Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on December 23, 2014, 06:51:16 PM

Title: URL:MAL 67.159.200.132
Post by: REDACTED on December 23, 2014, 06:51:16 PM
Geeks to Go was helping me with URL:MAL warnings I've been getting. They've concluded that this issue should be handled here by Avast.

Here's the link to the thread.

http://www.geekstogo.com/forum/topic/345619-how-to-get-rid-of-urlmal/

Thanks!
Title: Re: URL:MAL 67.159.200.132
Post by: Eddy on December 23, 2014, 07:11:01 PM
https://forum.avast.com/index.php?topic=53253.0
Title: Re: URL:MAL 67.159.200.132
Post by: REDACTED on December 23, 2014, 10:20:32 PM
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/23/2014
Scan Time: 10:54:42 AM
Logfile: MBAMlog.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.23.07
Rootkit Database: v2014.12.23.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Nakamoto

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 369028
Time Elapsed: 13 min, 47 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Title: Re: URL:MAL 67.159.200.132
Post by: REDACTED on December 23, 2014, 10:23:10 PM

FRST log
Title: Re: URL:MAL 67.159.200.132
Post by: REDACTED on December 23, 2014, 10:24:38 PM
Addition log
Title: Re: URL:MAL 67.159.200.132
Post by: polonus on December 23, 2014, 10:36:51 PM
Additional info on IP 67.159.200.132 - listed at DNS-BH / malwaredomains.com as malicious with a severity of 2
5 alerts for a PUP detection here: http://urlquery.net/report.php?id=1419167148929
Server vulnerable: System Details:
Running on: Apache/2.2.15
Powered by: PHP/5.3.3
Outdated Web Server Apache Found: Apache/2.2.15 - IDS alerts for "ET MALWARE PUP Win32.SoftPulse Retrieving data"
What is gonna be found is probably this: http://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/SoftPulse/detailed-analysis.aspx

This is all apart from the malware cleansing routine here, which I am not intruding on and leave alone; I just want to report on these aspects of the IP mentioned, to set your mind a bit at ease towards the severity of the malcode eventually detected.

polonus (volunteer website security analyst and website error-hunter)
Title: Re: URL:MAL 67.159.200.132
Post by: Pondus on December 23, 2014, 10:54:25 PM
After reading the topic over at Geeks to Go it seems everything has been tried.
And from the conclusion in the last post it seems you need to open a support ticket.....

Avast support   https://support.avast.com

Title: Re: URL:MAL 67.159.200.132
Post by: REDACTED on December 23, 2014, 11:30:29 PM
aswMBR file
Title: Re: URL:MAL 67.159.200.132
Post by: Eddy on December 23, 2014, 11:32:56 PM
Let's see:
Quote
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
Take your pick about what av you want to use. Do not use multiple at the same time.
Quote
HKLM-x32\...\Run: [TrojanScanner] => C:\Program Files (x86)\Trojan Remover\Trjscan.exe [1791856 2014-12-08] (Simply Super Software)
It is not free, and research shows that it is far worse than e.g. MBAM.
Quote
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
Spybot used to be good, but it hasn't been for a long time.

Intuit sync manager? Are you using quickbooks?
Quote
HKU\S-1-5-21-3728143812-4245075021-3154152335-1000\...\Run: [KSS] => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe [202080 2014-06-15] (Kaspersky Lab ZAO)
Another piece of security software that can cause conflicts/problems when running multiple.

And I see more problems.
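The "AV:" and "AS:" lines Eddy quotes come from Windows Security Center, which any machine can be asked directly. The following is an added example, not from the thread: a read-only PowerShell (3.0+) listing of the registered products that flags more than one enabled resident scanner. The productState decoding used here is a widely used community heuristic, not a documented Microsoft API.

```powershell
# Added example, not from the thread: list the security products registered with
# Windows Security Center (the source of the "AV:" / "AS:" lines Eddy quotes) and
# flag more than one enabled real-time scanner. Read-only; needs PowerShell 3.0+.
# The productState decoding is a widely used community heuristic, not a documented
# Microsoft API: of the six hex digits, the middle pair is the real-time state
# (10 or 11 = on) and the last pair the signature state (00 = up to date).
function Get-RegisteredSecurityProducts {
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct') {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hex = '{0:X6}' -f [int]$_.productState
                [pscustomobject]@{
                    Kind     = if ($class -eq 'AntiVirusProduct') { 'AV' } else { 'AS' }
                    Name     = $_.displayName
                    Enabled  = $hex.Substring(2, 2) -in @('10', '11')
                    UpToDate = $hex.Substring(4, 2) -eq '00'
                    Guid     = $_.instanceGuid   # matches the {GUID} shown in the DDS/FRST lines
                }
            }
    }
}

$products = Get-RegisteredSecurityProducts
$products | Format-Table Kind, Name, Enabled, UpToDate, Guid -AutoSize

# Many suites register under both classes, so count distinct enabled names.
$active = @($products | Where-Object { $_.Enabled } | Select-Object -ExpandProperty Name -Unique)
if ($active.Count -gt 1) {
    Write-Warning ("{0} resident security products enabled at once: {1}" -f $active.Count, ($active -join ', '))
}
$products | Where-Object { $_.Enabled -and -not $_.UpToDate } |
    ForEach-Object { Write-Warning ("{0} is enabled but its definitions are out of date" -f $_.Name) }
```

On the machine in this thread the distinct enabled names would have been avast!, Windows Defender and Spybot, which is exactly the condition the second warning reports.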
Title: Re: URL:MAL 67.159.200.132
Post by: polonus on December 24, 2014, 12:00:15 AM
Hi Eddy,

Are you saying that the victim has two or more resident av solutions running at the same time? That is the cause of a lot of false cross-detection  :o  Only one resident av solution should run on an operational system.
Just like two dogs on the porch before the house that start to fight amongst each other instead of protecting their Boss from attacks.

polonus
Title: Re: URL:MAL 67.159.200.132
Post by: Eddy on December 24, 2014, 12:48:33 AM
Not just two av's are running in real time, but some other security software as well.
Title: Re: URL:MAL 67.159.200.132
Post by: REDACTED on December 24, 2014, 01:18:08 AM
I normally only use Avast. I downloaded the other stuff to try to fix the URL:MAL myself.

I turned off Windows Defender, uninstalled Spybot, Trojan Remover, and Kaspersky and rebooted my computer. We'll see if I still get warnings.

I do use Quickbooks.
Title: Re: URL:MAL 67.159.200.132
Post by: REDACTED on December 24, 2014, 05:17:41 AM
Still getting warnings.
Title: Re: URL:MAL 67.159.200.132
Post by: polonus on December 24, 2014, 12:42:40 PM
Hi HiHelen,

Post the logs attached like described here: https://forum.avast.com/index.php?topic=53253.0
and wait for a qualified remover to arrive.

polonus
Title: Re: URL:MAL 67.159.200.132
Post by: REDACTED on December 24, 2014, 05:58:02 PM
Uninstall Spybot - Search and Destroy, SUPERAntiSpyware, Trojan Remover 6.9.1.2932, Web Companion, Kaspersky Security Scan, and Wise Registry Cleaner 8.26.
Are you connected to the internet via a router? Provide me with a fresh FRST scan log after uninstalling the aforementioned programs.

Title: Re: URL:MAL 67.159.200.132
Post by: REDACTED on December 24, 2014, 09:29:15 PM
I uninstalled Spybot, Trojan Remover, Kaspersky, SuperAntiSpyware, Web Companion, and Wise Registry Cleaner.

Here are the logs:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/24/2014
Scan Time: 8:02:37 AM
Logfile: MBAMlog.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.24.10
Rootkit Database: v2014.12.23.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Nakamoto

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 367602
Time Elapsed: 16 min, 2 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

FRST, Addition, aswMBR logs are attached.

I did not do FixMBR.
Title: Re: URL:MAL 67.159.200.132
Post by: REDACTED on December 25, 2014, 04:28:16 AM
Are you using a router to connect to the internet?

Code:
Start
CreateRestorePoint:
Closeprocesses:
Emptytemp:
Ad-Aware Web Companion (x32 Version: 1.0.788.1475 - Lavasoft) Hidden
AlternateDataStreams: C:\Users\Nakamoto\Desktop\Hanahouoli Magazine.jpeg:3or4kl4x13tuuug3Byamue2s4b
AlternateDataStreams: C:\Users\Nakamoto\Desktop\QEP Preschool Yearbook.jpeg:3or4kl4x13tuuug3Byamue2s4b
HKU\S-1-5-21-3728143812-4245075021-3154152335-1000\...\Run: [Web Companion] => C:\Program Files (x86)\Lavasoft\Web Companion\Application\WebCompanion.exe --minimize
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-3728143812-4245075021-3154152335-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF Homepage: https://www.google.com/?trackid=sp-006
FF Keyword.URL: https://www.google.com/search/?trackid=sp-006
FF Extension: Bitdefender QuickScan - C:\Users\Nakamoto\AppData\Roaming\Mozilla\Firefox\Profiles\5g2iigem.default-1416507301759\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2014-11-20]
S2 SearchProtectionService; "C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.WinService.exe" [X]
CMD: type "C:\QooBox\ComboFix-quarantined-files.txt"
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
End



Regards,
Valinorum
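The fix script above removes specific items without showing what is there. As an added example, not from the thread or from FRST, the PowerShell (3.0+) below reads the same items so they can be confirmed present before the fix and gone after it. File paths, value names, the service name and the extension path are taken from the posted log; the standard IE SearchScopes registry layout is assumed.

```powershell
# Added example, not from the thread or from FRST: a read-only check of the items
# the fix script above targets. Paths, value names and the service name come from
# the posted log; the registry layout of IE SearchScopes is standard. PowerShell 3.0+.
$desktop = 'C:\Users\Nakamoto\Desktop'
$images  = 'Hanahouoli Magazine.jpeg', 'QEP Preschool Yearbook.jpeg'

# 1. Alternate data streams on the two desktop files. ':$DATA' is the file's
#    normal content; any other stream is an ADS like the one FRST listed.
foreach ($name in $images) {
    $path = Join-Path $desktop $name
    if (Test-Path -LiteralPath $path) {
        Get-Item -LiteralPath $path -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object { "ADS   ${path}:$($_.Stream) ($($_.Length) bytes)" }
    }
}

# 2. Per-user Run entry for Web Companion. HKU\<SID>\...\Run in the FRST log is
#    the logged-on user's hive, which PowerShell exposes as HKCU:.
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run.'Web Companion') { "RUN   Web Companion => $($run.'Web Companion')" }

# 3. The Lavasoft service (FRST's "S2" = automatic start, "[X]" = binary missing).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SearchProtectionService'"
if ($svc) { "SVC   $($svc.Name) state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)" }

# 4. DefaultScope in the .DEFAULT and service-account hives. FRST flagged these
#    because the scope's URL value is empty, not because it points anywhere bad.
$scopeGuid = '{0633EE93-D776-472f-A0FF-E1416B8B2E3A}'
foreach ($hive in '.DEFAULT', 'S-1-5-19', 'S-1-5-20') {
    $key = "Registry::HKEY_USERS\$hive\Software\Microsoft\Internet Explorer\SearchScopes\$scopeGuid"
    if (Test-Path -LiteralPath $key) {
        "SCOPE HKU\$hive $scopeGuid URL = '$((Get-ItemProperty -LiteralPath $key).URL)'"
    }
}

# 5. The Bitdefender QuickScan Firefox extension directory named in the log.
$ext = 'C:\Users\Nakamoto\AppData\Roaming\Mozilla\Firefox\Profiles\5g2iigem.default-1416507301759\Extensions\{e001c731-5e37-4538-a5cb-8168736a2360}'
if (Test-Path -LiteralPath $ext) { "FFEXT $ext" }
```

Run it once before applying the fix and once after the reboot; every line it prints the second time is an item the fix did not remove.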
Title: Re: URL:MAL 67.159.200.132
Post by: REDACTED on December 25, 2014, 06:34:32 PM
Yes, I'm using a router to connect to the internet.

FRST fixlog attached.

I got a warning right after doing the fix (after the reboot):

URL: http://8941180.secure-services92329.com/c.php?aid=254&lid=10419

Infection: URL:MAL

Process: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Title: Re: URL:MAL 67.159.200.132
Post by: REDACTED on December 26, 2014, 07:32:35 AM
Can you reset your router to factory settings?
Title: Re: URL:MAL 67.159.200.132
Post by: REDACTED on December 26, 2014, 10:35:47 AM
Okay, hit the reset button on the router and unplugged/plugged it back in.
Title: Re: URL:MAL 67.159.200.132
Post by: REDACTED on December 27, 2014, 06:34:30 AM
Still getting threat warnings.
Title: Re: URL:MAL 67.159.200.132
Post by: REDACTED on January 13, 2015, 06:15:33 PM
I opened a support ticket with Avast, but after a few tries, they concluded that my computer needs deeper analysis and that I take it to a computer store. Is it really that bad? How expensive will that be?

Anyone have any more ideas of how to fix this?

Thanks!