I had some pest on my computer and followed the instructions on this site. (Installed and ran scans MBAM and OTL) MBAM removed a whole lot of stuff but I’m still getting constant notifications that access to a malicious website is being blocked (even without an explorer open), although it doesn’t actually state the website just various IP addresses.
Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool.
Click on the Scan button.
After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
Post logfile will also be saved in the C:\AdwCleaner folder.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Please download aswMBR and save it to your desktop.
Double click aswMBR.exe to start the tool.
Select Yes if prompted to download the Avast database.
Click Scan
Upon completion of the scan (Scan finished successfully) click Save log and save it to your desktop, and post that log in your next reply for review. Note: do NOT attempt any Fix yet.
1. Open notepad and copy/paste the text present inside the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
HKCU\...\Run: [News.net] - C:\Program Files\\BreakingNews\DesktopContainer.exe
C:\Program Files\\BreakingNews
URLSearchHook: HKLM-x32 - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
URLSearchHook: HKCU - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {B65E678C-5CA9-4056-BF9E-D40150AB1781} URL = http://www.mysearchresults.com/search?&c=2653&t=03&q={searchTerms}
SearchScopes: HKCU - {D99B5F0D-F274-4BC8-BAFD-7ED568309428} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
BHO-x32: TubeSaver - {72cb5562-f302-4356-ac85-bfe2fa0ca479} - C:\Program Files (x86)\TubeSaver\126.dll No File
BHO-x32: uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
Toolbar: HKCU - No Name - {7473B6BD-4691-4744-A82B-7854EB3D70B6} - No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
FF Extension: TopArcadeHits - C:\Users\Emily\AppData\Roaming\Mozilla\Firefox\Profiles\w5al8gkk.default\Extensions\{0113D088-8ED1-468C-B225-585A9C53B5E3}
FF Extension: jid0-Z0Vu9hJlqV0fhIAPqPfmUCNubYQ - C:\Users\Emily\AppData\Roaming\Mozilla\Firefox\Profiles\w5al8gkk.default\Extensions\jid0-Z0Vu9hJlqV0fhIAPqPfmUCNubYQ@jetpack.xpi
CHR Plugin: (Conduit Chrome Plugin) - C:\Users\Emily\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda\2.3.15.10_0\plugins/ConduitChromeApiPlugin.dll No File
CHR Extension: (uTorrentControl_v2) - C:\Users\Emily\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda\10.22.3.518_0
CHR HKLM-x32\...\Chrome\Extension: [ejpbbhjlbipncjklfjjaedaieimbmdda] - C:\Users\Emily\AppData\Local\CRE\ejpbbhjlbipncjklfjjaedaieimbmdda.crx
Folder: C:\AdwCleaner
C:\Users\Emily\AppData\Local\Temp
cmd: ipconfig /flushdns
AlternateDataStreams: C:\ProgramData\PACE:4F0E8CFC6A023E23
AlternateDataStreams: C:\Users\Emily\Cookies:iA4RzzJU1yiuPFYTq3kJ7VDum
AlternateDataStreams: C:\Users\Emily\Local Settings:LQ2upgSwH51WyvtkPuVuYbI
AlternateDataStreams: C:\Users\Emily\Local Settings:No50mwmlzqoTIgjku2qiEN
AlternateDataStreams: C:\Users\Emily\Local Settings:xsMJvCi8iGMISZoDyAGGayzajf
AlternateDataStreams: C:\Users\Emily\AppData\Local:LQ2upgSwH51WyvtkPuVuYbI
AlternateDataStreams: C:\Users\Emily\AppData\Local:No50mwmlzqoTIgjku2qiEN
AlternateDataStreams: C:\Users\Emily\AppData\Local:xsMJvCi8iGMISZoDyAGGayzajf
AlternateDataStreams: C:\Users\Emily\AppData\Local\Application Data:LQ2upgSwH51WyvtkPuVuYbI
AlternateDataStreams: C:\Users\Emily\AppData\Local\Application Data:No50mwmlzqoTIgjku2qiEN
AlternateDataStreams: C:\Users\Emily\AppData\Local\Application Data:xsMJvCi8iGMISZoDyAGGayzajf
AlternateDataStreams: C:\Users\Emily\AppData\Local\Temp:z4hgVm9MfTu9vh46qGqGv9
AlternateDataStreams: C:\Users\Emily\AppData\Local\Temporary Internet Files:aJ2zikVN8f6Szu70h2
AlternateDataStreams: C:\Users\Emily\AppData\Local\Temporary Internet Files:m2UI34YDIyeslRWGUb41CDYAv
AlternateDataStreams: C:\Users\Emily\Documents\-Quantum Physics- The Reality As You Know It Does Not Exist.MP4:TOC.WMV
AlternateDataStreams: C:\Users\Emily\Documents\-Quantum Physics- Welcome To The Matrix.MP4:TOC.WMV
AlternateDataStreams: C:\Users\Emily\Documents\Beethoven Symphony No.9.MP4:TOC.WMV
AlternateDataStreams: C:\Users\Emily\Documents\Coeur De Pirate - Comme Des Enfants (Le Matos Andy Carmichael Remix).MP4:TOC.WMV
AlternateDataStreams: C:\Users\Emily\Documents\Desire Be Desire Go - Tame Impala.MP4:TOC.WMV
AlternateDataStreams: C:\Users\Emily\Documents\Owen Wilson - TV Commercial.MP4:TOC.WMV
2. Save notepad as fixlist.txt to your Desktop. NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply. Note: If the tool warned you about the outdated version please download and run the updated version.
There is now a file on my desktop (unknown file type) named in Asian characters that has seemingly replaced the fixlist.txt file I made. It’s too large to attach but this is what’s inside:
[2012-10-11 16:44:19] ARM returns ERROR_SUCCESS
[2012-10-11 16:44:19] Adobe ARM 1.4.7.0 logging finished.
It actually says it was created on the 11th of October 2012 but I don’t know how it got on my desktop. It wasn’t there before the fix.
I’m also still getting notifications saying malwarebytes has blocked access to a potentially malicious site (ingoing and outgoing, processes include explorer, avast and utorrent)
Please download ComboFix by sUBs from here and save it to your Desktop. If you are unsure how ComboFix works please read this guide carefully. Note: ComboFix must be downloaded to your Desktop.
Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix. If you are unsure how to do this please read this or this Instruction.
Instructions how to disable avast:
Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.
Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.
When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Attach log reports (ComboFix.txt) back to topic.
I'm also still getting notifications saying malwarebytes has blocked access to a potentially malicious site (ingoing and outgoing, processes include explorer, avast and utorrent)
does it happen when not doing anything? ...or when surfing
all in/outgoing requests will go through avast webshield, Malwarebytes may see this as coming from avast ...it is not