URL: Mal Avast warnings - http://etpsoprc.ru/a/, http://specrtop.org/a/

Today I plugged in a flash drive I use for printing at the local print shop. When I plugged it in it gave continuous messages of a detected threat on the drive but I couldn’t remove it no matter what I did. What’s more, after removing my flash drive Avast started informing me of malicious sites (http://etpsoprc.ru/a/, http://specrtop.org/a/) even when I’d closed all internet browsers. When I googled the problem I stumbled on one of the previous similar topics and I installed McShield. Problem is OTL won’t install and my Malwarebytes doesn’t open, so I tried reinstalling it but the install wizard would start running then terminate. Please help!

P.S.: I get these warnings once in about every two hours

Welcome to avast!

[*] I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
[*] The fixes are specific to your problem and should only be used for this issue on this machine.
[*] If you don’t know or understand something, please don’t hesitate to ask.
[*] Please refrain from making any further changes to your computer (Install/Uninstall programs, delete files, edit the registry, etc…)
[*] Please DO NOT run any other tools or scans whilst I am helping you.
[*] It is important that you reply to this thread. Do not start a new topic.
[*] Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
[*] Absence of symptoms does not mean that everything is clear.


Start → All Programs → MCShield → Logs

Please attach here AllScans.txt

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds to run the tool.

* When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

Save both reports to your desktop. Attach DDS.txt and Attach.txt back to the topic.

I saved DDS on the desktop just like you said but when I ran it it just terminated. No log files were created. The second time I tried to run it it showed a window saying DDS is starting for a moment and again it just vanished.

Something is killing diagnostic tools.

Follow the guide at the link below for running and posting logs from RogueKiller
http://forum.avast.com/index.php?topic=53253.0

Attach here all RKreport.txt logs.

THEN =====

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Just one question before I start with RogueKiller - it says I have to close all programs before executing the file. Does that include Skype (I’m not using it right now but I’m online and it’s on the taskbar notification area)?

EDIT: I ran RogueKiller without turning off my avast though (I simply forgot). I’m attaching the log files from both programs.

And why don’t you shut down Skype? It will be started again after a system reboot.
Don’t worry too much. :wink: RK also attempts to close all running programs and processes.

I turned it off ;D but I forgot to turn off other stuff.

Since apparently there’s a limit to the number of files one can attach I’ve edited my last post and attached there most of the files and here I’m attaching the last one.

Do you know where you downloaded this malware from? What did you do with your PC / browsers before the problems started?
I’m trying to catch the source of this malware, that’s why I ask. You can send me that info by PM, if you will.

If you have something like this in Programs and Features, uninstall it.
Spigot, Inc or Application Updater or Search Settings

Uninstall:
FreeRIP Toolbar v7.2 (x32 Version: 7.2)
there is no need to remove “FreeRIP3 3.70 (x32 Version: 3.70)”, just its related toolbar

Malware Removal

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


HKCU\...\Run: [ee] C:\Users\Lenovo\AppData\Roaming\f81\ee.js [48929 2013-06-23] ()
MountPoints2: {15998a67-702c-11e2-9654-9439e59642f7} - F:\install.exe
Startup: C:\ProgramData\Start Menu\Programs\Startup\b349.js ()
Startup: C:\Users\Lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b349.js ()
URLSearchHook: (No Name) - {E634228A-03CF-4BC8-B0AB-668257F1FD8C} -  No File
Toolbar: HKCU - No Name - {EBF2BA02-9094-4C5A-858B-BB198F3D8DE2} -  No File
(Spigot, Inc.) C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
HKLM-x32\...\Run: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe" [1302336 2013-06-07] (Spigot, Inc.)
BHO-x32: FreeRIP Toolbar - {E634228A-03CF-4BC8-B0AB-668257F1FD8C} - C:\Program Files (x86)\FreeRIP Toolbar\IE\7.2\freeripToolbarIE.dll (Spigot, Inc.)
Toolbar: HKLM-x32 - FreeRIP Toolbar - {E634228A-03CF-4BC8-B0AB-668257F1FD8C} - C:\Program Files (x86)\FreeRIP Toolbar\IE\7.2\freeripToolbarIE.dll (Spigot, Inc.)
C:\Users\Lenovo\AppData\Roaming\f81
C:\ProgramData\Start Menu\Programs\Startup\b349.js
C:\Users\Lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b349.js
C:\Users\Lenovo\AppData\Roaming\f81
C:\Program Files\e71
C:\f9955
C:\Program Files (x86)\Application Updater
C:\Program Files (x86)\Common Files\Spigot\Search Settings
C:\Program Files (x86)\FreeRIP Toolbar
Folder: C:\g09w
Folder: C:\Program Files (x86)\RegistryNuke 2012
Folder: C:\Users\Lenovo\AppData\Roaming\Systweak


  2. Save notepad as fixlist.txt
    NOTE. It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  3. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

Re-check:

Re-run FRST, just click on the Scan button (no additional options required) and attach the fresh FRST.txt log here.

First I must say that my control panel stares at me blankly. I can’t get to the programs and features menu. ://

On your other question:

To be honest I’m not sure, but I’m afraid it’s caused by huge negligence on my part! :confused: I had my laptop “furnished” with whatever minimum of software one requires (Windows, internet browser and so on, including the avast antivirus and Malwarebytes) by a friend of a friend and I didn’t actually use Malwarebytes much. I used it only once or twice for the flash drives when I had doubts there’s a virus when avast wasn’t so effective but that was about it. A few months ago I noticed that there’s a problem with Malwarebytes when I was at the university with my laptop and I tried to scan a colleague’s flash drive before opening it but the program didn’t start. I’m not much of a computer person and I tend to neglect things that don’t need my immediate attention so I thought I messed up when cleaning my computer and that’s why the program won’t start but till today I never actually tried to reinstall it.

Today for the first time things became critical and it’s just like I said in the first post but I have doubts about something else too. The computers in my university are old and in most cases have expired antivirus programs and are famous for being filled with viruses (and maintenance costs money so they don’t really fix that) (and I have had really big problems too with viruses caught from them). Truth is, before going to the print shop I gave my professor my USB so he can give me the lectures which of course were on a university computer and then I went straight to the print shop and then we get back to the beginning of my first post.

Thanks for info.

Skip that step and create script for FRST and run it.

Ok it’s done.

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


HKCU\...\Run: [ee] C:\Users\Lenovo\AppData\Roaming\f81\ee.js [x]
Startup: C:\ProgramData\Start Menu\Programs\Startup\bb.js ()
Startup: C:\Users\Lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bb.js ()
C:\Users\Lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\ProgramData\Start Menu\Programs\Startup\*.js
C:\Users\Lenovo\AppData\Roaming\f81\*.js
C:\Users\Lenovo\AppData\Roaming\f81
C:\Program Files\e71
C:\f9955

  2. Save notepad as fixlist.txt
    NOTE. It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  3. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

========= Next =========

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: C:\[b]ComboFix.txt[/b])
Attach the log report (ComboFix.txt) back to the topic.
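A small triage helper, added here as an example and not a tool from the thread or from FRST: it parses FRST-style Run, Startup and MountPoints2 lines such as the ones in the two fixlists above and flags the patterns the helper removed, namely script files (.js and similar) launched at logon, a MountPoints2 autorun pointing at a removable drive, and unsigned entries under AppData or ProgramData. The sample log is constructed from the thread's entries plus one made-up benign line as a control; the "unsigned in user-writable path" rule is a heuristic, not proof of infection.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input, modelled on the FRST.txt entries quoted in the two fixlists above;
# the final "Example" entry is made up as a benign control.
SAMPLE_FRST = r"""
HKCU\...\Run: [ee] C:\Users\Lenovo\AppData\Roaming\f81\ee.js [48929 2013-06-23] ()
HKLM-x32\...\Run: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe" [1302336 2013-06-07] (Spigot, Inc.)
MountPoints2: {15998a67-702c-11e2-9654-9439e59642f7} - F:\install.exe
Startup: C:\ProgramData\Start Menu\Programs\Startup\b349.js ()
Startup: C:\Users\Lenovo\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b349.js ()
HKLM\...\Run: [Example] "C:\Program Files\Example\example.exe" [12345 2013-01-01] (Example Corp)
"""

# Extensions handled by the Windows Script Host / mshta rather than loaded as native code.
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# One pattern per FRST line kind: Run-key entries, Startup-folder entries, MountPoints2 entries.
# FRST prints the publisher in the trailing parentheses; "()" means it found none.
RUN_RE = re.compile(r'^HK\w+(?:-x32)?\\\.\.\.\\Run: \[[^\]]*\] "?(?P<path>[^"\[]+?)"? \[.*\] \((?P<pub>[^()]*)\)$')
STARTUP_RE = re.compile(r'^Startup: (?P<path>.+?) \((?P<pub>[^()]*)\)$')
MP_RE = re.compile(r'^MountPoints2: \{[0-9a-f-]+\} - (?P<path>.+)$', re.I)


def triage_line(line):
    """Return (reason, path) for a suspicious autorun line, or None for benign or unparsed lines."""
    line = line.strip()
    if m := MP_RE.match(line):
        # A MountPoints2 entry carrying a command records an autorun.inf seen on a removable
        # drive; the thread's F:\install.exe is the classic USB-spread pattern.
        return ("mountpoints2 autorun", m["path"])
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    path, pub = m["path"].strip(), m["pub"]
    if PureWindowsPath(path).suffix.lower() in SCRIPT_EXT:
        return ("script-file autorun", path)  # a .js in Run/Startup, exactly what the fixlists remove
    low = path.lower()
    if ("\\appdata\\" in low or "\\programdata\\" in low) and pub == "":
        return ("unsigned autorun in user-writable path", path)  # heuristic: worth a look, not proof
    return None


def triage(text):
    """Run triage_line over a whole FRST log and return the (reason, path) hits in log order."""
    return [hit for ln in text.splitlines() if (hit := triage_line(ln))]


if __name__ == "__main__":
    for reason, path in triage(SAMPLE_FRST):
        print(f"{reason:42} {path}")
```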

Err… I haven’t restarted my computer… I unchecked the avast! self-defence then avast asked something of which I only read “unless the action was intentional” (Yes/No) and there were some countdown on the “No” option and I hurriedly clicked “Yes”. and Avast died and ComboFix won’t run >.<

There is no need to panic. All is well. :wink: Disable avast, delete the old ComboFix (drag & drop into the Recycle Bin), download a fresh ComboFix and re-run it.

Attach here the FRST log created after fixing and the fresh CF log.

edit: Ok, I’ve now seen the FRST log. Please feel free to proceed with fresh ComboFix. :wink:

Uhmmm… I can’t continue with the other steps on the avast disabling because avast won’t run again. Also should I skip that step and directly go on with downloading fresh CF? I’ve uploaded my FRST log file to my previous post.

How do you mean avast won’t run?
ComboFix will run with avast enabled too. CF will warn you that avast is enabled, but it will run. Try it like that; if not, we will use another tool. :wink:

I deleted old CF and downloaded it again - it would not run. It starts and before I can click “I agree” on the disclaimer it vanishes into nothingness ://

Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:



process;
srinfo;
installedprogs;
DIR /S /A:L "%systemdrive%\*">>"%temp%\log.txt";b
f81;z
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;


[*] Click on the Run Script by zoek button (shown here: http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png)
Please wait until a log report opens (this can be after a reboot)

[*] Save notepad to your Desktop and attach here zoek-results.log

Note: It will also create a log in the C:\ directory named “zoek-results.log”

Well… that dies too ;D I’ll try downloading it again and try again XD

nope it doesn’t come to life XD