Please help with Virus / Malware problem - Win32:Malware-gen URL:Mal

Within the last couple of months my computer has been running slower. Some info and what I have noticed:

I use the internet a lot for all sorts of googling. I go to all sorts of sites for research, as I run a couple of blogs, plus I'm always searching for answers to something.

Only recently, within a week, have I got these constant Avast warning messages when I use IE. They are constant. Looking back on it now, I did get a good amount of warnings in the last few months, but I'm not sure if they were just standard Avast blocks or abnormal.

My computer has had a problem for a few months where it will sometimes freeze when watching a video, any video, with no rhyme or reason; the screen will go black and I will then have to do a hard reboot.
I'm not sure if that has anything to do with this, but it may. Sometimes I will watch the same video a 2nd or 3rd time and it will freeze the computer and the screen will go black on the 2nd or 3rd time watching the video. This happens once a week or so.

I have also noticed recently a lot of problems with Adobe Flash. It seems to happen on all browsers: Firefox, IE, Chrome. I try to use Firefox or Chrome mostly, but sometimes have to use IE.
I will get a message that "a script has stopped working, click to continue or cancel", and I click continue sometimes and the same message will pop up. Sometimes it will go away, but sometimes it will continue popping up each time after a long hang in the computer and I will have to hit cancel.
This seems to happen when I am playing a game on Facebook that requires Flash, although it also happens at other times.

Example:

warning: unresponsive script
A script on this page may be busy, or it may have stopped responding. You can stop the script now or you can continue to see if the script will complete

script: https://research.scottrade.com/qnr/resourcemanager/etcetc/content/packages/advancedchart.js.package.js:260

continue OR stop script

This time I tried hitting stop script and the same message popped back up. I then tried continue and it came back again. The computer hangs when I click.

My constant Avast warning that prompted me to investigate further has the info below.

It seems I get the messages mostly when I open IE. Then it seems I get more alerts when I go to Google for a search.
I have had these messages pop up from Avast and show as BLOCKED, but it will do it each time I use IE, especially when I close the browser and reopen it.

Infection Details
URL: http://ytimg.biz/MCheck/VersionRequest.a
Process: C:\Program Files\Internet Explorer\iexpl…
Infection: Win32:Malware-gen

Infection Details
URL: http://fbccdn.biz/MCheck/VersionRequest
Process: C:\WINDOWS\assembly\NativeImages_v2.0.50…
Infection: URL:Mal

Infection Details
URL: http://93.190.44.14/MCheck/VersionReques
Process: C:\Program Files\Internet Explorer\iexpl…
Infection: Win32:Malware-gen

Infection Details
URL: http://ytimg.biz/MCheck/VersionRequest.a
Process: C:\Program Files\Internet Explorer\iexpl…
Infection: Win32:Malware-gen

Infection Details
URL: http://93.190.44.14/MCheck/VersionReques
Process: C:\Program Files\Internet Explorer\iexpl…
Infection: Win32:Malware-gen

Malware blocked
avast web shield has blocked a harmful webpage or file
object: http:/…/VersionRequest.ashx?codename=ac
Infection: Win32:Malware-gen
Process: C:\Program Files.…\iexplore.exe

After running AdwCleaner the computer restarted, but it hung after I logged in and I could only see my wallpaper; the mouse moved, but nothing else for 10 mins, so I had to do a hard restart.

I was able to get the log file then on that restart.

AdwCleaner v2.301 - Logfile created 05/24/2013 at 09:43:15

Updated 16/05/2013 by Xplode

Operating system : Microsoft Windows XP Service Pack 3 (32 bits)

User : Marwan - MSDSAWDLAB-PC

Boot Mode : Normal

Running from : C:\Documents and Settings\Marwan\My Documents\Downloads\adwcleaner.exe

Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

File Deleted : C:\Documents and Settings\Marwan\Start Menu\Programs\iLivid.lnk
Folder Deleted : C:\Documents and Settings\Marwan\Local Settings\Application Data\Ilivid
Folder Deleted : C:\Program Files\Common Files\Software Update Utility

***** [Registry] *****

Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetup.exe
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ilivid
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ilivid
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

***** [Internet Browsers] *****

-\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\ Mozilla Firefox v21.0 (en-US)

File : C:\Documents and Settings\Marwan\Application Data\Mozilla\Firefox\Profiles\fgzxe0fk.default\prefs.js

[OK] File is clean.

-\ Google Chrome v27.0.1453.94

File : C:\Documents and Settings\Marwan\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.


AdwCleaner[S1].txt - [3853 octets] - [24/05/2013 09:43:15]

########## EOF - C:\AdwCleaner[S1].txt - [3913 octets] ##########

Attached AdwCleaner log file to this post.

Working on MBAM.

Attached is the most recent MBAM log file.
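The Avast alerts pasted above, as an added example of how to triage them (this is example code written for this page, not the poster's or Avast's). The script parses alert blocks in the format shown, lists the hosts and local processes involved, flags hostnames that sit within one edit of a legitimate CDN label (ytimg.com, fbcdn.net) but on a different TLD, and reports a path prefix (here /MCheck/) that is requested from several unrelated hosts. The sample text is a constructed copy of the alerts above, truncated as they appear in the post; the CDN label list is an assumption of the example.

```python
"""Triage of Avast Web Shield alerts like those pasted in the thread.
Added example, not Avast's own logic.  SAMPLE_ALERTS is a constructed copy
of the alert text from the post (paths truncated exactly as shown there)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_ALERTS = """\
Infection Details
URL: http://ytimg.biz/MCheck/VersionRequest.a
Process: C:\\Program Files\\Internet Explorer\\iexpl...
Infection: Win32:Malware-gen

Infection Details
URL: http://fbccdn.biz/MCheck/VersionRequest
Process: C:\\WINDOWS\\assembly\\NativeImages_v2.0.50...
Infection: URL:Mal

Infection Details
URL: http://93.190.44.14/MCheck/VersionReques
Process: C:\\Program Files\\Internet Explorer\\iexpl...
Infection: Win32:Malware-gen
"""

ALERT_RE = re.compile(r"URL:\s*(\S+)\s*\nProcess:\s*(.+?)\s*\nInfection:\s*(\S+)")

# Legitimate CDN second-level labels and their real TLDs. This list is an
# assumption of the example; the thread does not state it.
KNOWN_CDN_LABELS = {"ytimg": "com", "fbcdn": "net"}


def parse_alerts(text):
    """Split the pasted alert text into dicts of url / process / infection."""
    return [{"url": url, "process": proc, "infection": inf}
            for url, proc, inf in ALERT_RE.findall(text)]


def edit_distance(a, b):
    """Levenshtein distance (small inputs only, so the plain DP is fine)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_cdn_lookalike(host):
    """True for a domain whose second-level label is within one edit of a
    known CDN label but whose TLD differs, e.g. ytimg.biz vs ytimg.com."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return False                       # bare IP, nothing to compare
    labels = host.lower().split(".")
    if len(labels) < 2:
        return False
    sld, tld = labels[-2], labels[-1]
    return any(edit_distance(sld, k) <= 1 and tld != t
               for k, t in KNOWN_CDN_LABELS.items())


def shared_path_prefix(alerts):
    """Map first path segment -> hosts requesting it, keeping only prefixes
    seen from more than one host. Comparing the first segment (not the full
    path) tolerates the truncated URLs in the alerts."""
    by_prefix = defaultdict(set)
    for a in alerts:
        parts = urlsplit(a["url"])
        segs = [s for s in parts.path.split("/") if s]
        if segs:
            by_prefix[segs[0]].add(parts.hostname)
    return {p: hosts for p, hosts in by_prefix.items() if len(hosts) > 1}


def triage(text):
    alerts = parse_alerts(text)
    hosts = sorted({urlsplit(a["url"]).hostname for a in alerts})
    return {
        "hosts": hosts,
        "lookalike_hosts": [h for h in hosts if is_cdn_lookalike(h)],
        "processes": sorted({a["process"] for a in alerts}),
        "shared_paths": shared_path_prefix(alerts),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERTS).items():
        print(key, value)
```

What the summary shows for these alerts: one path prefix requested from two lookalike domains and a bare IP, from two different local processes (iexplore.exe and a .NET native image under C:\WINDOWS\assembly). A fixed request path that keeps appearing across rotating hosts is characteristic of a local component with a hard-coded check-in rather than of pages the user happened to browse, which is why the remaining work in a case like this is to find what on the machine is issuing the requests.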

Hi marsd,

Good that you are now working on running and producing the logs for malware analysis.

Please attach all resulting logs, otherwise you will need several more posts to copy/paste them all in.

Use the Attachments and other options link directly below the text reply box you are writing in.

Click that link and browse to the file you want to attach, and select ‘Open’. All files attached in this way will only be viewable by users logged into the web site; not viewable to those not logged in. You can attach up to four logs at one time, up to 512 KB per post. Additional attachments will require you use the (more attachments) link.

Much easier for you that way.

Once that is done, a certified malware removal expert will be notified. Help will be on the way.

  • OTL
  • aswMBR.exe

are also required. Please attach these logs as well.

[EDIT:] Fixed typo. Note you already are attaching logs whilst I was typing, so disregard instructions above. A malware expert has been notified and will come in as soon as possible. Time zone differences may come into play, so please be patient.

Thanks, I am working on the logs and attaching.

Please see attached other MBAM logs recently made that could be of use, with info.

Sorry, this one is a duplicate, same log, the latest quick scan.

mbam-log-2013-05-24 (15-31-03).txt

The others are older and are a full scan, I believe.

Last MBAM full scan on April 12th has positive hits, so that one can be useful. Thanks for posting. I’ve gone and notified a malware expert.

Could you attach the OTL log, please?

Download OTL to your Desktop
Secondary link

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

  • Select All Users
  • Under the Custom Scan box paste this in:

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir C:\ /S /A:L /C
CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs.

I didn't know older MBAM scans could be useful. Here are more that may be useful with possible "hits".

Plus I will attach MBAM as ANSI, as I did not read that until later.

2 of 3
Older MBAM attached

3 of 3
MBAM

essexboy + mchain,

Hi, thank you in advance.

Attached are the OTL logs.

Not a lot showing there, but the URLs are bad.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe and follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Attached aswMBR.

Will do ComboFix now.

ComboFix attached.

I will check around with the computer and report back.

During the ComboFix process I was asked to download and create a Windows Recovery Console because I did not have one or it was out of date, so I did and it went through fine.
Everything seemed to run smoothly with ComboFix. I only remember having to click yes for the Windows EULA for the Recovery Console and nothing much else.

When I open IE I get the same malware popup from Avast.

Infection Details
URL: http://93.190.44.14/MCheck/VersionReques
Process: C:\Program Files\Internet Explorer\iexpl…
Infection: Win32:Malware-gen

Infection Details
URL: http://fbccdn.biz/MCheck/VersionRequest
Process: C:\WINDOWS\assembly\NativeImages_v2.0.50…
Infection: URL:Mal

Infection Details
URL: http://ytimg.biz/MCheck/VersionRequest.a
Process: C:\Program Files\Internet Explorer\iexpl…
Infection: Win32:Malware-gen

I now get a message from IE that says:

Security alert

You are about to leave a secure internet connection. It will be possible for others to view information you send.

Do you want to continue?
In future, do not show this warning

Yes, No, More info

I clicked NO and closed the browser.

When you say bad, how bad do you mean?

Can you tell what type of malware/virus I have?
Do you know if I am infected with any rootkits or backdoor trojans?

Thanks

You are in good hands with essexboy. Every infection is different, which is why fixes are tailor-made and customized only for your system and no other.

essexboy knows quite a few people in the business, so if he encounters something new, you can be sure he will check it out. Aside from that, he also is a teacher in malware removal and repair in his other job. He learns much sometimes just by helping out people like you.

It is the URLs that are bad. All I need to do now is find what is launching them.

Please download Shortcut Cleaner to your desktop.
Then run it.

https://dl.dropbox.com/u/73555776/sc%20cleaner.JPG

When the Shortcut Cleaner has finished scanning your hard drive it will create a log file on your desktop called sc-cleaner.txt and then display it.
Please post that log.
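The helper's next step is to find what launches the blocked URLs, and one place worth checking is the browser's own shortcuts, since a URL appended to the arguments of a .lnk file is opened every time the browser is started from that shortcut. The following is an added example written for this page, not the Shortcut Cleaner tool's code, and the thread does not confirm that this is the cause on the poster's machine: it is a minimal reader of the Windows Shell Link (.lnk) format that extracts the command-line arguments field and flags any URL found there. The two sample shortcuts are constructed in the block itself, and the URL in the hijacked one is a placeholder.

```python
"""Read the arguments field of Windows .lnk shortcuts and flag a URL injected
into a browser shortcut.  Added example implementing a minimal reader of the
MS-SHLLINK format; it is not the Shortcut Cleaner tool's code, and the sample
shortcuts below are constructed here, not taken from the thread."""
import re
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# StringData fields appear in this fixed order, each only if its flag is set
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip IDList: 2-byte size + items
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                  # skip LinkInfo: size includes itself
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    fields = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            fields[key] = ""
            continue
        count, = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def injected_urls(fields):
    """URLs found in the arguments field; a browser shortcut normally has none."""
    return URL_RE.findall(fields["arguments"])


def flag_hijacked(shortcuts):
    """shortcuts: {path: bytes}. Returns {path: [urls]} for shortcuts that
    carry a URL in their arguments."""
    flagged = {}
    for path, data in shortcuts.items():
        urls = injected_urls(parse_lnk(data))
        if urls:
            flagged[path] = urls
    return flagged


def build_lnk(relative_path, working_dir, arguments):
    """Constructed-sample builder: header plus StringData only, no IDList/LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # remaining header fields zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body


# Constructed samples: a clean IE shortcut and one with a placeholder URL appended
SAMPLE_SHORTCUTS = {
    r"Desktop\Internet Explorer.lnk": build_lnk(
        r"..\..\Program Files\Internet Explorer\iexplore.exe",
        r"C:\Program Files\Internet Explorer", ""),
    r"Quick Launch\Launch Internet Explorer Browser.lnk": build_lnk(
        r"..\..\Program Files\Internet Explorer\iexplore.exe",
        r"C:\Program Files\Internet Explorer", "http://example.invalid/start"),
}

if __name__ == "__main__":
    for path, urls in flag_hijacked(SAMPLE_SHORTCUTS).items():
        print(path, "->", urls)
```

To run it over a real profile, read each .lnk under the Desktop, Start Menu and Quick Launch folders into the dict in place of SAMPLE_SHORTCUTS. The parser only walks the header, the optional IDList and LinkInfo blocks, and the StringData section, which is all that is needed to reach the arguments; it does not interpret the target itself, so a shortcut whose target (rather than its arguments) has been changed to another program would need a check on relative_path or the IDList as well.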