Trojan.Agent/Gen-Falleg [cont]

I am disinfecting a friend’s laptop and pulled the laptop drive and put it in my desktop.

First I run Norton’s and get zero results as usual, but MBAM finds 50 infestations: mostly PUPs and a few adware, mostly toolbars.

Then I run SAS and it finds a Trojan. The Trojan.Agent/Gen-Falleg [cont] and a few other nasties.

Here’s the logs for these scans, while I rescan with the drive back in the laptop.

If you want a malware check, follow the logs-to-assist-to-clean-malware thread at the top of the forum section and attach the logs. When done, the malware removers will be notified.

OK, that last one finished finally.

Here’s the logs from the sticky.

I had to redo adwcleaner again, as I apparently ran it on the other account on this laptop. So this is a newer one.

Monitoring.

Hi,

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:files
C:\Windows\SysNative\drivers\avgtpx64.sys

:services
avgtp

:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzutAtN2Y1L1Qzuzz0C0AzyzztB0A0B0FtCtDzytD0CyCyBtN0D0TzutBtDtCtBtDyDtBzy&cr=1796634388
IE - HKU\S-1-5-21-627836446-3073685375-2359285761-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&AF=110807&tt=290312_bexdll&babsrc=SP_ss&mntrId=e4570c670000000000008ca982abf109
IE - HKU\S-1-5-21-627836446-3073685375-2359285761-1000\..\SearchScopes\{13B444AA-0C36-49CA-B15D-E2FA6522CF87}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=4F19DFDE-2641-432D-9197-E626786044C6&apn_sauid=BE37712F-C7DE-434F-9C05-8C0A2A7D3342
IE - HKU\S-1-5-21-627836446-3073685375-2359285761-1000\..\SearchScopes\{36377DD7-B3EB-42f5-986F-680BAF59BA9D}: "URL" = http://start.iplay.com/searchresults.aspx?o=chrome&q={searchTerms}
IE - HKU\S-1-5-21-627836446-3073685375-2359285761-1000\..\SearchScopes\{413F313F-36FE-484C-A790-F1CA9D76CBA0}: "URL" = http://www.flickr.com/search/?q={searchTerms}
IE - HKU\S-1-5-21-627836446-3073685375-2359285761-1000\..\SearchScopes\{638A5D26-DDEF-A355-E5AA-2E9331BD90E2}: "URL" = http://isearch.avg.com/search?cid={3CDBE3B3-FD3B-4A80-8B94-3221C0943297}&mid=358b8f99bf1f47d0a71d540ab00d786b-5b3fb1b539b17b75f71db3bd295a908ad5a2de3e&lang=en&ds=ft011&pr=sa&d=2012-04-17 20:16:41&v=10.2.0.3&sap=dsp&q={searchTerms}
IE - HKU\S-1-5-21-627836446-3073685375-2359285761-1000\..\SearchScopes\{6ADEFDA2-306F-4733-B3C4-20A7B1A35244}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3018509
IE - HKU\S-1-5-21-627836446-3073685375-2359285761-1000\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={3CDBE3B3-FD3B-4A80-8B94-3221C0943297}&mid=358b8f99bf1f47d0a71d540ab00d786b-5b3fb1b539b17b75f71db3bd295a908ad5a2de3e&lang=en&ds=ft011&pr=sa&d=2012-04-17 20:16:41&v=15.3.0.11&pid=avg&sg=0&sap=dsp&q={searchTerms}
IE - HKU\S-1-5-21-627836446-3073685375-2359285761-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=139&systemid=406&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-627836446-3073685375-2359285761-1000\..\SearchScopes\{A5EDF135-212E-41CE-A8AC-27F7809F834D}: "URL" = http://www.mysearchresults.com/search?&c=2648&t=03&q={searchTerms}
IE - HKU\S-1-5-21-627836446-3073685375-2359285761-1000\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://www.ask.com/web?q={SEARCHTERMS}&o=15527&l=dis&prt=360&chn=s1122&geo=US&ver=5
IE - HKU\S-1-5-21-627836446-3073685375-2359285761-1000\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}: "URL" = http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=82157&iwk=234&lng=en
IE - HKU\S-1-5-21-627836446-3073685375-2359285761-1000\..\SearchScopes\{E2290E25-00D8-4458-B2BE-2B63CDC13460}: "URL" = http://delicious.com/search?p={searchTerms}
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.startup.homepage: "http://isearch.avg.com?pid=avg&sg=0&cid=%7Bc52b81fb-d6d1-4235-bfcd-418052229537%7D&mid=358b8f99bf1f47d0a71d540ab00d786b-5b3fb1b539b17b75f71db3bd295a908ad5a2de3e&ds=ft011&v=15.4.0.5&lang=en&pr=sa&d=2012-04-17%2020%3A16%3A41&sap=hp"
FF - prefs.js..extensions.enabledAddons: ffxtlbr%40babylon.com:1.1.9
FF - prefs.js..extensions.enabledAddons: ffxtlbr%40funmoods.com:1.5.1
[2013/10/13 19:29:32 | 000,000,000 | ---D | M] (No name found) -- C:\Users\AngieGuinn\AppData\Roaming\Mozilla\Extensions
[2013/10/13 19:32:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\AngieGuinn\AppData\Roaming\Mozilla\Firefox\Profiles\66i6pawr.default\extensions
[2013/08/17 22:21:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\AngieGuinn\AppData\Roaming\Mozilla\Firefox\Profiles\66i6pawr.default\extensions\{5ebdca98-43b3-45bb-87e0-716029fb42ab}
[2012/10/10 18:17:53 | 000,000,000 | ---D | M] (Searchqu Toolbar) -- C:\Users\AngieGuinn\AppData\Roaming\Mozilla\Firefox\Profiles\66i6pawr.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
[2013/08/17 22:21:46 | 000,000,000 | ---D | M] ("I Want This") -- C:\Users\AngieGuinn\AppData\Roaming\Mozilla\Firefox\Profiles\66i6pawr.default\extensions\crossriderapp2258@crossrider.com
[2012/04/02 00:31:00 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\AngieGuinn\AppData\Roaming\Mozilla\Firefox\Profiles\66i6pawr.default\extensions\ffxtlbr@babylon.com
[2012/12/19 20:28:02 | 000,000,000 | ---D | M] (Funmoods.com) -- C:\Users\AngieGuinn\AppData\Roaming\Mozilla\Firefox\Profiles\66i6pawr.default\extensions\ffxtlbr@funmoods.com
[2012/09/06 18:58:12 | 000,002,299 | ---- | M] () -- C:\Users\AngieGuinn\AppData\Roaming\Mozilla\Firefox\Profiles\66i6pawr.default\searchplugins\askcom.xml
[2012/12/19 20:28:10 | 000,002,351 | ---- | M] () -- C:\Users\AngieGuinn\AppData\Roaming\Mozilla\Firefox\Profiles\66i6pawr.default\searchplugins\Funmoods.xml
CHR - Extension: Funmoods = C:\Users\AngieGuinn\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbjciahceamgodcoidkjpchnokgfpphh\2.1.3_1\
CHR - Extension: AVG Secure Search = C:\Users\AngieGuinn\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof\15.4.0.5_0\
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\20.3.1.22\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-627836446-3073685375-2359285761-1000\..\Toolbar\WebBrowser: (no name) - {22DFBF5B-A7CD-4B25-9471-3DC68C71855F} - No CLSID value found.
O3 - HKU\S-1-5-21-627836446-3073685375-2359285761-1000\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\20.3.1.22\coieplg.dll (Symantec Corporation)

:commands
[CREATERESTOREPOINT]
[emptytemp]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log


------------ Next-------------

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


-------------- Next -------------------

Please download zoek.zip from here or here and save it to your Desktop.
Unpack the archive…
[*]Close any open browsers
[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this, please read this or this instruction.

[*]Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:

filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;
uninstall-list;

[*] Click on the Run script button.
Please wait until a log report opens (this can be after a reboot).

[*]Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

Here are the files you requested.

Also, this laptop has two accounts. Will I need to run them on the other account as well?

Also, I just looked with file manager and now it seems a third account exists, but doesn’t show up at boot time.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
S2 vToolbarUpdater15.4.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.4.0\ToolbarUpdater.exe [x]
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzutAtN2Y1L1Qzuzz0C0AzyzztB0A0B0FtCtDzytD0CyCyBtN0D0TzutBtDtCtBtDyDtBzy&cr=1796634388
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_20.1.0.24\coFFPlgn\
Task: {7095DD02-AE5D-4723-9A8C-14B3CE9A026C} - System32\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv => C:\Windows\TEMP\{DFA6766A-F8D3-4FA6-AB41-72593F979746}.exe
Task: {9AF1F225-AE7E-4E23-BEB5-EBDED2E7C734} - System32\Tasks\{FDA90E9E-19C2-467F-89BA-C982C9C5BA4F} => F:\Setup.exe
Task: {9FC79874-ADB1-45F0-A0F1-EFE38E4625A5} - System32\Tasks\PC Optimizer Pro64 startups => C:\Program Files\PC Optimizer Pro\StartApps.exe
Task: {A8D8A64F-097F-41C5-8A98-CB9A7B9AA894} - System32\Tasks\{8F6EB302-EFF0-4BD1-A83B-18A7ABFACF56} => F:\Setup.exe
Task: {D687C500-589F-4373-A582-8F88623B9E2B} - System32\Tasks\{809764A4-0B6C-448D-8070-F9362A3BF033} => F:\Setup.exe
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job => C:\Windows\TEMP\{DFA6766A-F8D3-4FA6-AB41-72593F979746}.exe
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\Windows\TEMP\{C4B948C5-4513-46EA-A1C5-1427371AAB14}.exe
Task: C:\Windows\Tasks\PC Optimizer Pro64 startups.job => C:\Program Files\PC Optimizer Pro\StartApps.exe
Task: C:\Windows\Tasks\RMSchedule.job => C:\Program Files (x86)\PC Tools Registry Mechanic\RegMech.exe
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.


--------------- Next ------------------

[*]Close any open browsers
[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this, please read this or this instruction.

[*]Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:

C:\Windows\tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job;f
C:\Windows\tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job;f
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-627836446-3073685375-2359285761-1000Core.job;f
C:\Windows\tasks\PC Optimizer Pro64 startups.job;f
C:\Windows\tasks\RMSchedule.job;f
Searchqu Toolbar;ff
PC Tools Registry Mechanic 11.0;u
C:\Program Files (x86)\PC Tools Registry Mechanic;fs
emptyalltemp;
autoclean;
emptyclsid;

[*] Click on the Run script button.
Please wait until a log report opens (this can be after a reboot).

[*]Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.
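The OTL and FRST fix scripts above remove two kinds of leftovers by hand: IE SearchScopes entries that point at the toolbar vendors’ search pages, and scheduled tasks whose action is a binary in C:\Windows\TEMP or on F:\. The PowerShell below is an added, read-only example (it is not from this thread and is not part of OTL, FRST or zoek) that enumerates both spots on the live system, so the same triage can be repeated after a fix or on the laptop’s other accounts. Assumptions: Windows is installed on C:, schtasks.exe prints English column headers, PowerShell 3 or later is available, and the short allowlist of search hosts is illustrative rather than a vendor list.

```powershell
# Added example (not from the thread, not part of OTL/FRST/zoek): read-only triage of
# IE SearchScopes (HKLM, Wow6432Node, every loaded per-user hive) and scheduled tasks.
# Assumptions: Windows on C:, English schtasks output, PowerShell 3+.
$knownSearchHosts = @('www.google.com', 'www.bing.com', 'search.yahoo.com', 'duckduckgo.com')  # illustrative allowlist

function Get-SearchScopeReport {
    # HKU: is not mapped by default; map it so the S-1-5-21-* user hives are reachable.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes')
    foreach ($hive in Get-ChildItem HKU:\) {
        # Only real user SIDs; skips the *_Classes hives and the well-known service SIDs.
        if ($hive.PSChildName -match '^S-1-5-21-(\d+-){3}\d+$') {
            $roots += "HKU:\$($hive.PSChildName)\Software\Microsoft\Internet Explorer\SearchScopes"
        }
    }
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultScope
        foreach ($scope in Get-ChildItem -Path $root) {
            $url = (Get-ItemProperty -Path $scope.PSPath -ErrorAction SilentlyContinue).URL
            if (-not $url) { continue }
            # Regex instead of [uri]: the stored URLs contain raw {searchTerms} placeholders.
            $scopeHost = if ($url -match '^https?://([^/?#]+)') { $Matches[1].ToLower() } else { '?' }
            $verdict = if ($knownSearchHosts -contains $scopeHost) { 'known' } else { 'REVIEW' }
            [pscustomobject]@{
                Hive      = $root
                Scope     = $scope.PSChildName
                IsDefault = ($scope.PSChildName -eq $default)
                Host      = $scopeHost
                Verdict   = $verdict
            }
        }
    }
}

function Get-SuspiciousTaskReport {
    # schtasks.exe (rather than Get-ScheduledTask) also works on Windows 7. /V adds the
    # "Task To Run" column; schtasks repeats the header row per task folder, so drop those.
    $rows = schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv | Where-Object { $_.TaskName -ne 'TaskName' }
    foreach ($row in $rows) {
        $action = $row.'Task To Run'
        if (-not $action -or $action -eq 'N/A') { continue }
        $reason = $null
        if ($action -match '\\Windows\\Temp\\|\\AppData\\Local\\Temp\\') {
            $reason = 'runs from a temp directory'
        } elseif ($action -match '^"?[D-Z]:\\') {
            $reason = 'runs from a non-system drive letter (removable or optical media?)'
        }
        if ($reason) {
            [pscustomobject]@{ TaskName = $row.TaskName; Action = $action; Reason = $reason }
        }
    }
}

Get-SearchScopeReport    | Format-Table -AutoSize
Get-SuspiciousTaskReport | Format-Table -AutoSize
```

Run it from an elevated prompt. A REVIEW verdict is a prompt to compare the entry against the FRST/OTL log, not a removal decision; legitimate non-search sites (the flickr.com and delicious.com scopes in the log above, for instance) will be flagged too. Per-user hives under HKU only appear for accounts that have logged on since boot; a hive that has never loaded (the third account mentioned in this thread) has to be loaded with reg load before the SearchScopes walk can see it.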

Here are the results.

New Issues.

First, Internet Explorer hasn’t worked since I’ve had the laptop, but Firefox had worked great. But the last round of fixes has left Firefox and Chrome unable to access the internet. Also, after the first patch with zoek, I started Firefox and it said there was an update and it auto-patched without prompting me. After that, no internet for Firefox or Chrome.

I have to use a USB stick to transfer stuff from laptop to PC now.

My wireless is fine and says connected to network and internet both. Maybe the programs have been hijacked to use proxy servers? I had that happen once a long time ago.

Rerun zoek

resetIEproxy; 
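The symptom pattern in the previous post (browsers, Malwarebytes and iTunes cannot reach the internet, Windows Update can) lines up with two different proxy configurations on a Windows box. Browsers, Malwarebytes and iTunes use the per-user WinINET settings (the Internet Settings key under HKCU, or the other accounts’ hives under HKU), which a toolbar can point at a proxy or at a PAC file via AutoConfigURL. Windows Update and system services normally use the machine-wide WinHTTP proxy instead, so they keep working while a hijacked or dead per-user proxy blocks everything else. The PowerShell below is an added example (not from the thread, and not what zoek’s resetIEproxy switch does internally) that reports both, plus active hosts-file entries, before anything is reset. It assumes a proxy or hosts hijack is only one candidate cause; a damaged Winsock catalog gives a similar picture, and that is what the Winsock reset in the repair tools suggested later addresses.

```powershell
# Added example (not from the thread): compare per-user WinINET proxy settings, which the
# browsers inherit, with the machine WinHTTP proxy that Windows Update uses.
# Assumption: Windows Update keeps working because it does not read the per-user values.

function Get-WinInetProxyReport {
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    # HKCU plus every loaded real-user hive; the current user appears twice, which is harmless.
    $hives = @('HKCU:') + @(Get-ChildItem HKU:\ |
        Where-Object { $_.PSChildName -match '^S-1-5-21-(\d+-){3}\d+$' } |
        ForEach-Object { "HKU:\$($_.PSChildName)" })
    foreach ($hive in $hives) {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        $verdict = 'direct'
        if ($p.ProxyEnable -eq 1) { $verdict = "REVIEW: proxy $($p.ProxyServer)" }
        if ($p.AutoConfigURL)    { $verdict = "REVIEW: PAC $($p.AutoConfigURL)" }
        [pscustomobject]@{
            Hive          = $hive
            ProxyEnable   = $p.ProxyEnable
            ProxyServer   = $p.ProxyServer
            AutoConfigURL = $p.AutoConfigURL
            Verdict       = $verdict
        }
    }
}

function Get-WinHttpProxyReport {
    # Machine-wide setting used by Windows Update and services.
    # "Direct access (no proxy server)" is the clean state.
    (netsh.exe winhttp show proxy | Where-Object { $_ -match '\S' }) -join ' '
}

function Get-HostsFileOverrides {
    # Active (non-comment) hosts entries: a redirected AV/update hostname is a third way
    # to get "everything except Windows Update is broken".
    Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
        Where-Object { $_ -match '^\s*[0-9a-fA-F.:]+\s+\S' -and $_ -notmatch '^\s*#' }
}

function Reset-WinInetProxy {
    # Deliberately current-user only and only called by hand once the report has been read.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Set-ItemProperty    -Path $key -Name ProxyEnable   -Value 0
    Remove-ItemProperty -Path $key -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
}

Get-WinInetProxyReport | Format-List
Get-WinHttpProxyReport
Get-HostsFileOverrides
```

If the WinINET report shows a proxy or PAC that nobody configured on purpose, Reset-WinInetProxy clears it for the current account; the other account on the laptop needs the same done under its own hive. If the WinINET side is already direct, the hosts file is clean and netsh winhttp also reports direct access, the proxy hypothesis is ruled out and the Winsock catalog is the next thing to reset.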

Here’s the results.

although, still no internet access.

Also, malwarebytes I just installed doesn’t access the internet for updates either.

same with itunes.

windows update works fine.

Download Complete Internet Repair
http://www.majorgeeks.com/files/details/complete_internet_repair.html

Unzip and click to CIntRep.
Check all and click to button Go.

I tried that, but the laptop BSODed with an error about power management of some sort. It took forever to shut down. Maybe it tried to go to sleep from taking so long? lol

It’s getting way too late for me. I’ll try again tomorrow and see if it takes a second time.

Feel free to make any more suggestions.

Thanks a lot for all of your help. It is greatly appreciated.
-=Mark=-

I just reran the CIntRep program and it rebooted just fine, but still no internet at all except Windows Update.

Any other ideas at all?

This is very weird. Never had a virus this bad.

It has disabled Norton’s so badly that it won’t uninstall so I can reinstall. I even tried the Norton’s uninstaller.

Can’t boot into safe mode either, so I can’t do anything from there.

Please download Windows Repair (all in one) from here:
http://www.tweaking.com/content/page/windows_repair_all_in_one.html

[*] Install the program then run.

[*] Go to Step 2 and allow it to run Disk check
[*] Once that is done then go to Step 3 and allow it to run SFC
[*] Go to Step4 and create registry backup and system restore point.

[*] On the Start Repairs tab => Click the Start

  • Click on the Select all button and then click on Start
  • Don’t use the computer while each scan is in progress!!!

[*] Restart may be needed to finish the repair procedure.

After Uninstalling Norton’s with Norton Remover, that I downloaded, the laptop is running fine.

I assume I don’t need to run the Windows Repair program now?

Any other things I need to do?

I assume I don't need to run the Windows Repair program now?

Don’t need.

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

I don’t need DelFix log report.

Thank you once again for all of your help
-=Mark=-