Hi… my problem resembles this one: http://forum.avast.com/index.php?topic=118769.msg916117
I can't run mbam or OTL. I ran TDSSKiller and am attaching the logs.
Please help!
> I can't run mbam or OTL

Why... have you tried running them from safe mode?
also run AdwCleaner and aswMBR http://forum.avast.com/index.php?topic=53253.0
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr
Double click dds to run the tool.
* When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
Save both reports to your desktop and attach DDS.txt and Attach.txt back to the topic.
I booted up in safe mode and was able to run OTL and DDS. Check the attached logs.
Re-run OTL.exe.
* Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://searchou.com/?affil=7&uid=610450a5-915b-11e2-99c6-10bf480c23ea
IE - HKU\S-1-5-21-3667880896-404420982-380889788-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://searchou.com/?affil=7&uid=610450a5-915b-11e2-99c6-10bf480c23ea
IE - HKU\S-1-5-21-3667880896-404420982-380889788-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://searchou.com/?affil=7&uid=610450a5-915b-11e2-99c6-10bf480c23ea&q={searchTerms}
FF - prefs.js..keyword.URL: "http://searchou.com/?affil=7&uid=610450a5-915b-11e2-99c6-10bf480c23ea&q="
O4 - HKU\S-1-5-21-3667880896-404420982-380889788-1000..\Run: [ea8d] C:\Users\Vinay\AppData\Roaming\fc9bf\ea8d.js ()
O4 - Startup: C:\Users\Vinay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b7.js ()
O33 - MountPoints2\{068e619e-4cc9-11e2-97d7-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{068e619e-4cc9-11e2-97d7-806e6f6e6963}\Shell\AutoRun\command - "" = E:\InstAll.exe
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\setup.exe
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\Setup.exe
O33 - MountPoints2\I\Shell - "" = AutoRun
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\setup.exe
[2013/03/27 13:19:04 | 000,000,000 | -HSD | C] -- C:\Users\Vinay\AppData\Roaming\fc9bf
[2013/03/27 13:19:03 | 000,000,000 | -HSD | C] -- C:\fd3
[2013/03/27 18:19:58 | 000,046,857 | ---- | M] () -- C:\Users\Vinay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b7.js
[2013/03/27 18:00:00 | 000,046,857 | ---- | C] () -- C:\Users\Vinay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b7.js
:files
ipconfig /flushdns /c
:commands
[CREATERESTOREPOINT]
[emptytemp]
* Then click the Run Fix button at the top.
* Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
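The fix script above targets three distinct persistence and hijack classes: script files launched from the user profile at logon (the Run value and the Startup-folder .js), AutoRun handlers registered under MountPoints2 for removable drives, and a replaced Internet Explorer/Firefox homepage and search URL. The following Python triage helper is an added example for readers learning to spot those classes in OTL output; it is not part of this thread and not OTL's own code. The sample input is the set of OTL lines quoted in the fix script, and the allowlist of expected homepage hosts is a constructed assumption.

```python
import ntpath
import re
from urllib.parse import urlparse

# Constructed sample input: the OTL lines quoted in the fix script above.
SAMPLE_OTL_LINES = r"""
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://searchou.com/?affil=7&uid=610450a5-915b-11e2-99c6-10bf480c23ea
IE - HKU\S-1-5-21-3667880896-404420982-380889788-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://searchou.com/?affil=7&uid=610450a5-915b-11e2-99c6-10bf480c23ea
IE - HKU\S-1-5-21-3667880896-404420982-380889788-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://searchou.com/?affil=7&uid=610450a5-915b-11e2-99c6-10bf480c23ea&q={searchTerms}
FF - prefs.js..keyword.URL: "http://searchou.com/?affil=7&uid=610450a5-915b-11e2-99c6-10bf480c23ea&q="
O4 - HKU\S-1-5-21-3667880896-404420982-380889788-1000..\Run: [ea8d] C:\Users\Vinay\AppData\Roaming\fc9bf\ea8d.js ()
O4 - Startup: C:\Users\Vinay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b7.js ()
O33 - MountPoints2\{068e619e-4cc9-11e2-97d7-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{068e619e-4cc9-11e2-97d7-806e6f6e6963}\Shell\AutoRun\command - "" = E:\InstAll.exe
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\setup.exe
O33 - MountPoints2\H\Shell - "" = AutoRun
O33 - MountPoints2\H\Shell\AutoRun\command - "" = H:\Setup.exe
O33 - MountPoints2\I\Shell - "" = AutoRun
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\setup.exe
""".strip().splitlines()

# Script-host extensions that are unusual as logon autostarts for ordinary software.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}

# Constructed assumption: hosts the user would expect as homepage / search provider.
EXPECTED_HOSTS = {"www.google.com", "www.bing.com"}

# O4: "<location>: [<value name>] <path> ()" or "Startup: <path> ()"
O4_RE = re.compile(r'^O4 - (?P<location>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<path>.+?) \(\)$')
# O33: the AutoRun command registered for a mount point (drive letter or volume GUID).
O33_RE = re.compile(r'^O33 - MountPoints2\\(?P<key>[^\\]+)\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')
# IE start page / search scope and Firefox keyword.URL entries carry a URL after the key name.
URL_RE = re.compile(r'(?:Start Page|"URL"|keyword\.URL)[^\n]*?(https?://[^\s"]+)')


def triage_otl_lines(lines, expected_hosts=EXPECTED_HOSTS):
    """Return (category, detail) findings for the three classes described above."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path = m.group("path")
            ext = ntpath.splitext(path)[1].lower()          # works for Windows paths on any host
            in_profile = "\\appdata\\" in path.lower()       # autostart living in the user profile
            if ext in SCRIPT_EXTS or in_profile:
                findings.append(("script_autostart", f'{m.group("location")} -> {path}'))
            continue
        m = O33_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if not cmd.lower().startswith("c:"):             # handler points at a non-system drive
                findings.append(("removable_autorun", f'{m.group("key")} -> {cmd}'))
            continue
        m = URL_RE.search(line)
        if m:
            host = urlparse(m.group(1)).hostname or ""
            if host not in expected_hosts:
                findings.append(("browser_hijack", host))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'browser_hijack': 4, ...}."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in triage_otl_lines(SAMPLE_OTL_LINES):
        print(f"{category:18} {detail}")
    print(summarize(triage_otl_lines(SAMPLE_OTL_LINES)))
```

Run against the quoted lines it reports two script autostarts, four removable-drive AutoRun handlers and four homepage/search entries pointing at the same unexpected host, which is exactly the set of items the fix script removes; the same three checks are worth re-running on the post-fix OTL log, since a reappearing Startup-folder .js is the quickest sign of reinfection from a plugged-in drive.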
Here’s the log…
How’s your computer behaving now?
Still the same way!
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.
How to disable avast:
* Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
* In the window that opens, on the top right corner, click Settings.
* In the new window that opens, choose the option Troubleshooting, uncheck Enable avast! self-defense, and click OK.
* Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
* In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.
When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.
Do you have a problem with flash drives?
Here’s the log…
And as soon as I boot up now, the avast icon disappears from the taskbar.
Yes, I think the malware came from a pendrive. Many friends insert their pendrives into my lappy…
How do I protect myself from pendrives?
> How do I protect myself from pendrives?

See argus' signature ;) http://amf.mycity.rs/mcshield/ but you may wait until he is back to install it...
Open notepad and copy/paste the text present inside the code box below:
File::
c:\users\Vinay\AppData\Roaming\fc9bf\ea8d.js
c:\users\Vinay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bdc.js
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ea8d"=-
Firefox::
FF - ProfilePath - c:\users\Vinay\AppData\Roaming\Mozilla\Firefox\Profiles\xvqb4t43.default\
FF - ExtSQL: 2013-02-10 03:32; mozilla_cc@internetdownloadmanager.com; c:\users\Vinay\AppData\Roaming\Mozilla\Firefox\Profiles\xvqb4t43.default\extensions\mozilla_cc@internetdownloadmanager.com
FF - ExtSQL: !HIDDEN! 2013-01-09 23:04; mozilla_cc@internetdownloadmanager.com; c:\users\Vinay\AppData\Roaming\IDM\idmmzcc5
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
Here’s the log…
My problem is still not fixed!
http://imageshack.us/a/img841/7292/thisisujrt.gif
Please download Junkware Removal Tool to your desktop.
* Shut down your protection software now to avoid potential conflicts.
* Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
* The tool will open and start scanning your system.
* Please be patient as this can take a while to complete depending on your system's specifications.
* On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
* Post the contents of JRT.txt into your next message.
Open notepad and copy/paste the text present inside the code box below:
ClearJavaCache::
Folder::
c:\users\Vinay\AppData\Roaming\IDM\idmmzcc5
File::
c:\users\Vinay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bdc.js
c:\users\Vinay\AppData\Roaming\Mozilla\Firefox\Profiles\xvqb4t43.default\extensions\mozilla_cc@internetdownloadmanager.com
Firefox::
FF - ExtSQL: 2013-02-10 03:32; mozilla_cc@internetdownloadmanager.com; c:\users\Vinay\AppData\Roaming\Mozilla\Firefox\Profiles\xvqb4t43.default\extensions\mozilla_cc@internetdownloadmanager.com
FF - ExtSQL: !HIDDEN! 2013-01-09 23:04; mozilla_cc@internetdownloadmanager.com; c:\users\Vinay\AppData\Roaming\IDM\idmmzcc5
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
Here they are…
There is reinfection >:(
We go once again.
Open notepad and copy/paste the text present inside the code box below:
Folder::
c:\users\Vinay\AppData\Roaming\fc9bf
C:\fd3
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ea8d"=-
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
Here it is…
I don't understand… the problem still persists!
P.S.: Every time after reboot, Waterfox asks if it's to be made default again, even though I click Yes.
* Please download BlitzBlank by Emsisoft and save it to your desktop.
* Open BlitzBlank.exe by double-clicking on it.
* Click OK at the warning (and take note of it, this is a VERY powerful tool!).
* Click the Script tab and copy/paste the following text there:
DeleteFile:
c:\users\Vinay\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bcbcb.js
c:\users\Vinay\AppData\Roaming\Mozilla\Firefox\Profiles\xvqb4t43.default\extensions\mozilla_cc@internetdownloadmanager.com
DeleteFolder:
c:\users\Vinay\AppData\Local\icsxml
c:\users\Vinay\AppData\Roaming\Letasoft
c:\users\Vinay\AppData\Roaming\IDM\idmmzcc5
* Click Execute Now. Your computer will need to reboot in order to replace the files.
* When done, post me the report created by BlitzBlank. You can find it at the root of the drive C:\
Remove ComboFix icon
Download a new ComboFix from the link below, and save it to your desktop.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Run ComboFix and post the C:\ComboFix.txt for further review.
When I click on the Execute Now button, it says "Syntax error in line 2, Invalid file path"…