First symptom was Win 7 x64 doesn’t shut down. Hangs at “Please wait” message. System feels slow.
System scan detected nothing. Boot time scan detected and moved to chest:
There could be others. Screen went blank during boot-time scan, computer stopped responding. Performed hard reset at which point Windows startup failed. System Restore allowed Windows startup but infection persists.
According to sticky I ran AdwCleaner. Log follows:
# AdwCleaner v3.005 - Report created 25/09/2013 at 14:16:38
# Updated 22/09/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Luis Faim - SPASTARK-3
# Running from : C:\Users\Luis Faim\Desktop\adwcleaner.exe
# Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
File Found : C:\Users\Luis Faim\AppData\Roaming\Mozilla\Firefox\Profiles\xlgrt4mx.default\user.js
Folder Found C:\ProgramData\boost_interprocess
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\APN PIP
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASMANCS
Key Found : HKLM\Software\PIP
***** [ Browsers ] *****
-\\ Internet Explorer v8.0.7601.17514
-\\ Mozilla Firefox v8.0 (en-GB)
[ File : C:\Users\Luis Faim\AppData\Roaming\Mozilla\Firefox\Profiles\xlgrt4mx.default\prefs.js ]
Line Found : user_pref("de.soerenrinne.googlebuttons.userlist", "Mail,Web Search,Maps,Calendar,Tasks,News,Translate");
Line Found : user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !important; background: url(\"I[...]
Line Found : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
Line Found : user_pref("extensions.wrc.SearchRules.rambler.ru.style", ".WRCN {display:none} .search-results .title + .WRCN {display:inline !important; background: url(\"IMAGE\") right no-repeat}");
*************************
AdwCleaner[R0].txt - [1909 octets] - [25/09/2013 14:16:38]
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1969 octets] ##########
According to sticky I should now run MBAM. Only analyse or should I allow it to try cleaning?
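As an added illustration (not code from the thread or from AdwCleaner), a small check that reads a Firefox prefs.js and flags the preference namespaces the report above listed (extensions.wrc.SearchRules.* and de.soerenrinne.googlebuttons.*), grouping the search rules by the site they target; the sample prefs.js lines are constructed from the report's entries, with the long style bodies shortened and the URL kept defanged as "hxxp".

```python
import re

# Constructed sample of a Firefox prefs.js, modelled on the lines AdwCleaner
# reported above; style bodies are shortened placeholders, not the real values.
SAMPLE_PREFS = r'''
user_pref("browser.startup.homepage", "about:home");
user_pref("de.soerenrinne.googlebuttons.userlist", "Mail,Web Search,Maps");
user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none}");
user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
user_pref("extensions.wrc.SearchRules.rambler.ru.style", ".WRCN {display:none}");
user_pref("network.cookie.cookieBehavior", 0);
'''

# Preference-name prefixes taken from the report above. This is a starting
# point for triage of a profile, not an exhaustive adware signature list.
SUSPECT_PREFIXES = ("extensions.wrc.SearchRules.", "de.soerenrinne.googlebuttons.")

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')


def parse_prefs(text):
    """Return (name, raw_value) pairs for every user_pref(...) line."""
    out = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def find_suspect_prefs(text, prefixes=SUSPECT_PREFIXES):
    """Names of preferences whose name starts with one of the suspect prefixes."""
    return [name for name, _ in parse_prefs(text) if name.startswith(prefixes)]


def rules_by_site(text):
    """Group extensions.wrc.SearchRules.<site>.<kind> entries by targeted site."""
    prefix = "extensions.wrc.SearchRules."
    sites = {}
    for name, _ in parse_prefs(text):
        if name.startswith(prefix):
            site, _, kind = name[len(prefix):].rpartition(".")
            sites.setdefault(site, set()).add(kind)
    return sites


if __name__ == "__main__":
    for name in find_suspect_prefs(SAMPLE_PREFS):
        print("suspect pref:", name)
    print(rules_by_site(SAMPLE_PREFS))
```

To run it against a real profile, read the prefs.js (and any user.js, which the report also flagged) from the profile folder and pass the text to the two functions.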
allow it to clean... then attach logs, also OTL and aswMBR
when you clean with AdwCleaner and MBAM first, the OTL log will be much smaller because most of the crap is removed
that also makes the OTL fix smaller … saves the remover lots of work.
Apparently no big alarm bells!?
From the info I googled on the virus names, none seem to be ‘that’ bad. What do you think?
I’ll reboot now to check if the hanging shutdown problem persists and report back here.
Edit: Hooray! I can shut down and restart now. Can’t say yet if the machine is more responsive.
Could it be that I’m clean now? What is the word on these reports?
Do you see any threats in the reports that could have compromised my homebanking passwords? Keyloggers and the like?
That is what I’m most worried about.
essexboy is in bed now, so you get the verdict tomorrow afternoon when he is back
somoto and the other PUP detections found by Malwarebytes are some browser hijacker crapware, and lootor seems to be related to android phones, so yeah, nothing bad, but there may be additional files that need removal… you find out tomorrow, then he will also remove the tools used
recommended to keep is Malwarebytes
recommended to add is MCShield USB protector http://mcshield.net/
Well, the system doesn’t hang anymore when trying to shutdown and that was the prime symptom.
So if it looks ok and you see no major threats and no further action, I am content.
Thank you very much essexboy and Pondus for your help!
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself so… The following will implement some cleanup procedures as well as reset System Restore points:
Run AdwCleaner and press uninstall
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.
Clear Restore Points
Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up, at the first prompt select OK; after it has done some calculations the tabs will appear
Select More Options tab
Press System Restore and Shadow Copies Cleanup button
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link
If you use on-line banking then as an added layer of protection install Trusteer Rapport
It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit Microsoft Windows Update
Tried to run AdwCleaner and it wouldn’t start.
Tried to shut down the computer and it hung at the “Please Wait” message, and just before that it showed a message pertaining to AdwCleaner:
“Too many 16bit program are currently in use. Please close…”
I have recently seen this message about other executables that I double-clicked but did not start.
I restarted the computer by cutting power, ran AdwCleaner, which (as observed earlier with other failed runs) did run this time, scanned again and am attaching its report again.
AdwCleaner only scanned, I never pressed Clean button. Should I?
What is the procedure now? Repeat the MBAM, OTL etc and re-attach reports?
Well, I’m not sure the infection is resolved but I’ve gone ahead and uninstalled AdwCleaner and OTL.
Haven’t removed Restore Points yet. Only want to do that once I get avast Boot time scan to run to completion and once I’m convinced there’s no infection.
I cleaned temp files (bitool.dll vanished), ran MalwareBytes again and it found no threats.
I’ll keep MalwareBytes, intend to install Trusteer Rapport but not FileHippo.
I’ll update avast engine now.