URL:Mal Popup for process C:\Windows\System32\rundll32.exe

Hi, I just got the following popup warning from avast:

Object: hxtp://download.newnext.me/spark.bin?rnd=314419664
Infection: URL:Mal
Process: C:\Windows\System32\rundll32.exe

The alarm popped up about 50 times during the last half hour, then suddenly stopped. Before that, it was OK.

I already read other forum posts and they use syswow64. I already downloaded OTL and ADWCleaner. I need help with what the custom script looks like and, of course, the step-by-step to clean it.

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



:OTL
O4 - HKCU..\Run: [NextLive] C:\Users\Aris\AppData\Roaming\newnext.me\nengine.dll (NewNextDotMe)
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qvo6.com/?utm_source=b&utm_medium=cor&utm_campaign=eXQ&utm_content=hp&from=cor&uid=ST500DM002-1BD142_Z3TGF38GXXXXZ3TGF38G&ts=1379551743
IE - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://search.qvo6.com/web/?utm_source=b&utm_medium=cor&utm_campaign=eXQ&utm_content=ds&from=cor&uid=ST500DM002-1BD142_Z3TGF38GXXXXZ3TGF38G&ts=1379551743&type=default&q={searchTerms}
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2431}: "URL" = http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=292&systemid=431&v=n9397-123&apn_uid=4440045440434495&apn_dtid=BND431&o=APN10656&apn_ptnrs=AGH&q={searchTerms}
IE - HKLM\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://websearch.searchere.info/?l=1&q={searchTerms}&pid=298&r=2013/10/02&hid=13327821368439613912&lg=EN&cc=ID&unqvl=37
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No CLSID value found.

:commands
[CREATERESTOREPOINT]
[emptytemp]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

---- > next

Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Sorry Argus to jump in like this.

@nugienoa: Break your active malware link

hxtp://download.newnext.me/spark.bin?rnd=314419664

should look like

hxxp://download.newnext.me/spark.bin?rnd=314419664

anyway no problem