URL:MAL infected - Avast Web Shield block outbound ledoborota every few seconds

I keep getting "Threat has been detected" by Avast every few seconds. The infection is URL:MAL and the object is mostly http://ledoborota.com/aa/

How to receive help instructions: https://forum.avast.com/index.php?topic=53253.0
Attach the requested logs.

Read the instructions… attached are the four log files…

Try again, can’t see them.

attached are the log files…

Thanks…

OK, now you'll have to wait a bit…

You have a torpay encrypter on board as well.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quote box below into it:

HKU\S-1-5-21-3448572130-2369604375-1477226659-1003\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
2014-10-28 22:00 - 2014-10-28 22:00 - 00000000 _____ () C:\Users\NLE\AppData\Roaming\fqthy.dll
2014-10-28 21:45 - 2014-10-28 21:45 - 00000000 _____ () C:\Windows\system32\fqthy.dll
2014-10-28 20:33 - 2014-10-28 20:33 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-28 20:33 - 2014-10-28 20:33 - 00008536 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:33 - 2014-10-28 20:33 - 00008536 _____ () C:\Users\NLE\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:33 - 2014-10-28 20:33 - 00004208 _____ () C:\Users\Public\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:33 - 2014-10-28 20:33 - 00004208 _____ () C:\Users\NLE\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:33 - 2014-10-28 20:33 - 00000272 _____ () C:\Users\Public\INSTALL_TOR.URL
2014-10-28 20:33 - 2014-10-28 20:33 - 00000272 _____ () C:\Users\NLE\INSTALL_TOR.URL
2014-10-28 20:32 - 2014-10-28 20:32 - 00008536 _____ () C:\Users\NLE\Documents\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:32 - 2014-10-28 20:32 - 00008536 _____ () C:\Users\NLE\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:32 - 2014-10-28 20:32 - 00008536 _____ () C:\Users\NLE\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:32 - 2014-10-28 20:32 - 00008536 _____ () C:\Users\NLE\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:32 - 2014-10-28 20:32 - 00004208 _____ () C:\Users\NLE\Documents\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:32 - 2014-10-28 20:32 - 00004208 _____ () C:\Users\NLE\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:32 - 2014-10-28 20:32 - 00004208 _____ () C:\Users\NLE\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:32 - 2014-10-28 20:32 - 00004208 _____ () C:\Users\NLE\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:32 - 2014-10-28 20:32 - 00000272 _____ () C:\Users\NLE\Documents\INSTALL_TOR.URL
2014-10-28 20:32 - 2014-10-28 20:32 - 00000272 _____ () C:\Users\NLE\AppData\Roaming\INSTALL_TOR.URL
2014-10-28 20:32 - 2014-10-28 20:32 - 00000272 _____ () C:\Users\NLE\AppData\Local\INSTALL_TOR.URL
2014-10-28 20:32 - 2014-10-28 20:32 - 00000272 _____ () C:\Users\NLE\AppData\INSTALL_TOR.URL
2014-10-28 20:30 - 2014-10-28 20:30 - 00008536 _____ () C:\Users\NDT\Documents\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:30 - 2014-10-28 20:30 - 00004208 _____ () C:\Users\NDT\Documents\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:30 - 2014-10-28 20:30 - 00000272 _____ () C:\Users\NDT\Documents\INSTALL_TOR.URL
2014-10-28 20:24 - 2014-10-28 20:24 - 00008536 _____ () C:\Users\hien\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:24 - 2014-10-28 20:24 - 00008536 _____ () C:\Users\hien\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:24 - 2014-10-28 20:24 - 00008536 _____ () C:\Users\hien\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:24 - 2014-10-28 20:24 - 00008536 _____ () C:\Users\hien\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:24 - 2014-10-28 20:24 - 00008536 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:24 - 2014-10-28 20:24 - 00004208 _____ () C:\Users\hien\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:24 - 2014-10-28 20:24 - 00004208 _____ () C:\Users\hien\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:24 - 2014-10-28 20:24 - 00004208 _____ () C:\Users\hien\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:24 - 2014-10-28 20:24 - 00004208 _____ () C:\Users\hien\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:24 - 2014-10-28 20:24 - 00004208 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:24 - 2014-10-28 20:24 - 00000272 _____ () C:\Users\hien\INSTALL_TOR.URL
2014-10-28 20:24 - 2014-10-28 20:24 - 00000272 _____ () C:\Users\hien\AppData\Roaming\INSTALL_TOR.URL
2014-10-28 20:24 - 2014-10-28 20:24 - 00000272 _____ () C:\Users\hien\AppData\Local\INSTALL_TOR.URL
2014-10-28 20:24 - 2014-10-28 20:24 - 00000272 _____ () C:\Users\hien\AppData\INSTALL_TOR.URL
2014-10-28 20:24 - 2014-10-28 20:24 - 00000272 _____ () C:\ProgramData\INSTALL_TOR.URL
2014-10-28 20:05 - 2014-10-28 20:05 - 00000000 _____ () C:\Windows\system32\mvaptyu.dll
2014-10-28 20:04 - 2014-10-28 20:04 - 00000944 ____H () C:\ProgramData\@system2.att
2014-10-28 22:00 - 2014-10-28 22:00 - 00000000 __SHD () C:\Users\NLE\AppData\Local\EmieUserList
2014-10-28 22:00 - 2014-10-28 22:00 - 00000000 __SHD () C:\Users\NLE\AppData\Local\EmieSiteList
2014-10-28 22:00 - 2014-10-28 22:00 - 00000000 _____ () C:\Users\NLE\AppData\Roaming\mvaptyu.dll
2014-10-28 22:00 - 2014-10-28 22:00 - 00000000 _____ () C:\Users\NLE\AppData\Roaming\fqthy.dll
2014-10-28 21:45 - 2014-10-28 21:45 - 00000000 _____ () C:\Windows\system32\fqthy.dll
2014-10-28 20:33 - 2014-10-28 20:33 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
CustomCLSID: HKU\S-1-5-21-3448572130-2369604375-1477226659-1003_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download Anti-CryptorBit.zip to your desktop.
Extract Anti-CryptorBitV2 to the desktop and run it.

https://dl.dropboxusercontent.com/u/73555776/anticrypt.JPG

Select the file type you wish to decrypt and then follow the instructions.
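As an added example, not part of this thread and not code from FRST or Avast, here is a small Python script that applies the same triage the helper did by eye to FRST-style log lines: it parses the file entries, flags the CLSID LocalServer32 value that launches rundll32.exe with a javascript: argument (the fileless Poweliks persistence marked in the fixlist), decodes the visible part of the eval() string, builds a per-user "first ransom note dropped" timeline from the DECRYPT_INSTRUCTION.* and INSTALL_TOR.URL drops, and lists the zero-byte, random-named DLLs in system32 and Roaming. The sample lines are a constructed subset copied from the fixlist above. The only decoding assumption is that every character of the visible eval() fragment has been shifted up by one code point; shifting back yields document.write('<script language=jscr, and the rest of that string is not on this page.

```python
import re

# Constructed sample: a subset of the FRST entries from the fixlist above,
# one entry per line. Raw string so the Windows paths survive untouched.
SAMPLE_LOG = r"""
2014-10-28 22:00 - 2014-10-28 22:00 - 00000000 _____ () C:\Users\NLE\AppData\Roaming\fqthy.dll
2014-10-28 21:45 - 2014-10-28 21:45 - 00000000 _____ () C:\Windows\system32\fqthy.dll
2014-10-28 20:33 - 2014-10-28 20:33 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-10-28 20:33 - 2014-10-28 20:33 - 00008536 _____ () C:\Users\NLE\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:32 - 2014-10-28 20:32 - 00004208 _____ () C:\Users\NLE\Documents\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:30 - 2014-10-28 20:30 - 00000272 _____ () C:\Users\NDT\Documents\INSTALL_TOR.URL
2014-10-28 20:24 - 2014-10-28 20:24 - 00008536 _____ () C:\Users\hien\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:24 - 2014-10-28 20:24 - 00004208 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:05 - 2014-10-28 20:05 - 00000000 _____ () C:\Windows\system32\mvaptyu.dll
2014-10-28 20:04 - 2014-10-28 20:04 - 00000944 ____H () C:\ProgramData\@system2.att
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
CustomCLSID: HKU\S-1-5-21-3448572130-2369604375-1477226659-1003_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds
"""

# FRST file entry: created - modified - size attributes (company) path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# A CLSID whose LocalServer32 value is shown as "-> value" or ": value"
CLSID_RE = re.compile(
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\localserver32\s*(?:->|:)\s*(?P<value>.+)$", re.I
)
EVAL_RE = re.compile(r'eval\("(?P<blob>[^"]*)')
RANSOM_NOTES = {"DECRYPT_INSTRUCTION.HTML", "DECRYPT_INSTRUCTION.TXT", "INSTALL_TOR.URL"}
USER_RE = re.compile(r"^C:\\Users\\(?P<user>[^\\]+)\\", re.I)


def parse_frst(text):
    """Split log text into file entries (dicts) and everything else (raw)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["kind"] = "file"
            entries.append(d)
        else:
            entries.append({"kind": "other", "raw": line})
    return entries


def decode_shift(blob, shift=1):
    """Undo a per-character code-point shift (assumed +1 for the visible fragment)."""
    return "".join(chr(ord(c) - shift) for c in blob)


def find_poweliks(entries):
    """Flag COM LocalServer32 values that run rundll32.exe with a javascript: URL."""
    hits = []
    for e in entries:
        if e["kind"] != "other":
            continue
        m = CLSID_RE.search(e["raw"])
        if not m:
            continue
        value = m.group("value")
        if "rundll32" in value.lower() and "javascript:" in value.lower():
            ev = EVAL_RE.search(value)
            hits.append({
                "clsid": m.group("clsid"),
                "value": value,
                "decoded": decode_shift(ev.group("blob")) if ev else None,
            })
    return hits


def ransom_timeline(entries):
    """Earliest ransom-note creation time per profile; '<shared>' for non-user paths."""
    first_seen = {}
    for e in entries:
        if e["kind"] != "file":
            continue
        name = e["path"].rsplit("\\", 1)[-1].upper()
        if name not in RANSOM_NOTES:
            continue
        m = USER_RE.match(e["path"])
        user = m.group("user") if m else "<shared>"
        ts = e["created"]
        if user not in first_seen or ts < first_seen[user]:
            first_seen[user] = ts
    return sorted((ts, u) for u, ts in first_seen.items())


def suspicious_dlls(entries):
    """Zero-byte DLLs dropped in system32 or a Roaming profile, in log order."""
    out = []
    for e in entries:
        if e["kind"] != "file":
            continue
        p = e["path"].lower()
        if p.endswith(".dll") and e["size"] == 0 and (
            "\\windows\\system32\\" in p or "\\appdata\\roaming\\" in p
        ):
            out.append(e["path"])
    return out


if __name__ == "__main__":
    ents = parse_frst(SAMPLE_LOG)
    for h in find_poweliks(ents):
        print("Poweliks-style CLSID hijack:", h["clsid"])
        print("  decoded fragment:", h["decoded"])
    for ts, user in ransom_timeline(ents):
        print("first ransom note:", ts, user)
    for p in suspicious_dlls(ents):
        print("empty DLL:", p)
```

The timeline is the useful part for a helper: on this machine the notes land in the hien profile and ProgramData at 20:24, NDT at 20:30 and NLE at 20:32, which tells you which profile the encryptor ran under and where to look for its staging file (wrnhoah.tmp at 20:33 in the sample is the only non-zero, non-note file created in that window).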

Thanks…

I just applied the fix… attached is the Fixlog file… will run the CryptorBit fix now and will update the result later…

NDT

Seems like the issue of the outbound URL is fixed…

But for the torpay encryptor issue: when I tried to fix a folder of JPG files by running the Anti-CryptorBitV2 scan, it scanned and completed, but when I look at the folder it is completely empty… neither fixed nor original JPGs in that folder…

Any suggestion on the whereabouts of those JPGs?

Thanks again

I will have to bring that up with the author of the programme; meanwhile, how is the computer running?

Any word on where I can find those JPG files?

Thanks again…

There is no way that should have been done, as the original files were left in their location.

Are the files hidden?

Follow these steps to display hidden files and folders.

- Open Folder Options by clicking the Start button, clicking Control Panel, clicking Appearance and Personalization, and then clicking Folder Options.
- Click the View tab.
- Under Advanced settings, click Show hidden files and folders, and then click OK.

Did that… No files shown…

I tried one encrypted JPG file (I still have corrupted/encrypted ones in other folders) again and sure enough it disappeared after the attempted fix… attached is a screenshot of what I did…

No reply from the author yet; I will try again.