Virus/malware http://ledoborota.com/aa/ issue

Please help:

I am using a Windows 7 Enterprise Service Pack 1 laptop.

Avast Web Shield is popping up alerts frequently, whether a browser window is open or not, with the messages below, and the system performance (speed) is very bad.

Avast Webshield has blocked a harmful web page or file:
url: http//ledoborota.com/aa/
infection: URL: Mal
Process: C:\Windows\SysWow64\svchost.exe

Avast Webshield has blocked a harmful web page or file:
url: http//5.45.73.129/aa/
infection: URL: Mal
Process: C:\Windows\SysWow64\svchost.exe

These pop up alternately every minute or so.

I ran Malwarebytes, Spyhunter and Ad-aware, but this didn’t help.

Any advice will be appreciated.

Attach your basic logs. (MBAM, FRST and aswMBR…!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Hi Asyn

Please find attached the requested scan logs

OK, now you’ve to wait a bit…

Let me know if this cures it

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-3334297939-1607799122-1342077548-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO: No Name -> {8F0A6D91-0239-8F9F-526C-ABE83BC2DE26} -> No File
BHO-x32: No Name -> {8F0A6D91-0239-8F9F-526C-ABE83BC2DE26} -> No File
2014-10-28 22:10 - 2014-10-28 22:11 - 00000000 ____D () C:\ProgramData\MFAData
2014-10-28 22:10 - 2014-10-28 22:10 - 00000000 ____D () C:\Users\user2\AppData\Local\MFAData
2014-10-28 22:10 - 2014-10-28 22:10 - 00000000 ____D () C:\Users\user2\AppData\Local\Avg2015
2014-10-28 21:42 - 2014-10-28 21:43 - 00000000 ____D () C:\Windows\ACF5FE1B377240688B872D2A6EFD0A05.TMP
2014-10-28 19:51 - 2014-10-28 19:51 - 00070144 _____ () C:\Users\user2\AppData\Roaming\iewkzz.dll
2014-10-28 19:51 - 2014-10-28 19:51 - 00004040 _____ () C:\Windows\System32\Tasks\{4E32FC5A-8CBE-F61B-A8E6-D5A773AC47B4}
2014-10-28 19:51 - 2014-10-28 19:51 - 00000000 _____ () C:\Users\user2\AppData\Roaming\rmxvpr.dll
2014-10-23 20:15 - 2014-10-23 20:15 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
CustomCLSID: HKU\S-1-5-21-3334297939-1607799122-1342077548-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {17A7233C-242E-4E89-AC93-3FBCAD76D081} - System32\Tasks\{4E32FC5A-8CBE-F61B-A8E6-D5A773AC47B4} => C:\Users\user2\AppData\Roaming\iewkzz.dll [2014-10-28] () <==== ATTENTION
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete, click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
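
Added example (not part of the original posts and not FRST's own code): a small triage script for the two persistence patterns the fixlist above marks, a localserver32 value that launches rundll32.exe with a javascript: URL, and a scheduled task that points at a DLL in AppData\Roaming. The sample log is constructed with placeholder SID and GUIDs, the rule names are hypothetical, and the shift-by-one decoding is an assumption drawn from the fragment visible in the fixlist.

```python
import re

# Constructed sample in the style of the fixlist above; SID and GUIDs are placeholders.
SAMPLE_LOG = r'''
CustomCLSID: HKU\S-1-5-21-0-0-0-1000_Classes\CLSID\{00000000-0000-0000-0000-000000000001}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu
Task: {00000000-0000-0000-0000-000000000002} - System32\Tasks\{00000000-0000-0000-0000-000000000003} => C:\Users\user2\AppData\Roaming\iewkzz.dll [2014-10-28] ()
HKLM\...\Run: [Example] => C:\Program Files\Example\example.exe
'''

# Hypothetical rule names; the patterns mirror the two entry types flagged in the fixlist.
RULES = [
    ("script-in-registry-value",
     re.compile(r"rundll32(\.exe)?\s+javascript:.*mshtml,\s*RunHTMLApplication", re.I)),
    ("task-runs-dll-from-roaming",
     re.compile(r"^Task:.*=>.*\\AppData\\Roaming\\[^\\]+\.dll\b", re.I)),
]
# Captures whatever follows eval(" up to the next quote or the end of the line.
EVAL_ARG = re.compile(r'eval\("([^"]*)')


def unshift(fragment, shift=1):
    """Undo a per-character +shift encoding (assumed shift of 1)."""
    return "".join(chr(ord(c) - shift) for c in fragment)


def triage(log_text):
    """Return (line_number, rule_name, decoded_preview_or_None) per suspicious line."""
    findings = []
    for number, line in enumerate(log_text.strip().splitlines(), 1):
        for name, pattern in RULES:
            if not pattern.search(line):
                continue
            match = EVAL_ARG.search(line)
            preview = unshift(match.group(1)) if match else None
            findings.append((number, name, preview))
    return findings


if __name__ == "__main__":
    for number, name, preview in triage(SAMPLE_LOG):
        suffix = f" (decoded: {preview})" if preview else ""
        print(f"line {number}: {name}{suffix}")
```
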

Thanks essexboy and Asyn

The pop seems to have gone. However I am seeing that the system performance has slowed down a bit, not sure what could be the problem.

Here are the latest logs

Thanks

Could you defragment the hard drive, as nearly 8Gb of junk was also removed by FRST?