Avast constantly Blocking Malicious URL

Avast has been popping up repeated flags warning of “Blocked Malicious URL” Object: give a long string with the URL Infection: URL:Mal Process: C:\program files\ Internet Explorer\ IEXPLORE.EXE I did a full scan and Boot Time Scan with avast and found nothing. Malwarebytes also found nothing. But something is there because my System Restore points are all gone. Task Manager Processes tab shows multiple instances of iexplore.exe even though I try to end them. They pop right back up. They are listed as System Processes not User. I don’t even use that browser anyway. Has anyone seen this and/or know how to rid my machine of this? I have important data backed up but the time required to wipe the drive and reinstall OS and applications is not very appealing. What have I got and how do I get rid of it? Any help would be greatly appreciated.

Follow the guide and attach the logs:
http://forum.avast.com/index.php?topic=53253.0

Should have read that first, sorry. Will run scans and attach logs ASAP.

I have attached a zip of the MBAM and OTL logs. Another Avast! scan says that C:\WINDOWS\system32\svchost.exe has Win32:Malware-gen that it is unable to move to chest or delete. Will now run aswMBR and attach that to next post soon. Thanks for your time on this issue.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O33 - MountPoints2\{422e5553-635e-11df-a0c0-002170a6937e}\Shell\AutoRun\command - "" = WScript.exe .\`.vbs
O33 - MountPoints2\{422e5553-635e-11df-a0c0-002170a6937e}\Shell\open\Command - "" = WScript.exe .\`.vbs
O33 - MountPoints2\{e4457dd0-fb92-11de-be2a-002170a6937e}\Shell\AutoRun\command - "" = RECYCLER\S-1-5-21-1254416572-1263425100-317347820-0350\system.exe
O33 - MountPoints2\{e4457dd0-fb92-11de-be2a-002170a6937e}\Shell\open\command - "" = RECYCLER\S-1-5-21-1254416572-1263425100-317347820-0350\system.exe
O33 - MountPoints2\C\Shell\AutoRun\command - "" = WScript.exe .\`.vbs
O33 - MountPoints2\C\Shell\open\Command - "" = WScript.exe .\`.vbs
@Alternate Data Stream - 24 bytes -> C:\WINDOWS:F64A14005326A992
@Alternate Data Stream - 12 bytes -> C:\Documents and Settings\Chris Dietrich\My Documents:{726B6F7C-E889-4EFE-8CA3-AEF4943DBD38}

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]

:Files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

NEXT

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

  • Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

  • Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

FINALLY

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
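As an added illustration (not part of this thread, OTL or any of the tools named above), the following Python helper triages the O33 MountPoints2 lines that appear in the fix script: it flags the per-volume autorun hooks a USB worm typically plants (a script host launch, a payload parked under RECYCLER, a relative path, or a handler on the fixed system drive). The sample lines are copied from the fix above, plus one constructed benign line for contrast.

```python
import re
from typing import List, Tuple

# Sample OTL O33 lines: the first three are from the fix script in this thread,
# the last one is a constructed benign entry (a real CD/USB installer handler).
SAMPLE_O33 = r"""
O33 - MountPoints2\{422e5553-635e-11df-a0c0-002170a6937e}\Shell\AutoRun\command - "" = WScript.exe .\`.vbs
O33 - MountPoints2\{e4457dd0-fb92-11de-be2a-002170a6937e}\Shell\open\command - "" = RECYCLER\S-1-5-21-1254416572-1263425100-317347820-0350\system.exe
O33 - MountPoints2\C\Shell\AutoRun\command - "" = WScript.exe .\`.vbs
O33 - MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\open\command - "" = E:\setup.exe
"""

# OTL "O33" lines list the MountPoints2 Shell\AutoRun and Shell\open command
# handlers, i.e. what Explorer runs when a volume is opened or auto-played.
O33_RE = re.compile(
    r'^O33 - MountPoints2\\(?P<vol>[^\\]+)\\Shell\\(?P<verb>[A-Za-z]+)\\[Cc]ommand'
    r' - "" = (?P<cmd>.+)$'
)


def triage_o33_line(line: str) -> List[str]:
    """Return the reasons one O33 line looks like a removable-drive worm hook.
    An empty list means the line is not an O33 entry or nothing matched."""
    m = O33_RE.match(line.strip())
    if not m:
        return []
    vol, cmd = m.group("vol"), m.group("cmd")
    cmd_lower = cmd.lower()
    reasons: List[str] = []
    # Windows Script Host launched straight from the volume
    if re.search(r'\b[wc]script\.exe\b', cmd_lower):
        reasons.append("script host launched by autorun")
    # Executable hidden in the volume's recycle-bin folder (RECYCLER/RECYCLED)
    if re.search(r'recycle[rd]\\', cmd_lower):
        reasons.append("payload stored under RECYCLER/RECYCLED")
    # Relative path: the payload travels with the volume it infected
    if cmd.startswith(".\\") or " .\\" in cmd:
        reasons.append("relative path to payload")
    # An autorun handler on the fixed system drive is never legitimate
    if vol.upper() == "C":
        reasons.append("autorun handler on system drive C")
    return reasons


def triage_o33_log(text: str) -> List[Tuple[str, List[str]]]:
    """Triage every O33 line in an OTL log; only flagged lines are returned."""
    findings = []
    for line in text.splitlines():
        reasons = triage_o33_line(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings
```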

Wow, you guys are fast on response times. That’s incredible for people that are generous enough to volunteer their time and expertise. I will follow the steps you have outlined and report the results. In case it matters at this point I will attach the file generated by aswMBR. Thanks again!

aswMBR confirms the infection

I just went through all the steps you suggested. I have attached the logs to this post. A couple of things I noticed: 1) TDSSKiller skipped past the step where it offered fixes to items it had me skip before, although these were things that it found suspicious that were actually not. I assume it skipped the step because it found nothing to repair in the end. 2) Near the top of the ComboFix report it seems to indicate that explore.exe is infected and it didn’t reflect that it had fixed it as it had svchost.exe and others. Perhaps I misinterpreted this. If there is anything further to be done please advise. Once again, thanks for your time.

Here is the TDSSKiller log. It was too large to include with the other two.

No, explorer is still infected. But I know where there is a spare.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
FCopy::
C:\WINDOWS\ServicePackFiles\i386\explorer.exe|c:\windows\explorer.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

THEN

Run Farbar Service Scanner

https://dl.dropbox.com/u/73555776/FSS.GIF

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.

That must be one of the files that downloaded from MS in one of the registry reconstruction steps of Combofix. Excellent I will carry out the replacement procedure and the following scan and get back to you with a log from that. Thanks for being more persistent than the jerks that create these things! More soon.

That didn’t go very well. I dragged the script file onto ComboFix. It ran and when it got to the replacing files part it didn’t appear to replace explorer. I let it run its course. At the end it indicated that it would reboot the machine. It began to do so. However, during the Windows startup it shows a message that explorer has encountered a problem and needs to close. When I click OK it never gets to fully operational. I have my desktop background but no shortcuts, no start menu or task bar. I can get to Task Manager to shut down or restart. But I’m dead in the water. I am on my phone browser now. Any idea of a next step?

OK, from Task Manager start the following task: Explorer.exe
Does the desktop load?

If not, from Task Manager again start the following task: rstrui.exe
Then restore the system to the restore point ComboFix made prior to the last fix.

When back

  • Download RogueKiller and save it on your desktop.
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished …
  • Click on Scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png

  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png

  • The report has been created on the desktop.

  • Next click on the ShortcutsFix

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png

  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Explorer closes right away. Also, rstrui.exe is not found. Is that the correct filename for the System Restore executable?

Yes it is

  1. Restart your computer
  2. Before Windows loads, you will be prompted to choose which Operating System to start
  3. Use the up and down arrow keys to select Microsoft Windows Recovery Console
  4. You must enter which Windows installation to log onto. Type 1 and press Enter.
  5. At the C:\Windows prompt, type the following, and press Enter:

cd erdnt\subs

  6. At the next prompt, type the following, and press Enter:

batch erdnt.con

  7. The erunt backups will begin copying.
  8. At the next prompt, type the following, and press Enter:

exit

Windows will now begin loading.

I’ll give it a go. More soon.

Not so good again. I can get to the c:/windows/erdnt but there isn’t a subs directory within. There are only two files, cfrecovery.bat and funds.dat.

Sorry, phone browser autocomplete typo. The second file is cfundo.dat

OK, looks like we will need to work outside of Windows … Do you have a USB drive to download the following programme to?

  • Download Farbar Recovery Scan Tool and save it to a flash drive.

Restart to the Recovery Console
Insert the USB

At the command prompt type the following:

notepad and press Enter.
Notepad opens. Under the File menu select Open.
Select “Computer”, find your flash drive letter and close Notepad.
In the command window type e:\frst.exe and press Enter.
Note: Replace the letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Hey, I just wanted to let you know. I have already commenced with a format and re-install. I had all important data backed up recently. This is something I am good about. I just saw this becoming a bottomless pit of hours to recover from bit by bit. I already have more time in than it would take to start over, especially with a backup of my data available. This way I don’t have to wonder if we totally got everything out going forward. I also figured that you have things besides helping out someone foolish enough to contract this sort of thing. I do truly appreciate your time investment on this issue. Is there anything I can do to repay your generosity? The fact that you folks spend so much time and energy helping the digitally challenged is admirable! Thank you!