Malicious URL Blocked

[kenpal]

i manage to disable smartscreen and run the first option as instructed please see attached log. Thank you

[essexboy]

Download the attached Fixlist.txt to the same USB as FRST
Start FRST as previously and press the Fix button
Once done reboot to normal windows and try OTL again

[kenpal]

The problem is now on my other computer it seems as if it went in the usb. i tried running OTL it started went for a while the it went away.

[essexboy]

OK first we will clear the USB
Then we will finish one system and move on to the next

Download McShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

Plug in the drive and McShield will start a scan

Then get the log which will be here :

Start > all programs > MCShield > logs > all scans

And post that

Then run the OTL for a fresh scan

[kenpal]

please see attached scan result. Thank you very much

[essexboy]

OK the USB had malware on it, that was probably where the infection came from

How is the first computer now, before we look at the second

[kenpal]

The first computer is behaving the same once the internet is plug in avast repeatedly shows:

Malicious Url Blocked
Object: http://jsh37.net/a/
Infection: URL:Mal
Process: C:\Windows\System32\WScript.exe

The /a/ changes to other letters whenever a new prompt pops up

[essexboy]

Could I have a fresh OTL on that system please .. Ensure that all users is selected

[kenpal]

i just ran OTL in safe mode i select all user. what should i do now

[essexboy]

Could you attach the log please

[kenpal]

Ok is the USB drive ok now

[essexboy]

As McShield is now running then yes

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
O4 - HKU\S-1-5-21-100095423-2583221451-3842027763-1000..\Run: [8e858] C:\Users\Kenneth Palmer\AppData\Roaming\989\8e858.js ()
O4 - Startup: C:\Users\Kenneth Palmer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ddc.js ()
[2013/03/23 13:59:28 | 000,000,000 | -HSD | C] -- C:\990
[2013/03/23 13:59:28 | 000,000,000 | -HSD | C] -- C:\Users\Kenneth Palmer\AppData\Roaming\989


:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[kenpal]

please the following logs

[essexboy]

Lets try and kill that last registry entry .. How is the computer behaving now ?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  

Code: [Select]

:OTL
O4 - Startup: C:\Users\Kenneth Palmer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d3c.js ()

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

[kenpal]

good morning this is a hard one to beat computer behaving the same i notice when i reboot a window comes up saying something about compressing but it goes off quickly. please see logs thank you again!