Stubborn Malware

I’m using the free version.

Recently I’ve started getting constant malware popup warnings and redirects using my browser, which is Internet Explorer. I ran an Avast boot scan, it identified a couple of problems which I had it move to the Chest. I then rebooted, but the malware popups continued.

One thing I find curious is that the redirects at first were taking me to Avast sites, and then to other security related sites.

This is driving me crazy. The Object sites identified include words or phrases like “clickdata” and “redirect” and “php”. Any ideas how to solve this?

Follow the instructions here and attach the logs.

I have attached the most recent MBAM scan file. It comes up clean despite the continued popup behavior.

We also need OTL and aswMBR logs

Yes, I have been interrupted and it looks like I am going to have to rerun all this together tomorrow. I will rerun everything and post it tomorrow. Sorry for the delay.

Okay, finally able to get back at it after a three-day interruption.

Symptoms:
Near constant avast! Web Shield threat popups, even when running the anti-malware programs MBAM and OTL.

Clicking on link results in Google web searches often redirects to various antivirus/antimalware sites, but direct address entry in Internet Explorer 11 does not redirect.

avast! Web Shield popups most frequently contain:
under Object: various, often including text like “click.php?=click”, “redirect_js.psp”, “credit cards”, “debt management”, “cleveland consumer co” etc.
under URS: Mal
under Process: Users/John/AppData…WINFB36.exe

Ran MBAM as instructed, log attached. No threats found.
Ran OTL as instructed, program generated OTL.txt (attached) but not Extras.txt.

Posting this now, will proceed with aswMBR.exe

Behavior continues

And here’s the aswMBR report…

As I understand it, I have completed the instructed initial steps.

Do I need to stay offline with this computer until this is resolved?

Hey, better wait for Valinorum to answer that; he’s the one who will help you with your problem.

Hi John,

Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.
Confirm “End user Licence Agreement” and “KSN Statement” dialog box by clicking on Accept button.

- Press Start Scan.
- If a Suspicious object is detected, the default action will be Skip; click on Continue.
- If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

Here are the reports from the suggested scans.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Start
HKU\S-1-5-21-1802073132-1704809466-3102102586-1000\...\Run: [ARZworks] => regsvr32.exe C:\Users\John\AppData\Local\ARZworks\BRWIA07a.dll <===== ATTENTION
HKU\S-1-5-21-1802073132-1704809466-3102102586-1000\...\MountPoints2: {dfcb262b-b3db-11de-af4a-806e6f6e6963} - E:\GHScrabbleInstall.exe
HKU\S-1-5-21-1802073132-1704809466-3102102586-1000\...\Run: [GameServer548] => C:\Users\John\AppData\Roaming\WinBatch\WINFB36.exe [192000 2014-04-12] ()
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM - {D8E0CC98-17E3-40B4-A29A-4A4A66D42927} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 - {D8E0CC98-17E3-40B4-A29A-4A4A66D42927} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKCU - {D8E0CC98-17E3-40B4-A29A-4A4A66D42927} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
BHO-x32: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} -  No File
CHR DefaultSearchKeyword: mywebsearch.com
CHR DefaultSearchProvider: My Web Search Bar
CHR DefaultSearchURL: http://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJxdm380YSUS&fl=0&ptb=huIiN99FEqxqbAS1Hn1_4Q&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=sb&searchfor={searchTerms}&n=77ce80df
C:\Users\John\microsoft.dat
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
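The fixlist above removes Run entries that launch a program from the user's AppData folder (WinBatch\WINFB36.exe) and one that has regsvr32 load a DLL from AppData\Local (ARZworks). As an added, read-only check that is not part of this thread or of FRST, the following PowerShell audits the same Run locations (HKCU maps to the HKU\<SID> hive the fixlist names) and reports entries with those traits; the flag names and the "profile directory" heuristic are my own assumptions, not FRST conventions.

```powershell
# Added example: report Run entries that start from the user profile or load a DLL via regsvr32.
# It only reads the registry; nothing is deleted.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # HKLM-x32 view on 64-bit
)

# Assumption: legitimate startup software rarely runs from these user-writable roots.
$profileRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
# Also catch any \Users\<name>\AppData\ path, whichever profile it belongs to.
$profilePattern = ($profileRoots + '\\Users\\[^\\]+\\AppData\\') -join '|'

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($cmd)) { continue }

            $flags = @()
            # Same trait as the GameServer548 entry: executable living under AppData.
            if ($cmd -imatch $profilePattern) { $flags += 'runs-from-profile-dir' }
            # Same trait as the ARZworks entry: regsvr32 used as a loader for a DLL.
            if ($cmd -imatch '^\s*"?regsvr32(\.exe)?"?\s') { $flags += 'regsvr32-dll-load' }

            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Command = $cmd
                    Flags   = ($flags -join ',')
                }
            }
        }
    }
}

Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Run it from an ordinary user session first; reading the HKLM keys needs no elevation, and every hit still has to be judged against what the program actually is before anything is removed.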

Thank you for your work trying to help me.

I ran FRST64 and it generated a text file called FRST.txt (not fixlog.txt) on my Desktop. I have attached that file.


Edited to add, SORRY, I just realized I might have pressed “SCAN” instead of “FIX.” I’ll rerun this with “FIX”

OK, here is fixlog.txt.

Hmm…
When I try to submit this post it tells me the requested file is too large.

Copy/Paste log here http://pastebin.com/
and click submit.

Copy url link to forum.

Tried, but it said the paste had exceeded the 500KB limit.

The text file is 2.13 MB.

The text file is 2.13 MB.

Impossible ???

OK, reboot your PC, re-run FRST and click Scan.
Attach the logs here.

edit.

The text file is 2.13 MB.

I emptied temp folders :wink:

OK, rebooted PC, ran FRST SCAN only, attached log (only one generated).

Do you still pop up warnings?

So far, no, although sometimes in this process there have been brief lull periods where popups diminished or ceased. I’ll monitor it and let you know if they start popping up again.

Thanks for ALL your help.