Possible Malware.

I think I've got the same problem as this guy.

But, just to be sure, here’s what happened to me:

Today, while I was browsing in Firefox, I got a message from avast!'s Network Shield saying:

“MALICIOUS URL BLOCKED
avast! Network Shield has blocked a harmful site.”

The process was firefox.exe, but I checked whether the same problem exists in another browser, and it does in Internet Explorer (at iexplore.exe).
I scanned with avast! but nothing was found.
I've also used a Windows restore point, and the problem still existed.

The blocked URLs vary, but I'll attach a picture so you can see the Infection Details. (Some from Firefox, some from Internet Explorer.)
You will see that the blocked URLs are: maps.gstatic.com, ssl.gstatic.com, gstatic.com

Should I also follow the steps mentioned in this topic?

Thanks in advance for your help.

-Gallan

Hi and Welcome!!

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I’d be grateful if you would note the following:

[*] The fixes are specific to your problem and should only be used for the issues on this machine.
[*] It's often worth reading through these instructions and printing them for ease of reference.
[*] If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
[*] Please reply to this thread. Do not start a new topic.
[*] If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
[*] Please be sure to subscribe to the topic if you have not already done so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.

Having said that…
http://i1224.photobucket.com/albums/ee380/jeffce74/vegeta_zps7f4345cf.gif
Let’s get going!!

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

[*] Disable any antivirus programs during the scan (If you have difficulty properly disabling your protective programs, refer to this link here)
[*] Double click dds to run the tool.
[*] When done, two DDS.txt's will open.
[*] Save both reports to your desktop.

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt

http://i1224.photobucket.com/albums/ee380/jeffce74/aswmbr-1-1.jpg
Please download aswMBR to your desktop.

[*] Double click the aswMBR icon to run it.
[*] Click the Scan button to start scan.
[*] If you are asked to update the Avast Virus database please allow it to do so.
[*] When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.


http://i1224.photobucket.com/albums/ee380/jeffce74/aswmbrscan.jpg

Click the image to enlarge it

http://i1224.photobucket.com/albums/ee380/jeffce74/adwcleaner.jpg
AdwCleaner

Please download AdwCleaner by Xplode onto your desktop.

[*] Double click on AdwCleaner.exe to run the tool.
[*] Click on Search.
[*] A logfile will automatically open after the scan has finished.
[*] Please post the contents of that logfile with your next reply.
[*] You can find the logfile at C:\AdwCleaner[R1].txt as well.

Thank you for your help.

I had a problem with aswMBR though.
I started scanning with it, but when it reached a specific file it stopped there.
20 minutes passed and it was still on the same file.
I stopped running it and then re-scanned, but again it stopped at the same file. Don't know why.
That file was named in Greek characters; could that be the problem? (It was a .exe file)
So, the scan could not be completed.
I will send you the log it made; it's kinda short though.

The other programmes worked well. They finished scanning in a few minutes.

The contents of DDS, aswMBR and AdwCleaner are in the attached files.
(The logs from DDS and aswMBR were automatically saved on the desktop.)

PS

  • Should I turn avast! off only while the 1st programme scans and then turn it on again, or should I have it turned off generally when I run those programmes?
    I turned avast! on during the scan of AdwCleaner.
  • Also, should I continue surfing the internet and sometimes get the virus blocked message, or should I avoid using it much?
    (Of course I'll have to use the internet to download the programmes you instruct me to, but, just to be sure…)
  • Ah, and I think that the popup message of avast! about the virus happens on Google, and more specifically when I open sites that I've searched for on Google and stuff. I mean, I never got this message when I opened sites from my bookmarks (except a Google Translate bookmark) and stuff, till now of course.

EDIT: avast! got an update last night that needed a restart of the computer. I haven't tried to use Google or simply typed "gstatic.com" into the address bar to get the error message since then. (I did that yesterday and it worked.)
So, I have just tried it, and I didn't get any error message. That could be a coincidence though…

Hi,

Let’s give this a run…

http://i1224.photobucket.com/albums/ee380/jeffce74/TDSK.jpg
Please download TDSSKiller

[*] Double click TDSSKiller.exe
[*] Press Start Scan but do nothing else as we are just looking for what is there.
[*] If Malicious objects are found, select Skip by changing the Cure dropdown in the upper right.
[*] Attach the log in your next reply
[*] A copy of the log will be saved automatically to the root of the drive (typically C:)

Here you are.

That looks good. :slight_smile:

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*] Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*] Double click on ComboFix.exe & follow the prompts.

[*] As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*] Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. If you get a message saying “Illegal operation attempted on a registry key that has been marked for deletion”, please restart your computer.

And here you are again:

Please go to: VirusTotal
On the page you’ll find a “Choose File” button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.

c:\Program Files\Kill3rCombo\Elsword\data\x2.exe

Next, click the Open button.
Then click the “Scan It!” button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.

http://i1224.photobucket.com/albums/ee380/jeffce74/adwcleaner.jpg
AdwCleaner

[*] Close all open programs and internet browsers.
[*] Double click on adwcleaner.exe to run the tool.
[*] Click on Delete.
[*] Confirm each time with Ok.
[*] You will be prompted to restart your computer. A text file will open after the restart.
[*] Please post the contents of that logfile with your next reply.
[*] You can find the logfile at C:\AdwCleaner[S1].txt as well.

The Virus Total URL result:
https://www.virustotal.com/el/file/fcc597aa0898219a0d06c8c2b073c488935a63589222bf40ba45c38ded1a7627/analysis/1372007657/

And the attached file, in place.

EDIT: I tried to re-scan with aswMBR, and it finished! It seems it did scan before, but it wasn't refreshing what was scanned…
Meaning that it seemed like it got stuck, but it actually wasn't.
Anyway, I'll attach it with the other file. (The results are in the 3rd paragraph; they seem the same as the incomplete scans though.)

Great job!!

Run a new scan with ComboFix and attach the new log so that we can see where we are now. :slight_smile:

Done!
(The new log must be the same file as before! I mean, it must have overwritten the other one, because there was only one "Combofix.txt" and it was modified a few minutes ago.)

ComboFix

[*] Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:

ClearJavaCache::

DDS::
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ptec/defaults/su/*http://www.yahoo.com

[*] Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*] Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
[*] Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*] ComboFix may request an update; please allow it.
[*] ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*] When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.

Attach the new log and let me know how your system is running now. :slight_smile:

I didn’t request any update or stuff, just scanned! :slight_smile:

How is your system running?

Normally. I mean, I cannot notice any difference.

Normally. I mean, I cannot notice any difference.
Sorry...I just need to clarify...do you mean your system seems to be running how it should normally work again or your system still seems to not run right?

Well, It seems to be running how it should normally work.

Ok great! Sounds good! :slight_smile:

http://i1224.photobucket.com/albums/ee380/jeffce74/java-1.jpg
Java

Please go to Start > Control Panel > Programs and Features > uninstall all the Java Programs you see, now download the latest Java from the following link and install it:

http://java.com/en/download/index.jsp

See this page for instructions on how to clear java’s cache.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
[*] Under Temporary Internet Files, click the Delete Files button.
[*] There are three options in the window to clear the cache - Leave ALL 3 Checked
    Downloaded Applets
    Downloaded Applications
    Installed Applications and Applets
[*] Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
[*] Click OK to leave the Java Control Panel.


http://i1224.photobucket.com/albums/ee380/jeffce74/mbam-3.jpg
Please download Malwarebytes Anti-Malware to your desktop.

[*] Right-click and Run as Administrator mbam-setup.exe and follow the prompts to install the program.
[*] At the end, be sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
[*] If an update is found, it will download and install the latest version.
[*] Once the program has loaded, select Perform quick scan, then click Scan as shown below.

http://i1224.photobucket.com/albums/ee380/jeffce74/MBAM-2.jpg

[*] When the scan is complete, click OK, then Show Results to view the results.
[*] Be sure that everything is checked, and click Remove Selected.
[*] When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

The log can also be found here:

Windows 2000 & Windows XP:
C:\Documents and Settings\<USERNAME>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Windows Vista & Win7:
C:\Users\<USERNAME>\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs

ESET Online Scanner

Go here to run an online scanner from ESET. Windows Vista/Windows 7 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
[*] Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
[*] Turn off the real time scanner of any existing antivirus program while performing the online scan
[*] Tick the box next to YES, I accept the Terms of Use.
[*] Click Start
[*] When asked, allow the activex control to install
[*] Click Start
[*] Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
[*] Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
[*] Click Scan
[*] Wait for the scan to finish
[*] When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file…"
[*] Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
[*] Close the ESET online scan, and let me know how things are now.

Phew, finished scanning. Took 5 hours for the ESET scan to finish…
Here are the logs.

In the ESET log, the question marks (?? ?? ??) are the "Downloads" folder, which is named in another language that probably couldn't be displayed.

Also, I got a message from Malwarebytes Anti-Malware blocking a website I was trying to enter… (It's a website with anime.)

Successfully blocked access to a potentially malicious website: 93.174.93.65

Type: outgoing

Good Night!

Ok… since you know for sure which folder is supposed to be the one with the ???, go ahead and go to these locations and delete the files I have in red below. Once complete, reboot your system and then let me know what remaining malware problems you are having. :slight_smile:

C:\Documents and Settings\vasi\My Documents\Downloads\FreeYouTubetoMP3Converter.exe
C:\Documents and Settings\vasi\My Documents\???? ???\cbsidlm-tr1_13-DevC-ORG-12686.exe
C:\Documents and Settings\vasi\My Documents\???? ???\FreeYouTubeDownload(1).exe
C:\Documents and Settings\vasi\My Documents\???? ???\FreeYouTubeDownload.exe
C:\Documents and Settings\vasi\My Documents\???? ???\FreeYouTubeToMP3Converter(1).exe
C:\Documents and Settings\vasi\My Documents\???? ???\FreeYouTubeToMP3Converter(2).exe
C:\Documents and Settings\vasi\My Documents\???? ???\FreeYouTubeToMP3Converter(3).exe
C:\Documents and Settings\vasi\My Documents\???? ???\FreeYouTubeToMP3Converter.exe
C:\Documents and Settings\vasi\My Documents\???? ???\SoftonicDownloader_for_lemmingball-z.exe
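Two steps in this thread lend themselves to a small script: the VirusTotal check (the result link the poster got back is keyed on the file's SHA-256, so a file can be looked up by hash before deciding whether to upload it at all) and the final clean-up, where the helper's list shows the Greek-named Downloads folder as "???? ???" because the log tool could not render the name. The Python below is an added example written for this page; it is not from the thread and not part of avast!, ComboFix, AdwCleaner or any other tool named here. It assumes a made-up directory tree built in a temporary folder (a "My Documents/Λήψεις" folder with dummy files, not real installers), a constructed list of file names to act on, and the current VirusTotal report URL form https://www.virustotal.com/gui/file/<sha256>. Instead of deleting, it moves matched files into a quarantine folder under their hash, which keeps evidence for a later look-up and is reversible if a match turns out to be benign.

```python
"""Hash, look up and quarantine suspect downloads (added example, not from the thread)."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional

# Assumed current VirusTotal report URL format; the thread's link used an older /file/<hash>/analysis/ form.
VT_URL_TEMPLATE = "https://www.virustotal.com/gui/file/{sha256}"

# Constructed target list for the demo (two names taken from the helper's list above).
SAMPLE_NAMES = ["FreeYouTubeDownload.exe", "SoftonicDownloader_for_lemmingball-z.exe"]


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so a large installer is never read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def vt_lookup_url(sha256: str) -> str:
    """Report URL for a hash: lets you check VirusTotal's verdict without uploading the file."""
    return VT_URL_TEMPLATE.format(sha256=sha256.lower())


def find_named_files(root: Path, names: Iterable[str]) -> List[Path]:
    """Locate files under root whose basename is in the target set (case-insensitive, as on Windows).

    pathlib carries the real Unicode folder name, so a Greek directory that a log
    tool printed as '???? ???' is still walked and matched correctly.
    """
    wanted = {n.lower() for n in names}
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name.lower() in wanted)


def quarantine(files: Iterable[Path], qdir: Path) -> Dict[str, Dict[str, str]]:
    """Move each file into qdir, renamed to <sha256>.quarantined so it no longer runs on double-click.

    Returns a manifest keyed by hash: original path, new path, and the VirusTotal URL to check.
    """
    qdir.mkdir(parents=True, exist_ok=True)
    manifest: Dict[str, Dict[str, str]] = {}
    for f in files:
        h = sha256_of(f)
        dest = qdir / f"{h}.quarantined"
        shutil.move(str(f), str(dest))
        manifest[h] = {"original": str(f), "quarantined": str(dest), "virustotal": vt_lookup_url(h)}
    return manifest


def build_sample_tree(base: Path) -> Path:
    """Constructed sample: a non-ASCII (Greek) Downloads folder with dummy files, plus one file to leave alone."""
    downloads = base / "My Documents" / "Λήψεις"
    downloads.mkdir(parents=True, exist_ok=True)
    (downloads / "FreeYouTubeDownload.exe").write_bytes(b"abc")  # dummy content, not an installer
    (downloads / "SoftonicDownloader_for_lemmingball-z.exe").write_bytes(b"")  # empty dummy
    (downloads / "notes.txt").write_text("unrelated file, must be left alone", encoding="utf-8")
    return base


def demo(base: Optional[Path] = None) -> Dict[str, Dict[str, str]]:
    """Run the whole flow on the constructed tree and return the quarantine manifest."""
    if base is None:
        base = Path(tempfile.mkdtemp(prefix="quarantine-demo-"))
    build_sample_tree(base)
    hits = find_named_files(base, SAMPLE_NAMES)
    return quarantine(hits, base / "Quarantine")


if __name__ == "__main__":
    for digest, entry in demo().items():
        print(digest)
        for key, value in entry.items():
            print(f"  {key}: {value}")
```

Run it as-is to see the manifest printed for the constructed tree; to use it on a real machine, replace `build_sample_tree`/`demo` with a call to `find_named_files` on the actual Downloads folder and a quarantine directory of your choosing, and review each VirusTotal link before deciding whether anything in quarantine can be deleted for good.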