Infection URL: MAL

Hello,

I’m having an issue with my Surface Pro 3. Any time I start up the device, upon boot-up, Avast is telling me “Infection Blocked” with a URL that changes every time I start up. It also tells me Infection URL: MAL and Process: C:\Windows\System32\svchost.exe.

I went through one of the pinned topics on this page to get the required information that you guys require to fix these types of problems. Hopefully I did everything correctly!

Any and all help is appreciated, because this is annoying the heck out of me!

Also, here’s the pop-up I’m receiving. Again, the URL changes.

While you are waiting for the qualified removal expert to appear and check out your logs:
You were most likely the victim of Adware.Zusy; it comes in most cases bundled or blended with some software you have downloaded.
I think they will perform a “zoek” and “DelFix” on your computer, but be patient and follow the malware remover’s advice to the dot.
You should wait until to-morrow, because at the moment the removers have “gone to the Swan mountains”, so to say (that is, they are asleep).

polonus

Rather than start a new thread, I too am getting the same problem on reawakening (i.e. not browser specific),…

…BUT I have more than one site come up (but not simultaneously). The other website is ‘epictory’, not ‘reduled’, and the rest of the warning is precisely as in the screenshot above.

I’ve googled both (epictory and reduled) and it seems nobody is sure if they’re bad or not; however, they do seem to be sneaking past my firewall. Local searches don’t seem to be able to find them on my PC.

That is exactly what you have to do … as we need the logs from your computer if you want help.

Hi there, let me know if this stops the alerts

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
2015-01-17 18:44 - 2015-01-17 18:44 - 00000000 __SHD () C:\Users\Jordan\AppData\Local\EmieUserList
2015-01-17 18:44 - 2015-01-17 18:44 - 00000000 __SHD () C:\Users\Jordan\AppData\Local\EmieSiteList
2015-01-17 18:44 - 2015-01-17 18:44 - 00000000 __SHD () C:\Users\Jordan\AppData\Local\EmieBrowserModeList
2014-12-28 16:00 - 2014-12-28 16:00 - 00000000 ____D () C:\Program Files\File Association Helper
2014-08-13 20:06 - 2014-08-13 20:06 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
C:\Users\Jordan\jagex_cl_oldschool_LIVE.dat
C:\Users\Jordan\random.dat
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

AdwCleaner v4.108 - Report created 18/01/2015 at 09:50:34

Updated 17/01/2015 by Xplode

Database : 2015-01-13.2 [Live]

Operating System : Windows 8.1 Pro (64 bits)

Username : Jordan - JORDANSTABLET

Running from : C:\Users\Jordan\Downloads\AdwCleaner.exe

Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Jordan\AppData\Roaming\Gameo
Folder Deleted : C:\Users\Jordan\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck

***** [ Scheduled Tasks ] *****

Task Deleted : gameo_update

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\gameo
Key Deleted : HKCU\Software\AppDataLow{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE{6791A2F3-FC80-475C-A002-C014AF797E9C}

***** [ Browsers ] *****

-\ Internet Explorer v11.0.9600.17416

-\ Google Chrome v39.0.2171.99

[C:\Users\Jordan\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Jordan\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}


AdwCleaner[R0].txt - [1829 octets] - [18/01/2015 09:49:02]
AdwCleaner[S0].txt - [1690 octets] - [18/01/2015 09:50:34]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1750 octets] ##########

Here’s my log. I am no longer receiving any alerts from Avast. Thank you all so much for all of your help, it is truly appreciated as I would not have been able to do any of this!
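The AdwCleaner report above has a regular line format (a preamble of "Key : Value" lines, "***** [ Section ] *****" headers, and one "Kind Action : item" line per removed object), which makes it easy to turn into structured data when you keep cleanup records for more than one machine. The following is an added example, not AdwCleaner's own code nor anything posted in this thread; the sample report is an excerpt of the log above embedded so the parser runs offline, and the regular expressions are my own reading of that format rather than a published specification.

```python
import re
from collections import Counter

# Excerpt of the AdwCleaner[S0] report posted in the thread, embedded here
# (constructed sample input) so the parser runs without the original file.
SAMPLE_REPORT = r"""
AdwCleaner v4.108 - Report created 18/01/2015 at 09:50:34
Updated 17/01/2015 by Xplode
Database : 2015-01-13.2 [Live]
Operating System : Windows 8.1 Pro (64 bits)
Username : Jordan - JORDANSTABLET
Running from : C:\Users\Jordan\Downloads\AdwCleaner.exe
Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Jordan\AppData\Roaming\Gameo
Folder Deleted : C:\Users\Jordan\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck

***** [ Scheduled Tasks ] *****

Task Deleted : gameo_update

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\gameo

***** [ Browsers ] *****

-\ Internet Explorer v11.0.9600.17416

-\ Google Chrome v39.0.2171.99

[C:\Users\Jordan\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Jordan\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1750 octets] ##########
"""

# Patterns are an assumption derived from the report above, not an official spec.
TITLE_RE = re.compile(r"^AdwCleaner v(?P<version>\S+) - Report created (?P<created>.+)$")
HEADER_RE = re.compile(r"^(?P<key>[^:]+?) : (?P<value>.+)$")
SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>[^\]]+) \] \*{5}$")
# "Folder Deleted : <path>", "Task Deleted : <name>", "Key Deleted : <key>", ...
ACTION_RE = re.compile(r"^(?P<kind>Folder|File|Task|Key|Value|Service) (?P<action>Deleted|Found|Restored) : (?P<item>.+)$")
# "[<profile store>] - Deleted [Search Provider] : <url>"
BROWSER_RE = re.compile(r"^\[(?P<store>[^\]]+)\] - (?P<action>Deleted|Found) \[(?P<kind>[^\]]+)\] : (?P<item>.+)$")
EXTENSION_ID_RE = re.compile(r"\b[a-p]{32}\b")          # Chrome extension ids: 32 chars, a-p only
DEFANGED_HOST_RE = re.compile(r"^hxxps?://(?P<host>[^/?]+)", re.IGNORECASE)


def parse_report(text):
    """Return (header, findings). header maps preamble keys to values;
    findings is a list of dicts with keys section, kind, action, item."""
    header, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##########"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section is None:                       # still in the preamble
            m = TITLE_RE.match(line)
            if m:
                header.update(m.groupdict())
                continue
            m = HEADER_RE.match(line)
            if m:
                header[m.group("key")] = m.group("value")
            continue
        m = ACTION_RE.match(line) or BROWSER_RE.match(line)
        if m:
            findings.append({"section": section, "kind": m.group("kind"),
                             "action": m.group("action"), "item": m.group("item")})
    return header, findings


def counts_by_section(findings):
    """Number of removed objects per section, for a one-line cleanup summary."""
    return dict(Counter(f["section"] for f in findings))


def chrome_extension_ids(findings):
    """Extension ids seen anywhere in the findings (extension folders, registry keys)."""
    ids = set()
    for f in findings:
        ids.update(EXTENSION_ID_RE.findall(f["item"]))
    return ids


def search_provider_hosts(findings):
    """Hosts of the replaced search providers, read from the defanged (hxxp) URLs as logged."""
    hosts = []
    for f in findings:
        if f["kind"] == "Search Provider":
            m = DEFANGED_HOST_RE.match(f["item"])
            if m:
                hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    hdr, found = parse_report(SAMPLE_REPORT)
    print(hdr["version"], hdr.get("Option"), counts_by_section(found))
    print(chrome_extension_ids(found), search_provider_hosts(found))
```

Grouping the findings this way shows at a glance that the same extension id appears both as a folder under the Chrome profile and as a key under HKLM\SOFTWARE\Google\Chrome\Extensions, i.e. the extension was force-installed by policy rather than by the user, which is the detail worth recording alongside the scheduled task.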

Attach the FRST fix log also …

Essexboy will remove the tools used when all is ok, so check back later

Whoops! Here’s the first log as well.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-01-2015
Ran by Jordan at 2015-01-18 09:44:49 Run:1
Running from C:\Users\Jordan\Downloads
Loaded Profiles: Jordan (Available profiles: Jordan)
Boot Mode: Normal

Content of fixlist:


CreateRestorePoint:
2015-01-17 18:44 - 2015-01-17 18:44 - 00000000 __SHD () C:\Users\Jordan\AppData\Local\EmieUserList
2015-01-17 18:44 - 2015-01-17 18:44 - 00000000 __SHD () C:\Users\Jordan\AppData\Local\EmieSiteList
2015-01-17 18:44 - 2015-01-17 18:44 - 00000000 __SHD () C:\Users\Jordan\AppData\Local\EmieBrowserModeList
2014-12-28 16:00 - 2014-12-28 16:00 - 00000000 ____D () C:\Program Files\File Association Helper
2014-08-13 20:06 - 2014-08-13 20:06 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
C:\Users\Jordan\jagex_cl_oldschool_LIVE.dat
C:\Users\Jordan\random.dat
EmptyTemp:
CMD: bitsadmin /reset /allusers


Restore point was successfully created.
C:\Users\Jordan\AppData\Local\EmieUserList => Moved successfully.
C:\Users\Jordan\AppData\Local\EmieSiteList => Moved successfully.
C:\Users\Jordan\AppData\Local\EmieBrowserModeList => Moved successfully.
C:\Program Files\File Association Helper => Moved successfully.
C:\ProgramData\DP45977C.lfl => Moved successfully.
C:\Users\Jordan\jagex_cl_oldschool_LIVE.dat => Moved successfully.
C:\Users\Jordan\random.dat => Moved successfully.

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to cancel {95084CA4-17B8-4466-B50D-6DA98D8F16FE}.
Unable to cancel {EE4113A2-3CA9-4FA2-9D1E-5D5FE3A446A7}.
{0B2FE671-41A1-4CD8-AA27-D82B0CB2567F} canceled.
1 out of 3 jobs canceled.

========= End of CMD: =========

EmptyTemp: => Removed 299.5 MB temporary data.

The system needed a reboot.

==== End of Fixlog 09:45:07 ====
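The fixlist procedure earlier in the thread (save the list as fixlist.txt beside FRST.exe, press Fix, post the Fixlog) and the Fixlog above fit together line for line: every path in the fixlist should come back as "=> Moved successfully", and the bitsadmin section reports which background transfer jobs the reset could and could not cancel. The following is an added example, not FRST's code or anything the helpers posted, that cross-checks the two. Both embedded texts are constructed from the fixlist and Fixlog in this thread, with one fixlist entry (random.dat) deliberately left out of the log so the check has something to report; the line patterns are my own reading of the FRST output.

```python
import re

# Constructed sample input: the thread's fixlist, shortened.
FIXLIST = r"""
CreateRestorePoint:
2015-01-17 18:44 - 2015-01-17 18:44 - 00000000 __SHD () C:\Users\Jordan\AppData\Local\EmieUserList
2015-01-17 18:44 - 2015-01-17 18:44 - 00000000 __SHD () C:\Users\Jordan\AppData\Local\EmieSiteList
2014-12-28 16:00 - 2014-12-28 16:00 - 00000000 ____D () C:\Program Files\File Association Helper
2014-08-13 20:06 - 2014-08-13 20:06 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
C:\Users\Jordan\random.dat
EmptyTemp:
CMD: bitsadmin /reset /allusers
"""

# Constructed sample input: the thread's Fixlog, shortened, with the
# random.dat result deliberately omitted so reconcile() flags it.
FIXLOG = r"""
Restore point was successfully created.
C:\Users\Jordan\AppData\Local\EmieUserList => Moved successfully.
C:\Users\Jordan\AppData\Local\EmieSiteList => Moved successfully.
C:\Program Files\File Association Helper => Moved successfully.
C:\ProgramData\DP45977C.lfl => Moved successfully.

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.7.9600 ]
Unable to cancel {95084CA4-17B8-4466-B50D-6DA98D8F16FE}.
Unable to cancel {EE4113A2-3CA9-4FA2-9D1E-5D5FE3A446A7}.
{0B2FE671-41A1-4CD8-AA27-D82B0CB2567F} canceled.
1 out of 3 jobs canceled.

========= End of CMD: =========

EmptyTemp: => Removed 299.5 MB temporary data.

The system needed a reboot.
"""

# Patterns are assumptions read off the FRST output above, not a published format.
# FRST listing line: "<created> - <modified> - <size> <attrs> () <path>"
LISTING_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ [_A-Z]+ \(\) (?P<path>.+)$")
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
MOVED_RE = re.compile(r"^(?P<path>.+?) => Moved successfully\.$")
BITS_FAIL_RE = re.compile(r"^Unable to cancel (?P<job>\{[0-9A-Fa-f-]+\})\.$")
BITS_OK_RE = re.compile(r"^(?P<job>\{[0-9A-Fa-f-]+\}) canceled\.$")
BITS_SUM_RE = re.compile(r"^(?P<done>\d+) out of (?P<total>\d+) jobs canceled\.$")
TEMP_RE = re.compile(r"^EmptyTemp: => Removed (?P<mb>[\d.]+) MB")


def fixlist_paths(text):
    """Paths the fixlist asked FRST to move: full listing lines and bare paths."""
    paths = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LISTING_RE.match(line)
        if m:
            paths.append(m.group("path"))
        elif BARE_PATH_RE.match(line):
            paths.append(line)
    return paths


def parse_fixlog(text):
    """Reduce a Fixlog to what actually happened on the machine."""
    result = {"restore_point": False, "moved": [], "bits_cancelled": [],
              "bits_failed": [], "bits_summary": None, "temp_mb": None, "reboot": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Restore point was successfully created.":
            result["restore_point"] = True
        elif line == "The system needed a reboot.":
            result["reboot"] = True
        elif (m := MOVED_RE.match(line)):
            result["moved"].append(m.group("path"))
        elif (m := BITS_FAIL_RE.match(line)):
            result["bits_failed"].append(m.group("job"))
        elif (m := BITS_OK_RE.match(line)):
            result["bits_cancelled"].append(m.group("job"))
        elif (m := BITS_SUM_RE.match(line)):
            result["bits_summary"] = (int(m.group("done")), int(m.group("total")))
        elif (m := TEMP_RE.match(line)):
            result["temp_mb"] = float(m.group("mb"))
    return result


def reconcile(fixlist_text, fixlog_text):
    """What still needs a look after a Fix run: requested paths with no
    'Moved successfully' line, and BITS jobs the reset could not cancel
    (those are still queued on the box after the reboot)."""
    log = parse_fixlog(fixlog_text)
    moved = set(log["moved"])
    return {"missing": [p for p in fixlist_paths(fixlist_text) if p not in moved],
            "bits_not_cancelled": list(log["bits_failed"]),
            "restore_point": log["restore_point"]}


if __name__ == "__main__":
    print(reconcile(FIXLIST, FIXLOG))
```

In the real log above the reset cancelled only one of three BITS jobs, so the two it could not cancel are still queued on the tablet after the fix. The follow-up a helper would want is to list them with the PowerShell cmdlets that bitsadmin's own deprecation notice points to (Get-BitsTransfer -AllUsers, from an elevated prompt) and check who owns them and where they download from before deciding whether they belong to Windows Update or to the adware that was just removed.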

Subject to no further problems.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean.

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

If you do need to keep Java then download JavaRa.
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done, run it again and select Update Java runtime > Download and install Latest version.

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right-click on Unchecky_setup and choose Run as Administrator.
Once open, click the Install button.
Then click on Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.

Alright, I just completed everything else you suggested. Thanks again to everyone who helped!