W32:Malware-gen Avast popup

Hello,

I’m struggling to remove this annoying trojan, can you help please? I’ve attached my OTL logs.

Many thanks,

KW

Hi kevvy wilch,

Struggle no more.

Read and attach the following logs produced from Malwarebytes and aswMBR.exe here: http://forum.avast.com/index.php?topic=53253.0 The more information you attach about your infection, the better. Just use these three programs to begin.

Thanks for your reply.

I’m unable to download aswMBR.exe on any of my PCs/laptops. Seems to be something wrong with that site. When I ran a Malwarebytes scan it found no issues.

KW

Confirmed issue @ avast.

bleeping computer link: http://www.bleepingcomputer.com/download/aswmbr/ gives same ‘not found’ result.

‘Down for everyone or just me’ link produces this: http://www.downforeveryoneorjustme.com/http://public.avast.com/~gmerek/aswMBR.exegoogle.com

Servers are likely down at the moment. Please attach the MBAM log in any case. A malware expert has been notified for you.

You can probably download it from essexboy's SkyDrive … if he needs that log,
he will tell you when he arrives :wink:

Ok thanks. MB log attached as requested.

Cheers,

KW

It appears you are running in Safe Mode/Networking on the affected system. You can use other systems to transfer/download logs and programs requested if you wish, via usb stick. Whoever gets to assist you will get you out of Safe Mode in any case very soon. essexboy is top-notch, just so you know, but others are just as capable. All experts volunteer their time here, live in different time-zones, so might be a bit of time before one comes online for you.

Glad to help you out with the basics. :slight_smile:

For info I did run MB in both normal mode and safe mode, but I got the same results each time, nothing found. I have been using a usb stick already to transfer the logs to my good laptop for upload here.

OK great, many thanks. I see Essexboy has performed wonders elsewhere on this forum for similar issues, so my confidence is high that he can help me too. 8)

KW

Hi @kevvy wilch

Re-run OTL.exe.

[*]Copy and paste the following text written inside the quote box into the Custom Scans/Fixes box.

:OTL
FF - prefs.js..browser.startup.homepage: "http://www.searchqu.com/406"
FF - prefs.js..keyword.URL: "http://dts.search-results.com/sr?src=ffb&appid=283&systemid=406&sr=0&q="
[2012/02/20 21:38:41 | 000,000,000 | ---D | M] (Searchqu Toolbar) -- C:\Users\martin\AppData\Roaming\Mozilla\Firefox\Profiles\h46ddtxb.default\extensions\{99079a25-328f-4bd4-be04-00955acaa0a7}
CHR - homepage: http://www.searchqu.com/406
CHR - default_search_provider: search_url = http://dts.search-results.com/sr?src=crb&appid=283&systemid=406&sr=0&q={searchTerms}
CHR - homepage: http://www.searchqu.com/406
O2:64bit: - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (DataMngr) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-288686398-2034965131-592580008-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)

:files
C:\Windows\Installer\{e08a1a76-dc2a-ba58-71f9-b5e047333336}
C:\Users\martin\AppData\Local\{e08a1a76-dc2a-ba58-71f9-b5e047333336}
ipconfig /flushdns /c

:commands
[CREATERESTOREPOINT]
[EMPTYJAVA]
[emptytemp]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

Step 2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.

When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) back to this topic.

Notes:

  1. Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” ComboFix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, reboot again; that will cure it.
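The OTL fix above removes a browser hijacker by its registry footprint: Browser Helper Object (O2) and toolbar (O3) entries keyed by CLSID, plus the Firefox prefs.js and Chrome homepage/search settings pointing at searchqu.com. The script below is an added example, not part of this thread and not OTL or ComboFix code; it is a read-only audit in PowerShell that enumerates the same registration points, resolves each CLSID to the DLL that will be loaded, scans Firefox prefs.js for the two preferences the fix resets, and flags anything matching the indicator strings quoted in the fix. The $Indicators list is constructed from those quoted paths and URLs and is an assumption for this demonstration; run it from an elevated prompt, since HKLM class keys are being read.

```powershell
# Added example: audit IE BHOs, IE toolbars and Firefox prefs for the hijacker
# indicators named in the OTL fix. Reports only; it deletes nothing.

# Constructed from the DLL paths and URLs quoted in the OTL fix above.
$Indicators = @('Datamngr', 'searchqu', 'iLivid', 'Ask.com', 'search-results.com')

function Resolve-ClsidPath {
    param([string]$Clsid)
    # Look up the DLL registered for a CLSID in the 64-bit and the 32-bit (Wow6432Node) class hives.
    foreach ($base in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $key = Join-Path $base "$Clsid\InProcServer32"
        if (Test-Path $key) {
            return (Get-ItemProperty -Path $key).'(default)'
        }
    }
    return $null   # no server registered: matches OTL's "No CLSID value found" case
}

function Get-Bhos {
    # BHOs are registered as subkeys whose name is the CLSID (O2 lines in OTL).
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            [pscustomobject]@{ Type = 'BHO'; Name = $_.PSChildName
                               Value = Resolve-ClsidPath $_.PSChildName; Source = $root }
        }
    }
}

function Get-IeToolbars {
    # Toolbars are registered as values whose *name* is the CLSID (O3 lines in OTL).
    $roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
             'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        $item = Get-Item -Path $root
        foreach ($name in $item.GetValueNames()) {
            if ($name -match '^\{[0-9A-Fa-f-]{36}\}$') {
                [pscustomobject]@{ Type = 'Toolbar'; Name = $name
                                   Value = Resolve-ClsidPath $name; Source = $root }
            }
        }
    }
}

function Get-FirefoxHomepagePrefs {
    # Scan each Firefox profile's prefs.js for the two prefs the OTL fix resets.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return }
    Get-ChildItem -Path $profiles -Directory | ForEach-Object {
        $prefs = Join-Path $_.FullName 'prefs.js'
        if (-not (Test-Path $prefs)) { return }
        Select-String -Path $prefs -Pattern 'user_pref\("(browser\.startup\.homepage|keyword\.URL)",\s*"([^"]*)"' |
            ForEach-Object {
                [pscustomobject]@{ Type = 'FirefoxPref'; Name = $_.Matches[0].Groups[1].Value
                                   Value = $_.Matches[0].Groups[2].Value; Source = $prefs }
            }
    }
}

# Collect everything and flag entries whose DLL path or URL matches an indicator.
$findings = @(Get-Bhos) + @(Get-IeToolbars) + @(Get-FirefoxHomepagePrefs)
foreach ($f in $findings) {
    $hit  = $Indicators | Where-Object { "$($f.Value)" -like "*$_*" }
    $flag = if ($hit) { 'SUSPECT' } else { 'ok' }
    '{0,-8} {1,-12} {2,-40} {3}' -f $flag, $f.Type, $f.Name, $f.Value
}
```

Entries flagged SUSPECT correspond one-to-one with the O2/O3 and FF lines in the fix; a BHO or toolbar whose CLSID resolves to no DLL is the orphaned registration that OTL reports as "No CLSID value found". Chrome's homepage and default_search_provider live in the profile's JSON Preferences file rather than the registry, so they are not covered here.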

Thanks Argus. OTL fix ran fine, log attached. Combofix also ran well and log also attached.

I really appreciate your help with this.

KW

OK, it’s all right now. Do you have any problems?

Hi,

Sorry I meant to mention that in my last post. Yes the popups appear to have stopped now. It was only a brief test this morning over breakfast but I’ll monitor it this evening and report back.

Thanks again for your help.

KW

There is no more malware on the computer, don't worry :slight_smile:

It is necessary to uninstall ComboFix:

[*] Click Start (or the Vista Start orb), then Run.

On Windows 7 or Vista you may use the Start Search field if Run is not available.

[*] In the text box, type (or copy) the following:

ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

[*] Then click OK (or press Enter).

Wait for the uninstall process to complete.

Run OTL and hit the CleanUp button.

Ok great, I’ll run those two tonight when I get home. Am I all done then?

Cheers,

KW

Yes, cheers!

All done and all looking good. Thanks very much for your help Argus. This is a great forum! :slight_smile:

Cheers,

KW