Topic: URL:Mal Cannot Clean


20Chuck02

  • Guest
URL:Mal Cannot Clean
« on: March 12, 2014, 02:17:02 AM »
I Have ran a full system scan and a boot time scan and have not been able to remove this Malware.
This is what my alert is leading me to http://puu.sh/7s1Q5.jpg
What is happening: Every time I open a webpage in Chrome the alert goes off, but not until I go to a actual website. It will let the home page load without a warning.
Just looking for any help in removing whatever is causing this.
Thank you for reading!
Chuck

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: URL:Mal Cannot Clean
« Reply #1 on: March 12, 2014, 02:26:21 AM »
Hello,
We'll run system diagnostics with these two powerful tools. That will allow us to quickly ascertain whether and / or where malware may be running on your machine.



=> Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
---    ---    ---    ---    ---    ---


=> Please download GMER, the RootKit Detector tool from the link below and save it to your Desktop:

Gmer download link
Note: the file will have a random name.

Double-click to run GMER.
  • Wait for initial scan to finish - if there is any query, click No;
  • Click [ Scan ] button and wait until the full scan is complete;
  • Click [ Save ... ] and save the report to the Desktop (named ARK);

  • Then click the >>> button and select Autostart card;
  • Click [ Scan ] button;
  • After quick scan, click Copy button;
  • Open notepad and paste the text. Save the report to the Desktop (named autostart).
> Attach here both GMER log reports (ARK.txt and autostart.txt).


20Chuck02

Re: URL:Mal Cannot Clean
« Reply #2 on: March 12, 2014, 02:40:23 AM »
As you requested magna86 here are the files.

20Chuck02

Re: URL:Mal Cannot Clean
« Reply #3 on: March 12, 2014, 02:41:40 AM »
The other 2 files

20Chuck02

Re: URL:Mal Cannot Clean
« Reply #4 on: March 12, 2014, 03:23:38 AM »
I just ran AVAST browser cleaner and after looking through the logs I saw savings bull in both of them and it was on there and I removed that as well. Right now I am not getting that annoying Malware alert.

Offline magna86

Re: URL:Mal Cannot Clean
« Reply #5 on: March 12, 2014, 03:34:06 AM »
Hi 20Chuck02,

After preliminary preparation (uninstall and msconfig) we shall tell FRST to target the bad stuff. TFC is there to perform some temp & cache cleaning as it should be done, and after that I will need the fresh FRST log for re-test/check.

---     ---     ---



First from Control Panel > Programs and Features you shall need to uninstall the following PUP:
Torchlight 2

---     ---     ---

From the posted log I can see you have been using the msconfig utility to disable a few startup items. I'll need you to enable these items, as I shall script them for FRST as removal targets.

MSCONFIG\startupreg: Pando Media Booster => C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
MSCONFIG\startupreg: SearchSettings => "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"





---     ---     ---
FRST's FixList
---     ---



1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Code:

Start
File: C:\Users\Chuck\Downloads\DL OLD\my_network_speed\my_network_speed\My_Network_Speed.exe
Folder: C:\Windows\SysWOW64\AI_RecycleBin
C:\Users\Chuck\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerReg Scheduler.exe
C:\Users\Chuck\AppData\Roaming\Mozilla\Firefox\Profiles\f9g2vo6c.default\searchplugins\sweetim.xml
C:\Users\Chuck\AppData\Roaming\Mozilla\Firefox\Profiles\f9g2vo6c.default\Extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi
C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
C:\Program Files (x86)\Common Files\Spigot
C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\External Extensions\{EEE6C373-6118-11DC-9C72-001320C79847}
C:\Users\Chuck\AppData\Local\Temp\*.exe
C:\Program Files (x86)\Pando Networks
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}
SearchScopes: HKLM-x32 - DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10043&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}
SearchScopes: HKLM-x32 - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10043&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}
SearchScopes: HKCU - DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10043&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}
SearchScopes: HKCU - {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}&st=12&crg=3.5000006.10043&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}
BHO-x32: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO-x32: Define - {B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} - C:\Users\Chuck\AppData\Local\DefineExt\temp.dat No File
FF Homepage: hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}
FF Homepage: hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10043&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}
FF Keyword.URL: hxxp://start.sweetpacks.com/?src=2&st=12&barid={14FBFE79-9B28-11E2-98EC-BC5FF45BBD7E}&q=
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF SearchPlugin: C:\Users\Chuck\AppData\Roaming\Mozilla\Firefox\Profiles\f9g2vo6c.default\searchplugins\sweetim.xml
FF Extension: SweetPacks Toolbar for Firefox - C:\Users\Chuck\AppData\Roaming\Mozilla\Firefox\Profiles\f9g2vo6c.default\Extensions\{EEE6C361-6118-11DC-9C72-001320C79847}.xpi [2013-04-01]
CHR Extension: (SweetPacks Chrome Extension) - C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj [2013-04-01]
CHR HKLM-x32\...\Chrome\Extension: [hbcennhacfaagdopikcegfcobcadeocj] - C:\Program Files (x86)\Common Files\Spigot\GC\saebay_1.1.crx [2013-10-14]
CHR HKLM-x32\...\Chrome\Extension: [icdlfehblmklkikfigmjhbmmpmkmpooj] - C:\Program Files (x86)\Common Files\Spigot\GC\ErrorAssistant_1.3.crx [2013-12-27]
CHR HKLM-x32\...\Chrome\Extension: [mhkaekfpcppmmioggniknbnbdbcigpkk] - C:\Program Files (x86)\Common Files\Spigot\GC\coupons_2.4.crx [2013-04-26]
CHR HKLM-x32\...\Chrome\Extension: [ogccgbmabaphcakpiclgcnmcnimhokcj] - C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\External Extensions\{EEE6C373-6118-11DC-9C72-001320C79847}\SweetNT.crx [2013-04-01]
CHR HKLM-x32\...\Chrome\Extension: [pfndaklgolladniicklehhancnlgocpp] - C:\Program Files (x86)\Common Files\Spigot\GC\saamazon_1.0.crx [2012-11-22]
HKU\S-1-5-21-3399705442-796983185-888733733-1000\...\MountPoints2: {5e98699c-01e5-11e3-bb41-bc5ff45bbd7e} - H:\TL-Bootstrap.exe
HKU\S-1-5-21-3399705442-796983185-888733733-1000\...\MountPoints2: {9f1241f4-7c7e-11e3-ab06-bc5ff45bbd7e} - H:\MotorolaDeviceManagerSetup.exe -a
HKU\S-1-5-21-3399705442-796983185-888733733-1000\...\MountPoints2: {cb9ea324-6dcb-11e2-96b5-bc5ff45bbd7e} - H:\ToolLauncher-Bootstrap.exe
HKU\S-1-5-21-3399705442-796983185-888733733-1000\...\MountPoints2: {e0d45140-6e5c-11e3-bfa7-bc5ff45bbd7e} - H:\VZW_Software_upgrade_assistant.exe
AlternateDataStreams: C:\ProgramData:gs5sys
AlternateDataStreams: C:\Users\All Users:gs5sys
AlternateDataStreams: C:\Users\Chuck:gs5sys
AlternateDataStreams: C:\ProgramData\Application Data:gs5sys
AlternateDataStreams: C:\Users\Chuck\Application Data:gs5sys
AlternateDataStreams: C:\Users\Chuck\Cookies:gs5sys
AlternateDataStreams: C:\Users\Chuck\Local Settings:gs5sys
AlternateDataStreams: C:\Users\Chuck\Templates:gs5sys
AlternateDataStreams: C:\Users\Chuck\AppData\Local:gs5sys
AlternateDataStreams: C:\Users\Chuck\AppData\Roaming:gs5sys
AlternateDataStreams: C:\Users\Chuck\AppData\Local\Application Data:gs5sys
AlternateDataStreams: C:\Users\Chuck\AppData\Local\History:gs5sys
AlternateDataStreams: C:\Users\Chuck\Documents\desktop.ini:gs5sys
AlternateDataStreams: C:\Users\Public\Documents\desktop.ini:gs5sys
REBOOT:
End




2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.





---     ---     ---
TempFileCleaner
---     ---


Please download TFC by OldTimer to your desktop.
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
---     ---     ---
Re-check / FRST Scan
---     ---


Re-run FRST64 . . .

  • Double-click to run it and press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.

20Chuck02

Re: URL:Mal Cannot Clean
« Reply #6 on: March 12, 2014, 03:57:26 AM »
Here is the FRST after adding Pando and Spigot back to msconfig

20Chuck02

Re: URL:Mal Cannot Clean
« Reply #7 on: March 12, 2014, 04:04:55 AM »
And here is the fix file, had to restart computer it did it automatically.

20Chuck02

Re: URL:Mal Cannot Clean
« Reply #8 on: March 12, 2014, 04:19:17 AM »
And here is the final FRST you asked for after TFC ran.

Offline magna86

Re: URL:Mal Cannot Clean
« Reply #9 on: March 12, 2014, 02:59:03 PM »
Hi 20Chuck02,

This fix shall contain two steps. First we will tell FRST to target malware and then we will perform additional cleaning using ComboFix. At the end we're running a re-scan.



---     ---     ---
FRST's FixList
---     ---





1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
C:\Windows\SysWOW64\AI_RecycleBin
C:\Program Files (x86)\Common Files\Spigot
C:\Program Files\Updater By SweetPacks
C:\Users\Chuck\AppData\Local\Temp\10d2ca4a-28d7-4d81-8c1e-dc42bb6c83fc\CliSecureRT64.dll
HKLM-x32\...\Run: [SearchSettings] - "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
FF HKLM\...\Firefox\Extensions: [{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}] - C:\Program Files\Updater By SweetPacks\Firefox
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.





---     ---     ---
ComboFix
---     ---



1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this, please read this or this instruction.

Instructions how to disable avast:
  • Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

- ComboFix will display a DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

- ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

- If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
- ComboFix will scan your computer in stages, total of 50 stages.
Do not mouse-click around while ComboFix is running.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart your computer.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) back to the topic.
ComboFix shall also create an additional log. Please attach it to your reply:
C:\Qoobox\ComboFix-quarantined-files.txt






---     ---     ---     ---     ---     ---     ---     ---     ---     ---     
Re-check . .
---     ---



Re-run FRST64 . .
  • Double-click to run it.
  • Under Optional Scan ensure "Addition.txt" is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The tool shall create another log (Addition.txt). Please attach it to your reply as well.
Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
  • Type CliSecureRT64.dll;rsa64.dll into the Search: field in FRST then click the Search File(s) button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.
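Both fixlists in this thread (the one in Reply #5 and the one above) are plain-text scripts that FRST reads line by line, and the NOTICE warns that they are written for one machine only. As an added example, not FRST's own code and not from this thread, here is a small Python reviewer that classifies each line and lists the file paths and web hosts a fixlist references before anyone runs it; it is run over a constructed subset of the lines posted above, and the category names and prefix list are this example's own labels, not FRST terminology.

```python
import re

# Constructed sample: a subset of the lines from the fixlists in this thread, URL parameters shortened.
SAMPLE_FIXLIST = r"""Start
File: C:\Users\Chuck\Downloads\DL OLD\my_network_speed\My_Network_Speed.exe
Folder: C:\Windows\SysWOW64\AI_RecycleBin
C:\Program Files (x86)\Common Files\Spigot
C:\Users\Chuck\AppData\Local\Temp\*.exe
SearchScopes: HKCU - DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL = http://start.sweetpacks.com/?src=6&q={searchTerms}
BHO-x32: Define - {B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} - C:\Users\Chuck\AppData\Local\DefineExt\temp.dat No File
FF Homepage: hxxp://start.sweetpacks.com/?src=10
CHR HKLM-x32\...\Chrome\Extension: [hbcennhacfaagdopikcegfcobcadeocj] - C:\Program Files (x86)\Common Files\Spigot\GC\saebay_1.1.crx [2013-10-14]
HKU\S-1-5-21-3399705442-796983185-888733733-1000\...\MountPoints2: {5e98699c-01e5-11e3-bb41-bc5ff45bbd7e} - H:\TL-Bootstrap.exe
AlternateDataStreams: C:\Users\Chuck:gs5sys
REBOOT:
End
"""

DIRECTIVES = {"File", "Folder", "REBOOT"}  # directive words that appear in this thread's fixlists (example's own list)
LOG_PREFIXES = ("SearchScopes:", "BHO", "FF ", "CHR ", "HKU\\", "HKCU\\", "HKLM", "AlternateDataStreams:", "MSCONFIG\\")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n\[]+?(?=\s+No File|\s*\[|\s*$)')  # stop before "[date]" or "No File"
HOST_RE = re.compile(r'(?:https?|hxxps?)://([^/\s?]+)', re.I)  # hxxp:// is the defanged form used in the logs

def classify(line):
    # Explicit directive, bare file-system path, entry copied from the FRST log, or something unexpected.
    word = line.split(":", 1)[0]
    if word in DIRECTIVES:
        return "directive:" + word
    if re.match(r"[A-Za-z]:\\", line):
        return "path"
    if line.startswith(LOG_PREFIXES):
        return "log-entry"
    return "unknown"

def review(text):
    # Summarise what a fixlist touches: line categories, every file path and every web host it names.
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    framed = bool(lines) and lines[0] == "Start" and lines[-1] == "End"
    body = lines[1:-1] if framed else lines
    cats, paths, hosts, unknown = {}, set(), set(), []
    for line in body:
        cat = classify(line)
        cats[cat] = cats.get(cat, 0) + 1
        if cat == "unknown":
            unknown.append(line)  # lines a reviewer should read by hand before running the fix
        paths.update(m.group(0) for m in PATH_RE.finditer(line))
        hosts.update(h.lower() for h in HOST_RE.findall(line))
    return {"framed": framed, "categories": cats, "paths": sorted(paths),
            "hosts": sorted(hosts), "unknown": unknown}
```

Calling `review(SAMPLE_FIXLIST)` reports eight distinct paths, the single host start.sweetpacks.com, and no unknown lines, which is the kind of summary worth checking against the machine in question before pressing Fix.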

20Chuck02

Re: URL:Mal Cannot Clean
« Reply #10 on: March 12, 2014, 06:05:04 PM »
FRST's FixList

20Chuck02

Re: URL:Mal Cannot Clean
« Reply #11 on: March 12, 2014, 06:06:44 PM »
ComboFix

20Chuck02

Re: URL:Mal Cannot Clean
« Reply #12 on: March 12, 2014, 06:10:50 PM »
Re-check . .

Offline magna86

Re: URL:Mal Cannot Clean
« Reply #13 on: March 12, 2014, 07:07:19 PM »
Hi 20Chuck02,

This looks promising. How is the computer running now?




Btw, my uninstall instruction for 'Torchlight 2' isn't valid. It's my bad search. I apologize.

This is how I see the online game; a re-install should save the day.
« Last Edit: March 12, 2014, 07:10:18 PM by magna86 »

20Chuck02

Re: URL:Mal Cannot Clean
« Reply #14 on: March 12, 2014, 08:43:16 PM »
Haven't had any avast alerts at all, and I was wondering that about Torchlight 2 as well, but it's no big deal; it can be re-installed. I myself haven't played it in such a long time. Thank you so much for this help, you are the best!