Topic: What happens next: "Access to website blocked" message


BastianS

  • Guest
Re: What happens next: "Access to website blocked" message
« Reply #15 on: March 26, 2013, 05:54:03 PM »
As I said before: the OTL program will not start in normal mode. So I can't run an OTL scan in normal mode.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: What happens next: "Access to website blocked" message
« Reply #16 on: March 26, 2013, 07:31:55 PM »
So even after the removal OTL will not run in normal mode?

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply as well as describe how your computer is running now

BastianS

Re: What happens next: "Access to website blocked" message
« Reply #17 on: March 26, 2013, 08:16:41 PM »
Attached the ComboFix.txt.
I also couldn't start the program in normal mode. So I have to start it (as every time) in safe mode.

And 'yes' to your question; even after the "removal" OTL will not run in normal mode. It starts for a very short time (approx. 1 sec) and then it closes. This was the same with ComboFix.

Offline essexboy

Re: What happens next: "Access to website blocked" message
« Reply #18 on: March 26, 2013, 08:46:47 PM »
On completion of this run could you try normal mode again please

1. Close any open browsers.
 
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 
 
3. Open notepad and copy/paste the text in the quotebox below into it:
 
Quote

FCopy::

File::
c:\users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\e459e.js

Folder::
c:\users\Momo\AppData\Roaming\ae0d
C:\af87
c:\program files\b105

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b81bb"=-
Driver::
 

 
Save this as CFScript.txt, in the same location as ComboFix.exe
 
Referring to the picture above, drag CFScript into ComboFix.exe
 
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

BastianS

Re: What happens next: "Access to website blocked" message
« Reply #19 on: March 26, 2013, 08:57:01 PM »
I tried normal mode.
Referring to the picture, I dragged CFScript into ComboFix.exe.
For a short time I've seen the red and the blue load bar. Then it closes and that's it.
What should I do now?

Offline essexboy

Re: What happens next: "Access to website blocked" message
« Reply #20 on: March 26, 2013, 09:55:30 PM »
Could you retry the combofix CFScript please

BastianS

Re: What happens next: "Access to website blocked" message
« Reply #21 on: March 27, 2013, 06:20:40 PM »
I tried it again in normal mode with same result as before.
So I restarted it the third time in safe mode.
The log you see attached.

What do you think; how close are we to it?

Offline essexboy

Re: What happens next: "Access to website blocked" message
« Reply #22 on: March 27, 2013, 07:09:27 PM »
Still the two to remove from the startup folder

These are very stubborn and difficult to kill

Once combofix has run again could you check the two locations to ensure that they have gone

1. Close any open browsers.
 
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 
 
3. Open notepad and copy/paste the text in the quotebox below into it:
 
Quote

File::
c:\users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ea59.js
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ea59.js
 

 
Save this as CFScript.txt, in the same location as ComboFix.exe
 
Referring to the picture above, drag CFScript into ComboFix.exe
 
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

BastianS

Re: What happens next: "Access to website blocked" message
« Reply #23 on: March 28, 2013, 06:39:04 AM »
And again: wasn't able to start in normal mode... so I made the run in safe mode.
Attached the ComboFixCFSript_1.txt

I've checked the locations with the result that both startup folders don't exist.

There is something new: After a restart it can be that I get an error message (4-5 times). I've attached a picture.
I'm not sure if it is important, because clicking on it will close the window. It comes back 4-5 times, but after that it remains closed.

Offline essexboy

Re: What happens next: "Access to website blocked" message
« Reply #24 on: March 28, 2013, 03:42:40 PM »
OK the malware is renaming itself at every boot

Once this OTL run has completed it will not reboot
Could you keep the system running and do a fresh OTL scan
If possible do not reboot again until I have done a further check
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:processes
killallprocesses

:Reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b81bb"=-

:Files
c:\users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec5.js
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ec5.js
C:\af87
c:\users\Momo\AppData\Roaming\ae0d
c:\program files\b105

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
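
The observation in Reply #24, that the startup script comes back under a new name at every boot, can be confirmed from Startup-folder listings taken on successive boots. This is an added example, not part of the thread or of any tool mentioned in it; the snapshot lists are constructed from the file names quoted in the posts above, and the "short hex name plus script extension" heuristic is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: one Startup-folder listing per boot, built from the
# file names quoted in the thread plus a benign desktop.ini in each folder.
USER = r"c:\users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
ALL = r"c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup"
SNAPSHOTS = [[f"{d}\\{n}" for d in (USER, ALL) for n in (name, "desktop.ini")]
             for name in ("e459e.js", "ea59.js", "ec5.js")]

STARTUP_TAIL = ("start menu", "programs", "startup")
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}   # Windows Script Host types
HEX_STEM = re.compile(r"^[0-9a-f]{3,8}$")                # assumption: short hex name

def is_suspect(path):
    """True for a script with a short hex name sitting directly in a Startup folder."""
    p = PureWindowsPath(path)
    tail = tuple(part.lower() for part in p.parent.parts[-3:])
    return (tail == STARTUP_TAIL
            and p.suffix.lower() in SCRIPT_EXTS
            and HEX_STEM.match(p.stem.lower()) is not None)

def suspects(snapshot):
    """Map each Startup folder to the set of suspect file names seen in one boot."""
    found = {}
    for path in snapshot:
        if is_suspect(path):
            p = PureWindowsPath(path)
            found.setdefault(str(p.parent).lower(), set()).add(p.name.lower())
    return found

def renaming_folders(snapshots):
    """Folders with a suspect script on every boot that never reuses a name."""
    if len(snapshots) < 2:          # one listing cannot show a rename
        return {}
    per_boot = [suspects(s) for s in snapshots]
    result = {}
    for folder in set.intersection(*(set(b) for b in per_boot)):
        names = [n for boot in per_boot for n in sorted(boot[folder])]
        if len(set(names)) == len(names):
            result[folder] = names
    return result

if __name__ == "__main__":
    for folder, names in sorted(renaming_folders(SNAPSHOTS).items()):
        print(folder, "->", ", ".join(names))
```

A folder reported here means a fix script that names one fixed file will miss the file after the next reboot, which is why the later replies ask to avoid rebooting between the scan and the fix.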

BastianS

Re: What happens next: "Access to website blocked" message
« Reply #25 on: March 28, 2013, 03:59:56 PM »
No, this is not possible.
Because OTL will not run in normal mode!
I can start it in safe mode, but I have no internet connection and can't upload the log.
What now?

Offline essexboy

Re: What happens next: "Access to website blocked" message
« Reply #26 on: March 28, 2013, 04:05:17 PM »
OK this will need a little renaming work on your part

Reboot to safe mode
Ensure that the files/folders names are exactly as the ones below, renaming if necessary

c:\users\Momo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ec5.js
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ec5.js
C:\af87
c:\users\Momo\AppData\Roaming\ae0d
c:\program files\b105


Once that is done then run the OTL fix

On completion of the fix confirm that those files/folders are no longer showing

BastianS

Re: What happens next: "Access to website blocked" message
« Reply #27 on: March 28, 2013, 04:33:46 PM »
Stupid question:
What if the first two folders don't exist?
I mean the two "Startup" folders. So I can't say if there is an ec5.js file.

Offline essexboy

Re: What happens next: "Access to website blocked" message
« Reply #28 on: March 28, 2013, 04:49:07 PM »
OK leave those in there and let's see how it runs

Had the folders changed names?

BastianS

Re: What happens next: "Access to website blocked" message
« Reply #29 on: March 28, 2013, 04:53:35 PM »
Ok. I will start the OTL.
No, the folders had the same name.