Malicious URL Blocked

Repeatedly popping up to no avail. Might have been from an infected file on a USB.

Could be an infection.

Just do what is shown in this topic and ATTACH logs: http://forum.avast.com/index.php?topic=53253.0
Best is to run in listed order.

When all logs are attached malware removers will be notified. :wink:

There are 26 things that have been blocked as you can see on the top right of the alert.

Why do you think this came from an infected USB?

I downloaded a file onto a USB last week, Steven, and have been inundated with similar notifications since. I will upload the logs as soon as I can, thanks for helping.

No problem.

You have time enough for that 8) 8)

AdwCleaner v3.003 - Report created 13/09/2013 at 13:16:32

Updated 07/09/2013 by Xplode

Operating System : Windows 7 Home Premium Service Pack 1 (32 bits)

Username : Power User - POWERUSER-PC

Running from : C:\Users\Power User\Downloads\adwcleaner.exe

Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\ConduitEngine
Folder Deleted : C:\Program Files\OApps
Folder Deleted : C:\Users\Power User\AppData\Local\Conduit
Folder Deleted : C:\Users\Power User\AppData\Local\SwvUpdater
Folder Deleted : C:\Users\POWERU~1\AppData\Local\Temp\Smartbar
Folder Deleted : C:\Users\Power User\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Power User\AppData\LocalLow\ConduitEngine
Folder Deleted : C:\Users\Power User\AppData\LocalLow\MyAshampoo
File Deleted : C:\END
File Deleted : C:\Users\Power User\AppData\Roaming\Mozilla\Firefox\Profiles\mhnyloif.default\searchplugins\whitesmoke-new-customized-web-search.xml
File Deleted : C:\Users\Power User\AppData\Roaming\Mozilla\Firefox\Profiles\mhnyloif.default\user.js
File Deleted : C:\Windows\Tasks\AmiUpdXp.job
File Deleted : C:\Windows\System32\Tasks\AmiUpdXp

***** [ Shortcuts ] *****

***** [ Registry ] *****

[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AmiUpdXp
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{77527D11-60E6-4E60-98F9-3710FDDB6BB3}
[#] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{77527D11-60E6-4E60-98F9-3710FDDB6BB3}
Key Deleted : HKLM\SOFTWARE\Classes\Conduit.Engine
Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd
Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2475029
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3289847
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{878B8524-AED5-4870-9A96-A515440DAC75}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A1E75A0E-4397-4BA8-BB50-E19FB66890F4}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{878B8524-AED5-4870-9A96-A515440DAC75}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A1E75A0E-4397-4BA8-BB50-E19FB66890F4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{878B8524-AED5-4870-9A96-A515440DAC75}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1E75A0E-4397-4BA8-BB50-E19FB66890F4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{30F9B915-B755-4826-820B-08FBA6BD249D}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{878B8524-AED5-4870-9A96-A515440DAC75}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{A1E75A0E-4397-4BA8-BB50-E19FB66890F4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{878B8524-AED5-4870-9A96-A515440DAC75}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{878B8524-AED5-4870-9A96-A515440DAC75}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{878B8524-AED5-4870-9A96-A515440DAC75}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BFB99EDC-F32A-443A-AD86-16E67DD9A7D3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3AED9CE0-1F60-4F5A-9FD4-5E9EE1CF518B}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{30F9B915-B755-4826-820B-08FBA6BD249D}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{A1E75A0E-4397-4BA8-BB50-E19FB66890F4}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{A1E75A0E-4397-4BA8-BB50-E19FB66890F4}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{A1E75A0E-4397-4BA8-BB50-E19FB66890F4}]
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\SmartbarLog
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\conduitEngine
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\MyAshampoo\toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\AppDataLow\Software\MyAshampoo
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\conduitEngine
Key Deleted : HKLM\Software\MyAshampoo\toolbar
Key Deleted : HKLM\Software\MyAshampoo
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\conduitEngine

***** [ Browsers ] *****

-\ Internet Explorer v10.0.9200.16660

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]

-\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Users\Power User\AppData\Roaming\Mozilla\Firefox\Profiles\mhnyloif.default\prefs.js ]

Line Deleted : user_pref("CT3289847_Firefox.csv", "[{"from":"Abs Layer","action":"loading toolbar","time":1372360178019,"isWithState":"","timeFromStart":0,"timeFromPrev":0}]");
Line Deleted : user_pref("Smartbar.ConduitHomepagesList", "");
Line Deleted : user_pref("Smartbar.ConduitSearchEngineList", "");
Line Deleted : user_pref("Smartbar.ConduitSearchUrlList", "");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Line Deleted : user_pref("Smartbar.keywordURLSelectedCTID", "CT3289847");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "WhiteSmoke New Customized Web Search");
Line Deleted : user_pref("browser.search.defaulturl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289847&CUI=UN61937745427106121&UM=2&SearchSource=3&q={searchTerms}&sspv=TB_CER");
Line Deleted : user_pref("smartbar.machineId", "TAPXFNR7UKC2VBEO9FYQR2S81OXEWQREQZECZVJOMWG4XT1EC/AKNE7RGWVTYSDXHHG696RGHX9VYBMADVOGCA");


AdwCleaner[R0].txt - [8454 octets] - [13/09/2013 13:14:13]
AdwCleaner[S0].txt - [7025 octets] - [13/09/2013 13:16:32]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7085 octets] ##########

That's a ton of Adware in your browser, man. :wink:

For the next Attachments choose the Attachments and other options below the Answer box. (Screenshot)

The text would be too long for these boxes.

You can keep Malwarebytes later as the free version or you can purchase a LIFETIME LICENSE for 24,99 Dollars, I think. :wink:
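As an added example, not code from the thread or from AdwCleaner: a read-only PowerShell audit of the Internet Explorer extension points the report above shows being cleaned (Browser Helper Objects, Toolbar, URLSearchHooks, SearchScopes). It resolves each CLSID to the DLL it loads, checking HKCU\Software\Classes before HKLM\SOFTWARE\Classes because that is the order COM consults them. Assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added audit script (not from the thread). Read-only: it only lists what is
# registered, so a defender can review each entry before any removal tool runs.
$guidPattern = '^\{[0-9A-Fa-f\-]{36}\}$'

# Extension points where each entry is a GUID-named subkey ...
$subkeyLocations = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
)
# ... and extension points where each entry is a GUID-named value.
$valueLocations = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks'
)

function Resolve-Clsid {
    param([string]$Guid)
    # A per-user registration under HKCU shadows the machine-wide one under HKLM,
    # so report which hive answered as well as the DLL path it points at.
    foreach ($hive in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes') {
        $key = "$hive\CLSID\$Guid\InprocServer32"
        if (Test-Path $key) {
            $dll = (Get-ItemProperty -Path $key).'(default)'
            $exists = [bool]$dll -and (Test-Path ([Environment]::ExpandEnvironmentVariables($dll)))
            return [pscustomobject]@{ Hive = $hive.Substring(0, 4); Dll = $dll; DllExists = $exists }
        }
    }
    [pscustomobject]@{ Hive = 'none'; Dll = $null; DllExists = $false }   # dangling registration
}

function Get-BrowserExtensionPoints {
    foreach ($loc in $subkeyLocations) {
        if (-not (Test-Path $loc)) { continue }
        foreach ($sub in Get-ChildItem -Path $loc) {
            if ($sub.PSChildName -notmatch $guidPattern) { continue }
            $r = Resolve-Clsid $sub.PSChildName
            # SearchScopes entries carry a URL value; BHO entries do not, so Url stays empty for them.
            [pscustomobject]@{ Location = $loc; Guid = $sub.PSChildName; Hive = $r.Hive; Dll = $r.Dll; DllExists = $r.DllExists; Url = (Get-ItemProperty -Path $sub.PSPath).URL }
        }
    }
    foreach ($loc in $valueLocations) {
        if (-not (Test-Path $loc)) { continue }
        foreach ($name in (Get-ItemProperty -Path $loc).PSObject.Properties.Name) {
            if ($name -notmatch $guidPattern) { continue }
            $r = Resolve-Clsid $name
            [pscustomobject]@{ Location = $loc; Guid = $name; Hive = $r.Hive; Dll = $r.Dll; DllExists = $r.DllExists; Url = $null }
        }
    }
}

Get-BrowserExtensionPoints | Format-Table -AutoSize
```

Entries whose DLL lives under a user profile or Temp path, or whose CLSID resolves only via HKCU, are the ones worth a closer look; entries with DllExists false are leftovers from an incomplete removal.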

I’m not in the market right now. I will definitely refer it to any friends I know having the same difficulties.

Oh, wait

OTL, Steven, are you with me, chap?

Alright lad, here goes the final log.

Yes, I'm here.

I will notify a malware remover now.

If one is online he will maybe help you now.

OK. I notified Essexboy; he or someone else will help you when they are online.

But please be patient. :wink:

Fine work!

No problem Dude.

Now you can just wait. 8) 8) 8)

OK, let's get at it then :slight_smile:

Download McShield to your desktop and install it.
It will initially run a scan and show the result as a toaster by the system clock.
Then in the control centre select scanner and tick unhide items on flash drives.

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan.

Then get the log, which will be here:

Start > all programs > MCShield > logs > all scans

And post that.

Then run the OTL fix and follow with a fresh scan.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-3529407486-3263922826-3036042399-1000\..\SearchScopes\{0211CF49-BFA0-40E5-976F-FCE67AEDA439}: "URL" = http://search.conduit.com/Results.aspx?ctid=CT3300018&SearchSource=45&UM=2&q={searchTerms}

:Files
C:\Users\Power User\AppData\LocalLow\EA74.tmp 

:Commands
[resethosts]
[emptytemp]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

FINALLY

Download the latest version of TDSSKiller from here and save it to your Desktop.

- Double-click on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

- Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

- Click the Start Scan button.

- If a suspicious object is detected, the default action will be Skip; click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

- Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

OK Essexboy, here we go.

Here's the next one.

22:26:45.0547 4800 TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
22:26:46.0327 4800 ============================================================
22:26:46.0327 4800 Current date / time: 2013/09/14 22:26:46.0327
22:26:46.0327 4800 SystemInfo:
22:26:46.0327 4800
22:26:46.0327 4800 OS Version: 6.1.7601 ServicePack: 1.0
22:26:46.0327 4800 Product type: Workstation
22:26:46.0327 4800 ComputerName: POWERUSER-PC
22:26:46.0327 4800 UserName: Power User
22:26:46.0327 4800 Windows directory: C:\Windows
22:26:46.0327 4800 System windows directory: C:\Windows
22:26:46.0327 4800 Processor architecture: Intel x86
22:26:46.0327 4800 Number of processors: 2
22:26:46.0327 4800 Page size: 0x1000
22:26:46.0327 4800 Boot type: Normal boot
22:26:46.0327 4800 ============================================================
22:26:47.0762 4800 BG loaded
22:26:48.0698 4800 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type ‘K0’, Flags 0x00000050
22:26:48.0714 4800 ============================================================
22:26:48.0714 4800 \Device\Harddisk0\DR0:
22:26:48.0729 4800 MBR partitions:
22:26:48.0729 4800 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
22:26:48.0729 4800 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x253FB800
22:26:48.0729 4800 ============================================================
22:26:48.0745 4800 C: <-> \Device\Harddisk0\DR0\Partition2
22:26:48.0745 4800 ============================================================
22:26:48.0745 4800 Initialize success
22:26:48.0745 4800 ============================================================