Yet another Malicious URL Blocked case

Hi there,

It appears that I’ve also been hit with this nasty trojan/virus, very similar to the one reported here
http://forum.avast.com/index.php?topic=103070.0
I kept getting the messages from these URLs: hxxp://yetanothersheet.com/ hxxp://onceagaincrap.com/ and hxxp://85.195.92.10/
And they are all under the process: \.\globalroot\systemroot\svchost.exe

I accidentally ran OTL first before I ran MWAM and below are the logs:

  1. OTL log before I did the MWAM
  2. Quick scan log from MWAM
  3. Full scan log from MWAM
  4. OTL 2 log after performing MWAM

The pop-up messages persist after these scans; I will post the aswMBR log as soon as it is done.
Thanks very much for your time!

I accidentally ran OTL first before I ran MWAM and below are the logs:
not a problem. ;)

malware removers are notified. it may take hours before one arrives, so be patient

Hi there,

Here is the aswMBR report, thanks again!
Look forward to hearing from you guys.

Hmm looks like Phibar is trying to take over from Sirfef

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

http://dl.dropbox.com/u/73555776/TDSSFront.JPG

[*]Then click on Change parameters.

http://dl.dropbox.com/u/73555776/TDSSConfig.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://dl.dropbox.com/u/73555776/TDSSFound.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

http://dl.dropbox.com/u/73555776/TDSSEnd.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

THEN

[*]Download RogueKiller and save it on your desktop.
[*]Quit all programs
[*]Start RogueKiller.exe.
[*]Wait until Prescan has finished …
[*]Click on Scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png

[*]Wait for the end of the scan.
[*]The report has been created on the desktop.
[*]Click on the Delete button.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png

[*]The report has been created on the desktop.

[*]Next click on the ShortcutsFix

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png

[*]The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

Below is the TDSSKiller report, and it seems that the malicious URL blocked messages have stopped following the reboot after the cure.

09:11:45.0150 3416 TDSS rootkit removing tool 2.8.6.0 Aug 13 2012 17:24:05
09:11:45.0727 3416 ============================================================
09:11:45.0727 3416 Current date / time: 2012/08/15 09:11:45.0727
09:11:45.0727 3416 SystemInfo:
09:11:45.0727 3416
09:11:45.0727 3416 OS Version: 6.1.7601 ServicePack: 1.0
09:11:45.0727 3416 Product type: Workstation
09:11:45.0727 3416 ComputerName: TIM-PC
09:11:45.0727 3416 UserName: Tim
09:11:45.0727 3416 Windows directory: C:\Windows
09:11:45.0727 3416 System windows directory: C:\Windows
09:11:45.0727 3416 Running under WOW64
09:11:45.0727 3416 Processor architecture: Intel x64
09:11:45.0727 3416 Number of processors: 2
09:11:45.0727 3416 Page size: 0x1000
09:11:45.0727 3416 Boot type: Normal boot
09:11:45.0727 3416 ============================================================
09:12:31.0196 3416 BG loaded
09:12:33.0302 3416 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type ‘K0’, Flags 0x00000040
09:12:33.0396 3416 ============================================================
09:12:33.0396 3416 \Device\Harddisk0\DR0:
09:12:33.0396 3416 MBR partitions:
09:12:33.0396 3416 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x1D4C000
09:12:33.0396 3416 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1D5F9C5, BlocksNum 0x38625E6B
09:12:33.0396 3416 ============================================================
09:12:33.0567 3416 C: ↔ \Device\Harddisk0\DR0\Partition2
09:12:34.0004 3416 D: ↔ \Device\Harddisk0\DR0\Partition1
09:12:34.0004 3416 ============================================================
09:12:34.0004 3416 Initialize success
09:12:34.0004 3416 ============================================================
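An added check, not from this thread or from TDSSKiller, that parses the Drive and Partition lines of a TDSSKiller log like the one above and lists the sector ranges no MBR partition covers. A hidden filesystem such as the TDLFS that TDSSKiller later flagged on this disk sits outside any partition, typically at the end of the drive, so uncovered ranges are where a responder looks next; a small trailing gap like the 2048 sectors (1 MiB) this log shows is ordinary partition alignment slack, so the size of a gap, not its presence, is the signal.

```python
import re

# Constructed sample: the Drive and Partition lines from the TDSSKiller log above,
# with the timestamp and PID columns stripped (values unchanged).
SAMPLE_LOG = r"""
Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81
\Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x1D4C000
\Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1D5F9C5, BlocksNum 0x38625E6B
"""

HEX = r"(0x[0-9A-Fa-f]+)"
DRIVE_RE = re.compile(r"Drive \S+ - Size: " + HEX + r".*?SectorSize: " + HEX)
PART_RE = re.compile(r"Partition\d+: MBR, Type " + HEX + r", StartLBA " + HEX + r", BlocksNum " + HEX)

def parse_layout(log_text):
    """Return (total_sectors, [(start_lba, end_lba_exclusive), ...]) sorted by start."""
    total, parts = None, []
    for line in log_text.splitlines():
        m = DRIVE_RE.search(line)
        if m:
            total = int(m.group(1), 16) // int(m.group(2), 16)  # bytes / sector size
            continue
        m = PART_RE.search(line)
        if m:
            start = int(m.group(2), 16)
            parts.append((start, start + int(m.group(3), 16)))
    if total is None or not parts:
        raise ValueError("log has no Drive line or no MBR partition lines")
    return total, sorted(parts)

def unallocated_ranges(total, parts):
    """Sector ranges no partition covers; overlapping partitions are reported separately."""
    gaps, overlaps, cursor = [], [], 0
    for start, end in parts:
        if start > cursor:
            gaps.append((cursor, start))
        elif start < cursor:
            overlaps.append((start, cursor))
        cursor = max(cursor, end)
    if cursor < total:
        gaps.append((cursor, total))
    return gaps, overlaps

def audit(log_text):
    """Summarise the layout: total sectors, uncovered ranges, overlaps, and trailing slack."""
    total, parts = parse_layout(log_text)
    gaps, overlaps = unallocated_ranges(total, parts)
    trailing = gaps[-1][1] - gaps[-1][0] if gaps and gaps[-1][1] == total else 0
    return {"total_sectors": total, "gaps": gaps, "overlaps": overlaps, "trailing_sectors": trailing}

if __name__ == "__main__":
    for start, end in audit(SAMPLE_LOG)["gaps"]:
        print(f"unallocated sectors {start:#x}-{end:#x} ({end - start} sectors)")
```

The leading gap reported here (sector 0 up to the first partition) is where the MBR and any bootkit code live; the trailing gap is where a TDL-style hidden filesystem would be stored.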

attached are the RogueKiller reports

OK, could you attach the entire TDSSKiller log please? It will be at C:\TDSSKiller date and time

Also could I have a fresh OTL quickscan with all users selected

Here are the TDSSKiller full logs

Here is the fresh OTL quick scan from all users.

OK whilst I look at the OTL log

Re-run TDSSKiller with the same parameters, then when the following is displayed select Delete:

\Device\Harddisk0\DR0 ( TDSS File System )

\Device\Harddisk0\DR0 ( TDSS File System ) is deleted now.

Done

How is the computer behaving now … Any problems ?

Have not seen the URL blocked message pop-up since the first time I ran TDSSKiller.

Thanks very much for your time and help, is there anything else I should do at this point?

Just run one further scan with MBAM and then

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [emptytemp] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Go to control panel
[*]Select folder options (Appearance > Folder options in category view)
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

[*]Go to this site and click Do I have Java
[*]It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]Go Start > All programs > Accessories > System Tools
[*]Right click Disc cleanup and select run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly. It will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave:

Bad News. I just ran the MBAM again and it picked up another trojan, and I selected remove and rebooted.
And this shows up when I restarted (attached as jpeg).

Please advise~

Where was that detected ? Could you post the MBAM log please

The log was attached in the previous reply along with the picture.
I’m running a full system MBAM scan now and will upload the log if it picks up anything.

I anticipated the svchost which is why I asked you to run MBAM … Maybe I should have explained that… The svchost was being generated by the MBR malware, but with that gone a deletion would see it gone for good

I see, ok I’ve done all the steps and it seems like there is no more malware on my computer, thanks so much once again!