Hi all,

About an hour ago I started getting notifications from Avast that “A threat has been detected”. The infection details say that it is a HTML:iframe-inf infection and that the process is Internet Explorer. I get this notice every few minutes and every time the URL associated with this threat is different.

In addition, it seems to affect my CPU, since my Task Manager shows usage of between 80-100% (!!), also in physical memory. Explorer.exe (for Windows Explorer) is in charge for 30-50% of this CPU usage.

I read a bit about this infection and it seems to be something that attacks websites, but I am getting these notices even when I am not on the web. At any rate, I used IE once today, but I rarely ever do and it has been closed during this attack. I think it started I restarted my computer once. I would love to get any tips and information on what it is exactly that infected my machine and how I can get rid of it.

Don’t know if it matters, but my system details are: Windows 7, and I am using mainly Firefox but also Iron for the web. Not Explorer…

Thanks!

M.

Logs to assist in cleaning malware https://forum.avast.com/index.php?topic=53253.0

Thank you Pondus.

The problem that the lg is based on using Malwarebytes which crashed my machine several times in the past, so I cannot use it.

My problem has developed since my last post: I ran an Avast scan that found three iframe threats and cleaned them. But now there is a new threat attacking my machine, also via IE and also with different URLs each time. But this infection is named URL:Mal. I think that the URLs are the same series of URLs from the previous infection, but I am not sure.

Does that mean that my IE is infected and should removed and reinstalled?

Thank you!

https://forum.avast.com/index.php?topic=53253.0
Read it.
It is not only Malwarebytes you have to run.

If you’ve problems with the tools, try to run them in safe mode.

Thank you Asyn and Eddy.

I know it’s not only Malwarebytes, but Malwarebytes is essential here. Anyway, I ran it in safe mode and it located two threats that it then cleaned. Then, I continued with the log’s instructions and did all the steps.

It didn’t help - my machine is still infected.

I would like to attach several files to this message so you could what the status is (like instructed in the log you linked to), but I don’t have the Attachment and Other Options section. Any ideas as to what I am missing?

Thanks

The (first) steps as you call them in that topic are analytic tools and require you to post the logs that they generate in this topic.

These logs will be analysed by a malware removal specialist, who will produce the necessary fixes, etc.

When you click on the Reply button you have an open text window: below that is the text ‘Attachments and other options’ clicking that will expand it to allow for attachments.

Thank you David.

For some reason the attachment section wasn’t there before but is now.

Here are all my files. I will post also screenshots of the threat in a new message, since there’s a 4 file limitation per message

And here are screenshots of the threats

A malware removal specialist has been informed about you logs.

Could you let me know if this stops it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: Toolbar: HKU\S-1-5-21-971390309-2364705423-2234723190-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File Tcpip\Parameters: [NameServer] 75.126.206.18,184.173.169.186 Tcpip\..\Interfaces\{188976FD-8447-4440-A0FF-45F55A4277FF}: [NameServer] 75.126.206.18,184.173.169.186 Tcpip\..\Interfaces\{3F617762-5C50-4DD9-9BE7-AFA1F0BB288D}: [NameServer] 75.126.206.18,184.173.169.186 Tcpip\..\Interfaces\{5AE277CF-A914-43D7-A180-9AE38E51D0C5}: [NameServer] 75.126.206.18,184.173.169.186 Tcpip\..\Interfaces\{61A8D6EE-D6BE-4424-A524-B2B7EB0DB5BD}: [NameServer] 75.126.206.18,184.173.169.186 Tcpip\..\Interfaces\{6435B07C-B3A7-48C7-A9D9-C09831FA166A}: [NameServer] 75.126.206.18,184.173.169.186 Tcpip\..\Interfaces\{816E5EB8-1E97-46C5-AE5C-7863C5B0DC51}: [NameServer] 75.126.206.18,184.173.169.186 Tcpip\..\Interfaces\{988AC5D2-D0CA-4567-9BB5-D31EA97C27D5}: [NameServer] 172.16.0.2,172.16.0.3 Tcpip\..\Interfaces\{BA2B7D81-9A04-4346-ACC2-5777EC0AFCFD}: [NameServer] 75.126.206.18,184.173.169.186 Tcpip\..\Interfaces\{ECBADE4C-570B-49E0-AC37-9800C3370056}: [NameServer] 75.126.206.18,184.173.169.186 2015-01-27 23:56 - 2015-01-27 23:56 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage 2015-01-27 18:10 - 2015-01-28 14:12 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8} 2012-11-07 05:13 - 2012-11-07 05:13 - 0000000 _____ () C:\ProgramData\ced3e32c6e1c15ddad7967a5789e90bc_c Task: C:\windows\Tasks\0614aUpdateInfo.job => C:\ProgramData\Avg_Update_0614a\0614a_AVG-Secure-Search-Update.exe Task: C:\windows\Tasks\0814avUpdateInfo.job => C:\ProgramData\Avg_Update_0814av\0814av_AVG-Secure-Search-Update.exe Task: {86F55BD6-0971-49D0-BACE-E2F7F689D150} - System32\Tasks\Norton Identity Safe\Norton Error Analyzer => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.6.0.27\SymErr.exe Task: {B5B7CEAA-5799-4BEB-8055-94B5CF9F6460} - System32\Tasks\TuneUpUtilities_Task_BkGndMaintenance2013 => C:\Program Files (x86)\AVG\AVG PC TuneUp\OneClick.exe Task: {C039AA30-0A72-42F5-83A2-94EE049AC866} - System32\Tasks\Norton Identity Safe\Norton Error Processor => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.6.0.27\SymErr.exe Task: {1C43006B-8320-46DA-9838-319D84BE138B} - System32\Tasks\0814avUpdateInfo => C:\ProgramData\Avg_Update_0814av\0814av_AVG-Secure-Search-Update.exe [2014-08-12] () CMD: netsh advfirewall reset CMD: netsh advfirewall set allprofiles state ON CMD: ipconfig /flushdns CMD: netsh winsock reset catalog CMD: netsh int ip reset c:\resetlog.txt CMD: ipconfig /release CMD: ipconfig /renew C:\WINDOWS\miner EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

Thanks essexboy!

I still don’t if it worked because not enough has passed since reboot, but I am attaching the log.

Once you are happy let me know and I will tidy up

Everything seems to be working great! No more threat detection warning. Thank you!

Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe

Thank a lot essexboy! So far everything looks fine on my end

Hi again,

The operation to remove the infection was successful, but the cleanup software messed up my machine I suspect it was Delfix, but I’m not sure.

The first problem I noticed was that I’m blocked from some features I was able to access before. They are now “managed by my system administrator” (though I am not part of a network). Attaching a screenshot of the message.

I think one of the software changed my group settings, but I can’t confirm it because I can’t access it now: I can’t locate gpedit.msc or access these settings otherwise (which makes me think it’s part of the cleanup effects).

But the bigger problem is that after running the cleanup software, my machine started freezing on me. It happened twice already, and I’m now writing from safe mode because the machine is quite unstable. Even when it’s not frozen, it is very slow (CPU and physical memory are normal though).

The gadget is probably blocked by cryptoprevent there should have been a prompt when you installed it asking for permission to disable it

Cyptoprevent also monitors gpedit. You can run it again and disable protection… Does that help ?

Yes it did! I guess I will have to figure out now what’s the right balance for me between applying cryptoprevent and having some features turned on.

Thank you!