MAL:URL

Greetings all,

I’ve got a very stubborn redirect on my machine. Avast sometimes catches it, sometimes not. A few of the sites that I’ve been redirected through:

logicrubicle.c0m
rabbits.c0m
hemmapawebben.c0m
legendsanddeeds.c0m
editorsweblog.c0m
imoscar.c0m

I’ve tried clearing cache, running Malwarebytes, Spybot, Adaware, Avast, and so on. The things in my avast scanlog are:

File System:

  • avast! Real-time Shield Scan Report
  • This file is generated automatically
  • Started on: Monday, July 26, 2010 11:27:00 AM

7/26/2010 1:18:21 PM C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4XENSTMB\107ad766f9ab8c5bcfc92a9a05364faf0f123011411[1].js [L] JS:FakeAV-EX [Trj] (0)
File was successfully moved to chest…
7/26/2010 1:20:50 PM C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LC09WIST\107ad766f9ab8c5bcfc92a9a05364faf0f123011511[1].js [L] JS:FakeAV-EX [Trj] (0)
File was successfully moved to chest…
*

  • avast! Real-time Shield Scan Report
  • This file is generated automatically
  • Started on: Wednesday, August 04, 2010 8:45:13 AM

8/4/2010 10:04:26 AM C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LC09WIST\exemple[1].htm [L] JS:Downloader-TG [Trj] (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
8/4/2010 10:04:35 AM C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SO67DSCU\exemple[1].htm [L] JS:Downloader-TG [Trj] (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
8/4/2010 10:04:38 AM C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\LC09WIST\exemple[1].htm [L] HTML:Downloader-F [Trj] (0)
While moving file to chest, error occurred: The process cannot access the file because it is being used by another process
During the file delete, error occurred: The process cannot access the file because it is being used by another process
8/4/2010 10:04:53 AM C:\WINDOWS\TEMP\svchost.exe [L] Win32:Malware-gen (0)
File was successfully moved to chest…

And Web:

  • avast! Real-time Shield Scan Report
  • This file is generated automatically
  • Started on: Monday, August 09, 2010 11:01:38 AM

8/9/2010 11:52:59 AM hxxp://radontheweb.mevio.cxm/|>{gzip} [L] HTML:Script-inf (0)
8/9/2010 12:02:30 PM hxxp://www.google.cxm/

Thanks for your time,

Tim

Have you tried Avast!'s boot-time scan? Or run Malwarebytes in safe mode?
You might also want to clean out your temp files.

On a side note, the mevio.com detection was called a false positive as of 8/10>>
http://forum.avast.com/index.php?topic=62682.0

see if this will help

TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

I’ve run both the boot time scan and a safemode scan with Malwarebytes twice each. The first time they both got a few things, but the second scans were clean and the issue persists.

I’m running TFC now and will update the progress.

Thanks,

Tim

No luck. Opened google, searched mal:url and the second link clicked sent me to wxw.asklots.c0m… via wxw.powerdvd.c0m.

Then it is time for Essexboy`s tricks…

follow this guide and post the log`s http://forum.avast.com/index.php?topic=53253.0

lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt and MBAM scan log )

Ok, so much for clean scans. :slight_smile:

Attached.

now sit back and wait for Essexboy… :wink:

Ok a long fix so lets get at it

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL O2 - BHO: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - No CLSID value found. O33 - MountPoints2\{39f27c40-1ac0-11dd-a69f-0012178bb934}\Shell\AutoRun\command - "" = H:\AutoRun\AutoRun.exe -- File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

NEXT

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

[*]If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

FINALLY

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of it’s process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it’s malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Files attached, recovery console installed.

Are you still getting re-directs ? Also the logs were saved in Unicode could you ensure that the file type is set as ANSI please as they are impossible to read

Ah, sorry about that. Here they are again.

So far so good. This thing has suckered me into thinking it was gone before, but keeping my fingers crossed.

Looking at that I am a happy bunny :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [purity] [emptytemp] [EMPTYFLASH] [CLEARALLRESTOREPOINTS] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[
]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 21.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u21-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u21-windows-i586-p.exe and select “Run as an Administrator.”)

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:

All clear! I’ll follow your directions for cleanup.

A thousand thanks! ;D

My pleasure ;D