Virus favicon.ico

Every time I open bittorrent, it opens the program and also tries to redirect my browser to:
Virus

I tried CCleaner, cleaning temp files, Malwarebytes, but nothing showed up and the redirection to this website still happens.

Any clues?

Hi,

Could you post the screenshot of avast detection? Also, let’s check the system.

FRST’s Primary analysis

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

* Double-click to run it. When the tool opens, click Yes to the disclaimer.
* Press the Scan button.
* It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
* The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

GMER’s AntiRootKit analysis

Please download GMER, the AntiRootKit tool, from the link below and save it to your Desktop:

Gmer download link
Note: the file will be randomly named.

Double-click to run GMER.

* Wait for the initial scan to finish; if there is any query, click No.
* Click the [ Scan ] button and wait until the full scan is complete.
* Click the [ Save … ] button and save the report to the Desktop (named ARK).

Please attach Gmer’s log report (ARK.txt) here.


http://s2.subirimagenes.com/privadas/previo/thump_2179785warning.png

I'm running both programs right now, but just a few seconds after starting GMER, it said “root kit activity”.

Logs in:
http://goo.gl/cYupl2
https://drive.google.com/folderview?id=0Bz8n53qa09MBSDB6cHUtWVFRcjQ&usp=sharing

“Warning !!! GMER has found system modification caused by ROOTKIT activity”

Under the answer box, use the option Attachments and other options to attach it. :wink:

Here they are. Btw, reading about rootkits makes me think that it's almost impossible to be 100% sure they are out.
How do I back up files now? Might I copy corrupted files onto a pen drive?

Hi 125124,

Both FRST and GMER are very powerful, currently the best diagnostic tools; they record and format the generic reports using various techniques and heuristics. They mostly do not know what is legitimate and what is malicious. It is up to an expert to determine whether the recorded entries are related to loaded malicious or legitimate software.

"Warning !!! GMER has found system modification caused by ROOTKIT activity"
GMER has detected the avast!-related drivers (because of their driver behaviour). Of course, the detection is legitimate. There is no rootkit on your system. The GMER log is clean.

Let’s proceed further with the system analysis …

Do you know this program?
AaaaaAAaaaAAAaaAAAAaAAAAA!!! for the Awesome (HKLM-x32.…\Steam App 15560) (Version: - Dejobaan Games, LLC)

PS: I would recommend uninstalling/removing Pando Media Booster from your system. This isn’t malware, it’s a legit tool, so the choice is yours.

Next, you have disabled the “TP-LINK Wireless Configuration Utility” via the MSConfig tool. My recommendation is to take it back.
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^TP-LINK Wireless Configuration Utility.lnk => C:\Windows\pss\TP-LINK Wireless Configuration Utility.lnk.CommonStartup

Next, FRST shows traces of possible USB-malware-related infections. We shall use the MCShield tool to check all USB devices. If malware exists on any USB device, MCShield shall clean it for you and provide future protection.

Next, can you take a look at this folder?
C:\Users\SM\AppData\Roaming\rcru
If the folder is empty (as it should be), you can delete it.

Every time I open bittorrent, it opens the program and also tries to redirect my browser to:
I cannot tell you exactly why avast! detects the bittorrent URL, but judging by the rules, bittorrent is an illegal action, a malicious action. So ...

Btw, the posted FRST and GMER logs don’t show any trace of any malware. The FRST log is clean as well. Your PC is malware free.
As I said before, according to FRST, we should check the USB device, just to make sure.

MCShield’s Scan

Please download MCShield from one of the following links:

MCShield -Official download link

* Double-click on MCShield-Setup to install the application.
Next => I Agree => Next => Install … after installation click on the Run! button.
* Wait a few seconds for MCShield to finish the initial HDD scan…
* Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
* When all scanning is done, you need to post the log report that MCShield has created.

Under the Logs tab (in Control Center), in the AllScans.txt log section, click on the Save button. The AllScans.txt report shall be located on your Desktop.

=> Post AllScans.txt here

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Uninstall

We shall remove the diagnostic tools we used via DelFix.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:

* Remove disinfection tools
* Create registry backup
* Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
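As an added example (not part of the post above, nor code from FRST, GMER, MCShield or DelFix), here is a read-only PowerShell snippet that lists the startup entries MSConfig has disabled, the kind of entry FRST reported above as MSCONFIG\startupfolder, so a reviewer can see what was parked and whether its backup shortcut still exists. It assumes the Windows 7-era layout under HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig and the '^'-for-'\' subkey naming visible in the quoted FRST line.

```powershell
# Added example: list startup entries disabled with MSConfig (Windows 7-era layout).
# MSConfig keeps a disabled item under HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig:
# "startupfolder" for Startup-folder shortcuts (the .lnk is moved to %windir%\pss) and
# "startupreg" for Run-key entries. Subkey names use '^' in place of '\' (assumption
# taken from the FRST line quoted in the thread). Nothing is modified.
$base = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig'

function Get-MsconfigDisabledStartup {
    foreach ($section in 'startupfolder', 'startupreg') {
        $path = Join-Path $base $section
        if (-not (Test-Path $path)) { continue }
        foreach ($key in Get-ChildItem -Path $path) {
            $props = Get-ItemProperty -Path $key.PSPath
            # Collect every string value so no value-name assumptions are needed.
            $details = $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [string] } |
                ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
            [pscustomobject]@{
                Section = $section
                Item    = ($key.PSChildName -replace '\^', '\')
                Details = ($details -join '; ')
            }
        }
    }
}

# Shortcuts MSConfig parked in the pss folder; each should match a startupfolder entry above.
function Get-PssBackups {
    $pss = Join-Path $env:windir 'pss'
    if (Test-Path $pss) { Get-ChildItem -Path $pss -File | Select-Object Name, LastWriteTime }
}

Get-MsconfigDisabledStartup | Format-Table -AutoSize -Wrap
Get-PssBackups | Format-Table -AutoSize
```

An entry with no matching file in %windir%\pss cannot simply be re-enabled from MSConfig and is worth a closer look; an unexpected name in either list is what you would hand to a helper along with the FRST log.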

Before continuing, let me thank you for spending your time and work.

AaaaaAAaaaAAAaaAAAAaAAAAA!!! for the Awesome is a game, but anyhow I just deleted it.

Pando Media Booster is uninstalled now.

TP-LINK Wireless Configuration Utility - My PC wasn’t going to have a network cable, so I bought the TP-LINK wireless adapter, but in the end I managed to get the network through the house, so I disabled it. (Unless you tell me to activate it again knowing this.)

The folder “rcru” is not empty; it has an nprcplugin.dll:
C:\Users\SM\AppData\Roaming\rcru\plugins\nprcplugin.dll

I’m still doing the next steps, but I thought it a good idea to post how it is going.

Here are the last 2 logs; they seem clean, but I still get the warning.

Yes, the MCShield log is clean. As there is no malware on your system nor on your USB devices, we’re finished here.

Regarding the avast! detections, you can ask the avast team about this:
http://www.avast.com/contact-form.php

FRST is seen as malware by Windows 8.1

I am also having the same issue trying to send me to utorrent.inspsearch.com/favicon.ico. I cannot find any reason for this, as Malwarebytes says my system is clean and every time I run a virus scan it comes up clean.

Hi 125124,

C:\Users\SM\AppData\Roaming\rcru\plugins\nprcplugin.dll
nprcplugin.dll is part of the RaidCall module. You may delete it or not, leave it be ... The file is legit, so the choice is yours. ;)

Hi lordmace2001,

FRST is seen as malware by Windows 8.1
Do you mean to say Windows Defender (on Win8.1) sees FRST.exe as a threat? On my Windows 8.1 system I have no detections. Btw, FRST is a legit tool, I guess that's clear, right? :) Could you post a screenshot of that detection?
I am also having the same issue trying to send me to utorrent.inspsearch.com/favicon.ico. I cannot find any reason for this, as Malwarebytes says my system is clean and every time I run a virus scan it comes up clean.
The AV/AM program actually reads the cache, I think, which fires the detection. The same thing applies to you, I'm afraid. It might be a good idea for you as well to use the "contact-form" to resolve this.