Yet Another URL:Mal

http://postimg.org/image/ewz3zitff

http://postimg.org/image/ngihxa1rv

Pops up as often as every few seconds, or as little as every few hours throughout the day, randomly. Pops up 10-15 times all at once on system startup.

Logs attached.

Edit: Not sure why images aren’t working… but ok then…

Links to images:
Threat Popup
Details(or lack thereof…)

Did you set the proxy in Firefox? Could you let me know if the alerts cease after this?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quotebox below into it:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM-x32 - DefaultScope {72186076-69CD-47DD-B644-BF519B48121E} URL =
SearchScopes: HKCU - DefaultScope {72186076-69CD-47DD-B644-BF519B48121E} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3309758&CUI=UN34891558232132210&UM=2
SearchScopes: HKCU - {72186076-69CD-47DD-B644-BF519B48121E} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3309758&CUI=UN34891558232132210&UM=2
SearchScopes: HKCU - {AFDBDDAA-5D3F-42EE-B79C-185A7020515B} URL =
CHR StartupUrls: Default -> "hxxp://www.google.com/", "hxxp://search.yahoo.com?type=994519&fr=spigot-yhp-ch", "hxxp://search.conduit.com/?ctid=CT3282812&SearchSource=48&CUI=UN15389328351854218&UM=2", "hxxp://start.sweetpacks.com/?barid={7C8A9325-DC0A-11E2-BF49-3085A98E0EEA}&src=10&crg=3.5000006.10043&st=23", "hxxp://search.conduit.com/?ctid=CT3309758&SearchSource=48&CUI=UN35643427283331110&UM=2", "hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-08-25 03:56:14&v=15.4.0.5&pid=safeguard&sg=0&sap=hp", "hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-09-03 21:48:17&v=15.6.1.2&pid=safeguard&sg=0&sap=hp", "hxxp://mysearch.avg.com?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&coid=avgtbavg&pr=fr&d=2013-11-05 02:39:42&v=17.0.1.12&pid=safeguard&sg=0&sap=hp", "hxxp://www.google.com/|hxxp://search.yahoo.com?type=994519&fr=spigot-yhp-ch|hxxp://search.conduit.com/?ctid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&SearchSource=48&CUI=UN15389328351854218&UM=2|hxxp://start.sweetpacks.com/?barid={7C8A9325-DC0A-11E2-BF49-3085A98E0EEA}&src=10&crg=3.5000006.10043&st=23|hxxp://search.conduit.com/?ctid=CT3309758&SearchSource=48&CUI=UN35643427283331110&UM=2|hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-08-25 03:56:14&v=17.1.3.3&pid=safeguard&sg=70&sap=hp|hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-09-03 21:48:17&v=15.6.1.2&pid=safeguard&sg=0&sap=hp|hxxp://mysearch.avg.com?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&coid=avgtbavg&pr=fr&d=2013-11-05 02:39:42&v=17.0.1.12&pid=safeguard&sg=0&sap=hp", "hxxp://www.google.com/|hxxp://search.yahoo.com?type=994519&fr=spigot-yhp-ch|hxxp://search.conduit.com/?ctid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&SearchSource=48&CUI=UN15389328351854218&UM=2|hxxp://start.sweetpacks.com/?barid={7C8A9325-DC0A-11E2-BF49-3085A98E0EEA}&src=10&crg=3.5000006.10043&st=23|hxxp://search.conduit.com/?ctid=CT3309758&SearchSource=48&CUI=UN35643427283331110&UM=2|hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-08-25 03:56:14&v=17.1.3.3&pid=safeguard&sg=0&sap=hp|hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-09-03 21:48:17&v=15.6.1.2&pid=safeguard&sg=0&sap=hp|hxxp://mysearch.avg.com?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&coid=avgtbavg&pr=fr&d=2013-11-05 02:39:42&v=17.0.1.12&pid=safeguard&sg=0&sap=hp|hxxp://www.google.com/|hxxp://search.yahoo.com?type=994519&fr=spigot-yhp-ch|hxxp://search.conduit.com/?ctid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&SearchSource=48&CUI=UN15389328351854218&UM=2|hxxp://start.sweetpacks.com/?barid={7C8A9325-DC0A-11E2-BF49-3085A98E0EEA}&src=10&crg=3.5000006.10043&st=23|hxxp://search.conduit.com/?ctid=CT3309758&SearchSource=48&CUI=UN35643427283331110&UM=2|hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-08-25 03:56:14&v=17.1.3.3&pid=safeguard&sg=70&sap=hp|hxxp://mysearch.avg.com/?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&pr=fr&d=2013-09-03 21:48:17&v=15.6.1.2&pid=safeguard&sg=0&sap=hp|hxxp://mysearch.avg.com?cid={8D9BC038-8184-4C36-A9B4-55AED310EC7A}&mid=115ca95fa7ba47d39d7fe1ccef6ae719-377682202d4764676abe7fa62d91e5752ea8a5fb&lang=en&ds=AVG&coid=avgtbavg&pr=fr&d=2013-11-05 02:39:42&v=17.0.1.12&pid=safeguard&sg=0&sap=hp"
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
C:\Users\Kyle\IP_Log_Data.js
C:\Users\Kyle\jagex_cl_oldschool_LIVE.dat
C:\Users\Kyle\jagex_cl_runescape_LIVE.dat
C:\Users\Kyle\Network_Meter_Data.js
C:\Users\Kyle\random.dat
Task: {6688F0F8-9995-45C7-9E20-D1026CC30204} - System32\Tasks\Express FilesUpdate => C:\Program Files (x86)\ExpressFiles\EFUpdater.exe <==== ATTENTION
C:\Program Files (x86)\ExpressFiles
Task: {A2E140B4-670A-4492-AD7E-5928BDC960B2} - \Updater23986.exe No Task File <==== ATTENTION
Task: {E8F0412E-8428-4224-AFAF-F100A0864D05} - System32\Tasks\Dexpot\2 => F:\Program Files (x86)\Dexpot\autodex.exe [2013-07-05] (Dexpot GbR) <==== ATTENTION
F:\Program Files (x86)\Dexpot
Task: {FA6B977B-A077-41B6-A6E9-72E1D707972C} - \YourFile DownloaderUpdate No Task File <==== ATTENTION
AlternateDataStreams: C:\WINDOWS\SysWOW64\zlib.dll:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

I’ve run both, & it’s looking good so far. The 10-15 warnings I got on startup went away after the first tool was run. :)

AdwCleaner created “S0” instead of “S1” but I’m assuming it’s the right file since it’s what came up on restart.

Both logs attached. Thanks for your help. :)

Any further problems? :)