avast can't get rid of url:mal from wxw.cikh71ynks66.xcm which avast blocked.

[PaCKINheAT]

working again. thx

[essexboy]

Aye submit to Avast as that is the name of a known bad file - but leave it in quarantine as it may also be legitimate.  Although looking at your logs I do not believe you should have that file.  On completion of this run can you let me know what problems remain

Main culprit :  Rootkit.Win32.TDSS.tdl4(\HardDisk0) : Dead

 

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
  O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
  O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
  O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
  O3 - HKU\S-1-5-21-2887382432-435655479-313340097-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
  O3 - HKU\S-1-5-21-2887382432-435655479-313340097-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [EMPTYFLASH]
  [CREATERESTOREPOINT]
  [Reboot]

  
  
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  

[PaCKINheAT]

 

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
  O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
  O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
  O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No CLSID value found.
  O3 - HKU\S-1-5-21-2887382432-435655479-313340097-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
  O3 - HKU\S-1-5-21-2887382432-435655479-313340097-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
  
  Including this?

[PaCKINheAT]

update.exe was in task manager using a lot of memory. it disappears from task manager then reappears on it in a matter of seconds. and keeps doing it

[essexboy]

OK lets get serious with this - does the update file belong to a programme that you know ?

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

[PaCKINheAT]

OK lets get serious with this - does the update file belong to a programme that you know ?

no. might it be from windows update?

[essexboy]

No tis not windows update as that uses a different file

Could you run combofix please

[DrUtker]

Hello, I have the same problem as PackingHeat. After I used OTL and TDSSKiller, my pc works just fine and my windows defender was able to update again. Do you think the problem is solved now or do I have to do the combofixes as well?

[Asyn]

Hello, I have the same problem as PackingHeat. After I used OTL and TDSSKiller, my pc works just fine and my windows defender was able to update again. Do you think the problem is solved now or do I have to do the combofixes as well?

Well, it sure would be a good idea to open a new thread for your problem..!
Welcome to the forum..!!
asyn

[essexboy]

OTL is a purely analysis log - unless you used some removal ccommands

[PaCKINheAT]

lol i see that site is really starting to get around now. ill have the log posted in a few minutes essex

[PaCKINheAT]

2 other deletions. 1 of the was the autorun.inf which i suspected to be a problem.

[PaCKINheAT]

idk if my problem is completely over yet. can you tell me why the oem file was deleted

[essexboy]

That file if legit should be in the inf folder, Anywhere else and it is suspect

What problems do you have now ?

[JDourg]

I used the TDSSKiller as specified in the earlier post, and it found that I had one infection.  Did the Cure and rebooted and I've not had the cikh71... blocked again.  My PC seems to be working fine now.  Thanks.