
  • "auditstan" started this thread

Date of registration:
Jan 18th 2013

Version:
Avira Antivirus Premium

Operating System:
Win7


1

Friday, January 18th 2013, 3:39pm

JS/Redirect.CH infection

Hi Georgi,

Please help me with removing JS/Redirect.CH infection

1. Avira Premium warning appears on bootup JS/Redirect.CH
2. I use Chrome but internet explorer appears to be running in the background, can't end it using Task Manager (web site running http://www2.bsearchengine.com......)
3. I have followed your (2nd post) step by step advice re: running OTL scan and my .txt message is attached for your expert advice

http://pastebin.com/WrZ68Ev8

Let me know if you require more info from me.

Thanks
Stan

FFreestyleRR

Community member

Date of registration:
Apr 16th 2008

Version:
Avira Free Antivirus

Operating System:
Windows 7 Ultimate SP1 x64


2

Friday, January 18th 2013, 5:12pm

Hi Stan,

We need to run an OTL Fix

  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"

    :OTL
    MOD - C:\Users\ACER\AppData\Roaming\rmsrep.dll ()
    [2013/01/18 21:23:57 | 000,003,993 | ---- | M] () (No name found) -- C:\Users\ACER\AppData\Roaming\mozilla\firefox\profiles\9eo26p2b.default\extensions\{801e6d58-a6e5-4c13-86d3-f7c7760cd923}.xpi
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - HKU\S-1-5-21-1171238923-1958829387-797495820-1001..\Run: [naning] C:\Users\ACER\AppData\Roaming\naning.dll (IDT, Inc.)
    O4 - HKU\S-1-5-21-1171238923-1958829387-797495820-1001..\Run: [rmsrep] C:\Users\ACER\AppData\Roaming\rmsrep.dll ()
    O4 - HKU\S-1-5-21-1171238923-1958829387-797495820-1001..\Run: [sropi] rundll32.exe ",AppendTempFileList File not found
    [2013/01/18 21:54:45 | 000,006,523 | ---- | M] () -- C:\Users\ACER\AppData\Local\801e6d58-a6e5-4c13-86d3-f7c7760cd923.crx
    :commands
    [emptytemp]

  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.
  7. If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  8. Copy/paste the content of the log back here in your next post.
  9. Now can you please go to C:\_OTL\MovedFiles and right click on the folder, select send to compressed(zip) folder that will make a zipped copy of this folder.
  10. Then please upload it to http://www.bleepingcomputer.com/submit-m…php?channel=122 so we can examine the files and submit to antivirus companies if needed.
  11. After that please delete the zip files you just created.




Regards,
Georgi

  • "auditstan" started this thread


3

Saturday, January 19th 2013, 12:42am

Hi Georgi,

1. After reboot, Avira detected JS/Redirect.CH again in C:\Users\ACER\AppData\Temp\...\manager.js
2. A prompt message also appeared "problem starting C:\Users\ACER\AppData\Roaming\rmsrep.dll, specified module could not be found", click OK
3. The "MovedFiles" zipped file has been uploaded to the site as instructed
4. Internet Expl doesn't seem to be running in the background now

Thanks again for your help

Here's the OTL message

All processes killed
========== OTL ==========
C:\Users\ACER\AppData\Roaming\mozilla\firefox\profiles\9eo26p2b.default\extensions\{801e6d58-a6e5-4c13-86d3-f7c7760cd923}.xpi moved successfully.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1171238923-1958829387-797495820-1001\Software\Microsoft\Windows\CurrentVersion\Run\\naning deleted successfully.
C:\Users\ACER\AppData\Roaming\naning.dll moved successfully.
Registry value HKEY_USERS\S-1-5-21-1171238923-1958829387-797495820-1001\Software\Microsoft\Windows\CurrentVersion\Run\\rmsrep deleted successfully.
C:\Users\ACER\AppData\Roaming\rmsrep.dll moved successfully.
Registry value HKEY_USERS\S-1-5-21-1171238923-1958829387-797495820-1001\Software\Microsoft\Windows\CurrentVersion\Run\\sropi deleted successfully.
C:\Users\ACER\AppData\Local\801e6d58-a6e5-4c13-86d3-f7c7760cd923.crx moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: ACER
->Temp folder emptied: 6162910 bytes
->Temporary Internet Files folder emptied: 863930 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 49797338 bytes
->Flash cache emptied: 492 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 70475 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 238992 bytes

Total Files Cleaned = 54.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 01192013_072451

Files\Folders moved on Reboot...
C:\Users\ACER\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\ACER\AppData\Local\Temp\MMDUtl.log moved successfully.
C:\Users\ACER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IXZGS8QO\find[11].htm moved successfully.
C:\Users\ACER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AIM61NFI\30200000000[1].htm moved successfully.
C:\Users\ACER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Users\ACER\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
File move failed. C:\Windows\temp\dsiwmis.log scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

FFreestyleRR


4

Saturday, January 19th 2013, 11:50am

Hi,


Could you please re-run OTL and post the link to the log in your next reply?



Regards,
Georgi

  • "auditstan" started this thread


5

Saturday, January 19th 2013, 1:24pm

Hi Georgi,

OTL has been re-run with the text/log posted at

http://pastebin.com/GDj8AvG4

Thanks,
Stan

FFreestyleRR


6

Saturday, January 19th 2013, 2:22pm

Hi Stan,

STEP 1

We need to run an OTL Fix

  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"

    :OTL
    O4 - HKU\S-1-5-21-1171238923-1958829387-797495820-1001..\Run: [rmsrep] "C:\Windows\System32\rundll32.exe" "C:\Users\ACER\AppData\Roaming\rmsrep.dll",Long_FromLongLong File not found
    [2011/02/22 21:19:46 | 000,131,984 | ---- | C] () -- C:\ProgramData\FullRemove.exe
    :commands
    [emptytemp]

  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.
  7. If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  8. Copy/paste the content of the log back here in your next post.



The prompt message should disappear now. :)


Also let's check for leftovers:


STEP 2


  • Please download RogueKiller and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.




STEP 3



Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.



STEP 4

  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and post the results in your next reply.




STEP 5


Update Avira and run a full system scan.
Post the log in your next reply.



Regards,
Georgi

  • "auditstan" started this thread


7

Saturday, January 19th 2013, 4:24pm

Hi Georgi,

Have followed each step and the various log messages are copied below, apologies in advance for the long message. Thanks so much for your patience and help. Stan

STEP 1

Upon reboot, the prompt message has disappeared (yay!) but Avira detected the JS/Redirect again

All processes killed
========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-1171238923-1958829387-797495820-1001\Software\Microsoft\Windows\CurrentVersion\Run\\rmsrep deleted successfully.
C:\ProgramData\FullRemove.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: ACER
->Temp folder emptied: 6029163 bytes
->Temporary Internet Files folder emptied: 140562 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 175397466 bytes
->Flash cache emptied: 492 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 68251 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 585117188 bytes

Total Files Cleaned = 731.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 01192013_213604

Files\Folders moved on Reboot...
C:\Users\ACER\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\ACER\AppData\Local\Temp\MMDUtl.log moved successfully.
File move failed. C:\Windows\temp\dsiwmis.log scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


STEP 2 RK report - Shall I delete the 6 registry items found in RK?

RogueKiller V8.4.3 [Jan 10 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : ACER [Admin rights]
Mode : Scan -- Date : 01/19/2013 21:44:31

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: TOSHIBA MK7559GSXP +++++
--- User ---
[MBR] ba8f5eed07d25f7d4de12660ecf8370d
[BSP] e4c751cf5be87c85a481da56493680d0 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 15360 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 31459328 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 31664128 | Size: 699942 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_01192013_02d2144.txt >>
RKreport[1]_S_01192013_02d2144.txt

STEP 3 JRT REPORT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.4.4 (01.17.2013:1)
OS: Windows 7 Home Premium x64
Ran by ACER on Sat 19/01/2013 at 21:48:59.25
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 19/01/2013 at 22:00:20.55
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

STEP 4 MALWARE REPORT

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.19.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
ACER :: ACER-PC [administrator]

19/01/2013 10:04:50 PM
mbam-log-2013-01-19 (22-04-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 251529
Time elapsed: 3 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

STEP 5 UPDATE & RE-SCAN AVIRA

3 detections of JS/Redirect.CH

FFreestyleRR


8

Saturday, January 19th 2013, 4:33pm

Hi Stan,


I need to see that log :)

Quoted

STEP 5 UPDATE & RE-SCAN AVIRA

3 detections of JS/Redirect.CH




Regards,
Georgi

  • "auditstan" started this thread


9

Saturday, January 19th 2013, 4:58pm

Hi Georgi,

Sorry, the scan just ended. Here's the log (the 4 items were quarantined). Thanks, Stan


Avira Antivirus Premium 2012
Report file date: Saturday, 19 January 2013 22:10

Scanning for 4689316 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available.

Licensee :
Serial number :
Platform : Windows 7 Home Premium
Windows version : (Service Pack 1) [6.1.7601]
Boot mode : Normally booted
Username : ACER
Computer name : ACER-PC


Configuration settings for the scan:
Jobname.............................: Local Drives
Configuration file..................: C:\Program Files (x86)\Avira\AntiVir Desktop\alldrives.avp
Logging.............................: default
Primary action......................: Interactive
Secondary action....................: Ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended

Start of the scan: Saturday, 19 January 2013 22:10

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

The scan of running processes will be started

Starting to scan executable files (registry).
The registry was scanned ( '2048' files ).


Starting the file scan:

Begin scan in 'C:\' <Acer>
C:\Users\ACER\AppData\Local\Google\Chrome\Application\23.0.1271.97\Extensions\801e6d58-a6e5-4c13-86d3-f7c7760cd923.crx
[0] Archive type: ZIP
--> manager.js
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
C:\Users\ACER\AppData\Local\Google\Chrome\Application\24.0.1312.52\Extensions\801e6d58-a6e5-4c13-86d3-f7c7760cd923.crx
[0] Archive type: ZIP
--> manager.js
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
C:\Users\ACER\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdjbnddbclciabnckgeahmneohjlahdm\1.0_0\manager.js
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
C:\_OTL\MovedFiles\01192013_072451\C_Users\ACER\AppData\Local\801e6d58-a6e5-4c13-86d3-f7c7760cd923.crx
[0] Archive type: ZIP
--> manager.js
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
Begin scan in 'D:\'
Search path D:\ could not be opened!
System error [21]: The device is not ready.

Beginning disinfection:
C:\_OTL\MovedFiles\01192013_072451\C_Users\ACER\AppData\Local\801e6d58-a6e5-4c13-86d3-f7c7760cd923.crx
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
[NOTE] The file was moved to the quarantine directory under the name '57d561b6.qua'.
C:\Users\ACER\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdjbnddbclciabnckgeahmneohjlahdm\1.0_0\manager.js
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
[NOTE] The file was moved to the quarantine directory under the name '4f014e42.qua'.
C:\Users\ACER\AppData\Local\Google\Chrome\Application\24.0.1312.52\Extensions\801e6d58-a6e5-4c13-86d3-f7c7760cd923.crx
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
[NOTE] The file was moved to the quarantine directory under the name '1d1d14f9.qua'.
C:\Users\ACER\AppData\Local\Google\Chrome\Application\23.0.1271.97\Extensions\801e6d58-a6e5-4c13-86d3-f7c7760cd923.crx
[DETECTION] Contains recognition pattern of the JS/Redirect.CH Java script virus
[NOTE] The file was moved to the quarantine directory under the name '7b2a5b3b.qua'.


End of the scan: Saturday, 19 January 2013 23:55
Used time: 1:43:56 Hour(s)

The scan has been done completely.

33273 Scanned directories
570312 Files were scanned
4 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
4 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
570308 Files not concerned
4458 Archives were scanned
0 Warnings
4 Notes

This post has been edited 1 times, last edit by "Chess2008" (Jan 21st 2013, 10:30pm) with the following reason: Serial number and Licensee deleted.
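Added example for this thread, not Avira's, Google's or any forum helper's tooling: the log above flags manager.js inside .crx archives, and the extension also appears as cdjbnddbclciabnckgeahmneohjlahdm.json under Chrome's Extensions folder. A .crx is a small signed header followed by a plain ZIP, and on Windows an <id>.json file in that folder makes Chrome install the package named in its "external_crx" key without the user visiting the Web Store. The script below parses a CRX2 container (skipping the header of a CRX3 one), lists the packaged files, derives the 32-letter extension ID from the CRX2 public key the way Chrome does (SHA-256 of the DER key, first 16 bytes, hex digits remapped to a-p), and cross-checks an external-extension JSON against the package. The CRX, its key bytes and the JSON are constructed in memory; the key is placeholder bytes, not a real key, and the function names are mine.

```python
import hashlib
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"


def extension_id_from_pubkey(der_pubkey: bytes) -> str:
    """Chrome's extension ID: SHA-256 of the DER public key, first 16 bytes,
    hex-encoded, with the hex digits 0-f remapped to the letters a-p."""
    digest = hashlib.sha256(der_pubkey).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def parse_crx(data: bytes) -> dict:
    """Split a CRX2/CRX3 container into header fields and the embedded ZIP."""
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file: missing Cr24 magic")
    version = struct.unpack_from("<I", data, 4)[0]
    if version == 2:
        # CRX2: magic, version, key length, signature length, key, signature, ZIP
        key_len, sig_len = struct.unpack_from("<II", data, 8)
        pubkey = data[16:16 + key_len]
        zip_start = 16 + key_len + sig_len
        ext_id = extension_id_from_pubkey(pubkey)
    elif version == 3:
        # CRX3: magic, version, header length, protobuf header, ZIP. The keys sit
        # inside the protobuf, which is not parsed here, so no ID is derived.
        zip_start = 12 + struct.unpack_from("<I", data, 8)[0]
        ext_id = None
    else:
        raise ValueError("unsupported CRX version %d" % version)
    with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
        names = zf.namelist()
    return {"version": version, "extension_id": ext_id, "files": names,
            "scripts": [n for n in names if n.lower().endswith(".js")]}


def check_external_extension(json_filename: str, json_text: str, crx_bytes: bytes) -> list:
    """Cross-check an external-extension <id>.json against the package it names.
    Returns finding strings (my own tags); an empty list means nothing looked off."""
    findings = []
    declared_id = json_filename.rsplit(".json", 1)[0]
    prefs = json.loads(json_text)
    info = parse_crx(crx_bytes)
    # Chrome refuses a package whose key does not hash to the file's <id>, so a
    # mismatch means the JSON and the CRX were not produced together.
    if info["extension_id"] is not None and info["extension_id"] != declared_id:
        findings.append("MISMATCH: json says %s but package key gives %s"
                        % (declared_id, info["extension_id"]))
    crx_path = prefs.get("external_crx", "")
    if "\\appdata\\" in crx_path.lower():
        findings.append("USER-WRITABLE: external_crx lives in a profile dir: " + crx_path)
    for script in info["scripts"]:
        findings.append("SCRIPT: package contains " + script)
    return findings


def build_sample_crx2(pubkey: bytes, files: dict) -> bytes:
    """Wrap an in-memory ZIP in a CRX2 header (placeholder signature, no signing)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    signature = b"\x00" * 16  # constructed placeholder
    header = CRX_MAGIC + struct.pack("<III", 2, len(pubkey), len(signature))
    return header + pubkey + signature + buf.getvalue()


# Constructed sample data. The crx path is the one named in the thread; the
# key bytes, manifest and script body are placeholders.
SAMPLE_PUBKEY = b"constructed-placeholder-public-key-bytes"
SAMPLE_CRX = build_sample_crx2(SAMPLE_PUBKEY, {
    "manifest.json": json.dumps({"name": "sample", "version": "1.0", "manifest_version": 2}),
    "manager.js": "// constructed stand-in for the flagged script\n",
})
SAMPLE_ID = extension_id_from_pubkey(SAMPLE_PUBKEY)
SAMPLE_JSON_NAME = SAMPLE_ID + ".json"
SAMPLE_JSON = json.dumps({
    "external_crx": r"C:\Users\ACER\AppData\Local\801e6d58-a6e5-4c13-86d3-f7c7760cd923.crx",
    "external_version": "1.0",
})

if __name__ == "__main__":
    print(parse_crx(SAMPLE_CRX))
    for finding in check_external_extension(SAMPLE_JSON_NAME, SAMPLE_JSON, SAMPLE_CRX):
        print(finding)
```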


FFreestyleRR


10

Saturday, January 19th 2013, 5:40pm

Hi,


Let me check something for one last time:


Please download SystemLook from the link below and save it to your Desktop.
SystemLook_x64.exe
  • Double-click SystemLook_x64.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    801e6d58-a6e5-4c13-86d3-f7c7760cd923
    *.crx*
    *.js*
    :dir
    C:\Users\ACER\AppData\Local\Google\Chrome\User Data\Default\Extensions /s
    C:\Users\ACER\AppData\Local\Google\Chrome\Application\24.0.1312.52\Extensions /s
    C:\Users\ACER\AppData\Local\Google\Chrome\Application\23.0.1271.97\Extensions /s
    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions /s

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please upload the log at pastebin.com and post the link to the log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Regards,
Georgi

  • "auditstan" started this thread


11

Sunday, January 20th 2013, 12:22am

Hi Georgi,

It seems fine now. Avira has not detected JS/Redirect.CH at reboot.

Pastebin didn't allow the message as the file log size was too large. The txt file can be downloaded from:

https://www.dropbox.com/s/ksx2ry5dorxb7d6/SystemLook.txt

Thanks again for the massive help.

Regards
Stan

FFreestyleRR


12

Sunday, January 20th 2013, 12:46am

Hi Stan,


We are almost done here.

  1. Please reopen OTL on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"

    :files
    C:\Users\ACER\AppData\Local\Google\Chrome\Application\23.0.1271.97\Extensions\cdjbnddbclciabnckgeahmneohjlahdm.json
    C:\Users\ACER\AppData\Local\Google\Chrome\Application\24.0.1312.52\Extensions\cdjbnddbclciabnckgeahmneohjlahdm.json
    C:\Users\ACER\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdjbnddbclciabnckgeahmneohjlahdm
    :commands
    [emptytemp]

  3. Push
  4. OTL may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.
  7. If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  8. Copy/paste the content of the log back here in your next post.



Regards,
Georgi

  • "auditstan" started this thread


13

Tuesday, January 22nd 2013, 1:43pm

Hi Georgi,

Here's the log.

Thanks
Stan

All processes killed
========== FILES ==========
C:\Users\ACER\AppData\Local\Google\Chrome\Application\23.0.1271.97\Extensions\cdjbnddbclciabnckgeahmneohjlahdm.json moved successfully.
C:\Users\ACER\AppData\Local\Google\Chrome\Application\24.0.1312.52\Extensions\cdjbnddbclciabnckgeahmneohjlahdm.json moved successfully.
C:\Users\ACER\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdjbnddbclciabnckgeahmneohjlahdm\1.0_0 folder moved successfully.
C:\Users\ACER\AppData\Local\Google\Chrome\User Data\Default\Extensions\cdjbnddbclciabnckgeahmneohjlahdm folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: ACER
->Temp folder emptied: 7796469 bytes
->Temporary Internet Files folder emptied: 33300 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 46361992 bytes
->Flash cache emptied: 492 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 77801 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 52.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 01222013_203633

Files\Folders moved on Reboot...
C:\Users\ACER\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\ACER\AppData\Local\Temp\MMDUtl.log moved successfully.
File move failed. C:\Windows\temp\dsiwmis.log scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
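The OTL log above shows the fix removing one Chrome extension by its ID from two places: the per-profile `User Data\Default\Extensions` tree and the external-extension `.json` files under `Application\<version>\Extensions`. The following PowerShell script is an added example (not part of this thread and not an OTL or Avira tool) that audits both locations on a Windows machine so a similar unwanted extension can be spotted before or after a cleanup. The watchlist contains only the ID taken from the log; the list of "sensitive" permissions is an assumption of what a defender would want highlighted, and the function names are mine.

```powershell
# Added example (not from the thread): audit Google Chrome extensions in the
# current user's profile, the same locations OTL cleaned in the log above.

# Constructed watchlist: the only entry is the extension ID that appears in the
# OTL log. Anything else you add here is your own indicator.
$Watchlist = @('cdjbnddbclciabnckgeahmneohjlahdm')

# Assumption: permissions that let an extension observe or rewrite browsing
# (the behaviour a redirector needs) and therefore deserve a second look.
$SensitivePermissions = @('webRequest', 'webRequestBlocking', 'webNavigation',
                          'tabs', 'proxy', 'cookies', '<all_urls>')

function Get-ChromeExtensionAudit {
    param(
        # Default Chrome profile path, as seen in the OTL log.
        [string]$ExtensionRoot = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions')
    )
    if (-not (Test-Path $ExtensionRoot)) { return @() }

    foreach ($idDir in Get-ChildItem -Path $ExtensionRoot -Directory) {
        # Each extension ID folder holds one or more version folders ("1.0_0" in
        # the log), each with its own manifest.json.
        foreach ($verDir in Get-ChildItem -Path $idDir.FullName -Directory) {
            $manifestPath = Join-Path $verDir.FullName 'manifest.json'
            if (-not (Test-Path $manifestPath)) { continue }
            try {
                $manifest = Get-Content -Path $manifestPath -Raw -Encoding UTF8 | ConvertFrom-Json
            } catch {
                Write-Warning "Could not parse $manifestPath"
                continue
            }

            # Manifest v2 keeps host patterns in "permissions"; v3 moves them to
            # "host_permissions". Merge both so the check works for either.
            $permissions = @()
            if ($manifest.permissions)      { $permissions += $manifest.permissions }
            if ($manifest.host_permissions) { $permissions += $manifest.host_permissions }

            $flags = @()
            if ($Watchlist -contains $idDir.Name) { $flags += 'ON-WATCHLIST' }
            if ($permissions | Where-Object { $SensitivePermissions -contains $_ }) {
                $flags += 'SENSITIVE-PERMISSIONS'
            }
            # A content script matched against <all_urls> runs in every page.
            if ($manifest.content_scripts | Where-Object { $_.matches -contains '<all_urls>' }) {
                $flags += 'ALL-URL-CONTENT-SCRIPT'
            }

            [pscustomobject]@{
                Id          = $idDir.Name
                Name        = $manifest.name   # may read "__MSG_name__" for localized extensions
                Version     = $verDir.Name
                Permissions = ($permissions -join ', ')
                Flags       = ($flags -join ' ')
                Manifest    = $manifestPath
            }
        }
    }
}

function Get-ChromeExternalExtensionFiles {
    # External extension definitions: a <id>.json file dropped here makes Chrome
    # install that extension without the user choosing it. The OTL log moved two
    # such files out of Application\<version>\Extensions.
    param(
        [string]$ApplicationRoot = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\Application')
    )
    if (-not (Test-Path $ApplicationRoot)) { return @() }
    Get-ChildItem -Path (Join-Path $ApplicationRoot '*\Extensions\*.json') -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Id        = $_.BaseName
                Flag      = if ($Watchlist -contains $_.BaseName) { 'ON-WATCHLIST' } else { '' }
                File      = $_.FullName
                Modified  = $_.LastWriteTime
            }
        }
}

# Report: flagged extensions first, then any external-extension files.
Get-ChromeExtensionAudit | Sort-Object Flags -Descending | Format-Table -AutoSize
Get-ChromeExternalExtensionFiles | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell session as the affected user, since the paths live under that user's `%LOCALAPPDATA%`. An empty result from both functions is the expected state after a cleanup like the one logged above; anything marked `ON-WATCHLIST` or carrying an all-URL content script with network-level permissions is what a helper would ask to see the manifest of next.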

FFreestyleRR

Community member

Date of registration:
Apr 16th 2008

Version:
Avira Free Antivirus

Operating System:
Windows 7 Ultimate SP1 x64


14

Tuesday, January 22nd 2013, 2:13pm

Hi Stan,

If there aren't any more issues, then I can proceed with my final recommendations. :)

Nicely done!
I have some final words for you.
All Clean!
Your machine appears to be clean. Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.



UPDATING TASKS

  • It is possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
  • Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
  • You can check these by visiting Secunia Software Inspector, or you can use the following application for this purpose: PatchMyPC.






Visit Microsoft's Windows Update Site Frequently

  • It is important that you visit Windows Update regularly.
  • This will ensure your computer always has the latest available security updates installed.
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Note:
It is recommended to turn automatic updates on: Click here for more information.





STEP 2 CLEANUP

To remove all of the tools we used and the files and folders they created, please do the following:

Please download OTC.exe by OldTimer and save it to your desktop.

  • Right-click the OTC.exe and choose Run as Administrator.
  • Click on the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

  • Next, please download Delfix.exe by Xplode and save it to your desktop.
  • Please start it, check the box next to "Remove disinfection tools" and click on the Run button.
  • The tool will delete itself once it finishes.

Note: If any tool, file, log file or folder (belonging to the programs we have used) hasn't been deleted, please delete it manually.

Feel free to uninstall Eset Online Scanner.





STEP 3 SECURITY ADVICE

Change all your passwords!

Since your computer was infected, for peace of mind I would advise that all your passwords be changed immediately (just in case).
Use different passwords for all your accounts. Also, don't use easy passwords such as your favorite teams, bands or pets, because this will allow people to guess your password.
You can use PC Tools Password Generator to create random passwords and then install an application like KeePass Password Safe to store them for easy access.

If you do Online Banking!

Online Banking Protection Against Identity Theft

Also make sure you use the HTTPS protocol with your banking websites.

Use HTTPS When Logging In To Social Websites



Keep your antivirus software turned on and up-to-date

  • Make sure your antivirus software is turned on and up-to-date.
  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
  • Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • You should scan your computer with an anti-spyware program like Malwarebytes' Anti-Malware on a regular basis, just as you would with antivirus software.
  • Be sure to check for and download any definition updates prior to performing a scan.



Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:

  1. If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  2. If you receive an attachment and it ends with .exe, .com, .bat, or .pif, do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  3. If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know who is infected with malware that is trying to infect everyone in their address book.
  4. If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix
  5. Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If a menu comes up saying Add to Favorites..., you know it's a fake.
  6. Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  7. When using an Instant Messaging program, be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead, when you receive a message that contains a link, message the person back asking if it is legit before you click on it.
  8. Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications. Malware writers just love cracks and keygens, and will often attach malicious code to them. By using cracks and/or keygens, you are asking for problems. So my advice is: stay away from them!
  9. Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing it, and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee SiteAdvisor to look up info on the site. Note: skip this advice if your antivirus has a Web Guard.
  10. DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.



Use Google Chrome, or install Mozilla Firefox with these add-ons: NoScript, Adblock Plus and TrackerBlock, or optimize Internet Explorer

To prevent further infections, use Google Chrome, which has a sandbox.

If you like Mozilla Firefox, be sure to install the add-ons NoScript, Adblock Plus and TrackerBlock.
Adblock Plus can be found here.
TrackerBlock can be found here.
NoScript can be found here (however, please note that NoScript is only for advanced users, as it blocks all the interactive parts of a webpage, such as login options). Read this for more information: Browsing the internet securely

For Internet Explorer 9 (Vista and Windows 7 and above)

If you are an IE user, be sure to configure its Tracking Protection and ActiveX Filtering. More information can be found here. Tracking Protection Lists can be downloaded and installed from here.
Also make sure that you use the SmartScreen Filter. Check this out.
Finally, go ahead and configure its Protected Mode. See here how.

For Internet Explorer 7 and 8 (Windows XP) read the articles below:

Securing Your Web Browser
Security and privacy features in Internet Explorer 8

Immunize your browsers with SpywareBlaster 4.6 and Spybot Search and Destroy 1.6



Create an image of your system

  • Now that your PC is malware free, it is a good idea to make a backup of all important files, just in case something happens to it.
  • Macrium Reflect is a very good choice that enables you to create an image of your system drive which can be restored in case of problems.
  • The download link is here.
  • The tutorials can be found here.
  • Be sure to read the tutorial first.




Optimize Windows 7 for better performance

Check the following link for more info.

Follow this list and your potential for being infected again will be reduced dramatically.

Safe Surfing! :)



Regards,
Georgi

  • "auditstan" started this thread

Date of registration:
Jan 18th 2013

Version:
Avira Antivirus Premium

Operating System:
Win7


15

Tuesday, January 22nd 2013, 2:23pm

Hi Georgi,

Thanks so much for your help & recommendations. It's great advice.

Regards
Stan

FFreestyleRR

Community member

Date of registration:
Apr 16th 2008

Version:
Avira Free Antivirus

Operating System:
Windows 7 Ultimate SP1 x64


16

Wednesday, January 23rd 2013, 1:00am

Hi Stan,

You are more than welcome! :)


Regards,
Georgi