Avast WEBforum
Other => Viruses and worms => Topic started by: kishtara on May 29, 2012, 02:00:37 PM
-
Hi,
Much like another user just posted, I too keep getting this Avast popup:
I keep getting an Avast pop--up that says:
"Malicious URL Blocked."
It then shows the alleged URL that was blocked and states:
Infection: URL:Mal
Process: C:\Windows\system32\svchost.exe
I scanned with MBAM and got this.
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org
Database version: v2012.05.29.03
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Karen :: KAREN-PC [administrator]
29/05/2012 7:21:41 AM
mbam-log-2012-05-29 (07-21-41).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 219491
Time elapsed: 7 minute(s), 1 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Users\Karen\AppData\Local\Temp\tempfiles.exe (Trojan.Agent.H) -> Quarantined and deleted successfully.
(end)
Then I had to restart my computer so it could remove the Trojan. Note that since then Avast is still complaining about the malicious url with svchost.exe.
Then I downloaded OTL and ran it. Only attaching Extras log file here, and OTL log file will be in next reply (due to sizes).
Then I downloaded and ran aswMBR.exe, log will be attached in next reply since it is 2kb.
Thank you kindly,
Karen
-
OTL Log file
-
aswMBR.exe log file
-
Hi,
I'm new here - is there anything else I'm supposed to provide and/or do?
Thank you!
Karen
-
Hi,
I'm new here - is there anything else I'm supposed to provide and/or do?
Thank you!
Karen
nope....now you wait... and it may take several hours
-
No, it is just that there aren't that many malware removal specialists (volunteers) to analyse the logs. I will try and get one to take a look at them.
-
Thank you all, I will check back in later today hopefully get some feedback.
Thanks again,
Karen
-
Hi,
Sorry for the delay....things have been pretty hectic as of late. While I am reviewing your malware logs please do the following...
Download CKScanner by askey127 from Here (http://downloads.malwareremoval.com/CKScanner.exe) & save it to your Desktop. - Right-click and Run as Administrator CKScanner.exe then click Search For Files
- When the cursor hourglass disappears, click Save List To File
- A message box will verify the file saved
- Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply
----------
-
Hi Jeff,
Thank you:
CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\adobe\adobe premiere pro cs5.5\plug-ins\en_us\vstplugins\decrackler1.dll
c:\program files\adobe\adobe premiere pro cs5.5\plug-ins\en_us\vstplugins\decrackler2.dll
c:\program files\adobe\adobe premiere pro cs5.5\plug-ins\en_us\vstplugins\decrackler6.dll
c:\program files (x86)\adobe\adobe dreamweaver cs5.5\configuration\taglibraries\html\keygen.vtm
c:\program files (x86)\adobe\adobe flash catalyst cs5.5\plugins\com.adobe.thermo.core_1.5.0.308731\com\adobe\thermo\undo\thermoundosystem$undoabledocumentchangecracker.class
c:\program files (x86)\android\android-sdk\docs\reference\java\security\spec\rsakeygenparameterspec.html
c:\program files (x86)\android\android-sdk\docs\reference\javax\crypto\keygenerator.html
c:\program files (x86)\android\android-sdk\docs\reference\javax\crypto\keygeneratorspi.html
c:\program files (x86)\common files\adobe\adobe contribute cs5.1\app\configuration\browsers\mozilla run time libraries\dist\idl\nsikeygenthread.idl
c:\program files (x86)\common files\adobe\adobe contribute cs5.1\app\configuration\browsers\mozilla run time libraries\dist\include\nsikeygenthread.h
c:\program files (x86)\gimphoto 1.4.3\share\gimp\2.0\patterns\cracked.pat
c:\program files (x86)\git\bin\ssh-keygen.exe
c:\program files (x86)\inkscape\python\lib\site-packages\numpy\f2py\crackfortran.py
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\cmd.exe
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.coderush.common.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.data.v11.1.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.utils.v11.1.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\gacutil.exe
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\register.bat
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\sn.exe
c:\users\karen\downloads\iphone apps and games\pb_fantasies-v1.1.1805-cracked_by_trancewarp.ipa
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\d.o.c-howto-crack-a-game.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\how to crack cd protection.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\how to crack cd's.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\wolf-howto-crack-any-cdprotection.doc
c:\users\karen\downloads\marketing\web_content_studio_[software_(msi)_+_crack_(exe)_+_instructions(txt)].rar
c:\users\karen\downloads\pc games\9 - the dark side collector's edition - full precracked - foxy games\9 - the dark side collector's edition - full precracked - foxy games.exe
c:\users\karen\downloads\pc games\9 - the dark side collector's edition - full precracked - foxy games\torrent downloaded from demonoid.me.txt
c:\users\karen\scrapbooking\scrappingtable\theme sets\easter jubilee\eggcracked.scut2
c:\users\karen\scrapbooking\scrappingtable\theme sets\patriotic picnic\firecracker.scut2
c:\web content studio [software (msi) + crack (exe) + instructions(txt)]\crack\webcontentstudio.exe
scanner sequence 3.ZZ.11.XQNALM
----- EOF -----
Karen
-
Hi,
CKScanner has detected illegal software on your system. Besides being illegal, it's the number one way of infecting your system as all cracked/keygen software is infected. This forum, as well as all the other malware removal forums, do not support the use of illegal software except for their removal. If I were to continue helping you with illegal software installed, it could be construed in the eyes of the law as aiding and abetting a crime.
This may or may not be related to your computer issues, however, if you wish me to continue helping you, then you must remove both the keygen and crack files as well as the related programs. If you do not agree to this then this thread will be closed and no further help will be offered because I will never be able to tell you your malware logs are clean. Please let me know if you wish to continue.
-
Hi Jeff,
I definitely want you to continue to help me, what should I do? My son uses this computer also, I don't know what to delete that you are referring to? Just the files that showed up in the CK txt?
Thank you!
Karen
-
Ok...
Let me work up a fix to remove these and the rest of the items that I am seeing in the OTL logs. :) I will return as quickly as I can.
-
Hi,
Please download ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
IE - HKU\S-1-5-21-900652906-1050274716-3256234461-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://blekko.com/ws/?source=c3348dd4&toolbarid=blekkotb_031&u=CEF4FC3DC34809F10EFC994FC0AD9563&tbp=homepage
IE - HKU\S-1-5-21-900652906-1050274716-3256234461-1000\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKU\S-1-5-21-900652906-1050274716-3256234461-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100842&mntrId=eec62336000000000000001ee5df9879
IE - HKU\S-1-5-21-900652906-1050274716-3256234461-1000\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekko.com/ws/?source=c3348dd4&tbp=rbox&toolbarid=blekkotb_031&u=CEF4FC3DC34809F10EFC994FC0AD9563&q={searchTerms}
O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\bh\BabylonToolbar.dll (Babylon BHO)
O2 - BHO: (blekko search bar) - {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files (x86)\blekkotb_031\blekkotb_019X.dll ()
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (blekko search bar) - {8769adce-dba5-48e9-afb5-67b12cdf2e61} - C:\Program Files (x86)\blekkotb_031\blekkotb_019X.dll ()
O3 - HKLM\..\Toolbar: (Babylon Toolbar) - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarTlbr.dll (Babylon Ltd.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O33 - MountPoints2\{1b44f99a-8cc7-11e0-871c-842b2bbca7e1}\Shell - "" = AutoRun
O33 - MountPoints2\{1b44f99a-8cc7-11e0-871c-842b2bbca7e1}\Shell\AutoRun\command - "" = "J:\WD SmartWare.exe" autoplay=true
O33 - MountPoints2\{ac3e5e40-3148-11e1-962e-842b2bbca7e1}\Shell - "" = AutoRun
O33 - MountPoints2\{ac3e5e40-3148-11e1-962e-842b2bbca7e1}\Shell\AutoRun\command - "" = J:\autorun.exe
O33 - MountPoints2\{ac3e5e40-3148-11e1-962e-842b2bbca7e1}\Shell\readme\command - "" = notepad readme.txt
O33 - MountPoints2\{ac3e5e40-3148-11e1-962e-842b2bbca7e1}\Shell\Setup\command - "" = J:\install.exe
[2012/05/26 07:16:57 | 000,000,000 | ---D | C] -- C:\Users\Karen\AppData\Local\blekkotb_031
[2012/05/26 07:16:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\blekkotb_031
[1 C:\Users\Karen\Documents\*.tmp files -> C:\Users\Karen\Documents\*.tmp -> ]
[2012/05/23 08:41:52 | 000,007,680 | ---- | M] () -- C:\Users\Karen\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/21 18:11:14 | 000,000,000 | ---D | M] -- C:\Users\Karen\AppData\Roaming\Babylon
@Alternate Data Stream - 60 bytes -> C:\Users\Karen\.DS_Store:AFP_AfpInfo
@Alternate Data Stream - 255 bytes -> C:\Users\Karen\Documents\invite_2.ai:com.apple.Preview.UIstate.v1
@Alternate Data Stream - 252 bytes -> C:\Users\Karen\Documents\80WebsitesToFindPopularTrends.pdf:com.apple.Preview.UIstate.v1
@Alternate Data Stream - 235 bytes -> C:\ProgramData\Temp:1A15E356
@Alternate Data Stream - 232 bytes -> C:\ProgramData\Temp:0BBF232A
@Alternate Data Stream - 229 bytes -> C:\ProgramData\Temp:F89F2593
@Alternate Data Stream - 229 bytes -> C:\ProgramData\Temp:737160C1
@Alternate Data Stream - 222 bytes -> C:\ProgramData\Temp:AECF4772
@Alternate Data Stream - 221 bytes -> C:\ProgramData\Temp:A02025CE
@Alternate Data Stream - 216 bytes -> C:\ProgramData\Temp:2D2461E7
@Alternate Data Stream - 214 bytes -> C:\ProgramData\Temp:512E1728
@Alternate Data Stream - 143 bytes -> C:\ProgramData\Temp:9BB8C675
@Alternate Data Stream - 141 bytes -> C:\ProgramData\Temp:491270B8
@Alternate Data Stream - 139 bytes -> C:\ProgramData\Temp:4D551822
@Alternate Data Stream - 139 bytes -> C:\ProgramData\Temp:14B2E0BD
@Alternate Data Stream - 136 bytes -> C:\ProgramData\Temp:24FECE50
@Alternate Data Stream - 134 bytes -> C:\ProgramData\Temp:905BCB57
@Alternate Data Stream - 132 bytes -> C:\ProgramData\Temp:9F3CEEE6
@Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:75798D9A
@Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:1B389835
@Alternate Data Stream - 127 bytes -> C:\ProgramData\Temp:430C6D84
@Alternate Data Stream - 124 bytes -> C:\ProgramData\Temp:5A2E8BBF
@Alternate Data Stream - 122 bytes -> C:\ProgramData\Temp:59465B40
@Alternate Data Stream - 121 bytes -> C:\ProgramData\Temp:CAC06C34
@Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:9BAC4211
@Alternate Data Stream - 120 bytes -> C:\ProgramData\Temp:8204AA35
@Alternate Data Stream - 117 bytes -> C:\ProgramData\Temp:B139DDF3
@Alternate Data Stream - 105 bytes -> C:\ProgramData\Temp:DFC5A2B2
:Files
c:\program files (x86)\adobe\adobe dreamweaver cs5.5\configuration\taglibraries\html\keygen.vtm
c:\program files (x86)\adobe\adobe flash catalyst cs5.5\plugins\com.adobe.thermo.core_1.5.0.308731\com\adobe\thermo\undo\thermoundosystem$undoabledocumentchangecracker.class
c:\program files (x86)\android\android-sdk\docs\reference\java\security\spec\rsakeygenparameterspec.html
c:\program files (x86)\android\android-sdk\docs\reference\javax\crypto\keygenerator.html
c:\program files (x86)\android\android-sdk\docs\reference\javax\crypto\keygeneratorspi.html
c:\program files (x86)\common files\adobe\adobe contribute cs5.1\app\configuration\browsers\mozilla run time libraries\dist\idl\nsikeygenthread.idl
c:\program files (x86)\common files\adobe\adobe contribute cs5.1\app\configuration\browsers\mozilla run time libraries\dist\include\nsikeygenthread.h
c:\program files (x86)\gimphoto 1.4.3\share\gimp\2.0\patterns\cracked.pat
c:\program files (x86)\git\bin\ssh-keygen.exe
c:\program files (x86)\inkscape\python\lib\site-packages\numpy\f2py\crackfortran.py
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\cmd.exe
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.coderush.common.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.data.v11.1.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\devexpress.utils.v11.1.dll
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\gacutil.exe
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\register.bat
c:\users\karen\downloads\devexpress.dxperience.universal.11.1.7.upby.margus\devexpress.dxperience.universal.11.1.7.upby.margus\crack.upby.margus\sn.exe
c:\users\karen\downloads\iphone apps and games\pb_fantasies-v1.1.1805-cracked_by_trancewarp.ipa
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\d.o.c-howto-crack-a-game.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\how to crack cd protection.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\how to crack cd's.doc
c:\users\karen\downloads\magazines and ebooks pack\banned books collection-p2p\wolf-howto-crack-any-cdprotection.doc
c:\users\karen\downloads\marketing\web_content_studio_[software_(msi)_+_crack_(exe)_+_instructions(txt)].rar
c:\users\karen\downloads\pc games\9 - the dark side collector's edition - full precracked - foxy games\9 - the dark side collector's edition - full precracked - foxy games.exe
c:\users\karen\downloads\pc games\9 - the dark side collector's edition - full precracked - foxy games\torrent downloaded from demonoid.me.txt
c:\users\karen\scrapbooking\scrappingtable\theme sets\easter jubilee\eggcracked.scut2
c:\users\karen\scrapbooking\scrappingtable\theme sets\patriotic picnic\firecracker.scut2
c:\web content studio [software (msi) + crack (exe) + instructions(txt)]\crack\webcontentstudio.exe
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
-
Hi Jeff,
I did as instructed, but when I went to run OTL the last time, I did uncheck LOP and Purity but when I clicked Quick Scan I looked and those 2 options got selected again.
Thank you,
Karen
-
Hi,
I see that you have both Avast and AVG on your system. You should only run one antivirus program at a time as running more than one will cause system problems eventually. Let me know which one you would like to remove.
-----------
Malwarebytes
I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.
----------
Please run a free online scan with the ESET Online Scanner (http://www.eset.com/onlinescan/)
Note: You will need to use Internet Explorer for this scan[/i]- Tick the box next to YES, I accept the Terms of Use
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
- Click Scan (This scan can take several hours, so please be patient)
- Once the scan is completed, you may close the window
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic
----------
In your next reply please let me know which antivirus you want to remove and attach the logs to Malwarebytes and ESET online scanner. :)
-
Hi Jeff,
I'd like to remove AVG and Keep AVAST.
Here is ESET log results and attached is Malwarebytes log:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=b8bc8138c1354e489eaa6e8952d536b7
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-05-31 03:11:47
# local_time=2012-05-31 12:11:47 (-0400, Atlantic Daylight Time)
# country="Canada"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1280 16777215 100 0 0 0 0 0
# compatibility_mode=5893 16776574 33 85 23941150 89969199 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=553467
# found=11
# cleaned=0
# scan_time=8157
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarApp.dll a variant of Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarEng.dll Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarsrv.exe probably a variant of Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
C:\Program Files (x86)\Bookmarkwiz\bookmarkwiz.exe a variant of Win32/Packed.PrivateexeProtector.F application (unable to clean) 00000000000000000000000000000000 I
C:\Users\Karen\AppData\Local\dplayx.dll a variant of Win32/Kryptik.AEKJ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Karen\Documents\hosts2.txt Win32/Qhost trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\Karen\Downloads\cnet2_revosetup_exe.exe a variant of Win32/InstallCore.D application (unable to clean) 00000000000000000000000000000000 I
C:\Windows\Installer\{2cc33ef4-4271-9c44-d303-7ad6c65ccd93}\n Win64/Sirefef.W trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\Installer\{2cc33ef4-4271-9c44-d303-7ad6c65ccd93}\U\80000000.@ Win64/Sirefef.AE trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\05302012_140604\C_Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\BabylonToolbarTlbr.dll Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\05302012_140604\C_Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.35.10\bh\BabylonToolbar.dll Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
-
Hi,
Ok...thanks for letting me know about the antivirus you would like to remove.
The ESET log is interesting.... please do the following...
Download Combofix from either of the links below, and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
--------------------------------------------------------------------
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt for further review.
-
Hi,
Ok...thanks for letting me know about the antivirus you would like to remove.
The ESET log is interesting.... please do the following...
Download Combofix from either of the links below, and save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
--------------------------------------------------------------------
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
- Please post the C:\ComboFix.txt for further review.
Hi Jeff,
I did as instructed, but when I ran (as Administrator) the ComboFix.exe on my desktop, what happened was a window appeared (black background, bright green text) and several lines scrolled by then all of a sudden nothing. All my desktop icons disappeared, I waited, after a minute they all came back, but my Chrome browser was shut down. I tested this 3 times and same results. Plus there is no ComboFix.txt file that gets created. But what is odd is during that scrolling green text it said it was making something (dir or whatever) and it IS on my C:\ when I open Windows Explorer. It is called 32788R22FWJFW and when I click on that it then appears NOT to be a folder, but instead shows me my drives (same thing I see if I click on "Computer"). Very strange!
Not sure what to do...
Thank you,
Karen
-
Hi,
Go ahead and run ComboFix in Safe Mode and see if it will run through. If so please attach the log that is made. :)
-
Hi,
Go ahead and run ComboFix in Safe Mode and see if it will run through. If so please attach the log that is made. :)
Did this (twice, once Safe mode w/ Networking, once Safe mode without). Still didn't act any differently.
Except this time that funny numeric folder I described, is actually a folder with a bunch of files in it (executables, .dat, .inf, etc). Very odd.
But still no ComboFix.txt file anywhere.
New problem though, cannot load into Windows at all. I reboot in normal mode and Windows is loading, asks me for my password, and then I just get the spinning circle and "Welcome" but my desktop NEVER loads. Do you know how to fix this? I'm freaking out a bit here.. Right now I'm typing this on a different machine (mac).
Please please hope you can help.. I will try rebooting and seeing if I can get in with Safe mode. Have to head to sleep shortly.
Thank you,
Karen
-
Hi,
Let's do this...
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).
- Extract the contents of the zipped file to desktop.
- Right-click and Run as Administrator GMER.exe. If asked to allow gmer.sys driver to load, please consent .
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
(http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg) (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it
- In the right panel, you will see several boxes that have been checked. Uncheck the following ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
- Save it where you can easily find it, such as your desktop, and attach it in your reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries.
----------
-
Hi Jeff
The only way I could get into Windows was Safe Mode With Networking. Did this, and got GMER, run as administrator, cannot proceed w/ your instructions because bunch of stuff is greyed out pls see attached image.
My *main concern* right now is How can I possibly load into Windows (not Safe mode)? I have deadlines to meet and not being able to get on my PC is panicking to say the least! :(
Thank you!
Karen
-
Hi Jeff,
Actually was able to get Windows loaded normally but it is running Verrrrry slowly. I open up windows explorer and right-click on gmer.exe and it's taking Forrrever (spinning circle, Not Responding). Very abnormal. Finally after about 3 minutes the right-click menu presents itself and I choose 'run as administrator'.
Nothing will open.. Gmer won't open... Task Manager won't open... Chrome won't open...
At a loss here :(
-
Hi,
Sorry to see so many problems with your system. I was looking over your logs and believe that along with all the illegal software that CKScanner picked up I believe that the ZeroAccess rootkit came aboard with some of that software as well. Just so you know that infection is the real deal.
Since you are only able to boot to Safe Mode please do the following...
Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
- Extract it to your desktop
- Double click TDSSKiller.exe
- when the window opens, click on Change Parameters
- under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
- click OK
- Press Start Scan
- Only if Malicious objects are found then ensure Cure is selected
- Then click Continue > Reboot now
- Attach the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------
-
Hi Jeff - I am currently running a full scan Malwarebytes on my pc in safe mode - do you want me to cancel that and do the following or wait until it is complete?
Thank you,
Karen
Hi,
Sorry to see so many problems with your system. I was looking over your logs and believe that along with all the illegal software that CKScanner picked up I believe that the ZeroAccess rootkit came aboard with some of that software as well. Just so you know that infection is the real deal.
Since you are only able to boot to Safe Mode please do the following...
Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
- Extract it to your desktop
- Double click TDSSKiller.exe
- when the window opens, click on Change Parameters
- under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
- click OK
- Press Start Scan
- Only if Malicious objects are found then ensure Cure is selected
- Then click Continue > Reboot now
- Attach the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------
-
You can wait until it is complete. Then run TDSSKiller and attach both of the logs then. :)
-
Hi Jeff
Attached are the logs from Malwarebytes and TDSSKiller.
Thank you,
Karen
-
Download
FIXTDSS (http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe)
Launch it. It may ask for restart. Reboot the PC
On reboot let me know what it finds
-
Download
FIXTDSS (http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe)
Launch it. It may ask for restart. Reboot the PC
On reboot let me know what it finds
Reboot in safe mode w/ Networking? Or try Normal mode this time?
-
Hi,
Try in Normal Mode...if it won't work give it a try in Safe Mode with Networking. :)
-
Download
FIXTDSS (http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe)
Launch it. It may ask for restart. Reboot the PC
On reboot let me know what it finds
Hi Jeff,
Restarted in normal mode, it didn't find anything. But my PC is back to "working" like normal, i.e. not running slow.
Not sure about the original problem yet though, since I need to wait and see if that pops up again with Avast.
What now? :)
Karen
-
Okay, original problem still exists.. still Malicious URL blocked issue.. :(
-
Hi,
Do you know how to take a screen shot? If you are, please take a screenshot of the popup the next time that it happens. We may just be dealing with a False Positive (FP).
-
Yes I will take a screenshot. Every day it's a new url though... but always svchost.exe
Thank you,
Karen
-
Ok great! That might shed more light.
-
Hi Jeff,
Here is the screen shot attached
Thank you
Karen
-
Hi,
Ok...
OTL
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output.
- Check the boxes beside LOP Check and Purity Check.
- In Custom Scans/Fixes put the following:
netsvcs
/md5start
consrv.dll
/md5stop
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
-
Hi Jeff,
Did what you said but it only created OTL.txt and that file is way too large to put in a post so I've attached it here.
(post maximum characters is 10000)
Thank you,
Karen
-
Just attach all logs. :)
-
I did, the only log it created was OTL.txt which I attached in my prior post.
-
Sorry....missed that. :)
-
Hi,
Please download and run ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {2F5142BF-B9C2-452F-9080-D801203552D5}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{2F5142BF-B9C2-452F-9080-D801203552D5}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = {85FD7698-3808-4492-8FCB-06D657E668D5}
IE - HKLM\..\SearchScopes\{85FD7698-3808-4492-8FCB-06D657E668D5}: "URL" = http://www.bing.com/search?q={searchTerms}&form=DLCDF8&pc=MDDC&src=IE-SearchBox
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ca.msn.com/?lang=en-ca&OCID=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-CA
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BE E7 C6 76 C7 3E CD 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={A1A6A39F-D0DD-4071-A7D3-2EEFF12CB5BA}&mid=b0f3881399f747d098bb55626d584e12-9892d0231abdf0e5babc2f6b12d87f4943c4456f&lang=en&ds=AVG&pr=fr&d=&v=11.0.0.9&sap=dsp&q={searchTerms}
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKCU..\Run: [AdobeBridge] File not found
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup.exe -- [2009/07/14 06:29:38 | 000,106,760 | R--- | M] (Microsoft Corporation)
[2012/05/30 18:28:35 | 000,000,000 | ---D | C] -- C:\Users\Karen\AppData\Local\blekkotb_031
[2012/05/25 16:07:08 | 000,041,952 | -HS- | M] () -- C:\Users\Karen\AppData\Local\dplayx.dll
:Files
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
-
Hi Jeff,
Ok I did what you said but in the middle of the OTL scan my whole computer froze up. So I had to hard-shutdown, then problems began after that. Windows wouldn't load at all. Then I went in with Safe Mode and restored my registry that I had backed up with ERUNT. Then still Windows wouldn't load. So now I am back in with Safe mode not sure what to do next.
So I ran another OTL scan for you, without checkmarking those Purity etc, and log is attached.
I will try rebooting again to see if Windows will load now.
(I have rebooted a few times, it keeps getting hung up on the "Welcome" with the circle spinning.. so then I have to hard-shutdown and then boot up in Safe mode).
Help! :(
Thank you,
Karen
-
Hi,
Lets try something new...
FRST
Download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
- Restart the computer.
- As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
- Use the arrow keys to select the Repair your computer menu item.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account an click Next.
To enter System Recovery Options by using Windows installation disc:
- Insert the installation disc.
- Restart your computer.
- If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
- Click Repair your computer.
- Select US as the keyboard language settings, and then click Next.
- Select the operating system you want to repair, and then click Next.
- Select your user account and click Next.
On the System Recovery Options menu you will get the following options:Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[/list]
- Select Command Prompt
- In the command window type in notepad and press Enter.
- The notepad opens. Under File menu select Open.
- Select "Computer" and find your flash drive letter and close the notepad.
- In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run.
- When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
-
Hi Jeff,
Attached the FRST64 log because it's too large to copy and paste here.
Still in safe mode just waiting to hear what to do next.
Thank you,
Karen
-
Hi Jeff,
I hope everything is okay, I haven't heard from you today. I'm debating whether or not it's come time to have to reformat and reinstall Windows. I hope not though :(
Eagerly awaiting your reply!
Karen
-
Hi Karen,
Sorry for any delay...I have had a pretty busy day and haven't been on much, but I am looking over your logs to see what I can find. :)
-
Thank you Jeff, I truly appreciate everything you have been doing to help.
I'm heading to bed now but will check first thing in the morning.
Thanks again,
Karen
-
Hi,
I need some information on some unidentified files. We will use Virustotal Please submit these files for analysis
To submit a file to virustotal, please click VirusTotal (https://www.virustotal.com/)
Press Choose File and then browse to the following file: (one at a time if more than one file is listed)
C:\Users\Karen\AppData\Roaming\Microsoft\service.exe
Once you locate the file select it and press Open now press Scan it!.
Now Copy/Paste the link to the results showing in the web browser bar to your next reply so that I can take a look at the results.
Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------
-
Hi Jeff,
No such file exists.. I do not have a Microsoft subfolder beneath my Roaming folder:
C:\Users\Karen\AppData\Roaming\Microsoft\service.exe
Thanks,
Karen
Hi,
I need some information on some unidentified files. We will use Virustotal Please submit these files for analysis
To submit a file to virustotal, please click VirusTotal (https://www.virustotal.com/)
Press Choose File and then browse to the following file: (one at a time if more than one file is listed)
C:\Users\Karen\AppData\Roaming\Microsoft\service.exe
Once you locate the file select it and press Open now press Scan it!.
Now Copy/Paste the link to the results showing in the web browser bar to your next reply so that I can take a look at the results.
Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------
-
Hi,
Let's make sure it isn't hidden first...
Click on Control Panel
Click on Folder Options
Click on View Tab
Check:
Show hidden files,folders, or drives, press OK
======================================================
***NOTE: Be sure to re-hide hidden files and folders when mission is accomplished!
Did you find the file now?
-
Hi Jeff,
I had already enabled that in order to even see my AppData folder in the first place. But now I went back to the Folder Options in CP to look at the other view options, and also unchecked "Hide protected operating system files". Once I UNchecked that, I was then able to see the Microsoft subfolder. But still I do NOT see service.exe file at all.
Thanks,
Karen
Hi,
Let's make sure it isn't hidden first...
Click on Control Panel
Click on Folder Options
Click on View Tab
Check:
Show hidden files,folders, or drives, press OK
======================================================
***NOTE: Be sure to re-hide hidden files and folders when mission is accomplished!
Did you find the file now?
-
Hi,
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
- Right-click and Run as Administrator SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:dir
C:\Users\Karen\AppData\Local\blekkotb_031 /s
:file
C:\Users\Karen\AppData\Local\dplayx.dll
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
-
Hi Jeff,
The output is too large for the message, file is attached.
Thank you,
Karen
-
Hi,
Run ERUNT and backup your registry and then do the following...
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BE E7 C6 76 C7 3E CD 01 [binary data]
O1 - Hosts: 93.113.196.146 www.google.com
O1 - Hosts: 93.113.196.147 www.bing.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 142.177.2.130
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{2B15D14A-DAAC-4F68-9E5A-BA9E9720EF97}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F45D678C-713E-4E22-87A4-D16C5C1DEE98}: DhcpNameServer = 192.168.2.1 142.177.2.130
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup.exe -- [2009/07/14 06:29:38 | 000,106,760 | R--- | M] (Microsoft Corporation)
:Files
[2012/05/30 18:28:35 | 000,000,000 | ---D | C] -- C:\Users\Karen\AppData\Local\blekkotb_031
[2012/05/25 16:07:08 | 000,041,952 | -HS- | M] () -- C:\Users\Karen\AppData\Local\dplayx.dll
ipconfig /flushdns /c
:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
-
All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache_TIMESTAMP| /E : value set successfully!
93.113.196.146 www.google.com removed from HOSTS file successfully
93.113.196.147 www.bing.com removed from HOSTS file successfully
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\\DhcpNameServer| /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2B15D14A-DAAC-4F68-9E5A-BA9E9720EF97}\\DhcpNameServer| /E : value set successfully!
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F45D678C-713E-4E22-87A4-D16C5C1DEE98}\\DhcpNameServer| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\ not found.
File D:\setup.exe not found.
========== FILES ==========
Invalid Switch: 30 18:28:35 | 000,000,000 | ---D | C] -- C:\Users\Karen\AppData\Local\blekkotb_031
Invalid Switch: 25 16:07:08 | 000,041,952 | -HS- | M] () -- C:\Users\Karen\AppData\Local\dplayx.dll
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Karen\Downloads\cmd.bat deleted successfully.
C:\Users\Karen\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Karen
->Temp folder emptied: 1070189 bytes
->Temporary Internet Files folder emptied: 4612970 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 382081169 bytes
->Flash cache emptied: 4567 bytes
User: Public
User: User
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 65015 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 77100387 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 3565 bytes
Total Files Cleaned = 443.00 mb
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
OTL by OldTimer - Version 3.2.44.0 log created on 06052012_155213
Files\Folders moved on Reboot...
File move failed. C:\Users\Karen\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
C:\Users\Karen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O59STKD8\virustotal_com[1].htm moved successfully.
Registry entries deleted on Reboot...
-
Hi Jeff,
Reply above is the first output from OTL. My PC rebooted but still was hanging at "Welcome" so I had to hard shutdown again and reboot in safe mode w/ Networking. Then I ran OTL again as instructed and attached is that log.
I really hope I can reboot in normal mode at some point, starting to get a bit nervous...
Thank you,
Karen
-
Hi,
I understand how you can be nervous...I have been in your shoes before and know how you feel. Try not to worry. :)
Run ERUNT again to back up your registry and then do the following...
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
:Services
:Files
C:\Users\Karen\AppData\Local\blekkotb_031
C:\Users\Karen\AppData\Local\dplayx.dll
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]- Then click the Run Fix button at the top
- Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
- Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
-
All processes killed
========== SERVICES/DRIVERS ==========
========== FILES ==========
C:\Users\Karen\AppData\Local\blekkotb_031\data folder moved successfully.
C:\Users\Karen\AppData\Local\blekkotb_031 folder moved successfully.
C:\Users\Karen\AppData\Local\dplayx.dll moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Karen
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 11091798 bytes
->Flash cache emptied: 343 bytes
User: Public
User: User
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 2937718 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 753 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 2908034 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 16.00 mb
OTL by OldTimer - Version 3.2.44.0 log created on 06052012_162237
Files\Folders moved on Reboot...
File move failed. C:\Users\Karen\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
Registry entries deleted on Reboot...
-
Ok..... any popups?
-
Popups? No... (posting this with my Mac).
I'm running the 2nd OTL scan now .. should be done soon...
What did you expect to pop up?
(OR are you talking about the Avast popup for malicious url?) I'm in safe mode again, and not using my PC, so no.. no popups right now.
-
Here is the 2nd OTL log attached
And actually I left it "hanging" on the "Welcome" screen on this reboot and it actually booted 'normally' to Windows. The thing is, everything was *extremely* slow and I had to hard-shutdown again and reboot into safe mode w/ Networking.
Thanks
Karen
-
Hi,
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt
HKLM\...\Run: [napsn] rundll32.exe "C:\Users\Karen\AppData\Local\Temp\napsn.dll",SteamAPI_Init
HKU\Karen\...\Run: [WinRemote] C:\Users\Karen\AppData\Roaming\Roaming\Microsoft\Protect\csrs
HKU\Karen\...\Run: [WinHoster] C:\Users\Karen\AppData\Roaming\Microsoft\service.exe
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system[/color]
On Vista or Windows 7: Now please enter System Recovery Options.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please attach it to your reply.
-
Hi Jeff,
Here you go, fix log attached (and also copied and pasted here for convenience):
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 03-06-2012
Ran by SYSTEM at 2012-06-05 20:53:11 Run:1
Running from F:\
==============================================
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\napsn Value deleted successfully.
HKEY_USERS\Karen\Software\Microsoft\Windows\CurrentVersion\Run\\WinRemote Value deleted successfully.
HKEY_USERS\Karen\Software\Microsoft\Windows\CurrentVersion\Run\\WinHoster Value deleted successfully.
==== End of Fixlog ====
Thank you!
Karen
-
Hi,
Good job getting that ran. How is your system behaving?
-
Hi Jeff,
Well ... not good, because I'm still in safe mode. :(
Avast hasn't even been running.. I'll start it up now.
(EDIT)
Just started up Avast and it says Manual scans available in safe mode but real time protection is not. So I cannot even test whether or not this malicious url issue has gone away, because I'm still in safe mode.
Thank you,
Karen
-
If you are able to boot into normal mode do so ?
As that is the only way you can effectively test how your system is running.
-
If you are able to boot into normal mode do so ?
As that is the only way you can effectively test how your system is running.
Hi David,
Just tried booting to normal mode and it just hangs at the "Welcome" screen. Had to hard-shutdown again and reboot in safe mode w/ networking.
I understand what you are saying but isn't it more critical that we figure out why my system won't run in anything but safe mode first? I mean, in my eyes, that is what is important because something I've done in these actions the last few days has caused my pc to no longer function properly.
Thank you,
Karen
-
Yes it is critical that you can't run in normal mode, but as Jeff had asked how your system is running, essentially that is for normal mode. I think it was hoped that after the previous fix it may have had a positive effect.
Clearly there is more work to be done to see if a resolution can be found, however, I will have to leave that to Jeff.
Hopefully he will be able to get back to the topic soon.
-
Hi,
Sorry for your distress. So you understand what we are dealing with I will try to explain it for you. With the amount of unauthorized software you had on your computer there was a lot to remove, but when you gave me the first ESET scan I found what were thought to be traces of the ZeroAccess Rootkit; unfortunately, what I have now found is that it actually is a new variant of the ZeroAccess Rootkit. That is the reason we are having such a hard time with this. I do appreciate your patience with this though. Please read the following...
**WARNING**Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identify theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.
Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.
I assure you I will return as quickly as I can. :)
-
Hi,
Hopefully you read my previous post... :)
Please delete the current version of Combofix.exe from your desktop and download a new version from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
Disable your AntiVirus and AntiSpyware applications.
Right-click and Run as Administrator on the Combofix.exe and follow the prombts on your display. When finish, it will create a C:\Combofix.txt. Please post this log for further review.
---------
-
Well holy crap... this is way worse than I realized. Question though.. I use LastPass to store all my passwords (online banking etc), is that BAD or GOOD?? At least I *think* in this case must be GOOD since that means those passwords are not stored anywhere on my PC. I will definitely change my LastPass password right away though. Is it really necessary to contact my bank? I'm just concerned what kind of "LOCK DOWN" do they do if you tell them you could be a victim of identify theft?
And Jeff definitely NO need for you to apologize, I am truly forever grateful for ALL of your hard work in trying to help me, please, continue to do so and I will try to do everything you ask me to.
Going to run the combo thing will reply again shortly.
Thank you,
Karen
Hi,
Sorry for your distress. So you understand what we are dealing with I will try to explain it for you. With the amount of unauthorized software you had on your computer there was a lot to remove, but when you gave me the first ESET scan I found what were thought to be traces of the ZeroAccess Rootkit; unfortunately, what I have now found is that it actually is a new variant of the ZeroAccess Rootkit. That is the reason we are having such a hard time with this. I do appreciate your patience with this though. Please read the following...
**WARNING**Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identify theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.
Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.
I assure you I will return as quickly as I can. :)
-
Wow got some interesting stuff for you now Jeff...
When I ran ComboFix the other day, I remember telling you it does not create the file c:\ComboFix.txt. In fact it creates a new folder on my C drive. It did the same thing today. The WEIRD thing is when you click on that folder, it shows your PC contents AGAIN (all your drives etc - see images combo1.jpg, combo2.jpg and combo3.jpg). I also went into cmd to see if I could see this strange numerical folder and you CANNOT. This proven if you look at the directory contents I saved in out.txt.
I also right-clicked on this numerical folder and chose Properties, see image combo4.jpg.
So I decided to right-click on the folder itself and choose copy, and I pasted it onto my desktop (so copied from c:\ to desktop). What I found in the folder at that point was a TON of files that I have NO clue where they came from. So I took a directory listing and the contents are listed in out2.txt. I think you might find this out2.txt very interesting!
(Might have to attach some of this on another reply)
Thank you,
Karen
Hi,
Hopefully you read my previous post... :)
Please delete the current version of Combofix.exe from your desktop and download a new version from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
Disable your AntiVirus and AntiSpyware applications.
Right-click and Run as Administrator on the Combofix.exe and follow the prombts on your display. When finish, it will create a C:\Combofix.txt. Please post this log for further review.
---------
-
Posting the out.txt and the out2.txt
-
Hi Jeff,
Please see my 3 replies above (had some questions up there) plus do you think it would make sense to run something such as free McAfee Labs tool RootkitRemover?
Thank you,
Karen
-
Hi,
Well holy crap... this is way worse than I realized. Question though.. I use LastPass to store all my passwords (online banking etc), is that BAD or GOOD?? At least I *think* in this case must be GOOD since that means those passwords are not stored anywhere on my PC.
This may be ok.....but I would go to a completely different computer again and change all passwords just to be on the safe side. As for contacting your bank, it is only a recommendation...but I would keep a close eye on all financial operations and statements that you ever used that computer for. If you find something out of the ordinary I would call my bank for sure.
Please see my 3 replies above (had some questions up there) plus do you think it would make sense to run something such as free McAfee Labs tool RootkitRemover?
No....don't do anything yet. Let me look over what is happening. Just so you know....you may want to begin copying everything that you might like to keep such as personal files, pictures, music, pdf files that you created.... I have seen this variant wreak havoc and the only fix may be a reinstall....the positive about that is you will be certain that the infection is gone though.
-
Hi Jeff,
Ok will work on updating passwords for sure from my Mac. Also, will start saving off more files (already saved off most important ones to external drive).
But is my external drive at risk? It's been connected to my pc forever.
Also, I have a Dell pc that has windows pre-installed on it, and the CD I have is called "Reinstallation DVD Windows 7 Home Premium 64 bit" <--- will that be sufficient to wipe my computer and fully reinstall Win7? I'm assuming the stick on the back of the paper case of the cd is what contains my key necessary to activate windows?
Thank you,
Karen
-
Hi,
But is my external drive at risk? It's been connected to my pc forever.
I can only assume that you only use it to save personal files and such...if that is the case you should be fine and I haven't seen any instances of this infection jumping to external hard drives.
I have is called "Reinstallation DVD Windows 7 Home Premium 64 bit" <--- will that be sufficient to wipe my computer and fully reinstall Win7? I'm assuming the stick on the back of the paper case of the cd is what contains my key necessary to activate windows?
Yes that should be fine.
I am going to scour the logs again and see about the best path to proceed if you choose not to format/reinstall. If you decide to reinstall let me know though LOL!! :D
-
I'm going to work on going through all my files, photos etc and backing them up and also writing down all of my software I will want to reinstall and then decide if I have to reinstall. If I decide to reinstall windows that means I will be formatting my pc then installing whole version of windows yes? Will you be able to help me through that if I have questions etc? (I can communicate still with my Mac).
Thanks
Karen
-
Hi,
If I decide to reinstall windows that means I will be formatting my pc then installing whole version of windows yes? Will you be able to help me through that if I have questions etc?
Yes it means you will be formatting your entire PC if you decide to do it. Honestly I am not the best at providing instructions for doing a complete reinstall but if you want I can give you the link to a great step by step instuctional on how to do it?
-
Hi,
If I decide to reinstall windows that means I will be formatting my pc then installing whole version of windows yes? Will you be able to help me through that if I have questions etc?
Yes it means you will be formatting your entire PC if you decide to do it. Honestly I am not the best at providing instructions for doing a complete reinstall but if you want I can give you the link to a great step by step instuctional on how to do it?
Can I see that link? I'm worried that even formatting my pc won't get rid of all of the malware though. Can't some get themselves into the cmos or bootstrap or whatever that is called?
-
If you decide to do a format it will remove everything.
Here is the link >> http://howtoformatacomputer.com/format-windows-7
-
If you decide to do a format it will remove everything.
Here is the link >> http://howtoformatacomputer.com/format-windows-7
Ok Jeff I will reinstall and format.. I think this has gotten really complicated and if I ever really want to be sure my computer is clean I think I have to format.
I will check in with you on this thread once that is all done and Avast is back up and running and hopefully things will be great then :)
Thank you again for all of your help
Karen
-
You are more than welcome. For what it is worth...that is exactly what I would have done as well. :)
-
I am having the same exact problem since reinstalling Avast. I had it, I switched to McaFee to try it out and had nothing but problems. Now I am back with Avast and Avast doesn't like something it found on my PC. I have installed and run Malwarebytes. It found issues and corrected them. I then ran a full system scan with Avast, and it found issues. After fixing them and rebooting, the boot scan also found issues and I moved them to the sandbox. Now when I run scans nothing is found, but I still get the popup "Malicious URL blocked." Before I try anything else, I thought I would post here.
-
You should create your own new topic here http://forum.avast.com/index.php?board=4.0 click the 'new topic' button at the top of the listings:
- This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 (http://forum.avast.com/index.php?topic=53253.0) for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and start your own new topic and attach the logs there, not in the LOGS topic.
-
Ok David thank you
-
Ok I have tried to post the requested files, but I have overshot the character limit of 10000. I even tried to break my post down into two seperate posts, but to no avail. Any help or suggestions would be appreciated.
-
You need to attach the logs...are you doing that or trying to copy/paste them into the reply?
-
I was trying to copy and paste, but I finally figured out how to attach them, so I have done so. Thank you
-
Ok David thank you
You're welcome.