Need help Unknown Adware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rob01998, Oct 8, 2009.

  1. rob01998

    rob01998 Private E-2

    I've been having a problem with an adware recently. None of my anti-virus/malware programs (Malwarebytes, Spybot, AVG Free) are detecting it, but it's causing Internet Explorer to randomly open with random websites (most but not all are for fake anti-virus programs). I don't even use Internet Explorer, I use Firefox. It does seem to also be affecting Firefox too; sometimes when I click a link for a page I want to see it will open some random page similar to the IE problem. I tried using that SmitfraudFix tool which is supposed to detect this type of adware and remove it, but it did not work (it found several items and supposedly fixed them, but the problem is still occurring).

    My HijackThis logfile is attached. I don't have the expertise to determine what should be deleted. Any help is greatly appreciated. Thanks ahead of time.
     

    Attached Files:

  2. rob01998

    rob01998 Private E-2

    No responses? Anyway, I've been researching this for several days and I decided to take a chance and assume it was some variant of the Vundo trojan (several months back I had a previous infection by Vundo and thought it was completely removed using Malwarebytes). Now, after running ComboFix, it seems to have removed the symptoms. I read that even having one leftover Vundo file on my computer can cause reinfection. I would like to finally remove this thing. I'm attaching the log from ComboFix if anyone cares to read it. I would greatly appreciate help with locating any leftover rogue files and registry keys that might exist.
     

    Attached Files:

  3. evilfantasy

    evilfantasy Malware Fighter

  4. rob01998

    rob01998 Private E-2

    Okay. Logs for SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools are attached. I could not run RootRepeal for some reason. I clicked the .exe file to open the program, but it just hangs on the "initializing please wait" stage. I have 32-bit Windows, so it should work, but it didn't. Firewall and anti-virus were both disabled and should not have interfered.

    Also, as mentioned before, I had previously run ComboFix and the symptoms went away and have yet to return. If it was Vundo I don't want it to come back. If you spot any rogue files or registry keys that I should delete, please let me know. Thanks.
     

    Attached Files:

  5. evilfantasy

    evilfantasy Malware Fighter

    Please go to VirSCAN.org FREE on-line scan service
    (If more than one file needs to be scanned, they must be done separately and logs posted for each one)

    1. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.
    Code:
    c:\windows\system32\drivers\2e14d3bc.sys
    2. At the upload site, click once inside the window next to Browse.
    3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    4. Click on the Upload button.
    This will perform a scan across multiple virus scanning engines.
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    Important: Wait for all of the scanning engines to complete.
    5. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
    6. Paste the contents of the Clipboard in your next reply.

    Note: If using Firefox you will need to copy the link in the address bar and post it back here instead. The Copy to Clipboard feature will not work.



    Also do you know what this is?

     
    Last edited: Oct 14, 2009
  6. rob01998

    rob01998 Private E-2

    Hi, I attempted to use the online scanner for that file, but it appears that the file is no longer present on my hard drive (file not found error). I attempted to locate it manually by following the file path, but it's not there. Could it have been automatically removed during the cleanup process?

    Also, I don't know what the 2nd item you mentioned is, but it also seems to have been removed from my system.

    For what it's worth, I have yet to see any of the symptoms since the cleanup and running ComboFix.

    Thanks for all your help so far.
     
  7. evilfantasy

    evilfantasy Malware Fighter

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    • O4 - Startup: PowerReg Scheduler V3.exe

    After clicking Fix checked, exit HJT.




    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.




    Delete these files/folders, as follows:

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    Folder::
    c:\recycler\
    c:\program files\Viewpoint
    c:\windows\5BGLQV06CHMRW16B
    
    File::
    c:\documents and settings\Robert Garcia\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
    c:\windows\system32\drivers\2e14d3bc.sys
    
    Firefox::
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.



    Now run a new MGtools scan and attach that log along with the new ComboFix log.
     
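A practical caveat from the exchange above: by the time the driver was to be uploaded to the multi-engine scanner it had already been deleted, so nothing identified it. Taking an inventory of every File:: entry in a CFScript before running it, with a SHA-256 of each file that still exists, preserves an identifier that can be looked up on a scanner later even after the file is gone. The following is an added example, not part of the original thread and not ComboFix's own code; it assumes only the section layout visible in the script above (a `Name::` header line followed by one entry per line), and the sample script text and file contents inside it are constructed for illustration.

```python
"""Parse a ComboFix-style CFScript and hash the File:: entries before running it.

Added example (not from the thread, not ComboFix code). Assumes the layout seen
in the post: section headers like 'KillAll::', 'Folder::', 'File::', 'Firefox::'
followed by one entry per line. Sample text below is constructed.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Optional

# A section header is a bare word followed by '::' and nothing else.
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")

# Constructed sample in the same shape as the script in the thread
# (generic user name; trailing space after the folder name is deliberate).
SAMPLE_CFSCRIPT = r"""
KillAll::

Folder::
c:\recycler
c:\program files\Viewpoint
c:\windows\5BGLQV06CHMRW16B 

File::
c:\documents and settings\user\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
c:\windows\system32\drivers\2e14d3bc.sys

Firefox::
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
"""


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split CFScript text into {section_name: [entries]}.

    Bare directives such as KillAll:: are kept with an empty list so the
    caller can see they were present. Blank lines are skipped and every
    entry is stripped: a stray trailing space after a path would otherwise
    name a file that does not exist.
    """
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def sha256_file(path: str) -> Optional[str]:
    """Hex SHA-256 of a file, or None if it is already gone or unreadable."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def inventory(paths: List[str]) -> Dict[str, Optional[str]]:
    """Map each path to its SHA-256 (None = missing). Run this BEFORE the fix."""
    return {p: sha256_file(p) for p in paths}


def demo_inventory() -> Dict[str, Optional[str]]:
    """Exercise inventory() on a scratch directory: one present file, one missing."""
    scratch = tempfile.mkdtemp(prefix="cfscript-demo-")
    present = os.path.join(scratch, "present.sys")
    with open(present, "wb") as fh:
        fh.write(b"abc")  # constructed content; SHA-256 is the well-known value
    missing = os.path.join(scratch, "2e14d3bc.sys")
    result = inventory([present, missing])
    return {"present": result[present], "missing": result[missing]}


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for section, entries in parsed.items():
        print(f"{section}:: {len(entries)} entries")
    # On a live box you would pass parsed["File"] straight to inventory().
    for path, digest in demo_inventory().items():
        print(path, digest or "MISSING")
```

Keep the resulting hashes with the logs; a file that a later ComboFix run or a reboot removes can still be searched for by its SHA-256 on a multi-engine scanner, which is exactly what was not possible for the driver in this thread.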
  8. rob01998

    rob01998 Private E-2

    Okay. Done. The logs are attached.

    Note: I had a blue screen of death error in the middle of running ComboFix. I just rebooted and started the procedure over, and it seems to have worked. Hopefully it did not affect the process.

    Thanks for all your help!!
     

    Attached Files:

  9. evilfantasy

    evilfantasy Malware Fighter

  10. rob01998

    rob01998 Private E-2

    I ran into a major problem after attempting to restart my computer after getting that blue screen of death and running combofix. Windows would not boot up and began endlessly trying to reboot. I ended up having to do a repair installation on windows to get it to start again.

    When I finally got it running I ran CCleaner and BitDefender. The BitDefender log is attached.

    I don't know what effect having to do the repair installation on windows had on previous cleaning steps.
     

    Attached Files:

  11. evilfantasy

    evilfantasy Malware Fighter

    Run a new MGtools scan and post the log.

    Also let me know how the computer is running now.
     
  12. rob01998

    rob01998 Private E-2

    Okay. New MGtools log is attached. So far it is running well, and my AVG, Malwarebytes and Spybot scans are all clean aside from some tracking cookies, which were removed.
     

    Attached Files:

  13. evilfantasy

    evilfantasy Malware Fighter

    Your logs are clean.

    I'm not sure why you were getting the blue screens. Sometimes scanners have a hard time removing files and that will happen.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below:
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (this uninstall will only work as written if you installed ComboFix on your Desktop like we requested).
      • Click START then RUN, enter the below into the run box and then click OK. Note: the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run the cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  14. rob01998

    rob01998 Private E-2

    All done. Thanks again for all your help.
     
  15. evilfantasy

    evilfantasy Malware Fighter

    You're welcome.

    Safe surfing.
     
