need help with a url:mal

system · June 16, 2014, 2:39pm

hi ppl
Avast detects this file but cant do anything when I scan with it or malwarebytes.
Its a single file I accidentally clicked, it recreates itself if I try to remove it normally.
I will attach the OTL log here, but I dont know what to do from now on.
Hope for a quick help, thanks in advance.

avastuser3796 · June 16, 2014, 2:41pm

Remover Notified.

system · June 16, 2014, 2:43pm

just want to let you know that Im a real noob, so please write what to do step by step

avastuser3796 · June 16, 2014, 2:46pm

Hi,

That’s usually what they do. I’m not allowed (Currently) to help you beyond PM’ing removers and I am training. Be patient, it might take an hour or two before they answer.

Don’t Worry, That’s usually what they do.

Edit: If you need clarification. Always ask them. They will most certainly help clarify what they mean and won’t be offended by you asking. In some ways, it helps them.

Pondus · June 16, 2014, 2:49pm

Avast detects this file but cant do anything when I scan with it or malwarebytes.

what file? what is the message from avast?..... you may attach a screenshot

does Malwarebytes detect?.. if so attach Malwarebytes scan log also

system · June 16, 2014, 2:57pm

avast used to pop up a window like every 5-10 secs, now it stopped, which kinda scare me
it said something like avast detected this file that may be dangereous and few info like the type (URL:Mal) and the name of the link
malwarebytes didnt find anything (I tried scanning the entire drive and only the file but no result, same with avast besides that pop up notification my anti-virus consider that file not a virus)
I also read couple of tutorials and scanned the pc with another cleaner but I removed it coz no help from it… but when I open it, there was a little notification about that file, it looks like it changed something in the cleaner so it wouldnt consider it

Pondus · June 16, 2014, 3:01pm

if you right click avast tray icon … and select… show last popup… click pin in top right corner to make it stay on screen and take screenshot
it sounds as you may have a bug that is trying to phone home

anyway, not that important as the removal expert will see it from the OTL log

essexboy · June 16, 2014, 3:39pm

Could you resave the OTL log as ANSI please as it appears to be Unicode

system · June 16, 2014, 4:11pm

this is the screenshot, its in italian but should not be a problem to understand the message
how do I save it in ANSI? Do I need to do the otl scan again?

Pondus · June 16, 2014, 4:17pm

when you are going to save it, a new box pops up… at the bottom of that box should be a dropp down menu that say Unicode or ANSI … we want ANSI

avastuser3796 · June 16, 2014, 4:42pm

The original OTL file is corrupt.

However. I will provide instructions on how to save in ANSI

Open OTL.txt
File
Save As

http://i.imgur.com/LhlCUFT.png

system · June 16, 2014, 5:00pm

ye I got a couple errors while scanning with OTL, btw here’s the ANSI resave ^^

avastuser3796 · June 16, 2014, 5:05pm

OTL isn’t corrupt. So Essex can help you now. Wait a while. He’ll swing by some time soon most likely.

essexboy · June 16, 2014, 5:55pm

Once these steps have been completed can you let me know what problems remain

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
SRV - File not found [Auto | Stopped] -- C:\Users\Valentina\AppData\Local\SoftwareUpdater\SoftwareUpdService.exe -- (SoftwareUpd)
SRV - [2011/12/16 19:44:48 | 000,156,160 | ---- | M] (ServiceUpd) [Auto | Stopped] -- C:\Users\Valentina\AppData\Local\ServUpdater\ServiceUpd.exe -- (ServUpdater)
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.sweet-page.com/web/?type=ds&ts=1389112641&from=cor&uid=MAXTORXSTM3250310AS_6RYBDP5TXXXX6RYBDP5T&q={searchTerms}
IE - HKLM\..\SearchScopes\{52db1893-8a90-4192-aede-08e00b8f8473}: "URL" = http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=104&systemid=473&v=a11465-144&apn_uid=0466461338354036&apn_dtid=BND101&o=APN10640&apn_ptnrs=AG1&q={searchTerms}
[2014/06/11 15:48:45 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Programmi\Mozilla Firefox\defaults\k08k2g9w.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
O2 - BHO: (no name) - {376CA00C-3F95-46F7-8F04-E69906E52A1F} - No CLSID value found.
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {376CA00C-3F95-46F7-8F04-E69906E52A1F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-2970910876-2626351943-4154173461-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [manuela_photo_345353_53453535_3635645645_46765757] wscript.exe //B "C:\Users\Utente\AppData\Roaming\manuela_photo_345353_53453535_3635645645_46765757.vbs" File not found
O4 - HKU\S-1-5-21-2970910876-2626351943-4154173461-1000..\Run: [manuela_photo_345353_53453535_3635645645_46765757] wscript.exe //B "C:\Users\Utente\AppData\Roaming\manuela_photo_345353_53453535_3635645645_46765757.vbs" File not found
O4 - Startup: C:\Users\Utente\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\manuela_photo_345353_53453535_3635645645_46765757.vbs ()
O20 - AppInit_DLLs: (C:\PROGRA~2\Wincert\WIN32C~1.DLL) - File not found
O27 - HKLM IFEO\bpsvc.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\browsersafeguard.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\dprotectsvc.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\protectedsearch.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\rjatydimofu.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchprotection.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\searchprotector.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\snapdo.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\stinst32.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\stinst64.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
O27 - HKLM IFEO\utiljumpflip.exe: Debugger - C:\Windows\System32\tasklist.exe (Microsoft Corporation)
[2014/06/16 14:02:33 | 000,000,000 | ---D | C] -- C:\Users\Utente\AppData\Roaming\eCyber
[2014/06/16 14:01:22 | 000,000,000 | ---D | C] -- C:\Users\Utente\AppData\Roaming\iSafe
[2014/06/09 22:25:46 | 000,178,900 | ---- | M] () -- C:\Users\Utente\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\manuela_photo_345353_53453535_3635645645_46765757.vbs
[2014/06/09 22:25:46 | 000,178,900 | ---- | M] () -- C:\Users\Utente\AppData\Roaming\manuela_photo_345353_53453535_3635645645_46765757.vbs
[2014/06/16 13:53:30 | 000,178,900 | ---- | C] () -- C:\Users\Utente\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\manuela_photo_345353_53453535_3635645645_46765757.vbs
[2014/06/15 20:31:35 | 000,178,900 | ---- | C] () -- C:\Users\Utente\AppData\Roaming\manuela_photo_345353_53453535_3635645645_46765757.vbs

:Files
C:\Users\Utente\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbmegnmpleoagolcnjnejdacakedpcgd

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

system · June 16, 2014, 7:33pm

ok here I give you the log of OTL just after the reboot, the one after the quick scan following the reboot, and the adw cleaner.
all of theme are saved as ANSI.
the file is still there tho

essexboy · June 16, 2014, 7:49pm

It is the vbs that you are talking about, is that correct ?

Download Anti VBS/VBE to your desktop

[]download the appropriate version (32 bit or 64 bit) and double click the file to run it.
[]After a couple of seconds (might also take a whole minute if the machine is heavily infected and/or slow) a report will open in Notepad.
[*]Post that report

Be aware this is a very new programme and as such is not recognised by any Antivirus or Windows, it is safe so allow it to run

system · June 16, 2014, 7:53pm

wow that was fast

essexboy · June 16, 2014, 9:17pm

Could you reboot please and run antivbs again please, then let me know how the computer is behaving

system · June 16, 2014, 9:19pm

the file is still there but icon changed and the end of the file is now .vbs.vir
avast not giving pop up anymore but I will do what u asked for now

system · June 16, 2014, 9:26pm

ok I did the thing again and same result, it says it deleted 4 files but the file is still there even tho it appears not dangerous anymore coz avast is silent. Should I try to delete it?

need help with a url:mal

Announcements