Malicious URL http://specrtop.org/a/

Today, after connecting my external hard drive to my laptop, my Avast started showing this alert message very frequently.

Malicious URL blocked
object: http://specrtop.org/a/
infection: URL:Mal
Process: C:\Windows\System32\wscript.exe

I've tried to run Malwarebytes, which was unsuccessful, and Windows doesn't let me install programs like AdwCleaner or OTL.

Please give me some advice.

Thanks.

Hey, and welcome to the forum.

You could try OTL in Safe Mode.

http://forum.avast.com/index.php?topic=53253.0

Thanks for your help.

Here are log files.

Hi, this will be a tad complicated to remove, but here we go. The USB was infected:

Download McShield to your desktop and install it.
It will initially run a scan and show the result as a toast notification by the system clock.
Then, in the Control Centre, select Scanner and tick "Unhide items on flash drives".

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan.

Then get the log, which will be here:

Start > all programs > MCShield > logs > all scans

And post that.

THEN

Using windows explorer go to C:\Windows\System32
Right click Wscript.exe
Select Properties
Select Security Tab
Select Advanced
Select Owner
Select Edit
Select your account
Click Apply
OK the warning
Click OK

https://dl.dropbox.com/u/73555776/wscript%20ownership.JPG

Then delete Wscript.exe to the Recycle Bin.

FINALLY

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

1. Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2413}: "URL" = http://www.searchqu.com/web?src=ieb&appid=0&systemid=413&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2413}: "URL" = http://www.searchqu.com/web?src=ieb&appid=0&systemid=413&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=4.0002002
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\..\SearchScopes,DefaultScope = {CFF4DB9B-135F-47c0-9269-B4C6572FD61A}
IE - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2413}: "URL" = http://www.searchqu.com/web?src=ieb&appid=0&systemid=413&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb178/?search={searchTerms}&loc=IB_DS&a=6OyOlrdEk9&i=26
IE - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
FF - prefs.js..extensions.enabledAddons: canitbecheaper%40trafficbroker.co.uk:3.8.28
FF - prefs.js..extensions.enabledAddons: check4change-owner%40mozdev.org:1.9.3
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{b64982b1-d112-42b5-b1e4-d3867c4533f8}: C:\ProgramData\Browser Manager\2.3.796.11\{16cdff19-861d-48e3-a751-d99a27784753}\FirefoxExtension
[2012-12-09 17:48:32 | 000,093,072 | ---- | M] () (No name found) -- C:\Users\Nanda\AppData\Roaming\Mozilla\Firefox\Profiles\7o3kt8uy.default\extensions\canitbecheaper@trafficbroker.co.uk.xpi
[2013-04-01 14:56:41 | 000,617,362 | ---- | M] () (No name found) -- C:\Users\Nanda\AppData\Roaming\Mozilla\Firefox\Profiles\7o3kt8uy.default\extensions\check4change-owner@mozdev.org.xpi
[2013-02-05 15:17:24 | 000,218,916 | ---- | M] () (No name found) -- C:\Users\Nanda\AppData\Roaming\Mozilla\Firefox\Profiles\7o3kt8uy.default\extensions\info@priceblink.com.xpi
O2 - BHO: (SearchCore for Browsers) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\SearchCore for Browsers\SearchCore for Browsers\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (no name) - {EEE6C35C-6118-11DC-9C72-001320C79847} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {b4de90bb-150d-4b33-95fe-6baac97e1c21} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O3 - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\..\Toolbar\WebBrowser: (no name) - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - No CLSID value found.
O3 - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O4 - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000..\Run: [64e] C:\Users\Nanda\AppData\Roaming\72f\64e.js ()
O4 - Startup: C:\Users\Nanda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3232.js ()
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_32-windows-i586.cab (Reg Error: Value error.)
O20 - AppInit_DLLs: (c:\progra~3\browse~1\23796~1.11\{16cdf~1\browse~1.dll) - File not found
[2013-05-02 16:51:05 | 000,000,000 | -HSD | C] -- C:\738
[2013-05-02 16:51:05 | 000,000,000 | -HSD | C] -- C:\Users\Nanda\AppData\Roaming\72f
[2012-11-15 09:25:38 | 000,000,000 | ---D | M] -- C:\Users\Nanda\AppData\Roaming\Babylon

:Files
C:\Users\Nanda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Program Files\Web Assistant
C:\ProgramData\Browser Manager

:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]

2. Then click the Run Fix button at the top.
3. Let the program run unhindered; reboot the PC when it is done.
4. Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
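The fix list above is a set of OTL log lines, each naming one persistence point or artifact the helper has decided to remove. As an added example (not part of the thread, and not code from OTL or Avast), the script below parses lines in that format and flags the patterns this thread turns on: script files launched from a Run key or the Startup folder (the wscript.exe process in the Avast alert), an AppInit_DLLs entry, hidden+system directories created at the same moment, an IE search-scope pointing at a hijacker host, and ProxyEnable being set. The sample lines are constructed from the fix list plus one benign avastUI.exe control line that the thread does not contain; the hijacker domain list is an assumption for the example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit

# Extensions that wscript.exe/cscript.exe execute when launched from a Run key or Startup folder.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Assumption for this example: hosts the fix above treats as search hijackers.
HIJACK_DOMAINS = ("searchqu.com", "sweetim.com", "incredibar.com")

# Constructed sample in the shape of the OTL fix list; the avastUI.exe line is a benign control.
SAMPLE_LINES = r"""
IE - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2413}: "URL" = http://www.searchqu.com/web?src=ieb&appid=0&systemid=413&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
O2 - BHO: (no name) - {EEE6C35C-6118-11DC-9C72-001320C79847} - No CLSID value found.
O4 - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000..\Run: [64e] C:\Users\Nanda\AppData\Roaming\72f\64e.js ()
O4 - Startup: C:\Users\Nanda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3232.js ()
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O20 - AppInit_DLLs: (c:\progra~3\browse~1\23796~1.11\{16cdf~1\browse~1.dll) - File not found
[2013-05-02 16:51:05 | 000,000,000 | -HSD | C] -- C:\738
[2013-05-02 16:51:05 | 000,000,000 | -HSD | C] -- C:\Users\Nanda\AppData\Roaming\72f
[2012-11-15 09:25:38 | 000,000,000 | ---D | M] -- C:\Users\Nanda\AppData\Roaming\Babylon
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    kind: str
    detail: str
    raw: str


O4_RE = re.compile(r'^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<target>.+?) \((?P<publisher>[^)]*)\)\s*$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: \((?P<path>[^)]*)\)(?P<rest>.*)$')
URL_RE = re.compile(r'^IE(?::64bit:)? - (?P<key>.+?): "URL" = (?P<url>\S+)')
FILE_RE = re.compile(r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<flag>[CM])\] .*?-- (?P<path>.+)$')


def triage_line(line: str) -> List[Finding]:
    """Classify one OTL log line; returns zero or more findings."""
    out: List[Finding] = []
    m = O4_RE.match(line)
    if m:
        target = m["target"]
        if target.lower().endswith(SCRIPT_EXTS):
            out.append(Finding("high", "script-host autostart", f"{m['where']} launches {target} via wscript.exe", line))
        elif "\\appdata\\" in target.lower() and not m["publisher"]:
            out.append(Finding("medium", "unsigned autostart in AppData", target, line))
        return out
    m = O20_RE.match(line)
    if m:
        note = " (file missing; value still set)" if "File not found" in m["rest"] else ""
        out.append(Finding("high", "AppInit_DLLs injection", m["path"] + note, line))
        return out
    m = URL_RE.match(line)
    if m:
        host = (urlsplit(m["url"]).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS):
            out.append(Finding("medium", "search-scope hijack", f"{host} in {m['key']}", line))
        return out
    if '"ProxyEnable" = 1' in line:
        out.append(Finding("medium", "system proxy enabled", "browser traffic may be routed through an attacker proxy", line))
        return out
    if "No CLSID value found" in line:
        out.append(Finding("low", "orphaned BHO/toolbar registration", line.split(" - ", 1)[1], line))
        return out
    m = FILE_RE.match(line)
    if m and all(ch in m["attrs"] for ch in "HSD"):  # hidden + system + directory
        when = "created" if m["flag"] == "C" else "modified"
        out.append(Finding("medium", "hidden+system directory", f"{m['path']} ({when} {m['ts']})", line))
    return out


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            findings.extend(triage_line(line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.severity for f in findings))


def created_together(findings: List[Finding]) -> Dict[str, List[str]]:
    """Hidden+system directories sharing one creation timestamp were most likely dropped by the same installer."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        if f.kind == "hidden+system directory":
            m = FILE_RE.match(f.raw)
            groups[m["ts"]].append(m["path"])
    return {ts: paths for ts, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for f in sorted(found, key=lambda f: ("high", "medium", "low").index(f.severity)):
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
    print(summarize(found), created_together(found))
```

Run as-is it rates the two .js autostarts and the AppInit_DLLs entry high, the hidden directories, search scope and proxy medium, and the orphaned BHO low, while the avastUI.exe line produces nothing. The two `-HSD` directories share a creation timestamp, which is why the helper removes `C:\738` alongside the `72f` folder that holds the Run-key script.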

Thanks for your help.

I followed every step as you suggested. But now I'm getting this message and am unable to delete wscript.exe, even though I am using an administrative account.

I also attached the McShield log file.

How many users are available when you select the Properties Edit tab?

It shows the administrator account and my account (please see the attached file).

I have tried with both of them.

OK, let's work outside of Windows.

Download the following three programs to your desktop:

1. Rufus

For 64-bit systems:
2. Windows 7 64-bit RC
3. Farbar Recovery Scan Tool x64

Insert the USB stick, then run Rufus.

https://dl.dropbox.com/u/73555776/rufus.JPG

Select the ISO file on the desktop via the ISO icon.

Press Start Burn

https://dl.dropbox.com/u/73555776/RufusISO.JPG

Then copy FRST to the same USB.

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that, follow the instructions here.

When you reboot you will see this, although yours will say Windows 7.
Click Repair my computer.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt, type the following:

Type notepad and press Enter.
Notepad opens. Under the File menu, select Open.
Select "Computer", find your flash drive letter, and close Notepad.
In the command window type e:\frst64.exe and press Enter.
Note: Replace the letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens, click Yes to the disclaimer.

https://dl.dropbox.com/u/73555776/FRST%20Start%20scan.gif

Press the Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Windows 8 screenshots

When you reboot you will see this.

Select the language on this screen and the keyboard on the next.

https://dl.dropbox.com/u/73555776/select%20language8.JPG

Select the Troubleshoot option.

https://dl.dropbox.com/u/73555776/Select%20option8.JPG

Select the Advanced option.

https://dl.dropbox.com/u/73555776/advanced8.JPG

Select Command prompt.

https://dl.dropbox.com/u/73555776/command%208.JPG

At the command prompt, type the following:

https://dl.dropbox.com/u/73555776/notepad.JPG

Rufus is not detecting my external drives. I have tried with two different drives. Both of the drives are seen in My Computer and can be accessed, but they are not detected by Rufus.

Hmm, I need to remove wscript from the equation to fix this.

Do you have the Windows CD? We can use that to get to the recovery console.

I’m afraid I don’t have it.

But I see a hard drive partition named ‘Recovery’ in My Computer. Not sure if we can use that.

Do you have a CD burner on the computer that will burn the Windows ISO to a CD as bootable, i.e. Nero?

I’ll download and install it even though it is not installed on my laptop now.

Oops, ignore that; Windows 7 has a native burner.

Right-click the ISO file. Is there an option Burn Disc Image?

Yes, I see Windows Disc Image Burner.

And I've already burned an image CD.

OK, copy FRST to a USB drive, boot to the recovery console, and then run FRST.

Insert the CD into the sick computer and start the computer, first ensuring that the system is set to boot from CD.
Note: If you are not sure how to do that, follow the instructions here.

When you reboot you will see this, although yours will say Windows 7.
Click Repair my computer.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

Insert the USB with FRST64 on it.

At the command prompt, type the following:

Type notepad and press Enter.
Notepad opens. Under the File menu, select Open.
Select "Computer", find your flash drive letter, and close Notepad.
In the command window type e:\frst64.exe and press Enter.
Note: Replace the letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens, click Yes to the disclaimer.

https://dl.dropbox.com/u/73555776/FRST%20Start%20scan.gif

Press the Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Sorry, I'm a little confused. When should I run FRST for the first time? Before the recovery boot?

I assume I should run the first scan before the recovery boot, and here are the log files.