Logs

Hi,

I had some pest on my computer and followed the instructions on this site. (Installed and ran scans MBAM and OTL) MBAM removed a whole lot of stuff but I’m still getting constant notifications that access to a malicious website is being blocked (even without an explorer open), although it doesn’t actually state the website just various IP addresses.

I’m attaching my logs. Help!

Emily

Extras

Also attach Malwarebytes / aswMBR logs. http://forum.avast.com/index.php?topic=53253.0

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.30.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16736
Emily :: EMILY-PC [administrator]

30/11/2013 3:06:58 PM
mbam-log-2013-11-30 (15-06-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 241155
Time elapsed: 8 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 12
HKCR\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007} (PUP.Optional.DefaultTab.A) → Quarantined and deleted successfully.
HKCR\CLSID\{CF190686-9E72-403C-B99D-682ABDB63C5B} (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
HKCR\CLSID\{A7A9D7E7-E0C0-4202-9F13-6A06BD073CDA} (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A9D7E7-E0C0-4202-9F13-6A06BD073CDA} (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A9D7E7-E0C0-4202-9F13-6A06BD073CDA} (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A9D7E7-E0C0-4202-9F13-6A06BD073CDA} (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
HKCR\TypeLib\{39A17362-9C1D-4907-9428-0D28A94DC79D} (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
HKCR\Interface\{627A968A-03E6-41C7-B11B-4E442B376F95} (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CF190686-9E72-403C-B99D-682ABDB63C5B} (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C} (PUP.Optional.OptimzerPro.A) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C1C3E833-420E-4D78-9BA7-86AEBB272384} (Adware.GameVance) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C1C3E833-420E-4D78-9BA7-86AEBB272384} (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 10
C:\Users\Emily\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TopArcadeHits (Adware.GameVance) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\TopArcadeHits (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\OpenCandy\BD7C0C31F2E6451BA26F88CA365F0500 (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3} (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\chrome (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\chrome\content (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\skin (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468 (PUP.Optional.Conduit.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\xpi (PUP.Optional.Conduit.A) → Quarantined and deleted successfully.

Files Detected: 26
C:\Users\Emily\AppData\Local\TopArcadeHits\Toparcadehits.dll (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Users\Emily\Downloads\converterlite_d793560.exe (PUP.Optional.InstallIQ.A) → Quarantined and deleted successfully.
C:\Users\Emily\Downloads\mediaplayerlite_d166371.exe (PUP.Optional.InstallIQ.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\TopArcadeHits\uninstaller.exe (Adware.GameVance) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\TopArcadeHits\updater.exe (Adware.GameVance) → Quarantined and deleted successfully.
C:\Users\Emily\Local Settings\Temporary Internet Files\Content.IE5\FMIKSLKQ\Setup[1].exe (PUP.Optional.LuckyLeap.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TopArcadeHits\Play Toparcadehits Online.url (Adware.GameVance) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TopArcadeHits\Uninstall Toparcadehits.lnk (Adware.GameVance) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\TopArcadeHits\tah.config (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\TopArcadeHits\uninstaller.exe (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\TopArcadeHits\updater.exe (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Windows\Tasks\TopArcadeHits.job (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\OpenCandy\BD7C0C31F2E6451BA26F88CA365F0500\TuneUpUtilities2013_2200309_en-US.exe (PUP.Optional.OpenCandy) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\chrome.manifest (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\icon.png (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\install.rdf (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\chrome\content\browser.xul (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\chrome\content\toparcadehits.js (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\skin\style.css (PUP.Optional.TopArcadeHits.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\conduitStatistics.csf (PUP.Optional.Conduit.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\CT3220468.txt (PUP.Optional.Conduit.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\CT3220468.xpi (PUP.Optional.Conduit.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\initData.json (PUP.Optional.Conduit.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\manifest.json (PUP.Optional.Conduit.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\version.txt (PUP.Optional.Conduit.A) → Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\xpi\install.rdf (PUP.Optional.Conduit.A) → Quarantined and deleted successfully.

(end)

Sorry, I didn’t know how to find the file on my computer…

Hi,

Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

- Click on the Scan button.
- After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

- After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
- Post the logfile; it will also be saved in the C:\AdwCleaner folder.

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

- Double-click to run it. When the tool opens click Yes to disclaimer.
- Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Please download aswMBR and save it to your desktop.

Double click aswMBR.exe to start the tool.

- Select Yes if prompted to download the Avast database.
- Click Scan
- Upon completion of the scan ( Scan finished successfully ) click Save log and save it to your desktop, and post that log in your next reply for review.
Note: do NOT attempt any Fix yet.

AdwCleaner log

You need to press Clean in Adwcleaner.

Attach the reports from the other two tools…

FRST

Addition

aswMBR

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

HKCU\...\Run: [News.net] - C:\Program Files\\BreakingNews\DesktopContainer.exe
C:\Program Files\\BreakingNews
URLSearchHook: HKLM-x32 - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
URLSearchHook: HKCU - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - {B65E678C-5CA9-4056-BF9E-D40150AB1781} URL = http://www.mysearchresults.com/search?&c=2653&t=03&q={searchTerms}
SearchScopes: HKCU - {D99B5F0D-F274-4BC8-BAFD-7ED568309428} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
BHO-x32: TubeSaver - {72cb5562-f302-4356-ac85-bfe2fa0ca479} - C:\Program Files (x86)\TubeSaver\126.dll No File
BHO-x32: uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
Toolbar: HKCU - No Name - {7473B6BD-4691-4744-A82B-7854EB3D70B6} -  No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Extension: TopArcadeHits - C:\Users\Emily\AppData\Roaming\Mozilla\Firefox\Profiles\w5al8gkk.default\Extensions\{0113D088-8ED1-468C-B225-585A9C53B5E3}
FF Extension: jid0-Z0Vu9hJlqV0fhIAPqPfmUCNubYQ - C:\Users\Emily\AppData\Roaming\Mozilla\Firefox\Profiles\w5al8gkk.default\Extensions\jid0-Z0Vu9hJlqV0fhIAPqPfmUCNubYQ@jetpack.xpi
CHR Plugin: (Conduit Chrome Plugin) - C:\Users\Emily\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda\2.3.15.10_0\plugins/ConduitChromeApiPlugin.dll No File
CHR Extension: (uTorrentControl_v2) - C:\Users\Emily\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda\10.22.3.518_0
CHR HKLM-x32\...\Chrome\Extension: [ejpbbhjlbipncjklfjjaedaieimbmdda] - C:\Users\Emily\AppData\Local\CRE\ejpbbhjlbipncjklfjjaedaieimbmdda.crx
Folder: C:\AdwCleaner
C:\Users\Emily\AppData\Local\Temp
cmd: ipconfig /flushdns
AlternateDataStreams: C:\ProgramData\PACE:4F0E8CFC6A023E23
AlternateDataStreams: C:\Users\Emily\Cookies:iA4RzzJU1yiuPFYTq3kJ7VDum
AlternateDataStreams: C:\Users\Emily\Local Settings:LQ2upgSwH51WyvtkPuVuYbI
AlternateDataStreams: C:\Users\Emily\Local Settings:No50mwmlzqoTIgjku2qiEN
AlternateDataStreams: C:\Users\Emily\Local Settings:xsMJvCi8iGMISZoDyAGGayzajf
AlternateDataStreams: C:\Users\Emily\AppData\Local:LQ2upgSwH51WyvtkPuVuYbI
AlternateDataStreams: C:\Users\Emily\AppData\Local:No50mwmlzqoTIgjku2qiEN
AlternateDataStreams: C:\Users\Emily\AppData\Local:xsMJvCi8iGMISZoDyAGGayzajf
AlternateDataStreams: C:\Users\Emily\AppData\Local\Application Data:LQ2upgSwH51WyvtkPuVuYbI
AlternateDataStreams: C:\Users\Emily\AppData\Local\Application Data:No50mwmlzqoTIgjku2qiEN
AlternateDataStreams: C:\Users\Emily\AppData\Local\Application Data:xsMJvCi8iGMISZoDyAGGayzajf
AlternateDataStreams: C:\Users\Emily\AppData\Local\Temp:z4hgVm9MfTu9vh46qGqGv9
AlternateDataStreams: C:\Users\Emily\AppData\Local\Temporary Internet Files:aJ2zikVN8f6Szu70h2
AlternateDataStreams: C:\Users\Emily\AppData\Local\Temporary Internet Files:m2UI34YDIyeslRWGUb41CDYAv
AlternateDataStreams: C:\Users\Emily\Documents\-Quantum Physics- The Reality As You Know It Does Not Exist.MP4:TOC.WMV
AlternateDataStreams: C:\Users\Emily\Documents\-Quantum Physics- Welcome To The Matrix.MP4:TOC.WMV
AlternateDataStreams: C:\Users\Emily\Documents\Beethoven Symphony No.9.MP4:TOC.WMV
AlternateDataStreams: C:\Users\Emily\Documents\Coeur De Pirate - Comme Des Enfants (Le Matos Andy Carmichael Remix).MP4:TOC.WMV
AlternateDataStreams: C:\Users\Emily\Documents\Desire Be Desire Go - Tame Impala.MP4:TOC.WMV
AlternateDataStreams: C:\Users\Emily\Documents\Owen Wilson - TV Commercial.MP4:TOC.WMV

2. Save notepad as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
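Before a fixlist like the one above is applied, it helps to see at a glance what it will touch. The following is an added Python helper, not part of this thread and not FRST's own code: it buckets each line by directive type and cross-references the CLSIDs, so a reviewer can spot which component is hooked in several places and which lines would run a command. The sample input is a constructed subset of the lines posted above, and the directive semantics in the comments are assumptions drawn from how the thread uses them.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the fixlist lines posted in the thread, in FRST's format.
SAMPLE_FIXLIST = r"""
HKCU\...\Run: [News.net] - C:\Program Files\\BreakingNews\DesktopContainer.exe
C:\Program Files\\BreakingNews
URLSearchHook: HKLM-x32 - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
BHO-x32: uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
Toolbar: HKCU - No Name - {7473B6BD-4691-4744-A82B-7854EB3D70B6} -  No File
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
cmd: ipconfig /flushdns
AlternateDataStreams: C:\Users\Emily\AppData\Local\Temp:z4hgVm9MfTu9vh46qGqGv9
"""

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

def classify(line):
    """Bucket one fixlist line by the kind of action it asks for (semantics assumed from the thread)."""
    if line.startswith("cmd:"):
        return "command"        # a shell command the tool would run: review most carefully
    if line.startswith("AlternateDataStreams:"):
        return "ads"            # removal of a named NTFS stream from the host file or folder
    if DRIVE_RE.match(line):
        return "path"           # a bare file or folder path to be removed
    if ":" in line:
        return "item:" + line.split(":", 1)[0]   # registry/browser item copied from FRST.txt
    return "other"

def parse_fixlist(text):
    """Split the fixlist into entries carrying their kind and any CLSIDs they mention."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            guids = sorted({g.upper() for g in GUID_RE.findall(line)})
            entries.append({"kind": classify(line), "guids": guids, "raw": line})
    return entries

def summarize(entries):
    """Counts per kind, the command lines, and for each CLSID the kinds of line that reference it."""
    by_kind = Counter(e["kind"] for e in entries)
    guid_refs = defaultdict(set)
    for e in entries:
        for g in e["guids"]:
            guid_refs[g].add(e["kind"])
    return {
        "by_kind": dict(by_kind),
        "commands": [e["raw"] for e in entries if e["kind"] == "command"],
        "guid_refs": {g: sorted(k) for g, k in guid_refs.items()},
    }

if __name__ == "__main__":
    report = summarize(parse_fixlist(SAMPLE_FIXLIST))
    for key in ("by_kind", "commands", "guid_refs"):
        print(key, report[key])
```

On the sample, the uTorrentControl_v2 CLSID shows up as a URLSearchHook, a BHO and a Toolbar entry at once, which is the pattern a reviewer wants to see confirmed before the fix runs.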

Fixlog

So far, I haven’t received any notifications.

The fixlist file was changed. It is now named 㩃䙜卒屔畑牡湡楴敮Ȁ. Is this normal?

Just got a notification.

I do not understand?

There is now a file on my desktop (unknown file type) named in Asian characters that has seemingly replaced the fixlist.txt file I made. It’s too large to attach but this is what’s inside:

[2012-10-11 16:44:19] Adobe ARM 1.4.7.0 logging started.
[2012-10-11 16:44:19] Command Line:
[2012-10-11 16:44:19] ProductCode: {AC76BA86-7AD7-FFFF-7B44-AA0000000001}
[2012-10-11 16:44:19] ProductName: Adobe Reader X MUI
[2012-10-11 16:44:19] ProductVersion: 10.0.0
[2012-10-11 16:44:19] ProductRegistry: SOFTWARE\Adobe\Acrobat Reader\10.0
[2012-10-11 16:44:19] ProductInstallDir: C:\Program Files (x86)\Adobe\Reader 10.0
[2012-10-11 16:44:19] EULA not yet accepted
[2012-10-11 16:44:19] ** Setting Error Condition:
[2012-10-11 16:44:19] Error Code: 1007

[2012-10-11 16:44:19] ARM returns ERROR_SUCCESS
[2012-10-11 16:44:19] Adobe ARM 1.4.7.0 logging finished.

It actually says it was created on the 11th of October 2012 but I don’t know how it got on my desktop. It wasn’t there before the fix.

I’m also still getting notifications saying malwarebytes has blocked access to a potentially malicious site (ingoing and outgoing, processes include explorer, avast and utorrent)
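The garbled file name reported above has the look of an ASCII string whose bytes were displayed two at a time as UTF-16LE code units. The following is an added Python check, not from this thread or from any of the tools in it, that reproduces that mix-up in both directions; it assumes the name was copied verbatim from the desktop.

```python
def as_displayed(text):
    """Show how an ASCII string looks when its bytes are read two at a time as
    UTF-16LE code units, the mix-up suspected for the file name reported above."""
    data = text.encode("ascii")
    if len(data) % 2:
        data += b"\x00"                 # odd length: a NUL pads the last code unit
    return data.decode("utf-16-le")

def recover_utf16_mojibake(name):
    """Reverse the mix-up: turn the displayed characters back into their bytes and
    return the ASCII text they spell, or None when the name is not such a mix-up."""
    data = bytearray(name.encode("utf-16-le"))
    while data and data[-1] < 0x20:     # drop NUL/control padding at the end
        data.pop()
    if len(data) < 2 or any(b < 0x20 or b > 0x7E for b in data):
        return None                      # a genuine ASCII name has interior NUL high bytes
    return data.decode("ascii")

if __name__ == "__main__":
    reported = "㩃䙜卒屔畑牡湡楴敮Ȁ"           # the name quoted above, verbatim
    print(repr(reported), "->", recover_utf16_mojibake(reported))
    print("fixlist.txt ->", recover_utf16_mojibake("fixlist.txt"))
```

Read this way the quoted characters spell an ordinary Windows path, so the odd name is a display artefact of the rename rather than a file type of its own.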

That file belongs to Adobe Reader as it seems…

Let’s make another check:

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
    If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

- Right click on the avast! system tray icon (http://www.mcshield.net/pg/images/avast5.png) in the lower right corner of the screen and scroll up to avast! shield controls;
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.

  3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click Combofix’s window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    Attach log reports (ComboFix.txt) back to topic.
I'm also still getting notifications saying malwarebytes has blocked access to a potentially malicious site (ingoing and outgoing, processes include explorer, avast and utorrent)
Does it happen when not doing anything? ... or when surfing?

All in/outgoing requests will go through the avast webshield, so Malwarebytes may see this as coming from avast … it is not.

also read this
Oh, the Sites You Will Never See http://blog.malwarebytes.org/development/2013/05/oh-the-sites-you-will-never-see/

ComboFix

@Pondus, they were happening without a browser open… They’ve sort of slowed down now.