Avast Continuously Blocking 51 sites

First of all let me say thank you in advance for any assistance you can offer.

Also, I want you to know that I really like Avast and have used it for years and think it is an awesome product, particularly because of the Boot scan feature that nobody else has.

But despite having this fully updated software it appears that my Windows 7 Pro 64 bit, IE11/Chrome computer has been infected by some unusual malware.

My browser opened some page (unknown) that quickly closed my browser and restarted the computer. Since then the computer has been running ok (possibly even faster, if that is possible) but every 10 seconds I get an Avast pop-up reporting that it has blocked 51 harmful web pages. The process it reports is C:\Windows32\svchost.exe, the infection URL:Mal, and the sites blocked include rocatto1.me, rotartost17x.me, retraddorotrl.com, rtortern3.boz and others.

I followed the guidelines for collecting logs for cleaning malware and have attached them.
I did replace my username in the logs with *** for privacy.
Malwarebytes was set to include scanning for rootkits and it did find a hacktool that is old and has been on this computer for years, so I do not feel that it has anything to do with this problem (it was used to solve a Windows activation problem I had some time ago, with which Microsoft was no help).
FRST64 was run and the frst.txt is attached but not the additions.txt since it did not generate one.
aswMBR was also run and the

This is new and you are only the second I have seen with this; the first was a few hours ago.

Go to Virustotal
Click Choose File and navigate to C:\Windows\system32\lUADB3XG.dll and select it
Then press scan it
Once it has completed could you copy the link and post it here

THEN

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2582216359-4281994784-1118294055-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
S2 pqn; C:\Windows\system32\lUADB3XG.dll [103792 2015-01-13] (Microsoft Corporation) [File not signed]
NETSVC: pqn -> C:\Windows\system32\lUADB3XG.dll (Microsoft Corporation)
2015-01-13 16:24 - 2015-01-13 16:24 - 00103792 _____ (Microsoft Corporation) C:\Windows\system32\lUADB3XG.dll
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.
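The S2 and NETSVC lines in that fixlist describe a DLL that svchost.exe loads as a service. As an added example that is not part of this thread or the helper's instructions, the PowerShell below audits every svchost-hosted service for its ServiceDll, signature status, vendor string and file timestamp, so an entry like an unsigned DLL dated the day the pop-ups started stands out. It assumes an elevated PowerShell 3 or later on the suspect machine and makes no changes.

```powershell
# Added example, not from the thread: read-only audit of services that svchost.exe hosts.
# Run elevated in PowerShell 3 or later. Nothing here modifies the system.
function Get-SvchostServiceAudit {
    $groups = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $rows = @()
    # Each non-PS* property is a group name (netsvcs, LocalService, ...) holding a list of service names.
    foreach ($group in ($groups.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        foreach ($svc in @($group.Value)) {
            $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
            if (-not (Test-Path $key)) { continue }   # named in the group but no service key
            # ServiceDll normally lives under Parameters; some services keep it on the service key itself.
            $dll = (Get-ItemProperty "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
            if (-not $dll) { $dll = (Get-ItemProperty $key -ErrorAction SilentlyContinue).ServiceDll }
            if (-not $dll) { continue }
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            $file = Get-Item $path -ErrorAction SilentlyContinue
            $vendor = ''; $modified = $null; $sigStatus = 'NoFile'
            if ($file) {
                $vendor    = $file.VersionInfo.CompanyName      # what the DLL claims, e.g. "Microsoft Corporation"
                $modified  = $file.LastWriteTime
                $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status
            }
            $rows += [pscustomobject]@{
                Group     = $group.Name
                Service   = $svc
                Start     = (Get-ItemProperty $key).Start        # 2 = Automatic, as in the "S2 pqn" line
                Signature = $sigStatus
                Vendor    = $vendor
                Modified  = $modified
                Dll       = $path
            }
        }
    }
    $rows
}

# Review everything that is not cleanly signed, newest file first: a DLL with a random-looking name,
# a Microsoft vendor string, no valid signature and a timestamp matching the start of the pop-ups is
# the pattern the fixlist above removed. Caveat: on Windows 7 many genuine Microsoft DLLs are
# catalog-signed and also show NotSigned here, so triage on timestamp and path, not the signature alone.
Get-SvchostServiceAudit |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Modified -Descending |
    Format-Table Group, Service, Start, Signature, Vendor, Modified, Dll -AutoSize
```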

Thank you for the prompt reply.
Oddly, I cannot find “C:\Windows\System32\lUADB3XG.dll”.
It does not appear when looking for it via the file open dialog box when on VirusTotal, and it does not appear in Windows Explorer even after confirming that hidden and protected system files are displayed.
It does appear in the results list when I search for the file name using the Windows Explorer search box, and it reports it as in the location that you expected. It also displays a date and time (yesterday) that is about the time that the problem started.
Should I still run the FRST64 program with the Fixlist that you provided?
Thank you.

Took a chance and ran the FRST64 with the FIXLIST.TXT file you suggested…
Restarted and it seems to have stopped the constant URL:MAL popups.
The Fixlog.txt is attached (with username replaced with ***).
Still unable to find C:\Windows\system32\lUADB3XG.dll via the VirusTotal file open dialog box or Windows Explorer (with hidden and system files displayed), but now also unable to find it via the search box in Windows Explorer.
So I think this is progress!
Thank you.
ps. will keep you posted if it acts up again… had previously run combofix, adwcleaner, mbam, avast boot scan and it seemed ok for two hours before it started with the Avast URL:MAL pop-ups. But keeping my fingers crossed that you fixed it! Thank you.

Could you do me a favour? FRST appears to have killed it :slight_smile:

Could you zip the folder C:\FRST and upload it to a file sharing site for me to collect, as I would like to pass that file on to Avast.

I will upload the files and send you a private message (if this site allows it - first item here) with how to collect it.
I have edited the log files to both replace my user name with *** and to remove some other identifiable information (recently edited folder name and some downloads).
And I am uncomfortable with sending the Hives folder after inspecting the ntuser.dat file and seeing lots of identifiable information, including some secure banking site that I frequent and am not able to publish.
I hope it will still be of some use to you without the Hives folder.
Thank you again for all of your help.

I am more interested in the file and the control set registry keys as they are the ones I will need, so the remainder is of no real interest :slight_smile: But the most important will be the file.

Thank you for doing this… Is the computer behaving now?

If it is, let me know and I will remove the tools.

VirusTotal analysis: https://www.virustotal.com/en/file/daae785a0cd05a51670db140bfb9f81cfefdc6aad31cab65dd680ba0379d0c49/analysis/1421270431/

Thanks again Essexboy.
The computer is working well. No recurrence of the Avast URL:Mal popup all day. Even applied the ‘Patch Tuesday’ updates that took two passes and two reboots, and all is well.
I see that several other people have reported similar trouble and that it seems to have been harder to clean.
So I just want to let you know that before I reached this forum, and not finding any mention of this problem, I rounded up the usual antimalware tools and ran them, including MalwareBytes Free which found nothing, AdwCleaner which found nothing, then Combofix which coughed up a few messages about not being able to replace or delete certain registry items, and then Avast Boot-time scan that found a couple of things. The system then appeared to be ok but the problem came back and I then posted to this forum… Hope that helps you understand this malware a little better.
Thanks again.

ps. Also, in my initial attempt to clean the machine I had run both Rkill and TDSSKiller, neither of which found any problem…

As this is new (I have only seen two cases so far) it is a little trial and error to determine the best way to remove it. But it appears relatively easy to remove at the moment. Hopefully my passing the file along will up the number of people recognising it for what it is :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove Combofix

Click Start then Run.
On Windows 7 or Vista you may use the Start Search field if Run is not available.
In the box copy/paste the following command:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

Then click OK (or press Enter ).
Wait for the uninstall process to complete.

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
Click the very large Download button.
Click Save.
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave: