Mal URL BLOCKED

Apparently, I’m not the only one affected by this malware: paspartux.com/x/, crossmatchx.com/x/, 85.195.92.11. I downloaded and ran the programs that were suggested in the help forum, but to no avail. I have results from the programs; not sure whether to attach them now or wait for instructions. Still have pop-ups, at a loss!

You have to attach the logs… if not, the malware remover cannot create a fix.

Running the programs as advised in this topic http://forum.avast.com/index.php?topic=53253.0 is only the first stage, as they are primarily for analysis gathering; the logs you are asked to attach are so that malware removal specialists can analyse them and compile a fix and any other actions required.

Having run the tools suggested in that topic, now attach the logs of the scans you have run.

When you use the Reply button, just below the text input window you will see ‘Attachments and other Options,’ clicking that allows you to attach up to 4 files (max total of 194KB or a single file not exceeding 200KB).

Here’s what I have, thank you in advance.

A malware removal specialist has been informed of your topic.

If you got it… also attach the aswMBR log.

It seems you have avast and McAfee installed?

Never install multiple AVs, as this will slow down your computer, give mysterious errors and false positive detections.

Uninstall one… then run the vendor’s removal tool to clear any leftover files that may conflict.
You find it here: http://singularlabs.com/uninstallers/security-software/

I see that you have ComboFix on your system, have you run it yet?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (a48qwi00)
FF - prefs.js..extensions.enabledItems: DTToolbar@toolbarnet.com:1.1.4.0024
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1229272821-1647877149-725345543-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
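As an added example (not from this thread, from OTL or from avast), the rule behind the `:OTL` section of the fix above can be applied mechanically: flag driver services whose file is missing and BHO/toolbar entries with no CLSID value, then emit them as an OTL custom fix. The log lines below are constructed for the example; the three flagged ones mirror the entries in the fix, the others are made-up healthy entries with placeholder CLSIDs and paths.

```python
import re

# Constructed sample in OTL log format. Lines 1, 3 and 5 are the kind of
# orphaned entries the fix targets; lines 2 and 4 are invented healthy
# entries (placeholder vendor, path and CLSID) included for contrast.
SAMPLE_OTL_LOG = r"""
DRV - File not found [Kernel | On_Demand | Unknown] -- -- (a48qwi00)
DRV - [2008/04/13 12:00:00 | 000,036,608 | ---- | M] (Example Vendor) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\example.sys -- (example)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
O2 - BHO: (Example Helper) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll (Example Vendor)
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
"""

# A DRV line whose binary is gone: the service name is in the trailing (...)
ORPHAN_DRIVER = re.compile(r"^DRV - File not found .*\((?P<svc>[^)]+)\)\s*$")
# An O2 (BHO) or O3 (toolbar) line whose CLSID resolves to nothing in the registry
ORPHAN_COM = re.compile(
    r"^O[23] - .*\{(?P<clsid>[0-9A-Fa-f-]{36})\} - No CLSID value found\.$")


def triage_otl(log_text):
    """Return (reason, original line) pairs for entries that point at nothing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ORPHAN_DRIVER.match(line)
        if m:
            findings.append(("driver service %s has no file on disk" % m.group("svc"), line))
            continue
        m = ORPHAN_COM.match(line)
        if m:
            findings.append(("BHO/toolbar %s has no CLSID registration" % m.group("clsid"), line))
    return findings


def build_otl_fix(findings, commands=("[emptytemp]", "[CREATERESTOREPOINT]", "[Reboot]")):
    """Assemble an OTL custom fix: flagged lines under :OTL, then a :Commands section."""
    body = [":OTL"] + [line for _, line in findings] + ["", ":Commands"] + list(commands)
    return "\n".join(body)


if __name__ == "__main__":
    hits = triage_otl(SAMPLE_OTL_LOG)
    for reason, _ in hits:
        print("FLAG:", reason)
    print(build_otl_fix(hits))
```

The output is a starting point for a specialist to review; OTL itself decides what the `:OTL` lines mean when the fix is run.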

As I am writing, those pop-ups are revealing themselves. Enclosed are attachments from yesterday and today. You mentioned deleting one or the other anti-virus; confused, McAfee is just a firewall and avast the anti-virus? Will run ComboFix after this reply because it wipes out reports from OTL.
I did run ComboFix yesterday; I saw a statement saying that “RootKit with zero access was embedded in TCP-IP”. I did a search on rootkit; there were 96 RootKit Revealer, 46 were Compiled HTML Help dated 12/7/2005 3:19pm, the other 46 were Application dated 11/1/2006 2:07pm; all were located in the folder FireFox 3.5.5/SysinternalsSuite.Zip, and that is what the folder was, a downloaded zip file. I deleted the file but to no avail. I’m hoping this could be a lead for you.

Yes, if you could re-run ComboFix it will then show me any additional files to replace or remove.

Hi! They’re back, as soon as I closed ComboFix. Enclosed is the report. Just now received from avast: Suspicious files found, please allow the files to be submitted to our virus lab for analysis, then it gives further info ??\C:\DOCUME~\Ron\LOCALS~1\Temp\catchme.sys, then Actions to take Ignore or Delete, then OK. It says it’s using a heuristic method. Is hitting the OK going to submit the files, because there’s nothing else, and the actions to take, is that pertaining to me, ignore or delete? Well, I hit delete and OK. Now where was I.

Catchme is a false positive, so that can be ignored. Could you screenshot the avast popups please?

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

[*]Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip; click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

This is a good sign, no popups. Besides, I don’t know how to screenshot the popup; I tried right clicking and that didn’t work. Enclosed is the report from TDSSKiller.

18:05:30.0562 0840 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
18:05:32.0718 0840 ============================================================
18:05:32.0718 0840 Current date / time: 2012/10/06 18:05:32.0718
18:05:32.0718 0840 SystemInfo:
18:05:32.0718 0840
18:05:32.0718 0840 OS Version: 5.1.2600 ServicePack: 3.0
18:05:32.0718 0840 Product type: Workstation
18:05:32.0718 0840 ComputerName: RON
18:05:32.0718 0840 UserName: Ron
18:05:32.0718 0840 Windows directory: C:\WINDOWS
18:05:32.0718 0840 System windows directory: C:\WINDOWS
18:05:32.0718 0840 Processor architecture: Intel x86
18:05:32.0718 0840 Number of processors: 2
18:05:32.0718 0840 Page size: 0x1000
18:05:32.0718 0840 Boot type: Normal boot
18:05:32.0718 0840 ============================================================
18:05:40.0718 0840 BG loaded
18:05:41.0656 0840 Drive \Device\Harddisk0\DR0 - Size: 0x3A35294400 (232.83 Gb), SectorSize: 0x200, Cylinders: 0x76BA, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type ‘K0’, Flags 0x00000050
18:05:42.0265 0840 ============================================================
18:05:42.0265 0840 \Device\Harddisk0\DR0:
18:05:42.0390 0840 MBR partitions:
18:05:42.0390 0840 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1D1A4F3A
18:05:42.0390 0840 ============================================================
18:05:43.0140 0840 C: ↔ \Device\Harddisk0\DR0\Partition1
18:05:45.0453 0840 ============================================================
18:05:45.0453 0840 Initialize success
18:05:45.0453 0840 ============================================================

Could you attach the log at C:\TDSSKiller date time?

Sure, if this is the one.

Yep, that’s it. Re-run TDSSKiller with the same parameters as before.
When you get to this element select delete:

\Device\Harddisk0\DR0 ( TDSS File System )

Avast will alert as the files are moved.

How is the computer behaving now?

Appreciate your help and patience; looks like those bad boys found a new home with no chance for parole.

Again, thank you essexboy!

OK, let’s remove them from jail to the nether reaches of hell ;D

Subject to no further problems.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day: Your log now appears clean.

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box.
[*]In the Run box, type in ComboFix /Uninstall
(Notice the space between the “x” and “/”)
then click OK.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[*]Follow the prompts on the screen
[*]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
[*]Go to this site and click Do I have Java
[*]It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean.

Download and install the FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti-virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? Keep safe.