hidden malware - can't install malwarebytes - can't perform dds report

[biterzio]

Hello,

I think my pc has a hidden malware somewhere. It needs to hit f5 several times just to load a webpage. There are pop ups coming up from nowhere.

I checked via kaspersky but found nothing.

Tried to install malwarebytes v2 but says "this computer can't use this version". Tried to send you the report of dds but says compatibility issues. I use win 8. I'd much preciate the help. Thanks a lot

[Psychotic]

Hi there,
my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

• First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
• Perform everything in the correct order. Sometimes one step requires the previous one.
• If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
• Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
• Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
• Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
• My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

 
 
 
 
Scan with FRST in normal mode

Please download Farbar's Recovery Scan Tool to your desktop: FRST 32bit or FRST 64bit (If not sure: Start --> Computer (right click) --> properties)

• Run FRST.
• Don´t change one of the checkboxes and hit Scan.
• Logfiles are created on your desktop.
• Poste the FRST.txt and (after the first scan only!) the Addition.txt.
  

 

 

 

 

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop

• Execute TDSSKiller.exe by doubleclicking on it.
• Press Start Scan
  
• If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  
• Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt
  

Please post the contents of that log in your next reply.

[biterzio]

Thanks.

I tried to run FRST but PC says "this program can't run on your computer. for a compatible version communicate with the publisher" (something like that. i just translate). 

[Psychotic]

Scan with FRST (Recovery Environment)


To run FRST on Vista and Windows7:

• For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
• For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.
  

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.
  

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.
  

On the System Recovery Options menu you will get the following options:

• Startup Repair
• System Restore
• Windows Complete PC Restore
• Windows Memory Diagnostic Tool
• Command Prompt
• Select Command Prompt
  

• 
  In the command window:
• type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
• Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
  

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

[biterzio]

Thanks for the quick reply.

But unfortunately I got the same message: "this program can't run on this computer". (I tried both 32bit and 64bit. My PC is 64bit)

[Psychotic]

So you booted your computer to Recovery Environment, started FRST64.exe ang got this message displayed?

Or did you try to run FRST64.exe while Windows was loaded?

[biterzio]

tried

1. in normal way

2. in safe mode

3. via System Recovery Options from the Advanced Boot Options (as you described)

 

everytime the same message: "this app can't run on your pc"

[Psychotic]

Which windows version is running here?

[biterzio]

computer: asus

windows 8.1

intel core i5-3317u

[Psychotic]

go to http://windows.microsoft.com/en-us/windows-8/restore-refresh-reset-pc

 

Follow the instructions to refresh the system files.

 

When finished, reboot and try again to run FRST.

[biterzio]

refreshed the windows. now it runs as windows 8 (not 8.1)

problem remains. i got the same message when i tried to run frst64 (this app can't run on your computer)

However, now dds.scr runs. dds.com doesn't unfortunately. I don't know if it helps but i send you the "attach" and "dds" logs.

attach.txt

dds.txt

[Psychotic]

That won´t help.

 

Lets try a different way:

 

 

 

Scan with OTL

1. Download OTL by OldTimer and save it to your desktop.
2. Double click on the OTL.exe icon on your desktop. If you are using Vista, please right-click and select run as administrator
3. Click the "Scan All Users" checkbox.
   
   
   Note: If you are using a Windows 64bit machine, please make sure the checkbox next to Include 64Bit Scans is checked. It will be checked by default.
   
   
4. Push the button.
5. It will now begin to scan, please be paitent while it scans.
6. Two reports will open once it's done.
7. Please copy and paste them in your next reply:
   
   • OTL.txt <-- Will be opened
   • Extras.txt <-- Will be minimized
     

[biterzio]

Thanks. This time OTL worked. Here are the files.

Extras.Txt

OTL.Txt

[Psychotic]

Scan with aswMBR

Please download aswMBR ( 4.5MB ) to your desktop.

• Double click the aswMBR.exe icon, and click Run.
• There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
• When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
• Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
• Click the Scan button to start the scan once the update has finished downloading
• On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.
  

Note: There will also be a file on your desktop named MBR.dat do not delete this for now. It is an actual backup of the MBR (master boot record).
 
 
Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop

• Execute TDSSKiller.exe by doubleclicking on it.
• Press Start Scan
  
• If Malicious objects are found, do NOT select Copy to quarantine. Change the action to Skip, and save the log.
  
• Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt
  

Please post the contents of that log in your next reply.

[biterzio]

thanks for the quick anf thorough reply. Here are the files attached.

aswMBR.txt

TDSSKiller.3.0.0.26_28.03.2014_20.11.12_log.txt

[Psychotic]

Try again to install Malwarebytes:

 

 

Full System Scan with Malwarebytes Antimalware

• 
  If not existing, please download

Malwarebytes Anti-Malware to your desktop. Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program. At the end, be sure a checkmark is placed next to the following:

• Launch Malwarebytes Anti-Malware
• A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

[*]Click Finish.

If the program is already installed:

• Run Malwarebytes Antimalware
• On the Dashboard, click the 'Update Now >>' link
• After the update completes, click the 'Scan Now >>' button.
• Or, on the Dashboard, click the Scan Now >> button.
• If an update is available, click the Update Now button.
• A Threat Scan will begin.
• When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
• In most cases, a restart will be required.
• Wait for the prompt to restart the computer to appear, then click on Yes.
  

• After the restart once you are back at your desktop, open MBAM once more.
• Click on the History tab > Application Logs.
• Double click on the scan log which shows the Date and time of the scan just performed.
• Click 'Copy to Clipboard'
• Paste the contents of the clipboard into your reply.
  

[biterzio]

Thanks,

Now, malwarebytes worked. Here is the scan log.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 31.3.2014
Scan Time: 11:25:54
Logfile:
Administrator: Yes

Version: 2.00.0.1000
Malware Database: v2014.03.31.03
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 8
CPU: x64
File System: NTFS
User: ASUS pc

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 300313
Time Elapsed: 16 min, 25 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.Conduit.A, HKU\S-1-5-21-284399717-2469920456-462359662-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\CONDUIT\FF, Quarantined, [03cc15f45b20cb6bc37c146f976c9c64],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 3
PUP.Optional.OpenCandy, C:\Users\ASUS pc\AppData\Roaming\OpenCandy, Quarantined, [25aafe0b522989ad2b046ae67191f10f],
PUP.Optional.OpenCandy, C:\Users\ASUS pc\AppData\Roaming\OpenCandy\11E93E91AA9A42919605C162D20C7546, Quarantined, [25aafe0b522989ad2b046ae67191f10f],
PUP.Optional.OpenCandy, C:\Users\ASUS pc\AppData\Roaming\OpenCandy\OpenCandy_11E93E91AA9A42919605C162D20C7546, Quarantined, [25aafe0b522989ad2b046ae67191f10f],

Files: 1
PUP.Optional.OpenCandy, C:\Users\ASUS pc\AppData\Roaming\OpenCandy\11E93E91AA9A42919605C162D20C7546\PokkiInstaller.exe, Quarantined, [25aafe0b522989ad2b046ae67191f10f],

Physical Sectors: 0
(No malicious items detected)


(end)

[Psychotic]

That looks good:

 

Scan with ESET Online Scan

Please go to here to run the online scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is unticked
• Click on Advanced Settings and ensure these options are ticked:
  • Scan for potentially unwanted applications
• Scan for potentially unsafe applications
• Enable Anti-Stealth Technology

[*]Click Scan[*]Wait for the scan to finish[*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.

[biterzio]

Hello;

 

Thanks. Here is the text document

eset_threat.txt

[Psychotic]

Fix with FRST (normal mode)

WARNING: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
 

• Download the attached fixlist.txt and save it to the location where FRST is saved to.
• Run FRST.exe (on 64bit, run FRST64.exe) and press the Fix button just once and wait.
• The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

 

 

 

 

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.

 

• Run adwcleaner.exe
• Hit Scan and wait for the scan to finish.
• Confirm the message but don´t uncheck anything.
• Hit Clean
• When the run is finished, it will open up a text file
• Please post its contents within your next reply
• You´ll find the log file at C:\AdwCleaner[s1].txt also

Delete junk with JRT

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

• Save it to your desktop, start it and follow the instructions in the window.
• After the scan finished the (checkup.txt) will open. Copy its content to your thread.

 

fixlist.txt

[biterzio]

frst doesn't work anymore. i got the same message again: "this program can't run on your computer".

[Psychotic]

Sorry...

 

 

Fix with OTL

Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).

• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :FILES
  C:\Users\ASUS pc\Google Drive\çal??malar\program\ABBYY FineReader v11.0.102.583 Corporate Edition\Patch.exe
  C:\Users\ASUS pc\Google Drive\çal??malar\program\BS.Player Pro 2.56.1043\bsplayer_pro256.1043.exe
  D:\Yedek\çal??malar\program\BS.Player Pro 2.56.1043\bsplayer_pro256.1043.exe:COMMANDS
  [emptytemp]
  

• Return to OTL, right click in the "Custom Scans/Fixes" section and choose Paste.
• Click the red Run Fix button.
• OTL may ask to reboot the machine. Please do so.
• If OTL did not reboot the machine, click OK and the log will open. Post the contents of the log in your next reply.
• If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
  
  

[biterzio]

Thanks. I run the OTL. Here is the log file.

 

All processes killed
========== FILES ==========
File\Folder C:\Users\ASUS pc\Google Drive\çal??malar\program\ABBYY FineReader v11.0.102.583 Corporate Edition\Patch.exe not found.
File\Folder C:\Users\ASUS pc\Google Drive\çal??malar\program\BS.Player Pro 2.56.1043\bsplayer_pro256.1043.exe not found.
File\Folder D:\Yedek\çal??malar\program\BS.Player Pro 2.56.1043\bsplayer_pro256.1043.exe not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 0 bytes
 
User: All Users
 
User: ASUS pc
->Temp folder emptied: 1064293353 bytes
->Temporary Internet Files folder emptied: 213863 bytes
->Java cache emptied: 1019630 bytes
->FireFox cache emptied: 105100938 bytes
->Flash cache emptied: 2625 bytes
 
User: Default
->Temp folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
 
User: Public
 
User: UpdatusUser
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 846443 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 25908943 bytes
RecycleBin emptied: 22987 bytes
 
Total Files Cleaned = 1.142,00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 04022014_130900

Files\Folders moved on Reboot...
C:\Users\ASUS pc\AppData\Local\Microsoft\Windows\INetCache\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 

[Psychotic]

 

C:\Users\ASUS pc\Google Drive\çal??malar\program\ABBYY FineReader v11.0.102.583 Corporate Edition\Patch.exe

C:\Users\ASUS pc\Google Drive\çal??malar\program\BS.Player Pro 2.56.1043\bsplayer_pro256.1043.exe

D:\Yedek\çal??malar\program\BS.Player Pro 2.56.1043\bsplayer_pro256.1043.exe

OTL cannot handle the localized names. Please delete these filse manually.

 

 

Then we can do the cleanup - if you are facing any issues, report that immediately.

Delete junk with adwCleaner

Please download AdwCleaner to your desktop.

• Run adwcleaner.exe
  
• Hit Scan and wait for the scan to finish.
  
• Confirm the message but don´t uncheck anything.
  
• Hit Clean
  
• When the run is finished, it will open up a text file
  
• Please post its contents within your next reply
  
• You´ll find the log file at C:\AdwCleaner[s1].txt also
  

Delete junk with JRT

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
  
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  
• The tool will open and start scanning your system.
  
• Please be patient as this can take a while to complete depending on your system's specifications.
  
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  
• Post the contents of JRT.txt into your next message.
  

SecurityCheck

Reboot your system before starting!

Please download SecurityCheck: LINK1 LINK2

• Save it to your desktop, start it and follow the instructions in the window.
  
• After the scan finished the (checkup.txt) will open. Copy its content to your thread.
  

[biterzio]

Hello. The files are attached. But there wasn't a file named AdwCleaner[s01].txt. There was AdwCleaner[s0].txt

AdwCleanerS0.txt

JRT.txt

checkup.txt