URL:Mal infection fixed by MBAM?

This may be more appropriate in one of the other forums, so apologies in advance if that’s the case …

I’ve just started using Avast Free on our family computers (so first time on this forum) and on one of them, it very quickly began indicating that it was blocking an infection which I’ve seen mentioned in other posts in this category:

Infection details:
URL: <some random URL, often with a complex query string; sometimes with a host name and others with an IP address for the host>
Infection: URL:Mal
Process: C:\Windows\SysWOW64\regsvr32.exe

As mentioned, I found other posts for this same problem in this forum, so I began following the instructions in “Logs to assist in cleaning malware” thread (https://forum.avast.com/index.php?topic=53253.0). I followed the steps in downloading and running, in order: Malwarebytes Anti-malware (MBAM), FRST and aswMBR, collecting logs from each run.

MBAM indicated that it found 3 problems; one Registry value and two files, which I instructed it to quarantine. While I still ran the other two tools after rebooting post-MBAM, it’s now been about 2.5 hours, and Avast has not logged a single infection attempt. Before this, while they would come in spurts, it wouldn’t be longer than maybe 15-20 minutes before getting another.

I realize I may have just jinxed myself (or maybe I'm just naive) by thinking it may be fixed … but could MBAM resolve this?

Thanks in advance for any feedback.

There may be leftover files to remove, so attach the two diagnostic logs from FRST.

Since it is midnight in Europe you may not receive a reply from the malware experts today.

Attached are the logs from FRST (slightly obfuscated to remove computer and usernames). Also, I forgot to include … as mentioned, the problems were quarantined by MBAM, but should they be removed entirely (in case MBAM is uninstalled)?

but should they be removed entirely (in case MBAM is uninstalled)?
They already are (almost). Quarantine gives you the option to restore in case of false positives or other problems. You can delete items in quarantine, but there is no rush; I usually let items stay there for a couple of weeks before I empty it. And if Malwarebytes is uninstalled, everything in quarantine is also gone.

We need the logs as they are created.
Do not alter/change them or we can not help you.

Looks like MBAM killed it all … Any further problems ?

Apologies, but the only information changed was the Windows computer and username as they conveyed PII; everything else is as generated by the tools.

Avast has yet to pop up with another alert since rebooting after running MBAM, so fingers crossed that it has been resolved. :)

Though I am curious as to why Avast’s own scanning didn’t pick it up … it obviously knew something was amiss because it was blocking it, but when I ran Avast’s full AV scan, it thought everything was fine. Is it just part of the idea of using multiple tools given malware evolution keeps leap-frogging products (and eventually Avast would pick this up too)?

As a follow-on to this (for my own personal edification), is there a resource to learn more about what exactly Avast was blocking? Was it indicating that regsvr32.exe was trying to initiate an outbound connection to those bogus URLs, or that it was blocking an inbound connection attempt? If the latter, I’ve run the GRC Shields Up scanner which indicates that my firewall is blocking all inbound ports, so not really sure what’s going on with this incident (and concerned something else may be involved).

If these are more appropriate questions for the general forum, I’m happy to repost there. Thanks!

OK, you had a variant of the Poweliks-type Trojan: http://www.zdnet.com/article/poweliks-trojan-goes-fileless-to-evade-detection-and-removal/
https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html

Now, as there is no file associated with this, just a Run entry, it is hard to detect. However, Avast does block it from calling home; it just does not recognize it.
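The reply above describes persistence that lives only in a Run entry and launches a signed Windows binary (here regsvr32.exe) which then calls out to the network. The script below is an added example for checking a machine for that pattern; it is not something posted in the thread or part of any Avast, Malwarebytes or FRST tooling. The list of autostart keys, the binary names and the payload markers it matches on are my own choices and are heuristics, not proof of infection; it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and should be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): list Run entries that launch a Windows
# binary with script or URL arguments, and show whether any regsvr32.exe
# process currently holds outbound TCP connections.

# Autostart locations to inspect. This list is an assumption for the example;
# a full autoruns sweep also covers services, scheduled tasks, WMI, etc.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Signed Windows binaries that are commonly used to run script or remote
# content without dropping a file. Matching on these alone is only a hint.
$lolbins = 'regsvr32\.exe|rundll32\.exe|mshta\.exe|wscript\.exe|cscript\.exe|powershell\.exe|cmd\.exe'
# Argument fragments that a legitimate Run value should not contain.
$markers = 'javascript:|vbscript:|scrobj\.dll|/i:|https?://|-enc|-e '

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            # Empty or non-printable value names are used to hide entries
            # from regedit and from naive scripts; treat them as suspicious.
            $oddName = ($name -eq '') -or ($name -match '[^\x20-\x7E]')
            $hit = ($data -match $lolbins) -or ($data -match $markers) -or $oddName
            if ($hit) {
                [pscustomobject]@{
                    Key    = $key
                    Name   = if ($name -eq '') { '(default)' } else { $name }
                    Data   = $data
                    Reason = @(
                        if ($data -match $lolbins) { 'windows binary' }
                        if ($data -match $markers) { 'script/url marker' }
                        if ($oddName)              { 'odd value name' }
                    ) -join ','
                }
            }
        }
    }
}

function Get-RegsvrNetwork {
    # The command line shows what regsvr32 was asked to load; a legitimate
    # call names a DLL on disk, not a URL or a script. Remote endpoints answer
    # the question of whether the process is initiating outbound traffic.
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'regsvr32.exe'"
    foreach ($p in $procs) {
        $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
                 Where-Object { $_.State -ne 'Listen' }
        [pscustomobject]@{
            PID         = $p.ProcessId
            Parent      = $p.ParentProcessId
            CommandLine = $p.CommandLine
            Remote      = ($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ' '
        }
    }
}

Get-SuspiciousRunEntries | Format-List
Get-RegsvrNetwork        | Format-List
```

Anything the first function reports should be checked by hand before deleting it (some legitimate installers do use rundll32 or cmd in Run values); what you are looking for is a Windows binary being handed a URL, a `javascript:` string or a non-file argument. A regsvr32.exe process with established remote connections and no DLL path on its command line is the outbound call-home behaviour the blocked URL:Mal alerts correspond to.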