Got a bit of an odd one here. After being away from my computer for a few days I came back to find that Avast was reporting soemthing along the lines of Url:GEN/Mal2 (the exact designation escapes me and I don’t see it in logs) in wscript.exe in c:\Windows\System32, telling me that a “malicious URL has been blocked”, almost as soon as the machine loads into Windows.
I’m not sure exactly what is going on as the computer isn’t exhibiting any odd behavior, I’m not having issues with redirecting or shortcuts - again, everything seems normal. This just started popping up.
I’m going to begin posting the logs as directed in the sticky thread at the top of the forum in my following replies. Any help as to what might be going on with this would be greatly appreciated!
In the spirit of full disclosure, this comes at a bad time - as of Wednesday night this machine will be out of commission for about two weeks while I move. If this happens and the issue persists, I’ll update when it’s back online, of course.
[]download the appropriate version (32 bit or 64 bit) and double click the file to run it.
[]After a couple of seconds (might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
[*]Post that report
Be aware this is a very new programme and as such is not recognised by any Antivirus or Windows, it is safe so allow it to run
[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs
Attached are two screenshots: One of the popup itself,
Another crop of the screen that results after clicking “More details”
I’d post the URL it refers to itself, but, yeah, might be safer just to link an image.
Quick edit: This time it did not appear at start-up, only when I launched Firefox. Note that I do not actually have ANY homepage set on the browser - it opens to a blank tab.
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Log file attached. Had to rename it for it to show up in the attach dialog.
No alerts upon launching Firefox this time.
Was this some sort of attempt by someone to monitor my computer? I’m not an expert at this stuff by any means, but that IP address in the fix text originates in Moscow.
They were attempting to use you as a spambot (mainly pharmaceuticals) but Avast blocked the attempt. Now where that Firefox extension came from I have no idea. But it was a clever subterfuge using wscript as I was looking elsewhere for the culprit. Must bear that in mind from now one… How is the computer behaving
That’s just the thing: It never behaved funny at all. Business as usual, no odd slowdowns, no redirecting, none of that wonderful stuff, no unusually high spam counts, pop-ups…
Also the proxy IP address given was rather interesting - free_Russian_Federation_proxy_servers_RU_Moscow_Moscow_City_Russian_Federation used for spam activities - all sorts. Routers used are vulnerable to sshd remote preauth heap corruption (Mikrotik RouterOS sshd (ROSSSH)).
So abusable and therefore that IP is blacklisted here: http://cleantalk.org/blacklists/95.31.19.43
Please download AdwCleaner by Xplode onto your desktop.
[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.