Background: I noticed one day that I was downloading/uploading significantly more traffic than usual with what I normally have open. I ran Wireshark and it turns out that my computer has been essentially clicking ads in the background. I ran scans with AVG, Spybot S&D, etc. and found nothing. I’ve been looking for an excuse to uninstall AVG anyway, so I uninstalled that and installed Avast Free.
Avast at least recognizes that there is something going on:
http://i.imgur.com/uD6jM0v.png
http://i.imgur.com/ExDUkR9.png
http://i.imgur.com/wNeJj6C.png
Those pop up every couple of minutes with variations of the same URL but different search terms. What’s actually causing it, however, doesn’t show up when running a scan. From the stickied thread, I’ve attached AdwCleaner, Malwarebytes, OTL and aswMBR logs.
Hi,
Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Under Optional Scan, ensure “List BCD” and “Driver MD5” are ticked.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Hi,
Yes, you are definitely infected with one hardcore virus 
Let’s exterminate it…
Download TDSSKiller and save it to your desktop
Execute TDSSKiller.exe by double-clicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.
- Press Start Scan
- If a Suspicious object is detected, the default action will be Skip; click on Continue.
- If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
Twin, I shadow just about every removal expert on these forums. What virus is it? PM me! I’m just curious lol
Said no threats detected.
Run TDSS Killer again, but now click on Change parameters, check all boxes, and rescan…
Pondus
Since TwinHeadedEagle is running TDSSKiller… that should give you an idea ???
Most probably he is infected with a rootkit.
Ok, let’s continue 
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
HKCU\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume2\Users\User\AppData\Local\Temp\suinbtb\ssvyfte\wow.dll ATTENTION! ====> ZeroAccess?
MountPoints2: {458106ac-0686-11e2-9bf9-806e6f6e6963} - G:\setup.exe
CHR HKLM-x32\...\Chrome\Extension: [hbcennhacfaagdopikcegfcobcadeocj] - C:\Program Files (x86)\Common Files\Spigot\GC\saebay_1.1.crx
CHR HKLM-x32\...\Chrome\Extension: [icdlfehblmklkikfigmjhbmmpmkmpooj] - C:\Program Files (x86)\Common Files\Spigot\GC\errorassistant_1.1.crx
CHR HKLM-x32\...\Chrome\Extension: [mhkaekfpcppmmioggniknbnbdbcigpkk] - C:\Users\User\AppData\Local\Slick Savings\coupons.crx
CHR HKLM-x32\...\Chrome\Extension: [pfndaklgolladniicklehhancnlgocpp] - C:\Program Files (x86)\Common Files\Spigot\GC\saamazon_1.0.crx
C:\Program Files (x86)\Common Files\Spigot
C:\Users\User\AppData\Local\Slick Savings
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com?type=937811&fr=spigot-yhp-ie
C:\Users\User\AppData\Local\Temp\suinbtb\ssvyfte\wow.dll
C:\Users\User\AppData\Local\Temp
cmd: ipconfig /flushdns
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
Then…
Download ListParts64.exe from link below
http://www.bleepingcomputer.com/download/listparts/dl/78/
Start it, click on Scan, and attach the report.
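A reviewer’s check, added here as an example that is not part of the thread or of FRST’s own tooling: a small Python classifier that reads a fixlist in the format pasted above and lists what each line would act on (registry key or value, Chrome extension, MountPoints2 entry, file path, or command), flagging lines that carry FRST’s own ATTENTION! marker. The sample lines are constructed from the script above, and the line categories are my assumptions, not FRST’s documented grammar.

```python
import re
from collections import Counter
from dataclasses import dataclass

@dataclass
class FixEntry:
    kind: str              # command, extension, mountpoint, registry_value, registry_key, path, unknown
    target: str            # the object the fix would act on (path, key, extension id, ...)
    detail: str = ""       # extra data on the line (crx file, drive target, value data)
    flagged: bool = False  # FRST's own "ATTENTION!" marker was present on the line

# Assumed line shapes, derived from the fixlist above (not FRST's formal grammar)
_EXT_RE = re.compile(r"^CHR .*Extension: \[([a-z]{32})\] - (.+)$")
_MP_RE = re.compile(r"^MountPoints2: (\{[0-9a-f-]{36}\}) - (.+)$")
_DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

def parse_fixlist_line(line: str) -> FixEntry:
    """Classify one non-empty fixlist line so a reviewer sees what the fix will touch."""
    line = line.strip()
    flagged = "ATTENTION!" in line
    if line.startswith("cmd: "):
        return FixEntry("command", line[5:], flagged=flagged)
    if m := _EXT_RE.match(line):
        return FixEntry("extension", m.group(1), m.group(2), flagged)
    if m := _MP_RE.match(line):
        return FixEntry("mountpoint", m.group(1), m.group(2), flagged)
    if line.startswith("HK"):
        if " = " in line:                      # "key,value = data" form
            key, data = line.split(" = ", 1)
            return FixEntry("registry_value", key, data, flagged)
        key, _, data = line.partition(": ")    # "key: [name] data" form
        return FixEntry("registry_key", key, data, flagged)
    if _DRIVE_RE.match(line):
        return FixEntry("path", line, flagged=flagged)
    return FixEntry("unknown", line, flagged=flagged)

def parse_fixlist(lines):
    return [parse_fixlist_line(l) for l in lines if l.strip()]

def summarize(entries):
    return dict(Counter(e.kind for e in entries))  # e.g. {'path': 1, 'extension': 1, ...}

# Constructed sample in the style of the fixlist above (not the user's full script)
SAMPLE_FIXLIST = [
    r"HKCU\...409d6c4515e9\InprocServer32: [Default-shell32] \\?\globalroot\Device\HarddiskVolume2\Users\User\AppData\Local\Temp\suinbtb\ssvyfte\wow.dll ATTENTION! ====> ZeroAccess?",
    r"MountPoints2: {458106ac-0686-11e2-9bf9-806e6f6e6963} - G:\setup.exe",
    r"CHR HKLM-x32\...\Chrome\Extension: [hbcennhacfaagdopikcegfcobcadeocj] - C:\Program Files (x86)\Common Files\Spigot\GC\saebay_1.1.crx",
    r"C:\Program Files (x86)\Common Files\Spigot",
    r"HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com?type=937811&fr=spigot-yhp-ie",
    r"cmd: ipconfig /flushdns",
]
```

Running `parse_fixlist(open("fixlist.txt"))` on a real script gives the same per-line breakdown, so the flagged entries and the paths about to be deleted can be read over before pressing Fix.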
Hi,
Re-run FRST and post me the fresh scan log.
Then…
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
Logs look clean now, any more problems?
Seems to be all good now. Thank you very much.
Alright then 
Please download DelFix by “Xplode” to your Desktop.
Run the tool and check the following boxes below;
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Now click on the “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored on C:\DelFix.txt
I don’t need DelFix log report.
Uninstall Adobe Reader, and download latest version.
Stay safe 