Malicious URL blocked... a lot.

I know I’m not the only one with this, but I keep getting the red pop up stating Malicious URL blocked. I’ve run Malwarebytes and OTL and received the attached messages. There seem to be a lot of sites, but they all end with /task/23/, whatever that is.

MBAM isn’t attached… What about Adwcleaner?

Okay, trying again. I had to do MB and OTL again.

Hey, also attach the aswMBR log here. If it does not run in normal mode, try safe mode.

Your Malwarebytes log says NO ACTION TAKEN. Update MBAM, run a new Quick Scan… click REMOVE SELECTED.

Run AdwCleaner again… click Scan… when it finishes, click Clean.

Malware removers are notified…

Hi, I will be working on your Malware issues.

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&CUI=UN39353847742539125&UM=2&ctid=CT3289847
IE - HKCU\..\SearchScopes,DefaultScope = {F213A413-B343-4FA1-B4F8-8157444D4DF3}
IE - HKCU\..\SearchScopes\{043C5167-00BB-4324-AF7E-62013FAEDACF}: "URL" = http://vshareus.my-quick-search.com/search.aspx?q={searchTerms}&srch=dsp
IE - HKCU\..\SearchScopes\{F213A413-B343-4FA1-B4F8-8157444D4DF3}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289847&CUI=UN39353847742539125&UM=2
[2013/08/29 19:47:56 | 000,000,000 | ---D | M] (WhiteSmoke New) -- C:\Users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}
[2013/08/29 19:51:14 | 000,000,000 | ---D | M] (WebProtect) -- C:\Users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\extensions\{AF58FD11-7BF2-4F0E-8315-05572D38DF07}
[2013/01/05 08:07:05 | 000,004,011 | ---- | M] () (No name found) -- C:\Users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\extensions\{5391280d-2dd4-11e2-8271-b8ac6f996f26}.xpi
[2013/08/29 19:48:00 | 000,001,005 | ---- | M] () -- C:\Users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\searchplugins\conduit.xml
[2013/08/29 20:20:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
CHR - default_search_provider: Conduit (Enabled)
CHR - default_search_provider: search_url = http://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN32093413418161156&ctid=CT3289847&UM=2
CHR - default_search_provider: suggest_url = http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}&CUI=UN32093413418161156&UM=2
CHR - homepage: http://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN32093413418161156&UM=2
O2 - BHO: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()
CHR - Extension: Web Protect = C:\Users\Knapp\AppData\Local\Google\Chrome\User Data\Default\Extensions\oamhmngeopfinppeiiamgjhlijnmelgo\5.0_0\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()
O2 - BHO: (MSS+ Identifier) - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (Web Protect) - {2CEBF6C7-2B40-469B-B5D5-CD3F3676C3C4} - C:\Program Files (x86)\Web Protect\WebProtect.dll (WebProtect)
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKLM\..\Toolbar: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O4 - HKCU..\Run: [ConduitFloatingPlugin_klibnahbojhkanfgaglnlalfkgpcppfi] C:\Program Files (x86)\Conduit\CT3289847\plugins\TBVerifier.dll (Conduit Ltd.)
O4 - HKCU..\Run: [dddafcaeebaec] "C:\ProgramData\dddafcaeebaec.exe" File not found
O4 - HKCU..\Run: [Dyhuoxby] C:\Users\Knapp\AppData\Roaming\Heyb\qobu.exe File not found
O4 - HKCU..\Run: [Google Update] Reg Error: Value error. File not found
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: dddafcaeebaead = C:\Users\Knapp\AppData\Local\067d037d-d29a-4f51-898c-a8ee4368b7aead\dddafcaeebaead.exe
O8:[b]64bit:[/b] - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 File not found
O8:[b]64bit:[/b] - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
O18 - Protocol\Handler\vsharechrome {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()

:files
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Program Files (x86)\Conduit
C:\Users\Knapp\AppData\Local\Conduit

:commands
[CREATERESTOREPOINT]
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log


  1. Please download ComboFix from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program.
    If you are unsure how to do this please read this or this Instruction.

Instructions on how to disable avast!:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
[*]Again, right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.
  3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion”, just restart the computer once more.
  4. When the tool is finished, it will produce a log report for you. (typical location: C:\[b]ComboFix.txt[/b])
    Attach the log report (ComboFix.txt) back to the topic.
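The OTL and FRST reports quoted in this thread are long, and the entries the helper acted on fall into two groups: autorun, BHO and toolbar entries whose target file or CLSID no longer exists (leftovers from a removed program), and browser start-page or search entries that point at hosts the user never chose. The following triage helper is an added example, not code from this thread, from OTL or from any of the tools mentioned; it parses a handful of the OTL lines quoted above (copied here as a constructed sample) and flags both groups. The watch list of hosts is an assumption taken from the entries the helper removed in this thread.

```python
"""Added triage helper for OTL-style report lines (not OTL's own code).

Flags two kinds of entries a responder wants to see first:
  * orphaned entries ("File not found" / "No CLSID value found"), and
  * browser home-page / search entries pointing at a watched host.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a few of the OTL lines quoted in the thread.
SAMPLE_OTL = """\
IE - HKCU\\SOFTWARE\\Microsoft\\Internet Explorer\\Main,Start Page = http://search.conduit.com?SearchSource=10&CUI=UN39353847742539125&UM=2&ctid=CT3289847
O2 - BHO: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\\Program Files (x86)\\vShare\\vshare_toolbar.dll ()
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O4 - HKCU..\\Run: [dddafcaeebaec] "C:\\ProgramData\\dddafcaeebaec.exe" File not found
O4 - HKCU..\\Run: [Dyhuoxby] C:\\Users\\Knapp\\AppData\\Roaming\\Heyb\\qobu.exe File not found
O4 - HKCU..\\Run: [Google Update] Reg Error: Value error. File not found
CHR - homepage: http://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN32093413418161156&UM=2
O3 - HKLM\\..\\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\\Program Files (x86)\\AskBarDis\\bar\\bin\\askBar.dll (Ask.com)
"""

# Assumption: the search hosts the helper removed in this thread.
WATCHED_HOSTS = {"search.conduit.com", "vshareus.my-quick-search.com"}

# OTL appends these markers when the registry entry's target is gone.
ORPHAN_MARKERS = ("File not found", "No CLSID value found")
URL_RE = re.compile(r"https?://\S+")


def find_orphans(text):
    """Return (section, line) pairs for entries whose target no longer exists.

    Orphaned Run values and BHO/Toolbar CLSIDs are harmless by themselves but
    show what was installed and are what the :OTL fix script removes.
    """
    found = []
    for line in text.splitlines():
        if any(marker in line for marker in ORPHAN_MARKERS):
            section = line.split(" ", 1)[0]  # e.g. 'O2', 'O4'
            found.append((section, line.strip()))
    return found


def find_watched_urls(text, watched=WATCHED_HOSTS):
    """Return (host, line) pairs for browser settings that point at a watched host."""
    found = []
    for line in text.splitlines():
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname  # netloc stops at '/', '?' or '#'
            if host and host.lower() in watched:
                found.append((host.lower(), line.strip()))
    return found


def run_key_names(text):
    """Names of the Run values in the report, to cross-check against the fix script."""
    return re.findall(r"Run: \[([^\]]+)\]", text)


if __name__ == "__main__":
    for section, line in find_orphans(SAMPLE_OTL):
        print("orphan", section, "|", line)
    for host, line in find_watched_urls(SAMPLE_OTL):
        print("watched", host, "|", line)
    print("Run values:", run_key_names(SAMPLE_OTL))
```

Feed it a full OTL.txt instead of the sample and the output is a short list to compare against the fix the helper posted: every orphan should appear in the `:OTL` section, and every watched URL should correspond to a search-provider or start-page line being reset.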

Thanks! I did as you stated and attached the file. One odd development: there are sounds coming through the speakers, like a video or streaming audio, even when there is nothing playing on the computer.

Run ComboFix; you have the instructions.

Sorry. I am trying to do this in between watching the kids. Here is the ComboFix file.

Open notepad and copy/paste the text present inside the code box below:
File::
c:\windows\SYSNATIVE\drivers\cnhpfrcf.sys
c:\windows\SYSNATIVE\drivers\ekdsmkik.sys
c:\windows\SYSNATIVE\drivers\nrmtsuet.sys
c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe

Driver::
cnhpfrcf
ekdsmkik
nrmtsuet
McComponentHostService

DDS::
FF - ProfilePath - c:\users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\
FF - ExtSQL: !HIDDEN! 2010-01-31 11:24; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\[b]ComboFix.txt[/b])

I did it twice. The first time I am uncertain it finished and no log was generated. I’ve attached the log from the second run.

Thank you!

This is a report from the first run. Nothing has been done.

Open notepad and copy/paste the text present inside the code box below:
KillAll::

File::
c:\users\Knapp\AppData\Local\Google\Chrome\Application\chrome.exe
c:\windows\SYSNATIVE\drivers\cnhpfrcf.sys
c:\windows\SYSNATIVE\drivers\ekdsmkik.sys
c:\windows\SYSNATIVE\drivers\nrmtsuet.sys
c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleChromeAutoLaunch_1188854577A12D18723E5D6124D4F6D4"=-

Driver::
cnhpfrcf
ekdsmkik
nrmtsuet
McComponentHostService

Firefox::
FF - ProfilePath - c:\users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\
FF - ExtSQL: !HIDDEN! 2010-01-31 11:24; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\[b]ComboFix.txt[/b])

Here is the log.

Not sure if it means anything (yet), but the speakers were playing sounds with nothing else running about halfway through and after it was complete.

I did not understand the problem with the speakers. What do you hear?

Log file looks good, no malware.

When we turn the computer on, it sounds like multiple audio streams at the same time. It's not forever and turns off after a few minutes.

I am still seeing the /task/23/ "Malicious URL blocked" messages, though: 10 in the past minute, and the only open program is Explorer.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Here they are.

  1. Open notepad and copy/paste the text present inside the code box below.
    To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Start
HKLM-x32\...\Run: [Privoxy] - C:\Program Files (x86)\privoxy\starthelp.exe [51115 2013-08-26] ()
C:\Program Files (x86)\privoxy\starthelp.exe
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - No File
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Knapp\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR DefaultSearchURL: (Conduit) - http://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN32093413418161156&ctid=CT3289847&UM=2
CHR DefaultSuggestURL: (Conduit) - http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}&CUI=UN32093413418161156&UM=2
CHR Plugin: (Skype Toolbars) - C:\Users\Knapp\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8442_0\npSkypeChromePlugin.dll No File
CHR Plugin: (Unity Player) - C:\Users\Knapp\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR HKLM-x32\...\Chrome\Extension: [klibnahbojhkanfgaglnlalfkgpcppfi] - C:\Users\Knapp\AppData\Local\CRE\klibnahbojhkanfgaglnlalfkgpcppfi.crx
CHR HKLM-x32\...\Chrome\Extension: [oamhmngeopfinppeiiamgjhlijnmelgo] - C:\Program Files (x86)\Web Protect\chrome-wp.crx
CHR HKLM-x32\...\Chrome\Extension: [kiplfnciaokpcennlkldkdaeaaomamof] - C:\Users\Knapp\AppData\Local\Torch\Plugins\TorchPlugin.crx
End

  1. Save the Notepad file as fixlist.txt
    NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

  2. Run FRST/FRST64 and press the Fix button just once and wait.
    If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
    The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

That was a quick one. Done.

What is the situation now?