Topic: go.wvydeo.com infection

REDACTED
go.wvydeo.com infection
« on: November 10, 2014, 09:04:40 AM »
Hello,

Today my Avast began blocking a bunch of malware, the most common of which seems to be http://go.wvydeo.com/resultsa/...., although there are others as well.
The only other problem I noticed was that my system has seemed a bit slower than usual lately, and today it seems that after I install Windows "important" updates (it says successfully), they come up again to be installed.

So I found this forum, followed the steps on the "Logs to assist in cleaning malware" post and:

1. Found that I could not download Malwarebytes using IE (or any of the other suggested software). I get a pop-up titled "Security Alert" that says "Your current security settings do not allow this file to be downloaded". I used Firefox instead and was able to install and run Malwarebytes (log attached). This however did not fix the issue. It seems to be frequently blocking something from fff5ee.com, outbound, from the process "C:\Windows\SysWOW64\dllhost.exe". The IP and port change frequently and sometimes the domain is blank.

2. I used Firefox to download the "Farbar Recovery Scan Tool". I ran it and the logs are attached.

3. I used Firefox to download "aswMBR.exe", but every time I try to run it I get the blue screen of death (copy of the Windows error log attached).

Is there any hope for me?  Next steps?

Thank you!
-Ryan
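
The symptom reported above, an outbound connection from C:\Windows\SysWOW64\dllhost.exe to a changing IP and port, is worth pinning to a specific process instance before any cleanup, because dllhost.exe (the COM Surrogate) is a legitimate Windows binary and several copies normally run at once. The following is an added triage script, not code from the thread or from any of the tools it mentions. It joins the output of `netstat -ano` (present on Windows 7, which has no Get-NetTCPConnection cmdlet) with the Win32_Process list so every TCP connection is tied to the owning image path, command line and parent process. It assumes an elevated PowerShell session (otherwise the path of system processes is not readable) and uses PowerShell 2.0-compatible syntax; the process name is a parameter and defaults to dllhost.exe only because that is the process named in the post.

```powershell
# Added example (not from the thread): tie TCP connections to the process that owns
# them, with path, command line and parent, for a given image name.
# Assumes an elevated session; written for PowerShell 2.0 (Windows 7 default).

function Get-ProcessTcpConnection {
    param([string]$ProcessName = 'dllhost.exe')

    # Index running processes by PID once. Win32_Process supplies the image path,
    # command line and parent PID, which is what separates an ordinary COM Surrogate
    # from a dllhost.exe instance that has been made to host foreign code.
    $byPid = @{}
    foreach ($p in Get-WmiObject Win32_Process) { $byPid[[int]$p.ProcessId] = $p }

    # Keep only TCP rows; UDP rows have no State column, so their field count differs.
    foreach ($line in (netstat -ano | Where-Object { $_ -match '^\s*TCP\s' })) {
        $f = $line.Trim() -split '\s+'          # Proto, Local, Foreign, State, PID
        if ($f.Count -lt 5) { continue }
        $ownerPid = [int]$f[4]
        $proc = $byPid[$ownerPid]
        if (-not $proc -or $proc.Name -ne $ProcessName) { continue }

        # A parent that has already exited is itself a useful detail in triage.
        $parent = $byPid[[int]$proc.ParentProcessId]
        if ($parent) { $parentDesc = "$($parent.Name) ($($parent.ProcessId))" }
        else         { $parentDesc = "(exited) $($proc.ParentProcessId)" }

        New-Object PSObject -Property @{
            PID         = $ownerPid
            Path        = $proc.ExecutablePath
            CommandLine = $proc.CommandLine
            Parent      = $parentDesc
            Local       = $f[1]
            Remote      = $f[2]
            State       = $f[3]
        }
    }
}

# Usage: every TCP connection owned by a dllhost.exe instance, one record per socket.
Get-ProcessTcpConnection -ProcessName 'dllhost.exe' |
    Format-List PID, Path, Parent, CommandLine, Local, Remote, State
```

Read the output for three things: the Path (a dllhost.exe outside C:\Windows\System32 or C:\Windows\SysWOW64 is wrong on its own), the Parent and CommandLine (a COM Surrogate is normally started by svchost.exe with a /Processid:{GUID} argument; anything else deserves a closer look), and the Remote endpoints, which can be compared directly against what Avast and Malwarebytes are blocking. A single snapshot can miss a connection that only lasts a moment, so when the remote address keeps changing run it a few times or loop it with Start-Sleep. On Windows 8 and later the same join is available natively through Get-NetTCPConnection's OwningProcess property.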

Pondus
Re: go.wvydeo.com infection
« Reply #1 on: November 10, 2014, 09:16:12 AM »
aswMBR does not run on Win8, if that is what you have.
Now you wait; it may take some hours before the removal team is online.


Asyn
Re: go.wvydeo.com infection
« Reply #2 on: November 10, 2014, 09:17:57 AM »
Quote
aswMBR does not run on Win8, if that is what you have.
The newer versions actually run on W8 and above.
@OP: Try it in safe mode.

REDACTED
Re: go.wvydeo.com infection
« Reply #3 on: November 10, 2014, 03:08:10 PM »
I have Windows 7 Home Premium with Service Pack 1.

I tried running aswMBR in safe mode with networking and had the same issue. I will try running it in safe mode without networking...

Pondus
Re: go.wvydeo.com infection
« Reply #4 on: November 10, 2014, 03:15:50 PM »
No need... the removal experts have other tools that do the same work if they need them.



magna86
Re: go.wvydeo.com infection
« Reply #5 on: November 10, 2014, 04:12:15 PM »
Hi,

Let's start with mighty ComboFix.


1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works, read this guide.

--------------------------------------------------------------------
2. Temporarily disable your antivirus program, usually via a right click on the system tray icon. It may interfere with ComboFix.
If you are unsure how to do this, please read this or this instruction.

Instructions how to disable avast:
• Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn this back on after the cleaning by choosing avast! shield controls > Enable all shields.


--------------------------------------------------------------------
3. Run ComboFix. Then, on the disclaimer window, click the I Agree! button.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

- If the Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install the Recovery Console.
- ComboFix will scan your computer in stages, 50 stages in total.
Do not mouse-click around while ComboFix is running.
- If malware is detected, ComboFix will begin its removal and may need to restart Windows.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart your computer.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
=> Attach the log report (ComboFix.txt) back to the topic.

ComboFix shall also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt).
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

REDACTED
Re: go.wvydeo.com infection
« Reply #6 on: November 11, 2014, 06:02:39 AM »
I was able to complete a scan with aswMBR in safe mode. Log attached.
Also ran ComboFix. Logs attached...

REDACTED
Re: go.wvydeo.com infection
« Reply #7 on: November 11, 2014, 06:22:45 AM »
ComboFix seems to have done some good. I am not seeing the barrage of threats being blocked by MBAM and Avast, and everything seems to be running faster.

It may be too early to declare victory, but we are winning!

Thanks magna86 and crew!

magna86
Re: go.wvydeo.com infection
« Reply #8 on: November 11, 2014, 03:57:37 PM »
Hello,

The malware has been disinfected now. Please run FRST again and post fresh FRST.txt and Addition.txt log reports for reanalysis.

REDACTED
Re: go.wvydeo.com infection
« Reply #9 on: November 12, 2014, 03:12:53 AM »
The new logs are attached.
Should I worry about any theft of login/password or other info from my computer from this infection?

Thanks,
Ryan

magna86
Re: go.wvydeo.com infection
« Reply #10 on: November 13, 2014, 12:23:49 AM »
Hi,

It is always recommended to change your personal passwords, but your malware does not have the mission (to our knowledge) of stealing personal information.


Run this fix and tell me how the computer behaves now.

1. Open Notepad and copy/paste the text inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running it on another machine may damage the operating system.

Code:
CloseProcesses:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-656882943-162664348-3855432940-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
EmptyTemp:
2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
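
The two fixlist lines above tell FRST to clear an Internet Explorer policy key under HKLM and under one user's hive, which FRST flagged as "Policy restriction"; on this machine that is the likely source of the "Your current security settings do not allow this file to be downloaded" prompt that blocked the Malwarebytes download in IE. The script below is an added, read-only audit, not part of the thread and not part of FRST: it lists whatever sits under those keys so you can see what the fix is about to remove, and it goes beyond the fixlist by checking the same relative path under every loaded user hive in HKEY_USERS rather than only the one SID FRST named (an assumption that the policy could have been planted for other accounts too). It assumes an elevated session, uses PowerShell 2.0-compatible syntax, and deletes nothing; leave the removal to the fix as instructed.

```powershell
# Added example (not from the thread or FRST): read-only audit of the IE policy keys
# named in the fixlist, across HKLM and every loaded user hive. Deletes nothing.

function Get-IEPolicyRestriction {
    # PowerShell does not map HKEY_USERS as a drive by default.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    $relative = 'SOFTWARE\Policies\Microsoft\Internet Explorer'
    $roots = @("HKLM:\$relative")

    # Interactive user SIDs look like S-1-5-21-<domain>-<rid>; this skips the
    # *_Classes hives and the built-in service accounts. Only hives of users who are
    # currently logged on are loaded here, which is one reason FRST sees more.
    foreach ($hive in Get-ChildItem HKU:\) {
        if ($hive.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
            $roots += "HKU:\$($hive.PSChildName)\$relative"
        }
    }

    foreach ($root in $roots) {
        # Absence is the normal state on a home PC with no Group Policy applied.
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{
                    Key   = $key.Name
                    Value = $(if ($name -eq '') { '(Default)' } else { $name })
                    Data  = $key.GetValue($name)
                }
            }
        }
    }
}

# Usage: one row per policy value found; an empty result means no IE policy is set.
Get-IEPolicyRestriction | Format-Table Key, Value, Data -AutoSize
```

On a domain-joined machine these keys are legitimately populated by Group Policy, so their presence alone is not evidence of anything; on a standalone home installation like the one in this thread there should be nothing there at all, and values that reinstate themselves after the fix point to something still running that writes them back. Running the audit once before and once after the FRST fix also gives you a concrete check that the fix did what Fixlog.txt says.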


REDACTED
Re: go.wvydeo.com infection
« Reply #11 on: November 13, 2014, 04:52:18 AM »
The computer still seems to be running well.
Here are new logs and the fixlog...

Would you recommend running combofix or any of these other tools on a regular basis?

Thanks,
Ryan

magna86
Re: go.wvydeo.com infection
« Reply #12 on: November 14, 2014, 02:21:00 PM »
Quote
Would you recommend running combofix or any of these other tools on a regular basis?
Not without supervision. ;)

You have Malwarebytes installed on board; you may keep it, update it and perform scans. Tools like ComboFix and FRST (etc.) are advanced tools and they behave differently.




The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

REDACTED
Re: go.wvydeo.com infection
« Reply #13 on: November 15, 2014, 04:59:11 AM »
Thanks again.  Hopefully I won't be back soon!
The Delfix log is attached.
-Ryan