Please need assistance with Win32:RLoader-B

Hi there,

I found this thread (http://forum.avast.com/index.php?topic=104629.0) already for someone who had the same issue as me from last September. I have gone ahead and done all of the initial scans that were asked for (attached). I have gotten to the part where essexboy recommends a fix but warns that it is only relevant to that computer. Could someone please tell me if I should go ahead and follow the rest of the instructions from that post given the info in my attached logs, or should I go with another fix? Thanks a lot in advance!

Here are the rest of the logs. Thanks again!

Also, if it matters: I have been doing all of the steps in the other topic in Safe Mode. I had previously been trying various scanners (avast, Microsoft Safety Scanner, Malwarebytes, Windows Defender, Super AntiSpyware) and getting various results, although none of them ever seemed to fully rid me of the problem.

Just one other note. After I ran the TDSS killer, it found and cured the Win32 Reloader and I can now access Google (at least in safe mode). Is this cured or do I still need to do an additional fix?

Thanks!

Malware removers are notified; it may take hours before they arrive, so be patient.

Could you attach the large TDSSKiller log located at C:\TDSSKiller date time

On completion of this could you let me know what problems remain

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKLM\..\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^UX^xdm005^S04000^ca&si=CKz8l-yw2bQCFegWMgodlx4AFQ&ptb=2925C524-1C10-4F52-9042-8980506FCD06&ind=2013010813&n=77fc1b7d&psa=&st=sb&searchfor={searchTerms}
IE - HKU\S-1-5-21-539632139-4163793399-4093073258-1006\..\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^UX^xdm005^S04000^ca&si=CKz8l-yw2bQCFegWMgodlx4AFQ&ptb=2925C524-1C10-4F52-9042-8980506FCD06&ind=2013010813&n=77fc1b7d&psa=&st=sb&searchfor={searchTerms}
IE - HKU\S-1-5-21-539632139-4163793399-4093073258-1006\..\SearchScopes\{CA3A2F7E-2F1C-457D-87AB-8F3B3EB94588}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=BLPV5&o=13149&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=S0&apn_dtid=YYYYYYYYCA&apn_uid=E9290E8A-4085-4733-BB3A-45834BED289C&apn_sauid=A2E830B7-2243-4942-B618-05AF5AFFC187
O3 - HKU\S-1-5-21-539632139-4163793399-4093073258-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKU\S-1-5-21-539632139-4163793399-4093073258-1006\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O33 - MountPoints2\{f65dbd00-a626-11de-84c2-00188bd6b2ab}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e
O33 - MountPoints2\{f65dbd00-a626-11de-84c2-00188bd6b2ab}\Shell\Auto\command - "" = RavMon.exe e
[2013/03/21 11:48:50 | 000,000,228 | ---- | M] () -- C:\WINDOWS\tasks\ARO 2013.job

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
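As an added example (not part of OTL and not code from the post above), the following Python parses an OTL fix script of the kind pasted above into structured records and attaches the reason each entry is worth removing: search-scope entries pointing at a provider the owner never chose, orphaned toolbar references, MountPoints2 AutoRun/Auto handlers that launch an executable when a removable drive is opened, and a scheduled-task file. The sample text is copied from the fix in the thread; `EXPECTED_SEARCH_HOSTS`, `parse_fix` and `report` are names made up for the example.

```python
"""Parse an OTL fix script into structured findings.

Added example for this thread; not part of OTL and not code from the post.
It recognises the entry types that appear in the fix above (IE search
scopes, O3 toolbar references, O33 MountPoints2 autorun handlers and a
scheduled-task file) plus the :Commands section, and records why each line
is being removed. EXPECTED_SEARCH_HOSTS is an assumption for the example.
"""
import re
from urllib.parse import urlsplit

# Sample copied from the fix in the thread (the HKLM and HKU mywebsearch
# lines are identical apart from the hive, so only one is included).
SAMPLE_FIX = r'''
:OTL
IE - HKLM\..\SearchScopes\{b0441a0e-a49a-4e16-afc1-74ecced1921f}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^UX^xdm005^S04000^ca&si=CKz8l-yw2bQCFegWMgodlx4AFQ&ptb=2925C524-1C10-4F52-9042-8980506FCD06&ind=2013010813&n=77fc1b7d&psa=&st=sb&searchfor={searchTerms}
IE - HKU\S-1-5-21-539632139-4163793399-4093073258-1006\..\SearchScopes\{CA3A2F7E-2F1C-457D-87AB-8F3B3EB94588}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=BLPV5&o=13149&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=S0&apn_dtid=YYYYYYYYCA&apn_uid=E9290E8A-4085-4733-BB3A-45834BED289C&apn_sauid=A2E830B7-2243-4942-B618-05AF5AFFC187
O3 - HKU\S-1-5-21-539632139-4163793399-4093073258-1006\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O33 - MountPoints2\{f65dbd00-a626-11de-84c2-00188bd6b2ab}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e
O33 - MountPoints2\{f65dbd00-a626-11de-84c2-00188bd6b2ab}\Shell\Auto\command - "" = RavMon.exe e
[2013/03/21 11:48:50 | 000,000,228 | ---- | M] () -- C:\WINDOWS\tasks\ARO 2013.job

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
'''

SECTION = re.compile(r'^:(\w+)$')
COMMAND = re.compile(r'^\[(\w+)\]$')
SCOPE = re.compile(r'^IE - (?P<key>.+?\\SearchScopes\\\{[0-9A-Fa-f-]+\}): "URL" = (?P<url>\S+)$')
TOOLBAR = re.compile(r'^O3 - (?P<key>\S+): \(no name\) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<note>.+)$')
AUTORUN = re.compile(r'^O33 - (?P<key>MountPoints2\\\{[0-9A-Fa-f-]+\}\\Shell\\(?P<verb>\w+)\\command) - "" = (?P<cmd>.+)$')
TASK = re.compile(r'^\[(?P<stamp>[^\]]+)\] \(\) -- (?P<path>.+)$')
EXE = re.compile(r'[\w.-]+\.exe', re.IGNORECASE)

# Assumption for the example: the search providers the owner actually chose.
EXPECTED_SEARCH_HOSTS = {"www.bing.com", "www.google.com"}


def parse_fix(text):
    """Return (findings, commands) for an OTL fix script."""
    findings, commands, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Commands":          # [resethosts], [emptytemp], ...
            m = COMMAND.match(line)
            if m:
                commands.append(m.group(1))
            continue
        m = SCOPE.match(line)
        if m:
            host = urlsplit(m.group("url")).hostname
            findings.append({"kind": "search_scope", "key": m.group("key"), "host": host,
                             "flag": None if host in EXPECTED_SEARCH_HOSTS
                             else "search provider not chosen by the owner"})
            continue
        m = TOOLBAR.match(line)
        if m:
            findings.append({"kind": "toolbar", "key": m.group("key"), "clsid": m.group("clsid"),
                             "flag": "orphaned toolbar reference: " + m.group("note")})
            continue
        m = AUTORUN.match(line)
        if m:
            # The last .exe in the command is what actually gets launched
            # (rundll32/ShellExec_RunDLL is only the launcher).
            exes = EXE.findall(m.group("cmd"))
            findings.append({"kind": "autorun", "key": m.group("key"), "verb": m.group("verb"),
                             "launched": exes[-1] if exes else None,
                             "flag": "removable-drive %s handler" % m.group("verb")})
            continue
        m = TASK.match(line)
        if m:
            findings.append({"kind": "task", "path": m.group("path"),
                             "flag": "scheduled task created " + m.group("stamp").split(" |")[0]})
            continue
        findings.append({"kind": "unparsed", "line": line, "flag": "unrecognised entry"})
    return findings, commands


def report(text):
    """Condense the findings into the facts a reviewer wants at a glance."""
    findings, commands = parse_fix(text)
    return {
        "search_hosts": sorted(f["host"] for f in findings if f["kind"] == "search_scope"),
        "autorun_launched": [f["launched"] for f in findings if f["kind"] == "autorun"],
        "tasks": [f["path"] for f in findings if f["kind"] == "task"],
        "flagged": sum(1 for f in findings if f["flag"]),
        "unparsed": sum(1 for f in findings if f["kind"] == "unparsed"),
        "commands": commands,
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_FIX).items():
        print("%-17s %s" % (key, value))
```

Run on the fix above, the report shows two search providers (mywebsearch and ask) that neither the owner nor the browser vendor configured, both MountPoints2 handlers ending in `RavMon.exe`, one task file, and the four commands in the order OTL will run them.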

Thanks for the replies.

Here’s the large TDSS file. I’m running the OTL fix now.

Ta … Once OTL has finished, could you let me know what problems remain?

So I ran the OTL fix in safe mode and rebooted and it seemed like everything was okay. So I turned off safe mode and rebooted and I got the following warning on start up:
3D9E01C9-B852-4A78-AFE2-2FBDE3DC60A7.exe
Windows cannot find 3D9E01C9-B852-4A78-AFE2-2FBDE3DC60A7.exe. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button and then click Search.

After I hit okay everything loaded normally.

I’ll post the OTL report in the next reply.

Here’s the OTL report. Other than the error on start up everything else seems okay. I can access Google again. Not getting any malicious URL warnings from avast. Is it fixed?

Also any hints on how to avoid picking this up again in the future? This is my in-laws computer and they are not very computer literate so they want some “don’t do this” rules to avoid getting viruses. Is there some additional software on top of avast that I could install for them to keep them safe?

Thanks for all the help!

Could you run a fresh OTL scan please? Just ensure that all users and LOP are ticked. No need for a specific scan instruction. Then I will see if I can remove that warning.

Once you are happy I will tidy up and give some guidelines

New OTL report attached.
Thanks!

Hmm, I cannot see the load point for that; would you like me to dig deeper?

If so then :

Please RIGHT-CLICK HERE and Save As (in IE it’s “Save Target As”, in FF it’s “Save Link As”) to download Silent Runners.

[*]Save it to the desktop.
[*]Run Silent Runners by double-clicking the “Silent Runners” icon on your desktop.
[*]You will receive a prompt:
Do you want to skip supplementary searches?
click NO

[*]If you receive an error just click OK and double-click it to run it again - sometimes it won’t run as it’s supposed to the first time but will in subsequent runs.
[*]You will see a text file appear on the desktop - it’s not done, let it run (it won’t appear to be doing anything!)
[*]Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
NOTE If you receive any warning message about scripts, please choose to allow the script to run.

Here’s the log:

Are you still receiving the warning on boot?

Please download Malwarebytes Anti-Malware to your desktop.

[*]Right-click and Run as Administrator mbam-setup.exe and follow the prompts to install the program.
[*]At the end, be sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select Perform quick scan, then click Scan as shown below.

http://i1224.photobucket.com/albums/ee380/jeffce74/MBAM-2.jpg

[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Be sure that everything is checked, and click Remove Selected.
[*]When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

The log can also be found here:

Windows 2000 & Windows XP:
C:\Documents and Settings\<USERNAME>\Application Data\Malwarebytes\Malwarebytes’ Anti-Malware\Logs

Windows Vista & Win7:
C:\Users\<USERNAME>\AppData\Roaming\Malwarebytes\Malwarebytes’ Anti-Malware\Logs

I tried re-booting again and did not receive the warning this time. However, when I downloaded the Malwarebytes install program it would not run because it said the install files were corrupted. I deleted that program and went back online to re-download it, but then lost my internet connection. I’m now trying to run a repair on my wireless network connection but it just hangs at renewing my IP address.

I’m using my computer to post this as my in-laws computer now won’t connect to the internet despite recognizing my wireless signal. Should I go back to working in safe mode?

Let’s have a shufti at the networking on the sick system.

Please download MiniToolBox, save it to your desktop and run it.

https://dl.dropbox.com/u/73555776/minitoolbox.JPG

Checkmark the following checkboxes:

[*]Flush DNS
[*]Report IE Proxy Settings
[*]Reset IE Proxy Settings
[*]Report FF Proxy Settings
[*]Reset FF Proxy Settings
[*]List content of Hosts
[*]List IP configuration
[*]List Winsock Entries
[*]List last 10 Event Viewer log
[*]List Installed Programs
[*]List Devices
[*]List Users, Partitions and Memory size.
[*]List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from.

Note: When using “Reset FF Proxy Settings” option Firefox should be closed.
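The OTL fix earlier in the thread resets the hosts file ([resethosts]) and the MiniToolBox options above list its contents. As an added example (not part of MiniToolBox, OTL, or the post above), the following Python audits a hosts-file listing the way a reviewer reads it: a well-known name pointed at some other address explains a symptom like "can't reach Google", and a name pointed at the loopback address is a sinkhole worth checking, especially when it is an update or vendor host. The sample hosts file is constructed for the example and is not the file from the thread; `audit_hosts`, `parse_hosts` and `LOCAL_NAMES` are names made up here.

```python
"""Audit a Windows hosts file listing for redirect and sinkhole entries.

Added example for this thread; not part of MiniToolBox or OTL. The sample
file below is constructed for the example: the stock Windows entries plus
two planted lines of the kind a malware remover looks for.
"""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.google.com google.com     # constructed: steers Google elsewhere
127.0.0.1       update.example-av.test        # constructed: sinkholes an update host
"""

# Names that legitimately map to the loopback address on a Windows box.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, address, name) for every mapping in a hosts file."""
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # not an address/name mapping
        for name in parts[1:]:                   # one address may carry several names
            yield no, addr, name.lower()


def audit_hosts(text):
    """Return findings as dicts with line, name, address and issue."""
    findings = []
    for no, addr, name in parse_hosts(text):
        local = addr.is_loopback or addr.is_unspecified
        if name in LOCAL_NAMES:
            if local:
                continue                         # the stock entries
            issue = "localhost mapped to a routable address"
        elif local:
            # Requests for this name go nowhere. Normal for ad-block lists,
            # suspicious when it hits a security vendor's update host.
            issue = "sinkhole"
        else:
            # Traffic for a name the owner did not add is steered to a
            # specific host: this is the classic "can't reach Google" cause.
            issue = "redirect"
        findings.append({"line": no, "name": name, "address": str(addr), "issue": issue})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("line %(line)d: %(name)s -> %(address)s  [%(issue)s]" % f)
```

On a clean Windows hosts file (only the `localhost` lines, or only comments) the audit returns nothing, which is what [resethosts] leaves behind; after running the MiniToolBox "List content of Hosts" option, the same checks apply to the listing it produces.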

Here’s the MiniToolBox report

I’ve got the internet connection working again. Still no errors on start up. Currently running Malwarebytes Quick Scan. Will post log when done.

Thanks.

Malwarebytes scan complete. Didn’t find anything.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install the FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? Keep safe :wave: