Author Topic: Malware alert popping up  (Read 7352 times)


hrshovon

  • Guest
Malware alert popping up
« on: January 18, 2014, 11:28:44 PM »
Hello,
I mistakenly tried installing an expansion pack of Hawx 2 and perhaps that's when it happened... Avast started to show pop-ups that it had blocked a malicious site etc. Then I installed Malwarebytes Anti-Malware.... It detected malware and removed it (I think so, since I didn't see anything erroneous in the log and I had to reboot my system). But now Anti-Malware keeps popping up saying that it has stopped a malicious transmission or something, but the process isn't the same every time (Dwm.exe, rundll32, chrome, utorrent).
What should I do?

2014/01/19 03:38:20 +0600   SHOVON-PC   Shovon   MESSAGE   Starting protection
2014/01/19 03:38:20 +0600   SHOVON-PC   Shovon   MESSAGE   Protection started successfully
2014/01/19 03:38:20 +0600   SHOVON-PC   Shovon   MESSAGE   Starting IP protection
2014/01/19 03:38:24 +0600   SHOVON-PC   Shovon   MESSAGE   IP Protection started successfully
2014/01/19 03:51:48 +0600   SHOVON-PC   Shovon   IP-BLOCK   162.210.192.21 (Type: outgoing, Port: 1989, Process: rundll32.exe)
2014/01/19 03:57:51 +0600   SHOVON-PC   Shovon   IP-BLOCK   162.210.192.21 (Type: outgoing, Port: 2245, Process: rundll32.exe)
2014/01/19 04:02:01 +0600   SHOVON-PC   Shovon   IP-BLOCK   162.210.192.21 (Type: outgoing, Port: 2404, Process: chrome.exe)
2014/01/19 04:07:56 +0600   SHOVON-PC   Shovon   IP-BLOCK   162.210.192.21 (Type: outgoing, Port: 2636, Process: chrome.exe)
2014/01/19 04:12:22 +0600   SHOVON-PC   Shovon   IP-BLOCK   77.78.216.231 (Type: outgoing, Port: 23583, Process: utorrent.exe)
2014/01/19 04:13:50 +0600   SHOVON-PC   Shovon   IP-BLOCK   46.243.8.213 (Type: outgoing, Port: 6881, Process: explorer.exe)
2014/01/19 04:13:58 +0600   SHOVON-PC   Shovon   IP-BLOCK   162.210.192.21 (Type: outgoing, Port: 2849, Process: chrome.exe)

This is the output of protection.log.
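To make the blocked-connection pattern in that protection.log easier to read, here is an added Python example (not part of the thread, and not a Malwarebytes tool) that parses the IP-BLOCK lines posted above and groups them by destination. It goes a step beyond the raw log: per blocked IP it collects the hit count, the distinct processes and ports, and the first and last timestamp, then lists destinations that more than one process tried to reach, which is the first thing a responder would want to check. The embedded log excerpt is copied from the post; the regular expression and the field meanings are assumptions about the log format based only on those lines.

```python
"""Group the IP-BLOCK lines of a Malwarebytes protection.log by destination.

Added example, not part of the original thread. The sample lines are the
protection.log excerpt posted above; the parsing and grouping are my own.
"""
import re
from collections import defaultdict

# Constructed from the excerpt posted in the thread (same format, same values).
SAMPLE_LOG = """\
2014/01/19 03:38:20 +0600   SHOVON-PC   Shovon   MESSAGE   Starting protection
2014/01/19 03:38:20 +0600   SHOVON-PC   Shovon   MESSAGE   Protection started successfully
2014/01/19 03:51:48 +0600   SHOVON-PC   Shovon   IP-BLOCK   162.210.192.21 (Type: outgoing, Port: 1989, Process: rundll32.exe)
2014/01/19 03:57:51 +0600   SHOVON-PC   Shovon   IP-BLOCK   162.210.192.21 (Type: outgoing, Port: 2245, Process: rundll32.exe)
2014/01/19 04:02:01 +0600   SHOVON-PC   Shovon   IP-BLOCK   162.210.192.21 (Type: outgoing, Port: 2404, Process: chrome.exe)
2014/01/19 04:07:56 +0600   SHOVON-PC   Shovon   IP-BLOCK   162.210.192.21 (Type: outgoing, Port: 2636, Process: chrome.exe)
2014/01/19 04:12:22 +0600   SHOVON-PC   Shovon   IP-BLOCK   77.78.216.231 (Type: outgoing, Port: 23583, Process: utorrent.exe)
2014/01/19 04:13:50 +0600   SHOVON-PC   Shovon   IP-BLOCK   46.243.8.213 (Type: outgoing, Port: 6881, Process: explorer.exe)
2014/01/19 04:13:58 +0600   SHOVON-PC   Shovon   IP-BLOCK   162.210.192.21 (Type: outgoing, Port: 2849, Process: chrome.exe)
"""

# Assumed layout of one IP-BLOCK line, inferred from the posted excerpt:
# timestamp, host, user, "IP-BLOCK", then "ip (Type: ..., Port: ..., Process: ...)".
IP_BLOCK_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4})\s+"
    r"(?P<host>\S+)\s+(?P<user>\S+)\s+IP-BLOCK\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(?P<direction>\w+),\s*"
    r"Port:\s*(?P<port>\d+),\s*Process:\s*(?P<process>[^)]+)\)\s*$"
)


def parse_ip_blocks(log_text):
    """Return a list of dicts, one per IP-BLOCK line; MESSAGE lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = IP_BLOCK_RE.match(line)
        if m is None:
            continue
        event = m.groupdict()
        event["port"] = int(event["port"])
        events.append(event)
    return events


def summarise_by_ip(events):
    """Per blocked IP: hit count, distinct processes, ports, first and last timestamp."""
    summary = defaultdict(lambda: {"count": 0, "processes": set(), "ports": set(),
                                   "first": None, "last": None})
    for e in events:
        s = summary[e["ip"]]
        s["count"] += 1
        s["processes"].add(e["process"])
        s["ports"].add(e["port"])
        # Timestamps share one format and one UTC offset, so string order is time order.
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    return dict(summary)


def multi_process_destinations(summary):
    """IPs that several different processes tried to reach.

    One blocked destination shared by unrelated programs (here a rundll32 host
    process and a browser) is the pattern to investigate first; a P2P client
    hitting a single blocked peer is a less surprising one-process event.
    """
    return sorted(ip for ip, s in summary.items() if len(s["processes"]) > 1)


if __name__ == "__main__":
    summary = summarise_by_ip(parse_ip_blocks(SAMPLE_LOG))
    for ip, s in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:<16} {s['count']:>2} blocks  processes={sorted(s['processes'])}  "
              f"{s['first'][11:19]} .. {s['last'][11:19]}")
    print("review first:", multi_process_destinations(summary))
```

Run against the excerpt it reports 162.210.192.21 as the only destination reached from more than one process (rundll32.exe and chrome.exe, five blocks in about 22 minutes), while the two other IPs are single events from utorrent.exe and explorer.exe. To use it on a real file, replace SAMPLE_LOG with the contents of protection.log; the regex only recognises lines in the shape shown above and silently skips everything else.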

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76012
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Malware alert popping up
« Reply #1 on: January 18, 2014, 11:30:34 PM »
Please attach your logs (MBAM, OTL and aswMBR)!
Instructions: http://forum.avast.com/index.php?topic=53253.0
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Malware alert popping up
« Reply #2 on: January 18, 2014, 11:31:50 PM »
Monitoring . . .

@ hrshovon
Besides the OTL and aswMBR logs I shall also need the FRST logs ...


Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

hrshovon

  • Guest
Re: Malware alert popping up
« Reply #3 on: January 19, 2014, 02:55:41 PM »
Here are the attached files.
I included the log of the very first run as well, for Malwarebytes Anti-Malware.
For the Farbar Recovery Scan, the file has been attached in the next reply.

hrshovon

  • Guest
Re: Malware alert popping up
« Reply #4 on: January 19, 2014, 02:56:42 PM »
The FRST.txt
« Last Edit: January 19, 2014, 03:47:49 PM by hrshovon »

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Malware alert popping up
« Reply #5 on: January 20, 2014, 03:18:16 PM »
Hi hrshovon,

There is no need to run the tool two times. One will do.

The FRST script (fixlist) shall kill the malware and solve the problem. ComboFix is here for an additional extra check.
PS: do NOT run ComboFix more than one time!!




1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
File: C:\Program Files\i-Funbox DevTeam\ifb_conn.exe
Folder: C:\Program Files\i-Funbox DevTeam
C:\Program Files\ss Supporter\AssistantSvc.dll
C:\Users\Shovon\AppData\Roaming\Mozilla\Firefox\Profiles\oocpruwh.default\Extensions\wldpk-b@ssal-ayouvfe.net
C:\Users\Shovon\AppData\Roaming\Mozilla\Firefox\Profiles\oocpruwh.default\Extensions\firefox@mega.co.nz.xpi
2014-01-18 01:14 - 2014-01-19 03:32 - 00000000 ____D C:\ProgramData\goreattsavear
2014-01-18 01:14 - 2014-01-19 03:32 - 00000000 ____D C:\Program Files\goreattsavear
2014-01-18 01:13 - 2014-01-18 01:15 - 00000000 ____D C:\ProgramData\483a232284efe716
2014-01-18 01:13 - 2014-01-18 01:13 - 00000000 ____D C:\Users\Shovon\AppData\Local\Torch
2014-01-18 01:13 - 2014-01-18 01:13 - 00000000 ____D C:\Users\HomeGroupUser$\AppData\Local\Torch
2014-01-18 01:13 - 2014-01-18 01:13 - 00000000 ____D C:\Users\Guest\AppData\Local\Torch
2014-01-18 01:13 - 2014-01-18 01:13 - 00000000 ____D C:\Users\Administrator\AppData\Local\Torch
AlternateDataStreams: C:\ProgramData\TEMP:DBC416F8
AlternateDataStreams: C:\ProgramData\TEMP:E21CFDE4
MountPoints2: {a9c4af26-4908-11e3-ae5a-806e6f6e6963} - G:\Autorun.exe
MountPoints2: {d730b48e-489f-11e3-b4ef-00030d000001} - I:\setup.exe
MountPoints2: {d730b499-489f-11e3-b4ef-00030d000001} - I:\setup.exe
FF Extension: greatsaver - C:\Users\Shovon\AppData\Roaming\Mozilla\Firefox\Profiles\oocpruwh.default\Extensions\wldpk-b@ssal-ayouvfe.net [2014-01-18]
FF Extension: MEGA - C:\Users\Shovon\AppData\Roaming\Mozilla\Firefox\Profiles\oocpruwh.default\Extensions\firefox@mega.co.nz.xpi [2013-12-12]
R2 43c1b835; C:\Program Files\ss Supporter\AssistantSvc.dll [146768 2014-01-18] ()
U3 aswMBR; \??\C:\Users\Shovon\AppData\Local\Temp\aswMBR.sys [x]
C:\Users\Shovon\AppData\Local\Temp\*.dll
C:\Users\Shovon\AppData\Local\Temp\*.exe
CMD: ipconfig /flushdns
End

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.



================================================
Next . . .

1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:
  • Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shields.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

- ComboFix will display a DISCLAIMER of warranty on software.
By clicking I Agree, ComboFix will continue.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

- If the Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install the Recovery Console.
- ComboFix will scan your computer in stages, a total of 50 stages.
Do not mouse-click around while ComboFix is running.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart your computer.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) back to the topic.


hrshovon

  • Guest
Re: Malware alert popping up
« Reply #6 on: January 20, 2014, 04:25:15 PM »
There they are.
Btw... as soon as I ran ComboFix, I got a program crash message for "iexplore.exe"... is it okay???
My taskbar was gone (maybe because that program turned off explorer.exe)... is it okay too?

hrshovon

  • Guest
Re: Malware alert popping up
« Reply #7 on: January 20, 2014, 04:34:54 PM »
Btw... still getting the Malware Alert message... the process is utorrent.exe

hrshovon

  • Guest
Re: Malware alert popping up
« Reply #8 on: January 20, 2014, 06:26:07 PM »
Ran Malwarebytes again.
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.20.04

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
Shovon :: SHOVON-PC [administrator]

Protection: Enabled

1/20/2014 11:18:33 PM
mbam-log-2014-01-20 (23-18-33).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 310148
Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Shovon\AppData\Local\Temp\utt2F8D.tmp (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.

(end)

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Malware alert popping up
« Reply #9 on: January 20, 2014, 11:53:02 PM »
Hi,

Manually delete this folder: c:\programdata\InstallMate.

FRST has removed the active malware and crapware, and ComboFix has removed some malicious extensions that you had installed afterwards; CF additionally performed a check ...

You are malware free. The posted logs now appear clean and show no signs of active infection, therefore I shall remove the used tools:



The following will implement some post-cleanup procedures:

It is necessary to uninstall ComboFix:
  • Click Start, then Run.
    On Windows 7 or Vista you may use the Start Search field if Run is not available.
  • In the line of text, type in (or copy) the following:
Code:
ComboFix /Uninstall
    Note that there is a space between "ComboFix" and "/Uninstall".
  • Then click OK (or press Enter).
    Wait for the uninstall process to complete.




=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.




Btw,
Quote
C:\Users\Shovon\AppData\Local\Temp\utt2F8D.tmp (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.

This is a leftover; it was created as a result of inattentive installation of legitimate applications that contain a dropper for bad adware.

Quote
still getting the Malware Alert message...the process is utorrent.exe

You should know what this process is. It's uTorrent. Shut down uTorrent or do not use it to download malware or illegal stuff.

This should be it. Cheers,

hrshovon

  • Guest
Re: Malware alert popping up
« Reply #10 on: January 22, 2014, 05:07:07 PM »
I would have been way too happy if this was all...
but again Malwarebytes is showing an alert and the process is explorer.exe

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: Malware alert popping up
« Reply #11 on: January 22, 2014, 05:12:49 PM »
Quote
I would have been way too happy if this was all...
but again Malwarebytes is showing an alert and the process is explorer.exe

Also consider this: http://blog.malwarebytes.org/development/2013/05/oh-the-sites-you-will-never-see/