Malicious URL blocked by Avast

wxw.couly.com is the bad guy
It also says Program Files, ProgramData, TpScrex; TpScrex is the bad guy.

I can't remove this map; it says another program is using it.

My laptop:
Alienware m14
windows 7 home premium
intel core i7 2670 QM CPU @ 2.20 Ghz
64 bit

I think it's slowing down my system; I noticed Skyrim is slightly slower.

Please help me guys!

VirusTotal:
SHA256: e24ad3dc546640b0503dd61a7674db1b98d508fbcd6da7b3f2bf421f0f8ce3bd
SHA1: e6a481f7ad2e1b7dd803af1bf258eea7282c080d
MD5: f67c06b7555544bbd692a1c1a6c32334
File size: 137.0 KB ( 140288 bytes )
File name: C:\ProgramData\TpScrex\TpScrexm.exe
File type: Win32 EXE
Detection ratio: 0 / 41
Analysis date: 2012-05-20 09:46:36 UTC ( 1 week, 1 dag ago )

Hi Wendel,

Break the link like with wXw. Site is engaged in spreading a Gzip bomb. Files end in .jsp. Gzip Bomb is located in the Content.IE5 folder and is a highly compressed file. You were protected from this by the Avast block.

polonus
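
A gzip bomb, as mentioned in the reply above, is a small compressed file that expands to a very large size when unpacked. The following Python code is an added illustration, not part of the original thread: it decompresses gzip input under a hard output cap so that such a file is rejected instead of exhausting memory or disk. The function names, the limits and the sample data are assumptions constructed for this example.

```python
import gzip
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when the output size or compression ratio passes the cap."""


def safe_gunzip(data, max_out=10 * 1024 * 1024, max_ratio=200, chunk=64 * 1024):
    """Decompress gzip bytes in bounded steps; abort before a bomb expands."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + MAX_WBITS: gzip framing
    out = bytearray()
    buf = data
    while not d.eof:
        # max_length=chunk: never materialise more than `chunk` bytes per call.
        piece = d.decompress(buf, chunk)
        buf = d.unconsumed_tail
        if not piece and not buf and not d.eof:
            raise ValueError("truncated gzip stream")
        out += piece
        if len(out) > max_out:
            raise DecompressionLimitExceeded(
                f"output exceeds {max_out} bytes from {len(data)} input bytes")
        if len(out) > max_ratio * len(data):
            raise DecompressionLimitExceeded(
                f"compression ratio exceeds {max_ratio}:1")
    return bytes(out)


def make_sample_bomb(expanded_size):
    """Constructed test input: `expanded_size` zero bytes, gzip-compressed."""
    return gzip.compress(b"\0" * expanded_size)


if __name__ == "__main__":
    benign = gzip.compress(b"hello avast forum\n" * 100)
    print("benign ok:", len(safe_gunzip(benign)), "bytes")

    bomb = make_sample_bomb(20 * 1024 * 1024)  # about 20 KB on disk
    try:
        safe_gunzip(bomb, max_out=1024 * 1024)
    except DecompressionLimitExceeded as exc:
        print("rejected:", exc)
```

The cap is enforced while decompressing, so the full expanded payload is never held in memory.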

I'm sorry, I don't really understand what you are saying or what I should do :slight_smile: :-\

Well that has already been done for you now. We do not want others to click a live link that may lead to live malware, do we?
By blocking this site, you were prevented from downloading the Gzip bomb.

polonus

I understand that Avast blocked it, but something is triggering it every half an hour or so.
Even when I'm not on the internet or using a browser, it keeps popping up!

I was following another thread from a guy who had the same problem. They told me in that post I needed to start my own.

So I did.

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware.
Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

Monitoring… :slight_smile:

Hi guys,

I was extremely busy the past month.
I’m going to make logs this week and post them here; damn malware is driving me crazy.

cheers

The Logs:
malware bytes

cheers

OTL

cheers

OTL
cheers

asw MBR

cheers

rkt
cheers

more rkt

rkt 3

Hi,

Please download and run ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember, if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run.

To disable Malwarebytes

- Open the scanner and select the Protection tab
- Remove the tick from “Start Protection Module with Windows” as seen below

http://i1224.photobucket.com/albums/ee380/jeffce74/MBAM16orgreater.jpg

Once complete continue with the instructions…

Run OTL.exe

- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


```
:Services

:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-522931602-1788683630-3885486422-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://nl.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-522931602-1788683630-3885486422-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = nl-NL
IE - HKU\S-1-5-21-522931602-1788683630-3885486422-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E0 68 C6 1E 05 45 CD 01  [binary data]
IE - HKU\S-1-5-21-522931602-1788683630-3885486422-1002\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[2012-04-11 11:25:19 | 000,211,071 | ---- | M] () (No name found) -- C:\USERS\WENDELLIUS\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\Q11QYWEA.DEFAULT\EXTENSIONS\THEPIRATEBAY@MAFIAAFIRE.COM.XPI
[2012-06-08 02:01:47 | 000,002,252 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\bing.xml
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
[1 C:\Users\wendellius\Desktop\*.tmp files -> C:\Users\wendellius\Desktop\*.tmp -> ]

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
```

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot when it is done
- Then run a new scan and post a new OTL log (don’t check the boxes beside LOP Check or Purity this time)

OTL log

At the moment I’m not getting any malware blocks. Let's keep our fingers crossed.
cheers

Hi,

(Crossing fingers :smiley: )

Malwarebytes

I see that you have Malwarebytes already on your computer. Please open Malwarebytes, update it and then run a Quick Scan. Save the log that is created for your next reply.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
- Tick the box next to YES, I accept the Terms of Use
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the option Remove found threats is NOT selected and the option Scan unwanted applications is selected.
- Click Scan (This scan can take several hours, so please be patient)
- Once the scan is completed, you may close the window
- Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
- Copy and paste that log as a reply to this topic


In your next reply please attach the logs made by Malwarebytes and ESET. :slight_smile:

Still no sign of malware or popups! I’m a happy man!

Quote from jeffce:

> In your next reply please attach the logs made by Malwarebytes and ESET. :)