Sigh, after TwinHeadedEagle’s hard work a few days ago, I was threat free. However, after a few days…I got 2 Avast popups last night.
After running Malwarebytes, it seems I still have something…
here are the logs

Hi,

Let’s take a look, shall we?

=> Please download Farbar Recovery Scan Tool (
http://www.mcshield.net/personal/magna86/Images/FRST_canned.png
) by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

here u go magna86

Hi,

My instructions clearly state the need for addition.txt.

Hmmm…it didn’t make any addition.txt files, so i ran it again, and clicked the addition.txt box.

Hi,

It didn’t create the Addition log BC you are not remove the FRST version in THE’s case with DelFix as you should.

Next, you are using multiple AntiVirus product. This can’t do. You must uninstall one of them. Only 1 AV per system.

Then use there removal tools to remove any leftovers.
http://singularlabs.com/uninstallers/security-software/

ALso remove Spybot - Search & Destroy 2 as this software can not follow the current malware.

You still have loaded zekos, the malware isn’t fully removed and you get reinfected.

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

[*]Type rpcss.dll into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
[*]Please attach it to your reply.

I removed AVG, and McAfee.

Here is the search.txt file

The following FixList shall tell FRST to use necessary force in order to disinfect and remove the malware.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Start File: C:\ProgramData\UpdateServer\1403727902\webdev.exe Folder: C:\ProgramData\UpdateServer Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll Reboot: C:\Windows\system32\gyifhy.ijd C:\Windows\system32\kdyhc.kal C:\Windows\system32\khiyc.gmv C:\Windows\system32\rnzio.mrt C:\zoek_backup C:\Users\Chi\AppData\Local\Temp\*.exe C:\Users\Chi\AppData\Local\Temp\*.dll Hosts: BHO-x32: No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} - No File Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File Toolbar: HKLM-x32 - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} - No File FF Extension: No Name - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\18.1.7.598 [2014-05-30] CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

things look good so far…
here’s the fixlog

Cool. Now execute the following FixList. After that, post me the fresh FRST.txt logfile.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Hosts:
R2 WinDevSrv; C:\ProgramData\UpdateServer\1403727902\webdev.exe [389992 2014-06-25] (VM Host Corporation)
Reboot:
C:\ProgramData\UpdateServer

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

oops forgot to post this

Ok. Now I would like to see the following results.

1. Please download ComboFix by sUBs (
   http://www.mcshield.net/personal/magna86/Images/IconComboFix.png
   ) from here and save it to your Desktop.
   [i]If you are unsure how ComboFix works, read this guide.

2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
   If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:
• Right click on the avast! system tray icon (
http://www.mcshield.net/pg/images/avast5.png
) in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.

3. Run ComboFix. Then, on disclaimer window, click I Agree! button.

[i][size=7pt]- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
-If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

• ComboFix will scan your computer in stages, total of 50 stages.
  Do not mouse-click around while ComboFix is running.
• If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
  Note:If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.
  [/i]

4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
   => Attach log report (ComboFix.txt) back to topic.

ComboFix shall also create addition log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

here are the files you asked for

Please bump you post tomorrow.

bump

Hi,

Take a peek in this directorys:
c:\programdata\UpdateServer
c:\users\Chi\AppData\Roaming\serv

If there is nothing there, delete that …

Open notepad and copy/paste the text present inside the code box below:

KillAll::
ClearJavaCache::

Driver::
vToolbarUpdater18.1.7

Folder::
c:\program files (x86)\Common Files\AVG Secure Search
c:\users\Chi\AppData\Roaming\AVG 0214c Campaign

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

Then …

Please download MCShield from one of the following links:

MCShield -Official download link

[*]Double click on MCShield-Setup to install the application.
Next => I Agree => Next => Install … per installation click on Run! button.
[]Wait a few seconds to MCShield finish initial HDD scan…
[]Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
[*]When all scanning is done, you need to post a logreport that MCShield has created.

Under Logs tab (in Control Center) for AllScans.txt log section click on Save button. AllScanst.txt report shall be located on your Desktop.

=> Post here AllScanst.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

inside c:\programdata\UpdateServer there is a folder called 1405049759, inside that folder there is a file called webdev

insdie c:\users\Chi\AppData\Roaming\serv there’s a file = download.dat

is that bad?

or do I still continue?

Yes, feel free to continue with CFScript.

here are the files

Hi, MCShield is the app that is meant to scan your USB memory devices. Have any?

MCShield log tells me you just did the system drive scanned.

Anyway, how is the computer behavior now?