As I have read here, I can see I’m not the only person experiencing this problem. As with the other cases I’ve read about on this forum, I am getting a repetitive message pop-up from my Avast antivirus program that says “MALICIOUS URL BLOCKED”… also, as with the other cases if I’m not mistaken, under “Object” on the message there are URLs listed: “onceagaincrap.com/x/”, “yetanothersheet.com”, and various IP addresses.
I have had the free version of MBAM installed for some time now, and have run scans with it (as well as the Avast antivirus program) numerous times to no avail.
I am following the directions listed in the “Logs to assist in cleaning malware” thread now, and will attach all of the logs specified. I have downloaded OTL (at which time a message popped up on my screen stating that the program is not downloaded often and may harm my computer… but I installed it anyway), and am currently running another quick scan with MBAM.
So now I’ve downloaded aswMBR and am running the scan… I had closed all my browser windows for the scan, but it seems to have paused or frozen (about 18 minutes ago now). I don’t know if I should abort the scan and start over, or just wait and see if it starts again on its own. I guess I’ll wait a few more minutes unless someone tells me different.
If you are able to get aswMBR to run, great… if not, continue on.
WARNING: Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.
Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.
If you would like to format and reinstall your Operating System please let me know and we can assist you with that.
If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.
Download Combofix from the link below, and save it to your desktop. Link
Note: It is important that it is saved directly to your desktop
If you get a message saying “Illegal operation attempted on a registry key that has been marked for deletion”, please restart your computer.
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.
Luckily I don’t use this computer for anything sensitive like banking, and I never save any passwords on it for this very reason. However, I don’t have my files backed up. The last time I had a computer that got infected to the point I had to reinstall the OS, I did have the files backed up, but I couldn’t figure out how to restore them, lol. I may need help with that if we end up going the reinstall route, if it’s not too much trouble.
OK, well it’s 2:17am here so I’m going to get some sleep. Thanks Pondus and jeffce so much for your help… I’ll check back in here in a few hours and see what you have next for me to do. Good night…
By “set up to use a proxy server”, do you mean someone on my computer is trying to mask its IP address? I did not know that actually… in fact, I’ve never used a proxy server personally. My kids use this computer too so I’m guessing it was one of them that did it. One of them was talking about how they got banned from a chatroom and asked me if I knew how to get around it… I’ve heard of using proxy servers for things like that, but I’ve never needed to try it.
So do I need to change a setting somewhere or is that going to affect my system at all?
To enter System Recovery Options from the Advanced Boot Options:
1. Restart the computer.
2. As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
3. Use the arrow keys to select the Repair your computer menu item.
4. Select US as the keyboard language settings, and then click Next.
5. Select the operating system you want to repair, and then click Next.
6. Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
1. Insert the installation disc.
2. Restart your computer.
3. If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
4. Click Repair your computer.
5. Select US as the keyboard language settings, and then click Next.
6. Select the operating system you want to repair, and then click Next.
7. Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
1. Select Command Prompt.
2. In the command window type in notepad and press Enter.
3. The notepad opens. Under File menu select Open.
4. Select “Computer” and find your flash drive letter and close the notepad.
5. In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter. Note: Replace letter e with the drive letter of your flash drive.
6. The tool will start to run.
7. When the tool opens click Yes to disclaimer.
8. Press Scan button.
9. It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
I’m curious to know if these instructions can be followed by others who have this same problem or if they are unique to the logs posted. My husband’s computer was infected by this same trojan and I need to find a way to clean it up without having to reformat the hard drive if possible, since I did it already once in the past year. How can I get instructions specific for this computer if these instructions won’t work? Thanks, TacoBelle
The fix is unique to the computer they are made for… running on others may damage the comp.
If you have problems, start your own topic in the virus and worms section, and follow this guide: http://forum.avast.com/index.php?topic=53253.0
Attach the logs in the topic you start and you will receive help.
For 32 bit systems, download Farbar Recovery Scan Tool and save it to a flash drive.
For 64 bit systems, download Farbar Recovery Scan Tool64 and save it to a flash drive.