Hello, I’ve been having this problem for some days, avast has been detecting some malicious URLS in the Wscript,(URL: http://copertps.com/a/; specrtop; etproprc.ru…), and, in the taskbar, the windows atualization icon (that yellow shield w/ an exclamation mark) keeps appearing multiple times and all of them disappear on mouseover.

I’m attaching the AdwCleaner log, the MBAM log, OTL + extras log (merged so I can post the 4 logs) and aswMBR log.

Also, MBAM/AdwCleaner logs have some parts in portuguese, idk if it was my fault or system default, let me know if I can do anything to re-do them.

Thanks, Mindbless.

Hi,
Let’s kill this thing:

1. Download ComboFix from here and save it to your Desktop.
   If you are unsure how ComboFix works please read this guide carefully.
   note: ComboFix must be downloaded to your Desktop.

2. Temporarily disable your AntiVirus program.
   If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

3. Run ComboFix. Click on I Agree!
   ComboFix will check if there is a newer version of ComboFix available.
   Click Yes if prompted to download.
   ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
   Click Yes to allow ComboFix to continue.
   If Recovery Console is not installed, ComboFix will offer download & installation.
   Click Yes to allow ComboFix to install Recovery Console.
   Note:Do not mouse-click Combofix’s window while it is running.
   If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

4. When the tool is finished, it will produce a log report for you. (typical location: C:[b]ComboFix.txt[/b] )
   Attach log reports ( ComboFix.txt) back to topic.

========= Next ==========

Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool .
Please wait while the tool does not start…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:

process;
srinfo;
systemscpecs;
installedprogs;
wscript;z
DIR /S /A:L "%systemdrive%\*">>"%temp%\log.txt";b
C:\Windows\system32\services.exe;i
C:\Windows\SysNative\services.exe;i
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;

[*] Click on
http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
button
Please wait until a logreport will open (this can be after reboot)

[*] Save notepad to your Desktop and attach here zoek-results.log

Note: It will also create a log in the C:\ directory named “zoek-results.log”

Sorry it took so long, I thought the reply would take a while and fell asleep, haha. Here are the logs

Open notepad and copy/paste the text present inside the code box below:

DirLook::
C:\Logs para limpeza 01
C:\61
c:\documents and settings\Máa\Dados de aplicativos\607d6
c:\arquivos de programas\7f7

ClearJavaCache:: 

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"FirewallDisableNotify"="0"
"AntiVirusDisableNotify"="0"

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C53C8AFE-780B-A095-1875A9D39C824CF2}\{151E6624-94D7-6041-A2A26FFA6BDDEF0C}\{8D08884B-CD31-5FF0-CA8CAC497363EFC4}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
   12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F9807A10-4727-9AC7-5739BD03864C7141}\{F4D35AF9-854F-CCC6-B4221006081D3FF5}\{1DA5733C-531E-5F12-5A70B13F4DD5DE9D}*]
"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,
   12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refering to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:[b]ComboFix.txt[/b] )

========= Next ==========

Re-run Zoek.exe as you did before with this script:

emptyclsid;
C:\WINDOWS\Prefetch\WSCRIPT.EXE-32960AB9.pf;f
C:\Documents and Settings\Máa\Dados de aplicativos\607d6;vs
C:\Documents and Settings\Máa\Configurações locais\Dados de aplicativos\APN\GoogleCRXs\aaaaojdbdbhbbkpenbmlejjngphokgnp_7.17.1.0.crx;f
aaaaojdbdbhbbkpenbmlejjngphokgnp;chr
aaaaojdbdbhbbkpenbmlejjngphokgnp;chr
FFdefaults;
chrdefaults;
shortcutfix;
resetIEproxy;
ipconfig /flushdns >> %temp%\log.txt;b
resethosts;
emptyalltemp;
autoclean;

Attach here fresh Zoek.exe log

ComboFix.txt and zoek-results.log attached

Hi,

Open notepad and copy/paste the text present inside the code box below:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"c:\61"
"c:\arquivos de programas\7f7"

) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted !!

pause
del %0

Save this as fix.bat

Choose to Save type as - All Files to your desktop then close the Notepad file.

Double-click on fix.bat to run it.

Did you got any message after running this bat?

How’s your computer running now?

The program generated a message like this:
“deleted!
Press any key to continue …”
Then I pressed the space bar and the program disappeared.
I restarted the computer, and after that appeared no warning avast system unprotected. Appeared only an update of avast that I’m updating now.

Hi,

If I understand correctly, your computer running just fine?

yeah, I think so.
Do you think it’s a good idea to scan the system completely just to make sure?
And, about the pen drive, now, can I use it normaly? Because before making the whole process, I formatted it.

It’s always good idea. But most of what it can detect now is maximum some configuration file of malware because active malware you shouldn’t have.

And, about the pen drive, now, can I use it normaly? Because before making the whole process, I formatted it.

Check USB storage devices / removable drives

Download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds to MCShield finish initial scan.
Recommendation to under General and Scanner tab you click on Defaults button to choose recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.

When all scanning is done, you need to attach a logreport that has made MCShield.

Start → All Programs → MCShield → Logs

Attach here → AllScans.txt

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

I’ve attached the scans.

Hi,

I will remove used tools:

It is necessary to uninstall ComboFix :

[*] Click Start (or
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process is complete.

=========== Next ============

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[] Remove disinfection tools
[] Create registry backup
[*] Purge System Restore

Now click on “Run” button. Wait for the programme completes his work.
All the tools we used should be gone.
Tool will create and open an log report (DelFix.txt)
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

I recommended you to keep Malwarebytes and to use MCShield if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.

Ok, I did all you said.
Thanks for all help you gave to me.

I have the same problem. But along with this the most applications like registry, ccleaner just opens and closes immediately. I can’t find my control panel and folder options. I don’t know what else has changed on the system. What do you suggest?

Thank you for any help!
ESD

Please start a new topic and attach your logs.

Please start you own topic after following these steps http://forum.avast.com/index.php?topic=53253.0