Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: grover8t on August 25, 2013, 08:34:36 PM

Title: Malicious URL Blocked- over and over and over
Post by: grover8t on August 25, 2013, 08:34:36 PM
Hello there!  Like some others, I have a "threat has been detected" pop-up happening over and over again.  It is always Malicious URL Blocked, and the object always ends in /task/6/.  I read on another post that this is a virus trying to "phone home".

I am going through the process you have offered - Logs to assist in cleaning malware - running adwcleaner now, and hope someone out there will read my logs and help me.

Thank you!
Title: Re: Malicious URL Blocked- over and over and over
Post by: grover8t on August 25, 2013, 09:07:20 PM
adwcleaner log attached
Title: Re: Malicious URL Blocked- over and over and over
Post by: grover8t on August 25, 2013, 09:39:33 PM
Attached are the malware and the 2 OTL logs... anyone out there?  :)
Title: Re: Malicious URL Blocked- over and over and over
Post by: grover8t on August 25, 2013, 09:48:00 PM
And now I can't run aswMBR.exe because it is not a valid Windows 32 file or something.  Hopefully someone can help me with what I posted so far, as the pop-ups are still going non-stop... all objects ending in /task/6/
Title: Re: Malicious URL Blocked- over and over and over
Post by: Pondus on August 25, 2013, 10:51:12 PM
Quote
anyone out there?
Yep... and next time, do this in the Viruses and Worms forum section... that's what it was made for   ;)

Try running aswMBR from safe mode.


malware removers are notified, it may take hours before they arrive.....

Title: Re: Malicious URL Blocked- over and over and over
Post by: grover8t on August 25, 2013, 11:09:51 PM
Hey sorry.  I'll get on running that in safe mode. 

Shall I move now or remain here?
Title: Re: Malicious URL Blocked- over and over and over
Post by: essexboy on August 25, 2013, 11:13:17 PM
Stay here now

Could you let me know if this kills the alerts?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
Code:
:Commands
[CREATERESTOREPOINT]

:OTL
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzutDtDtBtCyD0DtB0BtBtD0F0E0DtB0CtCtN0D0Tzu0CtBtDtBtN1L2XzutBtFtCtFtDtFtAtDtC&cr=120480611
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzutDtDtBtCyD0DtB0BtBtD0F0E0DtB0CtCtN0D0Tzu0CtBtDtBtN1L2XzutBtFtCtFtDtFtAtDtC&cr=120480611
IE - HKU\S-1-5-21-1159065996-402827216-737821929-1004\..\SearchScopes\{36474992-3D9F-4B8A-9191-98E61750BB4A}: "URL" = http://search.conduit.com/Results.aspx?ctid=CT3300019&SearchSource=45&UM=2&q={searchTerms}
[2013/07/21 10:32:28 | 000,000,000 | ---D | M] ("Trusted Saver") -- C:\Users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\tk6znb9o.default\extensions\9b7182cf-0847-4d17-8a3f-c850f8c4a23e@51bca2a9-a5e9-4d98-8d77-40c0e8212d2a.com
[2013/07/20 14:34:19 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\tk6znb9o.default\extensions\9b7182cf-0847-4d17-8a3f-c850f8c4a23e@51bca2a9-a5e9-4d98-8d77-40c0e8212d2a.com\chrome\content\extensionCode
[2013/06/26 12:22:03 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
[2013/06/26 12:22:03 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA}
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O4 - HKU\S-1-5-21-1159065996-402827216-737821929-1004..\Run: [SPMTray] "C:\Program Files (x86)\PC Speed Maximizer\SPMTray.exe" File not found
[2013/08/25 14:58:46 | 000,001,842 | ---- | M] () -- C:\Windows\tasks\Trusted Saver-firefoxinstaller.job

:Commands
[resethosts]
[emptytemp]
[Reboot]
THEN

Run AdwCleaner again and scan, once completed select all and press clean 
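The OTL fix above is really a list of indicators: hijacked browser start page and search scopes (start.funmoods.com, search.conduit.com), a rogue Firefox extension, an orphaned Run key and a scheduled-task .job file. As an added example (not OTL's code and not code from this thread), the script below parses the main OTL fix line shapes and turns them into hosts to block, paths to hunt for and registry locations to audit. The sample input is a constructed subset of the fix posted above; the regexes are an assumption about OTL's output format based on those lines, not a documented grammar.

```python
"""Pull block/hunt indicators out of an OTL fix script (added example, not OTL's code).

OTL fix lines come in a few shapes, and each carries something a defender can act on:
  IE ... HKLM\...\Main,Start Page = http://host/...   hijacked start page / search scope
  [date | size | attrs | M] (name) -- path            file or directory to remove
  O4 - HKU\...\Run: [Name] "path" File not found      autorun entry (possibly orphaned)
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the OTL fix posted in the thread.
SAMPLE_FIX = r"""
:OTL
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=fmtoby&chnl=fmtoby&cd=2XzuyEtN2Y1L1QzutDtDtBtCyD0DtB0BtBtD0F0E0DtB0CtCtN0D0Tzu0CtBtDtBtN1L2XzutBtFtCtFtDtFtAtDtC&cr=120480611
IE - HKU\S-1-5-21-1159065996-402827216-737821929-1004\..\SearchScopes\{36474992-3D9F-4B8A-9191-98E61750BB4A}: "URL" = http://search.conduit.com/Results.aspx?ctid=CT3300019&SearchSource=45&UM=2&q={searchTerms}
[2013/07/21 10:32:28 | 000,000,000 | ---D | M] ("Trusted Saver") -- C:\Users\Ken\AppData\Roaming\Mozilla\Firefox\Profiles\tk6znb9o.default\extensions\9b7182cf-0847-4d17-8a3f-c850f8c4a23e@51bca2a9-a5e9-4d98-8d77-40c0e8212d2a.com
O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O4 - HKU\S-1-5-21-1159065996-402827216-737821929-1004..\Run: [SPMTray] "C:\Program Files (x86)\PC Speed Maximizer\SPMTray.exe" File not found
[2013/08/25 14:58:46 | 000,001,842 | ---- | M] () -- C:\Windows\tasks\Trusted Saver-firefoxinstaller.job
:Commands
[resethosts]
[emptytemp]
"""

URL_RE = re.compile(r'https?://[^\s"]+')
# [timestamp | size | attrs | M] (name) -- path
FILE_RE = re.compile(r'^\[[^\]]*\]\s+\(([^)]*)\)\s+--\s+(.+?)\s*$')
# O4 - <hive\sid>..\Run: [Name] "path" <optional status text>
RUN_RE = re.compile(r'^O4(?::64bit:)? - .+?\.\.\\Run: \[([^\]]+)\] "([^"]+)"(.*)$')
# Registry location up to the first comma or colon that ends it
REG_RE = re.compile(r'\b(HK(?:LM|CU|U)\\[^,:]+)')


def parse_otl_fix(text):
    """Return hosts, file entries, Run-key entries and registry locations found in the fix."""
    iocs = {"hosts": set(), "files": [], "run_entries": [], "reg_keys": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):  # blank lines and :OTL / :Commands headers
            continue
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname
            if host:
                iocs["hosts"].add(host.lower())
        m = FILE_RE.match(line)
        if m:
            iocs["files"].append({"name": m.group(1).strip('"'), "path": m.group(2)})
            continue  # file lines carry no registry key
        m = RUN_RE.match(line)
        if m:
            iocs["run_entries"].append({"name": m.group(1), "path": m.group(2),
                                        "present": "File not found" not in m.group(3)})
        for m in REG_RE.finditer(line):
            iocs["reg_keys"].add(m.group(1).rstrip("\\"))
    return iocs


def hunt_paths(iocs):
    """Every filesystem path the fix names, including the targets of Run-key entries."""
    return sorted({f["path"] for f in iocs["files"]} | {r["path"] for r in iocs["run_entries"]})


if __name__ == "__main__":
    found = parse_otl_fix(SAMPLE_FIX)
    print("hosts to block:", sorted(found["hosts"]))
    print("registry locations:", sorted(found["reg_keys"]))
    for entry in found["run_entries"]:
        print("run entry:", entry)
    for path in hunt_paths(found):
        print("path:", path)
```

Hosts come out normalised via urlsplit, so the long tracking query strings on the funmoods URLs do not matter; the Run entry is recorded with present=False because OTL reported "File not found", which is the orphaned-autorun case worth noting separately from a live one.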
Title: Re: Malicious URL Blocked- over and over and over
Post by: grover8t on August 26, 2013, 12:16:07 AM
Here is the OTL report after running your fix.  Pop ups still happening.  Will run the adwhere thing again.
Title: Re: Malicious URL Blocked- over and over and over
Post by: grover8t on August 26, 2013, 01:03:14 AM
Ran adwcleaner again.  Still have pop ups.  :(
Title: Re: Malicious URL Blocked- over and over and over
Post by: iroc9555 on August 26, 2013, 02:02:51 AM
Essexboy will be back tomorrow. It is almost 1 AM back in the UK.

Regards.
Title: Re: Malicious URL Blocked- over and over and over
Post by: essexboy on August 26, 2013, 11:36:57 AM
Could you attach a screenshot of the Avast alert please, as that will give more information?

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1  (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here  (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)

(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3.  If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
Title: Re: Malicious URL Blocked- over and over and over
Post by: grover8t on August 27, 2013, 04:26:48 AM
Oops, had to go to work, screen shot attached, headed now to do other thing.
Title: Re: Malicious URL Blocked- over and over and over
Post by: grover8t on August 27, 2013, 04:45:47 AM
Can't find combo text log... rebooted and all, will perhaps run it again.

Attached two more visuals for ya of what is repeatedly and still happening...
Title: Re: Malicious URL Blocked- over and over and over
Post by: grover8t on August 27, 2013, 05:07:47 AM
Okay, took me a second time, but found the log from the combofix... read it was outputting to this 3277 file thingy dingy.

When I tried to attach and/or look at the file, I got a message saying I have no permission to do so.

I can't find the "text" file you refer to... searched computer for "combo" to no avail.

Avast blocking pop ups still happening over and over...

Please see attached file.  Sooooo thankful for your help in getting this laptop working!  Not sure what else a gal would do without the likes of folks like you!  :o

Title: Re: Malicious URL Blocked- over and over and over
Post by: grover8t on August 27, 2013, 05:24:42 AM
Wait wait!  Something happening!  More soon.
Title: Re: Malicious URL Blocked- over and over and over
Post by: grover8t on August 27, 2013, 01:32:40 PM
Still can't find text log.  Have a computer icon called "Combofix" on my C drive.  Any ideas what next?
Title: Re: Malicious URL Blocked- over and over and over
Post by: bob3160 on August 27, 2013, 01:35:10 PM
Quote
Still can't find text log.  Have a computer icon called "Combofix" on my C drive.  Any ideas what next?
Wait for a reply from essexboy. He is the one helping you.
Patience is a virtue. :)
Title: Re: Malicious URL Blocked- over and over and over
Post by: essexboy on August 27, 2013, 03:15:27 PM
Hi, could you now re-run ComboFix please? It will sometimes require two hits to kill the bad boy.
Title: Re: Malicious URL Blocked- over and over and over
Post by: grover8t on August 29, 2013, 12:52:17 AM
Yes, Bob, thank you.  As evidenced by the many hour lapses in my responses I am happy to be patient.  But I will be sure and remember your sound advice.

Essex, ran combofix again... I think the attached is the log you are requesting- have a whole file of combofix stuff now.  Pop ups still happening.  :( Not sure combofix ran completely as there were multiple crashes along the way?  Maybe I will run it again while I await your response.

Soooo thankful for your continued work on this!!!!
Title: Re: Malicious URL Blocked- over and over and over
Post by: essexboy on August 29, 2013, 03:05:53 PM
That almost looks like an MBR infection, but none of the other usual data points are there.  Does this happen in all browsers?

Download the latest version of TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.
 
 
(https://dl.dropbox.com/u/73555776/tdss%20report.JPG)
 
Please copy and paste its contents on your next reply.
Title: Re: Malicious URL Blocked- over and over and over
Post by: grover8t on August 30, 2013, 01:02:39 AM
So the avast threat detector was popping up with no browser open.

And.... holding my breath... wait a sec... THAT LAST THING WORKED!

Hip hip hurray!  (Essexboy up on my family's shoulders and carried jubilantly around the room.)

HUZZAH!  HUZZAH!  Below is the log.  Does it look gone to you???   ;D ;D ;D ;D ;D ;D ;D

18:55:07.0605 3880  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
18:55:08.0244 3880  ============================================================
18:55:08.0244 3880  Current date / time: 2013/08/29 18:55:08.0244
18:55:08.0244 3880  SystemInfo:
18:55:08.0244 3880 
18:55:08.0244 3880  OS Version: 6.0.6002 ServicePack: 2.0
18:55:08.0244 3880  Product type: Workstation
18:55:08.0244 3880  ComputerName: SONYLAPTOP
18:55:08.0244 3880  UserName: Ken
18:55:08.0244 3880  Windows directory: C:\Windows
18:55:08.0244 3880  System windows directory: C:\Windows
18:55:08.0244 3880  Running under WOW64
18:55:08.0244 3880  Processor architecture: Intel x64
18:55:08.0244 3880  Number of processors: 2
18:55:08.0244 3880  Page size: 0x1000
18:55:08.0244 3880  Boot type: Normal boot
18:55:08.0244 3880  ============================================================
18:55:11.0770 3880  BG loaded
18:55:13.0377 3880  Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
18:55:13.0470 3880  ============================================================
18:55:13.0470 3880  \Device\Harddisk0\DR0:
18:55:13.0486 3880  MBR partitions:
18:55:13.0486 3880  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x15EB800, BlocksNum 0x23E42AB0
18:55:13.0486 3880  ============================================================
18:55:13.0657 3880  C: <-> \Device\Harddisk0\DR0\Partition1
18:55:13.0657 3880  ============================================================
18:55:13.0657 3880  Initialize success
18:55:13.0657 3880  ============================================================

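The TDSSKiller header above reports the disk geometry, the MBR partition table and the drive-letter mapping, which is exactly what a helper reads when checking for an MBR-level infection. As an added example (not Kaspersky's code and not code from this thread), the script below parses those lines and sanity-checks the layout: partitions that overlap, run past the end of the disk, or leave unpartitioned space are reported in sectors so they can be followed up. The sample log is a trimmed copy of the one posted above; the line formats are an assumption drawn from those lines, not documented TDSSKiller output.

```python
"""Parse a TDSSKiller log header and sanity-check the disk layout it reports.

Added example (not Kaspersky's code). Log lines are "HH:MM:SS.ffff PID  message";
the messages of interest are
  Drive <dev> - Size: 0x.. (...), SectorSize: 0x.., ...
  <dev>\PartitionN: MBR, Type 0x.., StartLBA 0x.., BlocksNum 0x..
  C: <-> <dev>\PartitionN
Unpartitioned space and partitions that overlap or overflow the disk deserve a second
look, because anything stored outside the mapped partitions is invisible to the OS.
"""
import re

# Constructed sample: the TDSSKiller log posted in the thread, trimmed.
SAMPLE_LOG = r"""18:55:07.0605 3880  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
18:55:08.0244 3880  OS Version: 6.0.6002 ServicePack: 2.0
18:55:08.0244 3880  ComputerName: SONYLAPTOP
18:55:08.0244 3880  Boot type: Normal boot
18:55:13.0377 3880  Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
18:55:13.0486 3880  MBR partitions:
18:55:13.0486 3880  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x15EB800, BlocksNum 0x23E42AB0
18:55:13.0657 3880  C: <-> \Device\Harddisk0\DR0\Partition1
18:55:13.0657 3880  Initialize success
"""

LINE_RE = re.compile(r'^\d{2}:\d{2}:\d{2}\.\d+\s+\d+\s*(.*)$')
DRIVE_RE = re.compile(r'^Drive (\S+) - Size: (0x[0-9A-Fa-f]+) .*?SectorSize: (0x[0-9A-Fa-f]+)')
PART_RE = re.compile(r'^(\S+)\\(Partition\d+): (\w+), Type (0x[0-9A-Fa-f]+), '
                     r'StartLBA (0x[0-9A-Fa-f]+), BlocksNum (0x[0-9A-Fa-f]+)')
MAP_RE = re.compile(r'^([A-Z]:) <-> (\S+)$')
KV_RE = re.compile(r'^([A-Za-z ]+): (.+)$')  # "OS Version: ...", "Boot type: ..."


def parse_tdss_log(text):
    """Return system key/values, per-drive geometry and partitions, and drive-letter mappings."""
    info = {"system": {}, "drives": {}, "mappings": {}}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        if (d := DRIVE_RE.match(msg)):
            info["drives"][d.group(1)] = {"size": int(d.group(2), 16),
                                         "sector_size": int(d.group(3), 16),
                                         "partitions": []}
        elif (p := PART_RE.match(msg)):
            drive = info["drives"].setdefault(
                p.group(1), {"size": 0, "sector_size": 512, "partitions": []})
            drive["partitions"].append({"name": p.group(2), "scheme": p.group(3),
                                        "type": int(p.group(4), 16),
                                        "start": int(p.group(5), 16),
                                        "blocks": int(p.group(6), 16)})
        elif (mp := MAP_RE.match(msg)):
            info["mappings"][mp.group(1)] = mp.group(2)
        elif (kv := KV_RE.match(msg)):
            info["system"][kv.group(1)] = kv.group(2)
    return info


def total_sectors(drive):
    return drive["size"] // drive["sector_size"]


def gib(sectors, drive):
    return sectors * drive["sector_size"] / 2 ** 30


def check_layout(drive):
    """Walk partitions in LBA order; report gaps, overlaps and overflows in sectors."""
    findings = []
    total = total_sectors(drive)
    cursor = 0  # first sector not yet accounted for
    for p in sorted(drive["partitions"], key=lambda x: x["start"]):
        end = p["start"] + p["blocks"]
        if p["start"] > cursor:
            findings.append({"kind": "leading_gap" if cursor == 0 else "gap",
                             "before": p["name"], "sectors": p["start"] - cursor})
        elif p["start"] < cursor:
            findings.append({"kind": "overlap", "at": p["name"], "sectors": cursor - p["start"]})
        if end > total:
            findings.append({"kind": "overflow", "at": p["name"], "sectors": end - total})
        cursor = max(cursor, end)
    if total > cursor:
        findings.append({"kind": "trailing_gap", "sectors": total - cursor})
    return findings


if __name__ == "__main__":
    parsed = parse_tdss_log(SAMPLE_LOG)
    print("boot:", parsed["system"].get("Boot type"), "mappings:", parsed["mappings"])
    for dev, drv in parsed["drives"].items():
        print(dev, f"{gib(total_sectors(drv), drv):.2f} GiB, {len(drv['partitions'])} partition(s)")
        for f in check_layout(drv):
            print("  ", f["kind"], f["sectors"], "sectors", f"({gib(f['sectors'], drv):.2f} GiB)")
```

On the posted log this reports a leading gap of 0x15EB800 sectors (about 11 GiB) before Partition1 and a 1 MiB trailing gap. A leading gap of 63 or 2048 sectors is ordinary alignment and the MBR itself lives there; a gap this large is usually a recovery or OEM area that TDSSKiller simply did not list, so the check is a prompt to confirm what occupies it, not a verdict.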
Title: Re: Malicious URL Blocked- over and over and over
Post by: essexboy on August 30, 2013, 01:49:42 PM
There will be a larger log at C:\TDSSKiller (date time); could you attach that please?