Hi All,
Just had a boot and then my browser opened a weird website ozirizsoos.info with some Russian text.
1. How was it detected? What was scanning, you yourself or the background scanner?
Did the message come from the avast Network Shield or Webshield, or were you alerted via an avast Webreputation alert? When did the message occur: on a download, unzipping, opening a file, mail or mail attachment, etc.?
Found it with CCleaner in startup. Program name: my pcname / file: explorer.exe http://ozirizsoos.info
A capture of the message screen as image can be helpful or what the message says and where the suspicious file was detected.
link to picture: https://ibb.co/k6zOy6
2. What was the source of the file, where did the file come from? E.g. address, URL, source.
Internet. Have no idea how I got it on my computer.
3. When was it downloaded or received?
Yesterday probably. I’m starting up this PC daily, so it probably downloaded yesterday. Boot opens Chrome and displays http://ozirizsoos.info
4. What is the exact file name with extension.
no idea.
5. What was the exact wording of the message that the AV program came up with? This is important for later. Right-click the avast ball and left-click show last pop-up message!
It does not show up in the AV scan. I can open the file with CCleaner in Regedit, no idea what this is. I’m a noob.
6. Now go back and do nothing yet. Scan the particular file once again with your AV product.
A. The message is in the same wording: maybe positive alert
B. If the message is not in the same wording or the scan does not find anything, this could be a false positive.
7. Check with an online scanner or upload to VirusTotal for a second opinion. VT resides at http://www.virustotal.com/index.html
You can do a URL scan or file scan. Also give the MD5 hash that is given further down the scan result page under additional information. This can help to identify the malware file.
Other scan results for a suspicious URL or link can be found at: http://vscan.urlvoid.com/file/
For file scans, alternative scanners are:
VirSCAN http://virscan.org/
Metascan http://www.metascan-online.com/
Or you can ask on the forums to have the URL or link in question scanned with various scanners. An FP is more likely if the file is only flagged by avast and GData.
8. Go get informed: ask a Virus Encyclopedia or Virus Central. Remember Google is your best friend; also put a question on a forum.
9. Make an informed decision on the basis of what you have found.
10. Inform others about what you have learned, if the file came from a reliable source, author, programmer etc. send a friendly e-mail with your findings. Also send a mail to virus AT avast dot com. If you send a suspicious file there for detection password zip this as an attachment and put the password in the mail. This will help us all and in case of a non-detect avast will add it to avast detection or in the case of a false positive re
Can’t scan the file, since I cannot find where it is located. Plz help. Is my PC still safe? Doing sensitive stuff here (banking etc).
Kind regards,
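
An added example, not part of the original post: the startup entry reported above, `explorer.exe http://ozirizsoos.info`, has the shape of a command line with a URL argument, so a check of autostart entries can look for exactly that shape. It assumes the entry is a value under the registry Run keys (the post only says it appears in CCleaner's startup list and opens in Regedit); `find_url_autoruns`, `read_run_keys` and the sample entries are constructed for illustration.

```python
import re
import sys

# Per-user and per-machine Run keys (assumed location of the "startup" entry).
RUN_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
URL_RE = re.compile(r"(?:https?://|www\.)[^\s\"']+", re.IGNORECASE)
# First token of a command line: quoted path, or text up to the first space.
CMD_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$')

# Constructed sample entries: (location, value name, command line).
SAMPLE = [
    ("HKCU\\" + RUN_PATH, "ExampleUpdater",
     r'"C:\Program Files\Example\updater.exe" /background'),
    ("HKCU\\" + RUN_PATH, "PCNAME", "explorer.exe http://ozirizsoos.info"),
]


def find_url_autoruns(entries):
    """Return (location, name, executable, url) for entries whose arguments hold a URL."""
    hits = []
    for location, name, command in entries:
        match = CMD_RE.match(command)
        if not match:
            continue
        exe_path = match.group(1) or match.group(2)
        url = URL_RE.search(match.group(3))  # search the arguments only
        if url:
            exe = re.split(r"[\\/]", exe_path)[-1].lower()
            hits.append((location, name, exe, url.group(0)))
    return hits


def read_run_keys():
    """Windows only: yield (location, name, command) for every Run value."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    for label, hive in hives.items():
        try:
            with winreg.OpenKey(hive, RUN_PATH) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    yield (label + "\\" + RUN_PATH, name, str(value))
        except OSError:
            continue  # key missing or not readable


if __name__ == "__main__":
    entries = list(read_run_keys()) if sys.platform == "win32" else SAMPLE
    for hit in find_url_autoruns(entries):
        print(hit)
```

On Windows the script reads the live Run keys; elsewhere it falls back to the constructed sample. Startup folders and scheduled tasks are not covered.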