Malware infection(s). Please help.

Hello. My work computer has recently been affected by malware of some sort. On the surface, this has been causing my internet to crash, not to mention any other unforeseen complications that these infections are causing.

I installed the free version of avast! and these two notifications have been popping up constantly:

Notification #1

[b]MALICIOUS URL BLOCKED

avast! Network Shield has blocked a harmful site.

Object: ht tp://tikejguk.cn:6999/4293764309?w=599&i=3710484698&v=2.5
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe[/b]

(These variations in the object title also appear: /4293464210, /4293163316, /4292863263, /4292563195, etc.)

Notification #2

[b]MALWARE BLOCKED

avast! File System Shield has blocked a threat.
No further action is required.

Object: C:\Windows\Installer.…\80000000.@
Infection: Win32:Malware-gen
Action:
Process: C:\Windows\System32\services.exe

The threat was detected and blocked when the file was created or modified.[/b]

I have begun the process of removal by following the instructions from essexboy in the pinned topic at the top of the forum: http://forum.avast.com/index.php?topic=53253.0

  1. I downloaded and ran the Malwarebytes program, followed its instructions, and have attached the “mbam log.txt” and the “protection log.txt”.

  2. I then ran OTL with the code pasted in the Custom Scan box as instructed. I will attach the “OTL.txt” as well as the “Extras.txt” in the next reply.

  3. I then ran the aswMBR program, and that’s where I am up to this point. I will attach the log in the next post and await further action.

Thank you very much in advance for your service!

sean

OTL log attached

Extras log from OTL and the log from aswMBR attached

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O4 - HKU\.DEFAULT..\Run: [Adobe] C:\Users\sroberts\AppData\Local\cache\Adobe\lggoqkjdn.dll (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [Adobe] C:\Users\sroberts\AppData\Local\cache\Adobe\lggoqkjdn.dll (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [Adobe] C:\Users\sroberts\AppData\Local\cache\Adobe\lggoqkjdn.dll (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Adobe] C:\Users\sroberts\AppData\Local\cache\Adobe\lggoqkjdn.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-1888426207-3847137026-3193930398-6788..\Run: [Adobe] C:\Users\sroberts\AppData\Local\cache\Adobe\lggoqkjdn.dll (Microsoft Corporation)

:Files
ipconfig /flushdns /c
C:\Windows\Installer\{8f8f17f6-2af7-fcc1-08e8-671050dbe9b1}
C:\Users\sroberts\AppData\Local\{8f8f17f6-2af7-fcc1-08e8-671050dbe9b1}

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
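As an added example (not part of this thread, and not an OTL or ComboFix feature): a read-only PowerShell audit of the two persistence spots essexboy's fix targets, the per-hive Run values and the {GUID} folders under C:\Windows\Installer and %LOCALAPPDATA%. It assumes an elevated PowerShell session so all loaded hives and the hidden Installer folder are readable; it only reports and deletes nothing.

```powershell
# Added example, not from the thread. Read-only audit of the locations the
# OTL fix above cleans. Assumes an elevated PowerShell session.

# Expose HKEY_USERS as a drive so every loaded profile hive can be walked
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# 1. Run values. The fix removed an "Adobe" value in several hives that pointed
#    at a randomly named DLL under a user's AppData\Local. A DLL as autostart
#    target, or any autostart living in a user profile, is worth a second look.
foreach ($hive in Get-ChildItem -Path 'HKU:\') {
    $runKey = "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
        $target = [string]$p.Value
        $isDll  = $target -match '\.dll(\s|"|$)'
        $inUser = $target -match '\\Users\\[^\\]+\\AppData\\'
        if ($isDll -or $inUser) {
            [pscustomobject]@{
                Check = 'Run value'
                Where = "$($hive.PSChildName)\...\Run\$($p.Name)"
                Value = $target
                Why   = $(if ($isDll) { 'DLL as autostart target' } else { 'autostart from user profile' })
            }
        }
    }
}

# 2. {GUID} folders. The fix deleted C:\Windows\Installer\{GUID} and
#    %LOCALAPPDATA%\{GUID}; the avast alert came from an "80000000.@" file inside.
#    Legitimate MSI {GUID} folders exist under Installer, so only folders that
#    hold ".@" files are reported.
foreach ($root in @("$env:SystemRoot\Installer", $env:LOCALAPPDATA)) {
    Get-ChildItem -Path $root -Directory -Force -Filter '{*}' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $atFiles = Get-ChildItem -Path $_.FullName -Recurse -Force -File -ErrorAction SilentlyContinue |
                   Where-Object { $_.Name -like '*.@' }
        if ($atFiles) {
            [pscustomobject]@{
                Check = 'GUID folder'
                Where = $_.FullName
                Value = ($atFiles.Name -join ', ')
                Why   = 'contains ".@" files'
            }
        }
      }
}
```

The output is a list of findings to review by hand; anything it flags should be compared against the OTL and ComboFix logs before being removed.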

Okay. I accidentally ran ComboFix BEFORE I ran the OTL fix! I thought I could start the download of the ComboFix program, then go in and get the OTL set up to run while ComboFix was downloading.

ComboFix rebooted my PC before I even had a chance to realize what I had done. I didn’t get to disable my AV programs either. I’m sorry!

Anyways, my computer rebooted. All my icons are there and now I’m posting in this thread from my computer.

A warning pop up just appeared:

[b]ComboFix has detected the following real time scanner(s) to be active:

antivirus: avast! Antivirus
antispyware: avast! Antivirus

Antivirus and intrusion prevention programs are known to interfere with ComboFix’s running. This may lead to unpredictable results or possible machine damage.

Please disable these scanners before clicking ‘OK’.[/b]

I have not clicked OK yet.

Click OK but do not let Avast quarantine or sandbox anything during the run

Should I just disable avast!, Malwarebytes, and McAfee? (I believe McAfee came installed on this computer. I never use it and it never notifies me of anything. Just runs in the system tray and appears to be worthless.)

Never install multiple AVs, as it will give you all kinds of Windows errors and false positive detections.

When Essexboy says okay, run and reboot - http://singularlabs.com/uninstallers/security-software/

I see you are offline. Can anybody else assist me?

I disabled all of my AV software and let CF continue its process. It just rebooted my PC again.

Thanks Pondus. Just saw your post.

My computer rebooted and I have a window from CF that says ”preparing log report. Do not run any programs until ComboFix has finished.”

There’s also a window that says ”IAStoreIcon.exe -application error”

I’m posting this from my phone

I see you are offline. Can anybody else assist me?
Relax, don't panic... Essexboy will be back.

Thanks. I’m just a little bit freaked out right now. ;D

I’m by no means computer illiterate. I’ve taken logic classes and C++ programming but I’ve never altered my home or work computer’s internal code to this extent! I feel like an idiot for messing up the very clearly laid out steps that essexboy provided.

Well… ComboFix finished running then created a log. I’ve attached it here.

OK, that replaced the bad boy… Could you re-run OTL please and select all users? There will only be one log to attach this time.

How is the computer behaving ?

The computer is behaving pretty well right now actually.

I’ve used AutoCAD with no problems, sent emails from Outlook with no problems, and have been browsing the net with no problems. And I haven’t gotten any notifications from Avast.

The one thing that I’ve noticed is that it deleted something from Logitech’s SetPoint software and now some of my custom mouse configurations are gone. That’s probably a minor issue that can probably be fixed with the install disk.

I’ll run OTL right now.

Okay I’m running OTL. At least I think it’s running. I clicked ”run fix” and the progress bar at the bottom of the OTL interface says ”processing 04 - HKU\S-1-5-21…” and it’s been that way the whole time. I can move my mouse on the screen but everything else appears to be frozen. Should it take this long to process?

No that should only take a few seconds… The longest bit will be where it empties the temp files

Stop OTL please

How is the system behaving now ?

It won’t react to any mouse clicks. I can’t close it from the task bar and I can’t ctrl-alt-del.

Should I hard boot?

Try to stop with Task manager, if that fails then hard boot

Just hard booted.

txt file attached