another go.wvydeo.com victim

Avast provided several alerts since ~10-Dec-14 that it blocked the following Malware URLs:
Go.wvydeo.com
c.t.c.adlinker.net
s.vb3k.com
199.115.116.230/redirect_js_new.php…

I noticed memory shot up to 100% when the malware was detected so I pretty much was slowed to a halt. To temporarily resolve this, I disconnected my wireless connection but detection alerted again once I reconnected to the network.

I also ran the Avast Quick Scan and http://www.virustotal.com/index.html, both said no files were infected.

I ran other tests as recommended and attached files. Please let me know if you need anything else in order to help me.

Thanks in advance,
mtrotter2

Hi etiennehoward, :slight_smile:

My name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:

  • Please do not create any new threads on this while we are working on your system as it wastes another volunteer’s time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
  • Please do not install any new software while we are working on this system as it may hinder our process.
  • Malware removal is a complicated process, so don’t stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
  • Please do not try to fix anything without being asked.
  • Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
  • Please print or save the instructions I give you for quick reference. We may be using Safe mode, which will cut you off from the internet, and you will not always be able to access this thread.
  • Back up your data. I will not knowingly suggest any course to you that might damage your system, but sometimes Malware infections are so severe that the only option we have is to re-format and re-install the operating system.
  • If you are confused about any instruction, stop and ask. Do not keep on going.
  • Do not repeat the steps if you face any problems.
  • I am not omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
  • Private Message (PM) me if and only if I have not responded to your thread within three days or your query is off-topic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
  • The fixes are for your system only. Please refrain from using these fixes on other systems as it may do serious damage.

Where did you get this?

2014-12-15 18:56 - 2014-12-15 18:56 - 00002687 ____C () C:\Users\Marshall\Desktop\fixlist.txt

  • Step #1 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    - Open Notepad.exe. Do not use any other text editor software;
    - Copy and Paste the contents inside the code-box to your Notepad:

Start
Closeprocesses:
Emptytemp:
CustomCLSID: HKU\S-1-5-21-2446492379-2231062663-457726658-1008_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
HKU\S-1-5-21-2446492379-2231062663-457726658-1008\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
C:\ProgramData\MakeMarkerFile.exe
CMD: netsh winsock reset
CMD: bitsadmin /Reset /Allusers
End

    - Click on File > Save as...
      - Inside the File Name box type fixlist.txt
      - From the Save as type drop down list, choose All Files
    - Save the file to your Desktop;
    - Re-run FRST.exe and click Fix;
      Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    - After the completion, a log will be produced;
    - Attach the log in your next reply.

  • Step #2 Upload File(s) to Virus-Total
    I want you to upload the following suspicious file(s) to an online virus-scanner to scan.
    - Please go to www.virustotal.com (https://www.virustotal.com/en/)
    - Click on Choose File;
    - Go to C:\Windows\SysWOW64\User32.dll
    - Click on Open;
    - Click on Scan it;
    - Copy and Paste the link of the result page in your reply;


  • Step #3
    Re-run FRST and in the search box type User32.dll. Click on Search File and attach the log when done.

  • Required Log(s):
    - Farbar Tool Log(s):
      - FRST.txt
      - Search.txt
    - VirusTotal Link

    Regards,
    Valinorum

Hi Valinorum,

Thank you for your help.

I’m not sure where you got etiennehoward but that’s not me. Perhaps that’s why you were asking where I got that fixlist.txt you referenced, which is me. Also, not sure this matters but the issues were detected under my son’s log-in. I have not had the issues when logged in under my account as admin.

Anyway, as requested:

  1. FRST log attached

Farbar requested a restart so I’ll complete the other two tasks thereafter.

mtrotter2

Hi Valinorum,

  1. I couldn’t find an infected file, just URL malware detected
  2. Search.txt attached

Regards,
mtrotter2

additional threat detected http://match.basebanner.com

Also, a pop-up that Windows PowerShell has stopped working; snippet attached

thanks,
mtrotter2

Please give me a fresh FRST scan log.

Addition log was defaulted so I included it…

  • Step # Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    - Open Notepad.exe. Do not use any other text editor software;
    - Copy and Paste the contents inside the code-box to your Notepad:

Start
Closeprocesses:
Emptytemp:
CustomCLSID: HKU\S-1-5-21-2446492379-2231062663-457726658-1008_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
HKU\S-1-5-21-2446492379-2231062663-457726658-1008\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
C:\ProgramData\MakeMarkerFile.exe
Replace: C:\Windows\WinSxS\amd64_microsoft-windows-user32_31bf3856ad364e35_6.2.9200.17044_none_262d36dbf7006791\user32.dll C:\Windows\SysWOW64\user32.dll
CMD: netsh winsock reset
CMD: bitsadmin /Reset /Allusers
End

    - Click on File > Save as…
      - Inside the File Name box type fixlist.txt
      - From the Save as type drop down list, choose All Files
    - Save the file to your Desktop;
    - Re-run FRST.exe and click Fix;
      Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    - After the completion, a log will be produced;
    - Attach the log in your next reply.

  • Required Log(s):
    - FRST Fix Log

Regards,
Valinorum
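As an added illustration, not part of this thread and not FRST's own code: a small Python check that scans FRST log lines for the LocalServer32 pattern flagged above (rundll32.exe launching a javascript: URL through mshtml's RunHTMLApplication) and undoes the one-character code-point shift visible in the quoted eval() string. The sample log is constructed from the two entries quoted in this thread plus one constructed benign entry with a placeholder GUID; the shift value of 1 is read off the sample, not a general rule.

```python
import re

# Constructed sample log: the two Poweliks-style LocalServer32 entries quoted in this thread,
# plus one constructed benign CLSID entry (placeholder GUID and path) that the filter must ignore.
SAMPLE_FRST_LOG = r"""
CustomCLSID: HKU\S-1-5-21-2446492379-2231062663-457726658-1008_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
CustomCLSID: HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\LocalServer32 -> "C:\Program Files\Example\example.exe"
HKU\S-1-5-21-2446492379-2231062663-457726658-1008\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
"""

# FRST prints a CLSID server either as "key -> value" or "key: value".
ENTRY_RE = re.compile(r"(?P<key>HK\S*?\\localserver32)(?:\s*->\s*|:\s*)(?P<value>.*)$", re.IGNORECASE)
# The eval() argument as FRST shows it, cut off by FRST's own truncation note or a closing quote.
EVAL_RE = re.compile(r'eval\("(?P<enc>.*?)(?:"|\s\(the data entry has \d+ more characters\)|$)')
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def is_suspicious_localserver32(value: str) -> bool:
    """A COM LocalServer32 value should name an executable; rundll32 running a javascript:
    URL through mshtml's RunHTMLApplication is the fileless pattern the thread labels Poweliks."""
    v = value.lower()
    return "rundll32" in v and ("javascript:" in v or "runhtmlapplication" in v)


def decode_shifted(enc: str, shift: int = 1) -> str:
    """Undo the per-character code-point shift seen in the quoted eval() string
    ('epdvnfou' -> 'document'). The shift of 1 is an assumption taken from this sample."""
    return "".join(chr(ord(c) - shift) for c in enc)


def scan_frst_log(text: str) -> list:
    """Return one finding per LocalServer32 entry whose value looks like the rundll32/javascript loader."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m or not is_suspicious_localserver32(m.group("value")):
            continue
        guid = GUID_RE.search(m.group("key"))
        ev = EVAL_RE.search(m.group("value"))
        findings.append({
            "key": m.group("key"),
            "clsid": guid.group(0) if guid else None,  # None when FRST abbreviated the key
            "decoded": decode_shifted(ev.group("enc")) if ev else None,
        })
    return findings


if __name__ == "__main__":
    for f in scan_frst_log(SAMPLE_FRST_LOG):
        print(f["clsid"], f["key"])
        print("  decoded fragment:", f["decoded"])
```

The decoded fragment starts a document.write of a script tag, which is why the helper treats the CLSID entry, and not a file on disk, as the persistence to remove.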

not happy!

Completed the FRST Fixlog and saved it to the laptop’s desktop. Immediately after that, Mozilla became completely unresponsive: it wouldn’t open, no error message, nothing… I had been using Firefox up to this point.

Tried to open IE and the best I could get was “Not Responding” and it CLOSED AUTOMATICALLY. On reboot/restart, I can’t even F8 for Safe or to revert to the last good configuration!!

Now I have to find a USB stick so I can transfer the FRST to another computer in order to continue here and then try to get my son’s laptop to work properly again…

Did that happen after running the FRST fix or before?

It happened after your last request for the FRST fixlog.

Before this happened, I installed a Samsung SW Update yesterday that included a BIOS update, sound driver and a couple of other things (didn’t seem related to browsers) so I need to check with Samsung on that. I had several restarts during and after the update was completed and was able to use browsers until the last FRST fixlog.

Did you apply the FRST fix? One of your system files was patched by the malware, which may have caused the issue. Can you boot into your PC? Do you have your Windows Installation disk?