Author Topic: URL:Mal  (Read 16128 times)


davidle

  • Guest
URL:Mal
« on: June 15, 2012, 08:40:47 AM »
Similar problem to this user, http://forum.avast.com/index.php?topic=99535.0 and have been advised by Asyn to start my own topic.

The problem happens when I load pages using Chrome. Things seem to be fine with Internet Explorer.

This is what Avast comes up with:
     Object: "hxxp://includeit.info/scripts/inl_dmmtc/inldmmtch.js"
     Infection: "URL:Mal"
     Process: chrome.exe

I have followed the steps here, http://forum.avast.com/index.php?topic=53253.0


davidle

  • Guest
Re: URL:Mal
« Reply #1 on: June 15, 2012, 08:41:36 AM »
The log from MBAM:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.15.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
David Le :: DAVIDLE-LAPTOP [administrator]

15/06/2012 4:24:19 PM
mbam-log-2012-06-15 (16-24-19).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 216444
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 15
HKCR\CLSID\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\TypeLib\{BB7256DD-EBA9-480B-8441-A00388C2BEC3} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\Interface\{3D782BB2-F2A5-11D3-BF4C-000000000000} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncherBHO.1 (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncherBHO (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\CLSID\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncher.1 (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncher (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Data: VShareTB -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://startsear.ch/?aff=1&cf=bb799703-1dab-11e1-a6bb-ea7e163ecfb7) Good: (http://www.google.com) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://startsear.ch/?aff=1&cf=bb799703-1dab-11e1-a6bb-ea7e163ecfb7) Good: (http://www.google.com) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files (x86)\vShare.tv plugin\BarLcher.dll (PUP.VShareRedir) -> Quarantined and deleted successfully.

(end)
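As an added example, not part of the thread: a small Python parser for the MBAM log format shown above, which pulls out each detection's object, family and final action, and checks that every section's declared count matches the items actually listed. The excerpt embedded below is a constructed subset of the posted log.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the MBAM log posted above (same line format, fewer lines).
SAMPLE_LOG = r"""Registry Keys Detected: 2
HKCR\CLSID\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://startsear.ch/?aff=1) Good: (http://www.google.com) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files (x86)\vShare.tv plugin\BarLcher.dll (PUP.VShareRedir) -> Quarantined and deleted successfully.

(end)
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# object (registry key/value or file path), detection family in parentheses, then the action chain
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+)$")
BAD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\)")   # hijacked value in Registry Data Items lines

@dataclass
class Finding:
    section: str
    obj: str
    family: str
    action: str          # last "-> ..." segment, e.g. "Quarantined and deleted successfully."
    bad_value: str = ""  # only set for Hijack.* data items

def parse_mbam_log(text):
    """Return ({section: declared_count}, [Finding, ...]) for an MBAM log body."""
    declared, findings, section = {}, [], None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m["name"]
            declared[section] = int(m["count"])
        elif section and (m := ITEM_RE.match(line)):
            rest = m["rest"]
            bad = BAD_RE.search(rest)
            findings.append(Finding(section, m["obj"], m["family"],
                                    rest.rsplit(" -> ", 1)[-1], bad["bad"] if bad else ""))
    return declared, findings

def count_mismatches(declared, findings):
    """Sections whose declared count differs from the items listed under them: {section: (declared, actual)}."""
    actual = Counter(f.section for f in findings)
    return {s: (n, actual[s]) for s, n in declared.items() if n != actual[s]}

def families(findings):
    """How many findings each detection family accounts for."""
    return Counter(f.family for f in findings)
```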

davidle

  • Guest
Re: URL:Mal
« Reply #2 on: June 15, 2012, 09:24:20 AM »
Having trouble getting past OTL with

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
services.exe
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT

entered in. It scans for firefox files and then doesn't respond.

davidle

  • Guest
Re: URL:Mal
« Reply #3 on: June 15, 2012, 09:46:56 AM »
Installed Firefox as I previously didn't have it. It still stops at "Scanning FireFox settings".

davidle

  • Guest
Re: URL:Mal
« Reply #4 on: June 15, 2012, 09:59:26 AM »
Malwarebytes' Anti-Malware seems to have solved the problem. Will report back if it comes up again.

EDIT: Problem is still there =[
« Last Edit: June 15, 2012, 12:25:40 PM by davidle »

davidle

  • Guest
Re: URL:Mal
« Reply #5 on: June 16, 2012, 01:02:04 PM »
Any suggestions for getting stuck at Scanning FireFox settings with OTL?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: URL:Mal
« Reply #6 on: June 16, 2012, 08:47:45 PM »
Try once more, but without the script this time; just press Run Scan.

davidle

  • Guest
Re: URL:Mal
« Reply #7 on: June 17, 2012, 02:17:34 PM »
It still hangs unfortunately.

Offline essexboy

Re: URL:Mal
« Reply #8 on: June 17, 2012, 02:35:56 PM »
Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------
 
Please attach the contents of the following in your next reply:
 
DDS.txt
 
Please attach the second file; Attach.txt. To attach a file, do the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

davidle

  • Guest
Re: URL:Mal
« Reply #9 on: June 21, 2012, 03:35:11 AM »
I couldn't upload the files, but I have put them into my Dropbox public folder.

https://dl.dropbox.com/u/28272193/Attach.txt
https://dl.dropbox.com/u/28272193/DDS.txt

Hope you can help!

Offline essexboy

Re: URL:Mal
« Reply #10 on: June 21, 2012, 03:54:27 PM »
According to that, Firefox has a plethora of entries, which is why OTL appears to be stalling there.

The main problem with using DDS is that it forces me to use combofix for the cleaning

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.

davidle

  • Guest
Re: URL:Mal
« Reply #11 on: June 22, 2012, 06:13:26 AM »
Essexboy, ComboFix ran and completed, here is the log https://dl.dropbox.com/u/28272193/ComboFix.txt

It took longer than I thought.

Anyway my laptop no longer seems to be coming up with the Avast warning. I'm not sure if it's due to the processes I've been doing or the recent Java update.

Could you please have a look at the log and see if you find anything?

I will post back in a few days to let you know if the warning comes up again.

Thank you again for your help so far.

true indian

  • Guest
Re: URL:Mal
« Reply #12 on: June 22, 2012, 06:18:59 AM »
wait until evening for essex to reply please :)

Offline essexboy

Re: URL:Mal
« Reply #13 on: June 22, 2012, 03:46:09 PM »
That log looks OK. What I would recommend is a clean install of Firefox as it appears to be corrupted. Could you do that and then retry OTL please. Also how is the system behaving now?

Clean install http://kb.mozillazine.org/Uninstalling_firefox

davidle

  • Guest
Re: URL:Mal
« Reply #14 on: June 23, 2012, 12:31:08 AM »
I've done the clean install of Firefox but have not installed it again as I use Chrome. Would you still suggest installing Firefox and running OTL?

My laptop is running fine now!!! Woohoo!!! No more pop-ups. Thanks a lot Essexboy. Have a great weekend.

Hope to hear from you soon.