The Attack is Back (and better than ever)

[michaelglew]

Hello:

 

In July the Forums assisted me in removing the malware infecting my system and preventing me from running malwarebytes on this machine. Now I seem to have a similar problem. Constantly misdirected to phishing sites, drivers out of date messages, and on, and on. It seems to be on my wife's Motorola cell phone as well.  Would you be able to assist? Thank you.

 

Michael    

[Psychotic]

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

• First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
• Perform everything in the correct order. Sometimes one step requires the previous one.
• If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
• Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
• Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
• Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
• My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  

 
 
 
 
 
HijackThis is not the preferred initial scanning tool in this forum. With today's malware, a more comprehensive set of logs is required to determine the presence of malware.
 
 
 
 
Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)
 

• Run FRST.
• Don´t change one of the checkboxes and hit Scan.
• Logfiles are created on your desktop.
• Poste the FRST.txt and (after the first scan only!) the Addition.txt.
  

 
 
 
 
 Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

• Double click the aswMBR.exe icon, and click Run.
• There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
• When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
• Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
• Click the Scan button to start the scan once the update has finished downloading
• On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.
  

Note: There will also be a file on your desktop named MBR.dat do not delete this for now. It is an actual backup of the MBR (master boot record).

[michaelglew]

Hello Marius:

 

Thank you for the help. Here are the two logs.

 

Michael

aswMBR.txt

SepFRST.txt

[Psychotic]

I cannot see any suspicious acitivity here.

Let´s cross check:

 

Full System Scan with Malwarebytes Antimalware

• 
  If not existing, please download

Malwarebytes Anti-Malware to your desktop. Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

• Launch Malwarebytes Anti-Malware
• A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

[*]Click Finish.

If the program is already installed:

• Run Malwarebytes Antimalware
• On the Dashboard, click the 'Update Now >>' link
• After the update completes, click the 'Scan Now >>' button.
• Or, on the Dashboard, click the Scan Now >> button.
• If an update is available, click the Update Now button.
• A Threat Scan will begin.
• When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
• In most cases, a restart will be required.
• Wait for the prompt to restart the computer to appear, then click on Yes.
  

• After the restart once you are back at your desktop, open MBAM once more.
• Click on the History tab > Application Logs.
• Double click on the scan log which shows the Date and time of the scan just performed.
• Click 'Copy to Clipboard'
• Paste the contents of the clipboard into your reply.
  

 

 

 

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked
• Click on Advanced Settings and ensure these options are ticked:
  • Scan for potentially unwanted applications
• Scan for potentially unsafe applications
• Enable Anti-Stealth Technology

[*]Click Scan[*]Wait for the scan to finish[*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.

[michaelglew]

Hello:

 

Thank you for the reply. Malwarebytes finds nothing suspicious. Meanwhile ESET will not run. No start option appears after acceptance of terms of condition on ESET. I tried both in the pop up and opening in it's own tab. Also I can no longer launch chrome, only Internet Explorer. It is difficult, if not impossible, to navigate from one page to the next. I continue to receive the re-directs of "security warnings call this 800 number", various dating websites,  and "drivers out of date click here" Thanks.

 

Michael

[Psychotic]

Combofix

Combofix should only be run when adviced by a team member!

Link


Important - Save the file to your desktop!

• Deactivate any and all of your antivirus programs /spyware scanners - they can prevent CF from doing its work.
• Run Combofix.exe
  

When finished, Combofix creates a log file named C:\Combofix.txt. Please post its content in your next reply.

Note: When receiving an error message containing ""Illegal operation attempted on a registry key that has been marked for deletion" simply restart your computer to fix this.

[michaelglew]

Hello:

 

Please forgive the delay in response as I have not had access to a functional PC since yesterday afternoon. When I attempted to download combofix I received a widows error box. I don't recall exactly what it said. This appeared when combofix was about 80% downloaded. Now I'm no longer able to launch any programs on that PC. The machine will boot up and freeze after I attempt any function. I was able to run Malwarebytes and ESET in safe mode. No threats were caught and I do not see if ESET generated a log in safe mode. Thanks.

 

Michael  

[Psychotic]

Please boot into safe mode.

 

 

Use the Windows Error Checking utility (Check Disk), with the options to fix file system errors and scan the disk surface for errors, attempt recovery of data and repair the disk:

• Click the "Windows Orb" Start button, then click Computer.
• Right-click on the drive that you wish to check > Properties > Tools tab
• In the "Error checking" section, click on Check now.
• Place a checkmark in both boxes > Start.
• If the disk you have chosen is the Windows system disk:
• A message will notify you that a restart is necessary ask "Do you want to check for hard disk errors the next time you start your computer?".
• Click Schedule disk check > OK and close all windows.
• Re-start the computer. The disk will be checked when the system boots.
• This will take some time to run and at times may appear stalled but just let it run.
• When the disk check is complete, the system will re-start automatically and load Windows.
  

A log of the disk check is recorded only if the scheduled re-start is used, and only for drives on the same HDD as the Operating System.
To open Event Viewer and view the log:

• Click the "Windows Orb" Start button -> type "eventvwr" without the quotes -> press the key.
• The Event Viewer window will open.
• In the left pane, expand "Windows Logs" and then click on Application.
• In the right pane, at the top, click on the column heading Source to sort the list alphabetically.
• Look in the Source column for "Wininit", with an entry corresponding to the date and time of the disk check.
• Click on that Wininit entry to select it.
• On the top main menu, click Action > Copy > Copy Details as Text.
• Paste the contents into your next reply.
  

 

 

 

System File Check

For Windows XP:

• Press the Windows- and the R-key simultanously.
• Within the text box that jus opened, write cmd and hit Enter.
  

For Windows Vista/7:

• Press the Windows key to open the start menu.
• Don´t highlight anything, just write cmd.
• The start menu will offer you an entry named cmd.
• Right click it and select "run as administrator"
  

Within the opening window, write the following:

sfc /scannow

(See the blank within).

• Hit enter. Your system will be checked for damaged system files.
• Tell me the result of that scan in here (as the tool produces no log).
  

[michaelglew]

Hello:

 

Alright. I think I got it to run. The system file check stated there was no integrity issues found. Here is the log of the first scan. Thanks!

 

Michael

 

 

 

windowerrorlog.txt

[michaelglew]

PS: One other problem has popped up. I can no longer activate real time scanning. I activate McAfee and it immediately turns back to disabled. Thanks again.  

[Psychotic]

Windows Repair (all-in-one)

Download Windows Repair (All in One) from this site

Install the program then run it.

NOTE 1. In Windows Vista, 7 and 8 right click on the program, click "Run As Administrator".
NOTE 2. Disable your antivirus program before running Windows Repair.

Go to Step 2 and click on Check button next to 1. See If Check Disk Is Needed.
If the tool indicates that the Check Disk is needed click on Do It button next to 2. Check Disk.
In that case make sure you restart computer.




Once the above is done go to Step 3 and allow it to run System File Check by clicking on Do It button:




Go to Step 4 and under "System Restore" click on Create button:




Go to Start Repairs tab and click Start button.

Leave all checkmarks as they're.
NOTE for Windows 8 users. Reset Registry Permissions is NOT checked by design.

Click on Start button.



Post Windows Repair log which is located in the following folder:
64-bit systems - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs
32-bit systems - C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs

[michaelglew]

Hello Marius:

 

I am no able to down load or run the windows repair log. When I attempt to do so I will either get screen after screen of redirects or windows error boxes that state "Failed to Read Lu Dll". Thanks.   

[Psychotic]

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows7:

• For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
• For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.
  

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.
  

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.
  

On the System Recovery Options menu you will get the following options:

• Startup Repair
• System Restore
• Windows Complete PC Restore
• Windows Memory Diagnostic Tool
• Command Prompt
• Select Command Prompt
  

• 
  In the command window:
• type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
• Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
  

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

[michaelglew]

Hello:

 

Attached is the log. Thanks.

FRST.txt

[Psychotic]

I cannot see anything suspicious here - try to run Windows Repair (all in one) in safe mode.

I expect a system defect here.

[michaelglew]

OK. Here is the log from the all in one windows repair. Thanks again.  

chkdsk_full_log.txt

[Psychotic]

That´s not the Windows Repair log.

Did you finish the procedure described here?

[michaelglew]

Hello:

Yes, I did. My apologies. Attached is the proper log you have requested. Thank you for your time.

 

Michael

Windows_Repair_Log.txt

[Psychotic]

Please try again to run combofix

[michaelglew]

Hello:

I was able to get combofix to run in safe mode only. Here is the log. Thank you.

combolog.txt

[Psychotic]

Scan with ESET Online Scan

Go here to run an online scannner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator

• Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
• Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
• Click the blue Run ESET Online Scanner button
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
• Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
• Click on Advanced Settings
• Make sure that the option Remove found threats is unticked.
• Ensure these options are ticked
  • Scan archives
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

  [*]Click Start[*]Wait for the scan to finish[*]When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."[*] Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.[*]Close the ESET online scan, and let me know how things are now.

[michaelglew]

Hello:

 

C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application

C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application

C:\Temp\white.exe Win32/Conduit.SearchProtect.M potentially unwanted application

C:\Windows\System32\Adobe\Shockwave 11\gt.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

C:\Windows\SysWOW64\Adobe\Shockwave 11\gt.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

 

ESET.txt

[Psychotic]

 

C:\Temp\white.exe

Please delete this file.

 

 

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner

Please download AdwCleaner to your desktop.

• Run adwcleaner.exe
  
• Hit Scan and wait for the scan to finish.
  
• Confirm the message but don´t uncheck anything.
  
• Hit Clean
  
• When the run is finished, it will open up a text file
  
• Please post its contents within your next reply
  
• You´ll find the log file at C:\AdwCleaner[s1].txt also
  

Delete junk with JRT

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
  
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  
• The tool will open and start scanning your system.
  
• Please be patient as this can take a while to complete depending on your system's specifications.
  
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  
• Post the contents of JRT.txt into your next message.
  

SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

• Save it to your desktop, start it and follow the instructions in the window.
  
• After the scan finished the (checkup.txt) will open. Copy its content to your thread.
  

[michaelglew]

Hello Marius:

Attached are the logs. I haven't noticed much of a difference. The PC will now only run in safe mode.

 

 

checkup.txt

AdwCleaner19.txt

JRT.txt

[Psychotic]

Do you have the windows disk?