Malware/Trojans

Hello,

I seem to be having the same issues other people are having with the blocked Trojans with Avast! and the blocking of malicious sites with MalwareBytes. I have attached the logs requested. While running aswMBR I got a blue screen stop error IRQL_NOT_LESS_OR_EQUAL. I restarted and it seems fine, however I wasn't able to save the log. If you need that log please let me know what to do.

Thank you very much!

Jack :slight_smile:

Should I try to get the log from aswMBR again?

It does not hurt to try :wink:

Got another blue screen stop error trying to run aswMBR…please advise.

essexboy (the removal expert) is logged out for today but will be back tomorrow

I will PM him so he sees this when he logs in tomorrow.

Hi JackSession, welcome to the forum.

To make cleaning this machine easier
[*]Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
[*]Please do not run any scans other than those requested
[*]Please follow all instructions in the order posted
[*]All logs/reports, etc… must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
[*]Do not attach any logs/reports, etc… unless specifically requested to do so.
[*]If you have problems with or do not understand the instructions, Please ask before continuing.
[*]Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

Please read through the instructions to familiarize yourself with what to expect when the tool runs.

It is vitally important that combofix is renamed before it is even started to download

Please download ComboFix from Link 1 or Link 2 to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

[*]If you are using Firefox, make sure that your download settings are as follows:
-Tools->Options->Main tab
-Set to “Always ask me where to Save the files”.

[*]During the download, before you save it to your desktop, rename Combofix to jgh.exe

[*]It is important you rename Combofix during the download, but not after.
[*]Please do not rename Combofix to other names, but only to the one indicated.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix


[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Double click on ComboFix.exe (jgh.exe in your case) & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with
[*]combofix log
How is the computer?

Thanks

Hi Oldman…thanks for your help…it's much appreciated :slight_smile:

Ran combofix…everything seems cool…I've attached the log. If I should do anything else please let me know. Also I found out where I got this malware…I can let you know if you like.

Thanks Again!!

If I am back I'll try not to be such a noob next time :wink:

Jack :slight_smile:

Hi JackSession,

[QUOTE]Also I found out where I got this malware…I can let you know if you like.
[/quote]
Yes please but do not post any live links.

A bit more to do.

Your Java is out of date. Click your start button, open Control Panel.
[*]Locate the Java icon (it looks like a coffee cup)
[*]double click it to open it
[*]click the Update tab
[*]Click update now
Decline any additional installs that may be offered.

Next, Double click on OTL.exe
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
[*]Do Not copy the word CODE
[*]please note the fix starts with the :
[*]to ensure you get it all click the [select]

:Services

:OTL
O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: doginhispen.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: whataboutadog.com ([]* in Trusted sites)
[2012/07/23 14:20:34 | 000,027,520 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\dt.dat
ipconfig /flushdns /c

:Reg

:Files
C:\Documents and Settings\Administrator\Local Settings\Application Data\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\L\00000004.@
C:\WINDOWS\Installer\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\@
C:\Documents and Settings\Administrator\Local Settings\Application Data\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\@
C:\WINDOWS\Installer\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\L\00000004.@
C:\WINDOWS\Installer\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\n
C:\Documents and Settings\Administrator\Local Settings\Application Data\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\L
C:\Documents and Settings\Administrator\Local Settings\Application Data\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}
C:\WINDOWS\Installer\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\L
c:\windows\installer\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\u
C:\WINDOWS\Installer\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}

:Commands
[emptytemp]
[createrestorepoint]

Then click the Run Fix button at the top

[*]Let the program run unhindered
[*]Please save the resulting log to be posted in your next reply.
Please post the OTL fix log.

Next

If OTL is not still open please open it by
[*]Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]When the window appears, underneath Output at the top change it to Minimal Output
[*]check the box beside scan All users
[*]Check the boxes beside LOP Check and Purity Check.
[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open a notepad window, OTL.Txt, no Extras.Txt this time.

Please post back with
[*]OTL fix log
[*]OTL.txt
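The OTL fix pasted above is a small line-oriented format: a header such as :OTL, :Files or :Commands opens a section, and every non-blank line until the next header is one entry in it. The O15 lines list domains placed in Internet Explorer's Trusted sites zone, keyed by the registry hive (HKU\<SID>) they were found under, and the :Files lines are paths OTL will delete. As an added example, and not code from the thread, from OTL or from any of the tools named here, the Python below parses such a script, groups trusted domains per hive, points out domains trusted under the service-account hives (.DEFAULT, S-1-5-18 LocalSystem, S-1-5-19 LocalService, S-1-5-20 NetworkService, which an interactive user clicking "Add" in Internet Options would not normally write to), and groups :Files entries by the {GUID} directory they share. The sample script is constructed from entries shown in the fix; the function names and the SERVICE_HIVES set are this example's own assumptions.

```python
"""Summarise an OTL fix script: trusted-site domains per hive, and :Files
entries grouped by their {GUID} directory.

Added example; not part of the forum thread, of OTL, or of any tool it names.
The SAMPLE_FIX text is constructed from entries shown in the thread.
"""
import re
from collections import defaultdict

# An O15 line looks like:
#   O15 - HKU\<hive>\..Trusted Domains: <domain> ([]* in Trusted sites)
O15_RE = re.compile(
    r"^O15 - HKU\\(?P<hive>[^\\]+)\\\.\.Trusted Domains: "
    r"(?P<domain>\S+) \((?P<value>[^)]*)\)"
)
GUID_DIR_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)

# Hives owned by service accounts rather than an interactive user (assumption of
# this example: entries here deserve a second look because a user adding a site
# in Internet Options writes only under their own SID).
SERVICE_HIVES = {".DEFAULT", "S-1-5-18", "S-1-5-19", "S-1-5-20"}

# Constructed sample, reduced from the fix in the thread.
SAMPLE_FIX = """\
:OTL
O15 - HKU\\.DEFAULT\\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\\S-1-5-18\\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\\S-1-5-21-4148830102-3702229732-935236359-500\\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\\S-1-5-21-4148830102-3702229732-935236359-500\\..Trusted Domains: doginhispen.com ([]* in Trusted sites)
ipconfig /flushdns /c

:Files
C:\\WINDOWS\\Installer\\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\\L\\00000004.@
C:\\WINDOWS\\Installer\\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\\U

:Commands
[emptytemp]
"""


def split_sections(text):
    """Return {section_name: [entry, ...]}; a header is a line of the form ':Name'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r":[A-Za-z]+", line):
            current = line[1:].lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def trusted_domains(lines):
    """Map hive -> sorted domains from O15 lines; non-O15 lines are ignored."""
    by_hive = defaultdict(set)
    for line in lines:
        m = O15_RE.match(line)
        if m:
            by_hive[m.group("hive")].add(m.group("domain"))
    return {hive: sorted(domains) for hive, domains in by_hive.items()}


def service_hive_entries(by_hive):
    """Trusted domains that sit under service-account hives."""
    return {h: d for h, d in by_hive.items() if h in SERVICE_HIVES}


def user_only_domains(by_hive):
    """Domains trusted in some user hive but in no service hive."""
    user = set().union(*(set(d) for h, d in by_hive.items() if h not in SERVICE_HIVES))
    svc = set().union(*(set(d) for h, d in by_hive.items() if h in SERVICE_HIVES))
    return sorted(user - svc)


def files_by_guid_dir(lines):
    """Group :Files entries by the {GUID} path component they share (None if absent)."""
    groups = defaultdict(list)
    for line in lines:
        m = GUID_DIR_RE.search(line)
        groups[m.group(0).lower() if m else None].append(line)
    return dict(groups)


def summarise(text):
    sections = split_sections(text)
    by_hive = trusted_domains(sections.get("otl", []))
    return {
        "trusted_by_hive": by_hive,
        "service_hive_hits": service_hive_entries(by_hive),
        "user_only_domains": user_only_domains(by_hive),
        "files_by_guid": files_by_guid_dir(sections.get("files", [])),
        "commands": sections.get("commands", []),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_FIX).items():
        print(f"{key}: {value}")
```

Run it against a real OTL fix or the O15 block of an OTL.txt to see at a glance which hives carry trusted-site entries and which paths share one dropper directory; it reads text only and changes nothing on the machine.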

At the end of the fix OTL wanted a restart so I did…when I got back this is the only log it opened…I hope it's the right one.

Pretty sure this is where I got this mess…I was reading comments people posted on an article I was reading:

“Kacy Lamb - Suspect will be charged with attempted murder for stabbing him 7 times. http:// HopOnToday. blogspot. com”

That link goes to a site that immediately starts downloading "Windows Security Center Update". I've seen this before so tried to immediately shut off the PC, which has worked before, but this time it was too quick. All my problems started after that…

How’s it look? Are we done?

Thanks!!

Jack :slight_smile:

Hi JackSession,

The link and the bait are an example of social engineering. It’s designed to get the curious to click an unknown link.

Looks a lot better than when we started. This malware can be difficult to remove and can get in very deep.

See if you can now get aswMBR to run. If it’s clean there will be one more scan then we’ll clean up the tools and send you on your way.

urlquery
http://urlquery.net/report.php?id=105545
Suricata w/emerging threats: level 3 threat detected.

I'm still getting the blue screens trying to run aswMBR…

Hi JackSession,

How has the computer been?

Let’s see if this will show us the problem.

Download RogueKiller and save it to your desktop.

[*]double click the Rogue Killer icon to run it
[*]After it has completed its prescan click scan
[*]When the scan is complete click report
Please post the log.

Hi oldman…the computer has been running fine…here's the RogueKiller report…thanks

I guess there was an Ad-Aware component still running…uninstalled and re-ran RK and attached the report…looks like there's a reg key RK found…should I use RK to delete it and rerun aswMBR afterwards?

Hi JackSession,

The RK log looks good. The registry entry isn't anything to worry about.

Not sure why aswMBR won't run. Are you running it with or without the additional scan with avast? If you are trying to run the avast scan, try it without.

I've had avast! disabled and all the realtime shields off also…

Hi JackSession,

Let’s see if this will run.

Go HERE to get a randomly named copy of GMER. Scroll down to the Download section and click Download EXE. Save it to your desktop.

Before scanning with GMER, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

[*] Double click on the file you downloaded. If asked to allow gmer.sys driver to load, please consent.
[*] If it gives you a warning about rootkit activity and asks if you want to run scan…click on NO.


http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_th.gif

Click the image to enlarge it

[*] In the right panel, you will see several boxes that have been checked. Uncheck the following
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don’t miss this one)

[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “Gmer.txt” or it will save as a .log file which cannot be uploaded to your post.

[*]Save it where you can easily find it, such as your desktop, and post it in your next reply.

Caution
Rootkit scans often produce false positives. Do NOT take any action on any "<— ROOTKIT" entries

If GMER will not run in normal windows, please run it in Safe Mode

Hi oldman…seems to have gotten through GMER…here's the log…I appreciate your help

Jack :slight_smile:

Hi JackSession,

Nothing in the GMER log. How is the computer? Any problems?

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

[*]Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.