Author Topic: URL:MAL Problem - favicon.ico/pop-up - Help Please! (Logs Attached)


REDACTED

  • Guest
I have a suspicion that this may have come from a zip file containing multiple files, including an image-editor picture that was sent to me to edit for work, but I could be wrong.

Tried multiple tools to clean in safe mode, uninstalled/reinstalled browser (lasted 2 days without a detection), and now it's back again.  Detections on multiple page browsing.

Thank you for the help.


« Last Edit: December 26, 2014, 08:14:09 PM by bb211 »

REDACTED

  • Guest
Re: URL:MAL Problem - favicon.ico/pop-up - Help Please! (Logs Attached)
« Reply #1 on: December 26, 2014, 09:58:46 PM »
New logs (since windows updates and add'l scans)


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: URL:MAL Problem - favicon.ico/pop-up - Help Please! (Logs Attached)
« Reply #2 on: December 26, 2014, 10:30:25 PM »
For a start, remove Spybot.
It is far from as good as it once was.
Nowadays we advise using MBAM.

REDACTED

  • Guest
Re: URL:MAL Problem - favicon.ico/pop-up - Help Please! (Logs Attached)
« Reply #3 on: December 27, 2014, 04:20:28 PM »
For a start, remove Spybot.
It is far from as good as it once was.
Nowadays we advise using MBAM.

TY for the info!  I uninstalled Spybot S&D.

REDACTED

  • Guest
Re: URL:MAL Problem - favicon.ico/pop-up - Help Please! (Logs Attached)
« Reply #4 on: December 27, 2014, 05:55:40 PM »
Hi bb211, :)

My name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:

  • Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
  • Please do not install any new software while we are working on this system as it may hinder our process.
  • Malware removal is a complicated process so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
  • Please do not try to fix anything without being asked.
  • Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
  • Please print or save the instructions I give you for quick reference. We may be using Safe mode which will cut you off from internet and you will not always be able to access this thread.
  • Back up your data. I will not knowingly suggest any course to you that might damage your system, but sometimes Malware infections are so severe that the only option we have is to re-format and re-install the operating system.
  • If you are confused about any instruction, stop and ask. Do not keep on going.
  • Do not repeat the steps if you face any problems.
  • I am not omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
  • Private Message(PM) if and only if I have not responded to your thread within three days or your query is offtopic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
  • The fixes are for your system only. Please refrain from using these fixes on other systems as it may do serious damage.


  • Step #1 Run ComboFix
    Download ComboFix by sUBs from one of the suitable locations listed below and save it to your Desktop.
    Download Link #1
    Download Link #2
    Download Link #3

    Warning
    Please acknowledge this warning beforehand. The tool, ComboFix, is an extremely powerful malware removal tool, if not one of the most powerful tools ever created. In the hands of an inept person, or with a simple mistake, it can render your machine un-bootable. Peruse every step I listed below unless you want a dreadful occurrence.
    ***

    • Disable your security software. For more information, peruse this thread;
    • Right-click and choose Run as administrator to run the program.
    • As a built-in process, ComboFix will check if your system has Microsoft Windows Recovery Console installed. Let ComboFix download and install Microsoft Windows Recovery Console.
      • It requires an active internet connection.
      • If your system already has Microsoft Windows Recovery Console installed, this step will be skipped
    • ComboFix will now scan your system for malware and will attempt to remove it.
      • Note: ComboFix performs fifty steps during this fix. Please be patient.
    • After the scan your system will reboot and a log will be produced. The log is automatically saved in C:\ComboFix.txt.
    • Attach the log in your next reply.
    Crucial Notes:
    • Do not mouse-click when ComboFix is running as it may stall.
    • Do not re-run ComboFix if you face a problem. Ask for my instruction here.
    • ComboFix will make Internet Explorer your default browser and will change a number of different Internet Explorer settings.
    • ComboFix prevents autorun functions of all CD and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell me.
    • It is possible that ComboFix, even on its first run, may have fixed the problems you are having. We strongly suggest that you still post your log into the topic that you are receiving help as you most likely will have infections left over that your helper will need to analyze further.
    • ComboFix will disconnect your system from the internet as a security measure. The connection is automatically restored after the scan, but if it is not, it can be restored by rebooting the PC.


  • Required Log(s):
    • ComboFix Log
Regards,
Valinorum

REDACTED

  • Guest
Re: URL:MAL Problem - favicon.ico/pop-up - Help Please! (Logs Attached)
« Reply #5 on: December 27, 2014, 09:34:27 PM »
My system did not auto-reboot after running combofix.  So, I didn't reboot on my own.

As instructed, I've attached the log.

REDACTED

  • Guest
Re: URL:MAL Problem - favicon.ico/pop-up - Help Please! (Logs Attached)
« Reply #6 on: December 28, 2014, 04:50:33 AM »
Are you still having avast! warnings?

REDACTED

  • Guest
Re: URL:MAL Problem - favicon.ico/pop-up - Help Please! (Logs Attached)
« Reply #7 on: December 28, 2014, 05:09:08 PM »
So far, so good.  No detections have appeared yet.  When I did disk clean-ups before, it took about 2 days to start getting detections again.  Is it okay to keep this thread open for a little while?

Thank you!

REDACTED

  • Guest
Re: URL:MAL Problem - favicon.ico/pop-up - Help Please! (Logs Attached)
« Reply #8 on: December 28, 2014, 05:47:46 PM »
I spoke too soon.

I got a detection of URL:MAL -

http://69.39.239.161/

C:\Program Files\Internet Explorer|iexplorer.exe

Then another detection of URL:MAL -

http://Http://48896.bd429d.6715.5da.39.bff7c.f9b....(the rest would allow me copy)

C:\Program Files\Internet Explorer|iexplorer.exe

After this detection, I had multiple .exe's start eating a ton of cpu memory.  It was like a memory leak where everything was slowing in speed.  They include, but are not limited to:

dplaysvr.exe
wextract.exe
upnpcont.exe
fixmapi.exe

I closed my programs, disconnected from the net, and shut down.  Upon reboot, the system regained stability for now.

REDACTED

  • Guest
Re: URL:MAL Problem - favicon.ico/pop-up - Help Please! (Logs Attached)
« Reply #9 on: December 28, 2014, 06:04:44 PM »
Latest detection (which was the most common before)

URL:MAL

http://www.shavethis.com/favicon.ico

C:\ProgramFiles(x86)\MSN\MSNCoreFiles\msn.exe

REDACTED

  • Guest
Re: URL:MAL Problem - favicon.ico/pop-up - Help Please! (Logs Attached)
« Reply #10 on: December 28, 2014, 06:31:12 PM »
Post a fresh FRST scan log.

REDACTED

  • Guest
Re: URL:MAL Problem - favicon.ico/pop-up - Help Please! (Logs Attached)
« Reply #11 on: December 28, 2014, 07:42:58 PM »
Here you go.  Thanks!

REDACTED

  • Guest
Re: URL:MAL Problem - favicon.ico/pop-up - Help Please! (Logs Attached)
« Reply #12 on: December 29, 2014, 05:50:25 AM »
Please uninstall Spybot - Search & Destroy for now.




  • Step #2 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and Paste the contents inside the code-box to your Notepad --
Code:
Start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-408397430-2629080013-721727374-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
URLSearchHook: HKU\S-1-5-21-408397430-2629080013-721727374-1000 - Default Value = (value not set)
SearchScopes: HKLM-x32 -> {1E43ED7E-11D6-4C6F-B068-949A4DD67685} URL =
SearchScopes: HKLM-x32 -> {39EE7564-711E-45B6-99D0-5609954268A3} URL =
SearchScopes: HKLM-x32 -> {5B377FAC-EC59-417D-929C-10F5404D7823} URL =
SearchScopes: HKLM-x32 -> {68D0842A-2A9A-47DB-B072-F693B1948911} URL =
SearchScopes: HKU\S-1-5-21-408397430-2629080013-721727374-1000 -> {1E43ED7E-11D6-4C6F-B068-949A4DD67685} URL =
SearchScopes: HKU\S-1-5-21-408397430-2629080013-721727374-1000 -> {39EE7564-711E-45B6-99D0-5609954268A3} URL =
SearchScopes: HKU\S-1-5-21-408397430-2629080013-721727374-1000 -> {5B377FAC-EC59-417D-929C-10F5404D7823} URL =
SearchScopes: HKU\S-1-5-21-408397430-2629080013-721727374-1000 -> {68D0842A-2A9A-47DB-B072-F693B1948911} URL =
SearchScopes: HKU\S-1-5-21-408397430-2629080013-721727374-1000 -> {FB962F7A-C3E8-4FDB-B715-52410CBFFD6E} URL = http://www.mypoints.com/emp/u/mysearch.vm?q={searchTerms}&mypoints_brw=1
Toolbar: HKU\S-1-5-21-408397430-2629080013-721727374-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CMD: ipconfig /flushdns
End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Attach the log in your next reply.





  • Required Log(s):
    • FRST Fix Log
    • RogueKiller Scan Log
Regards,
Valinorum
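The fixlist above removes Internet Explorer policy restrictions, empty SearchScopes entries and a SearchScopes entry pointing at a third-party search URL. The following read-only PowerShell audit is an added example, not FRST's code and not part of Valinorum's instructions: it enumerates the same registry locations (the native and Wow6432Node machine hives, which FRST labels HKLM-x32, plus the current user's hive instead of the HKU\<SID> path in the log) and reports policy values and search scopes with an empty or unexpected URL. The list of search hosts treated as expected is an assumption to adjust for your own environment.

```powershell
# Added example (not from the thread, not FRST's code): read-only audit of the
# Internet Explorer registry locations targeted by the fixlist above.
# Assumptions: HKCU stands in for the HKU\<SID> hive from the log, and the
# expected search-provider hosts below are a placeholder list.

$expectedSearchHosts = @('www.bing.com', 'www.google.com')   # placeholder, adjust as needed

# Policy keys that FRST flagged as "Policy restriction"
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer'
)

# SearchScopes roots: native 64-bit, 32-bit (Wow6432Node = FRST's "HKLM-x32"), per-user
$scopeRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
)

function Get-IEPolicyFindings {
    # Every value under the Policies tree is a restriction imposed on the browser;
    # on a home PC without domain Group Policy, each one deserves an explanation.
    $findings = @()
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $keys = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $findings += [pscustomobject]@{
                    Kind  = 'PolicyRestriction'
                    Key   = $k.Name
                    Name  = $name
                    Value = $k.GetValue($name)
                }
            }
        }
    }
    return $findings
}

function Get-IESearchScopeFindings {
    # Each search scope is a subkey (a GUID) holding a URL value; report scopes whose
    # URL is empty (the "URL =" lines in the FRST log) or points at an unexpected host.
    $findings = @()
    foreach ($root in $scopeRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($scope in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $url  = $scope.GetValue('URL')
            $kind = $null
            if ([string]::IsNullOrWhiteSpace($url)) {
                $kind = 'EmptyUrl'
            } else {
                try { $hostName = ([uri]$url).Host } catch { $hostName = '' }
                if ($expectedSearchHosts -notcontains $hostName) { $kind = 'UnexpectedHost' }
            }
            if ($kind) {
                $findings += [pscustomobject]@{
                    Kind = $kind
                    Key  = $scope.Name
                    Url  = $url
                }
            }
        }
    }
    return $findings
}

$all = @(Get-IEPolicyFindings) + @(Get-IESearchScopeFindings)
if ($all.Count -eq 0) {
    'No IE policy restrictions or suspicious SearchScopes entries found.'
} else {
    $all | Format-Table -AutoSize
}
```

The script only reads the registry; it does not delete anything, so it can be run before and after the FRST fix to confirm that the flagged entries are gone. Removal of the entries remains with the helper's fixlist, and the DNS cache flush (`ipconfig /flushdns`) and the orphaned Toolbar CLSID from the fixlist are not covered here.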

REDACTED

  • Guest
Re: URL:MAL Problem - favicon.ico/pop-up - Help Please! (Logs Attached)
« Reply #13 on: December 29, 2014, 06:32:53 AM »
Previously, I uninstalled Spybot S&D and found no traces of it in the add/remove programs.  I was just able to delete the shortcut.

Here are the requested logs. Ty!

REDACTED

  • Guest
Re: URL:MAL Problem - favicon.ico/pop-up - Help Please! (Logs Attached)
« Reply #14 on: December 29, 2014, 06:33:57 AM »
How is your PC?