Malicious URL - already have run MBAM and OTL

Hi All,

I kept getting a message that Avast has blocked a malicious URL.

//download.newnext.me/spark.bin?rnd… (link modified http removed to avoid that other people who click the link get in trouble)
Infection: URL:Mal
process: c:\windows\sysWOW64\rundll32.exe

I have followed the process and run MBAM and OTL.
Herewith I attach my OTL logs.
Do I need to make any extra steps to remove the malware?

With kind regards,

Frederik

And the Malwarebytes log?

Hi,

Scan with Combofix:

[*] Please download ComboFix by sUBs and save it to your Desktop.
You may read how Combofix works here.

[*] Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this please read this or this Instruction.

[*] Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

[*] When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) to the topic.
(typical log location: C:\ComboFix.txt )

Argus,

I’ve run ComboFix; hereby I attach my log.

Frederik

Open notepad and copy/paste the text present inside the code box below:



Firefox::
FF - ProfilePath - c:\users\frehes\AppData\Roaming\Mozilla\Firefox\Profiles\2mxigyts.default\
FF - prefs.js: browser.search.selectedEngine - Mysearchdial
FF - prefs.js: browser.startup.homepage - hxxp://start.mysearchdial.com/?f=1&a=irmsd0101&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyE0BtA0B0BtCyEzy0F0F0CtN0D0Tzu0SyBtAtAtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=87956812&ir=
FF - ExtSQL: 2014-01-03 10:51; {ad9a41d2-9a49-4fa6-a79e-71a0785364c8}; c:\users\frehes\AppData\Roaming\Mozilla\Firefox\Profiles\2mxigyts.default\extensions\{ad9a41d2-9a49-4fa6-a79e-71a0785364c8}
FF - ExtSQL: 2014-01-03 10:51; ffxtlbr@mysearchdial.com; c:\users\frehes\AppData\Roaming\Mozilla\Firefox\Profiles\2mxigyts.default\extensions\ffxtlbr@mysearchdial.com
FF - user.js: extensions.mysearchdial.hmpg - true
FF - user.js: extensions.mysearchdial.hmpgUrl - hxxp://start.mysearchdial.com/?f=1&a=irmsd0101&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyE0BtA0B0BtCyEzy0F0F0CtN0D0Tzu0SyBtAtAtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=87956812&ir=
FF - user.js: extensions.mysearchdial.srchPrvdr - Mysearchdial
FF - user.js: extensions.mysearchdial.newTabUrl - hxxp://start.mysearchdial.com/?f=2&a=irmsd0101&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyE0BtA0B0BtCyEzy0F0F0CtN0D0Tzu0SyBtAtAtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=87956812&ir=
FF - user.js: extensions.mysearchdial.tlbrSrchUrl - hxxp://start.mysearchdial.com/?f=3&a=irmsd0101&cd=2XzuyEtN2Y1L1QzutDtDtByDyCyE0BtA0B0BtCyEzy0F0F0CtN0D0Tzu0SyBtAtAtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=87956812&ir=&q=
FF - user.js: extensions.mysearchdial.id - 002564B3BB149FFC
FF - user.js: extensions.mysearchdial.instlDay - 16073
FF - user.js: extensions.mysearchdial.vrsn - 1.8.21.0
FF - user.js: extensions.mysearchdial.vrsni - 1.8.21.0
FF - user.js: extensions.mysearchdial_i.vrsnTs - 1.8.21.010:26
FF - user.js: extensions.mysearchdial.prtnrId - mysearchdial
FF - user.js: extensions.mysearchdial.prdct - mysearchdial
FF - user.js: extensions.mysearchdial.aflt - irmsd0101
FF - user.js: extensions.mysearchdial_i.smplGrp - none
FF - user.js: extensions.mysearchdial.tlbrId - base
FF - user.js: extensions.mysearchdial.instlRef - 
FF - user.js: extensions.mysearchdial.dfltLng - 
FF - user.js: extensions.mysearchdial.appId - {CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}
FF - user.js: extensions.mysearchdial.excTlbr - false
FF - user.js: extensions.mysearchdial_i.hmpg - true
FF - user.js: extensions.mysearchdial.cr - 87956812
FF - user.js: extensions.mysearchdial.cd - 2XzuyEtN2Y1L1QzutDtDtByDyCyE0BtA0B0BtCyEzy0F0F0CtN0D0Tzu0SyBtAtAtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R
FF - user.js: extensions.irmysearch.aflt - irmsd0101
FF - user.js: extensions.irmysearch.instlRef - 
FF - user.js: extensions.irmysearch.cr - 87956812
FF - user.js: extensions.irmysearch.cd - 2XzuyEtN2Y1L1QzutDtDtByDyCyE0BtA0B0BtCyEzy0F0F0CtN0D0Tzu0SyBtAtAtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows. Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )


Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.

[*]Click on the Scan button.
[*]After the scan has finished click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

[*]After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
[*]The logfile will also be saved in the C:\AdwCleaner folder.
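The user.js lines in the CFScript above are the tell-tale pattern of a search hijacker: the homepage, new-tab page, toolbar search URL and selected engine all rewritten to one vendor, with a whole extensions.<vendor>.* namespace carrying the affiliate and tracking values. The script below is an added example for checking a profile's prefs.js or user.js for that pattern before deciding what to clear; it is not part of this thread and not ComboFix's own logic. The allowlists of trusted hosts and engine names, the sample file contents, and the function names are assumptions made for the example; the sample is constructed in the format Firefox writes, with values modelled on the entries in the script above.

```python
"""Scan Firefox prefs.js / user.js text for search-hijacker settings.

Added example, not code from the thread, ComboFix, OTL or Mozilla.
Allowlists and the sample file are assumptions constructed for the demo.
"""
import re
from urllib.parse import urlparse

# One Firefox preference line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')

# Prefs that search hijackers rewrite: URL-valued ones and engine-name ones.
URL_PREFS = {"browser.startup.homepage", "browser.newtab.url", "keyword.URL"}
ENGINE_PREFS = {"browser.search.selectedEngine", "browser.search.defaultenginename"}


def parse_prefs(text):
    """Map pref name -> value (strings unquoted, other literals kept as text)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
        prefs[name] = raw
    return prefs


def host_of(value):
    """Hostname of an http(s) URL, or None. ComboFix's defanged hxxp:// form is accepted."""
    v = re.sub(r'^hxxp(s?)://', r'http\1://', value)
    if not re.match(r'^https?://', v):
        return None
    return urlparse(v).hostname


def is_trusted(host, trusted_hosts):
    """True if host equals or is a subdomain of an allowlisted host."""
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def find_hijacks(text, trusted_hosts, trusted_engines):
    """Return (findings, namespaces).

    findings:   list of (pref_name, offending host or engine name) in file order
    namespaces: vendor names from extensions.<vendor>.* prefs that point at an
                untrusted host, i.e. the pref namespaces worth clearing
    """
    findings = []
    namespaces = set()
    for name, value in parse_prefs(text).items():
        if name in ENGINE_PREFS:
            if value not in trusted_engines:
                findings.append((name, value))
            continue
        host = host_of(value)
        if host is None or is_trusted(host, trusted_hosts):
            continue
        if name in URL_PREFS:
            findings.append((name, host))
        elif name.startswith("extensions."):
            findings.append((name, host))
            namespaces.add(name.split(".")[1])
    return findings, namespaces


# Constructed sample (assumption): what a hijacked profile's user.js looks like,
# with one benign extensions.* line to show the allowlist branch.
SAMPLE_USER_JS = '''\
user_pref("browser.startup.homepage", "hxxp://start.mysearchdial.com/?f=1&a=irmsd0101");
user_pref("browser.search.selectedEngine", "Mysearchdial");
user_pref("browser.newtab.url", "about:newtab");
user_pref("extensions.mysearchdial.hmpg", true);
user_pref("extensions.mysearchdial.newTabUrl", "hxxp://start.mysearchdial.com/?f=2&a=irmsd0101");
user_pref("extensions.mysearchdial.tlbrSrchUrl", "hxxp://start.mysearchdial.com/?f=3&a=irmsd0101&q=");
user_pref("extensions.mysearchdial.aflt", "irmsd0101");
user_pref("extensions.irmysearch.cr", "87956812");
user_pref("extensions.update.url", "https://versioncheck.addons.mozilla.org/update/");
'''

TRUSTED_HOSTS = {"mozilla.org", "google.com"}                 # assumption: site allowlist
TRUSTED_ENGINES = {"Google", "Bing", "DuckDuckGo", "Yahoo"}   # assumption: engine allowlist

if __name__ == "__main__":
    found, vendors = find_hijacks(SAMPLE_USER_JS, TRUSTED_HOSTS, TRUSTED_ENGINES)
    for pref, where in found:
        print(f"HIJACK  {pref} -> {where}")
    print("extension namespaces to clear:", sorted(vendors))
```

On a real machine, read the text from the profile's user.js (the file the hijacker writes) and prefs.js and pass it in; the prefs in the namespaces it reports are the ones to delete, and the matching extension folders under the profile's extensions directory are the ones to remove alongside them.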

ComboFix log 2 after pasting the report in ComboFix

Argus,

I ran AdwCleaner, removed adware with it, did a reboot, but it did not give a log file.

With Kind Regards,

Frederik

Repeat ComboFix script. Something is wrong.

I ran AdwCleaner, removed adware with it, did a reboot, but it did not give a log file.

Look in the root of the C:\ partition.

Hi,

Remove that active link in reply #1

Hi Argus,

AdwCleaner gives me no log, also not in C:\.

With Kind Regards,

Frederik

How’s your computer behaving now?

We’ll do one more check.

Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive…

[*]Close any open browsers
[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*]Double click on zoek.exe to run the tool .
Please wait while the tool starts…

[*]Copy the text present inside the code box below and paste it into the large window in the zoek tool:

filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;

[*] Click on the Run script button.
Please wait until a log report opens (this may be after a reboot).

[*]Save the Notepad file to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.