test. PLEASE respond!

My computer has a Malware problem, I truly believe. However, this post is a test, as I am NOT on MY computer at which I attempted to post with a request for assistance. My computer didn’t allow the CAPTCHA to be accepted or sent or whatever the problem. Therefore I am testing to find out if the CAPTCHA works at the library computer and ONLY not at mine. If the CAPTCHA works with this test, I will then return with all the detail of my problem for help.
So, PLEASE reply to this post letting me know that it is received.
Thank you,
kissa

Hi, what are the symptoms?

Hi essexboy,
I hope I can continue my problem with this thread. I am going to try anyway.
Thanks for replying. I have been finding several symptoms, beginning a short time after getting the many popups for “Malicious URL Blocked”. Most of them indicate the infection to be URL:MAL. I have had a few indicate an infection for a JavaScript or JScript or something like that… “J*script”. I don’t have the exact name of the script infection because I have misplaced my notes, including the printout that I made of your post titled “Logs to assist in cleaning Malware”. With both popups I get the indication that they are happening in svchost.exe. I have run a few of the programs in the past in attempting to get through onto the forum for help.
First, to answer your initial question, the first thing I noticed was that I could not get to www.Google.com (still not able to). I get an error of page not available. My sound has stopped for me totally, my printer no longer will print, and I cannot use any site that requires CAPTCHA, in that the words do not show for me to copy into a box (if I even get a box). There may be other symptoms that I am not recalling at this time or that I might not have realized I was encountering.

I have run the first three of the programs that you request in your posting (named above). I am attaching all four of the log files that you request from them (Adwcleaner[S3], mbam-log-2013-3-18(17-54-06), the OTL, and the Extras(X)). I ran the programs and retrieved the logs today with the exception of the Extras(X) file. There was no Extras file produced today, but the one that I have included was from the last time I ran the programs on my computer. If you find that you might need the logs from the previous scans, I have them also.

I hope you will be able to help me with my problem. Thank you for any help that you will be able to give me.

kissagain

Also attach the aswMBR log.

OK, this looks like we may need to run some repairs as we go. I will start off with three programmes to remove as much as possible and then try to do some repairs on completion.
Please attach all logs

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

:Files
ipconfig /flushdns /c
netsh int ip reset  /c
ipconfig /release /c
ipconfig /renew /c
netsh winsock reset /c

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

FINALLY

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks
[*]Allow the installation of the recovery console

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
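The fix above resets the DNS cache, the TCP/IP stack, Winsock and the hosts file, and then has TDSSKiller verify driver digital signatures. The following PowerShell script is an added example, not part of the original thread and not code from OTL, TDSSKiller or ComboFix. It performs the corresponding read-only triage so the state of the machine can be recorded before and after the fix: it lists hosts-file entries other than the default loopback lines, shows the DNS servers each adapter uses and what www.google.com resolves to, and flags running kernel drivers whose file is missing or whose Authenticode signature does not verify. It assumes PowerShell 2.0 or later on Windows and an elevated prompt; the normalisation of the driver paths returned by WMI is my own and covers only the common forms.

```powershell
# Added example (not from the thread or any of the tools it uses).
# Read-only triage of the items the OTL fix and TDSSKiller act on.
# Assumes PowerShell 2.0+ and an elevated prompt so driver files are readable.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Hosts file: anything beyond comments and the loopback entries deserves a look
#    on a machine that suddenly cannot reach google.com.
$unexpected = Get-Content -LiteralPath $hostsPath | Where-Object {
    $_.Trim() -ne '' -and
    $_.Trim() -notmatch '^#' -and
    $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
}
if ($unexpected) {
    Write-Host "Non-default hosts entries:"
    $unexpected | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "hosts file contains only the default loopback entries"
}

# 2. DNS: which servers each enabled adapter uses, and what www.google.com resolves to.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    Write-Host ("{0}: DNS {1}" -f $_.Description, ($_.DNSServerSearchOrder -join ', '))
}
try {
    $addrs = [System.Net.Dns]::GetHostAddresses('www.google.com') |
        ForEach-Object { $_.IPAddressToString }
    Write-Host "www.google.com -> $($addrs -join ', ')"
} catch {
    Write-Host "www.google.com did not resolve: $($_.Exception.Message)"
}

# 3. Drivers: running kernel drivers whose file is missing or whose signature does not verify.
Get-WmiObject Win32_SystemDriver -Filter "State = 'Running'" | ForEach-Object {
    $path = $_.PathName
    if ($path) {
        # WMI reports paths as \??\C:\..., \SystemRoot\System32\..., or System32\drivers\...
        # (assumed forms; normalise them to a plain drive-letter path)
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }
    }
    if (-not $path -or -not (Test-Path -LiteralPath $path)) {
        Write-Host ("{0}: driver file not found ({1})" -f $_.Name, $_.PathName)
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            Write-Host ("{0}: {1} -> {2}" -f $_.Name, $path, $sig.Status)
        }
    }
}
```

Treat a NotSigned result as a lead rather than a verdict: on older Windows versions many in-box drivers are signed through a catalog file rather than an embedded signature, and older PowerShell releases report those as NotSigned. A driver whose file cannot be found on disk while it is reported as running, or a hosts entry redirecting a search engine, is the kind of finding worth reporting back in the thread alongside the tool logs.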

@ kissagain
The captcha requirement in the avast forums is an anti-spammer measure, but it is only for the first 3 posts. After that you should be OK in the forums without having to go to the library.

Essexboy
I have one question before I proceed. For the custom scan, do I copy "Code: [Select]" or only the text that is in the lavender box?
kissagain

That is correct; if you click the underlined Select it will highlight the necessary text for you to copy.

essexboy
Yesterday I proceeded with the process you wanted of me.
I ran the OTL “RUN FIX” with the custom scan. It ran for over an hour, when my computer screen went into sleep mode and my desktop closed. I was not able to log on to my computer screen again. I had to perform a “hard” shutdown. I then left it off until today, at which time I ran the OTL Quick Scan and have now attached that report. After running the OTL Quick Scan I downloaded and began the TDSSKiller.exe program. It ran for almost 4 hrs when I left home to come to the library for this reply. (I will abort it when I get home.) When I left, it seemed it was still at the same point it was shortly after I left home: processed 4 objects and still on the same object (something like C:\WINDOWS\systems32\ASPI **** not sure the rest).
I will await your reply.
Should I rerun TDSSKiller.exe?
Thanks
kissa

Hmm, that seems a tad weird.

Could you go direct to the ComboFix stage please, but when you download ComboFix rename it to Gotcha, as something is a tad hinky here that is not showing in the normal scans.

essexboy,
Again, I seem to have another problem. I ran ComboFix (after download, I named it Gotcha). It got stuck at a point that says “Completed Stage_48” (still open and stuck, on my computer), obviously without a log (I even checked).
Thanks
kissa

Could you stop ComboFix please. Reboot to safe mode and then retry from there.

I rebooted into safe mode, choosing the command prompt mode. Then I had further options. I then selected Microsoft Windows, which brought me to a Windows logon with only the admin icons. I logged on, which then opened a command prompt window. I entered the command “run” then the path for “gotcha.exe” (on the desktop). I got a return msg saying, "‘run’ is not recognized as an internal or external command, operable program or batch file."
It has been a long time since I have used commands within a prompt mode.
Please explain for me to get to where I need to go to run the “gotcha.exe” (ComboFix.exe renamed as previously directed)
I have shut down my computer at home and will be waiting for a hopeful quick reply here.
Thank you,
kissagain

When you get to the safe mode menu, select “Safe Mode with Networking”.
This will then bring you to the Windows desktop and you can run it from there.

essexboy,
I was able to get ComboFix to run in safe mode. However, again, it ran up to the same point and produced no log … “Completed stage_48”.
(FYI - able to now post from home without the CAPTCHA)
kissagain

OK, these JS files are causing a problem… So reboot to normal Windows and run an OTL scan.
Then do not reboot until I give you the next fix… I will be here for a while.

essexboy,
I didn’t understand why I hadn’t gotten a reply sooner (didn’t notice the “page 2”) but finally found it a little while ago.
I have done another “Run Scan” with the OTL and have attached the log here.
kissagain

No problem, you will be amazed at how many times I miss page 2.

How is the computer behaving now?

My printing is still getting a “communication not available” msg and my sound has not returned. I try “google.com” and I get a “404 Not found”… no changes that I notice, but I’m not sure how much could be wrong either. I have not gotten any of the "Malicious URL Blocked" msgs for a while either (even before making contact with you, only periodically), with the exception of a few days ago.

The other msg that I had pop up within my “problem period” was also the Malicious URL one, but it was “Object: JS: Script JP-inf[trj] Process: C:\windows\system32\svchost.exe” (“Process” and “Object” may be in the wrong order). I have recently found my paper with this info, but it has been quite a while since having that popup.

Let's run a repair on the main system files; this could take up to 30 minutes to run.

Download Windows Repair (All in One) from this site.

Install the programme, then run it.

https://dl.dropbox.com/u/73555776/waio%20start.JPG

Go to Step 3 and allow it to run SFC.

https://dl.dropbox.com/u/73555776/waio%20step3.JPG

On the Start Repairs tab, click Start.

https://dl.dropbox.com/u/73555776/waiostart%20rep.JPG

Select the following items and tick “Restart system when finished”.

https://dl.dropbox.com/u/73555776/waio%20rep%20list.JPG