URL:Mal 51 Reports, & Continue every Minute

Hello All,

Thank for taking the time to assist me in this matter.

The following message keeps popping up continuously
51 Reports every exit

Object: http:/
Infection: URL: Mal
Process: C:\Windows\System32\dllhost.exe

It was so bad, Chrome would let me post. I had to switch PC’s
Thank you in Advance!!

Hi that is the latest Aleurion malware this may take two runs to kill properly

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O3 - HKU\S-1-5-21-1920933346-218109947-2895132486-1012\..\Toolbar\WebBrowser: (no name) - {1392B8D2-5C05-419F-A8F6-B9F15A596612} - No CLSID value found.
O3 - HKU\S-1-5-21-1920933346-218109947-2895132486-1012\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O3 - HKU\S-1-5-21-1920933346-218109947-2895132486-1012\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O4:64bit: - HKLM..\Run: [ChangeID] Reg Error: Invalid data type. File not found
O4:64bit: - HKLM..\Run: [DLCICATS] rundll32 \3\DLCItime.dll,RunDLLEntry File not found
O4 - HKU\.DEFAULT..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found
O4 - HKU\S-1-5-18..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found
O4 - HKLM..\RunOnce: [AvgUninstallURL] C:\Windows\SysWow64\cmd.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
O4 - HKU\.DEFAULT..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
O4 - HKU\S-1-5-18..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f File not found
O4 - HKU\S-1-5-18..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f File not found
[2011/01/02 16:13:27 | 000,000,000 | ---D | M] -- C:\Users\MYO\AppData\Roaming\WhiteSmokeSetup

:Files
[-HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Here you go, less pop ups… but wont let me surf much

I guess that reg key did not want to go. I will need two scans this time the first will be tdsskiller to check out the afs driver and the second to check on the reg key

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please attach its contents on your next reply.

THEN

Run a fresh OTL scan with all users selected

Here you go, Thank you!

Yep it is still there

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64 "" = \\?\globalroot\Device\HarddiskVolume2\Users\MRDESI~1\AppData\Local\Temp\ssttxkx\snisvpv\wow.dll
  1. Close any open browsers.

  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  3. Open notepad and copy/paste the text in the quotebox below into it:

Folder:: C:\Users\MRDESI~1\AppData\Local\Temp\ssttxkx

Registry::
[-HKEY_CURRENT_USER\Software\Classes\clsid{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.

I think its dead…

Edit: Btw can you reference some strong defenses?

This is very new and as of now there are no defences against it, although give it a day or two and it should be caught. Not even combofix recognised it as bad :slight_smile:

Could I have one further run with OTL to confirm the reg key is history

Thank you so much! That bug was so annoying

In the mist of all of that, I deleted some files from my registry :frowning: out of desperation.
So just Avast free will be fine? I’m considering investing in the whole nine.

OK the reg entry is still there but inactive now, could you post the log that appears after reboot so that I can confirm it took

So lets now overwrite it with the legitimate key

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
@="ShellFolder for CD Burning"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
  00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,\
  65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\MergedFolder]
"Location"="@shell32.dll,-12591"
"Attributes"="0x0"
"AttributeMask"="0xffffffff"
"ConflictOverlayIcon"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,\
  6f,00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,\
  00,5c,00,69,00,6d,00,61,00,67,00,65,00,72,00,65,00,73,00,2e,00,64,00,6c,00,\
  6c,00,2c,00,2d,00,31,00,36,00,39,00,00,00


:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hello! The OTL froze on me…It was running for 1 Hour or so and I realized it failed "(

essexboy in bed now. Should be back in a few hours.

Could you temporarily uninstall MBAM please and run the fix again

MalwareBytes? Sorry to Ask

That is correct Malwarebytes, on some systems it gets uppity when OTL tries to close all processes

Thank you!

OK no success there as the malware has altered the permissions on that key, but I know how to get around that :slight_smile:

  1. Please download The Avenger by Swandog46 to your Desktop.
    [*]Right click on the Avenger.zip folder and select “Extract All…”
    [*] Follow the prompts and extract the avenger folder to your desktop
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

https://dl.dropbox.com/u/73555776/avenger.jpg

Begin copying here: 
Registry keys to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Now, open the avenger folder and start The Avenger program by clicking on its icon.

[*] Right click on the window under Input script here:, and select Paste.
[*] You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.

  1. The Avenger will automatically do the following:
    [*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
    [*]On reboot, it will briefly open a black command window on your desktop, this is normal.
    [*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    [*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  2. Please copy/paste the content of c:\avenger.txt into your reply along with a freshOTL log .

Its advising me the file appears malicious?

What the Avenger programme ?

The warning is based upon what this programme can do as it is very powerful, but it is safe

I cant find the Log o.0?