Hi. I recently got hit by a whole swarm of viruses and having dealt with them in the past I think I’ve managed to rid my system of most of the nastiness. There’s still one lingering browser pop-up virus bugging me though. Avast has been blocking the page openings so far but they occur fairly frequently and I need to nip this in the bud. They all seem to come from an IP of 95.143.193 with the last set of numbers varying. I’m new to the process of asking for help in support forums so please be patient with me if I’m a little ignorant. Please let me know what programs you’ll need logs from and or if any other information about my problem is needed before a proper course can be determined. Thanks in advance for the help, hope I can get this knocked out.
There's still one lingering browser pop-up virus bugging me though.does it pop up when you are doing nothing ?
Pretty much. I mean, I have my browser open obviously (Firefox). But I won’t be opening any new pages so it’s not redirecting. Just seems like every few minutes I’ll get a notification from Avast that it’s blocked an attempt at opening a page; sometimes it lists quite a few different attempts at once (I’ve had as many as 8 ). There doesn’t seem to be much of a pattern.
try clearing your browser cache/temp files with this
TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.
did it work ?
Nope. Soon as I rebooted and opened by browser I got another notification from Avast.
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)
To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( OTS log / Malwarebytes log ) OTS log must be saved as ANSI
Essexboy will check the logs when he arrives here later today
he is usually here 8:00pm - 11:59pm UK time
It’s Alureon again >:( See the longtrip-todayz and similar threads for solution.
Using the instructions detailed by essexboy in this thread: http://forum.avast.com/index.php?topic=77998.0
I’ve attached the MBAM, OTS and aswMBR logs to this reply.
You’re fix this script?
[Unregister Dlls]
[Registry - Safe List]
< FireFox Extensions [Program Folders] > ->
YN -> Hosts file not found ->
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1346352832-1441925880-3008713139-1000\] > -> HKEY_USERS\S-1-5-21-1346352832-1441925880-3008713139-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{32099AAC-C132-4136-9E9A-4E364A424E17}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-1346352832-1441925880-3008713139-1000\] > -> HKEY_USERS\S-1-5-21-1346352832-1441925880-3008713139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "ASRock OC Tuner" -> []
[Files - No Company Name]
NY -> 731v358827u4o32305lpp73 -> C:\Users\Peter\AppData\Local\731v358827u4o32305lpp73
NY -> 731v358827u4o32305lpp73 -> C:\ProgramData\731v358827u4o32305lpp73
NY -> COMMAND - Copy.COM -> C:\Windows\System32\COMMAND - Copy.COM
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
It is not a script for your copmuter ;D
Do this
Download OTS to your Desktop and double-click on it to run it
[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT
[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.
Something odd is going on. My browser won’t allow me to post a reply to this thread with my OTS log attached. I get a connection reset error but it seems too instantaneous to be a timeout issue or something like that. Adaptive behavior from my virus? I really have no idea what this thing is capable of but if the only way around this is to copy and paste the log into my reply I can do that. Someone please help.
UPDATE I switched it to Unicode and it goes through(thought I read OTS logs have to be ANSI), but the file size is too large. Any suggestions on how to rectify that?
Attach OTS log ( reply >> additional Options )
or visit this website:
http://pastebin.com/
Just paste your complete logfile into the textbox and click Submint
Paste here URL link to be able to see the log.
Was having trouble with Pastebin too, gave me the same connection reset error when I tried to submit. I did a bootscan and discovered my OTS log was infected with AutoRun-gen2 (Wrm), which might be why it wouldn’t let me attach/paste it. I did another OTS scan and tried going through Pastebin again but I’m having the same problem. As soon as I attempted to attach the log or paste it through Pastebin I get a new alert from avast detailing an AutoRun-BJ (Wrm) infection. The bootscan I mentioned earlier was my attempt at squashing this threat but it apparently didn’t work. It seems my system has a few more viruses squirming around. I don’t know what to do, it won’t allow me to get an OTS log to you guys. I could always copy and paste the log into my reply but I know that isn’t preferable since it takes up so much space. And I’m noticing the URL-Mal infection is getting worse, avast alerts are becoming more frequent and attempts are becoming more numerous. Someone help! ???
UPDATE
Just confirming that every time I do a scan with OTS the log seems to instantly be infected with AutoRun-gen2 (Wrm) and I can’t seem to submit it through Pastebin (though I don’t know if that’s a result of the infection or not). I don’t know how I can get help with the problem if I can’t supply a log. Does anyone have a solution to this problem?