Virus and/or malware that still persists on my system

system · 2014-03-13T16:13:28.000Z

all things have been tried out but nothing works out! it seems to be the hardest virus/malware of all

Eddy · 2014-03-13T16:17:55.000Z

Please post the logs.
Not all has been tried.
If it was, the malware would have been gone.

system · 2014-03-13T16:25:07.000Z

OTL log has been posted here

system · 2014-03-13T16:39:28.000Z

aswMBR log

Eddy · 2014-03-13T16:53:30.000Z

I found several things that need to be fixed.
Please do nothing untill one of the people who know more about OTL tell you to do so.

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-861567501-1123561945-839522115-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.trovigo.com/?gd=&ctid=CT3324790&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SP0AE52F69-ACF2-4CEA-B4E2-B1AB48329464&SSPV=SE1CGNB1_sp_ie
FF - prefs.js..browser.search.selectedEngine: "http://www.trovigo.com/Results.aspx?gd=&ctid=CT3324790&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SP0AE52F69-ACF2-4CEA-B4E2-B1AB48329464&q={searchTerms}&SSPV=SE1CGNB1_sp_ff"
FF - prefs.js..browser.startup.homepage: "http://www.trovigo.com/?gd=&ctid=CT3324790&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SP0AE52F69-ACF2-4CEA-B4E2-B1AB48329464&SSPV=SE1CGNB1_sp_ff"
CHR - default_search_provider: Conduit Search (Enabled)....(rest of the code here)
CHR - default_search_provider: search_url = http://www.trovigo.com/Results.aspx?gd=&ctid=CT3324790&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SP0AE52F69-ACF2-4CEA-B4E2-B1AB48329464&q={searchTerms}&SSPV=SE1CGNB1_sp_ch
CHR - default_search_provider: suggest_url = http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms},
CHR - plugin: Error reading preferences file
O4 - HKU\S-1-5-21-861567501-1123561945-839522115-500..\Run: [LiveSupport] "C:\Program Files\LiveSupport\LiveSupport.exe" /noshow /log File not found
O20 - AppInit_DLLs: (c:\progra~1\ws-ena~1\assist~1.dll) -  File not found

essexboy · 2014-03-13T17:19:42.000Z

OK Firefox has been compromised, we will clear that first and then see what’s left

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
DRV - File not found [File_System | On_Demand | Stopped] -- -- (yeibbiie)
[2014/03/12 04:57:53 | 000,000,000 | ---D | M] (SaveSense) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5d808ga4.default\extensions\{2fab2e94-d6f9-42de-8839-3510cef6424b}
[2014/02/15 10:49:42 | 000,000,000 | ---D | M] (YoTuberAdsRemov) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5d808ga4.default\extensions\a_zjld@oo-aagur.edu
[2014/02/07 00:45:02 | 000,000,000 | ---D | M] (webseavvE) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5d808ga4.default\extensions\evxmsolyao@ao-ye.com
[2014/02/07 00:45:02 | 000,000,000 | ---D | M] (YoutubeAdblocker) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5d808ga4.default\extensions\iiemyo@eaye.edu
O4 - HKU\S-1-5-21-861567501-1123561945-839522115-500..\Run: [LiveSupport] "C:\Program Files\LiveSupport\LiveSupport.exe" /noshow /log File not found
[2014/03/12 04:57:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\SearchProtect
[2014/03/12 04:35:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DOSBox
[2014/03/08 20:32:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Search Protection
[2014/03/08 20:31:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\YTD Video Downloader
[2014/03/08 20:30:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\YTD Video Downloader
[2014/02/13 14:39:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\YoTuberAdsRemov
[2014/02/13 14:39:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\fmcgnbjgipbbpdfgnhallmcmlmngnfah
[2014/03/12 03:09:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Search Protection
[2014/02/02 03:41:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Smadav
[2014/02/07 01:03:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\systweak
[2014/02/13 14:39:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\16a2801affcc246b
[2014/02/13 14:39:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\fmcgnbjgipbbpdfgnhallmcmlmngnfah
[2014/02/05 05:52:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\greaatosaaver
[2014/02/13 14:39:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YoTuberAdsRemov
[2014/03/08 20:31:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YTD Video Downloader

:Files
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\cmedhionkhpnakcndndgjdbohmhepckk
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\fmcgnbjgipbbpdfgnhallmcmlmngnfah
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mpdcfdklflbadebnimcanpkminhcbnii

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

FINALLY

Run a fresh OTL scan selecting all users

system · 2014-03-14T03:50:25.000Z

AdwCleaner v3.022 - Report created 14/03/2014 at 09:12:53

Updated 13/03/2014 by Xplode

Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

Username : Administrator - ADMIN-AEAE7CBC3

Running from : C:\Documents and Settings\Administrator\My Documents\Downloads\adwcleaner.exe

Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\GreenTree Applications
Folder Deleted : C:\Program Files\Optimizer Pro
Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\SearchProtect
Folder Deleted : C:\Documents and Settings\Administrator\Local Settings\Application Data\torch
File Deleted : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5d808ga4.default\user.js

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\Optimizer Pro v3.2
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : HKCU\Software\systweak
Key Deleted : HKCU\Software\AppDataLow{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\Software{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\Software\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache{4820778D-AB0D-6D18-C316-52A6A0E1D507}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache{CA41BB14-E67B-1653-C57B-5CA99418A866}

***** [ Browsers ] *****

-\ Internet Explorer v8.0.6001.18702

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\ Mozilla Firefox v6.0.1 (en-US)

[ File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5d808ga4.default\prefs.js ]

Line Deleted : user_pref(“browser.search.selectedEngine”, "hxxp://www.trovigo.com/Results.aspx?gd=&ctid=CT3324790&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SP0AE52F69-ACF2-4CEA-B4E2-B1AB48329464&q={searchT[…]
Line Deleted : user_pref(“browser.startup.homepage”, “hxxp://www.trovigo.com/?gd=&ctid=CT3324790&octid=EB_ORIGINAL_CTID&SearchSource=55&CUI=&UM=4&UP=SP0AE52F69-ACF2-4CEA-B4E2-B1AB48329464&SSPV=SE1CGNB1_sp_ff”);
Line Deleted : user_pref(“extensions.11OKfL.scode”, "(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf("acebook")>-1||url.indexOf("txtlnkusaolp00000800")>-1||url.indexOf("sumo[…]
Line Deleted : user_pref(“extensions.TTE.scode”, "(function(){try{var url=(window.self.location.href + document.cookie);if(url.indexOf("acebook")>-1||url.indexOf("txtlnkusaolp00000800")>-1||url.indexOf("sumorob[…]
Line Deleted : user_pref(“extensions.XVaIZLtkb1.scode”, "(function(){try{var url=window.self.location.href;if(url.indexOf("acebook")>-1||url.indexOf("txtlnkusaolp00000800")>-1||url.indexOf("sumorobo")>-1||url.[…]
Line Deleted : user_pref(“browser.newtab.url”, “hxxp://www.trovigo.com/?gd=&ctid=CT3324790&octid=EB_ORIGINAL_CTID&SearchSource=69&CUI=&SSPV=SE1CGNB1_sp_ff&Lay=1&UM=4&UP=SP0AE52F69-ACF2-4CEA-B4E2-B1AB48329464”);

-\ Google Chrome v

[ File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]

Deleted : suggest_url
Deleted : keyword
Deleted : search_url

AdwCleaner[R0].txt - [4056 octets] - [14/03/2014 09:06:00]
AdwCleaner[S0].txt - [3843 octets] - [14/03/2014 09:12:53]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3903 octets] ##########

system · 2014-03-14T03:52:15.000Z

OTL log is posted here.

essexboy · 2014-03-14T14:02:24.000Z

What problems are you experiencing at the moment ?

system · 2014-03-14T14:29:51.000Z

the pc is hanging at times and isn’t responding for a few seconds. some 20-30 virus is there in my avast virus chest.i wan’t to remove them completely out of my computer.please help.

essexboy · 2014-03-14T14:54:32.000Z

OK for the virus chest you can just empty it by right clicking the files and selecting delete

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

system · 2014-03-14T15:22:55.000Z

combofix log has been posted here

essexboy · 2014-03-14T15:46:08.000Z

Let me know how it is on completion of this

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open notepad and copy/paste the text in the quotebox below into it:

Driver:: wgapldfq

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

system · 2014-03-14T16:21:27.000Z

combo

essexboy · 2014-03-14T16:23:42.000Z

Is there any improvement in the system response ?

system · 2014-03-14T16:25:10.000Z

combo

system · 2014-03-14T16:26:47.000Z

yes of of course .it is better now

essexboy · 2014-03-14T16:27:47.000Z

Test it out for a bit, and if you are happy let me know and we will tidy up

system · 2014-03-14T16:29:47.000Z

yes happy with its performance

essexboy · 2014-03-14T17:16:22.000Z

In that case methinks I will send you on your merry way

Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe

Announcements