These are the logs (or some of them) for my other laptop. I can't attach the aswMBR log as the program crashed my computer multiple times, using virtualization and not, in both normal and safe mode. Nasty little whatever it is…
Download zoek.exe from here: Zoek.exe at Bleepingcomputer
- Close/disable all antivirus and anti-malware programs so they do not interfere with the download or running of Zoek.exe.
(Here or here you can read a manual on how to disable your security applications.)
- Double-click zoek.exe to start the program.
- Copy and paste the following script in the code box:
- Note: This script is written for usage on this user's computer. Do not use it on another computer even if the problems are similar!
createsrpoint;
autoclean;
chrdefaults;
FFdefaults;
bitsadmin /reset /allusers >>"%temp%\log.txt";b
emptyalltemp;
resetIEproxy;
ipconfig /flushdns >>"%temp%\log.txt";b
- Close any open browsers.
- Click the Run script button and wait patiently.
- When finished, the logfile will be opened in Notepad.
- If a reboot is needed, the logfile will be opened after the reboot.
- The zoek-results.log can also be found on your system drive.
- Please post the logfile for further review in your next comment.
Also, how is your system running now?
It seems to be still doing it although there did appear to be fewer of them. Log attached. Thanks for the help.
Open Notepad by pressing the Windows key + R, typing Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this, highlight the contents of the box, right-click on it and select Copy (or you can just click on the (select) next to Code Box). Paste this into the open Notepad window. Save it to your desktop as fixlist.txt.
Start
CreateRestorePoint:
CloseProcesses:
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-2091008388-2901941314-3346472897-1000\...\Run: [GoogleChromeAutoLaunch_A5B343D047FD8BD2F268B0EA0F8DBD7C] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [813896 2015-07-13] (Google Inc.)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Hosts:
FF NetworkProxy: "user_pref("abine.backup.network.proxy.autoconfig_url", "");
FF NetworkProxy: "user_pref("abine.backup.network.proxy.type", 5);
FF DefaultSearchEngine: DuckDuckGo
FF DefaultSearchEngine.US: DuckDuckGo
FF SelectedSearchEngine: DuckDuckGo
FF NetworkProxy: "autoconfig_url", "abine://auto-conf.js"
FF NetworkProxy: "type", 2
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF SearchPlugin: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lw9pvbyj.default\searchplugins\dictionary.xml [2010-06-18]
FF SearchPlugin: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lw9pvbyj.default\searchplugins\duckduckgo.xml [2013-07-08]
FF SearchPlugin: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lw9pvbyj.default\searchplugins\hyperwords.xml [2009-07-22]
FF SearchPlugin: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lw9pvbyj.default\searchplugins\imdb.xml [2009-07-22]
FF SearchPlugin: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lw9pvbyj.default\searchplugins\liquid-words.xml [2012-04-05]
FF SearchPlugin: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lw9pvbyj.default\searchplugins\torrent-metasearch.xml [2015-07-18]
FF SearchPlugin: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lw9pvbyj.default\searchplugins\webster.xml [2010-06-18]
FF SearchPlugin: C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lw9pvbyj.default\searchplugins\wiktionary-en.xml [2010-06-18]
StartMenuInternet: FIREFOX.EXE - C:\Mozilla Firefox\firefox.exe
CHR Extension: (DuckDuckGo for Chrome) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpphkkgodbfncbcpgopijlfakfgmclao [2015-05-31]
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpphkkgodbfncbcpgopijlfakfgmclao
U3 aswMBR; \??\C:\Users\Admin\AppData\Local\Temp\aswMBR.sys [X]
C:\Users\Admin\AppData\Local\Temp\aswMBR.sys
2015-06-23 08:24 - 2015-05-30 18:53 - 00000000 __SHD C:\Users\Admin\AppData\Local\EmieUserList
2015-06-23 08:24 - 2015-05-30 18:53 - 00000000 __SHD C:\Users\Admin\AppData\Local\EmieSiteList
2015-06-23 08:24 - 2015-05-30 18:53 - 00000000 __SHD C:\Users\Admin\AppData\Local\EmieBrowserModeList
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: bitsadmin /reset /allusers
EmptyTemp:
Reboot:
end
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST64 by right-clicking on the FRST64.exe file and selecting "Run as Administrator…". User Account Control may open; if it does, select Yes to let FRST open and load.
The tool will check for an updated version of itself every time it loads; please allow it to do this. The program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning no update was found), and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply. Also, tell me how your system is running now.
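The FF NetworkProxy lines in the fixlist above come from the profile's prefs.js: `network.proxy.type` 2 means Firefox fetches a PAC script from `network.proxy.autoconfig_url`, and the `abine.backup.network.proxy.*` entries are where an add-on stashed the previous settings before taking the proxy over. The following is an added example, not code from this thread or from FRST: it parses a constructed prefs.js (modelled on those log lines; the `network.proxy.*` names are real Firefox preferences, the `abine.*` prefix is taken from the log) and reports what the proxy configuration actually is, then strips the proxy prefs the way the `RemoveProxy:` directive does.

```python
"""Audit and reset Firefox proxy preferences found in prefs.js (added example)."""
import re
from urllib.parse import urlsplit

# Constructed sample prefs.js, modelled on the "FF NetworkProxy" lines of the
# FRST fixlist above. Not copied from any real profile.
SAMPLE_PREFS_JS = '''
// Mozilla User Preferences
user_pref("abine.backup.network.proxy.autoconfig_url", "");
user_pref("abine.backup.network.proxy.type", 5);
user_pref("network.proxy.autoconfig_url", "abine://auto-conf.js");
user_pref("network.proxy.type", 2);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("browser.search.defaultenginename", "DuckDuckGo");
'''

# Meaning of network.proxy.type in Firefox.
PROXY_TYPES = {0: "direct", 1: "manual", 2: "PAC URL",
               4: "auto-detect (WPAD)", 5: "system proxy"}
# Schemes a PAC URL is normally fetched over; anything else (e.g. an add-on's
# own protocol handler) deserves a look.
EXPECTED_PAC_SCHEMES = {"http", "https", "file", "data"}
MANUAL_KEYS = ("network.proxy.http", "network.proxy.http_port",
               "network.proxy.ssl", "network.proxy.ssl_port",
               "network.proxy.socks", "network.proxy.socks_port")

_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')


def _parse_value(raw):
    """Convert a pref literal (string, bool or int) to a Python value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])  # unescape \" and \\
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref(...) line; comments skipped."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def audit_proxy(prefs):
    """Summarise the effective proxy setup and any add-on backup of it."""
    ptype = prefs.get("network.proxy.type", 5)  # Firefox default: system proxy
    pac_url = prefs.get("network.proxy.autoconfig_url", "")
    scheme = urlsplit(pac_url).scheme.lower() if pac_url else ""
    backups = {k: v for k, v in prefs.items() if ".backup.network.proxy." in k}
    owner = sorted(backups)[0].split(".backup.")[0] if backups else None
    return {
        "type": ptype,
        "type_name": PROXY_TYPES.get(ptype, "unknown"),
        "pac_url": pac_url,
        "pac_scheme": scheme,
        "suspicious_pac": ptype == 2 and scheme not in EXPECTED_PAC_SCHEMES,
        "manual_proxies": {k: prefs[k] for k in MANUAL_KEYS if k in prefs} if ptype == 1 else {},
        "backup_owner": owner,
        "backup_type": backups.get(f"{owner}.backup.network.proxy.type") if owner else None,
    }


def strip_proxy_prefs(prefs):
    """Drop every network.proxy.* pref and add-on backups of them, so Firefox
    falls back to 'use system proxy' on next start (what RemoveProxy: does)."""
    return {k: v for k, v in prefs.items()
            if not (k.startswith("network.proxy.") or ".backup.network.proxy." in k)}


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    for key, value in audit_proxy(prefs).items():
        print(f"{key:15} {value}")
    print("after reset:", audit_proxy(strip_proxy_prefs(prefs))["type_name"])
```

Firefox rewrites prefs.js on exit, so any edit of the real file has to be made with every Firefox process closed (the reason the instructions above say to close the browsers first); otherwise the running browser overwrites the cleaned file.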
Here’s the log. Thanks again for your help. I’ll let you know how it goes.
This is to confirm the problem still exists. Irritating bugger, this.
Let me get a fresh scan from FRST please.
- If you still have the Addition.txt file on your desktop, please delete it now.
- Right-click the FRST file on your desktop and select "Run as Administrator…" (XP users click Run after receipt of the Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
- If an update is available, the program will inform you and download the update. Allow it to do this, please. Otherwise, just wait for the "The tool is ready to use." message.
- Please check Addition.txt in the Optional Scan section of FRST.
- Press the Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please copy and paste the log back here.
- The tool will also generate another log (Addition.txt, also located in the same directory as FRST.exe/FRST64.exe). Please paste that along with FRST.txt into your reply.
OK. Here are the new logs. Thanks for the help.
Download the latest version of TDSSKiller from here and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg
- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
- Click the Start Scan button.
http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg
- If a suspicious object is detected, the default action will be Skip; click on Continue.
http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg
- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg
- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
A report will be created in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version][Date][Time]_log.txt". Please attach this to your next reply.
No threats found.
Report attached.
Can you unplug the USB / Portable drive and reboot the system? Do you still get the warning then?
I’m on the road and that computer is packed up but I will give that a try when I get back home.
Thanks.
Understood; real life always comes first in my books. I await your findings when you get a chance.
That seems to have worked. So far, so good, anyway. I would note that I had also started the laborious process of removing add-ons from Firefox, and removing the Ad Beaver add-on also seemed to have stopped the problem before I removed the portable drive and restarted. Don't know which actually did the fix, but the annoying popup warnings seem to have stopped, for now anyway.
Thank you for all the help.
Along with Ad Beaver, Liquid Words and SearchPreview are also bad and should be removed from Firefox and your system.
As to the USB drive, you may want to consider adding MCShield to your system to help protect against USB-transferred malware.
As it sounds like you are satisfied with the system, let's remove our tools and let you be.
Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that, should you ever need to have malware removed again (we hope not), fresh, updated copies will be downloaded.
- Download Delfix from here to your desktop and double-click it to start the program.
- Ensure Remove disinfection tools is ticked.
Also tick:
- Activate UAC
- Create registry backup
- Purge system restore
- Reset system settings
http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/DelFixSelectall_zps0f04cec4.png
- Click Run.
- The program will run for a few moments and then Notepad will open with a log. Please attach the log in your next reply.
You can delete any log files left on your desktop as these are no longer needed.