Please help me, I have been trying to fix this for 2 days. I already have the logs. I'm getting the Malicious URL Blocking Report. I have done the quick scan, boot scan and complete scan, but it does not seem to help. I was able to clean some of the viruses, but I can't fix this.
I have Windows XP.
Hi mc115 and welcome.
I will be working on your Malware issues. 8)
Step#1
Re-run OTL.exe.
[*]Copy and paste the following text, written inside the quote box, into the Custom Scans/Fixes box.
:Commands
[CREATERESTOREPOINT]
:files
echo y|chkdsk c: /f /c
C:\Documents and Settings\Owner.MANNY-60726FA61\Application Data\Mozilla\Firefox\Profiles\pyg6dcr2.default\extensions\searchtoolbar@zugo.com
C:\Documents and Settings\Owner.MANNY-60726FA61\Application Data\Mozilla\Firefox\Profiles\pyg6dcr2.default\searchplugins\askcom.xml
dir /s /a "C:\Documents and Settings\All Users.WINDOWS\Application Data\-Go391OVRbmFgcyr" /c
dir /s /a "C:\Documents and Settings\All Users.WINDOWS\Application Data\-Go391OVRbmFgcy" /c
dir /s /a "C:\Documents and Settings\All Users.WINDOWS\Application Data\Go391OVRbmFgcy" /c
ipconfig /flushdns /c
ipconfig /release /c
ipconfig /renew /c
netsh int ip reset c:\resetlog.txt /c
:OTL
IE - HKU\.DEFAULT\..\SearchScopes\{6DD4233B-8195-437E-A5BA-1E2BC311BD29}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=OVO2&o=APN10379&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=^ABE&apn_dtid=^YYYYYY^YY^US&apn_uid=e91918a5-b647-4913-baee-5e89b2205844&apn_sauid=34522234-1D03-495A-AC75-0A0224807255
IE - HKU\S-1-5-18\..\SearchScopes\{6DD4233B-8195-437E-A5BA-1E2BC311BD29}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=OVO2&o=APN10379&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=^ABE&apn_dtid=^YYYYYY^YY^US&apn_uid=e91918a5-b647-4913-baee-5e89b2205844&apn_sauid=34522234-1D03-495A-AC75-0A0224807255
IE - HKU\S-1-5-21-220523388-1425521274-682003330-1003\..\SearchScopes\{37F9A24C-6873-496F-91C7-9D245616C74F}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=OVO2&o=APN10379&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=^ABE&apn_dtid=^YYYYYY^YY^US&apn_uid=e91918a5-b647-4913-baee-5e89b2205844&apn_sauid=34522234-1D03-495A-AC75-0A0224807255
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..extensions.enabledItems: searchtoolbar@zugo.com:1.2
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {74714D77-1695-4E73-A98E-25CB374F46B4} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {74714D77-1695-4E73-A98E-25CB374F46B4} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-220523388-1425521274-682003330-1003\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-220523388-1425521274-682003330-1003\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
:Commands
[purity]
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report.
[*]Attach that log report here.
Step#2
Download TDSSKiller and save it to your desktop.
Execute [b]TDSSKiller.exe[/b] by double-clicking on it.
[*] Press Start Scan
[*] If a Suspicious object is detected, the default action will be Skip; click on Continue.
[*] If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root of the drive, which is typically C:\, for example [b]C:\TDSSKiller.<version_date_time>log.txt[/b]
Please post the contents of that log in your next reply.
Step#3
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program.
If you are unsure how to do this, please read this or this instruction.
How to disable avast:
[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.
When the tool is finished, it will produce a log report for you (typical location: C:\[b]ComboFix.txt[/b]).
Attach the log report (ComboFix.txt) back to the topic.
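As an added detection-side example (written for this edit, not the helper's instructions nor OTL's own code), the following Python script parses OTL-style report lines such as the IE SearchScopes and Firefox prefs.js entries quoted in the fix script above and flags search providers and add-ons that are not on an expected list. The sample lines are the ones from the post plus one constructed benign Bing entry; the allowlists and the placeholder GUID are assumptions to adjust for your own environment.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlists for this example; tune them to what your machines should have.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}
EXPECTED_SEARCH_NAMES = {"Google", "Bing", "Yahoo"}
KNOWN_GOOD_EXTENSIONS = set()  # add-on ids you have approved (assumption: none yet)

# Two OTL line shapes from the fix script: IE search scopes and Firefox prefs.
IE_SCOPE_RE = re.compile(
    r'^IE - (?P<hive>HKU\\[^\\]+)\\\.\.\\SearchScopes\\(?P<guid>\{[0-9A-F-]+\})'
    r': "URL" = (?P<url>\S+)$'
)
FF_PREF_RE = re.compile(r'^FF - prefs\.js\.\.(?P<pref>[\w.]+): (?P<value>.+)$')

# Constructed sample: lines from the post, plus one benign Bing scope with a
# placeholder GUID, plus an O3 toolbar line the parser deliberately ignores.
SAMPLE_OTL_LINES = [
    r'IE - HKU\.DEFAULT\..\SearchScopes\{6DD4233B-8195-437E-A5BA-1E2BC311BD29}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=OVO2&q={searchTerms}',
    r'IE - HKU\S-1-5-18\..\SearchScopes\{00000000-0000-0000-0000-000000000001}: "URL" = http://www.bing.com/search?q={searchTerms}',
    'FF - prefs.js..browser.search.defaultengine: "Ask.com"',
    'FF - prefs.js..browser.search.order.1: "Ask.com"',
    'FF - prefs.js..extensions.enabledItems: searchtoolbar@zugo.com:1.2',
    r'O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.',
]


def parse_otl_line(line):
    """Classify one OTL report line; return a dict, or None if it is not a shape we handle."""
    m = IE_SCOPE_RE.match(line)
    if m:
        return {"kind": "ie_scope", "hive": m.group("hive"),
                "guid": m.group("guid"), "url": m.group("url")}
    m = FF_PREF_RE.match(line)
    if m:
        return {"kind": "ff_pref", "pref": m.group("pref"),
                "value": m.group("value").strip('"')}
    return None


def find_search_hijack_indicators(lines):
    """Return a list of findings for search providers / add-ons outside the allowlists."""
    findings = []
    for line in lines:
        entry = parse_otl_line(line.strip())
        if entry is None:
            continue
        if entry["kind"] == "ie_scope":
            host = urlsplit(entry["url"]).hostname or ""
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append({"source": "IE SearchScopes",
                                 "where": f'{entry["hive"]} {entry["guid"]}',
                                 "indicator": host,
                                 "reason": "search provider host not in allowlist"})
        elif entry["pref"].startswith("browser.search."):
            if entry["value"] not in EXPECTED_SEARCH_NAMES:
                findings.append({"source": "Firefox prefs.js", "where": entry["pref"],
                                 "indicator": entry["value"],
                                 "reason": "search engine name not in allowlist"})
        elif entry["pref"] == "extensions.enabledItems":
            # Value is a comma-separated list of <id>:<version>; keep only the id.
            for item in entry["value"].split(","):
                ext_id = item.strip().rsplit(":", 1)[0]
                if ext_id and ext_id not in KNOWN_GOOD_EXTENSIONS:
                    findings.append({"source": "Firefox prefs.js",
                                     "where": "extensions.enabledItems",
                                     "indicator": ext_id,
                                     "reason": "enabled add-on not in known-good list"})
    return findings


def format_findings(findings):
    """Render findings as one line each, for pasting into a reply."""
    return [f'[{f["source"]}] {f["where"]}: {f["indicator"]} ({f["reason"]})' for f in findings]


if __name__ == "__main__":
    for text in format_findings(find_search_hijack_indicators(SAMPLE_OTL_LINES)):
        print(text)
```

The script only reads report text; it does not touch the registry or the Firefox profile, so it is safe to run against any OTL log to see at a glance which search settings the fix script is about to change. Extending the allowlists is the only tuning most environments need.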
Thank you for the response
I tried to run OTL and received "cannot create file for Mozilla Firefox".
Ok, go and run TDSSKiller and ComboFix. Attach the log reports here.
Now I cannot start my computer. I try to start, it goes through check disk and Windows tries to load, and I get a black screen, nothing more.
Ok, I got my computer to start but I cannot run TDSSKiller. Every time I click on it, it does nothing.
OTL was ordered to run chkdsk. If chkdsk finds any sector errors on the HDD, it will trigger exactly that black window.
That's OK.
About TDSSKiller, first rename it from TDSSKiller to 123abc.exe (or something random such as mc115.exe) and try to run it.
No luck with the renaming.
Ok. Skip TDSSKiller for now. Run ComboFix as instructed.
Then, try again with a fresh and renamed TDSSKiller. If it fails again, then try to run it in safe mode.
If it fails again ( ;AND), then we will use a different approach.
Does this program take long to run? All I see is "attempting to create a new restore point", no progress. How long should I wait? It has been on this for about 5 min.
Ok sorry, the program had to download Windows Recovery Console; it's running.
It's been 4 1/2 hours and nothing has changed. Should I just let it run?
Stop it. Reboot your computer.
Download a fresh copy of ComboFix and try to run TDSSKiller and/or ComboFix from safe mode.
If you fail, just let me know, because we will continue tomorrow.
ok,
I tried to rerun ComboFix in regular and safe mode but it would not finish. I also tried to run TDSSKiller in both regular and safe mode but it would not load.
@mc115
Let's try this first:
- Delete the current copies and download fresh TDSSKiller.exe and ComboFix.exe.
- Rename TDSSKiller.exe to something random (example: a4c5fi4fk8.exe).
- Then, follow the instructions for running RogueKiller.
http://forum.avast.com/index.php?topic=53253.0
Attach here all RKreport.txt log reports from RogueKiller.
- Then try to run TDSSKiller and/or ComboFix.
==========================================
If you fail to run …
Please download MBRCheck.exe to your desktop.
[*] Be sure to disable your security programs.
[*] Double-click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
[*] A small window should open on your desktop.
[*] If an unknown bootcode is found, you will have further options available to you; at this time press N, then press Enter twice.
[*] If nothing unusual is found, just press Enter.
[*] A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.
Since we were not able to run ComboFix and TDSSKiller, there are still quite a few methods to try, but let's not waste time; we will do everything outside of Windows.
Please follow the instructions "If you cannot Boot the computer" for running FRST via OTLPE (OTLPENet).
http://forum.avast.com/index.php?topic=53253.0
Attach here FRST.txt
…
While you're still in REATOGO-X-PE:
- Run OTLPE too.
http://billy-oneal.com/forums/Canned%20Speeches/speechimages/OTL/otlDesktopIcon.png
- On the pop-up "Do you wish to load the remote registry", select Yes.
- On the pop-up "Do you wish to load remote user profile(s) for scanning", select Yes.
- Check the box for "Automatically Load All Remaining Users" and hit OK.
*OTL will run.
→ Switch options from Drivers to Non-Microsoft.
*Click on Run Scan.
When it is done, OTL will create a logfile (C:\OTL.txt).
*Copy the OTL log (OTL.txt) to your USB flash…
…
>> Attach here OTL.txt, FRST.txt
ok, I'm at work so I'll give it a try tonight when I get home. I really appreciate your help.