URL:Mal

Hi,

A few days ago, a laptop in the house was being swarmed by pop-ups in the Chrome browser. I also noticed the presence of undesired software through Control Panel > Programs (I can’t remember the name of these except one called LAVASOFT).

I then installed Avast which detected 5 threats using a full system scan. All of these were quarantined in the virus chest and subsequently deleted. Also, I noticed IE’s homepage had been changed to a page which looked like google, but the address bar was something else (can’t remember the name). I then ran Avast’s browser clean up tool which found and removed many low rated addons.

I then rescanned the computer, which showed no threat. However, these undesired programs were still present. After searching for them, the setups for these were found in the AppData > Local > Temp folder. Again I scanned this folder and no threat was found, so I deleted the files in it along with Chrome.
After restarting the computer, Avast kept detecting (maybe twice an hour) a threat which went something along the lines of:
Object: www.reddie…
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe

Whilst these detections were happening, the laptop was downloading and installing Windows updates. For whatever reason, these weren’t set to automatic prior to this and so this was about 900 MB worth of updates. I noticed some of these updates were related to ‘security’ and thought they would maybe cure the problem.

After the necessary restart, Avast stopped detecting the above issue and instead detected this:
Object: C:\ProgramData\2355320829\BIT782D.tmp
Infection: Win32:Malware-gen
Action: Moved to chest
Process: C:\Windows\System32\regsvr32.exe

Since these (two files) have been moved to the chest, there have been no more detections (for days). Also, when running a full system scan no viruses are found. The browser tool doesn’t detect any issues and IE’s homepage has returned to Bing.

I’m not entirely convinced the computer is safe and would like some help/advice to make it safe. During this time I’ve had a look online and seen in such cases there are necessary malware removal steps to take. Perhaps I should’ve done this initially, but it is too late now. Am I still required to go through these steps and if so where do I start?

Thanks in advance
Apologies for the long post. I just think it is helpful to note everything that has happened since the problem was first discovered.

UPDATE:
Since writing the above, I have found & read the pinned posts on this forum.

What to do if a file is infected?

  1. Detection: As described above, there were many pop-ups etc and then Avast was installed which found threats when running the first ‘Full System Scan’.
  2. Unsure
  3. Unsure
  4. Unsure
  5. Avast threat messages shown above

Logs to assist in cleaning malware

Logs attached

I also noticed the presence of undesired software through control panel > programs (I can’t remember the name of these except one called LAVASOFT).
Lavasoft are the makers of Ad-Aware, one of the first and oldest antispyware tools on the market (http://www.lavasoft.com/); however, today it has grown into a full AV and should not be installed alongside Avast, to avoid conflicts.

Ok, I was unaware of this. This was not deliberately installed and was deleted/uninstalled along with other unwanted software.

Could you let me know what problems remain after this

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-3734108538-4171573795-3532242721-1000\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10m_ActiveX.exe [234656 2014-10-15] (Adobe Systems, Inc.)
AppInit_DLLs-x32: c:\users\my\appdata\local\linkey\ieexte~1\iedll.dll => "c:\users\my\appdata\local\linkey\ieexte~1\iedll.dll" File Not Found
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Best Buy pc app.lnk
ShortcutTarget: Best Buy pc app.lnk -> C:\ProgramData\Best Buy pc app\ClickOnceSetup.exe (Microsoft)
HKU\S-1-5-21-3734108538-4171573795-3532242721-1000\...\Run: [Best Buy pc app] => C:\Users\MY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Best Buy\Best Buy pc app.appref-ms
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO: No Name -> {1a860f0e-95ad-414b-8fda-e13c24f11666} -> No File
BHO: No Name -> {5b4383cd-0247-4cb0-9ce5-4dc33d6df091} -> No File
BHO: No Name -> {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} -> No File
BHO-x32: No Name -> {1a860f0e-95ad-414b-8fda-e13c24f11666} -> No File
BHO-x32: No Name -> {5b4383cd-0247-4cb0-9ce5-4dc33d6df091} -> No File
BHO-x32: No Name -> {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} -> No File
FF Plugin: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
FF Plugin-x32: @bestbuy.com/npBestBuyPcAppDetector,version=1.0 -> C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
2015-01-23 14:38 - 2015-01-23 14:38 - 00000000 __SHD () C:\Users\MY\AppData\Local\EmieUserList
2015-01-23 14:38 - 2015-01-23 14:38 - 00000000 __SHD () C:\Users\MY\AppData\Local\EmieSiteList
2015-01-23 14:38 - 2015-01-23 14:38 - 00000000 __SHD () C:\Users\MY\AppData\Local\EmieBrowserModeList
2015-01-15 17:46 - 2015-01-15 17:46 - 00000000 ____D () C:\ProgramData\ahlmpoekdbbhlbbcmeccplokadbfnjia
2015-01-15 17:45 - 2015-01-23 14:27 - 00000000 ____D () C:\ProgramData\freedeliivery
2015-01-15 17:44 - 2015-01-23 14:27 - 00000000 ____D () C:\ProgramData\FeReEdelivery
2015-01-15 17:44 - 2015-01-15 17:46 - 00000000 ____D () C:\ProgramData\32956b06f1fc5b03
2015-01-12 19:03 - 2015-01-12 19:03 - 00792288 _____ (DownloadAstro) C:\Users\MY\Downloads\itunes.exe
2014-12-26 13:18 - 2014-12-26 13:18 - 00000264 _____ () C:\prefs.js
2014-12-26 13:18 - 2014-12-26 13:18 - 00000000 ____D () C:\searchplugins
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

  1. Close all open programs and internet browsers.
  2. Double click on AdwCleaner.exe to run the tool.
  3. Click on Scan.
  4. After the scan is complete click on “Clean”.
  5. Confirm each time with Ok.
  6. Your computer will be rebooted automatically. A text file will open after the restart.
  7. Please post the content of that logfile with your next answer.
  8. You can find the logfile at C:\AdwCleaner[S1].txt as well.
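The fixlist above is specific to this machine, but the locations it touches (Run/RunOnce keys, AppInit_DLLs, Startup-folder shortcuts, Browser Helper Objects with no backing file, Chrome policies in HKLM\SOFTWARE\Policies\Google, and queued BITS jobs, which are what the BIT782D.tmp detection and the `bitsadmin /reset /allusers` line relate to) are the standard places adware of this kind persists. The following script is an added example, not part of this thread and not FRST's or Avast's code: a read-only audit of those same locations so a reader can see what FRST reported before deciding what to remove. It assumes Windows 7 or later with PowerShell 5.1, an elevated prompt (needed for `Get-BitsTransfer -AllUsers`), and takes the profile SID as a parameter, defaulting to the SID that appears in the fixlist.

```powershell
# Added example (not from the thread): read-only audit of the persistence
# locations listed in the FRST fixlist above, plus queued BITS jobs.
# Assumes Windows 7+ with PowerShell 5.1, run from an elevated prompt.
# Nothing here deletes or changes anything; it only reports.
param(
    # Profile SID to inspect; defaults to the SID that appears in the fixlist.
    [string]$UserSid = 'S-1-5-21-3734108538-4171573795-3532242721-1000'
)

$HKLM = 'Registry::HKEY_LOCAL_MACHINE'
$HKU  = "Registry::HKEY_USERS\$UserSid"

# Print every value under a registry key, skipping the PS* bookkeeping properties.
function Show-RegValues([string]$Path, [string]$Label) {
    if (-not (Test-Path $Path)) { return }
    Write-Host "== $Label  [$Path]"
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Host ("  {0,-28} {1}" -f $_.Name, $_.Value) }
}

# 1. Run / RunOnce for the machine (64- and 32-bit views) and for the chosen user.
foreach ($base in @("$HKLM\SOFTWARE", "$HKLM\SOFTWARE\Wow6432Node", "$HKU\SOFTWARE")) {
    foreach ($k in 'Run', 'RunOnce') {
        Show-RegValues "$base\Microsoft\Windows\CurrentVersion\$k" $k
    }
}

# 2. AppInit_DLLs: a DLL listed here is loaded into every process that loads user32.dll.
foreach ($base in @("$HKLM\SOFTWARE", "$HKLM\SOFTWARE\Wow6432Node")) {
    Show-RegValues "$base\Microsoft\Windows NT\CurrentVersion\Windows" 'AppInit_DLLs'
}

# 3. Startup-folder shortcuts, resolved to their targets (FRST's ShortcutTarget lines).
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") +
    (Get-ChildItem "$env:SystemDrive\Users" -Directory |
        ForEach-Object { "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" })
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        $state  = if ($target -and (Test-Path $target)) { 'present' } else { 'MISSING' }
        Write-Host ("Startup: {0} -> {1} ({2})" -f $_.FullName, $target, $state)
    }
}

# 4. Browser Helper Objects: a CLSID still registered but with no DLL on disk
#    is the "No File" case the fixlist removes.
foreach ($base in @("$HKLM\SOFTWARE", "$HKLM\SOFTWARE\Wow6432Node")) {
    $bhoKey = "$base\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $dll = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                    -ErrorAction SilentlyContinue).'(default)'
        $state = if ($dll -and (Test-Path ([Environment]::ExpandEnvironmentVariables($dll)))) { $dll } else { 'No File' }
        Write-Host ("BHO: {0} -> {1}" -f $clsid, $state)
    }
}

# 5. Chrome policies: adware commonly forces extensions or a homepage through HKLM policy keys.
Show-RegValues "$HKLM\SOFTWARE\Policies\Google\Chrome" 'Chrome policy'
Show-RegValues "$HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" 'Forced extensions'

# 6. BITS jobs for all users. Files named BIT####.tmp are the temporary files
#    BITS writes while a transfer is in progress; the job shows where they came from.
Import-Module BitsTransfer
Get-BitsTransfer -AllUsers | ForEach-Object {
    $files = ($_.FileList | ForEach-Object { "$($_.RemoteName) -> $($_.LocalName)" }) -join '; '
    Write-Host ("BITS: {0} [{1}] owner={2} {3}" -f $_.DisplayName, $_.JobState, $_.OwnerAccount, $files)
}
```

Run it as `.\audit-persistence.ps1` from an elevated PowerShell window, or pass `-UserSid` for another profile. Comparing its output before and after the FRST fix and the `bitsadmin /reset` is a quick way to confirm that the entries FRST flagged (and the BITS job that was writing the BIT*.tmp file) are actually gone, rather than relying only on the absence of new antivirus alerts.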

Here is the fixlog.

I’ll now do the AdwCleaner step and post that log shortly

…and here is the AdwCleaner log.

NOTE: As stated in the first post, the Avast threat detections ceased after the second full system scan (2 files moved to chest), which was performed before I posted on this forum. Also, the pop-ups occurred in Chrome and I have since deleted the browser.

Should I reinstall Chrome now, as I’d like to resume using it, and let you know if any pop-ups occur?

Also, should I leave the software which aided the removal process (i.e. AdwCleaner, MBAM, etc.) on the computer?

Do the logs tell you if the computer is still infected, if so is it?

Sorry for all the questions. I’m a complete fish/noob at this

No problem, questions are good

Should I reinstall Chrome now, as I'd like to resume using it, and let you know if any pop-ups occur?
Yes do that please
Also, should I leave the software which aided the removal process (i.e. AdwCleaner, MBAM, etc.) on the computer?
I will safely remove these when you are happy
Do the logs tell you if the computer is still infected, if so is it?
It looks OK now but let me know how it behaves after you re-install Chrome

Ok, I’ve now installed and opened Chrome. I’ve had it open and been on a few sites for the last five minutes or so. Everything seems fine. I’ve been told the initial problem (multiple pop-ups) started as soon as Chrome was launched. This problem is no longer occurring. Also, the Avast detections have completely stopped.

Thank you very much for your assistance and fast response!

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done, run it again and select Update Java Runtime > Download and install latest version.

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down the system and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

It has been about a day and I’ve completed the final steps. Everything seems fine and back in working order.

Thank you very much Essex. Your help is much appreciated!

Glad to assist :slight_smile: