Author Topic: Malicious URL blocked  (Read 14180 times)


badger66

  • Guest
Malicious URL blocked
« on: February 18, 2011, 09:52:37 PM »
When running IE 8.0 on my home computer, I get a message from avast! about every minute or two with the following format:

MALICIOUS URL BLOCKED
avast! Network Shield has blocked a harmful site.
Object:  213.155.22.144/Ocentra/gate.php?guid=5.1.2600!GLENN!28A9229D&ve
Infection:  URL:Mal
Action:  Blocked
Process: C:\WINDOWS\Explorer.EXE

At times the "213.155.22.144" is replaced with "1gt5324dx.ru" or "1gt6342dx.ru".

I've run MBAM, SuperAntiSpyware, avast!, and avast! boot scan.  Several items showed up which were quarantined, after which I restarted (running XP).  This message continues to come up and I cannot figure out what is causing it.
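The alert text pasted above has a fixed layout, so a defender can parse a batch of such alerts and see at a glance what the blocked traffic is: the same `gate.php?guid=` check-in from Explorer.EXE to several hosts is a bot beaconing to its controller, not a bad link clicked once. The script below is an added example, not code from the thread or from avast; its two sample alerts are constructed from the hosts reported above, and reading the guid as OS version, machine name and bot id is an assumption.

```python
# Added example (not from the thread or from avast): parse pasted avast!
# Network Shield alerts and summarise them for triage. The sample alerts
# below are constructed from the two hosts badger66 reported.
import re
from collections import Counter

SAMPLE_ALERTS = """\
MALICIOUS URL BLOCKED
avast! Network Shield has blocked a harmful site.
Object:  213.155.22.144/Ocentra/gate.php?guid=5.1.2600!GLENN!28A9229D&ve
Infection:  URL:Mal
Action:  Blocked
Process: C:\\WINDOWS\\Explorer.EXE

MALICIOUS URL BLOCKED
avast! Network Shield has blocked a harmful site.
Object:  1gt5324dx.ru/Ocentra/gate.php?guid=5.1.2600!GLENN!28A9229D&ve
Infection:  URL:Mal
Action:  Blocked
Process: C:\\WINDOWS\\Explorer.EXE
"""

FIELD_RE = re.compile(r"^(Object|Infection|Action|Process):\s+(.*)$", re.M)

def parse_alerts(text):
    """One dict per alert block, with the Object split into host and path."""
    alerts = []
    for block in text.split("MALICIOUS URL BLOCKED")[1:]:
        fields = dict(FIELD_RE.findall(block))
        host, _, path = fields.get("Object", "").partition("/")
        fields["host"], fields["path"] = host, "/" + path
        alerts.append(fields)
    return alerts

def triage(alerts):
    """What a defender wants first: repeated check-ins to a gate.php with a
    guid parameter from a system process point to a bot, not a drive-by."""
    checkins = [a for a in alerts if "gate.php?guid=" in a["path"]]
    guid = re.search(r"guid=([^&]+)", checkins[0]["path"]).group(1) if checkins else ""
    # ASSUMPTION: the '!'-separated guid fields are OS version, machine name
    # and a bot id; the thread does not document that format.
    parts = guid.split("!") if guid.count("!") == 2 else [None] * 3
    return {
        "hosts": dict(Counter(a["host"] for a in alerts)),
        "checkins": len(checkins),
        "processes": sorted({a.get("Process", "") for a in alerts}),
        "os_version": parts[0], "machine_name": parts[1], "bot_id": parts[2],
    }
```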

Offline Pondus

  • Probably Bot
  • Posts: 37599
  • Not a avast user
Re: Malicious URL blocked
« Reply #1 on: February 18, 2011, 10:30:32 PM »
Have you tried cleaning your temp files?

TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.


Can you post the Malwarebytes and SuperAntiSpyware scan logs?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33927
  • malware fighter
Re: Malicious URL blocked
« Reply #2 on: February 19, 2011, 12:26:22 AM »
Look here: https://spyeyetracker.abuse.ch/monitor.php?host=213.155.22.144&id=9e73b6e03b992d84b1ba718071ea90a4
and
http://wepawet.iseclab.org/view.php?hash=ea1a480886ce0d25ad1c86d40e4c1154&t=1298070992&type=js
SPAMHAUS info:

SBL103869   213.155.4.32/32   hosting.ua
18-Feb 20:33 GMT   SpyEye Botnet C&C server @213.155.4.32
Has not been removed yet; C&C server in Ukraine for a bot (known as SpyEye), which has properties similar to Zeus Bot.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

badger66

  • Guest
Re: Malicious URL blocked
« Reply #3 on: February 19, 2011, 03:41:31 AM »
Update........

I needed to do some on-line banking.  When I signed into the banking website, a screen came up headlined by "Security Alert", with entries asking for account number, password, mother's maiden name, etc.  I quickly closed the internet webpage, then went to my wife's computer, accessed the banking webpage and changed my user name and password.

I also have seen the original "Threat Detected" message when I've just been using e-mail, not even in IE.  I looked into the TFC - Temp File Cleaner by OldTimer suggestion but was scared off by some of the user comments about running the program - such as losing all of their My Documents files.

Any suggestions?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33927
  • malware fighter
Re: Malicious URL blocked
« Reply #4 on: February 19, 2011, 03:26:05 PM »
You could run a full scan with MBAM; get it from here: http://www.malwarebytes.org/mbam-download.php

After this, run the CCleaner (freeware) installer, downloaded from here: http://www.filehippo.com/download_ccleaner/download/1d59b13e3d0824a0c054077615cab5c3/
and uncheck the option to install the Yahoo toolbar (unless you want the Yahoo toolbar).
Once installed, run CCleaner by clicking its icon on your Desktop or "Start" => "All programs" => "CCleaner".
The following should be selected by default; if not, please select them (see attached GIF).

Then please click options and choose advanced

Please uncheck "Only delete files in Windows Temp older than 48 hrs".

Then go back to Run Cleaner and click to run it.

After the viruses and Trojans are removed, the registry is still destroyed or modified, so the computer still has problems. That's why you need to repair the registry. Use this program, downloaded from here: http://www.regsofts.com/download/RegpairSetup.exe

polonus
« Last Edit: February 19, 2011, 03:30:21 PM by polonus »

Offline Pondus

  • Probably Bot
  • Posts: 37599
  • Not a avast user
Re: Malicious URL blocked
« Reply #5 on: February 19, 2011, 04:16:08 PM »
Quote
I also have seen the original "Threat Detected" message when I've just been using e-mail, not even in IE.  I looked into the TFC - Temp File Cleaner by OldTimer suggestion but was scared off by some of the user comments about running the program - such as losing all of their My Documents files.

The newest post there is from June 2009, so all bugs should be fixed......

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL blocked
« Reply #6 on: February 19, 2011, 04:28:32 PM »
The problems with TFC were user-induced, by placing important data in temporary files or the recycle bin for safekeeping!

There are currently no known problems with TFC.

EDIT : Check your proxy settings

Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet Explorer


And for Firefox there are instructions on this page; you want the setting to be no proxy.

badger66

  • Guest
Re: Malicious URL blocked
« Reply #7 on: February 20, 2011, 10:12:22 PM »
Update........

I did check my Internet Explorer proxy settings and the Proxy Server box was checked.  I unchecked it and restarted my system.  However, the problem still exists.

The situation has changed relative to when the "Malicious URL Blocked" message comes up.  I do not have to be in IE or e-mail.  It comes up even if I have no programs active other than what normally runs in the background.

Unless someone suggests anything different, I'm going to rerun MBAM, then TFC, then CCleaner.  I assume there is a rogue program running that must be started by my startup procedure, but I don't know how to track that down.

At least it doesn't appear that anything critical is going on.  I can still use all my programs, and avast! is still catching any attempt to get to the malicious URL.

Also, I tried yesterday to do a system restore but was unsuccessful.

badger66

  • Guest
Re: Malicious URL blocked
« Reply #8 on: February 20, 2011, 10:18:19 PM »
Another question...........

I've heard about a program called HiJackThis - should I run this also???

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL blocked
« Reply #9 on: February 20, 2011, 10:21:22 PM »
No, that does not go deep enough.

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
Reg - NetSvcs
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
File - Purity Scan


  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

badger66

  • Guest
Re: Malicious URL blocked
« Reply #10 on: February 21, 2011, 01:15:55 AM »
After fixing my proxy setting in IE, I reran MBAM.  It came up with the following:

Scan type: Full scan (C:\|)
Objects scanned: 242376
Time elapsed: 1 hour(s), 2 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\821hbfs.Bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.

Files Infected:
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp910\a0090586.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp916\a0092792.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\821hbfs.Bin\config.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.

This appears to have fixed my problem as I have not seen the "MALICIOUS URL BLOCKED" message in the last 10 minutes.

Should I still run OTS as was last advised??

Thanks to everyone for their help so far!!

Is it safe to delete old entries from the avast! virus chest?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL blocked
« Reply #11 on: February 21, 2011, 08:41:22 PM »
If you could run OTS please, as the automated tools cannot catch everything.  Then attach the log.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89263
  • No support PMs thanks
Re: Malicious URL blocked
« Reply #12 on: February 21, 2011, 08:46:41 PM »
He needs to (and I have told him to report this in this topic), as there is still something else going on, as is apparent from another of his topics, http://forum.avast.com/index.php?topic=71728.0.

Quote
I've spent many hours fighting a "MALICIOUS URL BLOCKED" report from avast!.  I've finally got the problem taken care of.  However, while looking for possible problems I ran across both of these entries in the System Configuration Utility Start list.  I unchecked NCPMFCD and have not seen any problems after restarting, and the box stays unchecked.  When I uncheck the box associated with agapadewiyohu.dll, apply, then restart, when I'm back running and check the SCU Start List, the box has been rechecked.  I'm trying to make sure I have all my problems taken care of.

The entry reads:
    rundll32.exe "C:\WINDOWS\agapadewiyohu.dll", Startup

Which, according to this, isn't taken care of, as it keeps being restored in startup.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
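The startup entry quoted in the post above, `rundll32.exe "C:\WINDOWS\agapadewiyohu.dll", Startup`, shows two tell-tale traits (a DLL sitting in the Windows root rather than System32, with a generated-looking name) and it re-enables itself after being unchecked. The script below is an added example, not code from the thread: it scores such entries and reports which disabled entries are enabled again after a reboot. The startup lists are constructed; only the agapadewiyohu.dll entry comes from the thread, and the example_vendor.dll path is a placeholder.

```python
# Added example (not from the thread): flag suspicious rundll32 startup
# entries and report entries that are enabled again after being unchecked,
# the behaviour badger66 saw with agapadewiyohu.dll.
import re

# Constructed startup lists. Only the agapadewiyohu.dll line is from the
# thread; the example_vendor.dll path is a placeholder.
DISABLED = {
    'rundll32.exe "C:\\WINDOWS\\agapadewiyohu.dll", Startup',
    'rundll32.exe "C:\\WINDOWS\\system32\\example_vendor.dll", Startup',
}
ENABLED_AFTER_REBOOT = {
    'rundll32.exe "C:\\WINDOWS\\agapadewiyohu.dll", Startup',
}

# rundll32[.exe] "<dll path>", <export>   (quotes around the path optional)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S+)', re.I)

def rundll32_risk(entry):
    """Reasons an entry looks like malware persistence; an empty list means
    nothing stood out, which is not proof the entry is clean."""
    m = RUNDLL_RE.search(entry)
    if not m:
        return []
    dll, _export = m.groups()
    folder, _, name = dll.rpartition("\\")
    reasons = []
    # Legitimate DLLs live in system32 or a vendor folder, not C:\WINDOWS itself.
    if folder.lower().endswith("\\windows"):
        reasons.append("dll in Windows root")
    # Crude heuristic: ten or more lowercase letters with no digits or
    # separators, as in agapadewiyohu.
    stem = name.rsplit(".", 1)[0]
    if len(stem) >= 10 and stem.isalpha() and stem.islower():
        reasons.append("random-looking dll name")
    return reasons

def came_back(disabled, enabled_after_reboot):
    """Entries the user unchecked that are enabled again after a reboot.
    Something re-writes the autorun, so cleanup has to find the process or
    service that restores it, not just the entry itself."""
    return sorted(disabled & enabled_after_reboot)
```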

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL blocked
« Reply #13 on: February 21, 2011, 08:50:16 PM »
And that, from my point of view, is definitely malware.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89263
  • No support PMs thanks
Re: Malicious URL blocked
« Reply #14 on: February 21, 2011, 08:52:27 PM »
Absolutely, and that is what I have been telling him and trying to get him back into this topic.