Urgent malware issues

Hello
My computer keeps installing a lot of programs without me telling it to do so.
I am really worried could you please help me?

Hello and welcome to Bleeping Computer! My nickname is Pystryker , and I will be helping you with your issue today.


Before we get started, I have a few things I need to go over with you

• If you are receiving help for this issue at another forum, please let me know so I can close this thread.
• Please download to and run all requested tools from your Desktop.
• Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process.
• At the top of your post, please click on the "Follow this topic" button and make sure that the "Received notification" box is checked and set to "Instantly" This will send an email to you as soon as I reply to your topic, allowing us to solve your problem faster.
• If any of your security programs give you a warning about any tool I ask you to use, please do not worry. All the links and tools I provide to you will be safe.
• Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
• This is a complicated process. It requires several steps, patience, and careful following of my instructions in the order they are given to diagnose your problems to get your machine back in working order.
• Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. I promise to do the same for you.
• It is impossible for me to know what interactions may happen between your computer's software and the tools we will use to clean your machine. Therefore, I highly recommend you backup any critical personal files on your machine before we start.
• If you have any questions at all, please don't hesitate to ask. There's no such thing as a stupid question when dealing with malware.
• If you are unsure of an instruction I give you, or if something unexepected occurs, Do NOT proceed! Stop and ask for clarification of the instruction or tell me what occurred.
• Please remember, the fixes are for your machine and your machine ONLY! Do not use these fixes on any other machine, each fix is tailor made for your system only. Using a fix on another machine can and will cause serious damage.
• Once we have cleaned your machine, we'll have some cleanup and prevention steps to go through. We will also provide you with some information about how to reduce your chances of infection and get some protections in place to help defend you against this in the future
• Please be patient while I am analyzing your logs. I know you are probably scared and very frustrated with this problem, but I am a volunteer and sometimes life does get in the way.

Now, let's get started, shall we?


Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
• Place a check in the box marked Addition.txt
  
  
• Press Scan button.
• It will produce a log called FRST.txt in the same directory the tool is run from.
• Please copy and paste log back here.
• The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

FRST Log

Addition.txt Log

For some reason I cannot load up any websites and I keep getting pop ups saying update now which I am not clicking.
One of the pop ups said it has stopped me from using any browsers

Hello

I'm currently analyzing you logs, however, I can't find any information on the file below. If you can use a browser on the machine, I'd like you to upload it to VirusTotal for scanning.


Step 1: Upload File

• Please go to VirusTotal.org by clicking here
• Please click on Choose File
• When the window opens, navigate to the location listed in the box below and select file that is listed in that location.
  
  

  C:\Program Files (x86)\rec_gb_236\rec_gb_236.exe

• Once you have selected the file, click the blue Scan It! button.
• VirusTotal will scan the file and produce a report for you. Please copy the link the address bar when it shows you the report and post it in your next reply.

Things I need to see in your next post:

VirusTotal Link

https://www.virustotal.com/en/file/4adaa6536b7c36c2c3e3062c26e720524916845797d89777cdc9efc2340e1254/analysis/1458995105/

Hello

Thank you for the link, that file is infected and will be removed . We've got a lot of work to do. The infections have patched a Windows system file and we'll fix that as soon as we get rid of the infections.

When you post the requested logs, please let me know how the machine is running at this point.

Let's get started.


Step 1: Program Uninstalls

Please uninstall the following programs from your machine as they are adware/malware related. If one of the programs fails to uninstall, please move on to the next one in the list.

• Body Text Feathering
• Setup
• SunnyDayApps Maintenance 013.236

Step 2: Fix with FRST

Important: Before performing this step, please move FRST64.exe from F:\willi to your Desktop or the fix will not work. All tools must be run from the Desktop for maximum effect.

• Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy.
• Right-click in the open notepad and select Paste).
• Save it on the desktop as fixlist.txt
  
  NOTE: It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

Start
CreateRestorePoint:
CloseProcesses:
() C:\Users\willi\AppData\Local\SunnyDay13\usun.exe
C:\Users\willi\AppData\Local\SunnyDay13
() C:\Users\willi\AppData\Roaming\cpuminer\cpm.exe
C:\Users\willi\AppData\Roaming\cpuminer
() C:\Program Files (x86)\SunnyDay13\SunnyDay.exe
C:\Program Files (x86)\SunnyDay13
HKLM\...\Run: [cpuminer] => C:\Users\willi\AppData\Roaming\cpuminer\cpm.exe [1417216 2016-02-29] ()
HKLM-x32\...\Run: [win_en_77] => [X]
HKLM-x32\...\Run: [sun13] => C:\Program Files (x86)\SunnyDay13\SunnyDay.exe [4055728 2016-03-24] ()
HKLM-x32\...\RunOnce: [usun.exe] => C:\Users\willi\AppData\Local\SunnyDay13\usun.exe [3247280 2016-03-24] ()
() C:\Program Files (x86)\rec_gb_236\rec_gb_236.exe
HKLM-x32\...\Run: [rec_gb_236] => C:\Program Files (x86)\rec_gb_236\rec_gb_236.exe [4054704 2016-03-23] ()
Winsock: Catalog9-x64 01 C:\windows\system32\zdengine64.dll [341670 2016-03-25] (zdengine)
Winsock: Catalog9-x64 02 C:\windows\system32\zdengine64.dll [341670 2016-03-25] (zdengine)
Winsock: Catalog9-x64 03 C:\windows\system32\zdengine64.dll [341670 2016-03-25] (zdengine)
Winsock: Catalog9-x64 04 C:\windows\system32\zdengine64.dll [341670 2016-03-25] (zdengine)
Winsock: Catalog9-x64 16 C:\windows\system32\zdengine64.dll [341670 2016-03-25] (zdengine)
C:\windows\system32\zdengine64.dll
BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> F:\Program Files (x86)\bin\jp2ssv.dll => No File
FF Plugin-x32: @java.com/DTPlugin,version=11.66.2 -> F:\Program Files (x86)\bin\dtplugin\npDeployJava1.dll [No File]
FF Plugin-x32: @java.com/JavaPlugin,version=11.66.2 -> F:\Program Files (x86)\bin\plugin2\npjp2.dll [No File]
CHR HomePage: Profile 1 -> hxxp://www-searching.com/?s=G3Ozftpbl0cshmoBD,0fcbd9b9-0d39-4234-9c15-2195883a9a88,&prd=smw
CHR StartupUrls: Profile 1 -> "hxxp://www-searching.com/?s=G3Ozftpbl0cshmoBD,0fcbd9b9-0d39-4234-9c15-2195883a9a88,&prd=smw"
CHR DefaultSearchURL: Profile 1 -> hxxp://www-searching.com/search.aspx?s=G3Ozftpbl0cshmoBD,0fcbd9b9-0d39-4234-9c15-2195883a9a88,&prd=smw&q={searchTerms}
CHR DefaultSearchKeyword: Profile 1 -> www-searching.com
CHR DefaultSuggestURL: Profile 1 -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
R2 zdwfp; C:\windows\system32\Drivers\zdwfp64.sys [46352 2016-03-04] (zdengine)
S3 e1edc438-f640-4184-a443-d2a7c37a01dc; \??\C:\3XS-TESTS\OA30\690b33e1-0462-4e84-9bea-c7552b45432a.sys [X]
S4 NVHDA; \SystemRoot\system32\drivers\nvhda64v.sys [X]
S1 owfrxpjm; \??\C:\windows\system32\drivers\owfrxpjm.sys [X]
C:\windows\system32\Drivers\zdwfp64.sys
2016-03-25 21:38 - 2016-03-25 22:21 - 00011056 _____ C:\windows\SysWOW64\zdengineOff.ini
2016-03-25 21:38 - 2016-03-25 22:21 - 00011056 _____ C:\windows\system32\zdengineOff.ini
2016-03-25 21:32 - 2016-03-25 21:32 - 00000000 ____D C:\Users\willi\AppData\Local\rec_gb_236
2016-03-25 21:32 - 2016-03-25 21:32 - 00000000 ____D C:\Program Files (x86)\SunnyDayApps
2016-03-25 21:32 - 2016-03-25 21:32 - 00000000 ____D C:\Program Files (x86)\rec_gb_236
2016-03-25 21:29 - 2016-03-26 11:45 - 00000000 ____D C:\Users\willi\AppData\Local\SunnyDay13
2016-03-25 21:29 - 2016-03-25 21:29 - 00000000 ____D C:\Program Files (x86)\SunnyDay13
2016-03-25 20:57 - 2016-03-25 20:57 - 00000000 ____D C:\Users\willi\AppData\Roaming\cpuminer
2016-03-24 20:12 - 2016-03-25 21:38 - 00000002 _____ C:\END
Task: {99D91490-F9C7-4488-BA3E-AE684A56730F} - System32\Tasks\NIFQIDEGATILRONX => C:\ProgramData\Service1104\Service1104.exe <==== ATTENTION
2016-03-24 20:12 - 2016-03-24 20:12 - 00003450 _____ C:\windows\System32\Tasks\NIFQIDEGATILRONX
2016-03-24 20:12 - 2016-03-24 20:12 - 00000374 ____H C:\windows\Tasks\NIFQIDEGATILRONX.job
2016-03-24 20:11 - 2016-03-26 08:11 - 00000000 ____D C:\Program Files (x86)\QuickSearch
Task: {CC646D0F-A353-4B18-B6B0-2798D9D5A618} - \{080C0D47-0E04-0E0A-0C11-78097E05110C} -> No File <==== ATTENTION
Task: C:\windows\Tasks\NIFQIDEGATILRONX.job => C:\ProgramData\Service1104\Service1104.exe <==== ATTENTION
C:\ProgramData\Service1104
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\zdengine => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\zdwfp => ""="Driver"
CMD: netsh winsock reset catalog
CMD: bitsadmin /reset /allusers
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:
Hosts:
End

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Run FRST and press the Fix button just once and wait. The tool will make a log on the desktop (Fixlog.txt) please post it in your next reply.


Step 3: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

Step 4: AdwCleaner

Download ADWcleaner by clicking here. Please save it to your Desktop

• Double click (Vista and 7 Users)right click the adwcleaner.exe file and click Run as Adminstrator and accept the UAC prompt to run AdwCleaner
• Once AdwCleaner's control panel is open and it says "Waiting for Action", click on Options at the top of the control panel.
• Please Check the following options:
  • Reset Proxy Settings
  • Reset Winsock Settings
  • Reset TCP/IP Settings
  • Reset Firewall Settings
  • Reset IPSec Settings
  • Reset BITS Queue
  • Reset Internet Explorer Policies
  • Reset Chrome Policies
• Close any open windows or browsers.
• Pause your Anti-Virus program if it is running.
• Once it starts, click on the Scan button.
• Let the scan complete itself. This may take a few minutes.
• Once the scan has finished, it will say "Pending, uncheck elements you don't want to remove.", don't worry about unchecking anything and then click the Cleaning button. When finished, it will ask to reboot. Please reboot.
• When the machine has rebooted, a log will be produced. Please copy/paste that in your next reply. Here's how:
  • Click the Logfile button and the log will open. Copy and Paste the contents of the log file into your next reply.
  This report is also saved at C:\Adwcleaner

Step 5: Frest Scan with FRST

• Start Farbar's Recovery Scan Tool and press the Scan button.
• FRST will scan your system and produce two logs: FRST.txt and Addition.txt. Please post them in your next reply.

Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

Fixlog.txt Log

Junkware Removal Tool Log

AdwCleaner Log

Fresh FRST.txt Log

Fresh Addition.txt Log

How is the machine running?

We still have much to do, but how is the machine running at this point?

the machine isnt running too bad but i am still getting pop ups telling me to update and i still can only use avast safe browser because ie and chrome wont load any webpages at all

the machine isnt running too bad but i am still getting pop ups telling me to update and i still can only use avast safe browser because ie and chrome wont load any webpages at all

Hello

Ok, let's repair the patched file. Please give me another update on the machine's performance after running these steps.


Step 1: System File Checker

• Click the Start button and in the Search bar, type in Command Prompt You will see cmd.exe appear at the top of the window.
• Right click on it and select Run as Administrator. Answer Yes if the machine requests it.
• When the Command Prompt window opens, type this in: sfc /scannow
• Please note the space between sfc and /scannow, it must be there to execute the command.
• The system scan will begin. It may take a while to complete
• Once the scan is complete, enter the command below and press Enter.

copy %windir%\logs\cbs\cbs.log "%userprofile%\Desktop\cbs.txt"

This will copy a log cbs.txt to your Desktop. Please post it in your next reply.


Step 2: Fresh FRST Scan

• Start Farbar's Recovery Scan Tool and press the Scan button.
• FRST will scan your system and produce two logs: FRST.txt and Addition.txt. Please post them in your next reply.

Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

cbs.txt Log

Fresh Frst.txt Log

Fresh Addition.txt Log