Web Shield harmful webpage blocking notification every five seconds

Basically, from reading other posts, I have this infection that Avast! notifies is blocking webpages such as ruggersneil(sic), rumberger-fom.com, robertolio-green.net, rottover-end, etc… every 10 seconds.

I have OTL scans (Extras and OTL) for review. To anyone on this board: your guidance is most appreciated. Thanks!

We also need Malwarebytes and aswMBR logs

Malware experts are in bed now, but will help you when back online…

Hello and welcome on board, rushdreamtheater,

My name is Machiavelli and I will assist you with your problem.
If you booted into safe mode on your computer then print my instructions!
I’m in the ‘Senior Team of the GeeksToGo Forum’ and will provide you with advice:

Removing Malware from a computer can be very complicated. Malware (malicious software) is able to hide, so I may not be able to find it easily. In order to remove Malware from your computer, you need to follow my instructions carefully. Don’t be worried if you don’t know what to do, just ask me! Please stay in contact with me until the problem is fixed.

Below are a few tips:

[*]Removing Malware is usually very difficult.
We need to search and analyse a lot of files. As this is done in our free time, please be patient especially if I don’t answer every day!
[*]Please follow these instructions
If you don’t follow the instructions your computer may crash. If you fix your PC by yourself, this can be very risky!
[*]Please stay in contact with me until your problem is resolved
As Malware may not be totally removed in one session or in one day, please stay in contact with me until the problem is resolved.
[*]Please don’t run any other tools without consulting with me as this can complicate finding and removing all Malware
Don’t run any tools while I’m fixing your PC. That is counterproductive and, again, will only complicate finding and removing all Malware!
[*]Read my post completely
If you don’t do so, you may make mistakes that could result in your System crashing by your own actions!

I am currently in training and my posts will need to be reviewed by an expert, so expect a slight delay between posts.


For now I don’t need an ASWMBR or MBAM Log. I will clean the infection on my way since it seems to be BlackBeard.

Hey,

Step 1: Registry cleaner warning

You have following Registry Cleaners installed: TweakNow RegCleaner 2011

These programs are called Registry Cleaners. These kinds of programs aren’t good for your PC! A registry cleaner will not increase your system’s speed or performance and can damage your Registry, which can lead to an unbootable PC. At AVAST Forum we strongly advise that users don’t use these sketchy programs.

Here is some reading stuff for you:

[*]Registry Junk: A Windows Fact of Life

Step 2: OTL Fix

[*]Run OTL (If you have Windows Vista / Windows 7 / Windows 8 please do a Right click on the OTL icon and select Run as Administrator).
[*]Copy (Ctrl+C) and Paste (Ctrl+V) all of the following text into the Custom Scans/Fixes box:

[CREATERESTOREPOINT]

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://us.yhs4.search.yahoo.com/?hspart=avast&hsimp=yhs-001&type=avastbcl
IE - HKLM\..\SearchScopes,DefaultScope = {9CB96984-43C3-4D44-90EF-01466EFCF7BB}
IE - HKLM\..\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}: "URL" = http://us.yhs4.search.yahoo.com/yhs/search?hspart=avast&hsimp=yhs-001&type=avastbcl&p={searchTerms}
IE - HKLM\..\SearchScopes\{c446e96a-4a4d-4499-8171-ff5eb6aef25f}: "URL" = http://s.mysearch.com/search/GGmain.jhtml?id=XMxdm0346Dus&ptb=4B34918E-352C-4EA9-9952-EDB2681DA64B&psa=&ind=2011021022&ptnrS=XMxdm0346Dus&si=&st=sb&n=77ddbede&searchfor={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://us.yhs4.search.yahoo.com/?hspart=avast&hsimp=yhs-001&type=avastbcl
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.yhs4.search.yahoo.com/yhs/search?hspart=avast&hsimp=yhs-001&type=avastbcl&p={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://us.yhs4.search.yahoo.com/?hspart=avast&hsimp=yhs-001&type=avastbcl
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\SearchScopes\{75658008-3CED-4C99-B5D5-FF10C399C1CC}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3295790&CUI=UN24425900619688121&UM=2
IE - HKCU\..\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}: "URL" = http://us.yhs4.search.yahoo.com/yhs/search?hspart=avast&hsimp=yhs-001&type=avastbcl&p={searchTerms}
IE - HKCU\..\SearchScopes\{AFA3B4E2-2862-4450-BD11-1470D2B67E99}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=113&systemid=406&sr=0&q={searchTerms}
IE - HKCU\..\SearchScopes\{c446e96a-4a4d-4499-8171-ff5eb6aef25f}: "URL" = http://s.mysearch.com/search/GGmain.jhtml?id=XMxdm0346Dus&ptb=4B34918E-352C-4EA9-9952-EDB2681DA64B&psa=&ind=2011021022&ptnrS=XMxdm0346Dus&si=&st=sb&n=77ddbede&searchfor={searchTerms}
IE - HKCU\..\SearchScopes\{D4A815A5-5283-45E5-B904-EFCD401EF297}: "URL" = http://search.yahoo.com/search?fr=mcafee&p={SearchTerms}
IE - HKCU\..\SearchScopes\{DECA3892-BA8F-44b8-A993-A466AD694AE4}: "URL" = http://search.yahoo.com/search?fr=mcafee&p={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:51050
FF - prefs.js..browser.search.defaultenginename: "Conduit Search"
FF - prefs.js..browser.search.selectedEngine: "Conduit Search"
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?gd=&ctid=CT3324790&octid=EB_ORIGINAL_CTID&ISID=M4CB7592B-00DD-45D9-B9D0-8F9822703CA3&SearchSource=55&CUI=&UM=5&UP=SP0BBF5C22-60A1-4E93-90EC-969B66DC3B0A&SSPV="
FF - user.js - File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
[2014/04/20 13:14:57 | 000,000,916 | ---- | M] () -- C:\Users\uncletounouse\AppData\Roaming\Mozilla\Firefox\Profiles\c8gcj3zv.default-1374338456318\searchplugins\conduit-search.xml
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - HKCU\..Trusted Domains: coned.com ([http] in Trusted sites)
O15 - HKCU\..Trusted Domains: coned.com ([https] in Trusted sites)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://www.shockwave.com/content/peggle/sis/popcaploader_v10_en.cab (Reg Error: Unable to open value key)
[2014/04/20 13:14:48 | 000,000,000 | ---D | C] -- C:\Users\uncletounouse\AppData\Local\SearchProtect
[2014/03/23 16:10:02 | 000,000,000 | ---D | C] -- C:\Program Files\InstallConverter bundle uninstaller
[2007/11/08 13:05:39 | 000,711,160 | ---- | C] (Microsoft Corporation) -- C:\Users\uncletounouse\setup.exe
[2007/11/08 01:44:04 | 000,054,272 | ---- | C] (Microsoft Corporation) -- C:\Users\uncletounouse\autorun.exe
[2014/04/19 19:19:42 | 000,028,672 | ---- | M] () -- C:\Windows\System32\qppwy.dkg
[2014/04/19 19:19:42 | 000,000,104 | ---- | M] () -- C:\Windows\System32\vnmzwvq.hiv
[2014/04/19 18:54:33 | 000,000,080 | ---- | M] () -- C:\Windows\System32\cpedx.swu
[2014/04/19 14:26:35 | 000,000,064 | ---- | M] () -- C:\Windows\System32\lgjaaeo.nbx
[2014/04/19 14:10:48 | 000,301,959 | --S- | M] () -- C:\Windows\System32\chifg.gam
@Alternate Data Stream - 444 bytes -> C:\Users\uncletounouse\Documents\Site6.wpp:SummaryInformation
@Alternate Data Stream - 364 bytes -> C:\ProgramData\TEMP:387A6F49
@Alternate Data Stream - 143 bytes -> C:\ProgramData\TEMP:A1DDEA35
@Alternate Data Stream - 135 bytes -> C:\ProgramData\TEMP:980D86EF
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:1AE68282

:Commands
[EMPTYTEMP]


[*]Click the [b]Run Fix[/b] button.
[*]After your computer has rebooted, run [b]OTL[/b] and click [b]Quick Scan[/b].
[*]Copy and paste the contents of the log that it produces into your next post.

[b]Step 3: ComboFix Run[/b]

[b]Warning:[/b] this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

Please download [b]Combofix[/b] from one of the following locations:

[url=http://download.bleepingcomputer.com/sUBs/ComboFix.exe][b]Download Mirror #1[/b][/url]
[url=http://subs.geekstogo.com/ComboFix.exe][b]Download Mirror #2[/b][/url]
[url=http://www.infospyware.net/antimalware/combofix][b]Download Mirror #3[/b][/url]

[b]Note:[/b] You must save this directly to your Desktop.

[*]Save any open documents, then close any open programs.
[*]Disable all anti-virus and anti-malware software to prevent them inhibiting Combofix in any way. If you are unsure how to do this, see [url=http://www.bleepingcomputer.com/forums/topic114351.html]THIS[/url].
[*][b]Double-click[/b] on [b]combofix.exe[/b] then follow the on screen prompts (If you have Windows Vista / Windows 7 / Windows 8 please do a Right click on the ComboFix icon and select [b]Run as Administrator[/b])
[*]When Combofix finishes, it will open the log. Please [b]Copy (Ctrl + C)[/b] and [b]Paste (Ctrl + V)[/b] all of this text into your next post.

If, for whatever reason, the log does not open, it can be found in this location: [b]C:\combofix.txt[/b]

Are you still with me?
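As an added defender-side example (not from this thread, OTL or any of the tools named here), a read-only PowerShell audit of the three indicator classes the OTL fix above removes: the loopback proxy, the stray IE search scopes, and the alternate data streams. The registry paths are standard Windows locations; the domains and the 127.0.0.1:51050 value are taken from the OTL lines, and the directory-stream check is assumed to be supported by the PowerShell version in use.

```powershell
# Added example: audit only, nothing is changed. Run from an elevated PowerShell.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. WinINET proxy. A ProxyServer on 127.0.0.1 (the OTL line shows
#    http=127.0.0.1:51050) is a local interception proxy; it is worth
#    flagging even with ProxyEnable=0, since malware can switch it on.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ps = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($ps.ProxyServer -match '(^|=)(127\.0\.0\.1|localhost):\d+') {
    $findings.Add("loopback proxy: $($ps.ProxyServer) (ProxyEnable=$($ps.ProxyEnable))")
}

# 2. IE search scopes in both hives. Scopes whose URL points at one of the
#    hijacker domains listed in the OTL fix are reported with their GUID.
$hijackers = 'conduit\.com|mysearch\.com|search-results\.com'
foreach ($hive in 'HKCU', 'HKLM') {
    $scopes = "${hive}:\Software\Microsoft\Internet Explorer\SearchScopes"
    Get-ChildItem -Path $scopes -ErrorAction SilentlyContinue | ForEach-Object {
        $url = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).URL
        if ($url -match $hijackers) {
            $findings.Add("$hive search scope $($_.PSChildName) -> $url")
        }
    }
}

# 3. Alternate data streams on C:\ProgramData\TEMP and its contents (the OTL
#    fix lists several on the TEMP entry itself). ':$DATA' is the file's normal
#    content stream; any other stream name is an ADS. Directory streams are
#    listed only where the PowerShell version supports them (assumption).
$temp = 'C:\ProgramData\TEMP'
if (Test-Path -Path $temp) {
    @(Get-Item -Path $temp -ErrorAction SilentlyContinue) +
    @(Get-ChildItem -Path $temp -Recurse -Force -ErrorAction SilentlyContinue) |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $findings.Add("ADS $($_.FileName):$($_.Stream) ($($_.Length) bytes)")
        }
}

if ($findings.Count -eq 0) { 'no hijack indicators found' } else { $findings }
```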

Machiavelli and Pondus:

Sorry for the delay. Death in the family and still catching up. Basically, I ran the script Machiavelli suggested and the computer crashed. Did a restore, and back to the original problem. Also, it goes through endless updates during each startup (I have the PC on Hibernation mode).

I reran OTL and Malwarebytes with updated logs attached. Thank you

I’m going to say you have blackbeard. Avoid running scans unless Mach says what he wants you to do.

Hello,
looks like you also have TDL4. Will check this with TDSSKiller.

Please redo Step #3 from my last post.

Additionally, please do this:

Please download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

http://img189.imageshack.us/img189/5251/image000q.png

[*]Put a checkmark beside loaded modules.

http://img802.imageshack.us/img802/859/2012081514h0118.png

[*]A reboot will be needed to apply the changes. Do it.
[*]TDSSKiller will launch automatically after the reboot. Also, your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
[*]Then click on Change parameters in TDSSKiller.
[*]Check all boxes then click OK.
[*]Click the Start Scan button.

http://img202.imageshack.us/img202/1699/19695967.jpg

[*]The scan should take no longer than 2 minutes.
[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

http://img716.imageshack.us/img716/7638/67776163.jpg

[*]If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

http://img717.imageshack.us/img717/718/62117367.jpg

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
[*]A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.

Combofix Run results

tdsskiller results

Please download FRST (by Farbar) from the link below and save it to your Desktop.

Download Mirror #1
If you are unsure whether you have 32-Bit or 64-Bit Windows, see here

[*]Disable all anti-virus and anti-malware software to prevent them inhibiting FRST in any way. If you are unsure how to do this, see THIS.
[*]Double-click FRST.exe/FRST64.exe (depending on which version you downloaded) to run it. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
[*]When the disclaimer appears, click Yes.
[*]Click Scan to start FRST.
[*]When FRST finishes scanning, two logs, FRST.txt and Addition.txt will open.
[*]Copy (Ctrl+C) and Paste (Ctrl+V) the contents of both of these logs into your next post please.

Machiavelli,

as requested.

OK,

Start FRST again and type into the Search box:

rpcss.dll

Click on Search File(s).
A log will open; post its contents in your next reply.

search attached…

Hey,

First,

Download attached fixlist.txt file and save it to the Desktop.
NOTE: It’s important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Then,

[*]Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
[*]Click Scan to start FRST.
[*]When FRST finishes scanning, a log, FRST.txt, will open.
[*]Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

done see attached

Hello,

First,

You have following Registry Cleaners installed: TweakNow RegCleaner 2011

These programs are called Registry Cleaners. These kinds of programs aren’t good for your PC! A registry cleaner will not increase your system’s speed or performance and can damage your Registry, which can lead to an unbootable PC. At Geeks to Go we strongly advise that users don’t use these sketchy programs.

Here is some reading stuff for you:

[*]Registry Junk: A Windows Fact of Life

Then,
Please follow these instructions here to reset chrome.

Then,

Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop:

Download Mirror #1

[*]Right-click on AdwCleaner.exe and select Run as administrator. (If you have Windows XP, just run it.)
[*]Click Scan and let the scan run.
[*]When it finishes, click Clean, following the on screen prompts.
[*]After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.

Note: The log can also be found in here: [b]C:\AdwCleaner[/b]

Then,

http://imageshack.us/a/img841/7292/thisisujrt.gif
Please download Junkware Removal Tool to your desktop.

[*]Shut down your protection software now to avoid potential conflicts.
[*]Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select “Run as Administrator”.
[*]The tool will open and start scanning your system.
[*]Please be patient as this can take a while to complete depending on your system’s specifications.
[*]On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[*]Post the contents of JRT.txt into your next message.

Then,

[*]Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
[*]Click Scan to start FRST.
[*]When FRST finishes scanning, a log, FRST.txt, will open.
[*]Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

Then,
how is your PC running?

The first link to Chrome did not work. Was it to remove extensions for search conduit? I proceeded to the next instructions and all work well.
I brought up the Chrome browser and the search conduit is gone

PC no longer has that alarm and lady’s voice!

Great work Machiavelli!!! Let me know if there are any further instructions

Hello,
Sorry that the link didn’t work. This forum doesn’t like my BBCode. :o

First,
Please follow these instructions here to reset chrome.

Then,
Please download Malwarebytes Anti-Malware to your desktop. Install the programme and select Update.
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits

https://dl.dropboxusercontent.com/u/73555776/MBAMsettings.JPG

Go back to the Dashboard and select Scan Now

https://dl.dropboxusercontent.com/u/73555776/MBAMScan.JPG

If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.

https://dl.dropboxusercontent.com/u/73555776/MBAMReboot.JPG

https://dl.dropboxusercontent.com/u/73555776/MBAMLog.JPG

On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop
Attach/Post that log

Then,
Please disable your AntiVirus before doing these steps!

[*]If you have Win Vista / Win 7 / Win 8 please start IE as Administrator!
[*]This will only work for Internet Explorer or FireFox
[*]Please download ESET Online Scanner from here

How to do this?

[*]Visit this website here
[*]You will see a screen like this:

http://s7.directupload.net/images/131201/e922iil8.png

[*]Click Run ESET Online Scanner

http://s14.directupload.net/images/131201/4e3svhbd.png

[*]A Window will open (see above) - please click on the link
[*]A window will pop up - please download the file to your Desktop
[*]When the download has finished please run the program (for Win Vista/ Win7 / Win 8 User please run it as Administrator)

http://s14.directupload.net/images/131201/p35jbmyy.png

[*]Tick the box next to YES, I accept the Terms of Use then click on: Start
[*]You may see a panel towards the top of the screen telling you the website wants to install an addon… click and allow it to install. If your firewall asks whether you want to allow installation, say yes.

http://s7.directupload.net/images/131201/p3b9meru.png

[*]Make sure that the option Remove found threats is NOT checked.
[*]Make sure that the option Scan archives is checked.
[*]Now click on Advanced Settings and select the following:

[list]
[*]Scan for potentially unwanted applications
[*]Scan for potentially unsafe applications
[*]Enable Anti-Stealth Technology
[/list]
[*]Then click on Start
[*]The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
[*]When completed, the Online Scan will begin automatically. The scan may take several hours.
[*]Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
[*]After the scan is finished please click on Finish
[*]Use notepad to open the logfile located at C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt
[*]Copy and paste that log as a reply to this topic.

Then,
Download Security Check by screen317 from here or here.
[*]Save it to your Desktop.
[*]Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
[*]A Notepad document should open automatically called checkup.txt; please post the contents of that document.

as requested