Anytime I do a search on google or yahoo avast warns of a malicious URL, http://13.ppcclickfeed.com/
It just started today, and I haven’t done anything I can think of. Any ideas?
Hi,
Follow this guide for running (AdwCleaner), Malwarebytes, OTL and aswMBR log reports.
http://forum.avast.com/index.php?topic=53253.0
Attach the log reports here.
Thanks, will do. It seemed weird, I couldn’t find any reference to it.
Detecting malware can be a tricky thing.
Especially the detection of rootkits, because some of them may live outside of the Windows operating system.
When and if you attach logs, I will be able to analyze them and tell you a little more.
hi lucasbuck,
Please modify the live http link in your first post to hXXp: to avoid infecting new or unsuspecting users.
Doing so will make your link non-clickable.
http://zulu.zscaler.com/submission/show/f46040f77c57bc7d619757d96a28ed8c-1347618990
http://www.urlvoid.com/scan/13.ppcclickfeed.com/
http://urlquery.net/report.php?id=178756
http://sitecheck.sucuri.net/results/13.ppcclickfeed.com/ Sucuri is reporting a pay-per-click scheme under the Website Details tab/“List of links found” dropdown.
If it helps, it happens running either IE or Firefox (the warning about the ppc site). I did do an Avast boot time scan, and it didn’t find anything. Thanks again for the help.
Other logs
Step#1
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
IE - HKU\S-1-5-21-3280474366-2115025290-3991797552-1001\..\SearchScopes\{B1E06153-F21B-44AD-A2D5-EF9B3509A0FD}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=NCH2&o=APN10111&src=kw&q={searchTerms}&locale=&apn_ptnrs=^A5M&apn_dtid=^YYYYYY^YY^US&apn_uid=4024961c-6880-4a57-b22c-ff0138b97e6b&apn_sauid=0A61987A-D1B9-4325-931E-6FC4CB860023
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.startup.homepage: "http://www.ask.com/?l=dis&o=APN10111&gct=hp"
[2012/06/17 09:34:22 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 6647546855.tpmpp
[2012/06/17 09:34:10 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 3294293522.tpmpp
[2012/06/17 09:34:02 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 2183182411.tpmpp
[2012/06/15 22:10:11 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 2182181399.tpmpp
[2012/06/15 22:09:22 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 7758757966.tpmpp
[2012/06/15 22:07:40 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 4325324633.tpmpp
[2012/06/15 22:06:16 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 7426435744.tpmpp
[2012/06/11 11:37:47 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 2183192411.tpmpp
[2012/06/11 11:37:01 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 4294213522.tpmpp
[2012/06/11 10:02:57 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 7648647855.tpmpp
[2012/06/11 10:02:17 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 3861879288.tpmpp
[2012/06/11 09:16:26 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 6769768177.tpmpp
[2012/06/11 01:49:42 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 6972971288.tpmpp
@Alternate Data Stream - 196 bytes -> C:\ProgramData\TEMP:8E5EA40F
@Alternate Data Stream - 181 bytes -> C:\ProgramData\TEMP:1A15E356
@Alternate Data Stream - 131 bytes -> C:\ProgramData\TEMP:260575F1
@Alternate Data Stream - 1197 bytes -> C:\Users\User\AppData\Local\Temp:GQEvRFmplgbTdm5ko0GgrN
:files
C:\Users\User\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖרÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
ipconfig /flushdns /c
:commands
[CREATERESTOREPOINT]
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
Step#2
Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.
How to disable avast:
[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.
When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach the log report (ComboFix.txt) back to the topic.
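As an added, read-only triage example (not from this thread and not part of OTL or ComboFix), the PowerShell below checks the same three kinds of indicators that the OTL fix above targets on this machine: the IE SearchScopes URL, alternate data streams attached to the TEMP directories, and oddly named items (non-ASCII folder names, `.tpmpp` files) in AppData\Local. The search-engine allowlist and the paths are assumptions; nothing is deleted.

```powershell
# Added triage example (not from the thread): read-only checks for the indicators
# listed in the OTL fix above. Assumes Windows PowerShell 3.0+ (Get-Item -Stream)
# and the usual $env:ProgramData / $env:LOCALAPPDATA locations.

$findings = @()

# 1. Search provider hijack: every IE SearchScopes URL for the current user.
#    The allowlist below is an assumption; anything else (e.g. websearch.ask.com) is reported.
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
if (Test-Path $scopes) {
    Get-ChildItem $scopes | ForEach-Object {
        $url = (Get-ItemProperty $_.PSPath).URL
        if ($url -and $url -notmatch '^https?://(www\.)?(bing|google)\.com/') {
            $findings += "SearchScope $($_.PSChildName) -> $url"
        }
    }
}

# 2. Alternate data streams attached to the directories OTL flagged
#    (C:\ProgramData\TEMP:<id> and AppData\Local\Temp:<id> in the log).
foreach ($dir in "$env:ProgramData\TEMP", "$env:LOCALAPPDATA\Temp") {
    if (Test-Path -LiteralPath $dir) {
        Get-Item -LiteralPath $dir -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object { $findings += "ADS ${dir}:$($_.Stream) ($($_.Length) bytes)" }
    }
}

# 3. Non-ASCII names and the 'tmp. & NNNN.tpmpp' droppings in AppData\Local.
Get-ChildItem -LiteralPath $env:LOCALAPPDATA -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '[^\x20-\x7E]' -or $_.Name -like '*.tpmpp' } |
    ForEach-Object { $findings += "Odd name: $($_.FullName)" }

if ($findings) { $findings } else { 'No indicators found.' }
```

Run it in a normal (non-elevated) session for the affected user, since the SearchScopes key is per user; compare its output with the OTL log before and after the fix.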
Okay, for the record neither program initiated a restart. I wasn’t sure if that was okay.
What’s the ¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈ… file? I notice it didn’t get removed or anything.
That folder should be gone by now…
Download TDSSKiller and save it to your desktop
Execute TDSSKiller.exe by double-clicking on it.
[*] Press Start Scan
[*] If a suspicious object is detected, the default action will be Skip; click on Continue.
[*] If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt
Please post the contents of that log in your next reply.
Open notepad and copy/paste the text present inside the code box below:
ClearJavaCache::
Firefox::
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\j8loigon.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?l=dis&o=APN10111&gct=hp
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
TDS didn’t find anything. Here are my logs, and thanks for bearing with me!
Open notepad and copy/paste the text present inside the code box below:
DeQuarantine::
C:\Qoobox\Quarantine\c\windows\SysWow64\drivers\hwinterface.sys.vir
Quit::
Save this as CFScript.txt
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows and, referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:processes
killallprocesses
:files
c:\windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP
:Commands
[Reboot]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
How’s your computer running now?
Combo just made a file called Dequarantine, I posted it and the OTL file. If it means anything, neither program rebooted the computer. I did do it manually when finished, and still have the warning when going to a search site.
ComboFix quarantine is OK.
About OTL: you should press Run Fix, not Run Scan!
Again, run the OTL fix. Follow my guide carefully.
Re-run OTL.exe.
[*]Copy and paste all of the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
IE - HKU\S-1-5-21-3280474366-2115025290-3991797552-1001\..\SearchScopes\{B1E06153-F21B-44AD-A2D5-EF9B3509A0FD}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=NCH2&o=APN10111&src=kw&q={searchTerms}&locale=&apn_ptnrs=^A5M&apn_dtid=^YYYYYY^YY^US&apn_uid=4024961c-6880-4a57-b22c-ff0138b97e6b&apn_sauid=0A61987A-D1B9-4325-931E-6FC4CB860023
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - user.js - File not found
[2012/07/08 11:56:24 | 000,002,343 | ---- | M] () -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\j8loigon.default\searchplugins\askcom.xml
[2012/09/14 22:02:14 | 000,000,000 | ---- | M] () -- C:\Users\User\AppData\Local\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖרÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
[2012/06/17 09:34:22 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 6647546855.tpmpp
[2012/06/17 09:34:10 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 3294293522.tpmpp
[2012/06/17 09:34:02 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 2183182411.tpmpp
[2012/06/15 22:10:11 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 2182181399.tpmpp
[2012/06/15 22:09:22 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 7758757966.tpmpp
[2012/06/15 22:07:40 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 4325324633.tpmpp
[2012/06/15 22:06:16 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 7426435744.tpmpp
[2012/06/11 11:37:47 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 2183192411.tpmpp
[2012/06/11 11:37:01 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 4294213522.tpmpp
[2012/06/11 10:02:57 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 7648647855.tpmpp
[2012/06/11 10:02:17 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 3861879288.tpmpp
[2012/06/11 09:16:26 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 6769768177.tpmpp
[2012/06/11 01:49:42 | 000,000,051 | ---- | C] () -- C:\Users\User\AppData\Local\tmp. & 6972971288.tpmpp
@Alternate Data Stream - 1197 bytes -> C:\Users\User\AppData\Local\Temp:GQEvRFmplgbTdm5ko0GgrN
:files
c:\windows\E10DB5DAE57640EAA7FC1CB2A7B283A6.TMP
:commands
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
That was totally my fault. I reran, but still have the problem. Should I go and do the others you posted, but do runfix?
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
FF - prefs.js..extensions.enabledAddons: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:2.0.7
FF - prefs.js..extensions.enabledAddons: {BE264805-FC7E-11E1-8270-B8AC6F996F26}:2.0.14
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\mine\Program Files (x86)\Mozilla Firefox\components [2012/09/06 23:44:55 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{BE264805-FC7E-11E1-8270-B8AC6F996F26}: C:\Users\User\AppData\Local\{BE264805-FC7E-11E1-8270-B8AC6F996F26}\ [2012/09/11 22:08:38 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\mine\Program Files (x86)\Mozilla Firefox\components [2012/09/06 23:44:55 | 000,000,000 | ---D | M]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
Re-run OTL, click on Quick Scan and attach a fresh OTL.txt log report here.
Here you go. I noticed it was focusing on Firefox. It’s happening in IE too, but didn’t know if that made a difference. Just throwing that out there.
Go to the C:\Qoobox folder and attach ComboFix-quarantined-files.txt here.
C:\Qoobox\ComboFix-quarantined-files.txt
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
File not found (No name found) -- C:\USERS\USER\APPDATA\LOCAL\{BE264805-FC7E-11E1-8270-B8AC6F996F26}
:files
C:\USERS\USER\APPDATA\LOCAL\{BE264805-FC7E-11E1-8270-B8AC6F996F26}
dir /s /a "C:\symbols" /c
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered.
When it is done it will open Notepad with a log report. Copy-paste or attach that log report here.
Note: If the log report does not show, go to C:\_OTL\MovedFiles and attach the log reports with the latest date.
Example: 15092012_Time
Do you still have pop ups?
Here you go. No popups. Out of curiosity, ever seen this before? I thought it was weird I couldn’t find any info about that popping up on a search. Any idea what it comes from (download, visiting site, etc.)?
There are many similar symptoms, but for me it is only necessary to find the source of the problem.
Your source is something new but not surprising (there is a lot of malware using the same method), but it cannot hide from me. ;D
Any idea what it comes from (download, visiting site, etc.)?
I would not know.
No popups.
Nice.
It is necessary to uninstall ComboFix:
[*] Click Start (or the Vista Start button), then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
[*] In the line of text type in (Copy) the following:
ComboFix /Uninstall
Note that there is a space between "ComboFix" and "/Uninstall".
[*] Then click OK (or press Enter).
Wait for the uninstall process to complete.
You can delete the used tools.
Keep OTL for now, keep monitoring your system, and let me know tomorrow how it is running.