From "Malware Blocked" problem to worse

I will quote what another user asked because I had the same problem:
"Hi there,

For the past few days I have been receiving constant (pretty much every two minutes) pop-ups screaming “Malware Blocked!” whenever my computer is on. It’s not necessarily linked to any particular website I visit. It happens even when I don’t have Chrome open because I am usually connected to the net in some fashion (email/weather updates etc).

Every time the pop-up quotes the same website:

URL: hxxp://skegnessasc.org/accounts/adminsettings.css
Infection: URL:MAL

I’ve never been on this Skegness site, so I have no clue where this is coming from. A Google search shows that it is a Skegness swimming association website, which has nothing to do with me."

Here goes my part:
I had the same problem. Then I downloaded Malwarebytes’ Anti-Malware, did the scanning and restarted the computer, but it made no difference. The problem was still there. So I decided to restore the system to an earlier time, when I didn’t have this problem.

This, as it seems, only made things worse. At first I couldn’t see the password section, only the mouse. Somehow I managed to log in, but a bunch of .exe errors appeared (like AsusTPLoader.exe, Skype.exe etc.). Adblock on Google Chrome and iTunes aren’t working; I can download things but not install them. Task Manager and Control Panel aren’t reachable, so I can practically do nothing.

Then I did the Avast full scan. It did find one malware, Win32:Malware-gen, and it is sealed now. But when I restarted the computer nothing changed!

Could someone help me? Excuse me for my English, as it isn’t my mother tongue :slight_smile:

If you are able to, follow the instructions here and attach the Farbar Recovery Scan Tool logs: https://forum.avast.com/index.php?topic=53253.0

Essexboy has been notified and will be online tomorrow.

I’m running my computer in safe mode, so I managed to do the logs :slight_smile:

Hi McKiller7,

Here goes my part: I had the same problem. Then [b]I downloaded Malwarebytes' Anti-Malware[/b], did the scanning and restarted the computer, but it made no difference. The problem was still there. So I decided to restore the system to an earlier time, when I didn't have this problem.

This, as it seems, only made things worse. At first I couldn’t see the password section, only the mouse. Somehow I managed to log in, but a bunch of .exe errors appeared (like AsusTPLoader.exe, Skype.exe etc.). Adblock on Google Chrome and iTunes aren’t working; I can download things but not install them. Task Manager and Control Panel aren’t reachable, so I can practically do nothing.

This sounds like a file infector. Could you please post the Malwarebytes log, the part which shows the detected infection. Here is how to export the MBAM log report:

Click on the History tab > Application Logs. Double click on the Scan Log which shows the date and time of just performed scan.

  • Click the Export button at the bottom, and then select ‘Text file (*.txt)’.
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type “mbam” (without quotes) for your scan log name and click Save.
  • A message box “Your file has been successfully exported” should appear; click OK and close the windows.

In the meantime, I shall take a peek into posted FRST logs.

As I used the System Restore function I don’t have the MBAM log. After doing the MBAM scan and restarting, the problem was the same as at the beginning; practically nothing changed (or at least the original problem was not solved). But after doing the system restore it turned into a mini-hell :stuck_out_tongue:

Greetings, neighbour :smiley:

Hello,

The following FixList shall tell FRST to perform some fixes. It shall also clean a lot of junk and temporary files. Tell me how the computer behaves after the execution of this script. :slight_smile:

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box, right click on it and copy. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Start
Folder: C:\wintemp
Folder: C:\Users\Matej\AppData\Local\EmieUserList
Folder: C:\WINDOWS\system32\sru
Hosts:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2820701813-1270350853-680734460-1001\...\MountPoints2: F - "F:\LANLauncher.exe"
HKU\S-1-5-21-2820701813-1270350853-680734460-1001\...\MountPoints2: G - "G:\LANLauncher.exe"
HKU\S-1-5-21-2820701813-1270350853-680734460-1001\...\MountPoints2: {2f65530c-2b7e-11e3-be7c-6c71d992ab06} - "G:\LaunchU3.exe" -a
HKU\S-1-5-21-2820701813-1270350853-680734460-1001\...\MountPoints2: {bbdbd92d-1fe3-11e3-be74-6c71d992ab06} - "F:\fscommand\LS_Start_Launch.cmd"
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC64Loader.dll [232896 2014-07-22] ()
AppInit_DLLs-x32: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC32Loader.dll [187328 2014-07-22] ()
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com/?gd=&ctid=CT3324774&octid=EB_ORIGINAL_CTID&ISID=M9FEBD9DF-004A-4C07-A77C-35658AC445FE&SearchSource=55&CUI=&UM=5&UP=SP9C9F371C-D99F-4B71-A9B9-0731D2595A86&SSPV=
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&utm_medium=amt&utm_campaign=eXQ&utm_content=hp&from=amt&uid=HGSTXHTS541010A9E680_JA1000100H26GP0H26GPX&ts=1379621948
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&utm_medium=amt&utm_campaign=eXQ&utm_content=hp&from=amt&uid=HGSTXHTS541010A9E680_JA1000100H26GP0H26GPX&ts=1379621948
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qvo6.com/?utm_source=b&utm_medium=amt&utm_campaign=eXQ&utm_content=hp&from=amt&uid=HGSTXHTS541010A9E680_JA1000100H26GP0H26GPX&ts=1379621948
SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.qvo6.com/web/?utm_source=b&utm_medium=amt&utm_campaign=eXQ&utm_content=ds&from=amt&uid=HGSTXHTS541010A9E680_JA1000100H26GP0H26GPX&ts=1379621949&type=default&q={searchTerms}
SearchScopes: HKLM - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.qvo6.com/web/?utm_source=b&utm_medium=amt&utm_campaign=eXQ&utm_content=ds&from=amt&uid=HGSTXHTS541010A9E680_JA1000100H26GP0H26GPX&ts=1379621949&type=default&q={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.qvo6.com/web/?utm_source=b&utm_medium=amt&utm_campaign=eXQ&utm_content=ds&from=amt&uid=HGSTXHTS541010A9E680_JA1000100H26GP0H26GPX&ts=1379621949&type=default&q={searchTerms}
SearchScopes: HKLM-x32 - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://search.qvo6.com/web/?utm_source=b&utm_medium=amt&utm_campaign=eXQ&utm_content=ds&from=amt&uid=HGSTXHTS541010A9E680_JA1000100H26GP0H26GPX&ts=1379621949&type=default&q={searchTerms}
SearchScopes: HKCU - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
FF NewTab: hxxp://search.conduit.com/?gd=&ctid=CT3324774&octid=EB_ORIGINAL_CTID&ISID=M9FEBD9DF-004A-4C07-A77C-35658AC445FE&SearchSource=69&CUI=&SSPV=&Lay=1&UM=5&UP=SP9C9F371C-D99F-4B71-A9B9-0731D2595A86
S2 CltMngSvc; C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe [2975168 2014-07-22] () [File not signed]
Task: {18EFE35A-3C03-4CCD-8793-D4E3FCA30692} - System32\Tasks\AmiUpdXp => C:\Users\Matej\AppData\Local\SwvUpdater\Updater.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\AmiUpdXp.job => C:\Users\Matej\AppData\Local\SwvUpdater\Updater.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:56E2E879
EmptyTemp:
C:\Program Files (x86)\SearchProtect
C:\Users\Matej\AppData\Local\SwvUpdater
C:\Users\Matej\AppData\Roaming\iminent
C:\ProgramData\Iminent
C:\ProgramData\eSafe
End

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
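
As an added example (mine, not code from the forum post or from the FRST tool itself): a small Python triage over FRST-style log lines that flags the kinds of entries the fixlist above removes (AppInit_DLLs injection, MountPoints2 autorun entries for removable drives, a scheduled task running from the user profile, an unsigned service, start pages and search scopes hijacked to conduit/qvo6, an alternate data stream) and emits them in the Start … End fixlist layout the thread uses. The sample lines are constructed from the entries quoted above plus two made-up benign controls; the trusted-host allowlist and the user-writable path patterns are assumptions.

```python
"""Triage of FRST-style log lines: flag persistence entries worth a fixlist.

Added example, not part of FRST or of the forum post. SAMPLE_LOG is constructed
from the entries quoted in the thread plus two made-up benign control lines.
"""
import re
from urllib.parse import urlparse

# Constructed sample log (the ControlTask and bing.com lines are invented controls).
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2820701813-1270350853-680734460-1001\...\MountPoints2: F - "F:\LANLauncher.exe"
AppInit_DLLs: C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC64Loader.dll [232896 2014-07-22] ()
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com/?gd=&ctid=CT3324774
SearchScopes: HKCU - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
FF NewTab: hxxp://search.conduit.com/?gd=&ctid=CT3324774
S2 CltMngSvc; C:\Program Files (x86)\SearchProtect\Main\bin\CltMngSvc.exe [2975168 2014-07-22] () [File not signed]
Task: {18EFE35A-3C03-4CCD-8793-D4E3FCA30692} - System32\Tasks\AmiUpdXp => C:\Users\Matej\AppData\Local\SwvUpdater\Updater.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:56E2E879
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\ControlTask => C:\Program Files\ExampleVendor\Update.exe
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
"""

# Assumption: hosts a start page or search scope may legitimately point at.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com", "duckduckgo.com"}
# Assumption: locations a normal user can write to, so a task binary there needs a look.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
# FRST defangs some URLs as hxxp://, so accept both spellings.
URL_RE = re.compile(r"h(?:tt|xx)ps?://\S+", re.IGNORECASE)
BROWSER_KEYS = re.compile(r"Start Page|Default_Page_URL|SearchScopes|NewTab")
SERVICE_LINE = re.compile(r"^[SRU]\d ")  # e.g. "S2 CltMngSvc; ..."


def classify(line: str):
    """Return a short reason if the log line is a persistence entry worth reviewing, else None."""
    s = line.strip()
    if not s:
        return None
    if s.startswith("AppInit_DLLs") and s.split(":", 1)[1].strip():
        return "AppInit_DLLs loads a DLL into every process that maps user32.dll"
    if "\\MountPoints2:" in s:
        return "MountPoints2 autorun entry for a removable drive"
    if s.startswith("Task:") and USER_WRITABLE.search(s):
        return "scheduled task runs a binary from a user-writable location"
    if SERVICE_LINE.match(s) and "[File not signed]" in s:
        return "service binary is not Authenticode-signed"
    if s.startswith("AlternateDataStreams:"):
        return "alternate data stream, a common place to hide a payload"
    if BROWSER_KEYS.search(s):
        m = URL_RE.search(s)
        if m:
            host = urlparse(m.group(0)).netloc.lower()
            if host not in TRUSTED_SEARCH_HOSTS:
                return f"browser page/search hijacked to {host}"
    if re.search(r"\\Run: \[\] => \[X\]", s):
        return "orphaned empty Run value"
    return None


def triage(log_text: str):
    """Return [(reason, line), ...] for every flagged line, in log order."""
    out = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            out.append((reason, line.strip()))
    return out


def to_fixlist(findings, empty_temp: bool = True) -> str:
    """Build a fixlist in the form the thread uses: flagged log lines copied verbatim
    between 'Start' and 'End', optionally followed by the EmptyTemp: directive."""
    body = [line for _, line in findings]
    if empty_temp:
        body.append("EmptyTemp:")
    return "\n".join(["Start", *body, "End"])


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for reason, line in found:
        print(f"[{reason}]\n    {line}")
    print()
    print(to_fixlist(found))
```

Running it flags eight of the eleven sample lines and prints the resulting fixlist; the two control lines and the empty SearchScopes entry pass. Treat the output as hints only: FRST's own `<==== ATTENTION` marker is the same kind of hint, and each flagged binary should still be checked (signature, publisher, install date, hash lookup) before a line goes into a real fixlist, since removing the wrong service or task breaks the machine.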

Greetings magna86 and many thanks!
So I did what you told me to do.
Now I don’t get any .exe errors and I can access Control Panel and Task Manager normally.
I can install programs again and iTunes is running normally.
Although I would say that Google Chrome and my computer aren’t as fast as before. Adblock didn’t work so I reinstalled Adblock and now it’s going well.
Anyway, it seems to me that the biggest part of the problem is solved :slight_smile: Thanks :slight_smile:

Do not add or do anything with your machine at this time other than use it normally. Magna86 needs to remove the tools he put on your machine for removing the malware, so do not leave this thread before he does that. Do you understand? Thank you. :slight_smile:

OK, although I did reinstall Adblock, installed the new version of iTunes and did the Avast scan. I hope it won’t affect anything.

That is why we wait for Magna. He is the malware removal specialist, and he put things on your machine to help remove the malware. So do not make any more changes to your machine until he tells you. OK? You can use it normally, and if it acts strangely (differently), let us know here right away… that means something is wrong. He will want to know if your machine is acting normally again or not.

Hello :slight_smile:

First run this FixList and then re-check … :wink:

1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box, right click on it and copy. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Start
Reboot:
C:\wintemp\*.tmp
C:\Users\Matej\AppData\Local\EmieUserList
End

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.


From normal mode re-run FRST …

  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.

Did as I was told.
Everything seems good to me. :slight_smile:

Hi,

The logs look good as well. You should reset the Firefox browser back to default settings and that should be it.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:

  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old System Restore points and creates a fresh System Restore point after cleaning.

You also might want to take a peek at MCShield. The official thread you may find here:
http://www.mycity.rs/MyCity-Laboratorija/MCShield-v3.html

Official site:
http://www.mcshield.net/

MCShield is an antimalware program designed to prevent infections transmitted via removable drives.

All the best, mate. And use protection … ;D

Regards, :wink:

Many thanks :smiley: I will try out McShield!

You’re welcome. Glad I could help. :wink:

PS: It is incorrect to say McShield because it recalls McAfee Shield (the McShield component) and we do not want that. :slight_smile:
MCShield stands for MyCity (forum) Shield. :smiley:

Cheers,


I have the exact same problem as above; it seems like this forum is the only one that really succeeded in correcting this problem!

I ran MBAM, FRST and aswMBR, but I had an error during the scan of the last one, which made it stop.

Also, I don’t know if it’s related, but I’m not able to uninstall programs. I hope that if I succeed in fixing the URL:Mal problem it will work again; otherwise I’ll try to look for something else.

I really hope that someone will help me,

And like the OP, I’m not a native English speaker, so I apologise for my mistakes.

Hi Stradivarie,

OK, I will assist you. Know that next time you should create your own topic. First, from Control Panel > Programs and Features, you need to uninstall the following PUP program:

Defaulttab

Then …
Please download the Zoek tool by Smeenk from here and save it to your Desktop.
Unpack the archive…

  • Close any open browsers and temporarily disable your antivirus program (if necessary).
    If you are unsure how to do this, please read this or this instruction.

  • Double click on zoek.exe to run the tool. Please wait until the tool starts…
  • Copy the text present inside the code box below and paste it into the large window in the Zoek tool:

Uninstall-List;
FilesRCM;
C:\Users\Ulysse\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\register.exe;i
EmptyFoldersCheck;
EmptyCLSID;
StartupAll;
Defaulttab;u
C:\Windows\System32\Tasks\DTReg;fs
C:\Windows\system32\config\systemprofile\AppData\Roaming\DefaultTab;fs
paoponfhfdfnjgddpnpjkambkcgdaaib;chr
FirefoxLook;
ChromeLook;
EmptyAllTemp;

  • Click on the Run script button.
    Please wait until a log report opens (this can be after a reboot).

  • Save the Notepad file to your Desktop and attach zoek-results.log here.
    Note: It will also create a log in the C:\ directory named “zoek-results.log”.

Thanks for the fast answer!

Here you have the result.

And sorry, I didn’t know I should have created a new topic.

Good. We shall use the Zoek tool one more time to target malware and to perform additional cleaning. Then we shall perform one more ARK (anti-rootkit) scan with Kaspersky’s tool.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
  • Close any open browsers and temporarily disable your antivirus program (if necessary).
    If you are unsure how to do this, please read this or this instruction.

  • Double click on zoek.exe to run the tool. Please wait until the tool starts…
  • Copy the text present inside the code box below and paste it into the large window in the Zoek tool:

C:\Windows\Sysnative\drivers\qqov.sys;i
EmptyFoldersCheck;Delete
iedefaults;http://www.bing.com/
C:\Users\Ulysse\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\register.exe;f
AutoClean;

  • Click on the Run script button.
    Please wait until a log report opens (this can be after a reboot).

  • Save the Notepad file to your Desktop and attach zoek-results.log here.
    Note: It will also create a log in the C:\ directory named “zoek-results.log”.


Please download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.
Confirm the “End User Licence Agreement” and “KSN Statement” dialog boxes by clicking the Accept button.

  • Under Additional options check the boxes next to:
    - Verify Driver Digital Signature
    - Detect TDLFS file system
    - Use KSN to scan objects
  • Press Start Scan.
  • If a Suspicious object is detected, the default action will be Skip; click on Continue.
  • If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the system drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

Thanks again for the fast reply.

Here you have the report.

Edit: Sorry, I thought I had attached it, but it didn’t work and I didn’t check afterwards.