Unable to Install OTL.Oldtimer

I keep getting "Malicious URL blocked" from Avast when I visit some reliable websites. This happens only from my computer. If I visit these sites when Avast is disabled, I get this fake alarm virus called Windows Security Shield. To get rid of this fake security shield I use RKill and then run Malwarebytes. However, this "Malicious URL blocked" message never stops. So I searched this forum and found a solution by running OTL by OldTimer software. I downloaded the software but I am unable to run it. When I click on the .exe file, I get a security warning window with a Run option. When I click on Run, nothing happens. I tried disabling Avast and Malwarebytes, but still the same. Please help, or let me know whether there is any other software that would solve my "Malicious URL blocked" message issue.

Thank you very much

Follow this guide:
http://forum.avast.com/index.php?topic=53253.0

If you can't run OTL, just skip that step and attach all the other logs here :wink:

Check the information in the first post of this thread, under Virus/Worms, on how to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions of obtaining an MBAM log (make sure you update MBAM first) and the OTL logs (save them as ANSI), and aswMBR log. Post the logs as an attachment (Additional Options > Attach > Post).

I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine after you have provided the logs. Thank you.

Edit: Essexboy has been notified.

Essexboy is on holiday... Jeff notified :wink:

Thanks. I know Jeff will be on holiday soon too.

Thank you. This is the Malwarebytes log file. The last time I did a scan was last night. This log file is from a quick scan I performed just now. Nothing found.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.03.02

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 6.0.2900.2180
user :: [administrator]

6/3/2012 2:43:35 PM
mbam-log-2012-06-03 (14-43-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 281747
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

I have read those posts you mentioned here about malware removal, but I cannot seem to install OTL. Besides, both Malwarebytes and Avast are not detecting any virus. However, there seems to be a problem because I keep getting the "URL blocked" message when I am online. And if Avast is disabled I immediately get this Windows Security Shield virus and then I have to use RKill. I used to use Avira but moved to Avast only last week. Do you think it would be a good idea if I uninstall Firefox and install it again? There seems to be no issue with my internet provider, because if I go online using my laptop, I don't have this issue. Please help.

Hello, could someone please help??

The malware removers have been notified...
One is in the UK timezone and on vacation at the moment; the other is in the US timezone...
They also have a life besides helping here, so be patient.

Also attach the aswMBR log.
You may also try running OTL from Safe Mode...

Hi,

Could you take a screen shot of the popup you are receiving from Avast please? :slight_smile:

Try to run OTL from Safe Mode and see if it will run through and if so please attach the logs created.

Thank you Jeffce.

Pasted below is the Avast warning I get when I go online. I have inserted spaces in the URL because I don't want anyone to click on it accidentally. I will try to run OTL in Safe Mode and post the result.

Infection Details
URL: a 3. t o p s i t e s t a t s. i n f o /4 0 4 n o t f o u n d
Process: C:\Program Files\Mozilla Firefox\firefox…
Infection: URL:Mal

Thanks again

“Great opportunities to help others seldom come, but small ones surround us every day.”

Hi,

Ok thanks…

Let me know if OTL runs and if so attach the logs. :slight_smile:

Jeffce, OTL doesn't run in Safe Mode either :). I reinstalled Firefox, but the problem continues. Strangely, I just found out that I don't get this warning when I use the Google Chrome browser! But as I said, when I disable Avast I immediately get this Security Shield fake alarm virus. This has been going on for almost a week. I tried scanning with Avira, Avast, and even tried the Panda 2013 Beta version (a bad one). But no result.

Thank you for your time, I really appreciate it.


Hi,

Delete your copy of RKill and then do the following…

RKill

Print out these instructions as we may need to close every window that is open later in the fix.

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested in this guide on another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

Do not reboot your computer after running rkill as the malware programs will start again.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run, then download and try to run another one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

[*]rkill.exe
[*]rkill.com
[*]rkill.scr
[*]WiNlOgOn.exe
[*]uSeRiNiT.exe

Do not reboot your computer after running rkill as the malware programs will start again.

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.

[*]Disable any script blocking protection
[*] Double click dds to run the tool.
[*]When done, two DDS.txt’s will open.
[*]Save both reports to your desktop.

Please include the contents of the following in your next reply:

DDS.txt

Attach.txt

Followed your instructions,

Hope you can see the text

Thank you very much

Hi,

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Hi, thank you.

I followed your instructions. ComboFix started scanning, and after "completed 50" it did not respond for an hour and I did not get any log file. I tried ComboFix again, but now it warned me that an antivirus is running. I have disabled Malwarebytes and Avast. But I see a Windows security alert on my taskbar and I do not know how to disable the Windows Security Center virus protection (AntiVir virus). I disabled the firewall by visiting Control Panel > Security Center, but it doesn't give me an option to disable the virus protection. The link you gave doesn't have any information on it. Please let me know how to disable the Windows Security Center that is on my taskbar. It appeared after I installed the Microsoft Windows Security console.

Since the problem continues should I format my system…?
Thank you so much.

Hello Jeffce,

I ran ComboFix despite the AntiVir Desktop warning. Please look at the ComboFix log file.
Please let me know whether I can deactivate AntiVir Desktop. I am unable to remove it...

Thank you very much

Hi,

While I am reviewing the ComboFix log, please download and run the tool found here >> http://dlpro.antivir.com/package/regcleaner/win32/en/avira_registry_cleaner_en.zip This will remove any remaining parts of the AntiVir Desktop.

If you have any problems let me know…otherwise I will return with the next set of instructions shortly.

Thank you Jeffce.

I ran the Avira registry cleaner successfully last night. Today (Tuesday) I tried to run ComboFix again, just to make sure that no antivirus is detected, and it showed the same warning: AntiVir Desktop. It is part of Windows Security Center, but I am wondering whether it is the virus, because there is no way I can disable it.

I am waiting for your instructions. Thank you.

Hi,

If the warning about AntiVir pops up again in ComboFix, don't worry about it. :slight_smile:

[*]Please open Notepad (Start → Run → type notepad in the Open field → OK) and copy and paste the text present inside the code box below:


ClearJavaCache::

DDS::
uStart Page = hxxp://searchya.com/?chnl=dcom-100&s=0&cr=1189743197&cd=2XzutAtN2Y1L1QzutN0D0TzutBtDtCtBtDyCtDyE

Firefox::
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\kfloyz3k.default\
FF - user.js: extensions.searchya_i.hmpg - true
FF - user.js: extensions.searchya_i.hmpgUrl - hxxp://searchya.com/?chnl=dcom-100&s=0&cr=1189743197&cd=2XzutAtN2Y1L1QzutN0D0TzutBtDtCtBtDyCtDyE
FF - user.js: extensions.searchya_i.dfltSrch - true
FF - user.js: extensions.searchya_i.srchPrvdr - SearchYa!
FF - user.js: extensions.searchya_i.dnsErr - true
FF - user.js: extensions.searchya_i.newTab - true
FF - user.js: extensions.searchya_i.newTabUrl - hxxp://searchya.com/?chnl=dcom-100&s=2&cr=1189743197&cd=2XzutAtN2Y1L1QzutN0D0TzutBtDtCtBtDyCtDyE
FF - user.js: extensions.searchya_i.tlbrSrchUrl - hxxp://searchya.com/?chnl=dcom-100&s=3&cr=1189743197&cd=2XzutAtN2Y1L1QzutN0D0TzutBtDtCtBtDyCtDyE&q=
FF - user.js: extensions.searchya_i.id - c0228bb300000000000000241dd957a4
FF - user.js: extensions.searchya_i.instlDay - 15495
FF - user.js: extensions.searchya_i.vrsn - 1.5.13.0
FF - user.js: extensions.searchya_i.vrsni - 1.5.13.0
FF - user.js: extensions.searchya_i.vrsnTs - 1.5.13.018:50
FF - user.js: extensions.searchya_i.prtnrId - ironsrc
FF - user.js: extensions.searchya_i.prdct - searchya
FF - user.js: extensions.searchya_i.aflt - dcom
FF - user.js: extensions.searchya_i.smplGrp - none
FF - user.js: extensions.searchya_i.tlbrId - base
FF - user.js: extensions.searchya_i.instlRef - dcom-100
FF - user.js: extensions.searchya_i.dfltLng -
FF - user.js: extensions.searchya_i.excTlbr - false

[*]Save this as CFScript.txt and change the “Save as type” to “All Files” and place it on your desktop.

http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
[*]ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
[*]When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
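The CFScript above resets a set of Firefox `user.js` preferences (`extensions.searchya_i.hmpgUrl`, `newTabUrl`, `tlbrSrchUrl`, and the start page) that a search hijacker pointed at searchya.com. The following is an added example, not part of this thread or of any tool mentioned in it, showing how a practitioner could detect the same kind of hijack before asking for a fix script: it parses `user_pref(...)` lines from a Firefox profile's `user.js`/`prefs.js`, picks out the homepage/new-tab/search-URL prefs, and flags any whose host is not on a trusted-domain allowlist. The sample `user.js` text is constructed from the pref names and values in the DDS output above, the `TRUSTED` allowlist is an assumption, and the pref-name suffixes it matches are taken from that output plus standard Firefox pref names.

```python
"""Flag Firefox homepage / new-tab / search prefs that point at an unexpected domain.

Added example for illustration; not the thread's own tooling.
"""
import re
from urllib.parse import urlparse

# Pref-name suffixes used by the searchya_i prefs in the thread's DDS output,
# plus standard Firefox prefs that carry a URL. Matching is case-insensitive.
URL_PREF_SUFFIXES = ("hmpgurl", "newtaburl", "tlbrsrchurl")
BUILTIN_URL_PREFS = {"browser.startup.homepage", "keyword.url", "browser.newtab.url"}

# user_pref("name", value);  or  pref("name", value);
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.*?)\s*\);\s*$')

# Constructed user.js modelled on the thread's DDS lines (assumption: values as shown there).
SAMPLE_USER_JS = """\
// constructed sample, not a real profile
user_pref("browser.startup.homepage", "https://www.google.com/");
user_pref("extensions.searchya_i.hmpg", true);
user_pref("extensions.searchya_i.hmpgUrl", "http://searchya.com/?chnl=dcom-100&s=0&cr=1189743197");
user_pref("extensions.searchya_i.dfltSrch", true);
user_pref("extensions.searchya_i.srchPrvdr", "SearchYa!");
user_pref("extensions.searchya_i.newTabUrl", "http://searchya.com/?chnl=dcom-100&s=2&cr=1189743197");
user_pref("extensions.searchya_i.tlbrSrchUrl", "http://searchya.com/?chnl=dcom-100&s=3&cr=1189743197&q=");
user_pref("extensions.searchya_i.instlDay", 15495);
user_pref("extensions.searchya_i.prtnrId", "ironsrc");
"""

# Assumed allowlist of domains the user legitimately uses for homepage/search.
TRUSTED = ("google.com", "mozilla.org", "bing.com")


def parse_prefs(text):
    """Parse user.js / prefs.js text into {pref_name: value} with typed values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref call
        key, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[key] = raw[1:-1]          # string pref
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"      # boolean pref
        else:
            try:
                prefs[key] = int(raw)       # integer pref
            except ValueError:
                prefs[key] = raw            # leave anything else as raw text
    return prefs


def host_of(url):
    """Return the lower-cased host of a URL; accepts hxxp:// as written in defanged logs."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted):
    """True if host equals a trusted domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def find_hijacked_prefs(prefs, trusted):
    """Return [(pref_name, host)] for URL-valued homepage/new-tab/search prefs
    whose host is not on the allowlist. Non-URL prefs (booleans, ids, names) are skipped."""
    findings = []
    for key, val in prefs.items():
        k = key.lower()
        if not (k in BUILTIN_URL_PREFS or k.endswith(URL_PREF_SUFFIXES)):
            continue
        if not isinstance(val, str):
            continue
        host = host_of(val)
        if host and not is_trusted(host, trusted):
            findings.append((key, host))
    return findings


if __name__ == "__main__":
    # On a real machine, read the profile's user.js / prefs.js instead of SAMPLE_USER_JS.
    for pref, host in find_hijacked_prefs(parse_prefs(SAMPLE_USER_JS), TRUSTED):
        print(f"{pref} -> {host}")
```

Run against the constructed sample, it reports the three searchya.com URL prefs and leaves the google.com homepage alone; the boolean and id prefs (`hmpg`, `dfltSrch`, `instlDay`, `prtnrId`) are part of the same install but carry no URL, so they are left for the remediation script rather than flagged here. Rerunning the same check after a fix is a cheap way to confirm the prefs did not come back on the next browser start.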