URL Mal Help Needed

Hi,

I’ve recently been getting avast pop ups saying that Web Shield has blocked a harmful webpage or file. The object is https://codegv.ru. This occurs on any webpage I browse either through Chrome or Firefox.

I’ve followed the instructions on https://forum.avast.com/index.php?topic=53253.0 and have attached my logs for MBAM, FRST and aswMBR.

Any help will be appreciated.

Thanks

Let me know if this stops it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

HKU\S-1-5-21-2007394059-1171290527-3003554070-1000\...\Run: [AceStream] => C:\Users\Andy\AppData\Roaming\ACEStream\engine\ace_engine.exe [27904 2014-09-25] () FF NetworkProxy: "http", "220.69.189.39" FF NetworkProxy: "http_port", 2301 FF Plugin-x32: @pages.tvunetworks.com/WebPlayer -> C:\Windows\system32\TVUAx\npTVUAx.dll No File FF Plugin HKCU: @acestream.net/acestreamplugin,version=2.1.10.2 -> C:\Users\Andy\AppData\Roaming\ACEStream\player\npace_plugin.dll (Innovative Digital Technologies) FF Extension: TS Magic Player - C:\Users\Andy\AppData\Roaming\ACEStream\extensions\firefox\magicplayer@torrentstream.org [2013-11-23] CHR Extension: (Magic Player) - C:\Users\Andy\AppData\Local\Google\Chrome\User Data\Default\Extensions\kpckgflgdapkpabemgkielbefdildaio [2014-10-04] 2014-10-05 22:04 - 2014-10-06 00:19 - 00000000 ___HD () C:\_acestream_cache_ C:\Users\Andy\AppData\Roaming\ACEStream CMD: netsh advfirewall reset CMD: netsh advfirewall set allprofiles state ON CMD: ipconfig /flushdns CMD: netsh winsock reset catalog CMD: netsh int ip reset c:\resetlog.txt CMD: ipconfig /release CMD: ipconfig /renew

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

Hi essexboy,

Thanks for your response. Unfortunately it didn’t work and I’m still getting avast pop ups on chrome. However it has stopped on firefox.

I’ve attached the fixlog.

That is because some numpty (moi) left an extension on Chrome that I meant to kill

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CHR Extension: (AS Magic Player) - C:\Users\Andy\AppData\Local\Google\Chrome\User Data\Default\Extensions\mfhnkgpdlogbknkhlgdjlejeljbhflim [2014-10-06] EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

Ok ran fixlist and chrome is still popping up with URL Mal.

attached fixlog.

Thanks for all your help so far

Do you have an Acestreaming addon in chrome ? Could you disable that please

Also could you run a fresh FRST scan please

Hi essexboy,

yes I do have ace stream addon in chrome. i’ve just disabled it.

new FRST logs attached.

cheers

Could you confirm that the alerts stopped after that

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CHR HKCU\...\Chrome\Extension: [kpckgflgdapkpabemgkielbefdildaio] - C:\Users\Andy\AppData\Roaming\ACEStream\extensions\chrome_new\magicplayer.crx []

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

That seems to have done the trick.

not seeing anymore pop ups from avast.

fixlog attached

is there anything else i need to do?

Nope, just I need new glasses as I missed those two elements :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:

hi essexboy,

i thought i was in the clear, but for some reason, i’m now getting random pop ups from avast still telling me about this url mal on chrome.

should i do another FRST scan?

Do you have synch on chrome ? If so it is being re-installed every time you sign in.

Yes a fresh FRST will enable me to remove it

yes, by default chrome had apps and extensions synced. i have now unchecked these in the settings.

i re-downloaded FRST 64 bit version and tried to run it, but it came up with an error message saying that it was not valid Win32 application even though i’m running 64 bit. also tried downloading through incognito mode and still the same issue.

interestingly avast is now popping up with a message saying it’s blocked a harmful file from the FRST download page. snapshot attached.

is there a way to get around this?

Yes temporarily disable Avast whilst you download FRST.

ok thanks that worked

fresh FRST scan logs attached

Hmm it is showing in FF now but not chrome

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File FF HKCU\...\Firefox\Extensions: [magicplayer@torrentstream.org] - C:\Users\Andy\AppData\Roaming\ACEStream\extensions\firefox\magicplayer@torrentstream.org EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

hi essexboy,

fix log attached. i’ll monitor how things go over the next few days. hopefully it’s gone.

many thanks again for your help. keep up the good work

Once you are happy just delete FRST