Somoto-m removal procedure

Hello, I am a long-standing Avast user, I have Internet Security.
Some days ago - of course those things happen when one is in a hurry - I started having issues with my browser, with the internet being slow and pages refusing connections or being riddled with errors.
I initially neglected the issue but after a day the problem became worse. Many common sites (including Google and Facebook) would not load, requesting a newer version of Flash. I found that extremely odd and after another day I came to the conclusion I had to have been infected.
I initially did a full reboot scan and Avast found an infection from Somoto-M. I searched on the net for the M variant with little success. The file was detected in the trashcan and I had it moved to the virus chest.
For about a day everything seemed to be back to normal, but the infection is there again.
Even worse, it spread from my primary computer to the laptop (which I seldom use).

I see you’re doing quite some good work on this forum but unfortunately I cannot afford to keep myself informed on threatware so I have to ask for help. For the time being, I’m following the malware removal guide.

The Malwarebytes scan signaled nothing. To be honest, it was rather fast and I suspect the malware might have lured me into downloading an infected executable. I attach the resulting report anyway, as well as those produced by OTL.

I suppose I have to carry on with the procedure right now.

Another message to keep the concepts separated.
Since the network is surely involved: my home network is comprised of three computers.

  • Q6600 is nearly a mission-critical system. It works several hours each day and is often left on even at night. It uses cabled networking.
  • Rana is my primary computer. It uses wifi networking. It gets quite some uptime, albeit less than Q6600.
  • i3 is a family laptop. Very seldom used, at the start of this adventure it seemed to work perfectly. Wifi networking.

My user is available on all three machines. So far I’ve had the chance to play a bit only with the laptop and I can tell it presents the same symptoms.

I have not tested other users (since I don’t remember their passwords) but I had a chance to use Q6600 with my father’s account. It looks functional, although a boot scan I did today revealed quite a few infections which I probably will never be able to clean any time soon.

Notably, the infection affects Rana’s administrator account but apparently not (yet) the laptop’s administrator (unsurprisingly, as they have different logins and different passwords).

On the pro side, Avast SafeZone seems to be unaffected. I suppose that’s the good news.

As I said, I’m going to follow the procedure in the thread about malware removal but of course I would gladly accept every possible suggestion!

Monitoring

I initially did a full reboot scan and Avast found an infection from Somoto-M.
Somoto is not an infection... it is a PUP = not a virus / Possible Unwanted Program... usually crap that comes bundled with freeware downloads.

http://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/Somoto%20BetterInstaller/detailed-analysis.aspx

Logs look pretty good.

  • Run OTL (If you have Windows Vista / Windows 7 / Windows 8 please do a Right click on the OTL icon and select Run as Administrator).
  • Copy (Ctrl+C) and Paste (Ctrl+V) all of the following text into the Custom Scans/Fixes box:


:Commands
[CREATERESTOREPOINT]

:OTL
FF - user.js - File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_13_0_0_206.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No CLSID value found.
O4 - HKU\S-1-5-21-4226515709-3376709418-2317576406-1002..\Run: [EPLTarget\P0000000000000000] C:\Windows\system32\spool\DRIVERS\x64\3\E_YATIHFE.EXE /EPT "EPLTarget\P0000000000000000" /M "WP-4525 Series" File not found
O13:64bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
[2014/03/19 15:37:08 | 000,000,000 | -H-- | C] () -- C:\ProgramData\DP45977C.lfl

:Commands
[RESETHOSTS]
[EMPTYTEMP]

  • Click the Run Fix button.
  • After your computer has rebooted, post the Fixlog into your next reply.

Then,

Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop:

Download Mirror #1

  • Right-click on AdwCleaner.exe and select Run as administrator. (If you have Windows XP then just run it.)
  • Click Scan and let the scan run.
  • When it finishes, click Clean, following the on-screen prompts.
  • After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.

Note: The log can also be found in here: C:\AdwCleaner

Then,

http://imageshack.us/a/img841/7292/thisisujrt.gif
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select “Run as Administrator”.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system’s specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Then,

  • Run OTL by double-clicking on it. (If you have Windows Vista / Windows 7 / Windows 8 please do a Right click on OTL.exe and select Run as Administrator)
  • Click Quick Scan to start OTL.
  • When OTL finishes scanning, a log, OTL.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.
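The [RESETHOSTS] step in the fix above rewrites the Windows hosts file, and a hijacked hosts file is one of the ways well-known sites end up unreachable or served from somewhere else, as described at the top of the thread. The script below is an added example (not from the thread, the helper, or the OTL tool): it audits a hosts file, skips the normal loopback/blocking idiom, and flags every hostname redirected to a routable address, so a defender can see what the reset is about to discard. The sample hosts content is constructed.

```python
import ipaddress
import sys

# Constructed sample hosts file (not taken from the thread): two normal
# lines, one ad-blocking line and two lines redirecting well-known sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.test   # blocking-style entry, fine
203.0.113.45    www.google.com
203.0.113.45    facebook.com  www.facebook.com
"""

# Names a stock hosts file may legitimately map to a loopback address.
EXPECTED_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each non-comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            fields = line.split()
            yield no, fields[0], fields[1:]

def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for suspicious entries.
    Loopback/unspecified targets (127.x, ::1, 0.0.0.0) are the usual blocking
    idiom and are skipped; a real hostname sent to a routable address is not."""
    findings = []
    for no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, ip, " ".join(names), "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        for name in names:
            if name.lower() not in EXPECTED_LOCAL:
                findings.append((no, ip, name, "host redirected to remote address"))
    return findings

if __name__ == "__main__":
    # Audit a real hosts file if a path is given, otherwise the sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for no, ip, name, why in audit_hosts(text):
        print(f"line {no}: {ip} -> {name}: {why}")
```

On Windows the file to pass as the argument is C:\Windows\System32\drivers\etc\hosts; read it from an elevated prompt if access is denied.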

Here is the resulting OTL log. I’m going to run AdwCleaner now.

By the way, as I expected, my father cancelled the remaining scan on Q6600. Up to 85%, it reported quite a few infections; I took note of some of them. I’m sure there are plenty of other problems in that remaining 15% but apparently there was something more important to do.
On reboot, my father’s account presented the same problems. Notably, he has an account on the laptop.
Nonetheless, it now seems extremely likely the infection started from Q6600 - I have no words to describe its IE toolbar status. The starting event might have been a couple of weeks ago when I changed the Q6600/MaxDZ8 password to match Rana/MaxDZ8.

I also tested another account on the laptop and found out it is now having the same problems. Notably, that user is laptop-specific. No user, unless explicitly noted, has administrator privileges, so I’m fairly sure the admin account had it.

As a side note: even in safebox, the captcha is often not shown.

AdwCleaner logs - 2 files.
Note I had no files auto-opened. I suppose it would open the logs itself if I would log in using the administrator account, but I’m not used to. Is it the case I just use the admin account?
Now running JRT.

Here is the resulting OTL log. I'm going to run AdwCleaner now.
You have not attached the OTL log after the fix run.

Thank you. I suppose it got lost when I refreshed the page to get my captcha.
Here is OTL log.

Scanning was fairly fast, I’d say less than 10 minutes. I don’t know when it happened since I didn’t hear any sound, but when I went back to my PC it was logged in using the admin account.
Now running OTL again as instructed.

I ran it using the options suggested in the sticky thread.
I have not tested whether the problem is still there - I don’t need the blocked sites today - but I am indeed browsing my trusted sites. I have observed no problems, though I didn’t observe problems there previously either, so I guess I should either do a check or carry on with the procedure; but I suppose the best thing to do is to wait for your suggestion.

Note: I had to edit the previous message as the file didn’t get attached.
On closer scrutiny, the file didn’t appear to be in the folder I specified, nor in the USB key I used as an emergency.
I suppose something went wrong with the browser (it crashed soon before) but I remounted my USB key and uploaded the file again.

Result of aswMBR.
I am starting to run out of ideas.
What should I do now?

I wonder if the problem can be in my router - I have heard they sometimes get compromised.

I had to run aswMBR twice, somehow the logfile icon would not show on my desktop. The logfile wasn’t even there according to a command prompt dir, but I could see it from safezone.

You had a lot of Temp folders. You should restart and keep everything clean a little more often. You had over 2 GB of temp files.

Listen to all of Mach’s instructions please :)

Hey,
Logs look pretty good.

First,

  • Run OTL (If you have Windows Vista / Windows 7 / Windows 8 please do a Right click on the OTL icon and select Run as Administrator).
  • Copy (Ctrl+C) and Paste (Ctrl+V) all of the following text into the Custom Scans/Fixes box:


:Commands
[CREATERESTOREPOINT]

:OTL
FF - user.js - File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_13_0_0_206.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No CLSID value found.
O13:64bit: - gopher Prefix: missing
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.

:Commands
[EMPTYTEMP]

  • Click the Run Fix button.
  • After your computer has rebooted, run OTL and click Quick Scan.
  • Copy and paste the contents of the log that it produces into your next post.

Then,

Please download Malwarebytes Anti-Malware to your desktop. Install the programme and select Update.
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits

https://dl.dropboxusercontent.com/u/73555776/MBAMsettings.JPG

Go back to the Dashboard and select Scan Now

https://dl.dropboxusercontent.com/u/73555776/MBAMScan.JPG

If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.

https://dl.dropboxusercontent.com/u/73555776/MBAMReboot.JPG

https://dl.dropboxusercontent.com/u/73555776/MBAMLog.JPG

On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop
Attach/Post that log

Then,

Please disable your AntiVirus before doing these steps!

  • If you have Win Vista / Win 7 / Win 8 please start IE as Administrator!
  • This will only work for Internet Explorer or Firefox.
  • Please download ESET Online Scanner from here.

How to do this?

  • Visit this website here.
  • You will see a screen like this:

http://s7.directupload.net/images/131201/e922iil8.png

  • Click Run ESET Online Scanner

http://s14.directupload.net/images/131201/4e3svhbd.png

  • A window will open (see above) - please click on the link.
  • A window will pop up - please download the file to your Desktop.
  • When the download has finished please run the program (for Win Vista / Win 7 / Win 8 users please run it as Administrator).

http://s14.directupload.net/images/131201/p35jbmyy.png

  • Tick the box next to YES, I accept the Terms of Use, then click on: Start
  • You may see a panel towards the top of the screen telling you the website wants to install an addon… click and allow it to install. If your firewall asks whether you want to allow installation, say yes.

http://s7.directupload.net/images/131201/p3b9meru.png

  • Make sure that the option Remove found threats is NOT checked.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Then click on Start.
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • After the scan is finished, please click on Finish.
  • Use Notepad to open the logfile located at C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.

Then,
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Then,
How is your PC running?

Hello Machiavelli, thank you very much for your efforts.
I will execute the last sequence of commands you gave me this afternoon.

In the meanwhile, I want to update you all on what happened yesterday.
After my morning messages, I had to work to pull out a few numbers. I had no issues. I am 100% sure everything worked fine at around 17:00; no site had issues.
Then, at about 19:00, the problem arose again. My father turned on Q6600 more or less at the same hour, so I figured there would be a connection. Clearly, not marking it with a red cross DO NOT START has been a huge error.

This morning I have changed the passwords on all the computers and they are now unique.
I also had a full scan on Q6600. As predicted, the number of viruses in that remaining 15% was extreme. I took the initiative to also run AdwCleaner and JRT, which seemed to fix everything… up to reboot.
Q6600 also got a new admin account which worked perfectly until reboot and now exhibits the same problem.

Give me a few hours to execute your new instructions, I’ll keep you posted. Thank you again.

OK, this PC that we are currently working on is clean if we trust the logs. So you have another infected PC? Just as information, I don’t recommend using these tools (JRT, AdwCleaner, etc.) without an expert.

I understand those tools are indeed powerful. Although I have basically no experience with malware or viruses, I have taken the risk of running them, as I have some general and not-so-general experience and I really needed to gather some information. I’ll keep running only Rana connected, Q6600 isolated and the laptop shut down with no battery.

I want to note the browsers appear to run correctly right now. Blocked sites I use for testing: google.com, facebook.com. Sure hits. Others are rarely affected.
The current situation appears to be more or less the same as yesterday.

For the rest, the situation with the systems is:

  • Rana has always been rather snappy. I cannot observe any anomaly… besides the blocked sites. I would attach a screenshot but it seems to work right now, and I am 100% sure it didn’t before the fix.
  • Laptop has always been slow since day one (I blame HP crapware). The situation appears to be the same as on Rana.
  • Q6600 is in a terrible state. After today’s cleaning, the CPU is like 20C cooler. I observed it has been slow for a while (and considering the logs, it’s not surprising) but after the cleaning, it’s now super slow. Not like “Atom slow”, more like “network timeout slow”. On the pro side, the situation allowed me to take it down for maintenance.

I will now run MalwareBytes again on Rana.

Nothing. Will it last?
Now going with the ESET scanner.

I’m waiting for the ESET Log