Avast Warning for almost all websites

It appears I have an infection of some type. I followed the instructions in the sticky above by essexboy and ran Malwarebytes and was going to run OTL, however I am not sure where to get the scan.txt you are supposed to put in the custom box in OTL.

The problem I was having was that Avast would come up with a warning about the website no matter what website I was going to. The object was a big long series of numbers and characters.

The next line was URL:MAL

I don’t recall what the next line said but the process on the bottom line was either iexplore or svchost.

My tabs on top also did not show, so if you opened a second tab it never showed on the top of IE. I didn’t actually think the tabs were opening, but when you clicked on the X in the top right corner to close the page it asked if I wanted to close all tabs or just the current tab, so it was obviously opening the tabs, just not displaying them or giving you any way to select them.

I had also gone into the control panel and security and found that the Windows Firewall was turned off and it would not allow me to turn it back on.

After running Malwarebytes the firewall is now on again and my tabs are working, but booting takes forever so I assume there is still something not right.

I am not sure how these infections get on the computer with Avast running all the time.

Any help/suggestions would be appreciated.

Thank you

If you could just run OTL without any custom scans and ensure that All Users is selected, then attach the logs here and I will have a look.

Here are the two logs.

Just now the menu bar in IE just turned black so you can’t read File Edit etc.

Several of your drivers are stalling on start which is a tad suspicious

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
DRV - (SYMIDSCO) -- C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050901.036\symidsco.sys File not found
O3 - HKU\S-1-5-21-1922141765-1701184110-4109938974-1007\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKU\S-1-5-21-1922141765-1701184110-4109938974-1007\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
[2010/10/10 10:46:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\HP_Administrator\My Documents\Ovi

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
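As an added illustration (not code from this thread, from OTL, or from essexboy), the small Python script below applies the same reasoning the fix above was built from: an OTL log line whose driver file is reported "File not found", or whose toolbar entry has "No CLSID value found", is an orphaned registry reference, and the :OTL section of a custom fix removes it. The sample log lines are constructed, modelled on the entries quoted above; the second driver and second toolbar entry (placeholder CLSID) are made up to show entries the fix must leave alone.

```python
import re

# Constructed sample of OTL log lines, modelled on the entries quoted in the fix above.
# The "ExampleAV" driver and the second O3 line (placeholder CLSID) are made up and
# represent healthy entries that a fix should not touch.
SAMPLE_OTL_LOG = r"""
DRV - (SYMIDSCO) -- C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20050901.036\symidsco.sys File not found
DRV - (ExampleAV) -- C:\WINDOWS\system32\drivers\exampleav.sys (Example Vendor)
O3 - HKU\S-1-5-21-1922141765-1701184110-4109938974-1007\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Example Toolbar) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\toolbar.dll (Example Vendor)
"""

# Markers OTL prints when the file or CLSID a registry entry points at no longer exists.
ORPHAN_MARKERS = ("File not found", "No CLSID value found")

# DRV lines look like:  DRV - (ServiceName) -- <path>.sys <status or vendor>
DRV_RE = re.compile(r"^DRV - \((?P<name>[^)]+)\) -- (?P<path>.+?\.sys)\s*(?P<status>.*)$", re.I)


def parse_driver_line(line):
    """Return (service name, driver path, file_present) for a DRV log line, or None."""
    m = DRV_RE.match(line.strip())
    if not m:
        return None
    present = m.group("status").strip().lower() != "file not found"
    return m.group("name"), m.group("path"), present


def find_orphaned_entries(log_text):
    """Collect DRV and O3 lines whose driver file or toolbar CLSID no longer exists."""
    orphans = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith(("DRV - ", "O3 - ")):
            continue  # other OTL sections (O2, O4, ...) are deliberately not handled here
        if any(marker in line for marker in ORPHAN_MARKERS):
            orphans.append(line)
    return orphans


def build_otl_fix(orphans, commands=("purity", "resethosts", "emptytemp", "Reboot")):
    """Assemble an OTL custom fix: :OTL lists the lines to remove, :Commands the follow-up actions."""
    lines = [":OTL", *orphans, "", ":Commands", *[f"[{c}]" for c in commands]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_otl_fix(find_orphaned_entries(SAMPLE_OTL_LOG)))
```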

Several of your drivers are stalling on start which is a tad suspicious <<<

I guess that may account for the slow booting?

Just now as I reopened this webpage I got the AVAST warning again showing the URL:MAL infection, Process svchost, which seemed to have disappeared after running Malwarebytes.

Here is the log OTL produced after the scan as well as the logs after running it again. I didn’t get an extras log this time.

I’ll run Combofix now. Do I need to disable the firewall as well or just AVAST?

Thank you

Here is the combofix log.

I noticed at one point while combofix was running it stated rootkit activity found.

I also noticed this in the report and would imagine it needs a solution?

c:\windows\system32\DRIVERS\pnp680r.sys . . . is infected!! . . . Failed to find a valid replacement.

Thank you

Just a further follow-up, I am still getting the URL:MAL warning from AVAST.

That is a variant of the TDSS rootkit - we will try TDSSKiller first as that can sometimes repair the file. We will follow that up with a look for a replacement file just in case

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

THEN

  1. Please open Notepad
    [*] Click Start, then Run
    [*] Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

SRPeek:: c:\windows\system32\DRIVERS\pnp680r.sys

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*] Combofix.txt
    [*] A new OTListit log.

Below is the log from TDSSKILLER and attached is the log from Combofix.

Yesterday when I ran combofix it asked about installing the recovery console and I selected yes to install. It showed it as being installed and I even noticed on one of the reboots a screen for a short period of time giving the option to use the recovery console; however when I ran Combofix again today it once again asked if I wanted to install it, so again I accepted the installation and it said it installed correctly. I was just unsure why it would ask to install it again today.

Also the OTListit.log file, I assume I run OTL again, however don’t recall it generating a report named OTListit.log, so is there something special I need to do to get this log or just run quick scan with all users selected?

Thank you

I just tried to post this reply but with the text pasted from TDSSKILLER it said the post was too long so have attached the log from it as well.

TDSSKiller zapped it - what problems are you experiencing now?

Here is the OTL log however if you need me to run OTL with different settings please let me know. This was run the same way as yesterday, quick scan with all users selected.
Thanks

Aside from a very long time between when the desktop appears and when it has completed booting I am not noticing anything else. Can you tell if there are still a number of processes that are stalling at startup and what I would need to do to fix that problem?

I also noticed when I did a CTRL ALT DEL earlier today there was an application I believe called sysfader. Do you know what that would be or would that have been looked after by what we just did?

Thanks again

Sysfader is an MS file that gives the fade effect between windows

I would recommend that you upgrade to SP3 - once you have done that I will clear my tools and then commence a speed up run. The malware now appears to be gone

I can’t upgrade to SP3 as I have a drafting program and it will not plot with SP3. After originally installing SP3 I had problems with the program but never associated it with SP3 until I contacted their tech support and explained what was happening and the first thing he said was you must have installed SP3 and told me I needed to uninstall it, which I did.

Thanks again for all of your help.

OK, let’s remove my tools and then see if we can speed you up.

Looking at that I am a happy bunny :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:

SPEED UP

To try and ease the startup try this

Download Startup Control Panel here (get the standalone exe version)
Install and you will find a startup icon in the control panel - run this

[*] In the HKLM tab, you may disable (be careful → “disable”) all the entries except your security software
[*] In the HKCU tab, you may disable all entries.
[*] In the StartUp tab, you may disable all entries.

Note : if you notice that some programs no longer run, you can enable them again by running Startup Control Panel, selecting the entry and choosing Run Now.
If you are in doubt with something, don’t hesitate to ask :wink:

The Defrag is running now.

Is the Windows Firewall and Avast Home edition adequate protection or should I be looking at something else? Is the Malwarebytes you gave the link for the same one I already installed earlier as part of the process for removing the viruses/malware, or do I need to uninstall that one and install a different one?

Also I didn’t have ERUNT in my add remove programs. Not sure why that would be or what program it is part of.

Once I finish the list you gave me I will post back and let you know how things are working.

Thanks for all your help.

ERUNT is a registry backup programme I sometimes use - so you will not have it. MBAM is the same as you used previously.

Windows firewall and Avast should be sufficient protection as long as you do not go to dodgy sites ;D

Thanks again for all of your help.

I’m relatively new here & to be frank I hope any future visit will be for general interest only.
I have read the above thread, & feel compelled to compliment Essexboy for his great resolve & well prepared responses.
This quality of detailed support is rare & I hope everyone appreciates how long these things take.

Essexboy my thanks & I’m sure I speak for many others.

Rgds,
Peter O

Oh yes, one minor point: what the heck is OTL?

Thankee ;D OTL is a system file and registry analysis programme that will show all known malware hijack points. Think of it as Hijackthis on steroids