Topic: Logs


Emilystrokes

  • Guest
Logs
« on: December 13, 2013, 08:55:59 AM »
Hi,

I had some pest on my computer and followed the instructions on this site (installed and ran scans with MBAM and OTL). MBAM removed a whole lot of stuff, but I'm still getting constant notifications that access to a malicious website is being blocked (even without an explorer open), although it doesn't actually state the website, just various IP addresses.

I'm attaching my logs. Help!

Emily

Emilystrokes

  • Guest
Re: Logs
« Reply #1 on: December 13, 2013, 08:58:00 AM »
Extras

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37621
  • Not a avast user
Re: Logs
« Reply #2 on: December 13, 2013, 08:58:26 AM »
Also attach the Malwarebytes / aswMBR logs. http://forum.avast.com/index.php?topic=53253.0



Emilystrokes

  • Guest
Re: Logs
« Reply #3 on: December 13, 2013, 09:06:37 AM »
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.11.30.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16736
Emily :: EMILY-PC [administrator]

30/11/2013 3:06:58 PM
mbam-log-2013-11-30 (15-06-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 241155
Time elapsed: 8 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 12
HKCR\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{CF190686-9E72-403C-B99D-682ABDB63C5B} (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
HKCR\CLSID\{A7A9D7E7-E0C0-4202-9F13-6A06BD073CDA} (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A9D7E7-E0C0-4202-9F13-6A06BD073CDA} (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{A7A9D7E7-E0C0-4202-9F13-6A06BD073CDA} (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{A7A9D7E7-E0C0-4202-9F13-6A06BD073CDA} (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
HKCR\TypeLib\{39A17362-9C1D-4907-9428-0D28A94DC79D} (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
HKCR\Interface\{627A968A-03E6-41C7-B11B-4E442B376F95} (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CF190686-9E72-403C-B99D-682ABDB63C5B} (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C} (PUP.Optional.OptimzerPro.A) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C1C3E833-420E-4D78-9BA7-86AEBB272384} (Adware.GameVance) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C1C3E833-420E-4D78-9BA7-86AEBB272384} (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 10
C:\Users\Emily\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TopArcadeHits (Adware.GameVance) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\TopArcadeHits (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\OpenCandy\BD7C0C31F2E6451BA26F88CA365F0500 (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3} (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\chrome (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\chrome\content (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\skin (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468 (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\xpi (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

Files Detected: 26
C:\Users\Emily\AppData\Local\TopArcadeHits\Toparcadehits.dll (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Emily\Downloads\converterlite_d793560.exe (PUP.Optional.InstallIQ.A) -> Quarantined and deleted successfully.
C:\Users\Emily\Downloads\mediaplayerlite_d166371.exe (PUP.Optional.InstallIQ.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\TopArcadeHits\uninstaller.exe (Adware.GameVance) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\TopArcadeHits\updater.exe (Adware.GameVance) -> Quarantined and deleted successfully.
C:\Users\Emily\Local Settings\Temporary Internet Files\Content.IE5\FMIKSLKQ\Setup[1].exe (PUP.Optional.LuckyLeap.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TopArcadeHits\Play Toparcadehits Online.url (Adware.GameVance) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\TopArcadeHits\Uninstall Toparcadehits.lnk (Adware.GameVance) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\TopArcadeHits\tah.config (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\TopArcadeHits\uninstaller.exe (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\TopArcadeHits\updater.exe (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Windows\Tasks\TopArcadeHits.job (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\OpenCandy\BD7C0C31F2E6451BA26F88CA365F0500\TuneUpUtilities2013_2200309_en-US.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\chrome.manifest (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\icon.png (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\install.rdf (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\chrome\content\browser.xul (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\chrome\content\toparcadehits.js (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\{0113D088-8ED1-468C-B225-585A9C53B5E3}\skin\style.css (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\conduitStatistics.csf (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\CT3220468.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\CT3220468.xpi (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\initData.json (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\manifest.json (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\version.txt (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Emily\AppData\Local\Temp\CT3220468\xpi\install.rdf (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

(end)
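The log above is a fixed-format text file, and helpers read it section by section. As an added example (not from the thread or from Malwarebytes), the Python below parses that format from an excerpt of this log plus one constructed "No action taken" line: it totals detections per threat family, checks every "Detected: N" header against the entries listed under it, and lists anything the scanner reported but did not remove.

```python
import re
from collections import Counter

# Excerpt of the Malwarebytes 1.75 log from Reply #3; the last entry is constructed
# to show an item the scanner reported but did not remove.
SAMPLE_LOG = """\
Objects scanned: 241155
Time elapsed: 8 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKCR\\AppID\\{72D89EBF-0C5D-4190-91FD-398E45F1D007} (PUP.Optional.DefaultTab.A) -> Quarantined and deleted successfully.
HKLM\\SOFTWARE\\{6791A2F3-FC80-475C-A002-C014AF797E9C} (PUP.Optional.OptimzerPro.A) -> Quarantined and deleted successfully.

Files Detected: 3
C:\\Users\\Emily\\AppData\\Local\\TopArcadeHits\\Toparcadehits.dll (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\\Windows\\Tasks\\TopArcadeHits.job (PUP.Optional.TopArcadeHits.A) -> Quarantined and deleted successfully.
C:\\Users\\Emily\\Downloads\\converterlite_d793560.exe (PUP.Optional.InstallIQ.A) -> No action taken.
"""

HEADER = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# item (threat family) -> action.  The greedy item lets paths such as "Program Files (x86)" through.
ENTRY = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
REMOVED = "Quarantined and deleted successfully"

def parse_mbam_log(text):
    """Map each 'X Detected: N' section to its declared count and parsed entries."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            current = sections.setdefault(m["section"], {"declared": int(m["count"]), "entries": []})
        elif current is not None and (m := ENTRY.match(line)):
            current["entries"].append((m["item"], m["family"], m["action"]))
        elif not line:
            current = None            # a blank line closes the section
    return sections

def family_counts(sections):
    """Detections per threat family across all sections."""
    return Counter(fam for s in sections.values() for _, fam, _ in s["entries"])

def count_mismatches(sections):
    """Sections whose header count disagrees with the entries actually listed,
    which usually means a truncated or hand-edited paste."""
    return [name for name, s in sections.items() if s["declared"] != len(s["entries"])]

def unresolved(sections):
    """Entries the scanner did not remove: the first thing a helper looks at."""
    return [e for s in sections.values() for e in s["entries"] if e[2] != REMOVED]
```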

Emilystrokes

  • Guest
Re: Logs
« Reply #4 on: December 13, 2013, 09:07:11 AM »
Sorry, I didn't know how to find the file on my computer.

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: Logs
« Reply #5 on: December 13, 2013, 09:50:42 AM »
Hi,


Please download AdwCleaner by Xplode and save to your Desktop.

Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • The logfile will also be saved in the C:\AdwCleaner folder.
Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Please download aswMBR and save it to your desktop.

Double click aswMBR.exe to start the tool.
  • Select Yes if prompted to download the Avast database.
  • Click Scan
  • Upon completion of the scan (Scan finished successfully) click Save log and save it to your desktop, and post that log in your next reply for review.
    Note: do NOT attempt any Fix yet.
My help is free, however if you'd like to show your appreciation by leaving a donation, it will be much appreciated ------> DONATE

Emilystrokes

  • Guest
Re: Logs
« Reply #6 on: December 13, 2013, 11:01:41 AM »
AdwCleaner log

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: Logs
« Reply #7 on: December 13, 2013, 11:09:34 AM »
You need to press Clean in Adwcleaner.

Attach the reports from the other two tools...

Emilystrokes

  • Guest
Re: Logs
« Reply #8 on: December 13, 2013, 11:45:48 AM »
FRST

Emilystrokes

  • Guest
Re: Logs
« Reply #9 on: December 13, 2013, 11:46:35 AM »
Addition

Emilystrokes

  • Guest
Re: Logs
« Reply #10 on: December 13, 2013, 11:51:32 AM »
aswMBR

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Re: Logs
« Reply #11 on: December 13, 2013, 04:38:26 PM »
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
HKCU\...\Run: [News.net] - C:\Program Files\\BreakingNews\DesktopContainer.exe
C:\Program Files\\BreakingNews
URLSearchHook: HKLM-x32 - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
URLSearchHook: HKCU - uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {B65E678C-5CA9-4056-BF9E-D40150AB1781} URL = http://www.mysearchresults.com/search?&c=2653&t=03&q={searchTerms}
SearchScopes: HKCU - {D99B5F0D-F274-4BC8-BAFD-7ED568309428} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
BHO-x32: TubeSaver - {72cb5562-f302-4356-ac85-bfe2fa0ca479} - C:\Program Files (x86)\TubeSaver\126.dll No File
BHO-x32: uTorrentControl_v2 Toolbar - {7473b6bd-4691-4744-a82b-7854eb3d70b6} - C:\Program Files (x86)\uTorrentControl_v2\prxtbuTor.dll (Conduit Ltd.)
Toolbar: HKCU - No Name - {7473B6BD-4691-4744-A82B-7854EB3D70B6} -  No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Extension: TopArcadeHits - C:\Users\Emily\AppData\Roaming\Mozilla\Firefox\Profiles\w5al8gkk.default\Extensions\{0113D088-8ED1-468C-B225-585A9C53B5E3}
FF Extension: jid0-Z0Vu9hJlqV0fhIAPqPfmUCNubYQ - C:\Users\Emily\AppData\Roaming\Mozilla\Firefox\Profiles\w5al8gkk.default\Extensions\jid0-Z0Vu9hJlqV0fhIAPqPfmUCNubYQ@jetpack.xpi
CHR Plugin: (Conduit Chrome Plugin) - C:\Users\Emily\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda\2.3.15.10_0\plugins/ConduitChromeApiPlugin.dll No File
CHR Extension: (uTorrentControl_v2) - C:\Users\Emily\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejpbbhjlbipncjklfjjaedaieimbmdda\10.22.3.518_0
CHR HKLM-x32\...\Chrome\Extension: [ejpbbhjlbipncjklfjjaedaieimbmdda] - C:\Users\Emily\AppData\Local\CRE\ejpbbhjlbipncjklfjjaedaieimbmdda.crx
Folder: C:\AdwCleaner
C:\Users\Emily\AppData\Local\Temp
cmd: ipconfig /flushdns
AlternateDataStreams: C:\ProgramData\PACE:4F0E8CFC6A023E23
AlternateDataStreams: C:\Users\Emily\Cookies:iA4RzzJU1yiuPFYTq3kJ7VDum
AlternateDataStreams: C:\Users\Emily\Local Settings:LQ2upgSwH51WyvtkPuVuYbI
AlternateDataStreams: C:\Users\Emily\Local Settings:No50mwmlzqoTIgjku2qiEN
AlternateDataStreams: C:\Users\Emily\Local Settings:xsMJvCi8iGMISZoDyAGGayzajf
AlternateDataStreams: C:\Users\Emily\AppData\Local:LQ2upgSwH51WyvtkPuVuYbI
AlternateDataStreams: C:\Users\Emily\AppData\Local:No50mwmlzqoTIgjku2qiEN
AlternateDataStreams: C:\Users\Emily\AppData\Local:xsMJvCi8iGMISZoDyAGGayzajf
AlternateDataStreams: C:\Users\Emily\AppData\Local\Application Data:LQ2upgSwH51WyvtkPuVuYbI
AlternateDataStreams: C:\Users\Emily\AppData\Local\Application Data:No50mwmlzqoTIgjku2qiEN
AlternateDataStreams: C:\Users\Emily\AppData\Local\Application Data:xsMJvCi8iGMISZoDyAGGayzajf
AlternateDataStreams: C:\Users\Emily\AppData\Local\Temp:z4hgVm9MfTu9vh46qGqGv9
AlternateDataStreams: C:\Users\Emily\AppData\Local\Temporary Internet Files:aJ2zikVN8f6Szu70h2
AlternateDataStreams: C:\Users\Emily\AppData\Local\Temporary Internet Files:m2UI34YDIyeslRWGUb41CDYAv
AlternateDataStreams: C:\Users\Emily\Documents\-Quantum Physics- The Reality As You Know It Does Not Exist.MP4:TOC.WMV
AlternateDataStreams: C:\Users\Emily\Documents\-Quantum Physics- Welcome To The Matrix.MP4:TOC.WMV
AlternateDataStreams: C:\Users\Emily\Documents\Beethoven Symphony No.9.MP4:TOC.WMV
AlternateDataStreams: C:\Users\Emily\Documents\Coeur De Pirate - Comme Des Enfants (Le Matos Andy Carmichael Remix).MP4:TOC.WMV
AlternateDataStreams: C:\Users\Emily\Documents\Desire Be Desire Go - Tame Impala.MP4:TOC.WMV
AlternateDataStreams: C:\Users\Emily\Documents\Owen Wilson - TV Commercial.MP4:TOC.WMV

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Emilystrokes

  • Guest
Re: Logs
« Reply #12 on: December 14, 2013, 03:18:26 AM »
Fixlog

So far, I haven't received any notifications.

Emilystrokes

  • Guest
Re: Logs
« Reply #13 on: December 14, 2013, 03:22:02 AM »
The fixlist file was changed. It is now named 㩃䙜卒屔畑牡湡楴敮Ȁ. Is this normal?
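As an added note and example (not from the thread), the name reported above is what the ASCII path C:\FRST\Quarantine looks like when its bytes are displayed as UTF-16LE: every two ASCII bytes collapse into one CJK code point, and the stray Ȁ at the end is a leftover byte pair. The code below recovers the path from the reported name and shows the forward direction; that this path is what FRST wrote (C:\FRST\Quarantine is the folder FRST uses for quarantined items) is an inference from the decode, not something the thread states.

```python
# Name copied verbatim from Reply #13 above, including the trailing U+0200.
REPORTED_NAME = "㩃䙜卒屔畑牡湡楴敮Ȁ"

def recover_ascii_from_utf16le_mojibake(text):
    """Undo 'ASCII bytes shown as UTF-16LE'. Each code unit is two bytes, low byte
    first, so re-encoding as UTF-16LE gives back exactly the bytes that were mis-read.
    Returns None when those bytes are not plain printable ASCII (then the cause is
    something other than this mix-up)."""
    raw = text.encode("utf-16-le")                 # the explicit -le codec adds no BOM
    raw = raw.rstrip(bytes(range(0x20)))           # drop NUL/control padding at the end
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")

def mojibake_from_ascii(path):
    """The forward direction, for comparison: what a viewer shows when it reads an
    ASCII string as UTF-16LE (odd-length input gets one NUL byte so it decodes)."""
    data = path.encode("ascii")
    if len(data) % 2:
        data += b"\x00"
    return data.decode("utf-16-le")
```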

Emilystrokes

  • Guest
Re: Logs
« Reply #14 on: December 14, 2013, 03:50:07 AM »
Just got a notification.