Author Topic: Avast keeps reporting URL:Mal or similar in wscript.exe at startup  (Read 9421 times)

Metzger28

  • Guest
Hello folks,

Got a bit of an odd one here. After being away from my computer for a few days I came back to find that Avast was reporting something along the lines of Url:GEN/Mal2 (the exact designation escapes me and I don't see it in logs) in wscript.exe in c:\Windows\System32, telling me that a "malicious URL has been blocked", almost as soon as the machine loads into Windows.

I'm not sure exactly what is going on as the computer isn't exhibiting any odd behavior, I'm not having issues with redirecting or shortcuts - again, everything seems normal. This just started popping up.

I'm going to begin posting the logs as directed in the sticky thread at the top of the forum in my following replies. Any help as to what might be going on with this would be greatly appreciated!

In the spirit of full disclosure, this comes at a bad time - as of Wednesday night this machine will be out of commission for about two weeks while I move. If this happens and the issue persists, I'll update when it's back online, of course.

Thanks!
-Metzger
« Last Edit: January 26, 2014, 11:06:29 PM by Metzger28 »

Metzger28

  • Guest
Re: Avast keeps reporting Gen/Mal2 or similar in wscript.exe at startup
« Reply #1 on: January 26, 2014, 10:01:11 PM »
Log from MalwareBytes, shows nothing:


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast keeps reporting Gen/Mal2 or similar in wscript.exe at startup
« Reply #2 on: January 26, 2014, 10:01:38 PM »
Hi, I believe I know what it is.

Download Anti VBS/VBE to your desktop

  • download the appropriate version (32 bit or 64 bit) and double click the file to run it.
  • After a couple of seconds (might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
  • Post that report
Be aware this is a very new programme and as such is not recognised by any antivirus or Windows. It is safe, so allow it to run.


THEN

Download OTL to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.


  • Select All Users
  • Select LOP and Purity
  • Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs

Metzger28

  • Guest
Re: Avast keeps reporting Gen/Mal2 or similar in wscript.exe at startup
« Reply #3 on: January 26, 2014, 10:16:05 PM »
Anti-VBS/VBE Log:

(the OTL software is scanning currently)

Metzger28

  • Guest
Re: Avast keeps reporting Gen/Mal2 or similar in wscript.exe at startup
« Reply #4 on: January 26, 2014, 10:28:45 PM »
OTL logs:

Offline essexboy

Re: Avast keeps reporting Gen/Mal2 or similar in wscript.exe at startup
« Reply #5 on: January 26, 2014, 10:48:20 PM »
Definitely an odd one as the malware I thought it was is not appearing

Could you attach a screenshot of the alert please


Metzger28

  • Guest
Re: Avast keeps reporting Gen/Mal2 or similar in wscript.exe at startup
« Reply #6 on: January 26, 2014, 11:02:07 PM »
Attached are two screenshots: One of the popup itself,
Another crop of the screen that results after clicking "More details"

I'd post the URL it refers to itself, but, yeah, might be safer just to link an image.

Quick edit: This time it did not appear at start-up, only when I launched Firefox. Note that I do not actually have ANY homepage set on the browser - it opens to a blank tab.

Offline essexboy

Re: Avast keeps reporting URL:Mal or similar in wscript.exe at startup
« Reply #7 on: January 26, 2014, 11:12:59 PM »
Thanks for that data

On completion of this run reboot the computer if it does not do it itself

Let me know if the alert still appears
If not, then run Firefox; is there an alert?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code: [Select]
:Commands
[CREATERESTOREPOINT]

:OTL
FF - prefs.js..extensions.enabledAddons: ich%40maltegoetz.de:1.5.5
FF - prefs.js..network.proxy.http: "95.31.19.43"
FF - prefs.js..network.proxy.http_port: 8080
[2013/12/11 11:34:10 | 000,000,000 | ---D | M] (ProxTube - Unblock YouTube) -- C:\Users\Tony\AppData\Roaming\Mozilla\Firefox\Profiles\ngo56wqi.default\extensions\ich@maltegoetz.de

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
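
An added example, not part of the original thread and not essexboy's or OTL's code: a read-only check of a Firefox `prefs.js` for the two things the fix above removes, a manual HTTP proxy and an enabled add-on nobody recognises. The sample text is constructed; `parse_prefs`, `audit` and the `known@example.invalid` add-on ID are hypothetical names, and `network.proxy.type` is assumed to be present in the profile.

```python
import re
from urllib.parse import unquote

# Constructed prefs.js excerpt. The proxy values and the ProxTube add-on ID are
# the ones in the fix script above; the other two lines are made up.
SAMPLE_PREFS = '''\
user_pref("extensions.enabledAddons", "known%40example.invalid:1.0,ich%40maltegoetz.de:1.5.5");
user_pref("network.proxy.http", "95.31.19.43");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.type", 1);
'''

# One prefs.js entry looks like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Return {pref_name: value} with strings unquoted and ints/bools converted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs

def audit(prefs, known_addons=()):
    """List manual HTTP proxy settings and enabled add-ons not in known_addons."""
    findings = []
    host = prefs.get("network.proxy.http")
    if host:
        # network.proxy.type 1 means manual proxy configuration is in effect.
        state = "active" if prefs.get("network.proxy.type") == 1 else "configured"
        findings.append(("proxy", f"{host}:{prefs.get('network.proxy.http_port')}", state))
    # extensions.enabledAddons is a comma-separated list of URL-encoded id:version.
    for entry in str(prefs.get("extensions.enabledAddons", "")).split(","):
        addon_id = unquote(entry).rsplit(":", 1)[0]
        if addon_id and addon_id not in known_addons:
            findings.append(("addon", addon_id, "review"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_prefs(SAMPLE_PREFS), {"known@example.invalid"}):
        print(finding)
```

Run against a copy of the profile's `prefs.js` while Firefox is closed; the script only reads the file and changes nothing.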

Metzger28

  • Guest
Re: Avast keeps reporting URL:Mal or similar in wscript.exe at startup
« Reply #8 on: January 26, 2014, 11:33:46 PM »
Log file attached. Had to rename it for it to show up in the attach dialog.

No alerts upon launching Firefox this time.
Was this some sort of attempt by someone to monitor my computer? I'm not an expert at this stuff by any means, but that IP address in the fix text originates in Moscow.

Offline essexboy

Re: Avast keeps reporting URL:Mal or similar in wscript.exe at startup
« Reply #9 on: January 26, 2014, 11:39:30 PM »
They were attempting to use you as a spambot (mainly pharmaceuticals) but Avast blocked the attempt. Now where that Firefox extension came from I have no idea. But it was a clever subterfuge using wscript as I was looking elsewhere for the culprit. Must bear that in mind from now on. How is the computer behaving?

Metzger28

  • Guest
Re: Avast keeps reporting URL:Mal or similar in wscript.exe at startup
« Reply #10 on: January 26, 2014, 11:42:53 PM »
Fascinating!

That's just the thing: It never behaved funny at all. Business as usual, no odd slowdowns, no redirecting, none of that wonderful stuff, no unusually high spam counts, pop-ups...

Seems to be good so far!

Offline essexboy

Re: Avast keeps reporting URL:Mal or similar in wscript.exe at startup
« Reply #11 on: January 26, 2014, 11:47:29 PM »
If all is well tomorrow let me know and I will tidy up :)

It never managed to download the spam templates as Avast blocked it, so in a way it was an impotent bit of malware

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Avast keeps reporting URL:Mal or similar in wscript.exe at startup
« Reply #12 on: January 26, 2014, 11:53:29 PM »
Hi Metzger28 and essexboy,

Also the proxy IP address given was rather interesting - free_Russian_Federation_proxy_servers_RU_Moscow_Moscow_City_Russian_Federation used for spam activities - all sorts. Routers used are vulnerable to sshd remote preauth heap corruption (Mikrotik RouterOS sshd (ROSSSH)).
So abusable and therefore that IP is blacklisted here: http://cleantalk.org/blacklists/95.31.19.43

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Metzger28

  • Guest
Re: Avast keeps reporting URL:Mal or similar in wscript.exe at startup
« Reply #13 on: January 27, 2014, 07:08:46 PM »
I went two boots without any issue, yet it appears the problem has returned today. Same popup, same URL.

Offline essexboy

Re: Avast keeps reporting URL:Mal or similar in wscript.exe at startup
« Reply #14 on: January 27, 2014, 07:21:25 PM »
Is this happening on a specific website?

Could you run another OTL scan please