Malicious URL Blocked - Constant warning URL:Mal infection

Constant popup:

Infection: URL: Mal
Process: C:\Users\maneesha\AppData\Local\GC\runne…
from www.clickered.org/cen?ag

Not sure which program it came with.

Any help with getting rid of this shall be greatly appreciated.

Many thanks

Hey, and welcome to the avast forum.

Please follow this guide and attach your logs:

http://forum.avast.com/index.php?topic=53253.0

A malware expert will help you from there when the logs are attached :wink:

Find OTL logs attached.

Malwarebytes file

Thank you so much for the prompt reply =)

ADW file

Let me know how the computer is behaving after this

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
SRV - [2013/07/01 10:55:40 | 000,032,808 | ---- | M] (Just Develop It) [Auto | Stopped] -- C:\Program Files (x86)\MyPC Backup\BackupStack.exe -- (BackupStack)
IE - HKLM\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoIMonetizer&co=CH&userid=a0bb155d-4b03-4494-b5ac-2cc77d94bc01&searchtype=ds&q={searchTerms}
IE - HKCU\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/?publisher=SnapdoIMonetizer&dpid=SnapdoIMonetizer&co=CH&userid=a0bb155d-4b03-4494-b5ac-2cc77d94bc01&searchtype=ds&q={searchTerms}
IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://www1.delta-search.com/?q={searchTerms}&babsrc=SP_ss&mntrId=72CBB2004EC97471&affID=119360&tsp=4964
IE - HKCU\..\SearchScopes\{21079A7B-E265-4173-AB28-78E2041BD70D}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289847&CUI=UN18356597411269117&UM=2
IE - HKCU\..\SearchScopes\{87F87ADE-15A4-408F-BCD6-6E0736A1AAD8}: "URL" = http://search.conduit.com/Results.aspx?ctid=CT3304761&SearchSource=45&UM=2&q={searchTerms}
IE - HKCU\..\SearchScopes\{ACE22F91-E2FC-4D30-969E-6A46F5FB2E01}: "URL" = http://www.mysearchresults.com/search?c=0000&t=01&q={searchTerms}
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&SearchSource=2&CUI=UN19551190839163192&UM=2&q="
[2013/08/03 19:38:14 | 000,006,507 | ---- | M] () -- C:\Users\maneesha\AppData\Roaming\Mozilla\Firefox\Profiles\kvfwuno6.default-1375049972342\searchplugins\babylon.xml
[2013/08/30 12:16:10 | 000,001,102 | ---- | M] () -- C:\Users\maneesha\AppData\Roaming\Mozilla\Firefox\Profiles\kvfwuno6.default-1375049972342\searchplugins\whitesmoke-new-customized-web-search.xml
[2013/08/30 12:02:52 | 000,000,000 | ---D | M] (DownloadTerms) -- C:\Program Files (x86)\Mozilla Firefox\extensions\cxfnl@nxazbwxrbgsgfqqp.net
O2 - BHO: (DownloadTerms) - {2C4BA31C-0C15-11E2-90C7-9BFCBEB168B3} - C:\Users\maneesha\AppData\Local\DownloadTerms\temp.dat ()
O2 - BHO: (PC Gizmos BHO) - {A817C286-3D6B-4ECD-A99C-E44E50DBC523} - C:\Users\maneesha\AppData\Roaming\PC-Gizmos\PCGizmosBHO.dll (PC Gizmos)
O4 - HKCU..\Run: [ConduitFloatingPlugin_klibnahbojhkanfgaglnlalfkgpcppfi] C:\Program Files (x86)\Conduit\CT3289847\plugins\TBVerifier.dll (Conduit Ltd.)
O4 - HKCU..\Run: [Uxkil] C:\Users\maneesha\AppData\Roaming\Ynroy\niqiy.exe File not found
O4 - Startup: C:\Users\maneesha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk = C:\Program Files (x86)\MyPC Backup\MyPC Backup.exe (MyPCBackup.com)
O4 - Startup: C:\Users\maneesha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tcbhn.lnk = C:\Users\maneesha\AppData\Roaming\BrowserCompanion\tcbhn.exe ()
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab (Java Plug-in 1.5.0_04)
[2013/08/31 20:35:36 | 000,000,000 | ---D | C] -- C:\Users\maneesha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MyPC Backup
[2013/08/31 20:35:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MyPC Backup
[2013/08/30 12:02:59 | 000,000,000 | ---D | C] -- C:\Users\maneesha\AppData\Local\GC
[2013/08/30 12:02:50 | 000,000,000 | ---D | C] -- C:\Users\maneesha\AppData\Local\DownloadTerms
[2013/08/03 20:28:36 | 000,000,000 | ---D | C] -- C:\Users\maneesha\AppData\Roaming\DefaultTab
[2013/08/03 19:38:40 | 000,000,000 | ---D | C] -- C:\ProgramData\Symantec
[2013/08/03 19:38:00 | 000,000,000 | ---D | C] -- C:\ProgramData\Babylon
[2013/08/31 20:35:36 | 000,001,101 | ---- | M] () -- C:\Users\maneesha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk
[2013/08/31 20:35:36 | 000,001,091 | ---- | M] () -- C:\Users\maneesha\Desktop\MyPC Backup.lnk

:Files
C:\Users\maneesha\AppData\Local\GC
C:\Users\maneesha\AppData\Roaming\BrowserCompanion
C:\Users\maneesha\AppData\Local\Temp\_MEI51962
C:\Program Files (x86)\MyPC Backup
C:\Users\maneesha\AppData\Local\DownloadTerms
C:\Users\maneesha\AppData\Roaming\PC-Gizmos
C:\Program Files (x86)\Conduit
C:\Users\maneesha\AppData\Roaming\Ynroy

:Commands
[resethosts]
[emptytemp]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
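
As an added illustration (not part of the original post, and not OTL's own code), the sketch below reads a few of the "O" lines quoted in the fix above and shows why entries like these stand out during triage. The flag names and the three heuristics are assumptions of this example.

```python
import re

# Four entries copied from the ":OTL" section of the fix script in the post above.
SAMPLE = r"""
O2 - BHO: (PC Gizmos BHO) - {A817C286-3D6B-4ECD-A99C-E44E50DBC523} - C:\Users\maneesha\AppData\Roaming\PC-Gizmos\PCGizmosBHO.dll (PC Gizmos)
O4 - HKCU..\Run: [Uxkil] C:\Users\maneesha\AppData\Roaming\Ynroy\niqiy.exe File not found
O4 - Startup: C:\Users\maneesha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tcbhn.lnk = C:\Users\maneesha\AppData\Roaming\BrowserCompanion\tcbhn.exe ()
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab (Java Plug-in 1.5.0_04)
"""

ENTRY = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# HijackThis-style section codes that OTL reuses.
KINDS = {"O2": "browser helper object", "O4": "autostart entry",
         "O16": "ActiveX download"}
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.IGNORECASE)


def triage(line):
    """Classify one O-line; flag names are this example's own, not OTL's."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, location, rest = m.groups()
    # Startup shortcuts are logged as "<shortcut>.lnk = <target>"; judge the target.
    target = rest.split(" = ", 1)[-1]
    flags = []
    if target.endswith("File not found"):
        flags.append("orphaned")            # entry points at a file that is gone
    if target.endswith("()"):
        flags.append("no-company")          # company field in the log is empty
    if code in ("O2", "O4") and USER_WRITABLE.search(target):
        flags.append("user-writable-path")  # loads from inside the user profile
    return {"code": code, "kind": KINDS.get(code, "other"),
            "location": location, "flags": flags}


def triage_all(text):
    """Return a triage record for every recognisable O-line in the text."""
    return [r for r in map(triage, text.splitlines()) if r]


if __name__ == "__main__":
    for r in triage_all(SAMPLE):
        print(r["code"], r["kind"], r["location"], r["flags"])
```
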

Thank you very much. Please find the file attached. It didn't automatically reboot though, and I didn't lose my desktop either after the fix scan.

Have the alerts ceased now?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O4 - HKCU..\Run: [PC_GIZMOS] "C:\Users\maneesha\AppData\Roaming\PC-Gizmos\PC_136528.en_78.exe" --update File not found
[2013/03/05 01:02:16 | 000,000,000 | ---D | M] -- C:\Users\maneesha\AppData\Roaming\1B1F2Y1G1Q1R1I1F2Y1Q1Q1F2W1G1I1F1T1Q1P1C
@Alternate Data Stream - 836 bytes -> C:\ProgramData\TEMP:35E5AF34

:Commands
[resethosts]
[emptytemp]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.