Author Topic: Malicious url blocked  (Read 16725 times)


theullrich

  • Guest
Malicious url blocked
« on: July 04, 2013, 08:07:17 PM »
Recently started getting
'malicious url blocked', all from
hxtp://vjlvchretllifcsgynuq.com

Looks like the same problem found here:
hxtp://forum.avast.com/index.php?topic=125804.0

Other things I have noticed:
Windows Defender was deleted,
and I can't download anything in any browser (Firefox, Chrome, IE).
I have been uploading things to Dropbox from my phone and accessing them on my computer. There are 2 AdwCleaner reports. The first is from when I recently removed some small adware.

Thanks in advance for any help.
« Last Edit: July 06, 2013, 01:46:32 AM by theullrich »

theullrich

  • Guest
Re: Malicious url blocked
« Reply #1 on: July 04, 2013, 08:08:27 PM »
The last attachments.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Malicious url blocked
« Reply #2 on: July 04, 2013, 08:14:08 PM »
Hi theullrich ;)

----      ----      ----      ----      ----      ----     

Re-run AdwCleaner;
  • Click on [Delete]. Wait for the program to complete its work.
    The program will close all active programs. Click OK to confirm that.
    On the next two windows that open (Information and Restart required) click OK.

  • The computer will restart and open a notepad (C:\AdwCleaner[S1].txt) with the report.
  • Save the notepad report on the Desktop.
  • Please attach here C:\AdwCleaner[S1].txt
----      ----      ----      ----      ----      ----     

> Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this, please read this or this instruction.

How to disable avast:

  • Right-click on the avast! icon in the lower right corner of the screen and choose Open avast! User Interface.
  • In the window that opens, in the top right corner, click Settings.
  • In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.

  • Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn this option back on after the cleaning.

> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If the Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install the Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart the computer once more.

> When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
  Attach the log report (ComboFix.txt) back to the topic.

theullrich

  • Guest
Re: Malicious url blocked
« Reply #3 on: July 06, 2013, 12:46:02 AM »
Here are the S files from AdwCleaner.

ComboFix ran all day and nothing happened. I finally restarted my computer after it froze for about 30 min. Now it is running again, but it has been running for an hour already.
This is the last thing that displays:

"ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient."

magna86
Re: Malicious url blocked
« Reply #4 on: July 06, 2013, 12:51:50 AM »
Please delete Combofix.exe (drag & drop it into the Recycle Bin) and download a fresh copy of Combofix.

Please try again to run the tool. Don't wait all day; if you see that CF doesn't run, reboot your computer and retry it from safe mode.
I really need to see the Combofix log.

theullrich
Re: Malicious url blocked
« Reply #5 on: July 06, 2013, 12:53:20 AM »
Also, avast just popped up after restarting saying I have a rootkit.

c:\windows\system32\drivers\afd.sys
svc: afd > c:\\windows\system32\drivers\afd.sys

Both rootkits are called Win32:Sirefef-BQQ [Rtk].

Doing your last instructions now.
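A check a responder would want once a system driver such as afd.sys is flagged: compare the live file against the copies of the same file name held in the Windows servicing store (Windows\WinSxS on Vista/7), since Sirefef/ZeroAccess patched drivers in place rather than replacing them. The example below is added here and is not code from the thread, from avast or from any of the tools mentioned. The System32\drivers and WinSxS layout is an assumption about a Windows 7-era machine; the WinSxS component folder names, the file contents and the "patched" bytes in the sample tree are constructed for the demo.

```python
"""Driver integrity check: does the live driver match a pristine copy?

Added example for this thread, not code from any of the posters or tools above.
Assumes the Windows 7-era layout: live drivers under Windows\System32\drivers and
servicing-store copies of the same file name under Windows\WinSxS\<component>\.
The component folder names and file contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def reference_copies(windows_root, name):
    """All files called `name` in the servicing store (Windows\WinSxS)."""
    store = Path(windows_root) / "WinSxS"
    return sorted(p for p in store.rglob(name) if p.is_file())


def check_driver(windows_root, name):
    """Classify one driver: 'match', 'mismatch', 'no_reference' or 'missing'."""
    live = Path(windows_root) / "System32" / "drivers" / name
    if not live.is_file():
        return {"driver": str(live), "status": "missing"}
    live_hash = sha256_of(live)
    refs = {str(p): sha256_of(p) for p in reference_copies(windows_root, name)}
    if not refs:
        return {"driver": str(live), "status": "no_reference", "sha256": live_hash}
    status = "match" if live_hash in refs.values() else "mismatch"
    return {"driver": str(live), "status": status, "sha256": live_hash, "references": refs}


def build_demo_tree(base):
    """Constructed sample tree: one patched driver, one clean one, made-up WinSxS names."""
    win = Path(base) / "Windows"
    drivers = win / "System32" / "drivers"
    store_a = win / "WinSxS" / "x86_demo-afd-component_1.0"   # made-up component folder
    store_b = win / "WinSxS" / "x86_demo-afd-component_1.1"   # a second, newer revision
    for d in (drivers, store_a, store_b):
        d.mkdir(parents=True)
    pristine = b"MZ" + b"\x00" * 62 + b"demo driver body, not a real PE"
    (store_a / "afd.sys").write_bytes(pristine)
    (store_b / "afd.sys").write_bytes(pristine + b"\x01")
    tampered = bytearray(pristine)
    tampered[40:44] = b"EVIL"          # same size as the original, bytes patched in place
    (drivers / "afd.sys").write_bytes(bytes(tampered))
    (drivers / "tcpip.sys").write_bytes(pristine)
    (store_a / "tcpip.sys").write_bytes(pristine)
    return win


def run_demo():
    """Return {driver name: status} for the constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        win = build_demo_tree(tmp)
        return {n: check_driver(win, n)["status"] for n in ("afd.sys", "tcpip.sys", "ndis.sys")}


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

A "match" only proves the live file is consistent with the store, not that it is genuine: a rootkit that rewrote the store copies too would pass. For authenticity, verify the Authenticode signature (for example with Sysinternals sigcheck) or compare against hashes taken from a clean machine at the same patch level; the "Driver MD5" option in the FRST instructions later in this thread produces such a hash list.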

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34066
  • malware fighter
Re: Malicious url blocked
« Reply #6 on: July 06, 2013, 12:56:53 AM »
Hi theullrich,

Never post live links to malicious URLs; break them, e.g. with hxtp:// or wXw, so the unaware cannot get infected by clicking on them.
The URL you reported has an "illegal and questionable botnet" flag, see: https://www.virustotal.com/en/url/6539f25b68c07a994d03759ca60f10d1438babaea18436ca186459af86f0a7c6/analysis/1373064401/
I get "unreachable" for the Quttera scan...
This scan says it all; look at the IDS alerts: http://urlquery.net/report.php?id=3563677
The malware analysis from Dylan's server: https://dylansserver.com/note/malware_analysis

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

theullrich
Re: Malicious url blocked
« Reply #7 on: July 06, 2013, 01:53:34 AM »

magna86
Re: Malicious url blocked
« Reply #8 on: July 06, 2013, 12:35:47 PM »
Combofix had a syntax bleep ... it has been fixed now.

- Download a fresh Combofix.exe (delete the old copy), disable AV. Then ...
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

  • Click Start, then Run.
    On Windows 7 or Vista you may use the Start Search field if Run is not available.

  • In the line of text, type in (copy) the following:
Code:
"%userprofile%\desktop\ComboFix.exe" /KillAll /NoMBR /StepDell
    Note that there is a space between "ComboFix.exe" and "/KillAll", and between "/KillAll" and "/NoMBR".

  • Then click OK (or press Enter).
  - Attach here the Combofix log. As I mentioned above, I really need to see CF's log.

theullrich
Re: Malicious url blocked
« Reply #9 on: July 06, 2013, 08:52:27 PM »
Used that code, in safe mode. It has been running for almost an hour and a half.
Also, looking in the Task Manager, the process swxcacls.3xe is the only one doing anything, staying at about 20% CPU. But its memory use is slowly increasing.
« Last Edit: July 06, 2013, 09:03:39 PM by theullrich »

magna86
Re: Malicious url blocked
« Reply #10 on: July 06, 2013, 09:36:54 PM »

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions on how to use MBAR:
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit

    Please note: This is a beta version, so please be sure to read the disclaimer and take note of it.

  • Unzip/unrar MBAR into a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe.

  • Click on Next >, then on the Update button to download fresh definitions.
  • When the database has updated, click Next.
  • In the following window ensure the "Targets" Drivers; Sectors; System are ticked. Then select the "Scan" button.

  • If infections are found, ensure "Create Restore Point" is checked, then select the "Cleanup" button to remove threats.
    Or, if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.

  • The clean-up procedure will be scheduled for processing.
  • When complete, a pop-up will show. Select the Yes button and the system should reboot to complete the cleaning process.
  >> Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt

THEN ...

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

theullrich
Re: Malicious url blocked
« Reply #11 on: July 07, 2013, 02:32:34 AM »
Farbar has been running for a bit, saying this:
Getting Office Sessions errors:1305

Malwarebytes said I was clear.

Ran both in safe mode.

magna86
Re: Malicious url blocked
« Reply #12 on: July 07, 2013, 12:13:11 PM »
Do not worry, go ahead and run these tools. ;)

- Re-run OTL, click on the Run Scan button and attach here a fresh OTL.txt log report.

- Please download zoek.exe and save it to your desktop.

  • Close any open browsers.
  • Temporarily disable your AntiVirus program (if necessary).
    If you are unsure how to do this, please read this or this instruction.

  • Double-click on zoek.exe to run the tool.
    Please wait until the tool starts...

  • Copy the text inside the code box below and paste it into the large window in the zoek tool:
Code:
process;
srinfo;
installedprogs;
DIR /S /A:L "%systemdrive%\*">>"%temp%\log.txt";b
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;

  • Click on the button.
    Please wait until a log report opens (this can be after a reboot).

  • Save the notepad file to your Desktop and attach here zoek-results.log.

    Note: It will also create a log in the C:\ directory named "zoek-results.log".

« Last Edit: July 07, 2013, 12:30:12 PM by magna86 »

theullrich
Re: Malicious url blocked
« Reply #13 on: July 09, 2013, 06:26:31 PM »
Here they are.

magna86
Re: Malicious url blocked
« Reply #14 on: July 09, 2013, 07:31:56 PM »
Re-run zoek.exe using this script:

Code:
symlinksfix;
emptyclsid;
C:\Windows\$NtUninstallKB62280$\485945278\U;f
C:\Windows\$NtUninstallKB62280$\485945278\L;f
C:\Windows\$NtUninstallKB62280$\485945278\@;f
C:\Windows\$NtUninstallKB62280$\485945278\L\00000004.@;f
C:\Windows\$NtUninstallKB62280$\485945278\U\00000004.@;f
C:\Windows\$NtUninstallKB62280$\485945278\U\00000008.@;f
C:\Windows\$NtUninstallKB62280$\485945278\U\000000cb.@;f
C:\Windows\$NtUninstallKB62280$\485945278\U\80000000.@;f
C:\Windows\$NtUninstallKB62280$\485945278\U\80000032.@;f
resetIEproxy;
C:\users\Ben\AppData\Roaming\mjusbsp;vs
FFdefaults;
chrdefaults;
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{037039D8-8C53-43CC-95BE-198556E66531}];r
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8E8176CF-3C72-4F29-B0AF-5E670D763FBD}];r
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{E4A7BA5D-1FCA-4261-85CA-307FC5471A6D}];r
ipconfig /flushdns >> %temp%\log.txt;b
resethosts;
emptyalltemp;
autoclean;

- Attach here the freshly created zoek log.

THEN ...

Download TDSSKiller and save it to your desktop.

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If a Suspicious object is detected, the default action will be Skip; click on Continue.
  • If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.
« Last Edit: July 09, 2013, 07:36:17 PM by magna86 »
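The zoek script in the post above deletes the classic ZeroAccess/Sirefef drop layout: a fake $NtUninstallKB<number>$ folder under Windows holding a numeric subfolder with U and L subfolders and files named @ or <hex>.@. The scanner below is an added example (not part of the thread, of zoek, or of any other tool named here) that looks for exactly that layout on a filesystem tree. Genuine hotfix-uninstall folders with the same name pattern exist on XP, so the folder name alone is not the signal; the @-file structure is. A folder that refuses to be listed is reported as well, because the malware protected its folder with ACLs and junction tricks (the reason the script starts with symlinksfix). The sample tree is constructed: the KB62280 path comes from the thread, the "benign" hotfix folder name is made up.

```python
"""Find the ZeroAccess/Sirefef drop structure that the zoek script above deletes.

Added example, not part of the thread or of zoek. Signal: a Windows\$NtUninstallKB<digits>$
folder holding a numeric subfolder with 'U' / 'L' subfolders and files named '@' or '*.@'.
Real hotfix-uninstall folders of the same name pattern exist on XP, so the folder name
alone is not enough; the @-file layout is what is matched. A directory that cannot be
listed is reported too, since the malware protects its folder with ACLs/junctions.
The sample tree is constructed below.
"""
import re
import tempfile
from pathlib import Path

UNINSTALL_RE = re.compile(r"^\$NtUninstallKB\d+\$$", re.IGNORECASE)


def is_at_file(p):
    return p.is_file() and (p.name == "@" or p.name.endswith(".@"))


def inspect_payload_dir(sub):
    """Return a finding for one numeric subfolder, or None if it looks benign."""
    try:
        entries = list(sub.iterdir())
        at_files = sorted(str(p.relative_to(sub)) for p in sub.rglob("*") if is_at_file(p))
    except OSError as e:
        # Not being able to list a folder under $NtUninstall...$ is itself suspicious here.
        return {"dir": str(sub), "error": f"cannot list: {e}"}
    subdirs = sorted({d.name for d in entries if d.is_dir()} & {"U", "L"})
    if not (subdirs or at_files):
        return None
    return {"dir": str(sub), "subdirs": subdirs, "at_files": at_files}


def scan_sirefef(windows_root):
    """Walk <windows_root>\$NtUninstallKB*$\<digits>\ and report Sirefef-style contents."""
    findings = []
    for entry in sorted(Path(windows_root).iterdir()):
        if not (entry.is_dir() and UNINSTALL_RE.match(entry.name)):
            continue
        try:
            children = [c for c in entry.iterdir() if c.is_dir() and c.name.isdigit()]
        except OSError as e:
            findings.append({"dir": str(entry), "error": f"cannot list: {e}"})
            continue
        for sub in children:
            finding = inspect_payload_dir(sub)
            if finding:
                findings.append(finding)
    return findings


def build_demo_tree(base):
    """Constructed sample: the layout from the thread plus a benign-looking hotfix folder."""
    win = Path(base) / "Windows"
    bad = win / "$NtUninstallKB62280$" / "485945278"
    for d in (bad / "U", bad / "L"):
        d.mkdir(parents=True)
    for rel in ("@", "L/00000004.@", "U/00000004.@", "U/80000032.@"):
        (bad / rel).write_bytes(b"demo payload")
    benign = win / "$NtUninstallKB000001$" / "spuninst"   # made-up hotfix uninstall folder
    benign.mkdir(parents=True)
    (benign / "spuninst.exe").write_bytes(b"demo uninstaller")
    return win


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_sirefef(build_demo_tree(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On a real system run it against C:\Windows from an elevated prompt, or from an offline mount of the disk; the live rootkit hid this folder from user-mode listing, which is why the thread also reaches for MBAR, TDSSKiller and the zoek symlinksfix step rather than relying on a directory walk alone.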