Need help on URL:Mal reddie, blackfight etc

Hi everyone,
Could anyone please help me with this? I keep getting an “Avast has blocked a threat” popup every now and then.
Attached are the log files needed. Thanks in advance!

Let me know if this stops it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
2015-04-28 18:40 - 2015-04-28 18:40 - 00000000 ____D () C:\ProgramData\ff84825200003017
C:\Users\Lim\feather_cl_RuneScape_Core.dat
C:\Users\Lim\guardian_noregret_LIVE.dat
C:\Users\Lim\JAGEXJAGEX_LIVE.dat
C:\Users\Lim\JAGEXJAGEX_LIVE1.dat
C:\Users\Lim\matrix_cl_matrix_LIVE.dat
C:\Users\Lim\rn_cl_runenova_LIVE.dat
C:\Users\Lim\rn_cl_serpent_LIVE.dat
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

It seemed to work, so far no popups from Avast yet :smiley:
Thank you very much for your help, really appreciate it!

Same situation.

Tried all of the usual scan and removal apps (Spyhunter, MBAM, etc…). No go.

Happening on my VirtualBox VM guest OS (Windows 7 64 Bit Ultimate).

Required logs attached. Only ran aswMBR in ‘quickscan’ mode. Full scan kept crashing system.

Any help is greatly appreciated.

Thanks in advance!

Did you set these proxies?

ProxyServer: [S-1-5-21-2913335514-2600213466-2721737044-1001] => http=127.0.0.1:49363;https=127.0.0.1:49363
ProxyServer: [S-1-5-21-2913335514-2600213466-2721737044-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0] => http=127.0.0.1:49363;https=127.0.0.1:49363

No.

I have Axure RP loaded and answering local only http requests (as a web server) on port 32767 but no proxies that I am aware of.

Thanks!

Matt

What is Avast alerting on?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
ProxyServer: [S-1-5-21-2913335514-2600213466-2721737044-1001] => http=127.0.0.1:49363;https=127.0.0.1:49363
ProxyServer: [S-1-5-21-2913335514-2600213466-2721737044-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0] => http=127.0.0.1:49363;https=127.0.0.1:49363
2015-04-27 00:46 - 2015-04-27 00:46 - 00000000 ____D () C:\ProgramData\385d9b2400004b6d
2015-04-27 00:44 - 2015-04-27 00:44 - 00000000 __SHD () C:\Users\Matt\AppData\Local\EmieUserList
2015-04-27 00:44 - 2015-04-27 00:44 - 00000000 __SHD () C:\Users\Matt\AppData\Local\EmieSiteList
2015-04-27 00:44 - 2015-04-27 00:44 - 00000000 __SHD () C:\Users\Matt\AppData\Local\EmieBrowserModeList
2015-04-27 00:41 - 2015-04-27 00:42 - 00000000 ____D () C:\Users\Matt\AppData\Local\File Viewer
2015-04-27 00:39 - 2015-04-27 00:39 - 00000064 _____ () C:\Users\Matt\AppData\Local\979999c855d797ea409475e9e19f195c
2015-04-25 17:16 - 2015-04-25 17:16 - 00000000 __HDC () C:\ProgramData\{1AC3401A-AA8A-4BE1-9462-65EFED7B6A44}
2015-04-25 17:12 - 2015-04-25 17:12 - 00000032 RSHOT () C:\Users\Matt\AppData\Local\t70rc.dat
2015-04-27 00:39 - 2015-04-27 00:39 - 0000064 _____ () C:\Users\Matt\AppData\Local\979999c855d797ea409475e9e19f195c
Task: {9DCA5787-5B77-4329-8B19-5B2D2D4173AE} - \GeniusBox No Task File <==== ATTENTION
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.
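The helper's question about the two ProxyServer entries and the fixlist above show what was being looked for in the FRST logs: a per-user proxy pointed back at 127.0.0.1 (which lets a local process sit between the browser and the network), a scheduled task whose task file is gone ("No Task File"), and freshly created files and folders with bare hex-string names. The script below is an added example, not part of this thread or of FRST, that runs those three checks over FRST-style log lines. The sample log is constructed here from the entries quoted in the thread plus one made-up benign proxy line and one made-up benign task line so the filters have something to pass over; the function names are the author's own.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the FRST entries quoted in this thread. The third
# ProxyServer line and the second Task line are made-up benign entries added for contrast.
SAMPLE_FRST_LOG = r"""
ProxyServer: [S-1-5-21-2913335514-2600213466-2721737044-1001] => http=127.0.0.1:49363;https=127.0.0.1:49363
ProxyServer: [S-1-5-21-2913335514-2600213466-2721737044-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0] => http=127.0.0.1:49363;https=127.0.0.1:49363
ProxyServer: [S-1-5-21-1111111111-2222222222-3333333333-1002] => proxy.corp.example:8080
Task: {9DCA5787-5B77-4329-8B19-5B2D2D4173AE} - \GeniusBox No Task File <==== ATTENTION
Task: {0F2E4C6A-1B3D-4E5F-8A9B-0C1D2E3F4A5B} - System32\Tasks\ExampleUpdater => C:\Program Files\Example\updater.exe
2015-04-27 00:46 - 2015-04-27 00:46 - 00000000 ____D () C:\ProgramData\385d9b2400004b6d
2015-04-27 00:41 - 2015-04-27 00:42 - 00000000 ____D () C:\Users\Matt\AppData\Local\File Viewer
2015-04-27 00:39 - 2015-04-27 00:39 - 00000064 _____ () C:\Users\Matt\AppData\Local\979999c855d797ea409475e9e19f195c
2015-04-25 17:12 - 2015-04-25 17:12 - 00000032 RSHOT () C:\Users\Matt\AppData\Local\t70rc.dat
"""

# Line shapes as FRST prints them: "ProxyServer: [<SID>] => <value>", "Task: {<GUID>} - <name> ...",
# and "<created> - <modified> - <size> <attrs> (<company>) <path>" for file entries.
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<sid>[^\]]+)\] => (?P<value>\S+)$")
TASK_RE = re.compile(r"^Task: (?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<rest>.+)$")
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
RANDOM_HEX_NAME_RE = re.compile(r"^[0-9a-f]{16,}$", re.IGNORECASE)


def _is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the name 'localhost'."""
    host = host.strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:          # a hostname, not an address
        return False


def _split_hostport(hostport: str):
    host, _, port = hostport.rpartition(":")
    return (host, int(port)) if host and port.isdigit() else (hostport, None)


def find_loopback_proxies(text: str):
    """ProxyServer entries that send a user's HTTP/HTTPS traffic back into the machine."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        # value is either "http=host:port;https=host:port" or a bare "host:port"
        for part in m.group("value").split(";"):
            scheme, _, hostport = part.rpartition("=")
            host, port = _split_hostport(hostport)
            if _is_loopback(host):
                hits.append({"sid": m.group("sid"), "scheme": scheme or "*", "host": host, "port": port})
    return hits


def find_orphan_tasks(text: str):
    """Scheduled tasks FRST flags as 'No Task File': the registry entry survives but the task XML is gone."""
    return [
        {"guid": m.group("guid"), "name": m.group("rest").split(" No Task File")[0]}
        for m in map(TASK_RE.match, text.splitlines())
        if m and "No Task File" in m.group("rest")
    ]


def find_random_named_files(text: str):
    """Recent file entries whose base name is a long bare hex string (16+ hex digits)."""
    hits = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if RANDOM_HEX_NAME_RE.match(path.rsplit("\\", 1)[-1]):
            hits.append(path)
    return hits


def triage(text: str = SAMPLE_FRST_LOG) -> dict:
    """Run all three checks and return the findings keyed by kind."""
    return {
        "loopback_proxies": find_loopback_proxies(text),
        "orphan_tasks": find_orphan_tasks(text),
        "random_named_files": find_random_named_files(text),
    }


if __name__ == "__main__":
    for kind, items in triage().items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
```

Run it against a real FRST.txt/Addition.txt by passing the file contents to `triage()`. A loopback proxy is not proof of infection on its own (debugging proxies and some filtering products use one), so compare the port against what is actually listening and which process owns it; a proxy that nothing legitimate owns, paired with a task whose file is missing, is the combination the fix above removes with `RemoveProxy:` and the `Task:` line.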

URL: http://blackled.info/4242/PathGeneration_142669364699402.dll
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

See attached pic.

OK. Tried the fix.

Here (attached) is the log.

Will try to get the system to generate new alerts…

Stay tuned.

YUP!

Seems like that did it. 8)

Normally I get the first popup from Avast the moment I connect to a new network (or just disable then enable the NIC).

Now, nothing… Everything else seems to be working like it says on the tin.

Thanks!

Got a fav charity I can throw $20 at?

Matt

Last question:

Any idea what the F### this particular exploit does? Tracks… steals?

I do not use this VM for anything personal so no worries. Just curious.

Thanks again!

Matt

Tries to download ads if Avast would let it :slight_smile: