Avast WEBforum

Other => Viruses and worms => Topic started by: Wilke on August 12, 2012, 08:25:35 PM

Title: Avast malicious popups every minute. URL:Mal, Malware-gen
Post by: Wilke on August 12, 2012, 08:25:35 PM

Hello. I am having pretty constant avast popups for the past few hours. The popups are sometimes mentioning websites that are just a string of letters. They are also mentioning URL:mal. Malware -gen moved to host. sometimes it will mention a specific file such as Svchost.exe or something in windows/installer. It seems to be a popular problem today :)

Infection: URL:Mal
Process: C:\Windows\system32\svchost.exe

Infection: win32:malware:gen
Action: Moved to chest
Process: windows\system32\services.exe
 
I have ran MBAM twice, The first time was before I found this forum and I didn't save the log. The second time I found 2 more files which it deleted, But after a reboot I still have the same problems.

I have attatched what I assume are all the necessary logs from the sticky thread.

Thanks.

Title: Re: Avast malicious popups every minute. URL:Mal, Malware-gen
Post by: magna86 on August 12, 2012, 08:29:36 PM

I'l be right back  ;)

Title: Re: Avast malicious popups every minute. URL:Mal, Malware-gen
Post by: magna86 on August 12, 2012, 08:36:47 PM

Ufff...All right. First things first ...  ;D

Step1

Re-run OTL.exe.

• Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
  
  

Code: [Select]

:files
C:\Program Files\Ask.com
C:\Windows\assembly\GAC\Desktop.ini
C:\Windows\Installer\{7491b70d-32ef-857b-14f1-b704bbfeb4ae}
C:\Users\Will and Keiths Pc\AppData\Local\{7491b70d-32ef-857b-14f1-b704bbfeb4ae}
ipconfig /flushdns /c

:OTL
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O2 - BHO: (Yontoo Layers) - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Runtime\YontooIEClient.dll (Yontoo LLC)
O3 - HKLM\..\Toolbar: (uTorrentControl2 Toolbar) - {687578b9-7132-4a7a-80e4-30ee31099e03} - C:\Program Files\uTorrentControl2\prxtbuTor.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
O3 - HKLM\..\Toolbar: (facemoods Toolbar) - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.4.17.11\facemoodsTlbr.dll (facemoods.com)
O3 - HKU\S-1-5-21-1737675118-4025767520-293931746-1001\..\Toolbar\WebBrowser: (uTorrentControl2 Toolbar) - {687578B9-7132-4A7A-80E4-30EE31099E03} - C:\Program Files\uTorrentControl2\prxtbuTor.dll (Conduit Ltd.)
O4 - HKLM..\Run: [ApnUpdater] C:\Program Files\Ask.com\Updater\Updater.exe (Ask)

:commands
[purity]
[CREATERESTOREPOINT]
[emptytemp]


• Then click the Run Fix button at the top.
  
• Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

**********************************


Step2



> Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction. (http://www.bleepingcomputer.com/forums/topic114351.html)

How to disable avast:

• Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  
• In the window that opens on the top right corner, click Settings.
  
• In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
  
  
• Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
  
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Attach log reports ( ComboFix.txt) back to topic.


******************************

Step3

• Download AdwCleaner (http://www.general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/2-adwcleaner) (by Xplode) on your desktop.
  
  
  
• Launch it, click on [Search] and wait for the scan.
  
• When the scan ends, a report appears.

Note : This report is also saved to C:\AdwCleaner[R1].txt
Attach here that report.

Title: Re: Avast malicious popups every minute. URL:Mal, Malware-gen
Post by: Wilke on August 12, 2012, 09:17:15 PM

I'm attaching the first log from OTL. It crashed the system the first time I ran it and I had to reboot. It ran ok the second time, But I am unsure if that has caused any problems with the scan.

The avast pop ups have stopped though, So far, At least.

I'll run the other scans now.

:)

EDIT- Added the combofix and ADWcleaner logs

Title: Re: Avast malicious popups every minute. URL:Mal, Malware-gen
Post by: Wilke on August 12, 2012, 10:08:12 PM

Added all the logs now, Thanks for help so far :)

Title: Re: Avast malicious popups every minute. URL:Mal, Malware-gen
Post by: magna86 on August 13, 2012, 02:12:12 AM

Hi. You are run AdwCleaner before Combofix when you need to do the opposite. (time log so saying)  ;D

Step1

Disable avast:
With this CFScript i will also remove some traces of Symantec AV.

> Open notepad and copy/paste the text present inside the code box below:

Code: [Select]

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000



Save this as CFScript.txt

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

****************************

Step2


Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe)  and save it to your desktop

    Execute TDSSKiller.exe by doubleclicking on it.

•     Press Start Scan
  
   
•   If Suspicious object is detected, the default action will be Skip, click on Continue.
   
•   If Malicious objects are found, select Cure.
  

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.


****************************

Step3

Re-run AdwCleaner, click on Scan ant Attach here fresh logs.