I’m sorry in case I am unable to respond in a day, but I am really grateful to those who will find the solution to this.
Logs to assist in cleaning malware https://forum.avast.com/index.php?topic=53253.0
Attach Malwarebytes and Farbar Recovery Scan Tool logs,
then scroll down to SPECIFIC INFECTIONS LOGS and copy and paste the MCShield log here.
Should I finish the Avast! scan, or cancel it, before beginning to scan with MBAM?
Cancel …
I’m sorry if I ask a lot of questions, since I am not an expert or anything. I left my laptop yesterday in sleep mode and returned just now to find that the battery had run out, making the scan in progress stop. Is it bad? Do I need to repeat the scan? Thank you for assisting me.
No, the on-demand scan was interrupted when the computer went to sleep and resumed when it woke again, at the point where it was paused.
So what do I need to do to continue the scan? I’m talking about MBAM here. Ty again
Yes, we can’t help you before we receive the requested logs.
I’m so sorry if I can’t post the logs very quickly, since we have classes in the morning and the scan won’t finish in time (it seems that there are 60000+ infected files) >.< I’m very, very sorry. I will try today to finish the scan, but I am guaranteed to be able to on weekends. Again, I'm very sorry for the inconvenience >.<
What should I do? Every time the scan is about to finish, the blue screen pops up and restarts my laptop!
I used FRST instead
OK, this will require several runs.
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open Notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
HKU\S-1-5-21-1020510941-2804594897-1489143484-1000\...\Run: [**e©Kû¨**¡<*>] => C:\Program Files\Tongbu\tbMobileService.exe /start <===== ATTENTION (Value Name with invalid characters)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1020510941-2804594897-1489143484-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://istart.webssearches.com/?type=hp&ts=1406610561&from=amt&uid=WDCXWD2500BEVS-75UST0_WD-WXC40827446074460
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://istart.webssearches.com/web/?type=ds&ts=1406610561&from=amt&uid=WDCXWD2500BEVS-75UST0_WD-WXC40827446074460&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://istart.webssearches.com/?type=hp&ts=1406610561&from=amt&uid=WDCXWD2500BEVS-75UST0_WD-WXC40827446074460
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://istart.webssearches.com/web/?type=ds&ts=1406610561&from=amt&uid=WDCXWD2500BEVS-75UST0_WD-WXC40827446074460&q={searchTerms}
HKU\S-1-5-21-1020510941-2804594897-1489143484-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://istart.webssearches.com/?type=hp&ts=1406610561&from=amt&uid=WDCXWD2500BEVS-75UST0_WD-WXC40827446074460
URLSearchHook: HKU\S-1-5-21-1020510941-2804594897-1489143484-1000 - (No Name) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - No File
URLSearchHook: HKU\S-1-5-21-1020510941-2804594897-1489143484-1000 - (No Name) - {D8278076-BC68-4484-9233-6E7F1628B56C} - No File
URLSearchHook: HKU\S-1-5-21-1020510941-2804594897-1489143484-1000 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll (Yahoo! Inc.)
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://istart.webssearches.com/web/?type=ds&ts=1406610561&from=amt&uid=WDCXWD2500BEVS-75UST0_WD-WXC40827446074460&q={searchTerms}
SearchScopes: HKLM -> {23088cf8-eaf8-4bb3-a251-9ba61557ac75} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=Z1xdm0029Dus&ptnrS=Z1xdm0029Dus&si=CIzh646Un6sCFcPe4AodyzCojQ&ptb=9D383CAB-F322-40F5-BB09-EF3B378626A9&psa=&ind=2011091606&st=sb&n=77ded296&searchfor={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://istart.webssearches.com/web/?type=ds&ts=1406610561&from=amt&uid=WDCXWD2500BEVS-75UST0_WD-WXC40827446074460&q={searchTerms}
SearchScopes: HKLM -> {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://search.sweetim.com/search.asp?src=6&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1020510941-2804594897-1489143484-1000 -> {23088cf8-eaf8-4bb3-a251-9ba61557ac75} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=Z1xdm0029Dus&ptnrS=Z1xdm0029Dus&si=CIzh646Un6sCFcPe4AodyzCojQ&ptb=9D383CAB-F322-40F5-BB09-EF3B378626A9&psa=&ind=2011091606&st=sb&n=77ded296&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-1020510941-2804594897-1489143484-1000 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://istart.webssearches.com/web/?type=ds&ts=1406610561&from=amt&uid=WDCXWD2500BEVS-75UST0_WD-WXC40827446074460&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1020510941-2804594897-1489143484-1000 -> {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=SfW0KEkjIEELgashxLzsOoJp9O8?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1020510941-2804594897-1489143484-1000 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2A69} URL = http://search.bearshare.com/webResults.html?src=ieb&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1020510941-2804594897-1489143484-1000 -> {CCC7A320-B3CA-4199-B1A6-9F516DD69829} URL = http://search.avg.com/route/?d=4cd8a2d4&v=6.10.6.4&i=23&tp=chrome&q={searchTerms}&lng={language}&iy=b&ychte=us
SearchScopes: HKU\S-1-5-21-1020510941-2804594897-1489143484-1000 -> {DECA3892-BA8F-44b8-A993-A466AD694AE4} URL = http://search.avg.com/route/?d=$instd$&v=$ver$&i=$dchid$&tp=chrome&q={searchTerms}&lng={moz:locale}&iy=b&ychte=pht
SearchScopes: HKU\S-1-5-21-1020510941-2804594897-1489143484-1000 -> {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://search.sweetim.com/search.asp?src=6&q={searchTerms}
Toolbar: HKLM - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKLM - No Name - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
Toolbar: HKLM - No Name - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - No File
Toolbar: HKU\S-1-5-21-1020510941-2804594897-1489143484-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Toolbar: HKU\S-1-5-21-1020510941-2804594897-1489143484-1000 -> No Name - {A057A204-BACC-4D26-9990-79A187E2698E} - No File
Toolbar: HKU\S-1-5-21-1020510941-2804594897-1489143484-1000 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKU\S-1-5-21-1020510941-2804594897-1489143484-1000 -> No Name - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe http://istart.webssearches.com/?type=sc&ts=1406610561&from=amt&uid=WDCXWD2500BEVS-75UST0_WD-WXC40827446074460
FF NewTab: about:newtab
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\webssearches.xml
FF HKLM\...\Firefox\Extensions: [m3ffxtbr@mywebsearch.com] - C:\Program Files\MyWebSearch\bar\firefox
FF HKLM\...\Firefox\Extensions: [paffxtbr@FilmFanatic.com] - C:\Program Files\FilmFanatic\bar\1.bin
StartMenuInternet: FIREFOX.EXE - C:\Program Files\Mozilla Firefox\firefox.exe http://istart.webssearches.com/?type=sc&ts=1406610561&from=amt&uid=WDCXWD2500BEVS-75UST0_WD-WXC40827446074460
CHR HomePage: Default -> hxxp://istart.webssearches.com/?type=hp&ts=1406610561&from=amt&uid=WDCXWD2500BEVS-75UST0_WD-WXC40827446074460
CHR StartupUrls: Default -> "hxxp://istart.webssearches.com/?type=hp&ts=1406610561&from=amt&uid=WDCXWD2500BEVS-75UST0_WD-WXC40827446074460"
StartMenuInternet: (HKLM) Opera - C:\Program Files\Opera\Opera.exe http://istart.webssearches.com/?type=sc&ts=1406610561&from=amt&uid=WDCXWD2500BEVS-75UST0_WD-WXC40827446074460
Task: {722EBBD4-A700-43D7-B4EF-A6BFC8B5928A} - System32\Tasks\GoforFilesUpdate => C:\Program Files\GoforFiles\GFFUpdater.exe <==== ATTENTION
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe.
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix.
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
FINALLY
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks.
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
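Before a fixlist like the one above is run on a machine, it helps to see at a glance what it touches: which hosts the browser settings were redirected to, which entries point at a CLSID or file that no longer exists ("No File"), which lines FRST itself marked with ATTENTION, and whether the fix will execute a command (the CMD: line). The script below is an added example, not FRST's code or anything posted in this thread; it parses fixlist directives one per line (the form FRST expects) and summarises them. The sample input is constructed from a handful of directives in the fixlist above, and the set of hijacker hosts is an assumption drawn from that fixlist rather than any list FRST maintains.

```python
import re
from urllib.parse import urlparse

# Sample input, constructed for this example from directives in the thread's
# fixlist (one FRST directive per line, which is the form FRST expects).
SAMPLE_FIXLIST = r"""
CreateRestorePoint:
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://istart.webssearches.com/?type=hp&ts=1406610561&from=amt&uid=WDCXWD2500BEVS-75UST0_WD-WXC40827446074460
URLSearchHook: HKU\S-1-5-21-1020510941-2804594897-1489143484-1000 - (No Name) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - No File
SearchScopes: HKLM -> {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://search.sweetim.com/search.asp?src=6&q={searchTerms}
Toolbar: HKLM - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Task: {722EBBD4-A700-43D7-B4EF-A6BFC8B5928A} - System32\Tasks\GoforFilesUpdate => C:\Program Files\GoforFiles\GFFUpdater.exe <==== ATTENTION
EmptyTemp:
CMD: bitsadmin /reset /allusers
"""

# Hosts the fixlist above points browser settings at; assumed to be the
# hijacker set for this example (taken from the thread, not an FRST-maintained list).
HIJACK_HOSTS = {"istart.webssearches.com", "search.sweetim.com", "search.mywebsearch.com"}

URL_RE = re.compile(r'h(?:xx|tt)ps?://[^\s"]+')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
KEYWORD_RE = re.compile(r"[A-Za-z][A-Za-z ]*")


def parse_fixlist(text):
    """Turn each non-empty fixlist line into a dict with kind, hosts, CLSIDs and flags."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # The directive keyword is the text before the first ':' ("SearchScopes", "CMD", ...).
        # Registry-path lines ("HKLM\...\Main,Start Page = ...") carry no keyword: the text
        # before their first ':' contains backslashes, so they are classed as "Registry".
        head = line.split(":", 1)[0]
        kind = head if KEYWORD_RE.fullmatch(head) else "Registry"
        # FRST defangs some URLs as hxxp; restore the scheme so urlparse can read the host.
        hosts = []
        for url in URL_RE.findall(line):
            host = urlparse(url.replace("hxxp", "http", 1)).hostname
            if host:
                hosts.append(host)
        flags = []
        if any(h in HIJACK_HOSTS for h in hosts):
            flags.append("hijacker-host")
        if "No File" in line:
            flags.append("orphan-entry")      # registry points at a CLSID/file that is gone
        if "ATTENTION" in line:
            flags.append("frst-attention")    # FRST itself marked the line as suspicious
        if kind == "CMD":
            flags.append("runs-command")      # the fix will execute a shell command
        entries.append({"kind": kind, "line": line, "hosts": hosts,
                        "clsids": CLSID_RE.findall(line), "flags": flags})
    return entries


def summarize(text):
    """Counts a reviewer would want before running a fixlist on a machine."""
    entries = parse_fixlist(text)
    return {
        "entries": len(entries),
        "kinds": sorted({e["kind"] for e in entries}),
        "hosts": sorted({h for e in entries for h in e["hosts"]}),
        "hijacker_lines": sum("hijacker-host" in e["flags"] for e in entries),
        "orphan_lines": sum("orphan-entry" in e["flags"] for e in entries),
        "command_lines": [e["line"] for e in entries if "runs-command" in e["flags"]],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FIXLIST).items():
        print(f"{key}: {value}")
```

Run against a real fixlist by reading the file into `summarize()` in place of `SAMPLE_FIXLIST`; the hosts list is the quickest way to see every domain the fix is about to strip out of the browsers, and the command lines are the part worth reading twice before pressing Fix.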
I ran AdwCleaner and then a popup suddenly said it had stopped working after I pressed the “Clean” button. Is it alright if I repeat the scan again?
So yeah, I decided to scan again and it was successful this time. After rebooting, my laptop is unable to connect to the internet. It says it is connected, but my browser and the icon say it isn’t, so I'm unable to proceed to the next step. I searched for possible options but figured that I shouldn’t do anything first. I'm currently using a tablet.
Hmm, I wonder what AdwCleaner removed.
Open an elevated command prompt:
Go Start > All Programs > Accessories.
Right click Command Prompt and select Run as Administrator.
In the black box type the following commands and press Enter after each.
Then reboot and try the net again.
netsh advfirewall reset
netsh advfirewall set allprofiles state ON
ipconfig /flushdns
netsh winsock reset catalog
netsh int ip reset c:\resetlog.txt
ipconfig /release
ipconfig /renew
The last two returned with a reply something like “unsuccessful, no adapter”, and after I rebooted, as soon as the desktop appeared a blue screen suddenly appeared, restarting the laptop again. Now the internet is still out.
OK, select the system restore point that FRST created and that should return your internet connection, and maybe the malware as well. But once done, continue from the ComboFix portion.
How? Sorry if I ask too much, I'm just being cautious :s
No problem … Here is an MS explanation http://windows.microsoft.com/en-gb/windows-vista/turn-back-time-on-your-pc-undo-system-changes-with-system-restore
After System Restore, the internet is back. I then used ComboFix. The computer’s running fine and all, but there are popups from Avast (I turned it on after the reboot) about a virus called malware gen. It got deleted by Avast afterwards.
The ComboFix log is too long :o I can’t attach it. I put the logs up here.
I attached the AdwCleaner log too, in case.