Avast WEBforum

Other => Viruses and worms => Topic started by: thewebguy on September 13, 2012, 11:31:04 PM

Title: URL: MAL cant get rid of it
Post by: thewebguy on September 13, 2012, 11:31:04 PM

Thought I had a grasp of removing a virus, but now I keep getting this popup from avast.

Started with virus hiding all the folders etc. Yadda Yadda I thought it was gone, but now this. Also redirects browser sometimes.

Any help would be awesome!

Windows 7 64bit

Will await instrustions on where to begin again.

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 14, 2012, 12:03:24 AM

Used malwarebytes, spybot, roguekiller and all reporting "clean" or not finding any items of concern. But the Avast popup keeps coming.

Originial issue was: redirects in broser and hidden folders. Originally Avast,Malware, spybot all caught and removed a bunch of items.

Thanks again
Steve

Title: Re: URL: MAL cant get rid of it
Post by: magna86 on September 14, 2012, 12:18:46 AM

Hi,
Follow this instructions for running adwcleaner, OTL and aswMBR.
http://forum.avast.com/index.php?topic=53253.0

Attach here last logs from Malwarebytes; created OTL and aswMBR log.

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 14, 2012, 11:58:54 PM

OK...Ran OTL, but there was no EXTRAS file? Attached the other one.

Tried to run aswMBR and it wont run. (Had same issue trying to run TDSKiller)
I double click, click YES to run it, and nothing every happens.

So I ran Ran RogueKiller. (ran this before contacting you and it did remove/delete/replace some items.)
Attached RogueKiller log.

Awaiting next instructions. :)

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 14, 2012, 11:59:30 PM

attachement roguekiller

Title: Re: URL: MAL cant get rid of it
Post by: magna86 on September 15, 2012, 01:47:20 AM

Hi,



> Download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.

> Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.

How to disable avast:

• Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  
• In the window that opens on the top right corner, click Settings.
  
• In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
  
  
• Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
  
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.



> Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


> When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
  Attach log reports ( ComboFix.txt) back to topic.

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 15, 2012, 03:04:19 PM

took a while, but it ran ???

attached combofix file

Title: Re: URL: MAL cant get rid of it
Post by: magna86 on September 15, 2012, 03:23:36 PM

Hi,

Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.exe)  and save it to your desktop

    Execute TDSSKiller.exe by doubleclicking on it.

•     Press Start Scan
  
   
•   If Suspicious object is detected, the default action will be Skip, click on Continue.
   
•   If Malicious objects are found, select Cure.
  

Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.




***************************
  Step#2 

Open notepad and copy/paste the text present inside the code box below:

Code: [Select]



KillAll::

DDS::
uInternet Settings,ProxyOverride = *.local;192.168.*.*

ClearJavaCache::

Firefox::
FF - ProfilePath - c:\users\spike\AppData\Roaming\Mozilla\Firefox\Profiles\f8jqepio.default\
FF - Ext: My Web Search: m3ffxtbr@mywebsearch.com - %profile%\extensions\m3ffxtbr@mywebsearch.com

RegLock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)







Save this as CFScript.txt

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )

-----------------------------------

Please also attach here:
> C:\Qoobox\ ComboFix-quarantined-files.txt

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 16, 2012, 04:43:11 PM

TDSSKILLER would not run. Tried the TDSSFIX and that failed too...

Ran your script with Combofix (it took a long time to run...) Log Attached.

Title: Re: URL: MAL cant get rid of it
Post by: magna86 on September 16, 2012, 11:56:58 PM

Hi, thewebguy.


Step#1

• Download AdwCleaner (http://www.general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/2-adwcleaner) (by Xplode) on your desktop.
  
• Launch it, click on [Search] and wait for the scan.
  
• When the scan ends, notepad with the report will appears.
• Click on the [Delete] Wait for the programme completes his work.
  The program will close all active programs. Click OK to confirm that.
  On the next two windows that open ( Informations and Restart required ) click OK
  
• The computer will restart and open a notepad ( C:\AdwCleaner[S1].txt ) with the report.
• Save the notepad report on the Desktop
• Please attach here C:\AdwCleaner[S1].txt

Note: The report will also be stored on C:\AdwCleaner[S1].txt [/list]


*********************

Step#2



Ok. I'd like to see a fresh RogueKiller log.

Please, delete (RogueKiller) that you have on your computer, because we will need fresh one:

• Please download RogueKiller (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe) and save to the desktop.
  
• Close all windows and browsers
• Right-click the program and select 'Run as Administrator'
• Press the Scan button.
  
• A report opens on the desktop named - RKreport.txt
  
• Please post it in your next reply.

****************
Step#3



Re-run OTL.exe.

• Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
  
  
  Code: [Select]
  
BASESERVICES
C:\*.* /md5
/md5start
services.*
/md5stop
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c


  • Then click the Run Scan button at the top.
    
  • Let the program run unhindered; it will reboot the system when it is done and open notepad ( OTL.txt) with logreport.
  
  Attach here OTL.txt logreport.

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 17, 2012, 02:50:40 AM

Windows tried to update...so thats good...although the update failed...

Ran the items you said...attached the logs. I see alot of people are starting to see this bugger...

NOTE: ROGUEKILLER DID find 2 items..I DID NOT remove/replace/delete them as you instructions did not say to do that...just an FYI

Title: Re: URL: MAL cant get rid of it
Post by: magna86 on September 17, 2012, 06:42:12 PM

Hi,

Step#1

I see that you have downloaded TDSFix.exe from Symantec.

Code: [Select]

(Symantec Corporation) -- C:\Users\spike\Desktop\tdsfix.exe
Please,be free and run the tool.  Reboot your computer.


Step#2

Re-run OTL.exe.

• Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
  
  

Code: [Select]


:OTL
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{9C91DE74-9191-4202-862D-807C47706800}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd
IE - HKLM\..\SearchScopes\{9C91DE74-9191-4202-862D-807C47706800}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd
IE - HKCU\..\SearchScopes\{9C91DE74-9191-4202-862D-807C47706800}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=uscqd
FF - prefs.js..extensions.enabledItems: m3ffxtbr@mywebsearch.com:1.1
File not found (No name found) -- C:\PROGRAMDATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.5.0.125\IPSFFPLGN
File not found (No name found) -- C:\USERS\SPIKE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\F8JQEPIO.DEFAULT\EXTENSIONS\M3FFXTBR@MYWEBSEARCH.COM
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.

:files
C:\Windows\tasks\Norton Security Scan for spike.job
ipconfig /flushdns /c

:commands
[CREATERESTOREPOINT]
[emptytemp]



• Then click the Run Fix button at the top.
  
• Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

------------------

> Re-run OTL, click on QuickScan and attach here fresh OTL.txt log

******************


Step#3


Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.

• Be sure to disable your security programs
• Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
• A small window should open on your desktop
• if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  
• If nothing unusual is found just press Enter
  
• A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your deskop. Please post the contents of that file.

*****************

Quote

Windows tried to update...so thats good...although the update failed...

We will try to fix that...

Please download Farbar Service Scanner (http://download.bleepingcomputer.com/farbar/FSS.exe) (FSS)  and run it on the computer with the issue.

• Make sure that all options are checked.
  
• Press "Scan".
  
• It will create a log (FSS.txt) in the same directory the tool is run.
• Please attach FSS.txt log to your reply.

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 17, 2012, 10:14:59 PM

Howdy!

TDSSFix did nothing. I double clicked it and waited a few minutes and nothing happened. Restarted computer (tried TDSSKiller...and nothing....

Did other scans as instructed. MBR did see a fake file, but I pressed 'N' as instructed.

See attached logs.

Title: Re: URL: MAL cant get rid of it
Post by: magna86 on September 17, 2012, 11:28:00 PM

That MBR probably belongs to COMPAQ.  My tools only detect nonstandard MBR.  ;)


How's your computer running now?

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 18, 2012, 08:48:08 PM

URL:MAL still being detected.  :(

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 18, 2012, 11:21:29 PM

GOOD NEWS! after being pi**ed off about TDSSSkiller not working and the URL still coming up, I kept playing with it and the tdssfix...long story short, I got tdssskiller to work!! (I had renamed tdssfix and ran it, didnt see anything on screen, re-downloaded from your link and it worked?!?! - Dont ask Dont tell...it just worked)

First run told me to reboot, needed deep scan or something so I did.
Came up with a malicious threat (Rootkit.Boot.SST.b in the physical HDD)

Then ran CURE and rebooted, then ran again...attached all the logs from this. WooHoo!

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 18, 2012, 11:21:55 PM

one more tdsskiller report

Title: Re: URL: MAL cant get rid of it
Post by: magna86 on September 18, 2012, 11:29:54 PM

Sorry for delay in responding. I have been working...

• Re-run TDSSKiller.exe and click on Change parametres.
  
• Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
  
• Click on Start Scan.
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
• Click the Report button and attach the contents of it into your next reply

Note:It will also create a log in the C:\ directory.

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 19, 2012, 12:37:29 AM

Windows updated! Thats a good sign...

Re-ran TDSSSkiller...attached log...2suspects.

Title: Re: URL: MAL cant get rid of it
Post by: magna86 on September 19, 2012, 04:12:35 PM

Yes.

> Delete current Combofix and download fresh one.
Re-run Combofix and attach here fresh Combofix.txt log.

> Re-run MBRCheck and attach here fresh MBRCheck.txt log
if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 19, 2012, 10:12:03 PM

indows updated to SP1 + 73 other updates  :o

MBR Logs attached...

COMBOFIX LOG is attached in 2 parts..it was too big...

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 19, 2012, 10:16:10 PM

combofix part 1

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 19, 2012, 10:18:10 PM

combofix part 2

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 19, 2012, 10:18:46 PM

make that 3 parts...combofix part 3

Title: Re: URL: MAL cant get rid of it
Post by: magna86 on September 19, 2012, 10:27:58 PM

How is your computer running now?

Title: Re: URL: MAL cant get rid of it
Post by: thewebguy on September 20, 2012, 12:39:04 AM

Seems good. No popups and not redirecting.

More windows updates installed successfully, and the machine made some recovery discs for me  ;D

Do you see anything else? Or do we begin to remove all the items we added? oh and THANKS!!!! :)

Title: Re: URL: MAL cant get rid of it
Post by: magna86 on September 20, 2012, 12:36:08 PM

Nice.



It is necessary to uninstall ComboFix :

• Click Start (or (http://amf.mycity.rs/pg/images/VistaStartButton.png)) then Run.
  
  
  On Windows7 or Vista you may use Start Search field if Run is not available.
  
  
• In the line of text type in (Copy) the following:

Code: [Select]

ComboFix /Uninstall

Note that there is a space between "  ComboFix  " and "  /Uninstall  " .

• then click OK (or press Enter ).

Wait for the uninstall process is complete.



> Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.



...be safe  ;)