It seems that other people are having similar problems. Using the tools others have been told to do I went ahead and attached the logs from OTL and aswMBR (I’m waiting on aswMBR) to finish.

These is one of the threats. It’s usually the same except the IP may change.

Infection Details
URL: hxxp://77.95.230.80/click.php?s
Process: C:\Windows\system32\svchost.exe
Infection: URL:Mal
[19:11:17] Maria Anne Poirier: Your help is greatly appreciated

This post should be posted in the Virus and Worms section of the forum where it will receive more attention.

Please make your link un-linkable: change http to hXXP. Thank you.

Did you use an online scanner for your url? If so, which one(s) and please provide the results.

Did you get an Avast warning or popup?

How is your machine behaving?

I tried to use an online scanner and when I did, I got a warning from avast that it had blocked a trojan.

The avast alarm that continues to display is a pop-up.

My machine seems to be acting ok, except I can’t post to these forums from home because the captcha isn’t showing.

Now you have three posts, the captcha shouldn’t be required. But something must be blocking it in your browser, something like NoScript or an AdBlockPlus style add-on.

Well that certainly will be helpful. I’m posting from work right now. Any idea on how to fix my problem?

It needs the logs to be analysed by a malware removal specialist to deal with the underlying infection. Time zones and availability of the volunteers means there may be a delay (none on-line at present).

Hi you are using a very old copy of OTL could you download and run the latest version

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[]When the scan completes, it will open one notepad.
[]Attach the log

As requested.

Thanks for your help.

I need to check out some drivers now, and this is a good tool to use

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

• IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

I’ve attached the log. Combofix said it had a Zero Access virus and then went through the steps to clean it. I didn’t do anything, I just let it run. However, even with AVG uninstalled, it says that AVG is active. Also, I disabled avast, but it said that was active too, but it went ahead and ran anyway. The machine is running the same. I’m still blocking sites. So I guess combofix didn’t get it

Not yet but this one should

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

[*]Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Just letting you know I am doing the TDSS killer now. I had to leave for vacation right as this nasty little problem creeped up. Since it’s on my desktop, there was no way to fix it until I got home. I just wanted to let you know that I wasn’t being ungrateful and I appreciate your continued support.

That shouldn’t be a problem, though it is just after 1:45am in the UK, so essexboy will be in bed and should be back later today. This gives you plenty of time to get your log attached.

Ok, so this was weird. I followed the instructions EXACTLY. I clicked skip and then it told me to reboot to cure. So since that was what I was told, I did that. When it loaded back up, there was only a report that showed a normal reboot. Not what it found or anything like that. However, I do know there were 4 objects and one of them was a rootkit. Avast went a little nuts and blocked a few things as the cure restart was taking place.

When I restarted, TDSS told me to update (I thought I did that before I ran it) and I ran it again just to be sure I didn’t screw it up. This time, there were 3 objects found, but TDSS didn’t want to do anything about it and I was able to grab the report this time.

I’m sorry if I did something wrong, but it seemed as if the program was taking control and just doing what it needed to do. Here’s the log from the second run. I did not delete anything, just skipped like I was told.

Log in next post.

Edit, I want to follow your instructions, but it won’t let me copy and paste the log. I’ve attached it to this post.

Presumably TDSSKiller is regularly updated so it advices you to update.

Yes there are three things found, but probably only one of them that I can see is going to be an issue (but I’m not a malware removal specialist).
That is the ‘\Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user’ entry and essexboy will give details on running TDSSKiller again to deal with that (when he is back on-line)

Attachment as opposed to copy and paste is fine for larger log files (probably even the preferred option).

Just an update:

I haven’t run anything else while I’m waiting for further instruction, but the pop-ups have stopped. The only issue I had is my browser seemed to hang and crash the computer. It didn’t go to blue screen, but I’m sure if I had given it time it would have. It restarted without a problem. I honestly think it’s a script causing the hang, but I don’t know how to delete those.

I have asked essexboy if he can get back to this topic.

Could you re-run TDSSKiller please and when you get the following select delete:

\Device\Harddisk0\DR0 ( TDSS File System )

Then could you post a fresh OTL quick scan

run farbar service scanner

https://dl.dropbox.com/u/73555776/FSS.GIF

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Ok, did what you said.

When I did the first part, Avast went a little nuts and says it blocked a malicious threat and no further action was required. TDSS made a quarantine folder and moved some stuff into there.

Here are all the logs you requested. Had to attach, too many characters.

How is the computer behaving now ?