Author Topic: Infected by URL:Mal  (Read 4765 times)

REDACTED

  • Guest
Infected by URL:Mal
« on: March 11, 2018, 10:43:54 AM »
Message that AVAST presents repeatedly in the last couple of days is:
We have safely aborted the asdbjhwjashdfsancbxzv.99lnk.com connection because it was infected by URL:Mal

Process:   C:\Windows\System32\wscript.exe
Gravity:     Low

After running Malwarebytes, HitmanPro and CCleaner
and restarting the computer each time, the issue has NOT been resolved.

Following the instructions of the forum I have run
Farbar Recovery Scan Tool.

Attached are the two files it created.

Can you help me?
Thank you

Offline Pondus

  • Probably Bot
  • Posts: 37591
  • Not a avast user
Re: Infected by URL:Mal
« Reply #1 on: March 11, 2018, 10:45:40 AM »
Malware expert is notified. It may take hours before he is online



URL:Mal = Blacklisted URL or IP
https://www.virustotal.com/#/url/6049bc2991fea0af764bd5d5b0926c93f2d06984e630bf44b76f450d4994363b/detection

« Last Edit: March 11, 2018, 10:51:41 AM by Pondus »

Offline PDI

  • Avast team
  • Full Member
  • Posts: 159
Re: Infected by URL:Mal
« Reply #2 on: March 11, 2018, 10:54:17 AM »
Hi,

please check "C:\Users\usuario\AppData\Roaming\appk\HDAudi.vbs" via virustotal.com.

Add the link to the result of the scan here.

If it's found malicious, remove these files:
C:\Users\usuario\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudi.lnk
C:\Users\usuario\AppData\Roaming\appk\HDAudi.vbs

Regards,
PDI

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • Posts: 820
Re: Infected by URL:Mal
« Reply #3 on: March 11, 2018, 05:37:46 PM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
Startup: C:\Users\usuario\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudi.lnk [2018-03-07]
ShortcutTarget: HDAudi.lnk -> C:\Users\usuario\AppData\Roaming\appk\HDAudi.vbs ()
GroupPolicy: Restriction <==== ATTENTION
CHR HKU\S-1-5-21-1161662491-1988502887-1330458484-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1161662491-1988502887-1330458484-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mjbepbhonbojpoaenhckjocchgfiaofo] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lkeklglhcgdafkfiiagmabcogjapcklc] - C:\Program Files (x86)\HDvidCodec.com\HDvidCodecCR10.crx <not found>
Task: {23E065A7-A76B-44F0-8C04-34613B0DE03A} - System32\Tasks\{47EF6CE7-8056-417B-A80B-873D09B60DA1} => C:\Users\usuario\AppData\Local\Temp\is-IO6G9.tmp\XRD Manager.exe <==== ATTENTION
Task: {40E0D075-7A94-4CAD-878E-1D5CE679C58A} - System32\Tasks\0 => c:\program files (x86)\internet explorer\iexplore.exe  <==== ATTENTION
Task: C:\WINDOWS\Tasks\{47EF6CE7-8056-417B-A80B-873D09B60DA1}.job => C:\Users\usuario\AppData\Local\Temp\is-IO6G9.tmp\XRD Manager.exe /exenoupdates  /exelang 3082 /noprereqs  /qr   AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ TRANSFORMS=:3082 AI_PREREQFILES=C:\Users\usuario\AppData\Local\Temp\{47EF6CE7-8056-417B-A80B-873D09B60DA1}\drivers64.msi AI_PREREQDIRS=C:\Users\usuario\AppData\Local\Temp AI_SETUPEXEPATH=C:\Users\usuario\AppData\Local\Temp\is-IO6G9.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\usuario\AppData\Local\Temp\is-IO6G9.tmp <==== ATTENTION
VirusTotal: C:\Users\usuario\AppData\Roaming\appk\HDAudi.vbs;C:\Users\usuario\AppData\Local\Temp\is-IO6G9.tmp\XRD Manager.exe;c:\program files (x86)\internet explorer\iexplore.exe
C:\Users\usuario\AppData\Roaming\appk\HDAudi.vbs
C:\Program Files (x86)\HDvidCodec.com
C:\Users\usuario\AppData\Local\Temp\is-IO6G9.tmp
C:\Users\usuario\AppData\Roaming\appk
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left of the Save button)
  • Save it as fixlist.txt on the Desktop
  • Open FRST again and click the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
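
The fixlist above is built by hand from the FRST log: the Startup shortcut and the ShortcutTarget line that resolves it to a .vbs under AppData (which is why the URL:Mal alert names wscript.exe as the process), the two scheduled tasks FRST marked ATTENTION, a VirusTotal: line listing the executables to hash (PDI's check in Reply #2), and then the files and folders to delete. The script below, an added example that is not part of this thread or of FRST, automates that triage: it parses the Startup:/ShortcutTarget:/Task: lines, flags targets that are script files or live under AppData (or that FRST already flagged), and renders fixlist.txt in the same syntax. The log sample is constructed from the entries quoted above plus one benign task to show what is not flagged; SCRIPT_EXT, USER_WRITABLE and the helper names are this example's own choices.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) log lines.

Added example, not from the original thread or from FRST. Parses the
persistence entries FRST prints (Startup:, ShortcutTarget:, Task:), flags
the ones a responder would hash on VirusTotal and put in fixlist.txt, and
builds the fixlist text in the form used in this thread: log lines copied
verbatim, one "VirusTotal:" line, then bare paths for FRST to delete.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample: the entries quoted in this thread plus one benign task
# (fake GUID) that the heuristic must leave alone.
SAMPLE_FRST = r"""
Startup: C:\Users\usuario\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudi.lnk [2018-03-07]
ShortcutTarget: HDAudi.lnk -> C:\Users\usuario\AppData\Roaming\appk\HDAudi.vbs ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini [2017-09-29]
Task: {23E065A7-A76B-44F0-8C04-34613B0DE03A} - System32\Tasks\{47EF6CE7-8056-417B-A80B-873D09B60DA1} => C:\Users\usuario\AppData\Local\Temp\is-IO6G9.tmp\XRD Manager.exe <==== ATTENTION
Task: {40E0D075-7A94-4CAD-878E-1D5CE679C58A} - System32\Tasks\0 => c:\program files (x86)\internet explorer\iexplore.exe  <==== ATTENTION
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"""

# Extensions the Windows Script Host / shell run as code (assumed list).
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd")
# Anything under the user's profile is writable without admin rights.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)

STARTUP_RE = re.compile(r"^Startup:\s*(?P<path>.+?)\s*(?:\[[^\]]*\])?\s*$")
SHORTCUT_RE = re.compile(r"^ShortcutTarget:\s*(?P<lnk>.+?)\s*->\s*(?P<target>.+?)\s*\([^)]*\)\s*$")
TASK_RE = re.compile(r"^Task:\s*(?P<entry>.+?)\s*=>\s*(?P<target>.+?)\s*(?:<====\s*ATTENTION)?\s*$")


@dataclass
class Finding:
    log_line: str   # verbatim FRST line; copied into fixlist.txt so FRST removes the entry
    target: str     # file the entry executes
    reason: str


def _why_suspicious(target, attention):
    lower = target.lower()
    if lower.endswith(SCRIPT_EXT):
        return "script file run by the Windows Script Host (wscript.exe)"
    if USER_WRITABLE.search(target):
        return "executable under the user's AppData tree"
    if attention:
        return "marked ATTENTION by FRST"
    return None


def triage(frst_text):
    """Return the Findings for every suspicious persistence entry in the log."""
    findings = []
    startup_lines = {}  # shortcut file name -> its Startup: line
    for raw in frst_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STARTUP_RE.match(line)
        if m:
            # Judge the shortcut by what it points at (ShortcutTarget line), not
            # by its own path: the per-user Startup folder is always under AppData.
            name = m.group("path").rsplit("\\", 1)[-1].lower()
            startup_lines[name] = line
            continue
        m = SHORTCUT_RE.match(line)
        if m:
            target = m.group("target")
            why = _why_suspicious(target, False)
            if why:
                lnk_line = startup_lines.get(m.group("lnk").lower())
                if lnk_line:
                    findings.append(Finding(lnk_line, target, why))
                findings.append(Finding(line, target, why))
            continue
        m = TASK_RE.match(line)
        if m:
            target = m.group("target")
            why = _why_suspicious(target, "<==== ATTENTION" in line)
            if why:
                findings.append(Finding(line, target, why))
    return findings


def build_fixlist(findings):
    """Render fixlist.txt: log lines to remove, a VirusTotal: line, then files to delete."""
    lines = [f.log_line for f in findings]
    targets = []
    for f in findings:
        if f.target not in targets:
            targets.append(f.target)
    lines.append("VirusTotal: " + ";".join(targets))
    # Delete only what lives in user-writable space or is a script; a task that
    # points at a system binary (iexplore.exe above) is removed as a task, not as a file.
    lines.extend(t for t in targets if USER_WRITABLE.search(t) or t.lower().endswith(SCRIPT_EXT))
    return "\n".join(lines) + "\n"


def virustotal_url(data):
    """SHA-256 of a file's bytes, in the lookup-URL form used in this thread."""
    return "https://www.virustotal.com/#/file/" + hashlib.sha256(data).hexdigest() + "/detection"


if __name__ == "__main__":
    found = triage(SAMPLE_FRST)
    for f in found:
        print(f"{f.reason}: {f.target}")
    print(build_fixlist(found))
    # On the infected machine: virustotal_url(open(path, "rb").read())
```

Running it prints four findings (the Startup shortcut and its .vbs target, the task launching XRD Manager.exe from Temp, and the task FRST flagged that runs iexplore.exe) and a fixlist equivalent to the one above; the benign GoogleUpdate task and the desktop.ini startup entry are not flagged. Hashing the file locally and looking the hash up is the same check PDI asked for, without uploading the sample first.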

REDACTED

  • Guest
Re: Infected by URL:Mal
« Reply #4 on: March 11, 2018, 08:31:13 PM »
Hi,

please check "C:\Users\usuario\AppData\Roaming\appk\HDAudi.vbs" via virustotal.com.

Add the link to the result of the scan here.

If it's found malicious, remove these files:
C:\Users\usuario\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudi.lnk
C:\Users\usuario\AppData\Roaming\appk\HDAudi.vbs

Regards,
PDI

1. Result of the scan in virustotal.com
https://www.virustotal.com/#/file/7f867b0b5e5958e646f7aae07aec8e2124e74a3c956250b687c79939d237255f/detection

2. Erased the files.
   C:\Users\usuario\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudi.lnk
   C:\Users\usuario\AppData\Roaming\appk\HDAudi.vbs
3. Restarted the computer
4. All Ok
5. Thank you

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • Posts: 820
Re: Infected by URL:Mal
« Reply #5 on: March 11, 2018, 08:39:29 PM »
Post fixlog.txt as you were instructed.

REDACTED

  • Guest
Re: Infected by URL:Mal
« Reply #6 on: March 11, 2018, 08:53:11 PM »
Post fixlog.txt as you were instructed.

Impossible.
When running the program FIX with the file FIXLIST.TXT, Avast considered it a virus and deleted the program.

I prefer not to reinstall FIX.
Thanks for your help.

Offline Pondus

  • Probably Bot
  • Posts: 37591
  • Not a avast user
Re: Infected by URL:Mal
« Reply #7 on: March 11, 2018, 09:01:13 PM »
Right-click the Avast tray icon > Manage shields, pause the shields ... and try again.

« Last Edit: March 11, 2018, 09:04:32 PM by Pondus »