Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Sithru22 on November 02, 2010, 02:00:53 AM

Title: Malicious URL Blocked
Post by: Sithru22 on November 02, 2010, 02:00:53 AM
Malicious URL Blocked
avast! Network Shield has blocked a harmful site.
object:  z0g7yail0.com/Jvu0rYyL866ywQC6Y2xrPTIumMSZiaWQ9MDQ1MDkxYTIzl
Infection: URL:Mal
Action:  Blocked
Process:  C:\WINDOWS\System32\svchost.exe

Can anyone tell me what this is, and what I can do to stop it.
Thanks
Title: Re: Malicious URL Blocked
Post by: SafeSurf on November 02, 2010, 02:02:08 AM
Hello Sithru22 and welcome to the forum.

Are you getting a red pop-up window with this alert?
Title: Re: Malicious URL Blocked
Post by: Sithru22 on November 02, 2010, 02:09:32 AM
Yes, and I do not know how to print it.
Title: Re: Malicious URL Blocked
Post by: SafeSurf on November 02, 2010, 02:15:20 AM
Malicious URL Blocked
avast! Network Shield has blocked a harmful site.
What you are seeing is an alert by Avast telling you that it detected something harmful on a site, and it blocked the action to protect you ("action blocked").  Avast was doing its job to protect you.

You can submit the URL to VirusTotal if you like for analysis: http://www.virustotal.com/, then if you like report back the results in this thread (cut and paste the report).
Title: Re: Malicious URL Blocked
Post by: DavidR on November 02, 2010, 02:18:12 AM
There is something hidden/undetected on your system mis-using svchost.exe to connect. The only time the svchost.exe usually connects is for windows updates and this isn't the case here.

So whilst avast is blocking access to the malicious site we need to find the cause.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. See http://en.wikipedia.org/wiki/HTTP_cookie.
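DavidR's reasoning above (svchost.exe should only be reaching Windows Update, so a Network Shield block attributed to svchost.exe points at something hidden on the machine) can be written down as a triage rule over the alert text. This is an added example, not code from the forum or from Avast; the alert is the one quoted in the first post plus a second constructed one for contrast, and the list of update hosts is an assumption.

```python
import re

# Constructed input: the Network Shield alert quoted in the first post, followed by
# a second alert constructed for contrast (browser-initiated instead of svchost.exe).
ALERTS = """\
Malicious URL Blocked
avast! Network Shield has blocked a harmful site.
object:  z0g7yail0.com/Jvu0rYyL866ywQC6Y2xrPTIumMSZiaWQ9MDQ1MDkxYTIzl
Infection: URL:Mal
Action:  Blocked
Process:  C:\\WINDOWS\\System32\\svchost.exe

Malicious URL Blocked
avast! Network Shield has blocked a harmful site.
object:  example.invalid/ad.js
Infection: URL:Mal
Action:  Blocked
Process:  C:\\Program Files\\Internet Explorer\\iexplore.exe
"""

# Hosts svchost.exe legitimately reaches for Windows Update (assumed list, not from the page).
UPDATE_HOSTS = ("windowsupdate.com", "update.microsoft.com", "windowsupdate.microsoft.com")

FIELD = re.compile(r"^(object|Infection|Action|Process):\s*(.+?)\s*$", re.M)

def parse_alerts(text):
    """Split the alert text into one dict per alert, keyed by its four fields plus host."""
    alerts = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {k.lower(): v for k, v in FIELD.findall(chunk)}
        if "object" in fields:
            fields["host"] = fields["object"].split("/", 1)[0].lower()
            alerts.append(fields)
    return alerts

def triage(alert):
    """Return a short verdict: which process made the request tells you where to look."""
    proc = alert["process"].rsplit("\\", 1)[-1].lower()
    host = alert["host"]
    if proc == "svchost.exe":
        if any(host == h or host.endswith("." + h) for h in UPDATE_HOSTS):
            return "svchost.exe to an update host: probably a false positive, re-check signatures"
        # A service host talking to an arbitrary site is the pattern DavidR describes:
        # something loaded into or driving svchost.exe, so run an on-demand scan.
        return "svchost.exe to non-update host: suspect hidden malware, run an on-demand scan"
    if proc in ("iexplore.exe", "firefox.exe", "chrome.exe"):
        return "browser-initiated: block held, check the page you were visiting"
    return "unknown process %s: investigate what launched it" % proc

if __name__ == "__main__":
    for a in parse_alerts(ALERTS):
        print(a["process"], "->", a["host"], ":", triage(a))
```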
Title: Re: Malicious URL Blocked
Post by: Sithru22 on November 02, 2010, 03:12:51 AM
That will stop it?
Title: Re: Malicious URL Blocked
Post by: DavidR on November 02, 2010, 03:21:18 AM
I don't know; as it is currently unidentified/hidden, we have to try other tools.
Title: Re: Malicious URL Blocked
Post by: SafeSurf on November 02, 2010, 10:23:01 AM
MBAM is a simple diagnostic tool that many of us here use, and in your situation can help us identify problems.

Check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
- Download free http://www.malwarebytes.org/ for an on-demand scanner.
- Double-click mbam-setup.exe to install the application.
- After install, click Update so you have the latest database before scanning.
- Under Settings:
  - General: Automatically Save File After Scan Completes is checked off
  - Scanner Settings: Check all boxes
  - Updater: Download and install update if available is checked off
- Once the program has loaded, select "Perform FULL Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note.)
- Click the “Remove Selected” button to quarantine anything found. You will find the infection details under the Quarantine tab.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts -- Click OK to either and let MBAM proceed with the disinfection process; If asked to restart the computer, please do so immediately.

Please let us know if you have any questions.  Thank you.
Title: Re: Malicious URL Blocked
Post by: Sithru22 on November 02, 2010, 01:16:30 PM
Here it is. I could not post all of it, so I tried attaching it.


Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/1/2010 9:21:39 PM
mbam-log-2010-11-01 (21-21-39).txt

Scan type: Quick scan
Objects scanned: 168824
Time elapsed: 11 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 269

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\sapstri.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Error Fix (Rogue.ErrorFix) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Error Fix (Rogue.ErrorFix) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfolo (Trojan.Hiloti) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\Logs (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\PCOBackups (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280 (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\Results (Rogue.ErrorFix) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\sapstri.dll (Trojan.Hiloti) -> Delete on reboot.
C:\Documents and Settings\Sharon Ruth\My Documents\downloads\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Local Settings\Temp\BUDVWMQkCH.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Local Settings\Temp\0.3744030822625166.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Local Settings\Temp\FSWwLvAcjG.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Local Settings\Temp\WINDOWS_SECURITY_CENTER.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Local Settings\Temporary Internet Files\Content.IE5\AGY99AY2\setup[1].exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Local Settings\Temporary Internet Files\Content.IE5\GZNQY52U\setup[1].exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Local Settings\Temporary Internet Files\Content.IE5\I8EEBG7F\setup[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\spy_ignore.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\Logs\2010-10-07 16-41-530.log (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\filelist.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-0.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-1.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-10.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-100.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-101.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-102.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-103.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-104.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-105.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-106.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-107.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-108.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-109.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-11.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-110.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-111.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-112.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-113.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-114.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-115.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-116.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
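A log like the one above is easier to act on once it is summarised: which malware families were found, which items MBAM could only schedule for removal at the next reboot (the question DavidR asks next), and which registry entries restart the malware at logon. This is an added example, not something posted in the thread or part of MBAM; it parses a trimmed excerpt of the log in the same format, with the user profile name replaced by the placeholder USERNAME.

```python
import re
from collections import Counter

# Constructed input: a trimmed excerpt of the MBAM log above (same line format,
# far fewer lines; profile name replaced by the placeholder USERNAME).
MBAM_LOG = """\
Scan type: Quick scan
Objects scanned: 168824

Memory Modules Infected:
C:\\WINDOWS\\sapstri.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\sfolo (Trojan.Hiloti) -> Delete on reboot.

Files Infected:
C:\\WINDOWS\\sapstri.dll (Trojan.Hiloti) -> Delete on reboot.
C:\\Documents and Settings\\USERNAME\\Local Settings\\Temp\\BUDVWMQkCH.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\\Documents and Settings\\USERNAME\\Local Settings\\Temporary Internet Files\\Content.IE5\\I8EEBG7F\\setup[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

# One MBAM detection line has the shape: <item> (<family>) -> <action>.
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (section, item, family, action) for every detection line, tracking the section header."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(" Infected:"):      # section header such as "Files Infected:"
            section = line[:-1]
            continue
        m = ENTRY.match(line)
        if m and section:
            entries.append((section, m["item"], m["family"], m["action"]))
    return entries

def pending_reboot(entries):
    """Items MBAM could not remove while running; they are only gone after the next reboot."""
    return sorted({item for _, item, _, action in entries if action.startswith("Delete on reboot")})

def families(entries):
    """Count detections per malware family so the dominant infection stands out."""
    return Counter(family for _, _, family, _ in entries)

def persistence(entries):
    """Registry Run values are what restarts the malware at logon."""
    return [item for sec, item, _, _ in entries
            if sec.startswith("Registry") and "\\CurrentVersion\\Run\\" in item]

if __name__ == "__main__":
    e = parse_mbam_log(MBAM_LOG)
    print("families:", dict(families(e)))
    print("still pending reboot:", pending_reboot(e))
    print("autostart entries:", persistence(e))
```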
Title: Re: Malicious URL Blocked
Post by: DavidR on November 02, 2010, 03:03:37 PM
I take it that you have now rebooted to allow MBAM to remove this file, C:\WINDOWS\sapstri.dll?
This is the cause of the attempted downloads, as Trojan.Hiloti is a trojan downloader which is trying to access malicious sites to download more malware.

If you haven't yet done that you could add it to the avast chest and send to avast for analysis (see below) to have it added to the avast signatures.

- Send the sample to avast as an Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.
Title: Re: Malicious URL Blocked
Post by: Sithru22 on November 02, 2010, 09:48:05 PM
Thank you so much for helping me. I found a post that said I could use a tool from Microsoft to get rid of the Trojan.
It is gone now, because I can use Windows Update, where I could not get into it earlier.
Title: Re: Malicious URL Blocked
Post by: DavidR on November 02, 2010, 10:40:33 PM
You're welcome.

Always nice if you can send a sample to avast when found to improve detections. Though I know when you are up to your as* in alligators the last thing on your mind is draining the swamp.
Title: Re: Malicious URL Blocked
Post by: SafeSurf on November 03, 2010, 07:49:00 AM
Sithru22,

I'm glad things are working well now.  To help prevent infections in the future:

- Keep your Avast definitions up to date.
- Quick scans with MBAM on-demand as a backup, but remember to update prior to scanning.
- Keep your MS Updates current.
- Use safe browsing practices (see my, David's, and others' signatures as examples to add to your browsers).
- Make sure your software is current. Check out the free Secunia Software Inspector: http://secunia.com/vulnerability_scanning/personal/. Many of us here scan our system weekly since software is changing so rapidly, and this site offers the vendor's direct download for patches to make it easy to fix.
- You will find other helpful suggestions in our Avast Support forum section as well.

If you feel that your issue is now resolved/fixed, please go back to the first open post in this topic, click the modify button in that Post and change the title/subject, add [Resolved] to the beginning of the title so this thread can be closed. 

Feel free to come back any time you need help, to learn something new, or just to ask questions.  We are here 24/7 for your convenience.  Thank you.  :)
Title: Re: Malicious URL Blocked
Post by: aquamutt on November 17, 2010, 07:08:15 PM
Hi, I'm having the same problem as Sithru22 is, but Malwarebytes won't open.
Title: Re: Malicious URL Blocked
Post by: SafeSurf on November 18, 2010, 09:45:12 AM
@ aquamutt,

Why won't MBAM open?  Did you go to this site: http://www.malwarebytes.org/ (the blue button) to download it?

What error message are you getting?

Please give me more information about what your problem is.  Thank you.

Title: Re: Malicious URL Blocked
Post by: raresh on May 30, 2013, 08:04:55 PM
Hello,
I have the same problem, but I cannot open anything I download. Can you help me?
Title: Re: Malicious URL Blocked
Post by: essexboy on May 30, 2013, 08:42:47 PM
This topic is a few years old; could you start your own in the virus forum?
Title: Re: Malicious URL Blocked
Post by: vargthandor on May 30, 2013, 08:58:02 PM
---skip---
Thanks

Yeah! As I understand you! The same problem, only with a different URL.