Last week I noticed I had new tabs opening which were downloads. I closed them out if caught in time, or if the download completed I removed it; all URLs started with api. Next I started getting notices from Avast blocking a URL (sorry, I had saved the URL info but someone closed my computer so I lost it). Now it actually downloaded one, which I have removed. It was called: api_ Downloader. exe
http://www. anyfiledownloader. com/get/api_Downloader_9100001.exe?st=fkK2IgsWKUxLGi9gbl1j6w&e=1373557205. I added spaces in some areas so the URL can’t be accidentally clicked by someone. Attached are files requested.
Hello,
the Webpage is at the moment being blocked.
There is no file called api_ Downloader.exe on my system.
Maybe there was something that was not blocked by Avast.
And is now trying to download something.
Have you done everything in the post here? http://forum.avast.com/index.php?topic=53253.0
There are no malware removers online yet, please check back later.
See here: https://www.virustotal.com/en/ip-address/195.66.79.27/information/
You need help from a qualified malware removal expert here, your DNS settings may have been tampered with and you have a search hijacker like searchscopes BHO,
polonus
On completion of this could you let me know what problems you are seeing
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
https://dl.dropbox.com/u/73555776/OTL_Fix.GIF
:Commands
[CREATERESTOREPOINT]
:OTL
O3 - HKU\S-1-5-21-2731395502-1286736164-1658964139-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
[2013/07/17 11:01:14 | 000,000,406 | ---- | M] () -- C:\Windows\tasks\PC Optimizer Pro64 startups.job
[2013/07/17 08:52:00 | 000,000,390 | ---- | M] () -- C:\Windows\tasks\update-sys.job
[2013/07/17 08:52:00 | 000,000,384 | ---- | M] () -- C:\Windows\tasks\update-S-1-5-21-2731395502-1286736164-1658964139-1001.job
[2013/03/13 03:23:08 | 000,000,000 | ---- | M] ()(C:\Windows\SysNative\?o) -- C:\Windows\SysNative\?o
[2013/03/13 03:23:08 | 000,000,000 | ---- | C] ()(C:\Windows\SysNative\?o) -- C:\Windows\SysNative\?o
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Yes, the one URL I posted actually was able to download; Avast did not block it, but it did block others previously. This one actually downloading: api_ Downloader. exe
http://www. anyfiledownloader. com/get/api_Downloader_9100001.exe?st=fkK2IgsWKUxLGi9gbl1j6w&e=1373557205. I did remove it from computer because the download had completed.
Ok Essexboy I see your comment for fix, completed fix and txt document is attached, will let you know if I notice any other problems. I forgot to mention earlier because I had to leave, but also was noticing my preference on Chrome was being changed, such as home page setting. I would get the following message when Chrome is first loaded (see screenshot attached). I believe your fix may have included fix for that also if it was hijacked as mentioned above.
Sorry, forgot to attach other document showing scan after fix.
It is now almost 1:15am in the UK so essexboy will be in bed now, but he should be back on line later today.
As it stands I can currently see no malware; for Chrome you may have to create another user profile
Ok today I logged on Facebook, then 1 hour later, got URL blocked by Avast and it was for the same webpage: http://www. freefilesdownloader .com /download/1/91000/api (added spaces so webpage can’t be accessed accidentally). I didn’t click anything on Facebook other than Farmville game requests. You mentioned creating a new user profile for Chrome, so set up another user that will not be administrative? Do you need scans run again? Please advise.
Could you post the screenshot for the Avast alert, as I believe the link you clicked was infected… Hence no apparent malware on the logs
I tried to get a copy of it but lost it after I hit the printscreen. I hit numerous links when I play Farmville, I have to help others out, or claim items from them. Will try to save screenshot next time I get 1. But I noticed that it did show up on my Avast security info when I checked Avast network shield, showed the 1 being blocked and it was the same one api download thing. I just remember that after I rebooted I had an update request for Flash, so that was the only thing I downloaded new after we did the cleanup. And if I recall correctly I wasn’t clicking any links when I got the message, I was actually on the farm and not Facebook page clicking any links. But will see if it happens again and try to save it.
I would suspect that the page is infected, is it a malicious URL block?
Ok got it again, this time was doing nothing on Facebook. I tried to get screenshot of Avast but it cleared off page before I could save it, however I did capture a screenshot of Avast showing it blocked that download, and the tab that opened to download it only said page is not available. I share this computer with my sons, I tell them over and over not to click certain items on their Facebook pages. After we fixed the problem one son did use it, wonder if he infested it again? I believe my account is set up as admin, I should only give them access to their own account; this way maybe I can’t have a virus take over the administrative account. See attached, it’s the same download api thing as before. Thanks for your help.
Right click the orange blob and select show last popup message
No blocks by Avast but tonight I got this (see attached screenshot), also couldn’t X page out, had to right click tab and close tab. Also noticed when I signed on my fonts had been changed, so something is going on.
You may be right.
Microsoft antivirus is this: http://www.2-spyware.com/remove-microsoft-antivirus-has-found-critical-process-activity-on-your-pc.html
BTW, take no action on any advice on this website. Wait for essexboy to come back. This link provided just fyi.
[EDIT:] Site recommends downloading and running SpyHunter. Do not run this program, not worth the trouble, and it may make things worse.
Microsoft is the vendor of this program: http://windows.microsoft.com/en-us/windows/security-essentials-download
Not the same thing.
Again, I’d wait 'til essexboy comes online again, to see what he says, as you are in the best of hands here.
OK let's try a little fishing expedition
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1
Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
- IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png
http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
- Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
- Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
- If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.
Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
Ok I have Avast, Windows Defender, Malwarebytes and SUPERAntiSpyware. I turned off Windows Defender; Malwarebytes and SUPERAntiSpyware free version do not have real time so didn’t have to disable. I tried to disable Avast by right clicking icon, and also by looking for “shield control” to disable it, was unable to find it. Is Avast the same as others? I have the free version of Avast, so is there a way to disable it?
Right click the orange blob
Select Shield control > Disable until reboot
If combofix still complains then accept the warning and allow to run