Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Dorian Saignren on October 29, 2010, 06:05:35 AM

Title: Malicious URL/Trojan Imposter Repelled Alerts
Post by: Dorian Saignren on October 29, 2010, 06:05:35 AM
Alright, first an overview of the problems, the things I've tried, and my laptop...

It's a Gateway, been through the wringer a bit... pretty dinged up.  1.60 GHz, 896 MB of RAM, running Windows XP Media Center Edition Version 2002 Service Pack 2.  I don't currently have any notable programs, having uninstalled everything trying to get rid of this... Well, I didn't get rid of BitTorrent yet, I don't think... But I haven't run it in months, since long before the problems started.

I have tried a system restore, I've scanned (IDK how many times now...) with Avast, and Malwarebytes, Spybot S&D, CCleaner, and Housecall...  I've recently cleaned and defragged my computer (recently as in two days ago).  And everything keeps coming up clean or I fix minor issues I expected to have (like a PUP from a site I know, or emptying the cache).  But still I'm seeing issues...

My computer has a hard time starting up or shutting down, usually it's slow and sometimes it freezes midway.  I have a hard time shutting down my internet connection (sometimes it won't listen to me at all).  My internet browsers (IE and Firefox both) sometimes won't start up (freezing midway, I have to end the processes or I get a flood of half-open browsers trying to get online).  Occasionally explorer.exe dies outright, usually when I'm in a folder with images or video (this started happening quite a while ago, it may or may not be related).  I frequently get "Trojan Imposter Repelled" and "Malicious URL Repelled" alerts from Avast, as well as "Virus Protection" or "You've won this!" popups, usually the same or similar ones.  Also, I have googled the IP address in the first URL blocked warnings (199.80.55.80, while scanning for this I got another with 199.80.55.19) and any site with it I am redirected from on the infected computer.  I checked the sites via another computer, but with everything in them I can't be absolutely sure it's the same problem, though I believe it is or at least it's a similar one.

I have and will post here screenshots of two of the Avast warnings, as well as one of the virus popups, and fresh scan logs from Avast, Spybot S&D, Malwarebytes, Housecall, and HijackThis!.  I have used HijackThis! on recommendation from these forums before, and I know not to do anything in it without assistance, but often a log from it is requested, so I figured I'd provide one right away since I have the program.

Any help is appreciated.  I have used these forums once before to save a previous laptop from the grave, I hope to do the same this time.

[{(Images)}]
http://i188.photobucket.com/albums/z12/Raziel_Shadowchild/Virus%20Shit/avast1.jpg
http://i188.photobucket.com/albums/z12/Raziel_Shadowchild/Virus%20Shit/avast2.jpg
http://i188.photobucket.com/albums/z12/Raziel_Shadowchild/Virus%20Shit/avast3.jpg
http://i188.photobucket.com/albums/z12/Raziel_Shadowchild/Virus%20Shit/viruspopup1.jpg
http://i188.photobucket.com/albums/z12/Raziel_Shadowchild/Virus%20Shit/avastlog.jpg
http://i188.photobucket.com/albums/z12/Raziel_Shadowchild/Virus%20Shit/spybotsdlog.jpg
http://i188.photobucket.com/albums/z12/Raziel_Shadowchild/Virus%20Shit/housecalllog.jpg
[{(END)}]
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: Pondus on October 29, 2010, 09:00:05 AM
You did not update Malwarebytes before you scanned, so you have used a very old database: 4449, latest is 4985? Malwarebytes is releasing several updates a day...

So update Malwarebytes, scan again and post the new log.
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: SafeSurf on October 29, 2010, 09:22:02 AM
In addition to what Pondus posted about updating and running MBAM again and posting your log, check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0

Follow the directions for obtaining the OTL logs.  Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).  Thank you.
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: YoKenny on October 29, 2010, 01:38:15 PM
After you fix the problem then please read:
Support for Windows XP Service Pack 2 ends on July 13, 2010
http://support.microsoft.com/gp/lifean31

You will need to update to SP3 as it has many Critical Updates and system performance improvements.
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: Dorian Saignren on October 29, 2010, 05:41:08 PM
Thank you for your help so far, I will get on these right away.

Also, Swarnava Sengupta (a Junior Member) sent me a PM saying the following:
"please reply me back..i will tell you the solution"
I cannot reply back to him being relatively a newb on here.  Few posts and whatnot.
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: Pondus on October 29, 2010, 05:45:28 PM
You need 20 posts before you can reply to PMs.

Update MBAM and do a new scan and see if that may fix it... and post the log.

OBS: SpyBot is no good, I would absolutely replace it with SUPERAntiSpyware   http://filehippo.com/download_superantispyware/

Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: DavidR on October 29, 2010, 06:05:08 PM
Quote from: Dorian Saignren
<snip>
Also, Swarnava Sengupta (a Junior Member) sent me a PM saying the following:
"please reply me back..i will tell you the solution"
I cannot reply back to him being relatively a newb on here.  Few posts and whatnot.

Even if you could reply or use the PM function I would advise against it.

Why? You don't know who they are or their experience level, and this goes for anyone sending you a PM to offer the same. Helping outside of the forum only helps one person, when the answer could help many others who might read this in the future or be following it now.

I can't see why they can't simply post the supposed solution in the topic/forum.

Solutions not posted on the forum don't have the benefit of others seeing what that solution might be and offer comments on said solution, especially if there are flaws in it.

This isn't to say the solution that might be offered by PM isn't going to be right, it just doesn't have any scrutiny and doesn't help others. This is why support via PM isn't advised and one of the reasons why I have the "No support PMs thanks" in my profile info as it only helps one person.

Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: DavidR on October 29, 2010, 06:14:24 PM
Registry Defender is a rogue security program so if you have installed it, then you need to remove it.

Quote from: Bleeping Computers
Registry Defender Platinum is a rogue registry cleaning program that is advertised via malware such as the Vundo Trojan. When infected with Vundo, pop-ups will be displayed that state your Windows Registry is corrupted and that you should download and install Registry Defender Platinum. If you decide to download and install the program it will be configured to start automatically when your computer turns on. When running, the program will perform a scan and state that you have numerous Windows Registry problems. It will not, though, allow you to fix these problems until you purchase the program. Even if the program was actually describing legitimate problems, we would never know. This is because it does not explicitly state what the problems are. Instead it just states you have a problem and asks you to spend money to fix it. Legitimate programs in this category, on the other hand, would provide specific details as to each problem that has been detected.

http://www.bleepingcomputer.com/virus-removal/registry-defender-removal
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: Dorian Saignren on October 29, 2010, 06:18:36 PM
I'm running MBAM right now, and I had actually just realized I should replace with SAS... I went through my old Avast forum posts and found it listed in there and I facepalmed that second... I got Spybot because I recognized it and I didn't know what else to run.  I also plan to get Webroot Desktop Firewall again...  Alright, for the hell of it... An updated list from various sources for what I plan to use for protecting and optimizing my computer.

The first six were recommended here.
Avast! Antivirus (of course :P)
SUPERAntiSpyware
Malwarebytes Anti-Malware
Webroot Desktop Firewall
HijackThis!
OTL
CCleaner  (recommended to me actually by a 'mafia' dedicated to IMVU, mainly for the purpose of cleaning out your records before trying one of their cheat methods or the surveys for free credits)
Housecall (recommended to me by my father, who has used it repeatedly and has a degree in networking)

Also, in regards to the PM, I had planned to tell them to post in here in my reply, only to find out that I couldn't reply.  A friend of mine actually followed PM 'computer repair' advice once and it was just the opposite, and I have been using forums avidly for over a decade, knowing full well the idiots and asses that sometimes abuse the PM feature on some.  So for something this important, I'm not about to trust a PM convo.  I was just hoping they were tracking this and would reply here since I couldn't reply via PM, or perhaps someone recognized them and could offer insight into their motives.

And as far as I can tell I have not installed Registry Defender.  The only protection programs I have installed right now are as follows.

Avast! Antivirus
Malwarebytes Anti-Malware
Spybot S&D
CCleaner
HijackThis!
And I have used Housecall three times in the past few days.
I also have BitTorrent and Gamebooster on my computer, but aside from that anything else on here SHOULD be factory... I've been uninstalling everything I usually use to increase the speed of scans and to narrow the search.

For the record, I'll also be thoroughly scanning my portable drives and flash drives after this is fixed, but until I have it fixed I'm not connecting them again.
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: Dorian Saignren on October 29, 2010, 08:47:47 PM
Alright, attached are logs from MBAM (fully updated) and OTL.

Also, 2 things... Firstly, I don't think svchost.exe is supposed to take up 50% of my CPU ever...  And secondly, I can't access Avast forums from my computer anymore so updates will come more sporadically since I have to get to the public library simply to check it...

NOTE: I was able to get the site to work again using the 'Last Known Good Configuration' in the boot menu (where it has safemode and shit too). So these logs might need to be redone again...
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: Pondus on October 29, 2010, 08:50:52 PM
Quote
And secondly, I can't access Avast forums from my computer anymore
Forum Down http://forum.avast.com/index.php?topic=65645.0


Quote
Webroot Desktop Firewall
My favorite: Outpost Free, almost fully automatic, and that is why I like it http://free.agnitum.com/
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: DavidR on October 29, 2010, 08:51:15 PM
Quote from: Dorian Saignren
And as far as I can tell I have not installed Registry Defender.
It is just that one of your images (viruspopup1) has Registry Defender displayed on it. It would normally first start as a drive-by download, trying to get you to download and install, etc.

So it was more precautionary, but may be worth looking through the info on the link for any associated issues/files, etc...
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: essexboy on October 29, 2010, 09:57:56 PM
My first recommendation would be to update to IE8 as soon as possible as IE6 has more holes than a sieve  ;D
Once this run is complete can you let me know what your current problems are


Run OTL
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: Dorian Saignren on October 29, 2010, 10:28:19 PM
Here it is.  As for updating IE... well I never use it >.<  I used Firefox up until it bugged so bad it wouldn't open (I think it was the virus, not sure though) I plan to get it back when this is all taken care of.  Though which would you recommend? IE8 or Firefox?
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: essexboy on October 29, 2010, 10:45:36 PM
Unfortunately it is a common misconception that if you do not use IE you do not need to update it.  IE is integral to Windows and has hooks/shared files with other system elements.  So you definitely need IE8 even if you do not use it.  My personal preference is for IE, but the choice is yours  ;D

I would like to run ComboFix now as a few of the BHOs have not gone

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: Dorian Saignren on October 29, 2010, 11:18:15 PM
Here it is.

Should I be worried if something in it said it failed to initialize right before it rebooted my computer?

Also, should I put on IE8 right away or wait till I'm done running fixes here?
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: essexboy on October 29, 2010, 11:28:26 PM
OK, that now looks good. I would get IE8 and SP3 ASAP to block any security holes.  Are you experiencing any problems?
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: Dorian Saignren on October 29, 2010, 11:44:32 PM
Not at the moment, I will come back though if I do.  Thank you for your help.  I am going to update and get rid of Spybot tonight, as well as get either Webroot or Outpost (any other recommendations on which?) tonight, and keep a watch on things to see if problems persist.
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: essexboy on October 29, 2010, 11:46:24 PM
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself.  MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT.  But they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems.

Upgrading Java:
SPRING CLEAN
 
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe  :wave:
Title: Re: Malicious URL/Trojan Imposter Repelled Alerts
Post by: YoKenny on October 30, 2010, 01:46:09 PM
Please read
Quote
Windows Explorer is a file manager application that is included with releases of the Microsoft Windows operating system from Windows 95 onwards. It provides a graphical user interface for accessing the file systems. It is also the component of the operating system that presents many user interface items on the monitor such as the taskbar and desktop. Controlling the computer is possible without Windows Explorer running (for example, the File | Run command in Task Manager on NT-derived versions of Windows will function without it, as will commands typed in a command prompt window). It is sometimes referred to as the Windows Shell, explorer.exe, or simply “Explorer”.
http://en.wikipedia.org/wiki/Windows_Explorer