Help with http://debrovorda.com/aa/ bug please.

Seems to be a fairly common issue …

Object: ****://debrovorda.com/aa/
Infection: URL:Mal
Process: C:\Windows\SysWow64\svchost.exe

Object: ****://rumolottra.com/aa/
Infection: URL:Mal
Process: C:\Windows\SysWow64\svchost.exe

I’ve tried some resources to clear this up with no luck. Since I ran MBAM, FRST and aswMBR to get the logs, I haven’t seen the pop-up. But then I’m just now back online, so I’m not sure where it stands.

Attaching logs; hopefully they will make some sense. Any help is sincerely appreciated. Thanks!

Hello,

I shall require the Addition.txt log report as well.

oh sorry forgot that one…

Hello,

It would seem that this is not a home computer, but rather some kind of business computer. Additionally, the user of this PC (you?) has some very bad computer usage habits.

I was considering whether to continue or not, and in this case I’ll make an exception, as it would seem that you have a brand-new piece of malware and I would like to investigate.

1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

File: C:\Sifon\launcher\Launcher.exe
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Hosts:
C:\Windows\system32\suies.dll
C:\Windows\SysWOW64\frphe.dll
C:\Windows\System32\Tasks\{8F2875CD-CA1A-F3DF-62BD-AA460EBAE7BE}
C:\Windows\system32\vwfqzvd.dll
EmptyTemp:

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location, or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you that your version is outdated, please download and run the updated version.
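The fixlist above names four kinds of artefacts: a scheduled task with a bare-GUID name, three DLLs with random-looking names under System32/SysWOW64, an empty Run value in the 32-bit registry view, and a hosts file that the `Hosts:` directive resets. The detections at the top of the thread are attributed to `SysWow64\svchost.exe`, which does not contact arbitrary domains on its own; the usual reading is that something has been loaded into a service host, which is why the fixlist removes DLLs rather than an executable. Below is an added triage script, not part of this thread and not FRST's own tooling, that enumerates those same artefact classes so they can be reviewed (and hashed for a helper) before anything is deleted. It assumes Windows 8 / PowerShell 4 or later for `Get-ScheduledTask` and `Get-FileHash`, an elevated prompt, and uses the paths and GUID exactly as they appear in the fixlist.

```powershell
# Added triage script: not part of the forum thread or of FRST. Lists the kinds of
# artefacts the fixlist targets so they can be reviewed before removal.
# Assumes Windows 8 / PowerShell 4+ (Get-ScheduledTask, Get-FileHash) and an elevated prompt.

# 1. Scheduled tasks whose name is a bare GUID, like {8F2875CD-CA1A-F3DF-62BD-AA460EBAE7BE}.
#    Legitimate software rarely names tasks this way; adware and droppers often do.
$guidName = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
Get-ScheduledTask | Where-Object { $_.TaskName -match $guidName } | ForEach-Object {
    [pscustomobject]@{
        Task    = $_.TaskPath + $_.TaskName
        State   = $_.State
        Actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
} | Format-Table -AutoSize

# 2. Signature status and SHA-256 of the DLLs named in the fixlist. Unsigned files with
#    random-looking names under System32/SysWOW64 are the indicator; the hash lets you
#    look a sample up or report it without sending the file itself.
$suspects = @(
    'C:\Windows\System32\suies.dll',
    'C:\Windows\SysWOW64\frphe.dll',
    'C:\Windows\System32\vwfqzvd.dll'
)
foreach ($path in $suspects) {
    if (-not (Test-Path -LiteralPath $path)) { "$path : not present"; continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    "{0} : signature={1} sha256={2}" -f $path, $sig.Status, $hash
}

# 3. Run values that are empty or point at a file that no longer exists, matching the
#    fixlist line "HKLM-x32\...\Run: [] => [X]". The 32-bit view of HKLM is Wow6432Node;
#    PowerShell lists the empty-name (default) value as "(default)".
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.Property) {
        $data = [string]$item.GetValue($(if ($name -eq '(default)') { '' } else { $name }))
        # First token of the command line: a quoted path, or everything up to the first space.
        $exe = if ($data -match '^\s*"([^"]+)"') { $matches[1] } else { ($data -split '\s+', 2)[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        # Bare executable names (no directory) are resolved through PATH via Get-Command.
        $missing = ($exe -eq '') -or
                   (-not (Test-Path -LiteralPath $exe) -and -not (Get-Command $exe -ErrorAction SilentlyContinue))
        if ($name -eq '(default)' -or $missing) {
            "$key : [$name] => $data"
        }
    }
}

# 4. Hosts file lines beyond comments and the stock localhost entries. The fixlist's
#    "Hosts:" directive resets this file, so record what is in it first.
Get-Content -LiteralPath "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -notmatch '^\s*(#|$)' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
```

The script only reads; it does not delete anything, so it is safe to run before the fix to capture evidence and again afterwards to confirm the task, DLLs and Run value are gone. Expect a few legitimate hits in step 3 on machines with uninstalled software left behind; the empty-name value and entries pointing into user-writable directories are the ones worth attention.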

LOL no, it’s not a business PC. I have a couple of hobby blog sites and it is a shared machine. So it probably does look odd. :smiley:

Fixlog is attached. From what I can tell, it looks good. Hope the experience helps get a handle on this stupid little trick so we can prevent others from “catching” it. Thank you for your help.

Hello,

Zip/RAR it and upload the C:\FRST\Quarantine folder to this site:
http://www.wikisend.com

Paste the download link (URL) here, as I would like to take a peek at the malware files. Additionally, I would like you to do the following:

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works, read this guide.

  2. Temporarily disable your AntiVirus program, usually via a right-click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this, please read this or this instruction.

Instructions on how to disable avast:
• Right-click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


  3. Run ComboFix. Then, on the disclaimer window, click the I Agree! button.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
- If the Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install the Recovery Console.

  • ComboFix will scan your computer in stages, a total of 50 stages.
    Do not click around with the mouse while ComboFix is running.
  • If malware is detected, ComboFix will begin with its removal, and may need to restart Windows.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    => Attach the log report (ComboFix.txt) back to the topic.

ComboFix shall also create an additional log (typical location: C:\Qoobox\ComboFix-quarantined-files.txt)
=> Please attach that report (ComboFix-quarantined-files.txt) as well.

Link to the quarantine folder is edited :wink:

I’ll add the log next post

and the combofix log…

oh and this one …

Hi,

Thank you, I have the Quarantine. Can you please edit your message and remove this download link now? Although there’s nothing executable there, there is no need for that link to remain there anymore. :slight_smile:

Posted ComboFix log says you are clean now. So, how is the computer behavior now?

Actually, I would love to perform one more ARK check.

Please download TDSSKiller and save it to your Desktop.

Execute TDSSKiller.exe by double-clicking on it.
Confirm the “End User Licence Agreement” and “KSN Statement” dialog boxes by clicking on the Accept button.

• Under Additional options, check the boxes next to:
- Verify Driver Digital Signature;
- Detect TDLFS file system;
- Use KSN to scan objects.
• Press Start Scan.
• If a Suspicious object is detected, the default action will be Skip; click on Continue.
• If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the system drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.