Hi, I am writing this on behalf of a family member who is less than familiar with computers, he accidentally downloaded a file from an advert and although I have removed as many as possible I am still getting an alert periodically from avast. I have done a scan with FRST as I see many with the problem have done so and will attach them to the post!
Reattach it. It didn't work.
OK, all 3 added! explorer.exe is from Process Explorer. Sorry about the time it's taking, trying to do this from the infected laptop.
We need the FRST.txt and Addition.txt logs from the Farbar tool.
OK, finally got them on there!
Let me know what problems you have after this
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
HKLM-x32\...\Run: [mbot_gb_254] => [X]
HKU\S-1-5-21-954825246-1213422827-220952455-1001\...\Run: [ZiwzUrte] => regsvr32.exe "C:\ProgramData\ZiwzUrte\ZiwzUrte.dat"
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
HKU\S-1-5-21-954825246-1213422827-220952455-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/?type=hp&ts=1417281020&from=tugs&uid=WDCXWD10JPVX-60JC3T0_WD-WXD1E63MVYU4MVYU4
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1417281020&from=tugs&uid=WDCXWD10JPVX-60JC3T0_WD-WXD1E63MVYU4MVYU4&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/?type=hp&ts=1417281020&from=tugs&uid=WDCXWD10JPVX-60JC3T0_WD-WXD1E63MVYU4MVYU4
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/?type=hp&ts=1417281020&from=tugs&uid=WDCXWD10JPVX-60JC3T0_WD-WXD1E63MVYU4MVYU4
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://isearch.omiga-plus.com/web/?type=ds&ts=1417281020&from=tugs&uid=WDCXWD10JPVX-60JC3T0_WD-WXD1E63MVYU4MVYU4&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1417281020&from=tugs&uid=WDCXWD10JPVX-60JC3T0_WD-WXD1E63MVYU4MVYU4&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://isearch.omiga-plus.com/?type=hp&ts=1417281020&from=tugs&uid=WDCXWD10JPVX-60JC3T0_WD-WXD1E63MVYU4MVYU4
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/?type=hp&ts=1417281020&from=tugs&uid=WDCXWD10JPVX-60JC3T0_WD-WXD1E63MVYU4MVYU4
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://isearch.omiga-plus.com/web/?type=ds&ts=1417281020&from=tugs&uid=WDCXWD10JPVX-60JC3T0_WD-WXD1E63MVYU4MVYU4&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe http://isearch.omiga-plus.com/?type=sc&ts=1417281020&from=tugs&uid=WDCXWD10JPVX-60JC3T0_WD-WXD1E63MVYU4MVYU4
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1417281020&from=tugs&uid=WDCXWD10JPVX-60JC3T0_WD-WXD1E63MVYU4MVYU4&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1417281020&from=tugs&uid=WDCXWD10JPVX-60JC3T0_WD-WXD1E63MVYU4MVYU4&q={searchTerms}
SearchScopes: HKLM -> {35C3A9A4-80D2-4247-B523-CDF95AD4453C} URL = http://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1417281020&from=tugs&uid=WDCXWD10JPVX-60JC3T0_WD-WXD1E63MVYU4MVYU4&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1417281020&from=tugs&uid=WDCXWD10JPVX-60JC3T0_WD-WXD1E63MVYU4MVYU4&q={searchTerms}
SearchScopes: HKLM-x32 -> {35C3A9A4-80D2-4247-B523-CDF95AD4453C} URL = http://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-954825246-1213422827-220952455-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://isearch.omiga-plus.com/web/?type=ds&ts=1417281020&from=tugs&uid=WDCXWD10JPVX-60JC3T0_WD-WXD1E63MVYU4MVYU4&q={searchTerms}
SearchScopes: HKU\S-1-5-21-954825246-1213422827-220952455-1001 -> {35C3A9A4-80D2-4247-B523-CDF95AD4453C} URL = http://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-954825246-1213422827-220952455-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/710-29550-11896-25/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
Toolbar: HKU\S-1-5-21-954825246-1213422827-220952455-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
S2 wcejvfgvem32; C:\Program Files\010\wcejvfgvem32.exe run options=00100010100000000000000000000000 source=EA329A14-CB5F-442F-80BE-93D3DD5B55A2 [X]
2014-12-01 16:55 - 2014-12-03 08:17 - 00000000 ___HD () C:\ProgramData\{9CAD18B2-FF9B-4CCA-8EE0-A4CDA3AD5F51}
2014-12-01 16:55 - 2014-12-01 16:56 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-11-29 17:30 - 2014-11-29 17:30 - 00000000 ____D () C:\ProgramData\2355320829
2014-11-29 17:15 - 2014-11-29 17:15 - 00000000 ____D () C:\Program Files (x86)\predm
2014-11-29 17:12 - 2014-11-29 17:12 - 00000000 ____D () C:\Users\jason\AppData\Local\com
2014-11-29 17:11 - 2014-12-02 22:30 - 00000000 ____D () C:\Program Files (x86)\SupTab
2014-11-29 17:11 - 2014-12-02 18:16 - 00000000 ____D () C:\ProgramData\IePluginServices
2014-11-29 17:11 - 2014-11-29 23:16 - 00000000 ____D () C:\Program Files (x86)\globalUpdate
2014-11-29 17:11 - 2014-11-29 17:29 - 00000000 ____D () C:\Program Files (x86)\EA329A14-CB5F-442F-80BE-93D3DD5B55A2
2014-11-29 17:11 - 2014-11-29 17:11 - 00000005 _____ () C:\end
2014-11-29 17:11 - 2014-11-29 17:11 - 00000000 ____D () C:\Users\jason\AppData\Local\globalUpdate
2014-11-29 17:10 - 2014-11-29 17:33 - 00000000 ____D () C:\ProgramData\WindowsMangerProtect
2014-11-29 17:09 - 2014-12-02 18:32 - 00000000 ____D () C:\Program Files\010
CustomCLSID: HKU\S-1-5-21-954825246-1213422827-220952455-1001_Classes\CLSID\{A9F56A45-9E88-4BA0-8B81-F7130C2C2C16}\InprocServer32 -> C:\ProgramData\{9CAD18B2-FF9B-4CCA-8EE0-A4CDA3AD5F51}\crypt32.dll (Microsoft Corporation)
C:\ProgramData\{9CAD18B2-FF9B-4CCA-8EE0-A4CDA3AD5F51}
Task: {1DA7B5A0-CC10-416A-8780-BD506E36C01D} - \CLMLSvc_P2G8 No Task File <==== ATTENTION
Task: {230378D8-2F55-45B9-A9DD-EC7241D79319} - \CreateChoiceProcessTask No Task File <==== ATTENTION
Task: {2477371E-F8BD-42B5-8755-EC9CB3D1FB8B} - \CLVDLauncher No Task File <==== ATTENTION
Task: {3F717584-F3DB-4E89-9493-D8BFEA66CDE9} - \Optimize Start Menu Cache Files-S-1-5-21-954825246-1213422827-220952455-1001 No Task File <==== ATTENTION
Task: {B661E4F9-3184-4370-8BDE-9BBA3D2BCD7F} - \MirageAgent No Task File <==== ATTENTION
Task: {CAD3F2ED-0001-4ED0-9324-009B16C875DC} - \Synaptics TouchPad Enhancements No Task File <==== ATTENTION
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.
THEN
Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on "Clean".
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
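An added example, not from this thread or from the FRST authors: a small Python triage script that applies the same heuristics the helper used when building the fixlist above (Run entries marked [X], regsvr32 loading a non-DLL from ProgramData, IE start/search pages and search scopes pointing at an unexpected host, services and scheduled tasks whose files are missing) to FRST-style log lines. The sample log lines are constructed from entries in the fix; the AvastUI line and the allowlist of expected search hosts are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed FRST-style log lines, modelled on the entries in the fix above.
# The AvastUI line is a made-up benign control, not taken from the real logs.
SAMPLE_LOG = r"""
HKU\S-1-5-21-954825246-1213422827-220952455-1001\...\Run: [ZiwzUrte] => regsvr32.exe "C:\ProgramData\ZiwzUrte\ZiwzUrte.dat"
HKLM-x32\...\Run: [mbot_gb_254] => [X]
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://isearch.omiga-plus.com/?type=hp&from=tugs
SearchScopes: HKLM -> {35C3A9A4-80D2-4247-B523-CDF95AD4453C} URL = http://www.amazon.co.uk/s/?field-keywords={searchTerms}
S2 wcejvfgvem32; C:\Program Files\010\wcejvfgvem32.exe run options=0010 [X]
Task: {1DA7B5A0-CC10-416A-8780-BD506E36C01D} - \CLMLSvc_P2G8 No Task File <==== ATTENTION
HKLM\...\Run: [AvastUI] => C:\Program Files\AVAST Software\Avast\AvastUI.exe
"""

# Assumed allowlist: hosts a home page or search scope may legitimately point at.
EXPECTED_HOSTS = {"www.google.com", "www.bing.com", "www.amazon.co.uk",
                  "rover.ebay.com", "uk.search.yahoo.com"}

IE_MAIN_VALUES = "Start Page|Search Page|Default_Page_URL|Default_Search_URL"
URL_RE = re.compile(r"(?:Main,(?:%s)|^SearchScopes:.*\bURL) = (\S+)" % IE_MAIN_VALUES)
RUN_RE = re.compile(r"\\Run: \[[^\]]+\] => (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^[RS]\d ")  # FRST service/driver lines: "S2 name; path ..."


def triage(log_text):
    """Return (rule, line) pairs for FRST lines matching a hijack/orphan heuristic."""
    hits = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        m = URL_RE.search(line)
        if m:  # IE start/search page or search scope: check where it points
            host = urlparse(m.group(1)).hostname or ""
            if host not in EXPECTED_HOSTS:
                hits.append(("unexpected-search-host:" + host, line))
            continue
        m = RUN_RE.search(line)
        if m:  # autorun entry
            cmd = m.group("cmd")
            if cmd == "[X]":  # [X] is FRST's mark for an entry whose file was not found
                hits.append(("orphaned-run-entry", line))
            elif "regsvr32" in cmd.lower() and not cmd.lower().rstrip('" ').endswith(".dll"):
                hits.append(("regsvr32-non-dll", line))  # COM server hidden in a .dat file
            continue
        if SERVICE_RE.match(line) and line.endswith("[X]"):
            hits.append(("service-file-missing", line))
        elif line.startswith("Task:") and "No Task File" in line:
            hits.append(("task-file-missing", line))
    return hits
```

Flagged lines are candidates for review, not an automatic fixlist; each still needs the judgement the helper applied above.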
Followed all instructions thus far, no notifications from Avast to speak of yet. Thanks for the quick replies, guys! Hopefully that has sorted it; here are the logs.
Ooops I missed a folder
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open notepad and copy/paste the text in the quotebox below into it:
C:\ProgramData\ZiwzUrte
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated; please post that.