I had the same problem that others have recently described, with each new site opened in the browser (Chrome) eliciting the “Malicious URL Blocked” pop-up message, so I ran all the initial scans detailed in the instructions provided, and will attach those logs here. The message actually stopped happening after the reboot required by the first tool (AdwCleaner), but even so, I am now very worried about what may still be lurking, mostly because I use this beast for online banking… in addition to my job and everything else. The Malwarebytes quick scan came up with four problems that it was then able to successfully remove… Not sure if that’s pertinent info, but there it be. If someone on here can take a gander at the attached logs and let me know what, if anything, still needs to be done, I’d really appreciate it… Thanks.
Hey, and welcome to the forum. Thanks for attaching the necessary logs; I will drop a note to one of our malware experts here on the forum on your thread.
Monitoring
Hi,
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:files
C:\ProgramData\Best Buy pc app
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
:OTL
FF:64bit: - HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
FF - HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll (Best Buy)
CHR - plugin: Best Buy pc app Detector (Enabled) = C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O3 - HKU\S-1-5-21-1594937037-3753336031-2259013305-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O33 - MountPoints2\{1752014f-57ae-11e1-bbed-e069958c9783}\Shell - "" = AutoRun
O33 - MountPoints2\{1752014f-57ae-11e1-bbed-e069958c9783}\Shell\AutoRun\command - "" = K:\setup.exe -a
:commands
[CREATERESTOREPOINT]
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
As help for AdwCleaner, let’s reset your browser settings.
Download AT-Destroyer by @Infospyware from here to your desktop.
http://www.infospyware.com/antispyware/at-destroyer/
( Click the green button Descargar )
Note: the entire tool is in Spanish.
[*] Run AT-Destroyer
[*] A pop-up warning/disclaimer appears. Press YES
A black window will open
[*] Press Option 1 ( Buscar y Destruir ) [aka Search and Destroy]
AT-Destroyer will momentarily disconnect the desktop.
If infected, AT-Destroyer's red lines indicate where the infection is detected; otherwise the lines will be green.
After the scan, you will see the desktop again and a report will open; copy it into your next reply, commenting on how the system is working.
If a program does not start, restart the PC.
Restart your computer. How is your computer running now?
Hi, thanks for getting back to me… I re-ran the OTL scan with the text you provided in the box and have attached the report here. I also downloaded the AT-Destroyer and ran it as instructed. That log report is also attached. I saw one red line in the report, with the rest being green, but I have no idea what it said, as my Spanish is lacking to say the least. Aside from all my Google Chrome settings being reset (which I’m assuming was by design), the computer seems to be working fine… But it was pretty much working fine before that. I had just been getting the “Malicious URL Blocked” notice, but even that went away after the initial AdwCleaner scan. I did however start getting a semi-regular pop up from Malwarebytes saying that a malicious site was being blocked, but I’m not seeing that now. I’m just really concerned about my banking stuff and passwords, and whether or not I’ll be able to change them from this computer, so let me know what these log reports are telling you and what else, if anything, I need to do.
I saw one red line in the report, with the rest being green, but I have no idea what it said, as my Spanish is lacking to say the least. Aside from all my Google Chrome settings being reset (which I'm assuming was by design)...
Yes, it was by design. From the log I see what AT-Destroyer did. That’s why I’m looking for feedback with logs.
I always know the current state of the system and I know what specific tools did…
I'm just really concerned about my banking stuff and passwords, and whether or not I'll be able to change them from this computer, so let me know...
When we have finished the case I'll tell you whether there is a need for it. Of course, it is advised to do so.
Delete current OTL and download fresh one. Re-run OTL, click on RunScan and attach here fresh OTL.txt log.
Please download aswMBR and save it to your desktop.
Double click aswMBR.exe to start the tool. Select Yes if prompted to download the Avast database.
[*]Click Scan
[*]Upon completion of the scan ( Scan finished successfully ) click Save log and save it to your desktop, and post that log in your next reply for review.
Note: do NOT attempt any Fix yet.
Here are the two logs you asked for. How we lookin?
Temporarily disable your Malwarebytes and AntiVirus program.
If you are unsure how to do this please read this or this Instruction.
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
FF:64bit: - HKLM\Software\MozillaPlugins\@bestbuy.com/npBestBuyPcAppDetector,version=1.0: C:\ProgramData\Best Buy pc app\npBestBuyPcAppDetector.dll File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [Conime] %windir%\system32\conime.exe File not found
:files
C:\ProgramData\Best Buy pc app /d
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c
:commands
[CREATERESTOREPOINT]
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
How’s your computer running now?
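The two OTL fixes above act on four kinds of leftovers: Run values whose target file is gone (O4 "File not found"), toolbar GUIDs with no registered class (O3 "No CLSID value found"), AutoRun commands Explorer remembered for a removable drive (O33 MountPoints2), and Mozilla plugin registrations whose DLL is missing (FF "File not found"). The script below is an added example, not something posted in this thread or part of OTL: it is a read-only audit that reports entries of those four kinds so you can compare them with an OTL log. The registry locations are the standard Windows keys behind those OTL line types and are my assumptions; it only reports and changes nothing.

```powershell
# Added example, not from this thread: read-only audit of the entry kinds the
# OTL fixes above act on. Assumed registry paths; run in an elevated PowerShell.

function Get-CommandPath {
    # Extract the executable from a Run value such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   %windir%\system32\conime.exe
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 0) { return $expanded.Substring(1, $end - 1) }
        return $expanded.Trim('"')
    }
    if ($expanded -match '^(.*?\.exe)') { return $Matches[1] }   # handles "foo.exe -a"
    return $expanded.Split(' ')[0]
}

function Get-OrphanRunEntries {
    # OTL "O4 ... File not found": autostart values whose target no longer exists
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            $exe = Get-CommandPath $cmd
            if ([string]::IsNullOrWhiteSpace($exe)) { continue }
            if (-not (Test-Path -LiteralPath $exe)) {
                [PSCustomObject]@{ Key = $key; Name = $name; Command = $cmd; Status = 'File not found' }
            }
        }
    }
}

function Get-OrphanToolbarEntries {
    # OTL "O3 ... No CLSID value found": toolbar GUIDs with no registered COM class
    $toolbarKeys = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar',
                   'HKLM:\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
                   'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
    foreach ($key in $toolbarKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($name in (Get-Item $key).GetValueNames()) {
            if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
            if (-not (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$name")) {
                [PSCustomObject]@{ Key = $key; CLSID = $name; Status = 'No CLSID value found' }
            }
        }
    }
}

function Get-MountPointAutoRuns {
    # OTL "O33 - MountPoints2 ... AutoRun\command": commands Explorer remembered for
    # removable drives (the "K:\setup.exe -a" line in this thread came from here)
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (-not (Test-Path $base)) { return }
    foreach ($mp in Get-ChildItem $base) {
        # Get-ChildItem yields .NET RegistryKey objects, so OpenSubKey works directly
        $cmd = $mp.OpenSubKey('Shell\AutoRun\command')
        if ($cmd) {
            [PSCustomObject]@{ MountPoint = $mp.PSChildName; Command = $cmd.GetValue('') }
            $cmd.Close()
        }
    }
}

function Get-OrphanMozillaPlugins {
    # OTL "FF - HKLM\Software\MozillaPlugins\... File not found": plugin DLL missing
    $pluginKeys = 'HKLM:\Software\MozillaPlugins',
                  'HKLM:\Software\Wow6432Node\MozillaPlugins',
                  'HKCU:\Software\MozillaPlugins'
    foreach ($key in $pluginKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($plugin in Get-ChildItem $key) {
            # Read via the RegistryKey object: plugin key names contain '/'
            $dll = $plugin.GetValue('Path')
            if ($dll -and -not (Test-Path -LiteralPath $dll)) {
                [PSCustomObject]@{ Plugin = $plugin.PSChildName; Path = $dll; Status = 'File not found' }
            }
        }
    }
}

# Report everything; an empty section means nothing of that kind was found
Get-OrphanRunEntries     | Format-Table -AutoSize
Get-OrphanToolbarEntries | Format-Table -AutoSize
Get-MountPointAutoRuns   | Format-Table -AutoSize
Get-OrphanMozillaPlugins | Format-Table -AutoSize
```

An orphan Run value or stale plugin registration is harmless on its own (the file it points to is gone), which is why the fix above only cleans them up after the scans came back clean; the MountPoints2 command is worth a look because it records what a removable drive asked Explorer to run, not anything that runs by itself today.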
Here is the last OTL report you requested. Computer still seems to be running fine… possibly even a tad quicker opening programs/sites (hard to tell, as it was already fairly quick).
…Awaiting further instructions.
Logs also look clean.
You did not have any kind of malware that is known to steal any data.
Anyway, if you do any banking or other financial transactions on the PC, it is always advisable to change the important passwords just as a precaution.
We will remove used tool.
Re-run OTL and click on CleanUp! button.
You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.
Everything seems to be a-ok… Thanks for all your help.