I have the same problem (IE freezes). I ran the MBR and OTS scans as described and am attaching the two results. What next please?
> what next please?
Also do a scan with Malwarebytes and post the scan log.
Then wait for Essexboy... he arrives here late today.
Download the program SystemLook to the Desktop:
http://jpshortstuff.247fixes.com/SystemLook.exe
Run SystemLook.
- In the white window frame copy the following text:
:file
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C8C92139-94E5-429D-8482-1B0969A7F3F3}\MpKsl2c0dd34b.sys
:filefind
MpKsl2c0dd34b.sys
Click the Look button.
Copy the file SystemLook.txt, which will be located on the Desktop.
OK, let's start again (way too late last night and I wasn't thinking clearly).
The problem started about two days ago. IE was acting very slow and Avast popped up the warning about socketopencloud.su/a/getupdate.php?id1=173&id2=1&guid=c0811eab-c960-4bf0-8a2a-46bdf0f38278.
I also ran MS Security Essentials and it indicated that the system32\drivers\hosts file was bad. The hosts file had been modified with many aliases to 127.0.0.1. After a bit I managed to create a new hosts file with nothing in it and set it as read only; this prevented the trojan from modifying it.
After this, scanning with Avast or MS Security Essentials came back all clean, but the same warning from Avast was there when I tried to access the web, along with everything hanging.
After running Malwarebytes it indicated that win32sta.dll was infected. I tried copying the dll from a known good install but no luck, it just got infected again.
Avast did report an infected Microsoft Antimalware\Definition Updates which I deleted (maybe this is why SystemLook found nothing).
Just to be sure I have redone the various scans from MBR, OTS, Malwarebytes and SystemLook and attached the log files.
Any help would be greatly appreciated.
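For the hosts-file tampering described in the post above (many names forced to 127.0.0.1), here is an added detection check that is not from this thread or any of its posters: it parses a hosts file and flags hostnames pointed at a loopback address other than the stock localhost entries. The file content is constructed sample data and the domain names are placeholders.

```python
# Added example, not from the forum thread: audit a hosts file for the
# symptom the OP describes, many hostnames silently forced to 127.0.0.1.
# The sample content below is constructed; in practice you would read
# C:\Windows\System32\drivers\etc\hosts (path shown only as an assumption).
import ipaddress

# Names that legitimately map to loopback in a stock hosts file.
DEFAULT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blanks and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address, skip the line
        for name in names:
            entries.append((ip, name.lower()))
    return entries

def suspicious_entries(text):
    """Hostnames redirected to a loopback address that are not the stock
    localhost names. A long list of these is the pattern the OP saw: update
    and vendor sites pointed at 127.0.0.1 so they can never be reached."""
    flagged = []
    for ip, name in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback and name not in DEFAULT_LOOPBACK_NAMES:
            flagged.append(name)
    return flagged

# Constructed sample: stock entries plus two tampered ones and a blackhole line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.invalid   # constructed tampered entry
127.0.0.1       www.example-update.invalid  # constructed tampered entry
0.0.0.0         ads.example.invalid         # blackhole, not loopback
"""

if __name__ == "__main__":
    for name in suspicious_entries(SAMPLE_HOSTS):
        print("hosts file forces", name, "to loopback")
```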
> Avast did report an infected Microsoft Antimalware\Definition Updates which I deleted (maybe this is why SystemLook found nothing).
Because you have installed two AV programs (....scanning with Avast or MS Security Essentials.....)
Never install two antivirus programs (see reply from quietman7):
http://www.bleepingcomputer.com/forums/index.php?s=7c8217673a726b92cfc91ecfd4294a29&showtopic=260
OBS: and your MBAM log says - NO ACTION TAKEN.
You need to click the "REMOVE SELECTED" button after the scan to quarantine,
and always update MBAM before you scan.
On completion of this run, can you let me know the state of the alerts.
Start OTS. Copy/paste the information in the quote box below into the panel where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Modules - Safe List]
YY -> win32sta.dll -> C:\WINDOWS\system32\win32sta.dll
[Files - No Company Name]
NY -> win32sta.dll -> C:\WINDOWS\System32\win32sta.dll
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
Should I perform 'Remove Selected' with MBAM as suggested by Pondus on the win32sta.dll first before re-running OTS?
No, I have slated it for removal with OTS ;D
OK, I have turned off MS Security Essentials and just left Avast.
I ran OTS as you suggested with the code you supplied. It ran for about a minute and then the PC requested a reboot. I answered OK and then it just hung with the 'Windows Shutting Down' message. I had to cycle the power; when it came back Notepad opened on the log file.
I tried to access the Web but Avast still reports the bad URL error.
Attached is the log file...
> DllUnregisterServer procedure not found in C:\WINDOWS\system32\win32sta.dll
> Releasing module C:\WINDOWS\system32\win32sta.dll
> C:\WINDOWS\system32\win32sta.dll moved successfully.
Mayhap this was a bit stronger than OTL.
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
OK, I ran ComboFix as directed. I have attached the resulting log file. It seems to have fixed the virus; at least Avast isn't reporting any URL blocks anymore. I will test over the next few days and let you know.
Thanks for the help.
That looks good - if you have no further problems I will remove my tools. Let me know.
Turning off an antivirus is not the same as uninstalling it. Here is the MSE Uninstaller Tool: http://support.microsoft.com/kb/2435760/, then reboot your machine.
@ Essexboy: Did you delete MSE from the OP’s system during the fix? If not, I provided the uninstaller tool above and the OP can also follow the directions for removing the registries as well.
Let us know how your machine is behaving. If all is doing well, Essexboy will start removing his tools and we will have you monitor things for 24-48 hours and report back while we give you some suggestions for staying safer and avoiding further infections. Thank you.
No I left MSE for now ;D
I had used the Windows Add/Remove Programs to uninstall Security Essentials. All I have now is Avast Free and a firewall via a NAT router.
So far everything seems to be working OK. I did full scans (boot time and normal) and nothing was detected.
Are there any other precautions I should take?
How is your machine behaving now? Any problems? If not, Essexboy can begin to remove his tools, but we need to know if you still are having problems.
Everything seems OK now.
Thanks again.
Subject to no further problems, I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall
Run OTS and hit the Cleanup button. It will remove all the programmes we have used plus itself.
We will now confirm that your hidden files are set to hidden, as some of the tools I use will change that:
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.
Upgrading Java:
- Go to this site and click Do I have Java
- It will check your current version and then offer to update to the latest version
SPRING CLEAN
Download and run Puran Disc Defragmenter.
For the first run I would recommend a boot defrag and disk check.
http://i1224.photobucket.com/albums/ee362/Essexboy3/Puran.gif
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes. Update and run weekly to keep your system clean.
Download and install the FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link.
It is critical to have both a firewall and antivirus to protect your system and to keep them updated.
To keep your operating system up to date visit:
- Microsoft Windows Update
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place?
Keep safe
In the meantime, here are a few suggestions in addition to the ones given to you by Essexboy to keep you and your machine safer in the future:
- Keep your definitions up to date for both Avast and MBAM.
- Keep all your shields on with Avast.
- Update MBAM prior to scanning, then do Quick scans.
- Keep your MS/Windows Updates current.
- Add security related add-ons to your browsers for safer browsing. See my signature as an example.
- Use common sense when browsing and do not go to risky sites.
- When downloading software, read what you are clicking and do not download adware toolbars, which are commonly opted in; look before you click or do a Custom install to avoid putting unwanted toolbars on your machine that lead to spyware tracking or adware.
- Check to see that your software is up to date with the free Secunia Software Inspector http://secunia.com/vulnerability_scanning/personal/ since software is changing all the time. This site gives you the vendor’s direct download link making it easy to upgrade your software. Many of us here scan our machines weekly.
Remember to post back in 24 hours to let us know if everything is still running OK; if not post back sooner.
OK, everything is cleaned up as instructed and all has been running fine now for 3 days.
Thanks again for everyone's help.