I recently found this on my system, and I don’t know how to get it off. I’d like to get it off quick before it does anything.
Thanks in advance.
@legas143
Hi. Welcome to avast. 8)
[*] I will be working on your malware issues; this may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*] Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.
Step#1
Please follow guide for running Rogue Killer.
http://forum.avast.com/index.php?topic=53253.0
Step#2
Download TDSSKiller and save it to your desktop.
Execute [b]TDSSKiller.exe[/b] by double-clicking on it.
[*] Press Start Scan
[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root of the system drive, which is typically C:\ , for example [b]C:\TDSSKiller.<version_date_time>log.txt[/b]
Please post the contents of that log in your next reply.
Step#3
Follow guide for running 1.AdwCleaner, 2. Malwarebytes, 3.OTL, 4. aswMBR.
http://forum.avast.com/index.php?topic=53253.0
First of all, thanks for the quick reply.
And secondly, I’m working through step 1 here, and Roguekiller made me restart. So I did, and now my mouse has been doing that loading thing for about 10 minutes, I have no desktop icons, and I cannot click the start button or anything else.
I’m hoping Roguekiller is just doing stuff, but I really have no idea.
EDIT: It’s still stuck like it was; can’t click anything, no icons, constant loading.
Just don’t panic. Something has blocked RogueKiller…
Reboot the computer and try to repeat the scan with RK. If it fails again, skip RK and go and run TDSSKiller.
I couldn’t start the system normally, as I kept getting stuck at that loading and not being able to do anything. So I restarted and went to safe mode, and the RK logs were on the desktop. I’ve attached them. I’ll work on step 2 now.
Okay. Continue with TDSSKiller, and when you’re done with it, tell me whether you can then load Windows in normal mode.
There’s the log for TDSS. And as of right now, I still can’t do anything in non safe mode. =/
EDIT: Seems that normal mode is working now. Do I continue with step 3?
EDIT2: Not working in normal again. I restarted again to make sure it was working in normal mode, but then it wasn’t. <_<
Hi,
[quote]EDIT2: Not working in normal again. I restarted again to make sure it was working in normal mode, but then it wasn't. <_<[/quote]
Explain in detail what happens when you try to load Windows into normal mode. Does the system boot successfully in normal mode? Does Windows only block in normal mode while running? Slow?
Go to step#3. I only need OTL logs for now. Skip AdwCleaner, Malwarebytes and aswMBR. Just download and run OTL.exe.
Safe mode will do for running OTL if you can't load in normal mode.
When I start in normal mode, Windows loads and everything. I can log in to the user. But when the desktop loads, none of the icons show, and the mouse just loads forever. And I cannot click on the start menu or any quickstart icons on the bar. My only choice is to restart via the power button.
And I’ll post the logs to OTL in a second, it’s just finishing up.
EDIT: added OTL logs.
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
IE - HKU\.DEFAULT\..\SearchScopes\{33524C00-63FB-43DB-A6BF-0A4E14B24649}: "URL" = http://www.basicscan.com/?prt=BASICSCAN115&keywords={searchTerms}
IE - HKU\S-1-5-18\..\SearchScopes\{33524C00-63FB-43DB-A6BF-0A4E14B24649}: "URL" = http://www.basicscan.com/?prt=BASICSCAN115&keywords={searchTerms}
IE - HKU\S-1-5-21-1824422464-3963870868-2061467287-1000\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
IE - HKU\S-1-5-21-1824422464-3963870868-2061467287-1000\..\URLSearchHook: {cce665dd-f6dd-4808-968e-eaec971f70ef} - No CLSID value found
IE - HKU\S-1-5-21-1824422464-3963870868-2061467287-1000\..\SearchScopes\{660D0A07-0133-4C38-8D03-95FCB1A6C90D}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=55168381-447E-463E-A459-25E215B9A785&apn_sauid=49798455-B8BD-4937-A1FD-C7D8261C8F66&
IE - HKU\S-1-5-21-1824422464-3963870868-2061467287-1000\..\SearchScopes\{CA72F477-273C-4F21-8AAE-032BC6259245}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3198785
CHR - homepage: http://search.conduit.com/?ctid=CT3198785&SearchSource=48
CHR - default_search_provider: Conduit (Enabled)
CHR - default_search_provider: search_url = http://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3198785
CHR - default_search_provider: suggest_url = http://search.conduit.com/
CHR - homepage: http://search.conduit.com/?ctid=CT3198785&SearchSource=48
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1824422464-3963870868-2061467287-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1824422464-3963870868-2061467287-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O3 - HKU\S-1-5-21-1824422464-3963870868-2061467287-1000\..\Toolbar\WebBrowser: (no name) - {CCE665DD-F6DD-4808-968E-EAEC971F70EF} - No CLSID value found.
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2
:files
C:\Program Files (x86)\Ask.com
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
:commands
[CREATERESTOREPOINT]
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
Run Combofix in safe mode.
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.
How to disable avast:
[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.
When the tool is finished, it will produce a log report for you. (typical location: C:\[b]ComboFix.txt[/b] )
Attach the log report ( ComboFix.txt) back to the topic.
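Added example, not part of this thread or of the OTL tool: a small Python script that scans OTL-style log lines for browser search providers, BHOs, toolbars and Run entries tied to the Conduit, Ask and basicscan domains that the fix above removes. The sample log lines are constructed from entries shown in this thread.

```python
import re
from urllib.parse import urlparse

# Domains of the search hijackers / toolbars removed by the OTL fix in this thread.
HIJACK_DOMAINS = ("conduit.com", "ask.com", "basicscan.com")

# Constructed sample of OTL log lines (taken from the fix above, plus one clean entry).
SAMPLE_LOG = r"""
IE - HKU\.DEFAULT\..\SearchScopes\{33524C00-63FB-43DB-A6BF-0A4E14B24649}: "URL" = http://www.basicscan.com/?prt=BASICSCAN115&keywords={searchTerms}
CHR - default_search_provider: search_url = http://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3198785
CHR - homepage: http://search.conduit.com/?ctid=CT3198785&SearchSource=48
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files (x86)\Ask.com\Updater\Updater.exe (Ask)
CHR - default_search_provider: search_url = https://www.google.com/search?q={searchTerms}
"""

URL_RE = re.compile(r"https?://[^\s\"']+")                       # any http(s) URL in the line
PATH_RE = re.compile(r"[A-Za-z]:\\[^\n]*?\.(?:dll|exe)", re.I)   # first Windows path ending in .dll/.exe

def domain_hit(url):
    """Return the matching hijack domain if the URL's host is that domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return next((d for d in HIJACK_DOMAINS if host == d or host.endswith("." + d)), None)

def path_hit(path):
    """Return the matching hijack domain if it appears as a folder name in the file path."""
    low = path.lower()
    return next((d for d in HIJACK_DOMAINS if "\\" + d + "\\" in low), None)

def scan_otl_log(text):
    """Return (section_tag, matched_domain, line) for every suspicious log line."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tag = line.split(" ", 1)[0]          # OTL section tag: IE, CHR, O2, O3, O4, ...
        hit = next((h for h in map(domain_hit, URL_RE.findall(line)) if h), None)
        if hit is None:
            m = PATH_RE.search(line)
            hit = path_hit(m.group(0)) if m else None
        if hit:
            findings.append((tag, hit, line))
    return findings

if __name__ == "__main__":
    for tag, domain, line in scan_otl_log(SAMPLE_LOG):
        print(f"[{tag}] {domain}: {line}")
```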
Here is the log for that OTL fix part. I’ll start the Combofix stuff now.
And here is the Combofix log.
I see that you have run Combofix from normal mode. Nice…
How is your computer running now? Does it successfully load in normal mode?
Oh lol, oops. Yes it’s running fine in normal mode now. Everything is working as it should. Shall I do it again in safe mode?
Why “oops”? It is very good to run ComboFix from normal mode. I just thought that you were not able to run it there, so I told you to run CF from safe mode.
It is necessary to uninstall ComboFix :
[*] Click Start (or http://amf.mycity.rs/pg/images/VistaStartButton.png ) then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
[*] In the line of text type in (Copy) the following:
ComboFix /Uninstall
Note that there is a space between "ComboFix" and "/Uninstall".
[*] then click OK (or press Enter ).
Wait until the uninstall process is complete.
We will keep the tools we used until tomorrow.
Please bump this topic tomorrow and tell me whether everything is still running fine.
Thank you very much! And I’ll definitely bump this tomorrow.
Thanks again.
Got home today, turned my computer on, and it did the same thing it was doing yesterday; won’t work in normal mode. =/
Ok. We will try to do some repairing…
Just for info… Do you have a Windows installation disk?
First create a few new system restore points
http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7
Try to run this tool from normal mode. If that doesn't work, safe mode with networking will do…
Please download Windows Repair (all in one) from here:
http://www.tweaking.com/content/page/windows_repair_all_in_one.html
[*] Install the program then run.
[*] Go to Step 2 and allow it to run Disk check
[*] Once that is done then go to Step 3 and allow it to run SFC
[*] Go to Step4 and create registry backup and system restore point.
[*] On the Start Repairs tab => Click the Start
[*] Restart may be needed to finish the repair procedure.
How’s your computer running now? Try to run this OTL scan from normal mode too. If not… safe mode with networking will serve…
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
CREATERESTOREPOINT
BASESERVICES
netsvcs
drives
msconfig
activex
safebootminimal
safebootnetwork
drivers32
%SYSTEMDRIVE%\*.exe
/md5start
services.exe
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini
dir /s /a "C:\Windows\Installer\{8e910da9-d425-e918-0b1e-26d8dd184ee8}" /c
%systemroot%\*. /mp /s
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemdrive%\drivers\*.exe
%systemroot%\system32\drivers\*.* /90
%ALLUSERSPROFILE%\Application Data\*.exe
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%systemroot%\*.src
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\System32\Wbem\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
%systemroot%\Tasks\*.job /lockedfiles
[*]Then click the RunScan button at the top.
[*]Let the program run unhindered; it will create and open Notepad with a log report named OTL.txt. Attach that log report here.
Re-run aswMBR and attach a fresh aswMBR.txt log here.
Here are the two logs you asked for. I managed to get it running in normal mode; it’s seeming random now if normal mode will work or not. ;s
Run this OTL fix and tell me if the problem is solved.
Here we remove only some remnants, because your machine is malware free…
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
CHR - homepage: http://search.conduit.com/?ctid=CT3198785&SearchSource=48
CHR - default_search_provider: Conduit (Enabled)
CHR - default_search_provider: search_url = http://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&ctid=CT3198785
CHR - default_search_provider: suggest_url = http://search.conduit.com/
CHR - homepage: http://search.conduit.com/?ctid=CT3198785&SearchSource=48
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
:Files
C:\Windows\Installer\{8e910da9-d425-e918-0b1e-26d8dd184ee8}
:Commands
[CREATERESTOREPOINT]
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.
If the problem persists, you have to tell me the following:
To remind me, what exactly happens when you boot into Windows normal mode?
Did you run sfc /scannow with Windows Repair?
Also please answer my question.
Just for info... Do you have a Windows installation disk?