Topic: Attached Logs from "Logs to assist in cleaning malware "


silverdollar

  • Guest
Attached Logs from "Logs to assist in cleaning malware "
« on: November 10, 2012, 09:41:04 PM »
I keep getting the Malicious URL popup and one Trojan Horse popup.

Followed the instructions under "Logs to assist in cleaning malware "

Have attached logs....

Please Help,

Thanks,
silverdollar

silverdollar

Re: Attached Logs from "Logs to assist in cleaning malware "
« Reply #1 on: November 10, 2012, 09:46:04 PM »
last log attached now

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Attached Logs from "Logs to assist in cleaning malware "
« Reply #2 on: November 10, 2012, 09:53:27 PM »
Hi, let's see if we can stop it.


Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
IE - HKLM\..\SearchScopes\{993f1df9-4ef3-450c-bf9c-f312f7be85d0}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZKxdm740CWus&ptnrS=ZKxdm740CWus&ptb=DB8AEF95-920E-4A68-B888-ABD24B111587&ind=2012040610&n=77ed4da2&psa=&st=sb&searchfor={searchTerms}
IE - HKU\S-1-5-21-892843997-2974704452-3081278980-1000\..\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}: "URL" = playbryte/search/redirect/?type=default&user_id=9c9555a7-6b71-48ee-b048-3546e6ff1ea2&query={searchTerms}
O3 - HKU\S-1-5-21-892843997-2974704452-3081278980-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
[2012/11/10 13:23:59 | 000,020,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\svchost.exe

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports.
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.
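
The OTL fix above is a small script with its own syntax (":Section" headers, one entry per line), and before running one on a machine it is worth being able to read what it will touch. The following is an added example, not OTL's own code or anything from this thread's participants: OTL's parser is not public, so the line patterns below are assumptions reconstructed only from the entry formats visible in the posted fix. It lists the registry entries, files and commands the fix contains, and adds two checks a responder would want on this particular script: a well-known Windows binary sitting outside System32/SysWOW64 (the posted svchost.exe lives directly under C:\Windows, where the real one does not), and a search-scope "URL" with no scheme. The list of System32-only binaries is a short illustrative assumption, not an exhaustive one.

```python
"""Parse an OTL fix script and list what it would change (added example)."""
import ntpath
import re

# Copy of the fix script posted above.
FIX_SCRIPT = r"""
:OTL
IE - HKLM\..\SearchScopes\{993f1df9-4ef3-450c-bf9c-f312f7be85d0}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZKxdm740CWus&ptnrS=ZKxdm740CWus&ptb=DB8AEF95-920E-4A68-B888-ABD24B111587&ind=2012040610&n=77ed4da2&psa=&st=sb&searchfor={searchTerms}
IE - HKU\S-1-5-21-892843997-2974704452-3081278980-1000\..\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}: "URL" = playbryte/search/redirect/?type=default&user_id=9c9555a7-6b71-48ee-b048-3546e6ff1ea2&query={searchTerms}
O3 - HKU\S-1-5-21-892843997-2974704452-3081278980-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
[2012/11/10 13:23:59 | 000,020,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\svchost.exe

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
"""

# Assumed line formats, reconstructed from the entries visible above.
SECTION_RE = re.compile(r"^:(\w+)$")                          # :OTL, :Commands
FILE_RE = re.compile(                                           # [date | size | attrs | C] (Company) -- path
    r"^\[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[^|]+)\|\s*(?P<flag>\w)\]"
    r"\s*\((?P<company>[^)]*)\)\s*--\s*(?P<path>.+)$"
)
REG_RE = re.compile(r"^(?P<kind>IE|O\d+)\s+-\s+(?P<key>HK\S+?):\s+(?P<rest>.+)$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')  # "URL" = data
COMMAND_RE = re.compile(r"^\[(\w+)\]$")                         # [emptytemp]

# Assumption: a short list of binaries that only live under System32/SysWOW64.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
                 "winlogon.exe", "smss.exe"}
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def analyze(text):
    """Split the fix into sections and entries, flagging the two oddities above."""
    result = {"sections": [], "registry": [], "files": [], "commands": [],
              "flagged_files": [], "odd_search_urls": [], "unparsed": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = line
            result["sections"].append(section)
            continue
        if section == ":Commands":
            m = COMMAND_RE.match(line)
            (result["commands"] if m else result["unparsed"]).append(m.group(1) if m else line)
            continue
        m = FILE_RE.match(line)
        if m:
            entry = {k: v.strip() for k, v in m.groupdict().items()}
            entry["size"] = int(entry["size"].replace(",", ""))
            result["files"].append(entry)
            name = ntpath.basename(entry["path"]).lower()
            folder = ntpath.dirname(entry["path"]).lower()
            if name in SYSTEM32_ONLY and folder not in EXPECTED_DIRS:
                result["flagged_files"].append(entry["path"])   # system name, wrong folder
            continue
        m = REG_RE.match(line)
        if m:
            entry = m.groupdict()
            v = VALUE_RE.match(entry["rest"])
            if v:
                entry["value"], entry["data"] = v.group("name"), v.group("data")
                if entry["value"] == "URL" and "://" not in entry["data"]:
                    result["odd_search_urls"].append(entry["data"])  # no scheme at all
            result["registry"].append(entry)
            continue
        result["unparsed"].append(line)
    return result


if __name__ == "__main__":
    report = analyze(FIX_SCRIPT)
    for key in ("sections", "registry", "files", "commands", "flagged_files", "odd_search_urls", "unparsed"):
        print(f"{key}: {report[key]}")
```

Run as-is it prints the three registry entries, the one file entry, the four commands, `C:\Windows\svchost.exe` under flagged_files and the schemeless playbryte URL under odd_search_urls, which is exactly the reasoning behind the fix: the two search scopes and the toolbar are hijack leftovers, and the mis-placed svchost.exe is the part worth a second look.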

silverdollar

Re: Attached Logs from "Logs to assist in cleaning malware "
« Reply #3 on: November 10, 2012, 11:33:37 PM »
Okay, here we go...

Report pasted, Log attached.

16:21:26.0124 1116  TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
16:21:26.0872 1116  ============================================================
16:21:26.0872 1116  Current date / time: 2012/11/10 16:21:26.0872
16:21:26.0872 1116  SystemInfo:
16:21:26.0872 1116 
16:21:26.0872 1116  OS Version: 6.1.7601 ServicePack: 1.0
16:21:26.0872 1116  Product type: Workstation
16:21:26.0872 1116  ComputerName: SILVERDOLLAR-PC
16:21:26.0872 1116  UserName: Silver Dollar
16:21:26.0872 1116  Windows directory: C:\Windows
16:21:26.0872 1116  System windows directory: C:\Windows
16:21:26.0872 1116  Running under WOW64
16:21:26.0872 1116  Processor architecture: Intel x64
16:21:26.0872 1116  Number of processors: 4
16:21:26.0872 1116  Page size: 0x1000
16:21:26.0872 1116  Boot type: Normal boot
16:21:26.0872 1116  ============================================================
16:21:29.0821 1116  BG loaded
16:21:33.0222 1116  Drive \Device\Harddisk0\DR0 - Size: 0x3A38800000 (232.88 Gb), SectorSize: 0x200, Cylinders: 0x76C0, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
16:21:33.0237 1116  ============================================================
16:21:33.0237 1116  \Device\Harddisk0\DR0:
16:21:33.0237 1116  MBR partitions:
16:21:33.0237 1116  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x178000
16:21:33.0237 1116  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x18C000, BlocksNum 0x1D036000
16:21:33.0237 1116  ============================================================
16:21:33.0346 1116  C: <-> \Device\Harddisk0\DR0\Partition2
16:21:33.0346 1116  ============================================================
16:21:33.0346 1116  Initialize success
16:21:33.0346 1116  ============================================================

Offline essexboy

Re: Attached Logs from "Logs to assist in cleaning malware "
« Reply #4 on: November 10, 2012, 11:35:24 PM »
There should be a log at C:\TDSSKiller date time.
Could you attach that?

Are you still getting the alerts?

silverdollar

Re: Attached Logs from "Logs to assist in cleaning malware "
« Reply #5 on: November 11, 2012, 12:03:21 AM »
Can't seem to attach anything under that File...


C:\TDSSKiller_Quarantine\10.11.2012_16.14.21\mbr0000

Is that the right place? Files in there are called "object" but won't attach.

Opened one and it says this:
[InfectedObject]
Verdict: Rootkit.Boot.Pihar.c



No alerts so far..  Things seem to be working faster....

Do I leave the programs I downloaded on the computer or delete?

silverdollar

Re: Attached Logs from "Logs to assist in cleaning malware "
« Reply #6 on: November 11, 2012, 12:04:58 AM »
Wait, found it.

silverdollar

Re: Attached Logs from "Logs to assist in cleaning malware "
« Reply #7 on: November 11, 2012, 12:07:05 AM »
Again.

Offline essexboy

Re: Attached Logs from "Logs to assist in cleaning malware "
« Reply #8 on: November 11, 2012, 12:13:49 AM »
Quote: "Scan interrupted by user!"
Did you let it run all the way through?

silverdollar

Re: Attached Logs from "Logs to assist in cleaning malware "
« Reply #9 on: November 11, 2012, 12:22:04 AM »
I thought so - should I rescan?

silverdollar

Re: Attached Logs from "Logs to assist in cleaning malware "
« Reply #10 on: November 11, 2012, 12:27:30 AM »
Here you go:

I think this is the original log....

Sorry!


Offline essexboy

Re: Attached Logs from "Logs to assist in cleaning malware "
« Reply #11 on: November 11, 2012, 01:22:05 PM »
OK, that now looks more like it.

Re-run TDSSKiller with the original parameters
When this element appears, select Delete:

\Device\Harddisk0\DR0 ( TDSS File System )

Avast will alert whilst the files are being moved

Once done let me know how the computer is behaving

silverdollar

Re: Attached Logs from "Logs to assist in cleaning malware "
« Reply #12 on: November 11, 2012, 08:03:28 PM »
Okay, just got to the computer today - the popups were back again.
Just did the scan and deleted.
Seems okay for now...

Will do some surfing...

silverdollar

Re: Attached Logs from "Logs to assist in cleaning malware "
« Reply #13 on: November 11, 2012, 08:23:14 PM »
While I've got you on the hook - do you have any idea how to get rid of this email pop up...? (attached screenshot).
It started happening about the same time all of the other stuff started...
I send out bulk emails from a software program for my business and now have to do them individually, due to having to click pop up on each one.
Used to work fine.  Same program, nothing changed.

Understand if it's not your forte, or I need to start a new topic. 

Just thought I'd ask...

Thanks!



Offline essexboy

Re: Attached Logs from "Logs to assist in cleaning malware "
« Reply #14 on: November 11, 2012, 10:35:05 PM »
Hmm, not overly sure about that as it is not something I have ever done. But I will look around.

Have the alerts now ceased? What was the last one that you got?