Author Topic: Malicious URL http://specrtop.org/a/


ndmd

  • Guest
Re: Malicious URL http://specrtop.org/a/
« Reply #15 on: May 03, 2013, 11:19:56 PM »
Yes, I see Windows Disc Image Burner.

ndmd

Re: Malicious URL http://specrtop.org/a/
« Reply #16 on: May 03, 2013, 11:30:02 PM »
And I've already burned an image CD.
« Last Edit: May 04, 2013, 05:37:27 AM by ndmd »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL http://specrtop.org/a/
« Reply #17 on: May 04, 2013, 01:14:43 PM »
OK, copy FRST to a USB drive,
boot to the recovery console,
and then run FRST.

Insert the CD into the sick computer and start the computer, first ensuring that the system is set to boot from CD.
Note: If you are not sure how to do that, follow the instructions Here.

When you reboot you will see this, although yours will say Windows 7.
Click repair my computer.

Select your operating system.

Select Command prompt.

Insert the USB with FRST64 on it.

At the command prompt type the following:

notepad and press Enter.
The Notepad opens. Under the File menu select Open.
Select "Computer" and find your flash drive letter, then close the Notepad.
In the command window type e:\frst64.exe and press Enter.
Note: Replace the letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to the disclaimer.

Press the Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

ndmd

Re: Malicious URL http://specrtop.org/a/
« Reply #18 on: May 04, 2013, 01:28:53 PM »
Sorry, I'm a little confused. When should I run FRST for the first time? Before the recovery boot?

ndmd

Re: Malicious URL http://specrtop.org/a/
« Reply #19 on: May 04, 2013, 02:07:21 PM »
I assume it is to run the first scan before the recovery boot, and here are the log files.

Offline essexboy

Re: Malicious URL http://specrtop.org/a/
« Reply #20 on: May 04, 2013, 02:29:17 PM »
No, FRST needs to run when you are in the recovery console (i.e. running from the CD), as from the safe mode menu FRST cannot access all the run keys.

ndmd

Re: Malicious URL http://specrtop.org/a/
« Reply #21 on: May 04, 2013, 02:55:31 PM »
Could you please tell me a little more about how to run FRST in the recovery console running from the CD? Because when I reach here (please see the photo), I don't know how to proceed.

Offline essexboy

Re: Malicious URL http://specrtop.org/a/
« Reply #22 on: May 04, 2013, 09:42:04 PM »
Once you get to that point, insert the USB with FRST on it.

Select Command prompt.

At the command prompt type the following:

notepad and press Enter.
The Notepad opens. Under the File menu select Open.
Select "Computer" and find your flash drive letter, then close the Notepad.
In the command window type e:\frst64.exe and press Enter.
Note: Replace the letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to the disclaimer.

Press the Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

ndmd

Re: Malicious URL http://specrtop.org/a/
« Reply #23 on: May 04, 2013, 11:10:42 PM »
Here are the log files.

I'd just like to make sure I did it right.

To do the first scan in the recovery console, I pressed Esc on startup and chose the F10 recovery option from the startup menu. Then Windows loads as usual. Is it normal that I see the normal Windows appearance in recovery mode? I don't see any difference from normal Windows. (I mean when we enter safe mode, the Windows appearance is different.)

No problem with the second scan while booting from the CD.

Offline essexboy

Re: Malicious URL http://specrtop.org/a/
« Reply #24 on: May 05, 2013, 03:41:12 PM »
Download the attached fixlist.txt to the same USB as FRST.
Run FRST as before and press Fix.
Once it has run, reboot to normal Windows and run a fresh OTL scan please.


ndmd

Re: Malicious URL http://specrtop.org/a/
« Reply #25 on: May 05, 2013, 04:18:41 PM »
Here is the OTL log file.

After running the FRST fix, I'm now seeing my previously deleted old Word files on my desktop as hidden files (they appear faded).

Offline essexboy

Re: Malicious URL http://specrtop.org/a/
« Reply #26 on: May 05, 2013, 05:46:56 PM »
The ghost files will disappear again when we reset the system at the end.

I see you also have AVG on the system; either it or Avast will have to go.

How is the computer behaving now?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
IE - HKLM\..\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}: "URL" = http://search.sweetim.com/search.asp?src=6&q={searchTerms}&crg=4.0002002
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {EEE6C360-6118-11DC-9C72-001320C79847}
IE - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2413}: "URL" = http://www.searchqu.com/web?src=ieb&appid=0&systemid=413&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\..\SearchScopes\{CFF4DB9B-135F-47c0-9269-B4C6572FD61A}: "URL" = http://mystart.incredibar.com/mb178/?search={searchTerms}&loc=IB_DS&a=6OyOlrdEk9&i=26
IE - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
FF - prefs.js..extensions.enabledAddons: canitbecheaper%40trafficbroker.co.uk:3.8.28
64bit-FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\PROGRAM FILES\WEB ASSISTANT\FIREFOX
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{336D0C35-8A85-403a-B9D2-65C292C39087}: C:\Program Files\Web Assistant\Firefox
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\searchpredict@speedbit.com: C:\Program Files (x86)\SearchPredict\PRFireFox
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{0329E7D6-6F54-462D-93F6-F5C3118BADF2}: C:\Program Files (x86)\SPEEDbit Video Downloader\SPFireFox
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{b64982b1-d112-42b5-b1e4-d3867c4533f8}: C:\ProgramData\Browser Manager\2.3.796.11\{16cdff19-861d-48e3-a751-d99a27784753}\FirefoxExtension
[2012-12-09 17:48:32 | 000,093,072 | ---- | M] () (No name found) -- C:\Users\Nanda\AppData\Roaming\Mozilla\Firefox\Profiles\7o3kt8uy.default\extensions\canitbecheaper@trafficbroker.co.uk.xpi
[2013-04-01 14:56:41 | 000,617,362 | ---- | M] () (No name found) -- C:\Users\Nanda\AppData\Roaming\Mozilla\Firefox\Profiles\7o3kt8uy.default\extensions\check4change-owner@mozdev.org.xpi
[2013-02-05 15:17:24 | 000,218,916 | ---- | M] () (No name found) -- C:\Users\Nanda\AppData\Roaming\Mozilla\Firefox\Profiles\7o3kt8uy.default\extensions\info@priceblink.com.xpi
O2:64bit: - BHO: (SearchCore for Browsers) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\SearchCore for Browsers\SearchCore for Browsers\x64\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (SearchCore for Browsers) - {9D717F81-9148-4f12-8568-69135F087DB0} - C:\Program Files (x86)\SearchCore for Browsers\SearchCore for Browsers\BrowserConnection.dll (Bandoo Media, inc)
O2 - BHO: (no name) - {EEE6C35C-6118-11DC-9C72-001320C79847} - No CLSID value found.
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {b4de90bb-150d-4b33-95fe-6baac97e1c21} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O3 - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\..\Toolbar\WebBrowser: (no name) - {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - No CLSID value found.
O3 - HKU\S-1-5-21-3356719268-1121121202-4279899874-1000\..\Toolbar\WebBrowser: (no name) - {EEE6C35B-6118-11DC-9C72-001320C79847} - No CLSID value found.
O20 - AppInit_DLLs: (c:\progra~3\browse~1\23796~1.11\{16cdf~1\browse~1.dll) - File not found
[2013-05-05 07:46:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Conduit
[2013-05-05 07:46:28 | 000,000,000 | ---D | C] -- C:\Users\Nanda\AppData\Local\Conduit
[2013-05-04 06:36:55 | 000,000,000 | ---D | C] -- C:\FRST
[2013-05-03 14:09:07 | 001,712,312 | ---- | C] (Farbar) -- C:\Users\Nanda\Desktop\FRST64.exe
[2013-05-03 14:08:08 | 000,453,048 | ---- | C] (Akeo Consulting (http://akeo.ie)) -- C:\Users\Nanda\Desktop\rufus_v1.3.2.exe
[2012-11-15 09:25:38 | 000,000,000 | ---D | M] -- C:\Users\Nanda\AppData\Roaming\Babylon

:Files
C:\PROGRAM FILES\WEB ASSISTANT
C:\Program Files (x86)\SearchPredict
C:\ProgramData\Browser Manager
C:\Program Files (x86)\SearchCore for Browsers

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
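The fix above removes hijacked IE search providers, a forced proxy setting, an AppInit_DLLs entry and third-party browser helper objects. As an added example that is not part of the thread, OTL or FRST, the following PowerShell script reads those same registry locations on a live system so a defender can review them before or after a cleanup; it assumes an elevated prompt on 64-bit Windows and changes nothing.

```powershell
# Added example, not from the thread and not part of OTL or FRST: a read-only audit of the
# hijack points the fix above edits. Assumes an elevated PowerShell prompt on 64-bit Windows.

function Get-IeSearchScopes {
    # IE search providers (the "IE - ...SearchScopes" lines); DefaultScope names the active one.
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $base = "$hive\Software\Microsoft\Internet Explorer\SearchScopes"
        if (-not (Test-Path $base)) { continue }
        $default = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).DefaultScope
        foreach ($scope in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ Hive = $hive; Scope = $scope.PSChildName; Default = ($scope.PSChildName -eq $default)
                               URL = (Get-ItemProperty -Path $scope.PSPath -ErrorAction SilentlyContinue).URL }
        }
    }
}

function Get-ProxySetting {
    # The fix removed "ProxyEnable" = 1; a proxy the user never configured can redirect all browsing.
    $p = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{ ProxyEnable = $p.ProxyEnable; ProxyServer = $p.ProxyServer; AutoConfigURL = $p.AutoConfigURL }
}

function Get-AppInitDlls {
    # AppInit_DLLs are loaded into every process that maps user32.dll (the O20 line in the fix).
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{ Key = $key; AppInit_DLLs = $v.AppInit_DLLs; LoadAppInit_DLLs = $v.LoadAppInit_DLLs }
    }
}

function Get-BrowserHelperObjects {
    # Each BHO subkey is a CLSID; resolve it to the DLL IE loads (the O2 lines). A CLSID without an
    # InprocServer32 is the "No CLSID value found" case: a dangling entry left behind by an uninstaller.
    foreach ($prefix in '', 'Wow6432Node\') {
        $key = "HKLM:\SOFTWARE\${prefix}Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        $clsidRoot = "Registry::HKEY_CLASSES_ROOT\${prefix}CLSID"
        foreach ($bho in Get-ChildItem -Path $key -ErrorAction SilentlyContinue) {
            $srv = Get-ItemProperty -Path "$clsidRoot\$($bho.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
            [pscustomobject]@{ View = $(if ($prefix) { '32-bit' } else { '64-bit' }); CLSID = $bho.PSChildName; Dll = $srv.'(default)' }
        }
    }
}

Get-IeSearchScopes | Format-Table -AutoSize
Get-ProxySetting | Format-List
Get-AppInitDlls | Format-List
Get-BrowserHelperObjects | Format-Table -AutoSize
```

Compare each search URL, proxy value and DLL path against what the user actually installed; anything pointing at an unfamiliar search portal, a proxy nobody set, or a DLL under ProgramData is worth investigating.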

ndmd

Re: Malicious URL http://specrtop.org/a/
« Reply #27 on: May 05, 2013, 06:19:14 PM »
Here is the OTL log file.

My computer seems alright now. I don't see that malicious URL alert anymore. Thank you very much for your help.

I only installed AVG after I had this problem, hoping it could solve it. I've uninstalled it now.

But I see a problem: I can't go to Control Panel to uninstall it. A message box showing 'Windows Explorer has stopped working' appears whenever I try to enter Control Panel. I had to use Tuneup to uninstall AVG.
« Last Edit: May 05, 2013, 07:04:43 PM by ndmd »

Offline essexboy

Re: Malicious URL http://specrtop.org/a/
« Reply #28 on: May 05, 2013, 10:06:48 PM »
Could you confirm that Windows is up to date by running Windows Update?

ndmd

Re: Malicious URL http://specrtop.org/a/
« Reply #29 on: May 05, 2013, 10:11:17 PM »
The same thing happens when I go to Action Center to check Windows Update, or when I try to see the properties of My Computer: the same message showing 'Windows Explorer has stopped working'.