Hey.
For a few days now my avast has been popping up with a warning saying “Malicious Url Blocked”. This happens even when I’m not browsing websites. It comes up like every 15 seconds or so. I’ve tried running a full scan of Anti Malware Bytes but no luck. I did the scans that the thread said I should do and I attached the necessary files.
Hi,
Please download AdwCleaner by Xplode and save to your Desktop.
- Double click on AdwCleaner.exe to run the tool.
- Click on the Scan button.
- After the scan has finished click on the Clean button.
- Press OK when asked to close all programs and follow the onscreen prompts.
- Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
- After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
- Post logfile will also be saved in the C:\AdwCleaner folder.
Then…
Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Hey
Sorry it took so long; one of the programs gave me some trouble. Here are the logs you wanted, also the aswMBR one I held onto.
Hi,
Step 1.
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x91569AEC8C33CD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US,ko-KR;q=0.8,ja-JP;q=0.6,ko;q=0.4,ja;q=0.2
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {19CC4C7B-D93E-4222-9D25-894D54CA6D7A} URL = http://www.mysearchresults.com/search?&c=4001&t=10&q={searchTerms}
SearchScopes: HKCU - {4A9A9398-7D67-4814-A3D4-082FFF37EBB3} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3310511&CUI=UN18853568591632019&UM=2
SearchScopes: HKCU - {838B23D7-D828-434C-85EA-BB5C195D65FB} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=irmsd1202&cd=2XzuyEtN2Y1L1QzuyB0AyBzytCzyzyyEyDyEzytCtAtD0CyCtN0D0Tzu0SyBtCyEtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=1586713685&ir=
CHR HKLM\...\Chrome\Extension: [apjkpjchfbckhjhokinlgdbmibpbbjak] - C:\Users\User\AppData\Local\CRE\apjkpjchfbckhjhokinlgdbmibpbbjak.crx
C:\Users\User\AppData\Roaming\Camdata.ini
C:\Users\User\AppData\Roaming\CamLayout.ini
C:\Users\User\AppData\Roaming\CamShapes.ini
C:\Users\User\jagex_cl_runescape_LIVE.dat
C:\Users\User\random.dat
C:\Users\User\AppData\Local\Temp\bitool.dll
C:\Users\User\AppData\Local\Temp\bi_cleaner.exe
C:\Users\User\AppData\Local\Temp\CommonInstaller.exe
C:\Users\User\AppData\Local\Temp\DrvInst64.exe
C:\Users\User\AppData\Local\Temp\EAD8C.exe
C:\Users\User\AppData\Local\Temp\i4jdel0.exe
C:\Users\User\AppData\Local\Temp\ntdll_dump.dll
C:\Users\User\AppData\Local\Temp\nv3DVStreaming.dll
C:\Users\User\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\User\AppData\Local\Temp\nvStereoApiI.dll
C:\Users\User\AppData\Local\Temp\nvStInst.exe
C:\Users\User\AppData\Local\Temp\Quarantine.exe
C:\Users\User\AppData\Local\Temp\sonarinst.exe
C:\Users\User\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\User\AppData\Local\Temp\tbentr.dll
C:\Users\User\AppData\Local\Temp\tbSwe0.dll
C:\Users\User\AppData\Local\Temp\uninst1.exe
C:\Users\User\AppData\Local\Temp\uninstalloption.exe
C:\Users\User\AppData\Local\Temp\x2blapi.dll
2013-12-30 17:03 - 2013-12-30 17:03 - 00028672 _____ C:\Windows\system32\qjdwr.ejz
2013-12-30 16:51 - 2014-01-04 15:04 - 00000090 _____ C:\Windows\system32\iobyt.zwd
2013-12-30 16:50 - 2013-12-30 17:03 - 00000099 _____ C:\Windows\system32\cioco.pwn
2013-12-30 16:50 - 2013-12-30 16:50 - 00000064 _____ C:\Windows\system32\xkwrnot.wys
2013-12-30 16:32 - 2013-12-30 16:32 - 00101213 ____S C:\Windows\system32\kqsjzj.qqr
cmd: ipconfig /flushdns
AlternateDataStreams: C:\ProgramData\TEMP:28BF1793
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
=====================================================================
Step 2.
Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
- Type rpcss.dll into the Search: field in FRST then click the Search File(s) button.
- FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
- Please attach it to your reply.
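Added example, not part of the thread and not FRST's own code: a small Python triage of the dated file entries in the fixlist above. It assumes the first timestamp on each line is the creation time and the second the last modification; the list of usual System32 extensions and the one-hour grouping window are illustrative choices.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# First five lines are copied from the fixlist in this thread; the last line
# is a constructed control entry (hypothetical file) that should not be flagged.
SAMPLE = r"""
2013-12-30 17:03 - 2013-12-30 17:03 - 00028672 _____ C:\Windows\system32\qjdwr.ejz
2013-12-30 16:51 - 2014-01-04 15:04 - 00000090 _____ C:\Windows\system32\iobyt.zwd
2013-12-30 16:50 - 2013-12-30 17:03 - 00000099 _____ C:\Windows\system32\cioco.pwn
2013-12-30 16:50 - 2013-12-30 16:50 - 00000064 _____ C:\Windows\system32\xkwrnot.wys
2013-12-30 16:32 - 2013-12-30 16:32 - 00101213 ____S C:\Windows\system32\kqsjzj.qqr
2009-07-14 03:15 - 2009-07-14 03:15 - 00512000 _____ C:\Windows\system32\example.dll
"""

STAMP = r"(\d{4}-\d\d-\d\d \d\d:\d\d)"
LINE = re.compile(rf"^{STAMP} - {STAMP} - (\d+) (\S+) (.+)$")
FMT = "%Y-%m-%d %H:%M"
# Assumption: extensions commonly found directly under System32 (not exhaustive).
USUAL_EXT = {".dll", ".exe", ".sys", ".cpl", ".msc", ".mui", ".nls", ".ocx",
             ".drv", ".ax", ".dat", ".ini", ".log", ".tlb", ".scr", ".cat"}

def parse(text):
    """Turn 'created - modified - size attrs path' lines into dicts."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            entries.append({"created": datetime.strptime(m[1], FMT),
                            "modified": datetime.strptime(m[2], FMT),
                            "size": int(m[3]), "attrs": m[4],
                            "path": PureWindowsPath(m[5])})
    return entries

def triage(entries, window=timedelta(hours=1)):
    """Group System32 files with unusual extensions into creation-time bursts."""
    odd = sorted((e for e in entries
                  if e["path"].parent.name.lower() == "system32"
                  and e["path"].suffix.lower() not in USUAL_EXT),
                 key=lambda e: e["created"])
    bursts = []
    for e in odd:
        if bursts and e["created"] - bursts[-1][-1]["created"] <= window:
            bursts[-1].append(e)   # created shortly after the previous odd file
        else:
            bursts.append([e])     # start a new burst
    return bursts

if __name__ == "__main__":
    for burst in triage(parse(SAMPLE)):
        print(burst[0]["created"], "->", [e["path"].name for e in burst])
```

A burst of several oddly named files created within minutes of each other in System32 is the kind of cluster worth checking by hand before anything is deleted.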
The problem still occurs. I attached the logs onto the reply.
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Unlock: C:\Windows\system32\cioco.pwn
Unlock: C:\Windows\system32\kqsjzj.qqr
C:\Windows\system32\cioco.pwn
C:\Windows\system32\kqsjzj.qqr
Replace: C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll C:\Windows\System32\rpcss.dll
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
Then…
Re-run FRST and attach fresh report…
After running the fix my computer won’t start, safe mode or otherwise. It gets past the windows logo then I get a black screen with just my mouse. What do I do about this?
Sent from an android phone
Do you have USB flash and access to another PC, so we can download FRST and fix this outside windows?
Yes. How would I go about doing this?
Please download Farbar Recovery Scan Tool x86 and save it to a flash drive.
- Plug the flash drive into the infected PC.
- Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer.
- Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.
- In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.
- In the command window type in notepad and press Enter.
- When notepad opens, click File and select Open.
- Select “Computer” and find your flash drive letter and close the notepad.
- In the command window type e:\frst.exe and press Enter.
  Note: Replace letter e with the drive letter of your flash drive.
- The tool will start to run. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.
It is late now, attach report and we’ll continue tomorrow…
I’m starting to get a lot of problems with my computer, like control panel not opening and saying stuff like “Handle is Invalid” or something.
How did you manage to enter Normal mode? This shouldn’t happen, did you do something on your own, or computer got unbootable after FRST?
It got unbootable after FRST
Very strange… ???
Can you now access Normal mode? If you can, re-run FRST and attach fresh report…
Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
- Type rpcss.dll into the Search: field in FRST then click the Search File(s) button.
- FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
- Please attach it to your reply.
Here you go. I was wondering what these things are looking for.
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x91569AEC8C33CD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US,ko-KR;q=0.8,ja-JP;q=0.6,ko;q=0.4,ja;q=0.2
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {19CC4C7B-D93E-4222-9D25-894D54CA6D7A} URL = http://www.mysearchresults.com/search?&c=4001&t=10&q={searchTerms}
SearchScopes: HKCU - {4A9A9398-7D67-4814-A3D4-082FFF37EBB3} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3310511&CUI=UN18853568591632019&UM=2
SearchScopes: HKCU - {838B23D7-D828-434C-85EA-BB5C195D65FB} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=irmsd1202&cd=2XzuyEtN2Y1L1QzuyB0AyBzytCzyzyyEyDyEzytCtAtD0CyCtN0D0Tzu0SyBtCyEtN1L2XzutBtFtBtFtCyEtFtCtAyBzytN1L1CzutCyD1B1P1R&cr=1586713685&ir=
C:\Users\User\AppData\Roaming\Camdata.ini
C:\Users\User\AppData\Roaming\CamLayout.ini
C:\Users\User\AppData\Roaming\CamShapes.ini
C:\Users\User\AppData\Local\Temp\bitool.dll
C:\Users\User\AppData\Local\Temp\bi_cleaner.exe
C:\Users\User\AppData\Local\Temp\CommonInstaller.exe
C:\Users\User\AppData\Local\Temp\DrvInst64.exe
C:\Users\User\AppData\Local\Temp\EAD8C.exe
C:\Users\User\AppData\Local\Temp\i4jdel0.exe
C:\Users\User\AppData\Local\Temp\ntdll_dump.dll
C:\Users\User\AppData\Local\Temp\nv3DVStreaming.dll
C:\Users\User\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\User\AppData\Local\Temp\nvStereoApiI.dll
C:\Users\User\AppData\Local\Temp\nvStInst.exe
C:\Users\User\AppData\Local\Temp\Quarantine.exe
C:\Users\User\AppData\Local\Temp\sonarinst.exe
C:\Users\User\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\User\AppData\Local\Temp\tbentr.dll
C:\Users\User\AppData\Local\Temp\tbSwe0.dll
C:\Users\User\AppData\Local\Temp\uninst1.exe
C:\Users\User\AppData\Local\Temp\uninstalloption.exe
C:\Users\User\AppData\Local\Temp\x2blapi.dll
replace: C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7600.16385_none_69a1321f9f3393ad\rpcss.dll C:\Windows\System32\rpcss.dll
2013-12-30 17:03 - 2013-12-30 17:03 - 00028672 _____ C:\Windows\system32\qjdwr.ejz
2013-12-30 16:51 - 2014-01-05 11:18 - 00000084 _____ C:\Windows\system32\iobyt.zwd
2013-12-30 16:50 - 2013-12-30 17:03 - 00000099 _____ C:\Windows\system32\cioco.pwn
2013-12-30 16:50 - 2013-12-30 16:50 - 00000064 _____ C:\Windows\system32\xkwrnot.wys
2013-12-30 16:32 - 2013-12-30 16:32 - 00101213 ____S C:\Windows\system32\kqsjzj.qqr
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
Solaris
I tried doing that stuff, nothing was out of the ordinary, or at least nothing to my untrained eye.
Also, is the fixlist going to make my computer inaccessible? I want to know so I can prepare the other computer.
Ok so it became unbootable again. This time I did what you told me to do last time it was unbootable. After the scan finished how do I get it to boot normally?
System file is infected so we need to replace it with a clean one. In the process of replacing something went wrong…
Follow my previous instruction http://forum.avast.com/index.php?topic=144082.msg1045262#msg1045262
I did. Here is the FRST.