I’m trying to fix a computer that keeps getting Avast pop-ups about an infection, URL:Mal. I am attaching the files from FRST.
Await instruction.
Hi cllundberg,
My name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:
- Please do not create any new threads on this while we are working on your system as it wastes another volunteer’s time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
- Please do not install any new software while we are working on this system as it may hinder our process.
- Malware removal is a complicated process so don’t stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
- Please do not try to fix anything without being asked.
- Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
- Please print or save the instructions I give you for quick reference. We may be using Safe mode which will cut you off from internet and you will not always be able to access this thread.
- Back up your data. I will not knowingly suggest any course that might damage your system, but sometimes malware infections are so severe that the only option we have is to re-format and re-install the operating system.
- If you are confused about any instruction, stop and ask. Do not keep on going.
- Do not repeat the steps if you face any problems.
- I am not omniscient. There are things even I cannot foresee, but what I know took years to learn and perfect. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
- Private Message (PM) me if and only if I have not responded to your thread within three days or your query is off-topic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
- The fixes are for your system only. Please refrain from using these fixes on other systems as it may do serious damage.
One or more of the identified infections is a rootkit.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the rootkit has been identified and can be killed, because of how it exploits your system, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this rootkit, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
We can attempt to clean this machine but I can’t guarantee that it will be 100% secure afterwards.
- Step #1 Uninstall Programs
I want you to uninstall the program(s) listed below due to the poor reputation we have received about them. To uninstall a program, go to Start > Control Panel > Uninstall a program or Start > Control Panel > Programs and Features. Wait for the list to fill up, double-click on the items I have listed below and follow the on-screen instructions to remove/uninstall them.
- VideoDownloadConverter Internet Explorer Toolbar
- Step #2 Fix with FRST
Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
- Open Notepad.exe. Do not use any other text editor software;
- Copy and paste the contents inside the code-box into your Notepad:
Start
Closeprocesses:
Emptytemp:
CustomCLSID: HKU\S-1-5-21-3857223159-2296464782-1543555500-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
AlternateDataStreams: C:\ProgramData\Temp:054203E4
AlternateDataStreams: C:\ProgramData\Temp:430C6D84
AlternateDataStreams: C:\ProgramData\Temp:DFC5A2B2
AVG 2013 (Version: 13.0.2904 - AVG Technologies) Hidden
AVG 2013 (Version: 13.0.3222 - AVG Technologies) Hidden
HKLM\...\Run: [memtv] => ",SEEK
HKLM\...\Run: [VideoDownloadConverter Home Page Guard 64 bit] => C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\AppIntegrator64.exe [485448 2014-02-28] ( )
C:\Program Files (x86)\VideoDownloadConverter_4z
HKLM-x32\...\Run: [VideoDownloadConverter Search Scope Monitor] => C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zSrchMn.exe [55368 2014-02-28] (Mindspark)
HKLM-x32\...\Run: [VideoDownloadConverter_4z Browser Plugin Loader] => C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zbrmon.exe [61512 2014-02-28] (VER_COMPANY_NAME)
HKLM-x32\...\Run: [VideoDownloadConverter_4z Browser Plugin Loader 64] => C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zbrmon64.exe [71752 2014-02-28] (VER_COMPANY_NAME)
HKLM Group Policy restriction on software: C:\Program Files (x86)\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\AVAST Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\AVG <====== ATTENTION
HKU\S-1-5-21-3857223159-2296464782-1543555500-1001\...\Run: [RizovUvinu] => regsvr32.exe "C:\ProgramData\RizovUvinu\RizovUvinu.dat"
HKU\S-1-5-21-3857223159-2296464782-1543555500-1001\...\Run: [EodamDukfa] => regsvr32.exe "C:\ProgramData\EodamDukfa\EodamDukfa.dat"
C:\ProgramData\RizovUvinu
C:\ProgramData\EodamDukfa\
HKU\S-1-5-21-3857223159-2296464782-1543555500-1001\...\Run: [0d04fd] => C:\0d04fd5\0d04fd5.exe [274500 2014-11-11] ( )
HKU\S-1-5-21-3857223159-2296464782-1543555500-1001\...\RunOnce: [*d04fd] => C:\0d04fd5\0d04fd5.exe [274500 2014-11-11] ( )
HKU\S-1-5-21-3857223159-2296464782-1543555500-1001\...\RunOnce: [*d04fd5] => C:\Users\Carl Hoard II\AppData\Roaming\0d04fd5.exe
C:\0d04fd5
C:\Users\Carl Hoard II\AppData\Roaming\0d04fd5.exe
HKU\S-1-5-21-3857223159-2296464782-1543555500-1001\...\Policies\Explorer\Run: [LogiShrd] => C:\Users\Carl Hoard II\AppData\Roaming\B20BF7.exe
HKU\S-1-5-21-3857223159-2296464782-1543555500-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
C:\Users\Carl Hoard II\AppData\Roaming\B20BF7.exe
Startup: C:\Users\Carl Hoard II\Start Menu\Programs\Startup\0d04fd5.exe ( )
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iwindsurf.com/myWeather.iws?home&
URLSearchHook: HKCU - (No Name) - {93a3111f-4f74-4ed8-895e-d9708497629e} - C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zSrcAs.dll (Mindspark)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKCU - {88FB16D2-04EA-4ffe-8079-CFF68F1B9CE6} URL = http://www.search-results.com/web?q={searchTerms}&o=15868&l=dis&prt=BDIE&chn=retail&geo=US&ver=4.0.0.1884
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://mysearch.avg.com/search?cid={1A982503-33DD-4265-A0BA-DEB6A6212748}&mid=28791e66dc8147d3bf8a19d59abd8b95-f1e09d3cc8c910078b0f23a176f709a0d4709f29&lang=&ds=&coid=&cmpid=&pr=&d=&v=18.0.0.248&pid=safeguard&sg=&sap=dsp&q={searchTerms}
FF DefaultSearchEngine: Search Defender
FF SelectedSearchEngine: Search Defender
FF Plugin-x32: @VideoDownloadConverter_4z.com/Plugin -> C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\NP4zStub.dll (Mindspark)
FF Plugin-x32: @VideoDownloadConverter_ScriptHelper.com/Plugin -> C:\Program Files (x86)\VideoDownloadConverter\npVDCPlugin.dll (Mindspark)
2014-11-11 10:22 - 2014-11-11 10:22 - 00008512 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-11-11 10:22 - 2014-11-11 10:22 - 00004196 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-11-11 10:10 - 2014-11-11 10:10 - 00000000 ___HD () C:\0d04fd5
2014-11-10 11:36 - 2014-11-10 11:36 - 00000000 ____D () C:\ProgramData\EodamDukfa
2014-11-10 11:35 - 2014-11-10 11:35 - 00000000 ____D () C:\ProgramData\RizovUvinu
ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3857223159-2296464782-1543555500-1001\$0bd9f423f93b900d49170e838e09ec05
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$0bd9f423f93b900d49170e838e09ec05
C:\$Recycle.Bin\
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
Folder: C:\Users\Carl Hoard II\AppData\Roaming\麽鎒駓覜
End
- Click on File > Save as...
  - Inside the File Name box type fixlist.txt
  - From the Save as type drop-down list, choose All Files
- Save the file to your Desktop;
- Re-run FRST.exe and click Fix;
- Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
- After the completion, a log will be produced;
- Attach the log in your next reply.
- Step #3 Scan with RogueKiller
- Download Rogue Killer from one of the suitable links below to your Desktop.
  - Download link for 32 bit system
  - Download link for 64 bit system
- Click on Scan;
- The scan won’t take long;
- Click on Report to open the log.
- Attach the log in your next reply.

Required Log(s):
- FRST Fix Log
- RogueKiller Report
Regards,
Valinorum
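The fixlist above is a hand-picked set of FRST lines, each of which trips a recognisable indicator class: the CLSID LocalServer32 running rundll32 with a javascript: URL (the Poweliks pattern), alternate data streams under ProgramData, software-restriction policies aimed at AV install folders, regsvr32 loading a ".dat" from ProgramData, autoruns pointing into AppData\Roaming or a hex-named root folder, the $Recycle.Bin\<SID>\$<32 hex> ZeroAccess folder, and ransom notes. The script below is an added illustration, not part of this thread and not FRST's own code: it encodes those classes as regex rules and runs them over FRST-style lines. The rule names and regexes are my own assumptions about what makes each line suspicious; the sample lines are copied from the fixlist above (the Poweliks payload is shortened), plus one adware-toolbar line that is kept deliberately unmatched to show the rules do not fire on every Run entry.

```python
"""Flag the indicator classes seen in an FRST fixlist or log.

Added illustration, not FRST's code. Rule labels and patterns are assumptions
about what makes a line worth a closer look; they are not FRST syntax.
"""
import re

# (label, pattern) pairs matched against single FRST output lines.
RULES = [
    # Fileless COM hijack: a CLSID LocalServer32 running rundll32 with a javascript: URL.
    ("poweliks_clsid",
     re.compile(r"localserver32.*rundll32\.exe\s+javascript:", re.I)),
    # Alternate data streams attached to something under ProgramData (payload storage).
    ("ads_programdata",
     re.compile(r"^AlternateDataStreams:\s*C:\\ProgramData\\", re.I)),
    # Software restriction policy aimed at a security product's install folder.
    ("gpo_blocks_av",
     re.compile(r"Group Policy restriction on software:.*\\(AVG|AVAST Software|McAfee)", re.I)),
    # Run value loading a ".dat" from ProgramData through regsvr32 (a DLL disguised as data).
    ("regsvr32_dat",
     re.compile(r"\\Run:.*regsvr32\.exe\s+\"[^\"]+\.dat\"", re.I)),
    # Run/RunOnce/Startup target in AppData\Roaming or in a hex-named root-level folder.
    ("autorun_user_writable",
     re.compile(r"(Run|RunOnce|Startup):.*(\\AppData\\Roaming\\[^\\]+\.exe|C:\\[0-9a-f]{5,}\\[0-9a-f]{5,}\.exe)", re.I)),
    # Run value whose target is neither a drive path, a known loader, nor a bare .exe name.
    ("run_target_not_a_path",
     re.compile(r"\\Run: \[[^\]]*\] => (?!\"?[A-Za-z]:\\)(?!regsvr32|rundll32|[A-Za-z0-9_.-]+\.exe)", re.I)),
    # ZeroAccess-style hidden folder: $Recycle.Bin\<SID>\$<32 hex chars>.
    ("zeroaccess_recyclebin",
     re.compile(r"\\\$Recycle\.Bin\\S-1-5-\d+(-\d+)*\\\$[0-9a-f]{32}", re.I)),
    # Ransom note dropped next to encrypted files.
    ("ransom_note",
     re.compile(r"DECRYPT_INSTRUCTION\.(TXT|HTML)", re.I)),
]


def triage(lines):
    """Return [(label, line), ...] for every non-empty line that trips at least one rule."""
    hits = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for label, pattern in RULES:
            if pattern.search(line):
                hits.append((label, line))
    return hits


def summarize(hits):
    """Count hits per label so a long log can be skimmed by indicator class."""
    counts = {}
    for label, _ in hits:
        counts[label] = counts.get(label, 0) + 1
    return counts


# Sample input: lines copied from the fixlist in the post above. The Poweliks
# javascript payload is shortened to "eval(...)"; the last line is the Mindspark
# toolbar autorun, included as a line these rules should NOT flag.
SAMPLE_FRST_LINES = [
    r'CustomCLSID: HKU\S-1-5-21-3857223159-2296464782-1543555500-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval(...)',
    r'AlternateDataStreams: C:\ProgramData\Temp:054203E4',
    r'HKLM\...\Run: [memtv] => ",SEEK',
    r'HKLM Group Policy restriction on software: C:\Program Files\AVAST Software <====== ATTENTION',
    r'HKU\S-1-5-21-3857223159-2296464782-1543555500-1001\...\Run: [RizovUvinu] => regsvr32.exe "C:\ProgramData\RizovUvinu\RizovUvinu.dat"',
    r'HKU\S-1-5-21-3857223159-2296464782-1543555500-1001\...\Run: [0d04fd] => C:\0d04fd5\0d04fd5.exe [274500 2014-11-11] ( )',
    r'HKU\S-1-5-21-3857223159-2296464782-1543555500-1001\...\RunOnce: [*d04fd5] => C:\Users\Carl Hoard II\AppData\Roaming\0d04fd5.exe',
    r'C:\$Recycle.Bin\S-1-5-18\$0bd9f423f93b900d49170e838e09ec05',
    r'2014-11-11 10:22 - 2014-11-11 10:22 - 00008512 _____ () C:\ProgramData\DECRYPT_INSTRUCTION.HTML',
    r'HKLM-x32\...\Run: [VideoDownloadConverter Search Scope Monitor] => C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zSrchMn.exe [55368 2014-02-28] (Mindspark)',
]


if __name__ == "__main__":
    found = triage(SAMPLE_FRST_LINES)
    for label, line in found:
        print(f"{label:24} {line[:90]}")
    print(summarize(found))
```

To run it over a real FRST.txt or Addition.txt, pass the file's lines to triage() instead of the sample list. The rules are intentionally narrow: the Mindspark toolbar line is left to the uninstall step rather than flagged, because a Run entry under Program Files with a vendor name is not by itself evidence of compromise, whereas a javascript: LocalServer32, a .dat loaded via regsvr32, or a policy blocking the AV folder is.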
Done.
Here are the files you requested. Sorry I put "done" in my last post, but I just meant I was done doing what you asked. Sorry if I am causing more work.
How is your PC performing?