965D8C6FFF} - C:\Program Files (x86)\Steganos Privacy Suite 11\SPMIEToolbar.dll No File
Toolbar: HKU\S-1-5-21-3830564640-2351533630-2455819041-1000 → No Name - {9C65D12D-CF9D-454D-8049-61965D8C6FFF} - No File
Toolbar: HKU\S-1-5-21-3830564640-2351533630-2455819041-1000 → No Name - {4F524A2D-5350-4500-76A7-7A786E7484D7} - No File
R2 LavasoftAdAwareService11; C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.8.586.8535\AdAwareService.exe [712432 2015-08-27] ()
R2 LavasoftTcpService; C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.4.7\LavasoftTcpService.exe [2751760 2015-10-21] (Lavasoft Limited)
R2 SearchProtectionService; C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.WinService.exe [17168 2015-10-21] ()
2015-10-21 15:06 - 2015-10-22 04:35 - 00002880 _____ C:\Windows\SysWOW64\LavasoftTcpServiceOff.ini
2015-10-21 15:06 - 2015-10-22 04:35 - 00002880 _____ C:\Windows\system32\LavasoftTcpServiceOff.ini
2015-10-21 15:06 - 2015-10-21 15:07 - 00000000 ____D C:\Users\Peter\AppData\Roaming\Lavasoft
2015-10-21 15:06 - 2015-10-21 15:06 - 00425744 _____ (Lavasoft Limited) C:\Windows\system32\LavasoftTcpService64.dll
2015-10-21 15:06 - 2015-10-21 15:06 - 00345360 _____ (Lavasoft Limited) C:\Windows\SysWOW64\LavasoftTcpService.dll
2015-10-21 15:06 - 2015-10-21 15:06 - 00000000 ____D C:\Users\Peter\AppData\Roaming\LavasoftStatistics
2015-10-21 15:06 - 2015-10-21 15:06 - 00000000 ____D C:\Users\Peter\AppData\Local\Lavasoft
2015-10-21 15:06 - 2015-10-21 15:06 - 00000000 ____D C:\Program Files (x86)\Lavasoft
2015-10-21 15:05 - 2015-10-24 16:49 - 00002289 _____ C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
2015-10-21 15:05 - 2015-10-21 15:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft
2015-10-21 15:05 - 2015-10-21 15:05 - 00000000 ____D C:\Program Files\Lavasoft
2015-10-21 15:03 - 2015-10-21 15:06 - 00000000 ____D C:\ProgramData\Lavasoft
2015-10-21 15:03 - 2015-10-21 15:03 - 02012464 _____ C:\Users\Peter\Desktop\Adaware_Installer.exe
2015-10-21 15:03 - 2015-10-21 15:03 - 00000000 ____D C:\Program Files\Common Files\Lavasoft
AV: Ad-Aware Antivirus (Disabled - Out of date) {B0CC18C6-E527-6EE6-874C-9D19920E5619}
AS: Ad-Aware Antivirus (Disabled - Out of date) {0BADF922-C31D-6168-BDFC-A66BE9891CA4}
FW: Ad-Aware Firewall (Disabled) {88F799E3-AF48-6FBE-AC13-342C6CDD1162}
IE trusted site: HKU.DEFAULT.…\webcompanion.com → hxxp://webcompanion.com
IE trusted site: HKU\S-1-5-21-3830564640-2351533630-2455819041-1000.…\webcompanion.com → hxxp://webcompanion.com
C:\Program Files (x86)\Lavasoft
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Restore point was successfully created.
HKU\S-1-5-21-3830564640-2351533630-2455819041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Web Companion => value removed successfully
“HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001” => key removed successfully
“HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002” => key removed successfully
“HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003” => key removed successfully
“HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004” => key removed successfully
“HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016” => key removed successfully
“HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000001” => key removed successfully
“HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000002” => key removed successfully
“HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000003” => key removed successfully
“HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000004” => key removed successfully
“HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000016” => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => value removed successfully
HKCR\CLSID{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => value removed successfully
HKCR\CLSID{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{9C65D12D-CF9D-454D-8049-61965D8C6FFF} => value removed successfully
“HKCR\Wow6432Node\CLSID{9C65D12D-CF9D-454D-8049-61965D8C6FFF}” => key removed successfully
HKU\S-1-5-21-3830564640-2351533630-2455819041-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{9C65D12D-CF9D-454D-8049-61965D8C6FFF} => value removed successfully
HKCR\CLSID{9C65D12D-CF9D-454D-8049-61965D8C6FFF} => key not found.
HKU\S-1-5-21-3830564640-2351533630-2455819041-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{4F524A2D-5350-4500-76A7-7A786E7484D7} => value not found.
HKCR\CLSID{4F524A2D-5350-4500-76A7-7A786E7484D7} => key not found.
LavasoftAdAwareService11 => Service stopped successfully.
LavasoftAdAwareService11 => service removed successfully
LavasoftTcpService => Service stopped successfully.
LavasoftTcpService => service removed successfully
SearchProtectionService => Service stopped successfully.
SearchProtectionService => service removed successfully
C:\Windows\SysWOW64\LavasoftTcpServiceOff.ini => moved successfully
C:\Windows\system32\LavasoftTcpServiceOff.ini => moved successfully
C:\Users\Peter\AppData\Roaming\Lavasoft => moved successfully
C:\Windows\system32\LavasoftTcpService64.dll => moved successfully
C:\Windows\SysWOW64\LavasoftTcpService.dll => moved successfully
C:\Users\Peter\AppData\Roaming\LavasoftStatistics => moved successfully
C:\Users\Peter\AppData\Local\Lavasoft => moved successfully

“C:\Program Files (x86)\Lavasoft” folder move:

Could not move “C:\Program Files (x86)\Lavasoft” => Scheduled to move on reboot.

C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft => moved successfully
C:\Program Files\Lavasoft => moved successfully

“C:\ProgramData\Lavasoft” folder move:

Could not move “C:\ProgramData\Lavasoft” => Scheduled to move on reboot.

C:\Users\Peter\Desktop\Adaware_Installer.exe => moved successfully
C:\Program Files\Common Files\Lavasoft => moved successfully
AV: Ad-Aware Antivirus (Disabled - Out of date) {B0CC18C6-E527-6EE6-874C-9D19920E5619} => removed successfully
AS: Ad-Aware Antivirus (Disabled - Out of date) {0BADF922-C31D-6168-BDFC-A66BE9891CA4} => removed successfully
FW: Ad-Aware Firewall (Disabled) {88F799E3-AF48-6FBE-AC13-342C6CDD1162} => removed successfully
“HKU.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com” => key removed successfully
“HKU\S-1-5-21-3830564640-2351533630-2455819041-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com” => key removed successfully

“C:\Program Files (x86)\Lavasoft” folder move:

Could not move “C:\Program Files (x86)\Lavasoft” => Scheduled to move on reboot.

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

========= End of Reg: =========

========= RemoveProxy: =========

HKU.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully
HKU.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-3830564640-2351533630-2455819041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-3830564640-2351533630-2455819041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings => value removed successfully

========= End of RemoveProxy: =========

========= netsh advfirewall reset =========

Initialization Function InitHelperDll in NSHHTTP.DLL failed to start with error code 10107
Ok.

========= End of CMD: =========

========= netsh advfirewall set allprofiles state ON =========

Initialization Function InitHelperDll in NSHHTTP.DLL failed to start with error code 10107
Ok.

========= End of CMD: =========

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

========= netsh winsock reset catalog =========

Initialization Function InitHelperDll in NSHHTTP.DLL failed to start with error code 10107

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

========= netsh int ip reset c:\resetlog.txt =========

Reseting Global, OK!
Reseting Interface, OK!
Reseting Route, OK!
Restart the computer to complete this action.

========= End of CMD: =========

========= ipconfig /release =========

Windows IP Configuration

No operation can be performed on Local Area Connection 5 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection while it has its media disconnected.

Ethernet adapter Local Area Connection 5:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::8874:b09f:6395:635c%11
Default Gateway . . . . . . . . . :

Tunnel adapter isatap.T-mobile.com:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

========= End of CMD: =========

========= ipconfig /renew =========

Windows IP Configuration

No operation can be performed on Local Area Connection 5 while it has its media disconnected.
No operation can be performed on Bluetooth Network Connection while it has its media disconnected.

Ethernet adapter Local Area Connection 5:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . : T-mobile.com
Link-local IPv6 Address . . . . . : fe80::8874:b09f:6395:635c%11
IPv4 Address. . . . . . . . . . . : 192.168.29.193
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.29.1

Tunnel adapter isatap.T-mobile.com:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :

========= End of CMD: =========

========= netsh int ipv4 reset =========

Reseting Interface, OK!
Restart the computer to complete this action.

========= End of CMD: =========

========= netsh int ipv6 reset =========

Reseting Interface, OK!
Restart the computer to complete this action.

========= End of CMD: =========

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to cancel {71F626DF-520C-451E-9487-E124F8995A6F}.
0 out of 1 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 809.1 MB temporary data Removed.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-10-25 13:54:18)

C:\Program Files (x86)\Lavasoft => Is moved successfully
C:\ProgramData\Lavasoft => Is moved successfully
C:\Program Files (x86)\Lavasoft => Is moved successfully

==== End of Fixlog 13:54:18 ====

5

Out of curiosity did you install Lavasoft as there was no uninstall entry for it

Monitor for as long as needs and let me know when you are happy or otherwise :slight_smile:

6

I had installed/used AdAware as one of the AVS programs before posting here. What is the recommended combination of AVS software to use? Avast/MBAM? or just MBAM alone?

Hoping that removing the PUPs with MBAM did the trick. Right now all seems well.

All the best - PCY

7

One anti virus and one anti spyware is a nice rule of thumb… Avast and MBAM play nice together :slight_smile:

8

Hello Again -

So your fix worked great in terms of removing the RFIHUB scourge and thanks again.

Realize this might be slightly off topic, but wanted to follow up on your mention about “no uninstall entry for Lavasoft”. After installing MBAM and removing Ad-aware, the latter keeps trying to randomly install itself on my computer. It seemingly happens at random when I click on any number of file formats: .doc, .pdf, .wmv, etc. Not every time, but enough that its getting really annoying by having to close several pop up windows. It looks like I’ve removed any trace to Lavasoft from my computer but evidently something is hiding somewhere still. I’ve attached a screenshot of one pop up window.

Any thoughts people have are appreciated.

PCY

9

Could you run this MSfixit please https://support.microsoft.com/en-gb/mats/program_install_and_uninstall?wa=wsignin1.0

Unfortunately they have retired the MSI cleanup utility that used to fix this problem

10

Hello - I had an extended business trip and was planning to run the MSfixit today. Unfortunately, I opened when I first opened Outlook, I found that the RFIHUB malware has returned before I had the chance. I upgraded to the fully licensed version of MBAM and ran a scan but nothing was detected. I have run a Smart Scan using Avast but still nothing detected.

Suggestions for next steps? Do I recreate the initial series of logs?

Thanks very much for your help.

PCY

11

Yes please a fresh FRST set :slight_smile:

12

Thanks and good hunting!

13

Bits of Adaware came back… You should find two entries in programmes and features after this run
Uninstall both allow windows to remove the entries when it cannot find them

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: HKLM\...\Run: [] => [X] HKLM\...\Run: [AdAwareTray] => "C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.8.586.8535\AdAwareTray.exe" SearchScopes: HKU\S-1-5-21-3830564640-2351533630-2455819041-1000 -> {47959FF7-ED34-4A00-9FBD-3E45B490A497} URL = hxxp://www.search.ask.com/web?tpid=ORJ-SPE&o=APN11405&pf=V7&p2=^BBD^OSJ000^YY^US&gct=&itbv=12.24.1.51&apn_uid=2AA277D6-6BA7-4D25-89F8-A96747B8A89D&apn_ptnrs=BBD&apn_dtid=^OSJ000^YY^US&apn_dbr=ie_11.0.9600.17631&doi=2015-02-22&trgb=IE&q={searchTerms}&psv=&pt=tb BHO-x32: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\PROGRA~2\Yahoo!\Companion\Installs\cpn0\yt.dll => No File S3 Trufos; C:\Windows\System32\DRIVERS\Trufos.sys [452040 2015-01-22] (BitDefender S.R.L.) AdAwareInstaller (Version: 11.8.586.8535 - Lavasoft) Hidden AdAwareUpdater (Version: 11.8.586.8535 - Lavasoft) Hidden Task: {7AE61259-0A5F-4031-ADB7-93EB29F252C7} - System32\Tasks\{AF23F690-89AE-4ED7-8E6A-4D8FAC8992FD} => pcalua.exe -a C:\Users\Peter\Downloads\mp620sosmwin100us.exe -d C:\Users\Peter\Downloads C:\Program Files\Lavasoft C:\Windows\System32\DRIVERS\Trufos.sys Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f RemoveProxy: CMD: netsh advfirewall reset CMD: netsh advfirewall set allprofiles state ON CMD: ipconfig /flushdns CMD: netsh winsock reset catalog CMD: netsh int ip reset c:\resetlog.txt CMD: ipconfig /release CMD: ipconfig /renew CMD: netsh int ipv4 reset CMD: netsh int ipv6 reset EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

14

I ran the program First file as instructed and have attached the output log.

I did find the two instances of Adware in programs and tried to uninstall using windows. One program was deleted but it would not allow me to delete the “installer” using windows. I’ve also attached the error message that comes up. Can’t believe how messed up this company is to create something like this!

15

Revo uninstaller will force uninstall that if you wish…

Meanwhile what other problems are present ?

16

So I am free of RFIHUB at the moment? Any idea how its transmitted? I have a suspicion it happened from a work colleagues memory stick. Will MBAM detect it on a device like that?

I downloaded the free version of REVO. For some reason the Adaware Installer does not show up as a program it can detect/uninstall. Also checked - and there are no programs listed for “Lavasoft”. Any other suggestions?

Again - many thanks.

17

Hmm that is weird I will have a think about it …

For the USB sticks this is the best protection

Download MCShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan

Then get the log which will be located under the logs tab on the main page

And post that