Need help with malware


laww


I'm new to the forum, not sure I am posting to the right place, but I need help.

I have a Windows 7 64-bit PC.

Symptoms seem to match what I have read about the Hijack malware.

- PC won't boot
- Goes into Checkdisk and stalls out during index checking
- Won't go into safe mode
- Won't respond to keyboard "press any key not to perform checkdisk"
- Repair stalls out on the file \windows\sysWOW64\config\SYSTEMPROFILE\AppData\Local\Microsoft\Windows\TerInternetfiles\Content.IE5\ttjCAAV14FSK.js

I followed the instructions to run FRST64 from a flash drive, and attached is the result from that run, if anyone can guide me in what to do next. Seems you will provide a solution.txt file?

Please advise what I should do next.

Thank you in advance, the help I've seen you provide others here is awesome.

FRST.txt


Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Fix with FRST (Recovery Environment)

  • Open notepad (Start => All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

    HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1644680 2013-01-28] (Ask)
    HKU\LaDell\...\Run: [Google Update] - [x]
    S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{860e1ae7-06eb-4f0d-712f-46ba0f9db1df}\   \...\???\{860e1ae7-06eb-4f0d-712f-46ba0f9db1df}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
    C:\Program Files (x86)\Ask.com
    C:\Program Files (x86)\Google\Desktop
    C:\Users\LaDell\AppData\Local\Google\Desktop\Install
    C:\Windows\assembly\GAC_32\Desktop.ini
    C:\Windows\assembly\GAC_64\Desktop.ini
    C:\Users\LaDell\AppData\Roaming\i.ini

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Now please enter System Recovery Options again.

  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log on the flashdrive (Fixlog.txt); please post it to your reply.

Now try to boot into windows and report.


Hi Marius,

Thanks for your help.

My comment is in RED below, I forgot how to do this step:

  • Now please enter System Recovery Options again.
  • I still have the 'system recovery options' dialogue open from before, but forgot what steps I need to take to run frst.exe
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.

I ran FRST64.txt (the log is below).

Restart.

File system checking began and did what it did before, stopped at this point:

   CHKDSK is verifying indexes (stage 2 or 3)
   65 percent completed (1570397 of 1649788 index entries processed)


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 31-10-2013
Ran by SYSTEM at 2013-11-07 12:37:00 Run:1
Running from L:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
HKLM-x32\...\Run: [ApnUpdater] - C:\Program Files (x86)\Ask.com\Updater\Updater.exe [1644680 2013-01-28] (Ask)
HKU\LaDell\...\Run: [Google Update] - [x]
 
S2 *etadpug; "C:\Program Files (x86)\Google\Desktop\Install\{860e1ae7-06eb-4f0d-712f-46ba0f9db1df}\   \...\???\{860e1ae7-06eb-4f0d-712f-46ba0f9db1df}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
 
C:\Program Files (x86)\Ask.com
C:\Program Files (x86)\Google\Desktop
C:\Users\LaDell\AppData\Local\Google\Desktop\Install
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Users\LaDell\AppData\Roaming\i.ini
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ApnUpdater => Value deleted successfully.
HKU\LaDell\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update => Value not found.
*etadpug => Unable to delete service
*etadpug => Service should be removed with FRST outside recovery mode.
C:\Program Files (x86)\Ask.com => Moved successfully.
C:\Program Files (x86)\Google\Desktop => Moved successfully.
C:\Users\LaDell\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini => Moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini => Moved successfully.
"C:\Users\LaDell\AppData\Roaming\i.ini" => File/Directory not found.
 
==== End of Fixlog ====
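An added verification step, written for this thread and not part of it or of FRST: the Fixlog above shows that the *etadpug service could not be removed from the recovery environment, so this PowerShell check, run as administrator from a normal boot while logged in as the LaDell account (so that HKCU is that user's hive), reports which items from Marius's fixlist are still present. It deletes nothing; the paths and names come straight from the fixlist.

```powershell
# Added example (not from the thread or FRST): re-check the fixlist artifacts from a normal boot.
# Assumes an elevated PowerShell session under the LaDell account. Report only, no removal.
$findings = @()

# 1. Autorun values named in the fixlist (HKLM-x32 Run and the LaDell user's Run key).
$runChecks = @(
    @{ Path = 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'; Name = 'ApnUpdater' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';             Name = 'Google Update' }
)
foreach ($c in $runChecks) {
    $v = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v) { $findings += "Run value still present: $($c.Path)\$($c.Name) = $($v.($c.Name))" }
}

# 2. The service FRST could not delete in recovery mode. The leading '*' is part of the
#    service name, so -LiteralPath is required; -Path would treat it as a wildcard.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\*etadpug'
$svc = Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service key still present: $svcKey  ImagePath=$($svc.ImagePath)" }

# 3. Any other service whose binary lives in the Google\Desktop\Install tree the fixlist removes
#    (the flagged ImagePath pointed there via a subfolder with an unprintable name).
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $ip = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($ip -and $ip -like '*Google\Desktop\Install*') {
        $findings += "Service $($_.PSChildName) points into Google\Desktop\Install: $ip"
    }
}

# 4. Files and folders listed in the fixlist (FRST reported i.ini as already absent).
$paths = @(
    'C:\Program Files (x86)\Ask.com',
    'C:\Program Files (x86)\Google\Desktop',
    'C:\Users\LaDell\AppData\Local\Google\Desktop\Install',
    'C:\Windows\assembly\GAC_32\Desktop.ini',
    'C:\Windows\assembly\GAC_64\Desktop.ini',
    'C:\Users\LaDell\AppData\Roaming\i.ini'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Path still present: $p" }
}

if ($findings.Count -eq 0) { 'No fixlist artifacts remain.' } else { $findings }
```

Anything it lists is what the helper would expect to handle with FRST outside recovery mode, as the Fixlog itself advises for the service.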

Restarted in safe mode to avoid File Checking and it stopped at this point:
Loaded: \Windows\system32\drivers\storport.sys

What do you recommend next? Thank you
Hi Marius.

Though my computer seemed stuck at that old failure point, I accidentally bumped the keyboard and heard the wonderful Windows greeting song. My desktop works again. I rebooted a second time and it came up with no problems. I'm "Staying with you" as you requested, let's talk prevention!

Thanks so much for the help that got me from "down hard" to "up and running".


Full System Scan with Malwarebytes Antimalware

  • If not existing, please download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, place a checkmark on all hard drives, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Post that log back here.

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Scan with Farbar's Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
