Avast WEBforum

Other => Viruses and worms => Topic started by: psknapp on August 31, 2013, 02:38:41 AM

Title: Malicious URL blocked... a lot.
Post by: psknapp on August 31, 2013, 02:38:41 AM
I know I'm not the only one with this, but I keep getting the red pop up stating Malicious URL blocked.  I've run Malwarebytes and OTL and received the attached messages.  There seem to be a lot of sites, but they all end with /task/23/, whatever that is.
Title: Re: Malicious URL blocked... a lot.
Post by: Michael (alan1998) on August 31, 2013, 03:19:12 AM
MBAM isn't attached.... What about Adwcleaner?
Title: Re: Malicious URL blocked... a lot.
Post by: psknapp on August 31, 2013, 06:33:54 AM
Okay, trying again.  I had to do MB and OTL again.
Title: Re: Malicious URL blocked... a lot.
Post by: mikaelrask on August 31, 2013, 08:42:28 AM
Hey, also attach the aswMBR log here. If it does not run in normal mode, try safe mode.
Title: Re: Malicious URL blocked... a lot.
Post by: Pondus on August 31, 2013, 09:18:44 AM
Your Malwarebytes log says NO ACTION TAKEN. Update MBAM, run a new quick scan, then click REMOVE SELECTED.

Run AdwCleaner again: click Scan, and when it finishes click Clean.


Malware removers are notified...

Title: Re: Malicious URL blocked... a lot.
Post by: argus on August 31, 2013, 09:59:59 AM
Hi, I will be working on your Malware issues.


Re-run OTL.exe.

Code:

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&CUI=UN39353847742539125&UM=2&ctid=CT3289847
IE - HKCU\..\SearchScopes,DefaultScope = {F213A413-B343-4FA1-B4F8-8157444D4DF3}
IE - HKCU\..\SearchScopes\{043C5167-00BB-4324-AF7E-62013FAEDACF}: "URL" = http://vshareus.my-quick-search.com/search.aspx?q={searchTerms}&srch=dsp
IE - HKCU\..\SearchScopes\{F213A413-B343-4FA1-B4F8-8157444D4DF3}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289847&CUI=UN39353847742539125&UM=2
[2013/08/29 19:47:56 | 000,000,000 | ---D | M] (WhiteSmoke New) -- C:\Users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}
[2013/08/29 19:51:14 | 000,000,000 | ---D | M] (WebProtect) -- C:\Users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\extensions\{AF58FD11-7BF2-4F0E-8315-05572D38DF07}
[2013/01/05 08:07:05 | 000,004,011 | ---- | M] () (No name found) -- C:\Users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\extensions\{5391280d-2dd4-11e2-8271-b8ac6f996f26}.xpi
[2013/08/29 19:48:00 | 000,001,005 | ---- | M] () -- C:\Users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\searchplugins\conduit.xml
[2013/08/29 20:20:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
CHR - default_search_provider: Conduit (Enabled)
CHR - default_search_provider: search_url = http://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN32093413418161156&ctid=CT3289847&UM=2
CHR - default_search_provider: suggest_url = http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}&CUI=UN32093413418161156&UM=2
CHR - homepage: http://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN32093413418161156&UM=2
O2 - BHO: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()
CHR - Extension: Web Protect = C:\Users\Knapp\AppData\Local\Google\Chrome\User Data\Default\Extensions\oamhmngeopfinppeiiamgjhlijnmelgo\5.0_0\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()
O2 - BHO: (MSS+ Identifier) - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (Web Protect) - {2CEBF6C7-2B40-469B-B5D5-CD3F3676C3C4} - C:\Program Files (x86)\Web Protect\WebProtect.dll (WebProtect)
O3:64bit: - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKLM\..\Toolbar: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O4 - HKCU..\Run: [ConduitFloatingPlugin_klibnahbojhkanfgaglnlalfkgpcppfi] C:\Program Files (x86)\Conduit\CT3289847\plugins\TBVerifier.dll (Conduit Ltd.)
O4 - HKCU..\Run: [dddafcaeebaec] "C:\ProgramData\dddafcaeebaec.exe" File not found
O4 - HKCU..\Run: [Dyhuoxby] C:\Users\Knapp\AppData\Roaming\Heyb\qobu.exe File not found
O4 - HKCU..\Run: [Google Update] Reg Error: Value error. File not found
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: dddafcaeebaead = C:\Users\Knapp\AppData\Local\067d037d-d29a-4f51-898c-a8ee4368b7aead\dddafcaeebaead.exe
O8:64bit: - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 File not found
O8:64bit: - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
O18 - Protocol\Handler\vsharechrome {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()

:files
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Program Files (x86)\Conduit
C:\Users\Knapp\AppData\Local\Conduit

:commands
[CREATERESTOREPOINT]
[emptytemp]

If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log


1. Please download ComboFix from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your Desktop.
If you are unsure how ComboFix works please read this guide (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully.
note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this (http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html) or this (http://www.bleepingcomputer.com/forums/topic114351.html) Instruction.

Instructions on how to disable avast:
Note: Do not forget to turn on this option after the cleaning.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach the log report (ComboFix.txt) back to the topic.
Title: Re: Malicious URL blocked... a lot.
Post by: psknapp on August 31, 2013, 06:34:16 PM
Thanks!  I did as you stated and attached the file.  One odd development: there are sounds coming through the speakers, like a video or streaming audio, even when there is nothing playing on the computer.
Title: Re: Malicious URL blocked... a lot.
Post by: argus on August 31, 2013, 06:38:43 PM
Run ComboFix; you have the instructions.
Title: Re: Malicious URL blocked... a lot.
Post by: psknapp on August 31, 2013, 07:39:55 PM
Sorry.  I am trying to do this in between watching the kids.  Here is the ComboFix file.
Title: Re: Malicious URL blocked... a lot.
Post by: argus on August 31, 2013, 08:17:05 PM
Open notepad and copy/paste the text present inside the code box below:


Code:

File::
c:\windows\SYSNATIVE\drivers\cnhpfrcf.sys
c:\windows\SYSNATIVE\drivers\ekdsmkik.sys
c:\windows\SYSNATIVE\drivers\nrmtsuet.sys
c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe

Driver::
cnhpfrcf
ekdsmkik
nrmtsuet
McComponentHostService

DDS::
FF - ProfilePath - c:\users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\
FF - ExtSQL: !HIDDEN! 2010-01-31 11:24; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3


Save this as CFScript.txt

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
Title: Re: Malicious URL blocked... a lot.
Post by: psknapp on September 01, 2013, 01:02:32 AM
I did it twice.  The first time I am uncertain it finished and no log was generated.  I've attached the log from the second run.

Thank you!
Title: Re: Malicious URL blocked... a lot.
Post by: argus on September 01, 2013, 08:26:37 AM

This is a report from the first run. Nothing has been done.




Open notepad and copy/paste the text present inside the code box below:


Code:

KillAll::

File::
c:\users\Knapp\AppData\Local\Google\Chrome\Application\chrome.exe
c:\windows\SYSNATIVE\drivers\cnhpfrcf.sys
c:\windows\SYSNATIVE\drivers\ekdsmkik.sys
c:\windows\SYSNATIVE\drivers\nrmtsuet.sys
c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleChromeAutoLaunch_1188854577A12D18723E5D6124D4F6D4"=-

Driver::
cnhpfrcf
ekdsmkik
nrmtsuet
McComponentHostService

Firefox::
FF - ProfilePath - c:\users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\
FF - ExtSQL: !HIDDEN! 2010-01-31 11:24; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3




Save this as CFScript.txt

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt onto ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
Title: Re: Malicious URL blocked... a lot.
Post by: psknapp on September 01, 2013, 04:26:44 PM
Here is the log. 

Not sure if it means anything (yet) but the speakers were playing sounds with nothing else running about halfway through and after it was complete. 
Title: Re: Malicious URL blocked... a lot.
Post by: argus on September 01, 2013, 04:40:48 PM
I did not understand the problem with the speakers; what do you hear?

Log file looks good, no malware.
Title: Re: Malicious URL blocked... a lot.
Post by: psknapp on September 01, 2013, 07:00:09 PM
When we turn the computer on, it sounds like multiple audio streams at the same time.  It's not forever and turns off after a few minutes. 

I am still seeing the /task/23/ malicious url blocked messages, though.  10 in the past minute and the only open program is explorer.
Title: Re: Malicious URL blocked... a lot.
Post by: argus on September 01, 2013, 07:03:16 PM

Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


Title: Re: Malicious URL blocked... a lot.
Post by: psknapp on September 01, 2013, 07:39:50 PM
Here they are.
Title: Re: Malicious URL blocked... a lot.
Post by: argus on September 01, 2013, 08:16:52 PM

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Code:
Start
HKLM-x32\...\Run: [Privoxy] - C:\Program Files (x86)\privoxy\starthelp.exe [51115 2013-08-26] ()
C:\Program Files (x86)\privoxy\starthelp.exe
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} -  No File
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Knapp\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR DefaultSearchURL: (Conduit) - http://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN32093413418161156&ctid=CT3289847&UM=2
CHR DefaultSuggestURL: (Conduit) - http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}&CUI=UN32093413418161156&UM=2
CHR Plugin: (Skype Toolbars) - C:\Users\Knapp\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\5.6.0.8442_0\npSkypeChromePlugin.dll No File
CHR Plugin: (Unity Player) - C:\Users\Knapp\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR HKLM-x32\...\Chrome\Extension: [klibnahbojhkanfgaglnlalfkgpcppfi] - C:\Users\Knapp\AppData\Local\CRE\klibnahbojhkanfgaglnlalfkgpcppfi.crx
CHR HKLM-x32\...\Chrome\Extension: [oamhmngeopfinppeiiamgjhlijnmelgo] - C:\Program Files (x86)\Web Protect\chrome-wp.crx
CHR HKLM-x32\...\Chrome\Extension: [kiplfnciaokpcennlkldkdaeaaomamof] - C:\Users\Knapp\AppData\Local\Torch\Plugins\TorchPlugin.crx
End
2. Save notepad as fixlist.txt
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warned you about the outdated version please download and run the updated version.
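As an added defender-side example (not part of this thread, and not code from OTL, ComboFix or FRST): a read-only PowerShell audit of the persistence locations that both the OTL script earlier in the thread and the FRST fixlist above target. It walks the Run keys and the Explorer\Run policy key (the O4/O7 lines), the Browser Helper Object CLSIDs (the O2 lines) and the Chrome extensions registered under HKLM (the "CHR HKLM-x32\...\Chrome\Extension" lines), and flags any entry whose target file is missing, as with the "File not found" Run values in the OTL log, or whose name or path contains one of the component names seen in this thread. The match list is an assumption drawn from the thread's own logs, not a signature set; the registry locations are the standard Windows and Chrome ones. The script changes nothing, so removal still happens through the tools the helper prescribed.

```powershell
# Added example: read-only audit of the persistence locations the OTL/FRST fix scripts touch.
# Assumption: $SuspectNames is built from names that appear in this thread's logs.
$SuspectNames = @('Conduit', 'vShare', 'Web Protect', 'WebProtect', 'AskBar', 'Torch', 'privoxy')

function Get-CommandPath {
    # Pull the executable out of a Run value: honour a quoted path, otherwise cut at the first .exe/.dll/.scr.
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.*?\.(exe|dll|scr))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Test-Suspect {
    # Returns a reason string when an entry deserves a look, otherwise $null.
    param([string]$Name, [string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return 'no target path' }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) { return "target missing: $expanded" }
    foreach ($s in $SuspectNames) {
        if ($Name -like "*$s*" -or $expanded -like "*$s*") { return "matches '$s'" }
    }
    return $null
}

function Get-RunEntries {
    # O4 (Run) and O7 (Explorer\Run policy) locations, per-user and machine-wide, 64-bit and WOW64.
    $keys = @(
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata members
            [pscustomobject]@{ Kind = 'Run'; Location = $key; Name = $p.Name; Path = (Get-CommandPath $p.Value) }
        }
    }
}

function Get-BhoEntries {
    # O2 lines: each BHO is a CLSID subkey; the DLL is the (default) value of that CLSID's InprocServer32.
    foreach ($bhoKey in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')) {
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
            $dll = $null; $friendly = $clsid
            foreach ($root in @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID')) {
                $srv = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $srv) {
                    $dll = (Get-ItemProperty -Path $srv).'(default)'
                    $friendly = (Get-ItemProperty -Path (Join-Path $root $clsid)).'(default)'
                    break
                }
            }
            # A BHO whose CLSID has no InprocServer32 shows up as "no target path" (OTL's "No CLSID value found").
            [pscustomobject]@{ Kind = 'BHO'; Location = $bhoKey; Name = "$friendly $clsid"; Path = $dll }
        }
    }
}

function Get-ChromeRegisteredExtensions {
    # FRST's "CHR HKLM-x32\...\Chrome\Extension" lines: extensions installed from a local .crx via the registry.
    foreach ($key in @('HKLM:\SOFTWARE\Google\Chrome\Extensions', 'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions')) {
        if (-not (Test-Path $key)) { continue }
        foreach ($ext in Get-ChildItem $key) {
            $crx = (Get-ItemProperty -Path $ext.PSPath).path
            [pscustomobject]@{ Kind = 'ChromeExt'; Location = $key; Name = $ext.PSChildName; Path = $crx }
        }
    }
}

function Find-SuspectPersistence {
    # Combine all sources and keep only the entries Test-Suspect gives a reason for.
    foreach ($e in @(Get-RunEntries) + @(Get-BhoEntries) + @(Get-ChromeRegisteredExtensions)) {
        $reason = Test-Suspect -Name $e.Name -Path $e.Path
        if ($reason) { $e | Add-Member -NotePropertyName Reason -NotePropertyValue $reason -PassThru }
    }
}

Find-SuspectPersistence | Format-Table Kind, Name, Path, Reason -AutoSize
```

Run it from an elevated console as the affected user so that both HKCU and the HKLM/Classes hives are readable. A "target missing" row is the same condition OTL prints as "File not found": the autostart entry survives after its binary was removed, and the orphaned value is what the fix scripts in this thread clean up.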
Title: Re: Malicious URL blocked... a lot.
Post by: psknapp on September 01, 2013, 08:40:38 PM
That was a quick one.  Done.
Title: Re: Malicious URL blocked... a lot.
Post by: argus on September 01, 2013, 08:47:38 PM
What is the situation now?
Title: Re: Malicious URL blocked... a lot.
Post by: psknapp on September 01, 2013, 09:08:27 PM
Still the same.  I rebooted and the sounds came back and the popups are still here.
Title: Re: Malicious URL blocked... a lot.
Post by: argus on September 01, 2013, 09:10:34 PM
Download TDSSKiller (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe)  and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it.

Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.
Title: Re: Malicious URL blocked... a lot.
Post by: psknapp on September 01, 2013, 09:37:18 PM
It ran twice.  First, as you instructed and then after the reboot.  Both are attached.
Title: Re: Malicious URL blocked... a lot.
Post by: argus on September 01, 2013, 09:41:41 PM
This is now OK. Do you still have the popup?

Title: Re: Malicious URL blocked... a lot.
Post by: psknapp on September 01, 2013, 09:45:09 PM
It looks okay right now.  No sounds, no pop-ups.  I'll keep checking, but I am hopeful!  Thank you!
Title: Re: Malicious URL blocked... a lot.
Post by: argus on September 01, 2013, 09:51:43 PM
You had 0Access and Rootkit.Boot.Harbinger infections  >:(  two infections.



It is necessary to uninstall ComboFix :
Code:
ComboFix /Uninstall

Note that there is a space between "ComboFix" and "/Uninstall".

Wait until the uninstall process is complete.


***********




Please download  DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.

Run the tool and check the following boxes below:

Now click on the "Run" button. Wait until the programme completes its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt


> I don't need the DelFix log report.
Title: Re: Malicious URL blocked... a lot.
Post by: psknapp on September 02, 2013, 02:21:42 AM
This is done.  Thank you so much for all of your help.  I am certain I would have ended up having to re-install windows if it wasn't for your assistance.  I really appreciate all you have done for me and continue to do for everybody!