malware avast pop up?

Hello,

I have an issue where every time I first log onto the internet I get a pop up from avast stating that a threat has been detected and it seems to be the same notification but it only happens when I first go onto the internet. Not sure if it’s a false warning or not.

Here is what it says when I click on more info.
Infection: URL:MAL
http://stats.mydatastatssrv.com/stats.gif?action

I use Malwarebytes and SuperAntiSpyware.
Operating system is Windows 7.

Any help with this issue to help resolve it would be greatly appreciated.

Thank you,
Kelly

hey and welcome to the forum.

please follow this guide and attach your logs.

http://forum.avast.com/index.php?topic=53253.0

we need the logs from mbam, otl and aswmbr

a malware expert will help you from there.

Is that a site with which you are familiar? Do you have something that loads at startup that might be checking that site? If so URL Mal just means your computer is trying to connect to a site that avast has deemed suspicious. May be something and further research is required… may be nothing and just be a false positive by avast. Check your startup items.

There’s another thread currently listed
http://forum.avast.com/index.php?topic=147178.0

The detection seems to be correct

Site is listed by McAfee as suspicious

http://www.siteadvisor.com/sites/stats.mydatastatssrv.com

reports threat

http://safeweb.norton.com/report/show?url=stats.mydatastatssrv.com

AVG found
Downloader Generic
HTML/Framer

http://www.avgthreatlabs.com/website-safety-reports/domain/mydatastatssrv.com/

Blacklist

http://sitecheck3.sucuri.net/results/stats.mydatastatssrv.com

https://www.virustotal.com/en/url/02b13af2924f4df4f38f32fb566e00a3847e7ea7e70e18b9acbb7d2ee7e7598a/analysis/1394449782/

Zscaler Risk Report malicious

http://zulu.zscaler.com/submission/show/78ed6309233853cf7d979b5af6e4b149-1394450176

Not a false positive http://www.urlvoid.com/scan/stats.mydatastatssrv.com/

as reported by Norton safe web, this is found on the site as we speak
https://www.virustotal.com/en/file/d446e176ba2141d0e7ae0799335fdd98f94d5e6b41c88083f4a3d3c04805a721/analysis/1394467220/

however the problem is: what does the OP have on his/her computer that is trying to connect?
to find out we need the OTL log from the guide mikaelrask gave the link to

Hello,

I read your post as to what I need to do. I ran Malwarebytes and the log results are below. I have not run any other program as of yet but I will if the problem continues after I restart my computer; I wanted to get this log to you. Thank you so much for your help with this issue, I greatly appreciate your help in resolving the problem.

LOG REPORT:
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.11.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16750
dick :: DICK-PC [administrator]

Protection: Enabled

3/10/2014 7:17:36 PM
mbam-log-2014-03-10 (19-17-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 233908
Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 7
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.Optional.FunWebProducts.A) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} (PUP.Optional.FunWebProducts.A) → Quarantined and deleted successfully.
HKCU\Software\AppDataLow\Software\Crossrider (PUP.Optional.CrossRider.A) → Quarantined and deleted successfully.
HKCU\Software\Cr_Installer\2258 (PUP.Optional.CrossRider.A) → Quarantined and deleted successfully.
HKCU\Software\InstalledBrowserExtensions\215 Apps (PUP.Optional.CrossRider.A) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk (PUP.GamesPlayLab) → Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|2258 (PUP.Optional.CrossFire.SA) → Data: I Want This → Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\Program Files (x86)\FunWebProducts\Installr (PUP.Optional.FunWebProducts.A) → Quarantined and deleted successfully.
C:\Program Files (x86)\FunWebProducts\Installr\1.bin (PUP.Optional.FunWebProducts.A) → Quarantined and deleted successfully.

Files Detected: 3
C:\Program Files (x86)\FunWebProducts\Installr\1.bin\F3EZSETP.DLL (PUP.Optional.FunWebProducts.A) → Quarantined and deleted successfully.
C:\Program Files (x86)\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL (PUP.Optional.FunWebProducts.A) → Quarantined and deleted successfully.
C:\Program Files (x86)\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL (PUP.Optional.FunWebProducts.A) → Quarantined and deleted successfully.

(end)

hey again, please follow the guide and attach the other logs as well. the malware expert needs the otl and aswmbr to be able to help you.

Hello,

I’ve attached the log from OTL. When I was doing the scan with aswMBR my computer went to the black screen with blue words saying it had to shut down. I haven’t tried running aswMBR again because of my computer shutting down when I was running it. Thanks for the help!

I tried to run the scan again with aswMBR and this time my computer did not go to the black screen and shut down.
The log report is below. Thanks again for helping me to find out what’s causing the malware pop-up warning.

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-03-12 23:27:34

23:27:34.038 OS Version: Windows x64 6.1.7601 Service Pack 1
23:27:34.038 Number of processors: 2 586 0x170A
23:27:34.038 ComputerName: DICK-PC UserName: dick
23:27:35.333 Initialize success
23:27:39.170 AVAST engine defs: 14031201
23:27:50.636 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
23:27:50.652 Disk 0 Vendor: ST932032 D005 Size: 305245MB BusType: 3
23:27:50.777 Disk 0 MBR read successfully
23:27:50.777 Disk 0 MBR scan
23:27:50.792 Disk 0 Windows VISTA default MBR code
23:27:50.792 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
23:27:50.808 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 81920
23:27:50.823 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 290204 MB offset 30801920
23:27:50.901 Disk 0 scanning C:\Windows\system32\drivers
23:28:05.425 Service scanning
23:28:32.070 Modules scanning
23:28:32.070 Disk 0 trace - called modules:
23:28:32.117 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
23:28:32.117 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004263060]
23:28:32.117 3 CLASSPNP.SYS[fffff880015bd43f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa800408e050]
23:28:32.803 AVAST engine scan C:\Windows
23:28:34.675 AVAST engine scan C:\Windows\system32
23:31:48.802 AVAST engine scan C:\Windows\system32\drivers
23:32:06.445 AVAST engine scan C:\Users\dick
23:34:29.420 AVAST engine scan C:\ProgramData
23:36:33.377 Scan finished successfully
23:37:00.225 Disk 0 MBR has been saved successfully to “C:\Users\dick\Desktop\MBR.dat”
23:37:00.241 The log file has been saved successfully to “C:\Users\dick\Desktop\aswMBR.txt”

Let me know if this stops the alerts

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-2245473696-2751137294-3349256485-1000\..\SearchScopes\{4A18D340-C4DC-4D74-B8CF-BF869AA8A4B3}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=kw&q={searchTerms}&locale=en_US&apn_ptnrs=^TV&apn_dtid=^OSJ000^YY^US&apn_uid=6E215438-3F0A-48C6-9EC9-D70AB144EAD0&apn_sauid=D2854A4F-49D0-4B8C-A95B-90E6E97E51A3
IE - HKU\S-1-5-21-2245473696-2751137294-3349256485-1000\..\SearchScopes\{A531D99C-5A22-449b-83DA-872725C6D0ED}: "URL" = http://search.alot.com/web?q={searchTerms}
FF - prefs.js..extensions.enabledAddons: crossriderapp2258%40crossrider.com:0.94.149
[2014/03/07 03:37:18 | 000,000,000 | ---D | M] ("I Want This") -- C:\Users\dick\AppData\Roaming\Mozilla\Firefox\Profiles\0zjm67ht.default\extensions\crossriderapp2258@crossrider.com
[2014/03/07 03:37:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\dick\AppData\Roaming\Mozilla\Firefox\Profiles\0zjm67ht.default\extensions\crossriderapp2258@crossrider.com\extensionData
[2014/03/07 03:37:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\dick\AppData\Roaming\Mozilla\Firefox\Profiles\0zjm67ht.default\extensions\crossriderapp2258@crossrider.com\extensionData\plugins
[2014/03/07 03:37:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\dick\AppData\Roaming\Mozilla\Firefox\Profiles\0zjm67ht.default\extensions\crossriderapp2258@crossrider.com\extensionData\userCode
[2012/06/22 01:04:43 | 000,002,205 | ---- | M] () -- C:\Users\dick\AppData\Roaming\Mozilla\Firefox\Profiles\0zjm67ht.default\searchplugins\alot-search.xml
[2013/03/07 00:46:31 | 000,002,308 | ---- | M] () -- C:\Users\dick\AppData\Roaming\Mozilla\Firefox\Profiles\0zjm67ht.default\searchplugins\askcom.xml
O2:64bit: - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-2245473696-2751137294-3349256485-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.

:Files
C:\Users\dick\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpfapcdfbbledbojijcbcclmlieaoogk

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.
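As an added example (not part of the thread, and not one of Essexboy's tools), the following read-only PowerShell script inventories the browser persistence locations the OTL fix above targets: IE search scopes, the Ext\Stats and Ext\PreApproved add-on keys, Browser Helper Objects, and the machine-wide Chrome extension registrations. It changes nothing; it only lists what is registered and, for BHO-style CLSID entries, which DLL (if any) they resolve to, so you can see what loads with the browser before removing anything.

```powershell
# Added example: read-only inventory of browser persistence points on Windows 7.
# Run in an elevated PowerShell as the affected user. Nothing is modified.

$locations = @(
    # IE search providers (the hijacked ask.com / alot.com entries above live here)
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    # IE add-on statistics / pre-approval keys (where FunWebProducts was found)
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved',
    # Browser Helper Objects (the O2 lines in the OTL output)
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # Chrome extensions registered machine-wide (where PUP.GamesPlayLab was found)
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions'
)

foreach ($loc in $locations) {
    if (-not (Test-Path $loc)) { continue }
    Write-Host "== $loc"
    Get-ChildItem -Path $loc | ForEach-Object {
        $props  = Get-ItemProperty -Path $_.PSPath
        $detail = @()
        # Values that reveal where an entry points (search URL, extension update URL, path)
        foreach ($name in 'URL', 'update_url', 'path', '(default)') {
            if ($props.PSObject.Properties[$name]) {
                $detail += "$name=$($props.$name)"
            }
        }
        # CLSID-named subkeys (BHOs, Ext\Stats, Ext\PreApproved): resolve to the registered DLL.
        # An entry with no CLSID registration is an orphan, like the "No CLSID value found"
        # lines in the OTL log; it loads nothing but is still worth cleaning up.
        if ($_.PSChildName -like '{*}') {
            $clsid = "HKLM:\SOFTWARE\Classes\CLSID\$($_.PSChildName)\InprocServer32"
            if (Test-Path $clsid) {
                $detail += 'dll=' + (Get-ItemProperty -Path $clsid).'(default)'
            } else {
                $detail += 'orphaned (no CLSID registration)'
            }
        }
        Write-Host ("  {0}  {1}" -f $_.PSChildName, ($detail -join '; '))
    }
}
```

Compare the listed URLs, DLL paths and extension IDs against what Malwarebytes and OTL already reported; anything unfamiliar that points at a third-party search URL or an unsigned DLL in a user-writable folder is the kind of item the fix above removes.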

Here’s the new OTL log after running the fix. Am downloading the other program and will provide that log when done.
Thank you!

AdwCleaner log. Wasn’t sure if I was to keep anything or uncheck certain items that were being removed so left whatever the scan showed up. Hope I didn’t mess this up and remove something I needed.
Here’s the log after scanning and removing.

I’ve logged on to the internet 2 times now since doing the first scan you asked me to do and that malware pop-up didn’t pop up, but it normally only pops up when I first log on for the day; whether I log off and on several times that day, it normally just happens on the first log-in.

Could you let me know, after you have restarted the system several times, if the alerts have ceased

Hi Essexboy,

No malware threat pop-up when I started and logged on for the first time this morning, which normally it does happen.
I haven’t started and logged onto the internet but once so far; will let you know if the malware threat pop-up comes up anytime during the next few log-ons, but I’m thinking it’s all good now. You’re amazing for the help and support you provide for us that have no idea how to fix stuff like this…thank you so much!!!

Have a great weekend,
Kelly

Let me know when you are happy and I will remove my rubbish :slight_smile:

Will do! I want to log on the internet a few more times before removing any stuff that helps to get rid of the malware.

Thanks so much!

I’ve logged onto the internet several times with no malware threat pop-up notification, so I’m thinking it’s okay to remove the stuff you had me put on to help remove the problem. I’ll keep an eye out for your removal instructions. Thanks, Kelly

In that case methinks I will send you on your merry way :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide: Best security practices. Keep safe :wave:

Regarding Java and disabling it. I followed the instructions for Firefox and where it shows the plugins it says ASK TO ACTIVATE or the other option NEVER ACTIVATE. It was on ASK TO ACTIVATE so I left it on that option. There was no disable option. Is it okay to leave it at ASK TO ACTIVATE or should I uninstall Java altogether?

I ran Delfix and am wondering if I should uninstall AdwCleaner, Aswmbr, and OTL? The icons are still on my desktop as well as their log reports?