Avast WEBforum

Other => Viruses and worms => Topic started by: ImmanuelX on August 12, 2012, 12:13:55 AM

Title: Malicious URL Blocked Spam.
Post by: ImmanuelX on August 12, 2012, 12:13:55 AM

I've researched it, done what I can to try and fix this and its not getting any better. So I'm coming to you guys to see what you can do. I've had MBAM on my computer for over a year now and run it nearly every week but right when my subscription to Avast was about to run out is when this infection occurred. And it's not going away.

Attached are logs of a full scan with MBAM and a scan from both aswMBR and OTL.

Title: Re: Malicious URL Blocked Spam.
Post by: Pondus on August 12, 2012, 12:47:51 AM

malware removers are notified. it may take several hours before one arrive so be patient

Title: Re: Malicious URL Blocked Spam.
Post by: magna86 on August 12, 2012, 01:53:42 AM

Monitoring  8)

Title: Re: Malicious URL Blocked Spam.
Post by: magna86 on August 12, 2012, 02:08:50 AM

Hello,  :)
You are badly infected +you have lots of PUP , Toolbars...etc installed. This is potentially catastrophic for new infections. So, let start shell we.  ;D

• I will be working on your Malware issues this may or may not solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine.
• If you don't know or understand something, please don't hesitate to ask.
  
• Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc...)
• Please DO NOT run any other tools or scans whilst I am helping you.
  
• It is important that you reply to this thread. Do not start a new topic.
• Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
• Absence of symptoms does not mean that everything is clear.

**************************

Step1


 Re-run OTL.exe.

• Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
  
  

Code: [Select]

:OTL
PRC - [2009/07/13 21:14:45 | 000,020,480 | ---- | M] () -- \\.\globalroot\systemroot\svchost.exe
IE - HKLM\..\URLSearchHook: {6d474053-6aea-476f-af1a-840e7bbd0edb} - C:\Program Files (x86)\Softonic-EngUSA_\prxtbSoft.dll (Conduit Ltd.)
IE - HKLM\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3031760
IE - HKU\S-1-5-21-1488464123-3926200872-980151002-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?l=dis&o=14196
IE - HKU\S-1-5-21-1488464123-3926200872-980151002-1000\..\URLSearchHook: {6d474053-6aea-476f-af1a-840e7bbd0edb} - C:\Program Files (x86)\Softonic-EngUSA_\prxtbSoft.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1488464123-3926200872-980151002-1000\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1488464123-3926200872-980151002-1000\..\SearchScopes\{350468C0-4EA3-4CD1-BB16-C0B608DA0973}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=FWV5&o=14193&src=crm&q={searchTerms}&locale=&apn_ptnrs=FM&apn_dtid=TES002R2US&apn_uid=cdf535b0-52a1-4543-86b7-0dacf4eb59d5&apn_sauid=A005CEDA-81FD-4F18-B01F-E3349EF3DC8E
IE - HKU\S-1-5-21-1488464123-3926200872-980151002-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3031760
FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Google.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O2 - BHO: (no name) - {652853ad-5592-4231-88c6-706613a52e61} - No CLSID value found.
O2 - BHO: (Softonic-EngUSA_ Toolbar) - {6d474053-6aea-476f-af1a-840e7bbd0edb} - C:\Program Files (x86)\Softonic-EngUSA_\prxtbSoft.dll (Conduit Ltd.)
O2 - BHO: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O2 - BHO: (Yontoo) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files (x86)\Yontoo\YontooIEClient.dll (Yontoo LLC)
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {652853ad-5592-4231-88c6-706613a52e61} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Softonic-EngUSA_ Toolbar) - {6d474053-6aea-476f-af1a-840e7bbd0edb} - C:\Program Files (x86)\Softonic-EngUSA_\prxtbSoft.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1488464123-3926200872-980151002-1000\..\Toolbar\WebBrowser: (Softonic-EngUSA_ Toolbar) - {6D474053-6AEA-476F-AF1A-840E7BBD0EDB} - C:\Program Files (x86)\Softonic-EngUSA_\prxtbSoft.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-1488464123-3926200872-980151002-1000\..\Toolbar\WebBrowser: (uTorrentBar Toolbar) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - C:\Program Files (x86)\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-1488464123-3926200872-980151002-1000\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask)

:files
C:\Windows\svchost.exe
ipconfig /flushdns /c

:commands
[purity]
[CREATERESTOREPOINT]
[DRIVES]
[emptytemp]



• Then click the Run Fix button at the top.
  
• Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

****************************

Step2




> Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction. (http://www.bleepingcomputer.com/forums/topic114351.html)

How to disable avast:

• Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  
• In the window that opens on the top right corner, click Settings.
  
• In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
  
  
• Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
  
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Attach log reports ( ComboFix.txt) back to topic.

 

Title: Re: Malicious URL Blocked Spam.
Post by: ImmanuelX on August 12, 2012, 03:48:49 AM

I've tried running OTL a couple of times as you stated and eventually it gets an "OTL.exe error" and both times I go to re-run the program, rather than opening it gives me this message:


Files\Folders moved on Reboot...
File move failed. C:\Users\Jason\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
File\Folder C:\Windows\temp\flaB2DA.tmp not found!

PendingFileRenameOperations files...
[2012/07/28 13:15:06 | 000,000,000 | ---- | M] () C:\Users\Jason\AppData\Local\Temp\FXSAPIDebugLogFile.txt : Unable to obtain MD5
File C:\Windows\temp\flaB2DA.tmp not found!

Registry entries deleted on Reboot...

Title: Re: Malicious URL Blocked Spam.
Post by: ImmanuelX on August 12, 2012, 05:53:54 AM

Alright, got it to work that time. Here's the log.

Title: Re: Malicious URL Blocked Spam.
Post by: magna86 on August 12, 2012, 02:11:56 PM

Im waiting for Combofix's report.

Title: Re: Malicious URL Blocked Spam.
Post by: ImmanuelX on August 12, 2012, 04:16:11 PM

Yeah sorry, I keep trying to work out Combofix. It keeps completing up to Stage 4 but then enters the blue screen of death and restarts my computer. I can't seem to complete it.

Title: Re: Malicious URL Blocked Spam.
Post by: magna86 on August 12, 2012, 04:17:43 PM

Ok, no problem. Delete Combofix and download fresh one. Try tu run Combofix in safe mode.
If you fail to run it, just let me know.  ;)

Title: Re: Malicious URL Blocked Spam.
Post by: ImmanuelX on August 12, 2012, 06:32:25 PM

Alright, got it for ya now. Though I can't open up Mozilla Firefox (which is my main browser) now for some odd reason. Says "Illegal operation attempted on a registry key thats been marked for deletion."

Title: Re: Malicious URL Blocked Spam.
Post by: ImmanuelX on August 12, 2012, 06:34:02 PM

Nevermind that last statement. I got it to work, I use Rocketdock for a sidebar and that's what was messing up, not Firefox.

Title: Re: Malicious URL Blocked Spam.
Post by: magna86 on August 12, 2012, 06:44:55 PM

Quote from: ImmanuelX on August 12, 2012, 06:32:25 PM

"Illegal operation attempted on a registry key thats been marked for deletion."

Only what you need to do is just restart your computer once more.  :D

.........................

>> Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe)  and save it to your desktop

    Execute TDSSKiller.exe by doubleclicking on it.

•     Press Start Scan
  
   
•   If Suspicious object is detected, the default action will be Skip, click on Continue.
   
•   If Malicious objects are found, select Cure.
  

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.





******************************

> Open notepad and copy/paste the text present inside the code box below:

Code: [Select]

KillAll::

Reboot::

ClearJavaCache::

File::
c:\windows\svchost.exe

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Denied: (A 2) (Everyone)
@="FlashProp Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)


Save this as CFScript.txt

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

Title: Re: Malicious URL Blocked Spam.
Post by: ImmanuelX on August 12, 2012, 09:30:10 PM

Well here's the TDSS log, but Combofix didn't supply me with one. Everything went fine, it rebooted and when it produced a log it was completely empty with a message saying it couldn't find some file and asking me I would like to make a new one. Though this log I found seems to be different from the other one so I'm assuming it just misplaced something.

Title: Re: Malicious URL Blocked Spam.
Post by: magna86 on August 13, 2012, 02:23:18 AM

Hm...Combofix dont shows some errors. But it shows some malware activity.

• Re-run TDSSKiller.exe and click on Change parametres.
  
• Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
  
• Click on Start Scan.
  
• If an infected file is detected, the default action will be Cure, click on
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
• Click the Report button and copy/paste the contents of it into your next reply

Note:It will also create a log in the C:\ directory.


************

Step2

• Download AdwCleaner (http://www.general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/2-adwcleaner) (by Xplode) on your desktop.
  
  
  
• Launch it, click on [Search] and wait for the scan.
  
• When the scan ends, a report appears.

Note : This report is also saved to C:\AdwCleaner[R1].txt
Attach here that report.

Title: Re: Malicious URL Blocked Spam.
Post by: ImmanuelX on August 13, 2012, 03:22:23 AM

Well the major infection of my problems is cured. No more pop-ups at all and I can actually close my laptop into sleep mode and reopen it without it coming to an error screen. But I'm gonna stick with you to get a full clean going, taking no risks.

Title: Re: Malicious URL Blocked Spam.
Post by: magna86 on August 13, 2012, 01:04:15 PM

Just litle more...
We must be sure that this malware will not back.

Re-run TDSSKiller as you did before ( with changed parametres ) and use Delete options for this one:

\Device\Harddisk0\DR0 ( TDSS File System )


****************

• Re-run AdwCleaner
  
• Click on the [Delete] Wait for the programme ends.
  The program will close all active programs and out the window with the warning. Click OK to confirm.
  On the next two windows that open ( Informations and Restart required ) click OK
  
• The computer will restart.
• Will open a notepad with the report.
• Copy the contents of that report in the subject.

Note: The report will also be stored on C:\AdwCleaner[S1].txt


*****************************

Re-run Combofix and attach here fresh Combofix.txt log.

Title: Re: Malicious URL Blocked Spam.
Post by: ImmanuelX on August 13, 2012, 05:20:45 PM

Alright, here ya go.

Title: Re: Malicious URL Blocked Spam.
Post by: magna86 on August 13, 2012, 05:33:33 PM

No more malware.  :) Your system is clean.


It is necessary to uninstall the ComboFix :

• Click Start (or (http://amf.mycity.rs/pg/images/VistaStartButton.png)) then Run.
  
  
  On Windows7 or Vista you may use Start Search field if Run is not available.
  
  
• In the line of text type in (Copy) the following:

Code: [Select]

ComboFix /Uninstall

Note that there is a space between "  ComboFix  " and "  /Uninstall  " .

• then click OK (or press Enter ).

Wait for the uninstall process is complete.



>> Re-run OTL and click on CleanUp! button


>> Re-run AdwCleaner and click on Uninstall button

Title: Re: Malicious URL Blocked Spam.
Post by: ImmanuelX on August 13, 2012, 06:31:40 PM

Awesome. All complete. Thanks for your help, much appreciated!