Author Topic: "http:// stats.mydatastatssrv.com/stats.gif?action" infection help  (Read 8335 times)

cruisecontrol49

  • Guest
  I keep getting random malicious pop-ups from Avast with this URL.

  I have downloaded otl, mbam, aswmbr, adwcleaner. I have been running Avast, CCleaner, and Mbam on a regular maintenance basis. Mbam scan shows nothing malicious in quick scan mode.

  ...appreciate any help, thanks for your time and knowledge

Windows 7 home premium
Avast 2014
Firefox

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: "http:// stats.mydatastatssrv.com/stats.gif?action" infection help
« Reply #1 on: March 18, 2014, 08:40:14 AM »
Hey, and welcome to the forum.

Please follow this guide and attach your logs (we need the logs from mbam, otl and aswmbr):

http://forum.avast.com/index.php?topic=53253.0

A malware expert will help you from there.

PS: could you also provide a picture of that Avast popup? It will give the malware expert some more information.
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

cruisecontrol49

  • Guest
Re: "http:// stats.mydatastatssrv.com/stats.gif?action" infection help
« Reply #2 on: March 18, 2014, 05:16:58 PM »
...here is Mbam, I will have to post OTL in a second post. I get a "message body is empty" error when I try to attach them, so I will have to copy & paste. If I try to copy & paste both of them I exceed the character maximum.

...also when I tried to run aswMBR it seemed to freeze at one point in the scanning process. I walked away to wait it out, when I looked back I had a black Windows message that it had shut down improperly. I just let Windows reboot it and I got a desktop popup saying "windows had recovered from an unexpected shutdown". Do I need to try and run aswMBR again?

--------------------------------------------------------------------------------------

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.17.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16521
Bruce (Lenovo) :: BRUCELENOVO-PC [administrator]

3/18/2014 8:38:29 AM
mbam-log-2014-03-18 (08-38-29).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 244616
Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37526
  • Not a avast user
Re: "http:// stats.mydatastatssrv.com/stats.gif?action" infection help
« Reply #3 on: March 18, 2014, 05:21:40 PM »
OTL must be attached... or it will take 10 posts with copy and paste.

You may try to run aswMBR from safe mode.

cruisecontrol49

  • Guest
Re: "http:// stats.mydatastatssrv.com/stats.gif?action" infection help
« Reply #4 on: March 18, 2014, 05:33:13 PM »
thanks for being patient, I'm working on it.

cruisecontrol49

  • Guest
Re: "http:// stats.mydatastatssrv.com/stats.gif?action" infection help
« Reply #5 on: March 18, 2014, 05:48:52 PM »
OTL


cruisecontrol49

  • Guest
Re: "http:// stats.mydatastatssrv.com/stats.gif?action" infection help
« Reply #6 on: March 18, 2014, 06:29:55 PM »
apologize again...I think I've got it right, if not let me know.

I ran aswmbr in safe mode. I have not received any more Avast popups, but I will try to post them if they show up.

thanks again for your patience
« Last Edit: March 18, 2014, 06:43:48 PM by cruisecontrol49 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: "http:// stats.mydatastatssrv.com/stats.gif?action" infection help
« Reply #7 on: March 18, 2014, 07:16:53 PM »
Hi, did you run AdwCleaner on your computer?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-2347637176-146510975-2075407822-1000\..\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}: "URL" = http://blekkosearch.mystart.com/blekkotb_soc/?source=86adbc52&tbp=rbox&toolbarid=blekkotb_soc&u=20120510153B42EDA9559B97E0111B26&q={searchTerms}
FF - prefs.js..extensions.enabledAddons: crossriderapp2258%40crossrider.com:0.94.149
FF - prefs.js..keyword.URL: "http://blekko.com/ws/?source={SourceID}&tbp=url&toolbarid=blekkotb_soc&u=USERGUID&q="
[2014/03/07 14:21:04 | 000,000,000 | ---D | M] ("I Want This") -- C:\Users\Bruce (Lenovo)\AppData\Roaming\Mozilla\Firefox\Profiles\l2xt4udt.default\extensions\crossriderapp2258@crossrider.com
[2014/03/07 14:21:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Bruce (Lenovo)\AppData\Roaming\Mozilla\Firefox\Profiles\l2xt4udt.default\extensions\crossriderapp2258@crossrider.com\extensionData
[2014/03/07 14:21:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Bruce (Lenovo)\AppData\Roaming\Mozilla\Firefox\Profiles\l2xt4udt.default\extensions\crossriderapp2258@crossrider.com\extensionData\plugins
[2014/03/07 14:21:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Bruce (Lenovo)\AppData\Roaming\Mozilla\Firefox\Profiles\l2xt4udt.default\extensions\crossriderapp2258@crossrider.com\extensionData\userCode

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
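
An added example, not part of the post above and not code from OTL or Avast: a read-only check of a Firefox prefs.js for the two preference entries the fix script targets, useful for confirming after the reboot that they are gone. The function names and the SAMPLE text are assumptions constructed for illustration; the preference names and marker strings come from the fix script.

```python
import re
from urllib.parse import unquote

# One Firefox prefs.js entry looks like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Preference names and marker strings taken from the fix script in this thread.
WATCHED_PREFS = ("extensions.enabledAddons", "keyword.URL")
MARKERS = ("crossrider", "blekko")

# Constructed sample prefs.js content (built from the thread's values, not a real file).
SAMPLE = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("extensions.enabledAddons", "crossriderapp2258%40crossrider.com:0.94.149,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:28.0");
user_pref("keyword.URL", "http://blekko.com/ws/?source={SourceID}&tbp=url&toolbarid=blekkotb_soc&u=USERGUID&q=");
"""

def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line; other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        value = m.group(2).strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]  # drop the surrounding quotes of string values
        prefs[m.group(1)] = value
    return prefs

def find_hijacks(text):
    """Return (pref_name, decoded_value) pairs that still carry a marker string."""
    prefs = parse_prefs(text)
    findings = []
    for name in WATCHED_PREFS:
        if name not in prefs:
            continue
        value = prefs[name]
        # enabledAddons is a comma-separated list of URL-encoded "id:version" items
        items = value.split(",") if name == "extensions.enabledAddons" else [value]
        for item in items:
            decoded = unquote(item.strip())
            if any(marker in decoded.lower() for marker in MARKERS):
                findings.append((name, decoded))
    return findings

if __name__ == "__main__":
    for name, value in find_hijacks(SAMPLE):
        print(f"review {name}: {value}")
```
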

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: "http:// stats.mydatastatssrv.com/stats.gif?action" infection help
« Reply #8 on: March 18, 2014, 07:29:21 PM »
I'd say yes given he has it installed.

If you've run it, attach the log(s) in your next reply for Essexboy.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

cruisecontrol49

  • Guest
Re: "http:// stats.mydatastatssrv.com/stats.gif?action" infection help
« Reply #9 on: March 19, 2014, 12:19:00 AM »
Ok...apparently I got trigger happy or confused, there are three AdwCleaner reports

I'm going to go run the fix now

as always... I appreciate your kindness

cruisecontrol49

  • Guest
Re: "http:// stats.mydatastatssrv.com/stats.gif?action" infection help
« Reply #10 on: March 19, 2014, 12:41:29 AM »
I ran the fix and attached the log.

I also attached the details screen from the Avast warning popup. I didn't get a chance to capture the popup, but if it returns I will post it (if you think you need it).

(disregard log attachment, getting the right one now)
« Last Edit: March 19, 2014, 12:44:27 AM by cruisecontrol49 »

cruisecontrol49

  • Guest
Re: "http:// stats.mydatastatssrv.com/stats.gif?action" infection help
« Reply #11 on: March 19, 2014, 01:28:47 AM »
Disregard log attachment in last post...my mistake, and I don't know how to delete posts or attachments

I attached the OTL log from the quick scan.

I tried to post the screenshot from the OTL scan window with this post, but I am being told my attachment is too large.

I wasn't sure if I was running the quick scan with the same ticks and custom data as the original scan... so I ran it the way it opened. If I need to re-run with the original, or a different configuration, let me know.

I will put the OTL quick scan window screenshot in the next post, and you can see if it was configured properly

I'm sorry about the confusion on my part, but I am learning, and I appreciate your patience

cruisecontrol49

  • Guest
Re: "http:// stats.mydatastatssrv.com/stats.gif?action" infection help
« Reply #12 on: March 19, 2014, 01:31:18 AM »
...here is the scan window screenshot as it was configured when I ran the quick scan

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1556
Re: "http:// stats.mydatastatssrv.com/stats.gif?action" infection help
« Reply #13 on: March 19, 2014, 09:07:45 AM »
Hey again, you're doing fine and running what the expert wants you to run, so no problem there. Essexboy will be back later to continue helping you, so just be patient ;)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: "http:// stats.mydatastatssrv.com/stats.gif?action" infection help
« Reply #14 on: March 19, 2014, 03:04:35 PM »
Nope, a quick scan is good. Have the alerts now ceased?