Greetings,

I’m having the same problem as several others, this post sums it up;

http://forum.avast.com/index.php?topic=149699.0

I’ve run Malwarebytes and it found a couple things.
I ran Avast and it found a few things but the problem persists.

I have attached the OTL logs, aswMBR and MBAW log.

I’m running Windows 7 64 bit on an HP Pavilion g7 Notebook PC

Thanks in advance for any help you can provide.

I will be offline for the next 8 hours (U.S. time) but will follow any suggestions you guys may have tonight and post the results.

Thanks again.

I’m on it …

Hi TheHorror,

Before we continue I would like to get the reports from the tools below.

Please download Farbar Recovery Scan Tool (
http://www.mcshield.net/personal/magna86/Images/FRST_canned.png
) by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

.

.

Please download GMER, the RootKit Detector tool from the link below and save it to your Desktop:

Gmer download link
Note: file will be random named

Double-clicking to run GMER.

[*]Wait for initial scan to finish - if there is any query, click No;
[*]Click [ Scan ] button and wait until the full scan is complete;
[*]Click [ Save … ]- save the report to the Desktop (named ARK );

[*]Then click the >>> button and select Autostart card;
[*]Click [ Scan ] button;
[*] After quick scan, click Copy button;
[*]Open notepad and Paste text. Save report to the Desktop (named autostart )

Attach here both Gmer logreports. (ARK.txt and autostart.txt)

just a note … you are running Malwarebytes 1.75 … V 2.0 have been out for some time

Your infection needs to be followed directly. Do not run ANY scans without magna approving it. Malwarebytes included. That files needs to be replaced. Not deleted.

Magna will help you from here.

Thanks magna.

Here are the Farbar logs.

Here are the Gmer log reports.

Hi TheHorror, let’s start hunting that bastard.

The following FixList (script) shall tell FRST to become aggressiv and target the malware (plus some bad things too) and remove/disinfect it.

When FRST remove malware, I’d like everything double-check with ComboFix.

---

=> FRST’s FixList

---

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Start Folder: C:\Users\Nathan\AppData\Local\EmieSiteList C:\Windows\system32\pjsbqlm.qsa C:\Windows\system32\aibtgil.cfr C:\Windows\system32\vmtg.saz C:\Windows\system32\doln.vgv C:\Users\Nathan\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe C:\Users\Nathan\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe C:\Users\Nathan\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe C:\Users\Nathan\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe C:\Users\Nathan\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe C:\Users\Nathan\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe C:\Users\Nathan\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe C:\Users\Nathan\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe C:\Users\Nathan\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe C:\Users\Nathan\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe C:\Users\Nathan\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe C:\Users\Nathan\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe C:\Users\Nathan\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe C:\Users\Nathan\AppData\Local\Temp\lwh30ob5.dll C:\Users\Nathan\AppData\Local\Temp\MSNFF88.exe C:\Users\Nathan\AppData\Local\Temp\oyc4a_7n.dll REPLACE: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll REBOOT: SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = SearchScopes: HKCU - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = SearchScopes: HKCU - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = SearchScopes: HKCU - {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL = Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File U3 aswMBR; \??\C:\Users\Nathan\AppData\Local\Temp\aswMBR.sys [X] End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

---

=> ComboFix

---

1. Please download ComboFix by sUBs (
   http://www.mcshield.net/personal/magna86/Images/IconComboFix.png
   ) from here and save it to your Desktop.
   [i]If you are unsure how ComboFix works, read this guide.

---

2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
   If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:
• Right click on the avast! system tray icon (
http://www.mcshield.net/pg/images/avast5.png
) in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.

---

3. Run ComboFix. Then, on disclaimer window, click I Agree! button.

[i][size=7pt]- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
-If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

• ComboFix will scan your computer in stages, total of 50 stages.
  Do not mouse-click around while ComboFix is running.
• If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
  Note:If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.
  [/i]

---

4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
   => Attach log report (ComboFix.txt) back to topic.

ComboFix shall also create addition log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

Here are the FRST and ComboFix logs.

The alerts have stopped but I don’t seem to be able to get Google results from the (don’t know what to call it) box in the upper left of iExplorer where the http info is displayed. Do I need to reset Google as my search engine?

Hi,

Well, this looks good. We shall run ComboFix one more time. This time, we will use CFScript to tell the tool to preform some additional fixes …
Then I like check again with fresh FRST logreprot.

Do I need to reset Google as my search engine?

Yes, do that please, before re-running FRST. Set google as default search engine and as home page. Or ... you may reset Chrome seetings back to default. You wont lose your bookmarks or typed passwords.

---

CF’s CFScript

---

Open notepad and copy/paste the text present inside the code box below:

SkipFix::

ClearJavaCache::

RegLock::
[HKEY_USERS\S-1-5-21-220738300-221661899-3633194777-1001_Classes\Wow6432Node\CLSID{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_USERS\S-1-5-21-220738300-221661899-3633194777-1001_Classes\Wow6432Node\CLSID{c935c2d3-5a6b-455d-8921-4d0a88507594}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

---

FRST Scan

---

Set google.com as home/default on GoogleChrome. Then, please re-run FRST tool …
Please note that FRST has been updated recently, so wait few seconds for tool being update itself and then press the Scan button.
Please post here fresh created FRST.txt logreport.

ComboFix log an FRST log attached.

Google issue resolved, seems to be running well so far.

I can’t thank you enough.
Let me know if there is anything else you want me to do. I’ll keep checking back.

Hi, as logs looks clean and problem has been resolved, I shall remove my tools.

• The following will implement some post-cleanup procedures:

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

DeleteQuarantine: 

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Note, I do not need that log.
Note: If the tool warned you about the outdated version please download and run the updated version.

It is necessary to uninstall ComboFix :

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process is complete.

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;
[i]
http://www.mcshield.net/personal/magna86/Images/checkmark.png
Remove disinfection tools

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Create registry backup

http://www.mcshield.net/personal/magna86/Images/checkmark.png
Purge System Restore [/i]
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:[b]DelFix.txt[/b])

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

Tools removed.

THANK YOU!!!