Avast keeps reporting URL:Mal or similar in wscript.exe at startup

Hello folks,

Got a bit of an odd one here. After being away from my computer for a few days I came back to find that Avast was reporting soemthing along the lines of Url:GEN/Mal2 (the exact designation escapes me and I don’t see it in logs) in wscript.exe in c:\Windows\System32, telling me that a “malicious URL has been blocked”, almost as soon as the machine loads into Windows.

I’m not sure exactly what is going on as the computer isn’t exhibiting any odd behavior, I’m not having issues with redirecting or shortcuts - again, everything seems normal. This just started popping up.

I’m going to begin posting the logs as directed in the sticky thread at the top of the forum in my following replies. Any help as to what might be going on with this would be greatly appreciated!

In the spirit of full disclosure, this comes at a bad time - as of Wednesday night this machine will be out of commission for about two weeks while I move. If this happens and the issue persists, I’ll update when it’s back online, of course.

Thanks!
-Metzger

Log from MalwareBytes, shows nothing:

Hi I believe I know what it is

Download Anti VBS/VBE to your desktop

[]download the appropriate version (32 bit or 64 bit) and double click the file to run it.
[
]After a couple of seconds (might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
[*]Post that report

Be aware this is a very new programme and as such is not recognised by any Antivirus or Windows, it is safe so allow it to run

THEN

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropboxusercontent.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[]Select LOP and Purity
[
]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir “%systemdrive%*” /S /A:L /C
/md5start
rpcss.dll
/md5stop
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

Anti-VBS/VBE Log:

(the OTL software is scanning currently)

OTL logs:

Definitely an odd one as the malware I thought it was is not appearing

Could you attach a screenshot of the alert please

Attached are two screenshots: One of the popup itself,
Another crop of the screen that results after clicking “More details”

I’d post the URL it refers to itself, but, yeah, might be safer just to link an image.

Quick edit: This time it did not appear at start-up, only when I launched Firefox. Note that I do not actually have ANY homepage set on the browser - it opens to a blank tab.

Thanks for that data

On completion of this run reboot the computer if it does not do it itself

Let me know if the alert still appears
If not then run Firefox, is there an alert

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
FF - prefs.js..extensions.enabledAddons: ich%40maltegoetz.de:1.5.5
FF - prefs.js..network.proxy.http: "95.31.19.43"
FF - prefs.js..network.proxy.http_port: 8080
[2013/12/11 11:34:10 | 000,000,000 | ---D | M] (ProxTube - Unblock YouTube) -- C:\Users\Tony\AppData\Roaming\Mozilla\Firefox\Profiles\ngo56wqi.default\extensions\ich@maltegoetz.de

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Log file attached. Had to rename it for it to show up in the attach dialog.

No alerts upon launching Firefox this time.
Was this some sort of attempt by someone to monitor my computer? I’m not an expert at this stuff by any means, but that IP address in the fix text originates in Moscow.

They were attempting to use you as a spambot (mainly pharmaceuticals) but Avast blocked the attempt. Now where that Firefox extension came from I have no idea. But it was a clever subterfuge using wscript as I was looking elsewhere for the culprit. Must bear that in mind from now one… How is the computer behaving

Fascinating!

That’s just the thing: It never behaved funny at all. Business as usual, no odd slowdowns, no redirecting, none of that wonderful stuff, no unusually high spam counts, pop-ups…

Seems to be good so far!

If all is well tomorrow let me know and I will tidy up :slight_smile:

It never managed to download the spam templates as Avast blocked it, so in a way it was an impotent bit of malware

Hi Metzger28 and essexboy,

Also the proxy IP address given was rather interesting - free_Russian_Federation_proxy_servers_RU_Moscow_Moscow_City_Russian_Federation used for spam activities - all sorts. Routers used are vulnerable to sshd remote preauth heap corruption (Mikrotik RouterOS sshd (ROSSSH)).
So abusable and therefore that IP is blacklisted here: http://cleantalk.org/blacklists/95.31.19.43

polonus

I went two boots without any issue, yet it appears the problem has returned today. Same popup, same URL.

Is this happening on a specific website ?

Could you run another OTL scan please

No specific website - when I launch Firefox for the first time to a blank tab, the popup shows up then.

I can run another OTL scan. Same settings as before?

Yes please

OTL logs attached.

Lets check for any adware first

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

Attached. It is [S2] as I ran this program yesterday per (apparently outdated) instructions I found in another thread dealing with a similar issue.