Assistance With Chitka Removal

Danderosa

New Member
Thread author
May 15, 2013
8
Any help appreciated.
 

Attachments

  • OTL.Txt
    94.8 KB · Views: 132
  • aswMBR.txt
    2.1 KB · Views: 104
  • Extras.Txt
    67.4 KB · Views: 97

Fiery

Level 1
Jan 11, 2011
2,007
Hi Danderosa and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

PLEASE NOTE: The first 3 posts of ALL new members require approval by mods/admins. Please be patient if you don't see your post immediately after submitting it.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe; the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
[2013/05/14 16:20:47 | 000,000,000 | ---D | C] -- C:\Users\Daniel\AppData\Roaming\Ixqie
[2013/05/14 16:20:47 | 000,000,000 | ---D | C] -- C:\Users\Daniel\AppData\Roaming\Gutay
[2013/05/14 16:20:47 | 000,000,000 | ---D | C] -- C:\Users\Daniel\AppData\Roaming\Afuf

:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically; post the content in the next reply.

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply
 

Danderosa

New Member
Thread author
May 15, 2013
8
Used the OTL fix. When trying to run jtl.exe it just asks me if it installed correctly and then closes. Haven't got any popups since running the OTL fix. Going to restart again and see what happens. Fingers crossed.
 

Danderosa

New Member
Thread author
May 15, 2013
8
Rebooting and popups are back. When running JRT.exe I get the error "The system cannot find the file specified". It pops up and disappears so quickly I had to take a screen shot to see it.
 

Fiery

Level 1
Jan 11, 2011
2,007
Ok,

Please download ComboFix from one of these locations:

Link 1: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Link 2: http://www.infospyware.net/antimalware/combofix/

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE (http://www.bleepingcomputer.com/forums/topic114351.html) for help.
  • Double click on Combo-Fix & follow the prompts.

When finished, ComboFix will produce a log.

Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
 

Fiery

Level 1
Jan 11, 2011
2,007
Do you get popups in one particular browser or in all browsers?

Upload a File to Virustotal
Please visit www.virustotal.com
  • Click the Choose file... button
  • Navigate to the file c:\windows\system32\frapsv64.dll
  • Click the Open button
  • Click the Scan It button
  • Copy and paste the results back here.
 

Danderosa

New Member
Thread author
May 15, 2013
8
I have IE and Chrome. Getting popups in both.

I have a program on my external (which is unplugged) called Fraps which is a frame per second display program.

Scanned the file, the analysis came up 0/46 and here is the rest of the info I can paste:

One odd thing though, couldn't find the file in /system32/ in the browser, had to copy it to desktop in order for the browser to find it.


SHA256: daa3880f8ba56eb3ef48f9418b6f424951095747d9c19e22398593db587c16fb
SHA1: 0d6109a0428db1dd36125eed45b44978c950bff2
MD5: b6e154d478a5baec3a12b2ee50d396d4
File size: 70.0 KB ( 71680 bytes )
File name: Fraps
File type: Win32 DLL
Detection ratio: 0 / 46
Analysis date: 2013-05-16 02:15:52 UTC ( 0 minutes ago )

File identification
ssdeep: 1536:gCJzBLxa5Bqti1K5TLL/tRkLzaCGYro3xlfEI7PSXjv:gC7tyqtiY5T3/tWLzRhoB+6SXjv
Magic literal: PE32+ executable for MS Windows (DLL) (GUI) Mono/.Net assembly
TrID:
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

VirusTotal metadata
First submission: 2013-03-01 17:40:00 UTC ( 2 months, 2 weeks ago )
Last submission: 2013-05-16 02:15:52 UTC ( 2 minutes ago )
File names: frapsv64.dll, vt-upload-yF2Zk9, vt-upload-qFO7C, Fraps
 

Danderosa

New Member
Thread author
May 15, 2013
8
Also, I'm currently doing the last steps you listed in the other Chitka thread. I'll attach the logs here.
 

Fiery

Level 1
Jan 11, 2011
2,007
No problem :)

Test it out for a bit and let me know. I would like you to run 2 more scans.

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Make sure that the option "Remove found threats" is Un-checked, and the following Advanced Settings are Checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
  • The log can also be found in the log file located at C:\Program Files\ESET\Eset Online Scanner\log.txt

Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A notepad document should open automatically called checkup.txt.
  • Please post the contents of that document in your next reply. Please do not attach it!
 
