Hi everyone,
Could anyone please help me with this? I keep getting an “Avast has blocked a threat” popup every now and then.
Attached are the log files needed. Thanks in advance!
Let me know if this stops it
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
2015-04-28 18:40 - 2015-04-28 18:40 - 00000000 ____D () C:\ProgramData\ff84825200003017
C:\Users\Lim\feather_cl_RuneScape_Core.dat
C:\Users\Lim\guardian_noregret_LIVE.dat
C:\Users\Lim\JAGEXJAGEX_LIVE.dat
C:\Users\Lim\JAGEXJAGEX_LIVE1.dat
C:\Users\Lim\matrix_cl_matrix_LIVE.dat
C:\Users\Lim\rn_cl_runenova_LIVE.dat
C:\Users\Lim\rn_cl_serpent_LIVE.dat
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
It seemed to work; so far no popups from Avast yet.
Thank you very much for your help, really appreciate it!
Same situation.
Tried all of the usual scan and removal apps (Spyhunter, MBAM, etc…). No go.
Happening on my VirtualBox VM guest OS (Windows 7 64 Bit Ultimate).
Required logs attached. Only ran aswMBR in ‘quickscan’ mode. Full scan kept crashing system.
Any help is greatly appreciated.
Thanks in advance!
Did you set these proxies?
ProxyServer: [S-1-5-21-2913335514-2600213466-2721737044-1001] => http=127.0.0.1:49363;https=127.0.0.1:49363
ProxyServer: [S-1-5-21-2913335514-2600213466-2721737044-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0] => http=127.0.0.1:49363;https=127.0.0.1:49363
No.
I have Axure RP loaded and answering local-only HTTP requests (as a web server) on port 32767, but no proxies that I am aware of.
Thanks!
Matt
What is Avast alerting on?
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
ProxyServer: [S-1-5-21-2913335514-2600213466-2721737044-1001] => http=127.0.0.1:49363;https=127.0.0.1:49363
ProxyServer: [S-1-5-21-2913335514-2600213466-2721737044-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0] => http=127.0.0.1:49363;https=127.0.0.1:49363
2015-04-27 00:46 - 2015-04-27 00:46 - 00000000 ____D () C:\ProgramData\385d9b2400004b6d
2015-04-27 00:44 - 2015-04-27 00:44 - 00000000 __SHD () C:\Users\Matt\AppData\Local\EmieUserList
2015-04-27 00:44 - 2015-04-27 00:44 - 00000000 __SHD () C:\Users\Matt\AppData\Local\EmieSiteList
2015-04-27 00:44 - 2015-04-27 00:44 - 00000000 __SHD () C:\Users\Matt\AppData\Local\EmieBrowserModeList
2015-04-27 00:41 - 2015-04-27 00:42 - 00000000 ____D () C:\Users\Matt\AppData\Local\File Viewer
2015-04-27 00:39 - 2015-04-27 00:39 - 00000064 _____ () C:\Users\Matt\AppData\Local\979999c855d797ea409475e9e19f195c
2015-04-25 17:16 - 2015-04-25 17:16 - 00000000 __HDC () C:\ProgramData\{1AC3401A-AA8A-4BE1-9462-65EFED7B6A44}
2015-04-25 17:12 - 2015-04-25 17:12 - 00000032 RSHOT () C:\Users\Matt\AppData\Local\t70rc.dat
2015-04-27 00:39 - 2015-04-27 00:39 - 0000064 _____ () C:\Users\Matt\AppData\Local\979999c855d797ea409475e9e19f195c
Task: {9DCA5787-5B77-4329-8B19-5B2D2D4173AE} - \GeniusBox No Task File <==== ATTENTION
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
URL: http://blackled.info/4242/PathGeneration_142669364699402.dll
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe
See attached pic.
OK. Tried the fix.
Here (attached) is the log.
Will try to get the system to generate new alerts…
Stay tuned.
YUP!
Seems like that did it. 8)
Normally I get the first popup from Avast the moment I connect to a new network (or just disable then enable the NIC).
Now, nothing… Everything else seems to be working like it says on the tin.
Thanks!
Got a fav charity I can throw $20 at?
Last question:
Any idea what F### this particular exploit does?.. tracks… steals?
I do not use this VM for anything personal so no worries. Just curious.
Thanks again!
Tries to download ads if Avast would let it 