MALWARE???

Avast kept giving red alert that URL: Mal (sometimes Mal2) was blocked.

DETAILS

Object: http://corptps.com/a/
http://copertps.com/k/
http://etpssoprc.ru/a/
http://specrtop.org/a/

Infection: URL: Mal
URL: Mal2

Process: c:\windows\System32\wscript.exe

e.g but like two other more website were indicated.

I know am infected because it started after a friend used his USB stick in my system. Though I scanned with avast and USB antvirus deleted an autorun from the stick.

what should I do now.

follow guide and attach logs. http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

when done, removal experts will be notified and help will arrive later today

I downloaded AdwCleaner but it won’t run. After clicking run as adminisrator, it ask if it should be permitted the normal warning sign, i clicked yes it never started.

Decided to go ahead and download Malwarebytes’ Anti-Malware tried installing it, it won’t install also. restarted my system several times and re-tried installing same thing. Not installing.

I’m using windows 7 x64bite

and under hidden icon, i started seeing thousands of control panel icon showing new update, the icon gave me goose-pimples coz its irritating. it even pushed away Avast logo and solve Pc issue ‘flag’ logo. and once i place mouse over the control panel icon they start disappearing rapidly like ghost. It all looks like as if am attacked by a demon and seeing visions.

my system is working well, but I knew something is wrong with avast regularly giving me red alert “a site is blocked…”

what can I do to get all the software in Log assist installed.?

you may also try to run programs from safe mode

if no success…move to next program

removal specialist is notified and will be here later today :wink:

Could you run OTL from safe mode please with the standard script and attach it here

aswMBR just ran now. am attaching the log.

will try the OTL and report back to you now.
Thanks

I believe I know what this is … OTL will confirm that for me

Sorry, my internet does not work on safe mode. this is the OTL log.

should I still run adwcleaner and mbam on safe mode??

thanks.

sorry i needed to change it to ANSI

adwcleaner

mbam

OK could you run OTL from safe mode please as I do not want the malware to regenerate

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
SRV:64bit: - [2013-01-29 14:28:02 | 000,188,760 | ---- | M] () [Auto | Stopped] -- C:\Program Files\IB Updater\ExtensionUpdaterService.exe -- (Web Assistant)
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD22}
IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=281&systemid=2&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=281&systemid=2&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^XP^xdm208^LENIN^in&si=197727&ptb=6D7CC341-00C3-4415-B892-9553DAC26150&psa=&ind=2012090709&st=sb&n=77ee1155&searchfor={searchTerms}
IE - HKU\S-1-5-21-3464401708-3411778692-912532096-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.delta-search.com/?affID=119370&babsrc=HP_ss&mntrId=fc06d0bd000000000000000000000000
IE - HKU\S-1-5-21-3464401708-3411778692-912532096-1000\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-3464401708-3411778692-912532096-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www.delta-search.com/?q={searchTerms}&affID=119370&babsrc=SP_ss&mntrId=fc06d0bd000000000000000000000000
IE - HKU\S-1-5-21-3464401708-3411778692-912532096-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=281&systemid=2&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-3464401708-3411778692-912532096-1000\..\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^XP^xdm208^LENIN^in&si=197727&ptb=6D7CC341-00C3-4415-B892-9553DAC26150&psa=&ind=2012090709&st=sb&n=77ee1155&searchfor={searchTerms}
IE - HKU\S-1-5-21-3464401708-3411778692-912532096-1000\..\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}: "URL" = http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80182&lng=en
IE - HKU\S-1-5-21-3464401708-3411778692-912532096-1000\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb128/?search={searchTerms}&loc=IB_DS&a=6PQK31Bz1e&i=26
FF - prefs.js..browser.search.selectedEngine: "Delta Search"
FF - prefs.js..extensions.enabledAddons: 64ffxtbr@TelevisionFanatic.com:2.26.0.50199
FF - prefs.js..extensions.enabledAddons: ffxtlbr@babylon.com:1.5.0
FF - prefs.js..extensions.enabledAddons: inboxcomtoolbar@inbox.com:1.2.0.34
FF - prefs.js..extensions.enabledAddons: ffxtlbr@incredibar.com:1.5.0
FF - prefs.js..extensions.enabledAddons: plugin@yontoo.com:1.20.00
FF - prefs.js..extensions.enabledAddons: 1cffxtbr@BringMeSports_1c.com:2.50.0.53478
FF - prefs.js..browser.startup.homepage: "http://www.delta-search.com/?affID=119370&babsrc=HP_ss&mntrId=fc06d0bd000000000000000000000000"
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\PROGRAM FILES\IB UPDATER\FIREFOX [2013-03-25 19:55:27 | 000,000,000 | ---D | M]
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{FE1DEEEA-DB6D-44b8-83F0-34FC0F9D1052}: C:\PROGRAM FILES\IB UPDATER\FIREFOX [2013-03-25 19:55:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\IB Updater\Firefox [2013-03-25 19:55:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{FE1DEEEA-DB6D-44b8-83F0-34FC0F9D1052}: C:\Program Files\IB Updater\Firefox [2013-03-25 19:55:27 | 000,000,000 | ---D | M]
[2012-10-02 21:22:53 | 000,000,000 | ---D | M] (Wincore Mediabar) -- C:\Users\PRINCETEEJAY\AppData\Roaming\Mozilla\Firefox\Profiles\8waqz9y6.default\extensions\{c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c}
[2013-01-21 16:38:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PRINCETEEJAY\AppData\Roaming\Mozilla\Firefox\Profiles\8waqz9y6.default\extensions\64ffxtbr@TelevisionFanatic.com
[2013-03-07 10:54:53 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PRINCETEEJAY\AppData\Roaming\Mozilla\Firefox\Profiles\8waqz9y6.default\extensions\ffxtlbr@babylon.com
[2012-09-19 01:10:52 | 000,000,000 | ---D | M] (incredibar.com) -- C:\Users\PRINCETEEJAY\AppData\Roaming\Mozilla\Firefox\Profiles\8waqz9y6.default\extensions\ffxtlbr@incredibar.com
[2012-09-19 01:07:56 | 000,000,000 | ---D | M] (Yontoo) -- C:\Users\PRINCETEEJAY\AppData\Roaming\Mozilla\Firefox\Profiles\8waqz9y6.default\extensions\plugin@yontoo.com
[2012-09-19 01:06:46 | 000,214,127 | ---- | M] () (No name found) -- C:\Users\PRINCETEEJAY\AppData\Roaming\Mozilla\Firefox\Profiles\8waqz9y6.default\extensions\freehdsport@freehdsport.tv.xpi
[2013-03-07 10:54:33 | 000,006,484 | ---- | M] () -- C:\Users\PRINCETEEJAY\AppData\Roaming\Mozilla\Firefox\Profiles\8waqz9y6.default\searchplugins\browsemngr.xml
[2013-03-07 10:55:04 | 000,001,294 | ---- | M] () -- C:\Users\PRINCETEEJAY\AppData\Roaming\Mozilla\Firefox\Profiles\8waqz9y6.default\searchplugins\delta.xml
[2012-09-03 21:02:45 | 000,009,614 | ---- | M] () -- C:\Users\PRINCETEEJAY\AppData\Roaming\Mozilla\Firefox\Profiles\8waqz9y6.default\searchplugins\my-web-search.xml
[2012-09-19 01:09:34 | 000,002,203 | ---- | M] () -- C:\Users\PRINCETEEJAY\AppData\Roaming\Mozilla\Firefox\Profiles\8waqz9y6.default\searchplugins\MyStart Search.xml
[2012-10-02 21:22:28 | 000,002,515 | ---- | M] () -- C:\Users\PRINCETEEJAY\AppData\Roaming\Mozilla\Firefox\Profiles\8waqz9y6.default\searchplugins\Search_Results.xml
[2013-03-07 10:54:33 | 000,006,484 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
O2:64bit: - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\IB Updater\Extension64.dll ()
O2:64bit: - BHO: (DataMngr) - {B939CF93-F2CB-443d-956C-DC523D85C9DB} - C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\x64\BrowserConnection.dll (MusicLab, LLC)
O2 - BHO: (no name) - {11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5} - C:\Program Files (x86)\SiteRanker\SiteRank.dll (Crawler, LLC)
O2 - BHO: (Web Assistant) - {336D0C35-8A85-403a-B9D2-65C292C39087} - C:\Program Files\IB Updater\Extension32.dll ()
O2 - BHO: (DataMngr) - {B939CF93-F2CB-443d-956C-DC523D85C9DB} - C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\BrowserConnection.dll (MusicLab, LLC)
O2 - BHO: (Wincore Mediabar) - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\ToolBar\wincorebsdtx.dll ()
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {98889811-442D-49dd-99D7-DC866BE87DBC} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Wincore Mediabar) - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\ToolBar\wincorebsdtx.dll ()
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O4 - HKU\S-1-5-21-3464401708-3411778692-912532096-1000..\Run: [b773b] C:\Users\PRINCETEEJAY\AppData\Roaming\a16\b773b.js ()
O4 - HKU\S-1-5-21-3464401708-3411778692-912532096-1000..\Run: [eType] C:\Users\PRINCETEEJAY\AppData\Roaming\eType\eType.exe (DSNR Media Innovations)
O4 - Startup: C:\Users\PRINCETEEJAY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e33.js ()
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\x64\datamngr.dll) - C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\x64\datamngr.dll (MusicLab, LLC)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\x64\IEBHO.dll) - C:\Program Files (x86)\BearShare Applications\MediaBar\Datamngr\x64\IEBHO.dll (MusicLab, LLC)
[2013-05-19 17:47:20 | 000,000,000 | -HSD | C] -- C:\Users\PRINCETEEJAY\AppData\Roaming\a16
[2013-05-19 17:47:20 | 000,000,000 | -HSD | C] -- C:\a0e6
[2013-05-19 17:47:20 | 000,000,000 | -HSD | M] -- C:\Users\PRINCETEEJAY\AppData\Roaming\a16
[2012-09-04 01:23:38 | 000,000,000 | ---D | M] -- C:\Users\PRINCETEEJAY\AppData\Roaming\Babylon
[2013-05-21 20:41:04 | 000,000,000 | ---D | M] -- C:\Users\PRINCETEEJAY\AppData\Roaming\eType

:Files
C:\Users\PRINCETEEJAY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Surely i cant run it on someone else’s system.

after rebooth

After quick scan.

Thanks waiting to know what next.

Could you confirm the alerts have ceased now

After restarting no alert, but i’m still waiting on it, sometimes it doesn’t come so quick. the demon that took over activity icon has stopped.

it 23:53 (almost 12am here) struggling with sleep.

I sure believe it has been taken care off. In 8hrs time I will reach you back for full feedback.

Thanks for the time, I appreciate.

No problem see you tomorrow, from the log it looks like it is history

Yah yah EssexBoy

The alert has ceased.

Thank you so much.

I owe you :o :smiley: ;D

Yah Yah essex boy

Red alert stopped, all demons gone inside your dragon.

Thanks. I owe you.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run AdwCleaner and press uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up at the first prompt select OK after it has done some calculations the tabs will appear
Select More Options tab
Press Sytem Restore and Shadow Copies Cleanup button

https://dl.dropbox.com/u/73555776/disc%20clean.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave: