URL:mal Popping out constantly..

Hi,

I need help xD. 2-3 days ago I somehow infected my PC with PLATINUM SECURITY LIVE, and I think I removed it using Malwarebytes, but not fully, for the following reasons.

Avast is constantly popping up with this message:

http://www.image-upload.net/di/G1S6/edhem.jpg

And Malwarebytes is also showing this:

http://www.image-upload.net/di/OHQ3/avasat2.jpg

But every time another IP…

I tried tds and Combofix because I read here on the forum that they can fix this… but they didn’t…

It is very dangerous to run removal tools without the appropriate knowledge or assistance from a specialist. Doing so you agreed to the terms and risked a non-bootable PC. To get proper assistance, follow the instructions here → http://forum.avast.com/index.php?topic=53253.0 and attach specified logs in your next post.

Additionally attach both TDSSKiller and Combofix logs

Ok attached :slight_smile:

I should be able to clear this from OTL

OTL ??

Please help me and guide me on how to fix this

He needs your logs first…!! :wink:
See the link in Reply #1 how to get them…

Ok sending log soon :smiley:

And the link for downloading OTL doesn't work, please correct the link in thread http://forum.avast.com/index.php?topic=53253.0

Ok here it is OTL Log attached! Please help

Let me know if this stops it

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
FF - prefs.js..network.proxy.ftp: "173.208.176.145"
FF - prefs.js..network.proxy.ftp_port: 55555
FF - prefs.js..network.proxy.gopher: "173.208.176.145"
FF - prefs.js..network.proxy.gopher_port: 55555
FF - prefs.js..network.proxy.http: "173.208.176.145"
FF - prefs.js..network.proxy.http_port: 55555
FF - prefs.js..network.proxy.socks: "173.208.176.145"
FF - prefs.js..network.proxy.socks_port: 55555
FF - prefs.js..network.proxy.ssl: "173.208.176.145"
FF - prefs.js..network.proxy.ssl_port: 55555
FF - prefs.js..network.proxy.type: 0
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
[2012.08.10 11:45:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Velic\Application Data\b368dbc8e10967b0f90a5b6037a9743891deea09
[2012.08.10 11:42:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Velic\Application Data\log
[2012.08.08 15:30:59 | 000,387,584 | ---- | C] (Microsoft) -- C:\Documents and Settings\Velic\Desktop\YtBot.exe
[2012.08.06 01:30:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\036DFF980058F18B00001C817B07D287
[2012.08.01 15:42:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Velic\Desktop\bot
[2012.08.02 14:20:11 | 000,119,068 | ---- | M] () -- C:\Documents and Settings\Velic\Desktop\yt2.rar
[2012.08.02 14:16:12 | 000,086,617 | ---- | M] () -- C:\Documents and Settings\Velic\Desktop\yt.rar
[2012.08.01 15:42:21 | 000,147,573 | ---- | M] () -- C:\Documents and Settings\Velic\Desktop\bot.rar

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
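
The `:OTL` section of the fix above targets Firefox `network.proxy.*` entries in prefs.js. As an added example (not part of the original thread and not the helper's own tooling), this Python sketch audits prefs.js text for non-local proxy hosts and reports whether manual proxy mode (type 1) is in effect or the entries are leftovers, as with the type 0 shown in the fix. The function names and the sample file content are constructed for illustration.

```python
import re

# Matches Firefox prefs.js lines of the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
PROXY_RE = re.compile(r"network\.proxy\.(ftp|gopher|http|socks|ssl)")
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}
MANUAL = 1  # network.proxy.type: 0 = direct, 1 = manual proxy configuration

def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and anything that is not a user_pref call
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs

def audit_proxy(prefs):
    """List (protocol, host, port, state) for each non-local proxy host."""
    state = "active" if prefs.get("network.proxy.type") == MANUAL else "dormant"
    findings = []
    for name, host in sorted(prefs.items()):
        m = PROXY_RE.fullmatch(name)
        if m and isinstance(host, str) and host.lower() not in LOCAL_HOSTS:
            findings.append((m.group(1), host, prefs.get(name + "_port"), state))
    return findings

# Constructed sample; 192.0.2.10 is a documentation-range address.
SAMPLE = '''// constructed prefs.js excerpt
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.http", "192.0.2.10");
user_pref("network.proxy.http_port", 55555);
user_pref("network.proxy.ssl", "192.0.2.10");
user_pref("network.proxy.ssl_port", 55555);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.type", 0);
'''

if __name__ == "__main__":
    for finding in audit_proxy(parse_prefs(SAMPLE)):
        print(finding)
```

A "dormant" finding means the host entries are present but manual proxy mode is not selected; they are still worth clearing so they cannot take effect if the type is later changed.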

Ok here is log :slight_smile:

Also noticed some stuff from the desktop was moved to C:

Are the alerts still present?

Yes it is, but only when I use my software… It does not appear when I’m working on other stuff, just when I use specific software.

What software causes the alert? Could you attach a screenshot of it?

It’s my private software, a coder made it for me…

Is it also a website that you know… If so there is nothing I can do as long as you keep that software