Avast and Malwarebytes: malicious website blocked

Recently I clicked on a link in a phony USPS email about a delivery. Shortly after I clicked on AdobeFlashUpdater. Realizing I had viruses I downloaded and ran Malwarebytes Anti-Malware (ScanLog050114). MBAM found 40 objects to quarantine. Soon I started to get many messages from both MBAM and Avast about “Malicious URL Blocked” and “Malicious Website Blocked”.

I followed the instructions on this forum and am attaching my original MBAM log, and the logs that I ran today.

Thank you for your help.

Hi, change any passwords you had. Include banking, social media etc. You have recently had a ZBOT infection. And I’d guess a blackbeard infection. Sit tight and I’ll get someone to help you.

Trojan.FakeDoc, C:\Users\Mike\AppData\Local\kktjwnlw.exe, Quarantined, [c87866e66c0f280ef65ef57f6899ee12],
Spyware.Zbot.ED, C:\Users\Mike\AppData\Local\vexjwvnt.exe, Quarantined, [ec543f0df8838caa130488e7fe03936d],
Spyware.Zbot.ED, C:\Users\Mike\AppData\Local\hlnhrxra.exe, Quarantined, [360a57f566151d190611a1cede2351af],
Spyware.Zbot.ED, C:\Users\Mike\AppData\Local\mraujqbj.exe, Quarantined, [20201834fd7e03338a8d600fff026b95],
Spyware.Zbot.ED, C:\Users\Mike\AppData\Local\qfeivgec.exe, Quarantined, [4ff1f15b661553e3e037d897ab5641bf],
Spyware.Zbot.ED, C:\Users\Mike\AppData\Local\gmkfslqq.exe, Quarantined, [0937c7857704ff3777a0591652afdf21],


Bad.

Zbot info. http://en.wikipedia.org/wiki/Zeus_(Trojan_horse)

Also, disconnect that computer from your network until asked to reconnect. The passwords need to be changed by a known clean computer (Work or something).
I’ve asked someone to come and help you. Please wait until they tell you to do something.
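The helper above reads the MBAM "Files" entries by eye and spots the ZBOT pattern. As an added example (not part of the thread and not Malwarebytes code), here is a small Python parser for that log line format that pulls out family, path, action and id, and flags what the helper flagged: a banking trojan family plus randomly named executables dropped straight into %LOCALAPPDATA%. The sample log is constructed from three lines of the thread plus one made-up PUP entry with a placeholder id.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample: three detection lines copied from the thread's MBAM log
# plus a "Files:" section header and one made-up PUP line with a placeholder id.
SAMPLE_LOG = r"""
Files: 4
Trojan.FakeDoc, C:\Users\Mike\AppData\Local\kktjwnlw.exe, Quarantined, [c87866e66c0f280ef65ef57f6899ee12],
Spyware.Zbot.ED, C:\Users\Mike\AppData\Local\vexjwvnt.exe, Quarantined, [ec543f0df8838caa130488e7fe03936d],
Spyware.Zbot.ED, C:\Users\Mike\AppData\Local\hlnhrxra.exe, Quarantined, [360a57f566151d190611a1cede2351af],
PUP.Optional.AskToolbar.A, C:\Program Files (x86)\AskPartnerNetwork\apntb.dll, Quarantined, [00000000000000000000000000000000],
"""

class Detection(NamedTuple):
    family: str   # MBAM detection name, e.g. Spyware.Zbot.ED
    path: str     # object the detection refers to
    action: str   # Quarantined, No Action Taken, ...
    mbam_id: str  # 32-hex MBAM reference id shown in square brackets

# One "Files" entry: name, path, action, [id], with a trailing comma.
ENTRY_RE = re.compile(
    r"^(?P<family>[^,]+),\s*(?P<path>[^,]+),\s*(?P<action>[^,]+),\s*"
    r"\[(?P<id>[0-9a-f]{32})\],?\s*$", re.IGNORECASE)

# Eight random lowercase letters dropped straight into %LOCALAPPDATA%:
# the naming pattern every ZBOT dropper in the thread's log shares.
RANDOM_LOCAL_EXE = re.compile(r"\\AppData\\Local\\[a-z]{8}\.exe$", re.IGNORECASE)

def parse_mbam_log(text: str) -> List[Detection]:
    """Return parsed detection entries; headers and blank lines are skipped."""
    found = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            found.append(Detection(m["family"], m["path"], m["action"], m["id"].lower()))
    return found

def triage(text: str) -> Dict[str, object]:
    """Summarise a log the way a helper reads it: families, banker present, droppers."""
    dets = parse_mbam_log(text)
    families = Counter(".".join(d.family.split(".")[:2]) for d in dets)
    return {
        "total": len(dets),
        "families": dict(families),
        "banking_trojan": any(d.family.startswith("Spyware.Zbot") for d in dets),
        "droppers": sorted(d.path for d in dets if RANDOM_LOCAL_EXE.search(d.path)),
        "not_quarantined": [d.path for d in dets if d.action != "Quarantined"],
    }
```

Anything listed under "not_quarantined" is the case that still needs attention; a "banking_trojan" hit is the reason for the password-change advice above.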

Hi mcfad,

Let’s start . .

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works, read this guide.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this please read this or this Instruction.

Instructions on how to disable avast:
• Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


  3. Run ComboFix. Then, on the disclaimer window, click the I Agree! button.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
- If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.

  • ComboFix will scan your computer in stages, a total of 50 stages.
    Do not mouse-click around while ComboFix is running.
  • If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    => Attach the log report (ComboFix.txt) back to the topic.

ComboFix shall also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

Thank you very much for your help.

Hi,

This looks much better. ComboFix has targeted the core malware files. We will run this tool one more time, but this time with a CFScript.
When ComboFix and the CFScript finish their cleaning, I want to re-check everything in case something is accidentally left behind, with another tool known as FRST.

Open notepad and copy/paste the text present inside the code box below:

ClearJavaCache::

DirLook::
c:\users\Mike\AppData\Roaming\ManCTL
c:\users\Mike\AppData\Local\ManCTL

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ApnTBMon"=-

KillAll::

Folder::
c:\program files (x86)\AskPartnerNetwork

Firefox::
FF - ProfilePath - c:\users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\cl4f0avu.default
FF - user.js: extentions.webcake.installId - 46292841-23e5-4ce3-994d-fbe5e10b7f99
FF - user.js: extentions.webcake.defaultEnableAppsList - layers/banner,layers/inline,layers/search,layers/shopping,newOffers/wc

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

THEN …
Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

• Double-click to run it. When the tool opens click Yes to the disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

I shut down my computer last night and reconnected the network cable this morning to download and run these applications. I hope that doesn’t negate their results.

Hi,

Feel free to connect the PC to the internet. As I said, ComboFix targeted the core malware files in its initial run (i.e. ComboFix killed the malware; in other words, the malware isn’t active anymore). :wink:

The following script (FixList) shall tell FRST to target some leftovers as well as adware (bad PUP software) leftover registry values…

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Start
File: C:\Windows\system32\mshtml.tlb
C:\Users\Mike\AppData\Local\qqsjuffh
C:\Users\Mike\AppData\Local\niajkbno
C:\Users\Mike\AppData\Local\wkgtgvie
C:\Users\Mike\AppData\Local\xaqgjxpa
C:\ProgramData\PKP_DLeo.DAT
C:\ProgramData\PKP_DLes.DAT
C:\ProgramData\PKP_DLet.DAT
C:\ProgramData\PKP_DLev.DAT
c:\users\Mike\AppData\Local\Temp\_MEI19682
C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\cl4f0avu.default\searchplugins\ask-search.xml
C:\Program Files (x86)\Kaspersky Lab
C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjldcfjmnllhmgjclecdnfampinooman
C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\jagncdcchgajhfhijbbhecadmaiegcmh
C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-664542280-2323827590-422119210-1000\...\Policies\Explorer: []
SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - No File
FF SearchEngineOrder.1: Ask Search
FF SearchPlugin: C:\Users\Mike\AppData\Roaming\Mozilla\Firefox\Profiles\cl4f0avu.default\searchplugins\ask-search.xml
FF HKLM-x32\...\Firefox\Extensions: [virtualKeyboard@kaspersky.ru] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\FFExt\virtualKeyboard@kaspersky.ru
CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjldcfjmnllhmgjclecdnfampinooman\12.0.0.374_0\plugin/npABPlugin.dll No File
CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\jagncdcchgajhfhijbbhecadmaiegcmh\12.0.0.374_0\plugin/npVKPlugin.dll No File
CHR Plugin: (Kaspersky Anti-Virus) - C:\Users\Mike\AppData\Local\Google\Chrome\User Data\Default\Extensions\dchlnpcodkpfdpacogkljefecpegganj\12.0.0.397_0\plugin/npUrlAdvisor.dll No File
CHR HKLM-x32\...\Chrome\Extension: [pjldcfjmnllhmgjclecdnfampinooman] - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2012\ChromeExt\ab.crx [2013-05-07]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
CMD: ipconfig /flushdns
CMD: type C:\Users\Mike\Desktop\Rkill.txt
CMD: type C:\Users\Mike\Desktop\cc_20140412_112648.reg
CMD: DEL %WINDIR%\TEMP\*.* /F /S /Q
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %WINDIR%\TEMP
CMD: RD /S /Q %TEMP%
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait…
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.

FRST.txt attached

mcfad, not good.

Please re-read above post (procedure for creating FixList and running Fix via FRST) and post me FixLog.txt report. :wink:

Sorry about that. I think I ran Scan instead of Fix the first time.

Ok-et :slight_smile: …FRST did its job. How is the situation now?

I have had no evidence of a problem today. The computer feels fast and healthy. You are good and generous. Thank you very much for your help.

Then I will remove my tools. :slight_smile:

The following will implement some post-cleanup procedures:

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

DeleteQuarantine: 

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). There is no need for attaching that log.


It is necessary to uninstall ComboFix:

• Click Start, then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

• In the line of text type in (or copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

• Then click OK (or press Enter).

Wait for the uninstall process to complete.


=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
• Remove disinfection tools
• Create registry backup
• Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Success!