More epictory/reduled warning problems

I made a reply in another thread, not realizing the solutions were machine (not infection) specific.

So I got this problem, same as almost all the new threads of the last couple of days, a few days ago. (That is, the warning of mal URLs in system 32.exe on boot or reawakening from sleep)

Steps taken so far:

Full avast scan - Nothing found
MBAM threat scan followed by full custom scan including rootkits. - Nothing found (so no log attached)
HijackThis logfile submitted to online analyser - nothing nasty (apparently) found (log appended)
FRST full analysis. Log appended.
aswMBR scan. Log appended.

Since so many users seem to be having this problem, has anyone any idea what it comes with? I haven’t knowingly visited any dodgy sites.

HijackThis is outdated/obsolete … it has not been updated for many years, so that's why we now use FRST.

The removal team is notified; they are usually online after work hours, European time.

Thanks for that speedy get-back Pondus. I’ll delete HJT, but does FRST have a similar direct analysis for us amateurs?
And I’m UK myself so guessed about the hours… Ta anyway!!

A few remarks from your HJT log for what it is worth (HJT became obsolete when ComboFix was brought in):

The version of your browser (11.00.9600.17496) is out of date. Check Windows Update to update Internet Explorer.

O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (file missing)
Kind: Unnecessary (deactivated) entry that can be fixed. SUN Java.

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (file missing)
Unnecessary (deactivated) entry that can be fixed. jp2ssv.dll - Sun_Java, http://java.sun.com/javase/downloads/index.jsp browser plugin.

Some malware camouflages itself as Ath_WlanAgent.exe, particularly when located in the C:\Windows or C:\Windows\System32 folder. Therefore, you should check the Ath_WlanAgent.exe process on your PC to see if it is a threat. Likely OK → http://www.freefixer.com/library/file/ath_wlanagent.exe-113365/

Do not pay attention to the above results; follow the instructions of a qualified remover to the dot. I hope your machine is safe from threats,

polonus

A question first … Did you create this vbs file, create-restore.vbs?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> No File
BHO: surf and keePP -> {998F94E1-FE2A-7572-A828-99C5189EF786} -> C:\Program Files (x86)\surf and keePP\3kB.x64.dll No File
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll No File
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\rcezdkq8.FF27\Extensions\paulsaintuzb@gmail.com.xpi [2014-02-21]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\rcezdkq8.FF27\Extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi [2014-02-21]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\rcezdkq8.FF27\Extensions\{aa26583b-4c35-4729-913e-156956078824}.xpi [2014-02-21]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\rcezdkq8.FF27\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-02-21]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\adblockpopups@jessehakanen.net.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\autofillForms@blueimp.net.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\nosquint@urandom.ca.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\paulsaintuzb@gmail.com.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\secureLogin@blueimp.net.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\SQLiteManager@mrinalkant.blogspot.com.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\{5514CFC3-D9A8-4f1a-8DF1-930EBFB59901}.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\{69d0119c-32f1-4766-82d7-617f04d5643b}.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\adblockpopups@jessehakanen.net.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\autofillForms@blueimp.net.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\nosquint@urandom.ca.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\paulsaintuzb@gmail.com.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\savesession@noasobi.net.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\secureLogin@blueimp.net.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\SQLiteManager@mrinalkant.blogspot.com.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\undoclosedtabsbutton@supernova00.biz.xpi [2015-01-18]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\{5514CFC3-D9A8-4f1a-8DF1-930EBFB59901}.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\{69d0119c-32f1-4766-82d7-617f04d5643b}.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\{aa26583b-4c35-4729-913e-156956078824}.xpi [2014-05-16]
CHR StartupUrls: Default -> "https://www.google.co.uk/", "https://mail.google.com/mail/u/0/?tab=wm#inbox", "https://dub109.mail.live.com/default.aspx?id=64855&rru=inbox", "hxxp://bookos-z1.org/?remix_userkey=b53f62be2bfb77da7d8ed4d8dfe42421&remix_userid=241773", "hxxp://chomikuj.pl/action/SearchFiles"
2014-12-27 08:16 - 2014-12-27 08:16 - 00000000 _____ () C:\Windows\SysWOW64\sho5494.tmp
2014-12-27 07:24 - 2014-12-27 11:12 - 00000000 ____D () C:\Users\Phil\AppData\Roaming\WTools
2014-12-27 07:24 - 2014-12-27 11:12 - 00000000 ____D () C:\Users\Phil\AppData\Roaming\Store
2014-12-27 07:24 - 2014-12-27 09:44 - 00000000 ____D () C:\Program Files (x86)\Optimizer Pro 3.16
2014-12-27 07:22 - 2014-12-30 05:45 - 00000000 ____D () C:\Program Files (x86)\SearchProtect
Task: {172EA49A-0916-4FBA-964E-B35921298419} - \Selection Tools Update No Task File <==== ATTENTION
Task: {1C6E8D23-995D-48F7-AF47-4F9F53D10CC7} - \WindApp Update No Task File <==== ATTENTION
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

Thanks for help so far. But before I do the deed:

First - you asked about ‘create-restore.vbs.’
No - I know nothing about it or what it does let alone if it’s harmful or not. What is it?

Second - if I paste the list and work it, do I lose all those Firefox extensions etc., or do they reappear at a later date? And do the ‘bookos-z1’ and ‘chomikuj.pl’ lines imply there’s a problem with these (book download) sites?

Third - one of the things broken on my PC (as on seemingly so many others) is system restore: if I try to use it we get to the configuration point and it stays there indefinitely until I crash the PC… I was going to ask about that anyway, but now it seems that much more important.

I’ll wait for your reassurance before I proceed - in the meantime there’s a third (previously unheard-of) mal URL site warning happening now.

The reason they were included is that they did not reveal their name; this is a 99% sign of malware.

If you are happy that those extensions are good then just remove those lines from the fix. I will post a new fix to include the vbs file.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
Startup: C:\Users\Phil\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\create-restore.vbs ()
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> No File
BHO: surf and keePP -> {998F94E1-FE2A-7572-A828-99C5189EF786} -> C:\Program Files (x86)\surf and keePP\3kB.x64.dll No File
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll No File
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\rcezdkq8.FF27\Extensions\paulsaintuzb@gmail.com.xpi [2014-02-21]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\rcezdkq8.FF27\Extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi [2014-02-21]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\rcezdkq8.FF27\Extensions\{aa26583b-4c35-4729-913e-156956078824}.xpi [2014-02-21]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\rcezdkq8.FF27\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-02-21]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\adblockpopups@jessehakanen.net.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\autofillForms@blueimp.net.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\nosquint@urandom.ca.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\paulsaintuzb@gmail.com.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\secureLogin@blueimp.net.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\SQLiteManager@mrinalkant.blogspot.com.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\{5514CFC3-D9A8-4f1a-8DF1-930EBFB59901}.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\dsw1vcac.FF29\Extensions\{69d0119c-32f1-4766-82d7-617f04d5643b}.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\adblockpopups@jessehakanen.net.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\autofillForms@blueimp.net.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\nosquint@urandom.ca.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\paulsaintuzb@gmail.com.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\savesession@noasobi.net.xpi [2015-01-17]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\secureLogin@blueimp.net.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\SQLiteManager@mrinalkant.blogspot.com.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\undoclosedtabsbutton@supernova00.biz.xpi [2015-01-18]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\{5514CFC3-D9A8-4f1a-8DF1-930EBFB59901}.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\{69d0119c-32f1-4766-82d7-617f04d5643b}.xpi [2014-05-16]
FF Extension: No Name - C:\Users\Phil\AppData\Roaming\Mozilla\Firefox\Profiles\nroli7yb.ff31\Extensions\{aa26583b-4c35-4729-913e-156956078824}.xpi [2014-05-16]
CHR StartupUrls: Default -> "https://www.google.co.uk/", "https://mail.google.com/mail/u/0/?tab=wm#inbox", "https://dub109.mail.live.com/default.aspx?id=64855&rru=inbox", "hxxp://bookos-z1.org/?remix_userkey=b53f62be2bfb77da7d8ed4d8dfe42421&remix_userid=241773", "hxxp://chomikuj.pl/action/SearchFiles"
2014-12-27 08:16 - 2014-12-27 08:16 - 00000000 _____ () C:\Windows\SysWOW64\sho5494.tmp
2014-12-27 07:24 - 2014-12-27 11:12 - 00000000 ____D () C:\Users\Phil\AppData\Roaming\WTools
2014-12-27 07:24 - 2014-12-27 11:12 - 00000000 ____D () C:\Users\Phil\AppData\Roaming\Store
2014-12-27 07:24 - 2014-12-27 09:44 - 00000000 ____D () C:\Program Files (x86)\Optimizer Pro 3.16
2014-12-27 07:22 - 2014-12-30 05:45 - 00000000 ____D () C:\Program Files (x86)\SearchProtect
Task: {172EA49A-0916-4FBA-964E-B35921298419} - \Selection Tools Update No Task File <==== ATTENTION
Task: {1C6E8D23-995D-48F7-AF47-4F9F53D10CC7} - \WindApp Update No Task File <==== ATTENTION
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
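The fix above targets four kinds of persistence point: BHO registrations that point at a DLL which no longer exists, scheduled tasks whose task file is gone, a script dropped in the user's Startup folder, and a machine-wide Chrome policy key. The following read-only PowerShell audit is an added example, not part of the thread and not FRST's own code; it lists the same kinds of entries on a Windows machine so a reader can see what such a fixlist works from. It assumes an elevated PowerShell 3 or later and changes nothing.

```powershell
# Added example (not from the thread or FRST): read-only audit of the
# persistence points the fix above cleaned. Nothing is changed or deleted.
# Assumes an elevated PowerShell 3+ on the machine being checked.

function Get-OrphanedBho {
    # BHO registrations whose CLSID no longer resolves to a DLL on disk
    # (what FRST prints as "-> No File"). Both 64-bit and 32-bit views.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            $dll = $null
            foreach ($hive in 'CLSID', 'Wow6432Node\CLSID') {
                $srv = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$hive\$clsid\InprocServer32" -ErrorAction SilentlyContinue
                if ($srv -and $srv.'(default)') { $dll = [Environment]::ExpandEnvironmentVariables($srv.'(default)'); break }
            }
            if (-not $dll -or -not (Test-Path -LiteralPath $dll)) {
                [pscustomobject]@{ Type = 'BHO'; Name = $clsid; Path = $dll; Note = 'No File' }
            }
        }
    }
}

function Get-OrphanedTask {
    # Task registrations in the TaskCache whose XML under System32\Tasks is
    # missing (FRST: "No Task File <==== ATTENTION"). Folder keys carry no Id.
    $tree = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
    foreach ($key in Get-ChildItem $tree -Recurse) {
        $id = (Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue).Id
        if (-not $id) { continue }
        $rel  = $key.PSPath -replace '.*\\Tree\\', ''
        $file = Join-Path "$env:SystemRoot\System32\Tasks" $rel
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ Type = 'Task'; Name = $id; Path = "\$rel"; Note = 'No Task File' }
        }
    }
}

function Get-StartupScript {
    # Script files in the per-user and all-users Startup folders (the thread's
    # create-restore.vbs lived in the per-user one). Listed, not judged.
    $dirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
            "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    Get-ChildItem $dirs -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.vbs', '.js', '.wsf', '.bat', '.cmd', '.ps1' } |
        ForEach-Object { [pscustomobject]@{ Type = 'Startup'; Name = $_.Name; Path = $_.FullName; Note = 'script' } }
}

# Machine-wide Chrome policy (FRST: "CHR HKLM\SOFTWARE\Policies\Google: Policy restriction").
# Expected on a managed corporate PC; on a home PC it is usually adware pinning the browser.
$policy = if (Test-Path 'HKLM:\SOFTWARE\Policies\Google') { 'present' } else { 'absent' }
Write-Host "Chrome policy key HKLM\SOFTWARE\Policies\Google: $policy"

@(Get-OrphanedBho) + @(Get-OrphanedTask) + @(Get-StartupScript) | Format-Table -AutoSize
```

A Startup-folder script or an orphaned task is not proof of infection on its own; the value is in comparing the list against what you knowingly installed, which is what a remover does when writing a fixlist.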

Boy, that was brutal! Took ages to restore FF extensions etc., AND it wiped out all the site favicons (firefox’s but not Chrome’s intriguingly…)!!!

Anyway, fixlog attached - now we wait and see!

Sometimes a brutal approach with these adwares is the only route to take, I am afraid.

Oh yes, not complaining at all.

Anyway, nearly 24hrs on, several ‘sleeps’ and reawakes and no recurrence of warnings.

I’m no expert, as all can see, but I’ve just remembered a “coincidence???”: the day before the attacks started I was offered an update by YouTubeDownloader when I opened it. Now I’ve had YTD (standalone) operating with no problems for over 2 years and the box offered “install” and ‘later’. Since it looked like the official thing I clicked on ‘install’ and immediately got Avast warnings. I got out as quick as I could, but could this be the source of all that mess? I only ask because this might be relevant to a whole lot of other members and warn them off that path. I have since googled YTD and it seems that all the current versions come bundled with a load of malware.

And is there a way to explain to me (an intelligent scientist but no computer expert) what it was you did so I can avoid bothering you should it ever happen again? You’re heroes and don’t need more ‘customers’ than necessary…

Well, Avast was fast, but not fast enough to stop all the junk programmes installing, although none had the opportunity to run as they were broken. But some tasks were installed which Avast was blocking.

However, they did manage to corrupt some of your internet functions and install the small vbs programme.

Subject to no further problems.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean.

A good workman always cleans up after himself so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated:

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

If you do need to keep Java then download JavaRa.
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done, run it again and select Update Java Runtime > Download and install latest version.

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent - install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean.

Unchecky

- Click on the link above to be taken to Unchecky.com.
- Click the very large Download button.
- Click Save.
- Click Open folder.
- Right click on Unchecky_setup and choose Run as Administrator.
- Once open, click the Install button.
- Then click on Finish.

Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire and forget programme.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.