Mal Cannot Clean

I have run a full system scan and a boot-time scan and have not been able to remove this malware.
This is what my alert is leading me to: http://puu.sh/7s1Q5.jpg
What is happening: every time I open a webpage in Chrome the alert goes off, but not until I go to an actual website. It will let the home page load without a warning.
Just looking for any help in removing whatever is causing this.
Thank you for reading!
Chuck

Hello,
We’ll run system diagnostics with these two powerful tools. That will allow us to quickly ascertain whether and / or where malware may be running on your machine.

=> Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


=> Please download GMER, the rootkit detector tool, from the link below and save it to your Desktop:

Gmer download link
Note: the file will have a random name.

Double-click to run GMER.

- Wait for the initial scan to finish; if there is any query, click No.
- Click the [ Scan ] button and wait until the full scan is complete.
- Click [ Save … ] and save the report to the Desktop (named ARK).

- Then click the >>> button and select the Autostart tab.
- Click the [ Scan ] button.
- After the quick scan, click the Copy button.
- Open Notepad and paste the text. Save the report to the Desktop (named autostart).

Attach both GMER log reports here (ARK.txt and autostart.txt).

As you requested magna86 here are the files.

The other 2 files

I just ran AVAST browser cleaner and, after looking through the logs, I saw Savings Bull in both of them; it was on there and I removed that as well. Right now I am not getting that annoying malware alert.

Hi 20Chuck02,

After preliminary preparation (uninstall and msconfig) we shall tell FRST to target the bad stuff. TFC is there to perform some temp & cache cleaning, as it should be done, and after that I will need a fresh FRST log for re-test/check.


First from Control Panel > Programs and Features you shall need to uninstall the following PUP:
Torchlight 2


From the posted log I can see you have been using the msconfig utility to disable a few startup items. I'll need you to enable these items, as I shall script them for FRST as removal targets.

MSCONFIG\startupreg: Pando Media Booster => C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
MSCONFIG\startupreg: SearchSettings => "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"


FRST’s FixList


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Start
File: C:\Users\Chuck\Downloads\DL OLD\my_network_speed\my_network_speed\My_Network_Speed.exe
Folder: C:\Windows\SysWOW64\AI_RecycleBin
C:\Users\Chuck\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler.exe
C:\Users\Chuck\AppData\Roaming\Mozilla\Firefox\Profiles\f9g2vo6c.default\searchplugins\sweetim.xml
C:\Users\Chuck\AppData\Roaming\Mozilla\Firefox\Profiles\f9g2vo6c.default\Extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi
C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
C:\Program Files (x86)\Common Files\Spigot
C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\External Extensions\{EEE6C373-6118-11DC-9C72-001320C79847}
C:\Users\Chuck\AppData\Local\Temp\*.exe
C:\Program Files (x86)\Pando Networks
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}
SearchScopes: HKLM-x32 - DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10043&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}
SearchScopes: HKLM-x32 - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10043&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}
SearchScopes: HKCU - DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10043&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}
SearchScopes: HKCU - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10043&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}
BHO-x32: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-x32: Define - {B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} - C:\Users\Chuck\AppData\Local\DefineExt\temp.dat No File
FF Homepage: hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}
FF Homepage: hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}
FF Keyword.URL: hxxp://start.sweetpacks.com/?src=2&st=12&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}&q=
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF SearchPlugin: C:\Users\Chuck\AppData\Roaming\Mozilla\Firefox\Profiles\f9g2vo6c.default\searchplugins\sweetim.xml
FF Extension: SweetPacks Toolbar for Firefox - C:\Users\Chuck\AppData\Roaming\Mozilla\Firefox\Profiles\f9g2vo6c.default\Extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi [2013-04-01]
CHR Extension: (SweetPacks Chrome Extension) - C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj [2013-04-01]
CHR HKLM-x32\...\Chrome\Extension: [hbcennhacfaagdopikcegfcobcadeocj] - C:\Program Files (x86)\Common Files\Spigot\GC\saebay_1.1.crx [2013-10-14]
CHR HKLM-x32\...\Chrome\Extension: [icdlfehblmklkikfigmjhbmmpmkmpooj] - C:\Program Files (x86)\Common Files\Spigot\GC\ErrorAssistant_1.3.crx [2013-12-27]
CHR HKLM-x32\...\Chrome\Extension: [mhkaekfpcppmmioggniknbnbdbcigpkk] - C:\Program Files (x86)\Common Files\Spigot\GC\coupons_2.4.crx [2013-04-26]
CHR HKLM-x32\...\Chrome\Extension: [ogccgbmabaphcakpiclgcnmcnimhokcj] - C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\External Extensions\{EEE6C373-6118-11DC-9C72-001320C79847}\SweetNT.crx [2013-04-01]
CHR HKLM-x32\...\Chrome\Extension: [pfndaklgolladniicklehhancnlgocpp] - C:\Program Files (x86)\Common Files\Spigot\GC\saamazon_1.0.crx [2012-11-22]
HKU\S-1-5-21-3399705442-796983185-888733733-1000\...\MountPoints2: {5e98699c-01e5-11e3-bb41-bc5ff45bbd7e} - H:\TL-Bootstrap.exe
HKU\S-1-5-21-3399705442-796983185-888733733-1000\...\MountPoints2: {9f1241f4-7c7e-11e3-ab06-bc5ff45bbd7e} - H:\MotorolaDeviceManagerSetup.exe -a
HKU\S-1-5-21-3399705442-796983185-888733733-1000\...\MountPoints2: {cb9ea324-6dcb-11e2-96b5-bc5ff45bbd7e} - H:\ToolLauncher-Bootstrap.exe
HKU\S-1-5-21-3399705442-796983185-888733733-1000\...\MountPoints2: {e0d45140-6e5c-11e3-bfa7-bc5ff45bbd7e} - H:\VZW_Software_upgrade_assistant.exe
AlternateDataStreams: C:\ProgramData:gs5sys
AlternateDataStreams: C:\Users\All Users:gs5sys
AlternateDataStreams: C:\Users\Chuck:gs5sys
AlternateDataStreams: C:\ProgramData\Application Data:gs5sys
AlternateDataStreams: C:\Users\Chuck\Application Data:gs5sys
AlternateDataStreams: C:\Users\Chuck\Cookies:gs5sys
AlternateDataStreams: C:\Users\Chuck\Local Settings:gs5sys
AlternateDataStreams: C:\Users\Chuck\Templates:gs5sys
AlternateDataStreams: C:\Users\Chuck\AppData\Local:gs5sys
AlternateDataStreams: C:\Users\Chuck\AppData\Roaming:gs5sys
AlternateDataStreams: C:\Users\Chuck\AppData\Local\Application Data:gs5sys
AlternateDataStreams: C:\Users\Chuck\AppData\Local\History:gs5sys
AlternateDataStreams: C:\Users\Chuck\Documents\desktop.ini:gs5sys
AlternateDataStreams: C:\Users\Public\Documents\desktop.ini:gs5sys
REBOOT:
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.


TempFileCleaner


Please download TFC by OldTimer to your desktop

- Please double-click TFC.exe to run it. (Note: if you are running Vista, right-click on the file and choose Run As Administrator.)
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Re-check / FRST Scan


Re-run FRST64 . . .

- Double-click to run it and press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
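
As an added illustration of how the fixlist above is put together (this is not code from the thread, from magna86, or from FRST's author), the Python script below applies the indicators targeted in that fixlist (the sweetpacks.com search hijack, the Spigot and Pando install directories, the gs5sys alternate data stream, and MountPoints2 removable-media autorun entries) to FRST log lines and wraps the hits in FRST's Start/End fixlist format. The log lines are constructed samples and the function and pattern names are my own.

```python
import re

# Constructed sample FRST log lines (not a real log from this thread); they mirror
# the kinds of entries the helper copied into the fixlist above.
SAMPLE_LOG = """\
SearchScopes: HKCU - DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}
CHR HKLM-x32\\...\\Chrome\\Extension: [mhkaekfpcppmmioggniknbnbdbcigpkk] - C:\\Program Files (x86)\\Common Files\\Spigot\\GC\\coupons_2.4.crx [2013-04-26]
CHR Extension: (Google Docs) - C:\\Users\\Chuck\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake [2013-04-01]
AlternateDataStreams: C:\\Users\\Chuck\\AppData\\Local:gs5sys
AlternateDataStreams: C:\\Users\\Chuck\\Documents\\desktop.ini:Zone.Identifier
HKU\\S-1-5-21-3399705442-796983185-888733733-1000\\...\\MountPoints2: {5e98699c-01e5-11e3-bb41-bc5ff45bbd7e} - H:\\TL-Bootstrap.exe
"""

# Indicators drawn from this thread: the SweetPacks hijack domain, the Spigot /
# Pando install directories, and the gs5sys stream name the helper removed.
PUP_DOMAINS = ("sweetpacks.com",)
PUP_PATH_FRAGMENTS = ("\\spigot\\", "\\pando networks\\", "updater by sweetpacks")
SUSPECT_STREAMS = ("gs5sys",)

# "URL = http://host/..." (forums often defang this to hxxp://, so accept both)
URL_RE = re.compile(r"URL = h(?:xx|tt)ps?://([^/\s]+)", re.I)
ADS_RE = re.compile(r"^AlternateDataStreams: (.+):([^:\\]+)$")
MOUNT_RE = re.compile(r"\\MountPoints2: \{[0-9a-f-]+\} - [A-Z]:\\", re.I)

def classify(line):
    """Return why a log line belongs in the fixlist, or None if it looks benign."""
    m = URL_RE.search(line)
    if m and any(m.group(1).lower().endswith(d) for d in PUP_DOMAINS):
        return "search/homepage points at PUP domain"
    if any(frag in line.lower() for frag in PUP_PATH_FRAGMENTS):
        return "loads from PUP install directory"
    m = ADS_RE.match(line)
    if m and m.group(2) in SUSPECT_STREAMS:
        return "suspect alternate data stream"
    if MOUNT_RE.search(line):  # autorun handlers for removable media, removed wholesale above
        return "removable-media autorun (MountPoints2)"
    return None

def triage(log_text):
    """Map each flagged log line to its reason; benign lines are dropped."""
    hits = {}
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits[line] = reason
    return hits

def build_fixlist(log_text):
    """Wrap the flagged lines in FRST's Start/End markers, as in the fixlist above."""
    return "Start\n" + "\n".join(triage(log_text)) + "\nEnd\n"
```

The indicator lists are deliberately narrow; on a real log, extend them only with entries that were actually confirmed as unwanted, since FRST deletes whatever the fixlist names.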

Here is the FRST after adding Pando and Spigot back to msconfig

And here is the fix file; it had to restart the computer, which it did automatically.

And here is the final FRST you asked for after TFC ran.

Hi 20Chuck02,

This fix shall contain two steps. First we will tell FRST to target malware, and then we will perform additional cleaning using ComboFix. At the end we're running a re-scan.


FRST’s FixList


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Start
C:\Windows\SysWOW64\AI_RecycleBin
C:\Program Files (x86)\Common Files\Spigot
C:\Program Files\Updater By SweetPacks
C:\Users\Chuck\AppData\Local\Temp\10d2ca4a-28d7-4d81-8c1e-dc42bb6c83fc\CliSecureRT64.dll
HKLM-x32\...\Run: [SearchSettings] - "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
FF HKLM\...\Firefox\Extensions: [{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}] - C:\Program Files\Updater By SweetPacks\Firefox
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.


ComboFix


  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with ComboFix.
    If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

- Right-click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


  3. Run ComboFix. Click on I Agree!

  - ComboFix will display a DISCLAIMER of warranty on software. By clicking I Agree, ComboFix shall continue.
  - ComboFix will check if there is a newer version of ComboFix available. Click Yes if prompted to download.
  - If Recovery Console is not installed, ComboFix will offer download & installation. Click Yes to allow ComboFix to install Recovery Console.
  - ComboFix will scan your computer in stages, a total of 50 stages. Do not mouse-click around while ComboFix is running.
    Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart your computer.

  4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
    Attach the log report (ComboFix.txt) back to the topic.
    ComboFix shall also create an additional log. Please attach it to your reply:
    C:\Qoobox\ComboFix-quarantined-files.txt

Re-check . .


Re-run FRST64 . .

- Double-click to run it.
- Under Optional Scan, ensure "Addition.txt" is ticked.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The tool shall create another log (Addition.txt). Please attach it to your reply as well.

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

- Type CliSecureRT64.dll;rsa64.dll into the Search: field in FRST, then click the Search File(s) button.
- FRST will search your computer for the files and, when finished, it will produce a log (Search.txt) in the same directory the tool is run from.
- Please attach it to your reply.

FRST’s FixList

ComboFix

Re-check . .

Hi 20Chuck02,

This looks promising. How is the computer running now?

Btw, my uninstall instruction for 'Torchlight 2' isn't valid. It's my bad search. I apologize.

This is how I see the online game, re-install should save the day.

Haven't had any avast alerts at all, and I was wondering about Torchlight 2 as well, but it's no big deal; it can be re-installed. I myself haven't played it in such a long time. Thank you so much for this help, you are the best!

Cool. :slight_smile:

The following will implement some post-cleanup procedures:

It is necessary to uninstall ComboFix :

- Click Start, then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

- In the line of text, type in (or copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

- Then click OK (or press Enter).

Wait for the uninstall process to complete.

=> Please download DelFix by Xplode to your Desktop.

Run the tool and tick the following boxes:

[x] Remove disinfection tools
[x] Create registry backup
[x] Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

I recommend you keep Malwarebytes and use MCShield if you wish.
You may download MCShield from the following links:

MyCity - Official download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will immediately clean the flash drive, memory card or external HDD.

Will install that program, and thank you again for all your help, sir!

:wink: