I have fallen victim to the “Malicious URL Blocked” popup; it comes up every few seconds. It says svchost.exe is the process, but it does not seem to be using excess memory. I have run a Malwarebytes quick scan (7 threats, removed), an Avast quick scan (4 threats, sent to chest) and TDSSKiller, which found nothing. The problem is still here. I am guessing you will probably need some of my logs, so just let me know which ones. Thanks!
Attach your logs. (MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0
Here is my Malwarebytes log and one OTL log, it didn’t pop up with two .txt documents. Also I cannot seem to download aswMBR, I click on the link and it says “page cannot be displayed”. It did start to work the first try but Avast stopped it and I accidentally clicked “ok” when Avast asked if I wanted it to block the download and since then it hasn’t let me get it. Anyways, here are the two logs I have, I appreciate any help! Thanks!
OK, after the fix has run and the computer has rebooted I would like you to zip the following folders: C:\Qoobox and C:\_OTL
Could you then upload the zipped folder to a file sharing site for me to collect.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following:
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Commands
[CREATERESTOREPOINT]
:OTL
[2014/04/19 07:12:33 | 000,000,064 | ---- | M] () -- C:\windows\SysNative\hpvlf.mku
[2014/04/19 07:12:33 | 000,000,000 | ---- | M] () -- C:\windows\SysNative\cvoicb.ifd
[2014/04/19 06:56:27 | 000,301,959 | --S- | M] () -- C:\windows\SysNative\younro.abh
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Open notepad and copy/paste the text in the quotebox below into it:
FCopy:: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll|c:\windows\system32\rpcss.dll
Save this as CFScript.txt, in the same location as ComboFix.exe
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
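The FCopy:: line above restores rpcss.dll in System32 from a copy held in the WinSxS component store, which implies the live copy had been tampered with. The following PowerShell is an added example for checking that, not something posted in the thread: it hashes the live C:\Windows\System32\rpcss.dll and every rpcss.dll in WinSxS directories matching the component name from the FCopy:: line, and reports whether the live file is byte-identical to any of them. It assumes an x64 Windows host with PowerShell 4.0 or later (for Get-FileHash), run from an elevated 64-bit PowerShell so that System32 is not redirected to SysWOW64; the version suffix in the WinSxS directory name varies between machines, hence the wildcard.

```powershell
# Added example, not from the thread: compare the live rpcss.dll with the
# known-good copies in the WinSxS component store (the source of the FCopy::).
# Assumes x64 Windows, PowerShell 4.0+, an elevated 64-bit PowerShell session.
# Directory name pattern taken from the FCopy:: line; suffix varies per machine.

$live = Join-Path $env:SystemRoot 'System32\rpcss.dll'
$storeCopies = Get-ChildItem -Path (Join-Path $env:SystemRoot 'winsxs') -Directory `
        -Filter 'amd64_microsoft-windows-com-base-qfe-rpcss_*' |
    ForEach-Object { Join-Path $_.FullName 'rpcss.dll' } |
    Where-Object { Test-Path $_ }

if (-not (Test-Path $live)) { throw "Live copy not found: $live" }
if (-not $storeCopies) { throw 'No rpcss.dll found in the WinSxS store; nothing to compare against.' }

$liveItem = Get-Item $live
$liveHash = (Get-FileHash -Algorithm SHA256 -Path $live).Hash
"Live  : $live"
"        size=$($liveItem.Length) version=$($liveItem.VersionInfo.FileVersion) sha256=$liveHash"

# A patched DLL typically keeps the original version string but changes size/hash,
# so compare the hash, and print size and version to make the mismatch visible.
$match = $false
foreach ($copy in $storeCopies) {
    $item = Get-Item $copy
    $hash = (Get-FileHash -Algorithm SHA256 -Path $copy).Hash
    if ($hash -eq $liveHash) { $match = $true; $flag = 'MATCH' } else { $flag = 'differs' }
    "Store : $copy"
    "        size=$($item.Length) version=$($item.VersionInfo.FileVersion) sha256=$hash [$flag]"
}

if ($match) {
    'OK: System32\rpcss.dll is byte-identical to a WinSxS component-store copy.'
} else {
    'SUSPECT: System32\rpcss.dll matches none of the WinSxS copies.'
    'Re-run the FCopy:: step (or sfc /scannow), reboot, and check again.'
}
```

Run it before the ComboFix step to confirm the live file really differs from the store copies, and again after the reboot to confirm the replacement took; a "differs" result on every store copy after the fix means the file was re-patched on boot and the infection is still active.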
I have no clue what that means or how to create a zip folder… :-[
I ran the fix and the quick scan, attached the logs for both, first attachment (OTL Fix Log) is the log it gave me after the fix ran and the second (OTL1) is the quick scan log.
Also, I am still getting the popups (however not as often), but if I disable my anti-virus to run ComboFix, won't the malware be able to attack?
No, as ComboFix needs to replace a system file, and until that is done the alerts will continue.
I will give zip instructions once you have run ComboFix.
I ran ComboFix, still getting the popups. Here is the log. It told me I still had McAfee enabled, but I uninstalled it and it wasn't showing up in the running processes list.
Could you attach a screenshot of the alerts please
They are all URL Blocked popups, but different URLs. I had one Trojan Horse blocked right after I ran ComboFix and reconnected to the internet (I shut my modem off when I killed my anti-virus software). I have attached two examples of what the popups look like…
Let's look with a different programme, as replacement of that file should have stopped the alerts.
Please download Farbar Recovery Scan Tool and save it to your Desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Select both shortcut and additions at the bottom.
- Press Scan button.
https://dl.dropboxusercontent.com/u/73555776/frst.JPG
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach all 3 logs generated.
Okay, I restarted my computer and now the alerts have stopped. It has been a few hours and nothing…so looks like it did work! Is there anything else I need to do now?
Aye, if you could run FRST just to be doubly sure.
Here are the FRST logs…
Download the attached Fixlist.txt to the same location as FRST.
Run FRST and press Fix.
On completion a log will be generated; please post that.
Reboot on completion of this and let me know if the alerts cease.
The alerts have been gone for a couple of days now since I ran ComboFix and rebooted; should I still run that fix? My system seems to be okay, acting normal.
See essexboy's reply #11.
Yes, there are still 3 payload files evident.
Okay, ran the fix. Here is the log…
Looks good. Any further problems before I tidy up?
No sir. Everything is running smoothly, and I actually gained 40 gigs on my hard drive, which is nice because it was full. What might be the reason for the sudden gain in memory? Just curious… I figured it must have been a bunch of temp files deleted or something.