Talk about a pain in the arse I’ve tried so many things and have had this for a month or two.
Thank you!
Hello,
Scan with ZOEK
Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
[*]Right-click on the ZOEK icon and select Run as Administrator to start the tool.
[*]Wait patiently until the main console will appear, it may take a minute or two.
[*]In the main box please paste in the following script:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;
[*]Make sure that Scan All Users option is checked.
[*]Push Run Script and wait patiently. The scan may take a couple of minutes.
[*]When the scan completes, a zoek-results logfile should open in notepad.
[*]If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)
Post its content into your next reply.
Reboot was required. Rebooted and zoek results:
Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Amy on 26/06/2015 at 12:53:05.05.
Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Amy\Desktop\zoek.exe [Scan all users] [Script inserted]
==== Older Logs ======================
C:\zoek-results2015-06-10-085814.log 37372 bytes
==== System Restore Info ======================
26/06/2015 12:54:14 PM Zoek.exe System Restore Point Created Successfully.
==== Empty Folders Check ======================
C:\PROGRA~2\Lavasoft deleted successfully
C:\PROGRA~3\Lavasoft deleted successfully
C:\Users\Amy\AppData\Local\Lavasoft deleted successfully
C:\Users\Amy\AppData\Local\VirtualStore deleted successfully
==== Deleting CLSID Registry Keys ======================
==== Deleting CLSID Registry Values ======================
==== Deleting Services ======================
==== Batch Command(s) Run By Tool======================
==== Deleting Files \ Folders ======================
C:\PROGRA~2\Lavasoft not found
==== Firefox Extensions Registry ======================
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
“wrc@avast.com”=“C:\Program Files\AVAST Software\Avast\WebRep\FF” [11/05/2015 07:42 PM]
==== Chromium Look ======================
Google Chrome Version: 43.0.2357.130
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
eofcbnmajmjmplflapaojjnihcjkigck - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx[11/05/2015 07:42 PM]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[11/05/2015 07:42 PM]
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
bmkckgpgekmanipelfidlhmkfcjicion - No path found
Avast Online Security - Amy\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki
Chrome Hotword Shared Module - Amy\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
==== Chromium Startpages ======================
C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\Preferences
84468217.apps.googleusercontent.com",“scopes”:[“https://www.googleapis.com/auth/sierra",“https://www.googleapis.com/auth/sierrasandbox”,“https://www.googleapis.com/auth/chromewebstore”,“https://www.googleapis.com/auth/chromewebstore.readonly”]},“permissions”:[“identity”,“webview”,“https://wallet.google.com/”,“https://wallet-web.sandbox.google.com/”,“https://www.google.com/”,“https://www.googleapis.com/*”],“update_url”:“https://clients2.google.com/service/update2/crx”,“version”:“0.1.1.0”},“path”:“nmmhkkegccagdldgiimedpiccmgmieda\\0.1.1.0_0”,“preferences”:{},“regular_only_preferences”:{},“running”:false,“state”:1,“was_installed_by_default”:true,“was_installed_by_oem”:false},“pafkbggdmjlpgkdkcbjmhmfcdpncadgh”:{“active_permissions”:{“api”:[“alarms”,“gcm”,“identity”,“metricsPrivate”,“notifications”,“storage”,“tabs”,“webstorePrivate”],“explicit_host”:[“*://*.google.com/*”,“*://*.gstatic.com/*”,“https://*.googleapis.com/*”,“https://*.googleusercontent.com/*”],“manifest_permissions”:[]},“commands”:{},“content_settings”:[],“creation_flags”:1,“events”:[“alarms.onAlarm”,“gcm.onMessage”,“identity.onSignInChanged”,“notifications.onButtonClicked”,“notifications.onClicked”,“notifications.onClosed”,“notifications.onPermissionLevelChanged”,“notifications.onShowSettings”,“runtime.onInstalled”,“runtime.onStartup”,“runtime.onSuspend”,“storage.onChanged”],“from_bookmark”:false,“from_webstore”:false,“incognito_content_settings”:[],“incognito_preferences”:{},“initial_keybindings_set”:true,“install_time”:“13079613429688349”,“location”:5,“manifest”:{“background”:{“persistent”:false,“scripts”:[“utility.js”,“cards.js”,“background.js”]},“description”:"Integrates Google Now into 
Chrome.”,“icons”:{“128”:“images/icon128.png”,“16”:“images/icon16.png”,“48”:“images/icon48.png”},“key”:“MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkhqJr32OFD/bMXW4Md7jMfd7LbwHXVc6x5bBQG5U+dloofoxrICDR20yur/40mQ8O//0sS1b8srvbab1CRlSrxoNCr9T80NAkfzx0gHyVS+p1Zow+1FzLMu9PiGwwFyN80HIB7GI/dIa0wC9K/2OrrzcHEhVH96DacTtWQqjfDVtZPjT7Xwv23dgoWcpbkRC86jMJot3dmX9xnn0KzoVc9gDOHSIkBLbkkr6Sp3LGXCCM4L0DJgxdFwaLr5WBzgC3y5x0/wwPIwN4PtIaK3BhH6njlksfnKwwIJ9iRT41V4BqbWu4mszO/7VJ3HJyw2DBpIc2grU9ZRRxrV3fRQG4wIDAQAB”,“manifest_version”:2,“name”:“Google Now”,“oauth2”:{“auto_approve”:true,“scopes”:[“https://www.googleapis.com/auth/gcm",“https://www.googleapis.com/auth/googlenow”]},“optional_permissions”:[“background”],“permissions”:[“alarms”,“gcm”,“identity”,“metricsPrivate”,“notifications”,“storage”,“tabs”,“webstorePrivate”,“*://*.google.com/*”,“*://*.gstatic.com/*”,“https://*.googleapis.com/chromenow/v1/*”,“https://*.googleapis.com/gcm/*”,“https://*.googleusercontent.com/*”],“version”:“1.2.0.1”},“path”:"C:\\Program Files 
(x86)\Google\Chrome\Application\43.0.2357.130\resources\google_now”,“preferences”:{},“regular_only_preferences”:{},“state”:1,“was_installed_by_default”:false,“was_installed_by_oem”:false}}},“pinned_tabs”:,“protection”:{“macs”:{“browser”:{“show_home_button”:“FEB9EA9DB055C3474F5BC7AE612AACB6C8F6DD01170A90C3CE092E48A28A5994”},“default_search_provider”:{“keyword”:“ED7B12A8E974B3100BCF05DEF189C40739BAD91EA3565EBA7F0C04E3F2B283A6”,“name”:“0296A15810AE2171BFD886C61F7C999F96B912C000B797A30EF49704FBE5477E”,“search_url”:“315C93A94D3E92C0A572B426973E482232719FEAD196B63A59898A99998DA01E”},“default_search_provider_data”:{“template_url_data”:“FB39ADE1115D00370827DDB7894C6CCFEF153C255CE8978AFC9CA5C81AB42F9B”},“extensions”:{“settings”:{“ahfgeienlihckogmohjhadlkjgocpleb”:“7E825CE739CDA40594D01ED576D6B9A31EA0C0C3937AE373971325D0D8072AB8”,“bepbmhgboaologfdajaanbcjmnhjmhfn”:“9F030233430EB724E1E971BB94DCE627BBD5869964A35B64DEF504D181389127”,“bmkckgpgekmanipelfidlhmkfcjicion”:“FEE52F78C97C97A80C48823D9F3BEFFC0CCBBAA0DCE03C359C8AAC6DF2908035”,“eemcgdkfndhakfknompkggombfjjjeno”:“89BDA2907EEE1AF8E3F94BD418077FCEF4CCC711C764A53102E0B3FFE7D98D7B”,“ennkphjdgehloodpbhlhldgbnhmacadg”:“CD2A5C5F9755ED0CBE0B34BF63873D7674D9FD477238FFB1E6B933CC616E48D5”,“eofcbnmajmjmplflapaojjnihcjkigck”:“F618E78191DD6F647993416BC9066A0B85B9ECBD7218A72762286D490469E5D9”,“gfdkimpbcpahaombhbimeihdjnejgicl”:“2B326F2B769E863711D987A4FD1FC12BCC00AB027163D961E2D8460EC5E52FAB”,“gomekmidlodglbbmalcneegieacbdmki”:“58231CD276EED0314A6D6181303AA14C83DE7B801782B3BF159E2D1F603161E5”,“kmendfapggjehodndflmmgagdbamhnfd”:“49A43D37869A5D8A7FFC4602E634279BD45EA037A7D65FB405FFB1C55139D8A7”,“lccekmodgklaepjeofjdjpbminllajkg”:“0DC370CD37A08AE753C674E97F979BB16D6D10EC19B51BDD9B4EC8D9C39A1F14”,“mfehgcgbbipciphmccgaenjidiccnmng”:“CC389D5D922BF357DD11E02377BD452AAF0E10B318FC294F94F087AC448AA4BE”,“mfffpogegjflfpflabcdkioaeobkgjik”:“6F3D1C7D622E7E20C9D8803C8F43AA8B7EB8B8D47FA9C8D82ECE8B3CCCC8397E”,“mgndgikekgjfcpckkfioiadnlibdjbkf”:“C87526F96D
3F48B9BBAFBEB7C5213D030819CB732E6F2CA7112706B649895EA9”,“mhjfbmdgcfjbbpaeojofohoefgiehjai”:“C395E28F8336FF59951F877F990627071EA1F71495EC74FC8A0C57C4F6580943”,“nbpagnldghgfoolbancepceaanlmhfmd”:“64E03B8172B6D3D230DE991F0B11926A7B9ED630CF84F49A6A847EF5C6073BFA”,“neajdppkdcdipfabeoofebfddakdcjhd”:“2D47D832D0C08379EDDB4202F135CD9F307CA0AD586FA78DAD24A08687645CC4”,“nkeimhogjdpnpccoofpliimaahmaaome”:“3E5077C7615095DB0BD9F3A952FC1DA1E35C2D5D14E8A39DA2CFEEB8A230EA77”,“nmmhkkegccagdldgiimedpiccmgmieda”:“32DA357B37A4094619FCBDAE32E5AC2FF377AD7EB3F9DEE35EC2E9908ABA805F”,“pafkbggdmjlpgkdkcbjmhmfcdpncadgh”:“FA6C8BC0543131D88982AC7425C22541EB38A6CEAD779A4C76FF2ACABA2CFE65”}},“google”:{“services”:{“last_username”:“7B9DD60A215DF097D7E7DDF2E5767FBF40846F8EB8B530960FEC29F69EFC21A7”,“username”:“D6EE58F54DBC5C39D59E85FA51E70FA20805B4EADECAAC7F578AB9B430BCF6E0”}},“homepage”:“95CFBF0F643D2313AFD10AB2A243EF204991C4EDC39D027B43978E59BD64D12E”,“homepage_is_newtabpage”:“46691A3C6A57C132287A9617F1BBA3F74F089C4AE7C949D7C86CAA37F3E45572”,“pinned_tabs”:“CF2DACCE0BDC6B2F3B2F59C80E7B3D0B8B069D1D223CABDBD9EDBE7D81191CA5”,“prefs”:{“preference_reset_time”:“CD0A98AFEB3C0A6BB1CBCEBB505EE9824F94D9C423788E3D5A02AFD5F3817812”},“profile”:{“reset_prompt_memento”:“CC193A42267BC18CAE7C0BB6405EFB4F5146D5797DA87EE35F30A75C041F0FA9”},“safebrowsing”:{“incidents_sent”:“DD099DBEB8421D84C80F22CEA26D6B35DA2DB12FA54DE7B85BC88684C7E1F721”},“search_provider_overrides”:“6BA4A09FFCB243FCFAA916301814CD5020D7488AAED27AD31767926B1E34C715”,“session”:{“restore_on_startup”:“2F002CDDFF2646F714D21F9BD97E0536067AAE1B0CED3091A21A37CB72BC4B22”,“startup_urls”:“DD53956712859EA500520EA79141B224F7526BE0761C6ECA7E7BB82C30CD1BAB”},“software_reporter”:{“prompt_reason”:“74DADD450256ECFA470AEB2391EFC969379092FDEDF3B427133902270B360BFB”,“prompt_seed”:“8CE91E8A0D723B7AF6E3B3A4FC30240FB5322D6552AAB8010E61533D673E3826”,“prompt_version”:“AB4267D70E440B2878D3567157B7C79F3DEFD1DCE9908836D0362548BEDF9C16”},“sync”:{“remaining_rollback_tries”:“EAE87BD
7CB1B527820CBDD45896EEFC3701D69CC47A58DA96A78E34F5D2356FC”}},“super_mac”:“B515074A87FD432FB106CB5B57700987287E8C56845183F00B3CAE936E7DB55A”}}
==== Chromium Fix ======================
C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.azlyrics.com_0.localstorage deleted successfully
C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.azlyrics.com_0.localstorage-journal deleted successfully
C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.metrolyrics.com_0.localstorage deleted successfully
C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.metrolyrics.com_0.localstorage-journal deleted successfully
==== Set IE to Default ======================
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Old Start Page”=“http://go.microsoft.com/fwlink/?LinkId=69157”
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Old Start Page”=“http://go.microsoft.com/fwlink/?LinkId=69157”
==== All HKCU SearchScopes ======================
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
“DefaultScope”=“{0633EE93-D776-472f-A0FF-E1416B8B2E3A}”
{012E1000-F331-11DB-8314-0800200C9A66} Google Url=“http://www.google.com/search?q={searchTerms}”
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url=“http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC”
==== Empty IE Cache ======================
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Amy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Amy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0H0AJZ31 will be deleted at reboot
C:\Users\Amy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H2DP3F6T will be deleted at reboot
C:\Users\Amy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LG3SA8B9 will be deleted at reboot
C:\Users\Amy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O762UAZ8 will be deleted at reboot
==== Empty FireFox Cache ======================
No FireFox Profiles found
==== Empty Chrome Cache ======================
C:\Users\Amy\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
==== Empty All Flash Cache ======================
Flash Cache is not empty, a reboot is needed
==== Empty All Java Cache ======================
No Java Cache Found
==== C:\zoek_backup content ======================
C:\zoek_backup (files=41 folders=17 83335640 bytes)
==== Empty Temp Folders ======================
C:\Users\Amy\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
==== After Reboot ======================
==== Empty Temp Folders ======================
C:\Windows\Temp successfully emptied
C:\Users\Amy\AppData\Local\Temp successfully emptied
==== Empty Recycle Bin ======================
C:$RECYCLE.BIN successfully emptied
==== Deleting Files / Folders ======================
“C:\Users\Amy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0H0AJZ31” not found
“C:\Users\Amy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H2DP3F6T” not found
“C:\Users\Amy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LG3SA8B9” not found
“C:\Users\Amy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\O762UAZ8” not found
“C:\Users\Amy\AppData\Roaming\Macromedia\Flash Player#SharedObjects\VUQ82N48\cdn.livestream.com” not found
“C:\Users\Amy\AppData\Roaming\Macromedia\Flash Player#SharedObjects\VUQ82N48\static.xvideos.com” not found
==== EOF on 26/06/2015 at 13:13:19.53 ======================
Got the error again as soon as I opened chrome:
URL: http://bestdriverstar.net/4242/PathGeneration_142669364703102.dll
Infection: URL:Mal
Process: C:\Windows\System32\svchost.exe
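The zoek-results log above is plain text divided into "==== Section ====" blocks, and the two parts a responder reads first are the Chrome extensions registered in the registry (with whether the tool could map each ID to a .crx on disk) and the IE SearchScopes that decide the default search engine. The following Python script is an added example for reading such logs; it is not part of the thread and not Zoek's own code. The SAMPLE text is a constructed excerpt modelled on the posted log, and all function names (parse_sections, chrome_extensions, unresolved_extensions, ie_search_scopes, default_search_engine) are this example's own.

```python
"""Parse a Zoek results log into its '==== Section ====' blocks and pull out
the browser-configuration facts worth reviewing first.  Added example, not
Zoek's own code.  SAMPLE below is a constructed excerpt modelled on the log
posted in the thread (straight quotes, as the real log uses)."""
import re

SAMPLE = """\
Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Amy on 26/06/2015 at 12:53:05.05.
==== Chromium Look ======================
Google Chrome Version: 43.0.2357.130
HKEY_LOCAL_MACHINE\\SOFTWARE\\Google\\Chrome\\Extensions
eofcbnmajmjmplflapaojjnihcjkigck - C:\\Program Files\\AVAST Software\\Avast\\WebRep\\Chrome\\aswWebRepChromeSp.crx[11/05/2015 07:42 PM]
HKEY_CURRENT_USER\\SOFTWARE\\Google\\Chrome\\Extensions
bmkckgpgekmanipelfidlhmkfcjicion - No path found
==== All HKCU SearchScopes ======================
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
==== EOF on 26/06/2015 at 13:13:19.53 ======================
"""

SECTION_RE = re.compile(r"^==== (.+?)\s*=+\s*$")
EXT_RE = re.compile(r"^([a-p]{32}) - (.*)$")        # Chrome IDs: 32 chars, a-p only
HIVE_RE = re.compile(r"^HKEY_[A-Z_]+\\")
SCOPE_RE = re.compile(r'^(\{[0-9A-Fa-f-]{36}\}) (.+?) Url="(.*)"$')
DEFAULT_RE = re.compile(r'^"DefaultScope"="(\{[0-9A-Fa-f-]{36}\})"$')


def parse_sections(text):
    """Return {section title: [lines]}; lines before the first header go under 'Header'.
    Curly quotes (as produced by copy/paste into a forum) are normalised first."""
    text = text.replace("\u201c", '"').replace("\u201d", '"')
    sections = {"Header": []}
    current = "Header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        else:
            sections[current].append(line.rstrip())
    return sections


def chrome_extensions(sections):
    """List (hive, extension id, path) from the 'Chromium Look' section.
    Path is None where Zoek printed 'No path found'; the trailing [timestamp] is dropped."""
    out = []
    hive = None
    for line in sections.get("Chromium Look", []):
        if HIVE_RE.match(line):
            hive = line.split("\\", 1)[0]          # e.g. HKEY_LOCAL_MACHINE
            continue
        m = EXT_RE.match(line)
        if m and hive:
            ext_id, rest = m.groups()
            path = None if rest.startswith("No path found") else re.sub(r"\[.*\]$", "", rest)
            out.append((hive, ext_id, path))
    return out


def unresolved_extensions(sections):
    """Extension IDs registered in the registry that Zoek could not map to a .crx on disk.
    These are the ones to look up by ID before deciding they are benign leftovers."""
    return [ext_id for _, ext_id, path in chrome_extensions(sections) if path is None]


def ie_search_scopes(sections):
    """Return (default scope GUID, {GUID: (name, url)}) from the SearchScopes section."""
    default = None
    scopes = {}
    for line in sections.get("All HKCU SearchScopes", []):
        m = DEFAULT_RE.match(line)
        if m:
            default = m.group(1)
            continue
        m = SCOPE_RE.match(line)
        if m:
            guid, name, url = m.groups()
            scopes[guid] = (name, url)
    return default, scopes


def default_search_engine(sections):
    """Name of the scope the DefaultScope GUID points at, or None if it is dangling."""
    default, scopes = ie_search_scopes(sections)
    return scopes[default][0] if default in scopes else None


if __name__ == "__main__":
    secs = parse_sections(SAMPLE)
    print("sections:", list(secs))
    for hive, ext_id, path in chrome_extensions(secs):
        print(f"{hive}: {ext_id} -> {path}")
    print("unresolved:", unresolved_extensions(secs))
    print("IE default search:", default_search_engine(secs))
```

Running it on the full log instead of SAMPLE is a matter of reading the file into parse_sections; the "unresolved" list is where a review starts, since an ID with no .crx on disk is either a harmless leftover from an uninstalled extension or a registry entry that something keeps re-creating.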
Scan with Farbar Recovery Scan Tool
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
[*]Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Make sure that Addition option is checked.
[*]Press Scan button and wait.
[*]The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content into your next reply.
Trying to figure out how to attach them since they’re too long to copy and paste
(see below)
https://docs.google.com/a/mtroyal.ca/document/d/1W4B_LTx6iVkyxcdo_RwIzHbc0DRSnIO6poTvbCR3TpI/edit?usp=sharing
https://docs.google.com/a/mtroyal.ca/document/d/1KFiiwrECQJaBrBtvk6ENvGP37EPpnHSE1vMzUjZT5hs/edit?usp=sharing
uploaded them
There is an Attachments option below.
attached
Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.
Download attached fixlist.txt file and save it to the Desktop:
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
[*]Right-click on the FRST icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please attach it to your reply.
attached
Good. How is the situation now?
Awesome! Thanks so much! I have been delaying replying because I thought as soon as I did it would come back ahaha I think it’s safe to say it is gone now! Thank you!
Cheers
Post-cleanup procedures:
Download DelFix by Xplode and save it to your desktop.
[*]Run the tool by right-clicking on the DelFix icon and selecting the Run as administrator option.
[*]Make sure that these ones are checked:
[*]Remove disinfection tools
[*]Purge system restore
[*]Reset system settings
[*]Push Run and wait until the tool completes its work.
All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.