Author Topic: URL:Mal http://www.google.com  (Read 11862 times)

0 Members and 1 Guest are viewing this topic.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: URL:Mal http://www.google.com
« Reply #15 on: April 06, 2012, 10:47:56 PM »
Rexaar could you start your own topic please and post the necessary logs there

ennosphere

  • Guest
Re: URL:Mal http://www.google.com
« Reply #16 on: April 07, 2012, 03:04:39 AM »
Now blocking CF8003.EXE

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: URL:Mal http://www.google.com
« Reply #17 on: April 07, 2012, 03:35:55 PM »
That is a combofix file

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall
     (Notice the space between the "x" and "/")
    then click OK



  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled
Then could you run a fresh OTL quick scan selecting all users and let me know if the problem is still apparent

ennosphere

  • Guest
Re: URL:Mal http://www.google.com
« Reply #18 on: April 09, 2012, 12:11:31 AM »
Ping still gets same result, no pages load.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: URL:Mal http://www.google.com
« Reply #19 on: April 09, 2012, 12:15:45 PM »
OK lets check out the registry net settings

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    O3 - HKU\S-1-5-21-3690017174-2536532145-703111426-500\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

run farbar service scanner



Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

ennosphere

  • Guest
Re: URL:Mal http://www.google.com
« Reply #20 on: April 12, 2012, 09:10:08 AM »
Farbar Service Scanner Version: 01-03-2012
Ran by Administrator (administrator) on 12-04-2012 at 02:07:46
Running from "C:\Documents and Settings\administrator.CHEMISPHEREINC.000\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x080000000400000001000000020000000300000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: URL:Mal http://www.google.com
« Reply #21 on: April 12, 2012, 08:34:20 PM »
Everything there appears OK, I notice that one of the IP adresses is a to school network.  Do you use that a lot ?

Lets have a different look.  With the Zip file produced at the end could you upload to a sharing site like Mediafire and post the sharing link 

Download AVPTool from Here to your desktop 
   
Run the programme you have just downloaded to your desktop (it will be randomly named ) 
 
First we will run a virus scan  
 
Click the cog in the upper right 

 
 
Select down to and including your main drive, once done select the Automatic scan tab and press Start Scan 

 
Allow AVP to delete all infections found
Once it has finished select report tab (last tab)
Select Detected threats report from the left and press Save button
Save it to your desktop and attach to your next post
 
 
Now the Analysis
 
Rerun AVP and select the Manual Disinfection tab and press Start Gathering System Information 
 

 
On completion click the link to locate the zip file to upload upload to a file sharing site