Malicious URL http://specrtop.org/a/

No, FRST needs to run when you are in the recovery console (i.e. running from the CD), as from the safe mode menu FRST cannot access all the run keys.

Could you please tell me a little more about how to run FRST in the recovery console running from the CD? Because when I reach here (please see the photo), I don't know how to proceed.

Once you get to that point then insert the USB with FRST on it

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following:

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer”, find your flash drive letter and close Notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.

https://dl.dropbox.com/u/73555776/FRST%20Start%20scan.gif

Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Here are the log files.

I’d just like to make sure I did it right.

To do the first scan in the recovery console, I pressed Esc on startup and chose the F10 recovery option from the startup menu. Then Windows loads as usual. Is it normal that I see the normal Windows appearance in recovery mode? I don’t see any difference from normal Windows. (I mean when we enter safe mode, the Windows appearance is different.)

No problem with the second scan while booting from the CD.

Download the attached fixlist.txt to the same USB as FRST
Run FRST as before and press fix
Once it has run, reboot to normal Windows and run a fresh OTL scan, please.

Here is OTL log file.

After running the FRST fix, I’m now seeing my previously deleted old Word files on my desktop as hidden files (they appear faded).

The ghost files will disappear again when we reset the system at the end.

I see you also have AVG on the system; either it or Avast will have to go.

How is the computer behaving now?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=4.0002002
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2413}: "URL" = http://www.searchqu.com/web?src=ieb&appid=0&systemid=413&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb178/?search={searchTerms}&loc=IB_DS&a=6OyOlrdEk9&i=26
IE - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
FF - prefs.js..extensions.enabledAddons: canitbecheaper%40trafficbroker.co.uk:3.8.28
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\searchpredict@speedbit.com: C:\Program Files (x86)\SearchPredict\PRFireFox
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}: C:\Program Files (x86)\SPEEDbit Video Downloader\SPFireFox
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{b64982b1-d112-42b5-b1e4-d3867c4533f8}: C:\ProgramData\Browser Manager\2.3.796.11\{16cdff19-861d-48e3-a751-d99a27784753}\FirefoxExtension
[2012-12-09 17:48:32 | 000,093,072 | ---- | M] () (No name found) -- C:\Users\Nanda\AppData\Roaming\Mozilla\Firefox\Profiles\7o3kt8uy.default\extensions\canitbecheaper@trafficbroker.co.uk.xpi
[2013-04-01 14:56:41 | 000,617,362 | ---- | M] () (No name found) -- C:\Users\Nanda\AppData\Roaming\Mozilla\Firefox\Profiles\7o3kt8uy.default\extensions\check4change-owner@mozdev.org.xpi
[2013-02-05 15:17:24 | 000,218,916 | ---- | M] () (No name found) -- C:\Users\Nanda\AppData\Roaming\Mozilla\Firefox\Profiles\7o3kt8uy.default\extensions\info@priceblink.com.xpi
O2:64bit: - BHO: (SearchCore for Browsers) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\SearchCore for Browsers\SearchCore for Browsers\x64\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (SearchCore for Browsers) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\SearchCore for Browsers\SearchCore for Browsers\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (no name) - {EEE6C35C-6118-11DC-9C72-001320C79847} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {b4de90bb-150d-4b33-95fe-6baac97e1c21} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O3 - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\..\Toolbar\WebBrowser: (no name) - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - No CLSID value found.
O3 - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O20 - AppInit_DLLs: (c:\progra~3\browse~1\23796~1.11\{16cdf~1\browse~1.dll) - File not found
[2013-05-05 07:46:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Conduit
[2013-05-05 07:46:28 | 000,000,000 | ---D | C] -- C:\Users\Nanda\AppData\Local\Conduit
[2013-05-04 06:36:55 | 000,000,000 | ---D | C] -- C:\FRST
[2013-05-03 14:09:07 | 001,712,312 | ---- | C] (Farbar) -- C:\Users\Nanda\Desktop\FRST64.exe
[2013-05-03 14:08:08 | 000,453,048 | ---- | C] (Akeo Consulting (http://akeo.ie)) -- C:\Users\Nanda\Desktop\rufus_v1.3.2.exe
[2012-11-15 09:25:38 | 000,000,000 | ---D | M] -- C:\Users\Nanda\AppData\Roaming\Babylon

:Files
C:\PROGRAM FILES\WEB ASSISTANT
C:\Program Files (x86)\SearchPredict
C:\ProgramData\Browser Manager
C:\Program Files (x86)\SearchCore for Browsers

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
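As an added example that is not part of this thread or of OTL itself: a small Python triage script that reads OTL-style log lines like those in the fix script above and flags the hijack indicators the helper removed (third-party IE search scopes, a forced proxy, orphaned BHO/toolbar CLSIDs, a dangling AppInit_DLLs entry). The trusted-host allowlist and the two benign sample lines at the end are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: search hosts the defender treats as legitimate; any other host
# registered as an IE SearchScope is reported as a hijack candidate.
TRUSTED_SEARCH_HOSTS = {"www.bing.com", "www.google.com"}

SEARCHSCOPE_RE = re.compile(r'^IE - .*SearchScopes\\\{[0-9A-Fa-f-]+\}: "URL" = (\S+)')
PROXY_RE = re.compile(r'^IE - .*Internet Settings: "ProxyEnable" = 1$')
ORPHAN_RE = re.compile(r'^O[23](?::64bit:)? - .* - (\{[0-9A-Fa-f-]+\}|\d+) - No CLSID value found\.$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: \((.+)\) - File not found$')

def triage_line(line):
    """Return (tag, detail) when a line carries a hijack indicator, else None."""
    m = SEARCHSCOPE_RE.match(line)
    if m:  # search provider replaced by a third-party engine
        host = urlparse(m.group(1)).hostname or ""
        return None if host in TRUSTED_SEARCH_HOSTS else ("search_hijack", host)
    if PROXY_RE.match(line):  # a proxy the user did not set can redirect all traffic
        return ("proxy_enabled", "ProxyEnable=1")
    m = ORPHAN_RE.match(line)
    if m:  # BHO/toolbar entry whose COM object no longer exists: add-on residue
        return ("orphan_clsid", m.group(1))
    m = APPINIT_RE.match(line)
    if m:  # AppInit_DLLs loads into every GUI process; a dangling path is residue too
        return ("dangling_appinit", m.group(1))
    return None

def triage_log(text):
    """Run triage_line over every line; returns [(line_no, tag, detail), ...]."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        f = triage_line(line.strip())
        if f:
            findings.append((n, *f))
    return findings

# Sample log: the first five lines are copied from the OTL fix script in this
# thread; the last two are constructed (placeholder GUIDs) to show entries that pass.
SAMPLE_LOG = r"""
IE - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2413}: "URL" = http://www.searchqu.com/web?src=ieb&appid=0&systemid=413&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
O2 - BHO: (no name) - {EEE6C35C-6118-11DC-9C72-001320C79847} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O20 - AppInit_DLLs: (c:\progra~3\browse~1\23796~1.11\{16cdf~1\browse~1.dll) - File not found
IE - HKLM\..\SearchScopes\{00000000-0000-0000-0000-000000000000}: "URL" = http://www.bing.com/search?q={searchTerms}
O2 - BHO: (Example Helper) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll (Example Corp)
""".strip()
```

Running `triage_log(SAMPLE_LOG)` reports the five hijack lines and stays silent on the two benign ones.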

Here is the OTL log file.

My computer seems alright now. I don’t see that malicious URL alert anymore. Thank you very much for your help.

I only installed AVG after I had this problem, hoping it could solve it. I’ve uninstalled it now.

But I see a problem: I can’t go to Control Panel to uninstall it. A message box showing ‘Windows Explorer has stopped working’ appears whenever I try to enter Control Panel. I had to use TuneUp to uninstall AVG.

Could you confirm that Windows is up to date by running Windows Update?

The same thing happens when I go to Action Center to check Windows Update or when I try to see Properties on My Computer: the same message showing ‘Windows Explorer has stopped working’.

I also tried to go to Windows Update from the Start menu. The same message appears.

Site was registered one month ago with a specific reason → https://www.virustotal.com/en/domain/specrtop.org/information/
A Wscript infesting site → https://www.virustotal.com/en/domain/specrtop.org/information/

polonus

OK, I do have a tool that should fix that.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

Even though I’ve already disabled Avast and other antimalware, I’m getting a message showing ‘real time scanner are still active’.

Actually I’ve already uninstalled AVG as well.

I’m still at that point. Not sure if I can press OK, and I don’t know how to stop that scan.

I didn’t press OK and I just restarted my computer from that point now.

I’ll be awaiting your further instructions.

Thanks.

Even I am getting the same message again and again:

URL: http://specrtop.org/a/
Process: C:\Windows\System32\wscript.exe
Infection: URL:Mal
And I have done all possible scanning to delete this virus. Kindly please help me to remove this from my laptop. It is very annoying that with Avast antivirus installed on my system, I have got this malware on my system.
Please help.

Look for the downloaded file that is flagged: apexnew-bold.exe.
see: https://www.virustotal.com/en/file/c87fb40fd6f090c9e023b1a883a8d1f1c934d5e9f58f7092df441a91b476371c/analysis/1367278465/
= FBI Moneypak virus

Damian

I am asking how to remove this malware?

Hi garima1588,

That is why you have the help of a qualified removal expert here. I am just throwing in some additional info.

polonus