Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: davidz on November 17, 2010, 03:50:47 PM

Title: malcious url blocked
Post by: davidz on November 17, 2010, 03:50:47 PM

Hi !

I recently have been receiving new browsers opening while I'm on trusted sites (such as the bbc.co.uk), so I installed Avast!.  I've run a quick and deep scan and cleaned the note book.

However, I am still experiencing an alert "malcious url blocked", here is he file.

It appears that the file is located at:

C:\windows\system32\svchost.exe.

Does anyone know why this keeps happening and what I need to do to stop this from continuing?


Best,

David

Title: Re: malcious url blocked
Post by: nmb on November 17, 2010, 03:56:04 PM

Hi Davidz,

You surely need to clean up your system. So I have asked essexboy (http://forum.avast.com/index.php?action=profile;u=11091) to jump in.

Make sure you obey him ;)

nmb

Title: Re: malcious url blocked
Post by: essexboy on November 17, 2010, 09:10:50 PM

Hi there lets see what you have

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
  
• Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
svchost.exe
userinit.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    

Title: Re: malcious url blocked
Post by: davidz on November 18, 2010, 06:46:20 AM

Thanks a lot for the assistance you've afforded.

I've got those two txt files, now what action should I take?

Brgds,

David

Title: Re: malcious url blocked
Post by: SafeSurf on November 18, 2010, 10:26:03 AM

Quote from: davidz on November 18, 2010, 06:46:20 AM

I've got those two txt files, now what action should I take?

Post the two (2) OTL log as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop > Post). 

Essexboy will review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine now that you have provided the logs.  Thank you.

Title: Re: malcious url blocked
Post by: davidz on November 18, 2010, 12:14:12 PM

Thanks very much.  I am "new" to this so humble apologies for asking such questions.

Best Regards,

David

Title: Re: malcious url blocked
Post by: SafeSurf on November 18, 2010, 12:19:29 PM

Did you used to use Symantec/Norton on your machine?  Are you/have you used Advanced System Care (ASC)?

Title: Re: malcious url blocked
Post by: SafeSurf on November 18, 2010, 12:27:59 PM

David,

*** Please back up your data but no .EXE, .SCR or HTM(L) files. ***

Do you have another machine you can use to read the forum so that you are not using the infected one?  If not, please limit the time you are using this one.

Title: Re: malcious url blocked
Post by: davidz on November 18, 2010, 01:42:02 PM

Did you used to use Symantec/Norton on your machine? 

I think I am, should I disable Sumantec/Norton?


Are you/have you used Advanced System Care (ASC)?
Not sure what this is.


I do have other notebooks, I'm also experencing the issue with them.. :(

Thanks a lot..

David

Title: Re: malcious url blocked
Post by: essexboy on November 18, 2010, 10:00:05 PM

Hi two antivirus programmes do not make you twice as secure, they mak you less secure - please uninstall one

Also are you saying that all computers are getting redirected ? Are you on a wireless router ?

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  Quote

  :OTL
  [2007/12/25 09:57:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\DT\Application Data\Mozilla\Firefox\Profiles\3ys21ry6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
  O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
  O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
  O33 - MountPoints2\{4406ba60-8955-11dd-9268-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{4406ba60-8955-11dd-9268-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{55070428-7517-11df-9944-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{55070428-7517-11df-9944-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{602df7dd-8fc5-11dd-924c-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{602df7dd-8fc5-11dd-924c-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{63784838-07ed-11df-97ac-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{63784838-07ed-11df-97ac-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{6d39ab1c-5d78-11dd-91f6-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{6d39ab1c-5d78-11dd-91f6-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{73a32bb5-e4a2-11df-9a90-00038a000015}\Shell\AutoRun\command - "" = E:\APPInst.exe -- File not found
  O33 - MountPoints2\{96661a18-49d6-11dc-8e6e-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{96661a18-49d6-11dc-8e6e-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{b2da9e34-9b6b-11dc-8f11-00038a000015}\Shell - "" = AutoRun
  O33 - MountPoints2\{b2da9e34-9b6b-11dc-8f11-00038a000015}\Shell\AutoRun - "" = Auto&Play
  O33 - MountPoints2\{c2e3612a-a81f-11dc-8f52-00038a000015}\Shell - "" = AutoRun
  O33 - MountPoints2\{c2e3612a-a81f-11dc-8f52-00038a000015}\Shell\AutoRun - "" = Auto&Play
  O33 - MountPoints2\{c4beafa2-1e49-11df-9811-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{c4beafa2-1e49-11df-9811-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{f6a6dfcc-d888-11df-9a63-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{f6a6dfcc-d888-11df-9a63-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [EMPTYFLASH]
  [CREATERESTOREPOINT]
  [Reboot]

  
  
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  

THEN

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Title: Re: malcious url blocked
Post by: SafeSurf on November 19, 2010, 10:41:08 AM

@ davidz,

Here is the uninstaller tool for Symantec/Norton when Essexboy is ready for you to use it:

Download and run the Norton removal tool from here to clear them  http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN (http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN).  Or you can go here for additional information: http://uninstallers.blogspot.com/ (http://uninstallers.blogspot.com/).

@ Essexboy,

I thought I saw in the OTL log ASC (Advanced System Care), another security software, and this has given a LOT of users on the forum grief and seems to conflict with Avast, and they have needed to uninstall ASC (NOTE: leaves lots of remnants behind).  Can you check to see if you see this?  Thanks.

Title: Re: malcious url blocked
Post by: essexboy on November 19, 2010, 10:33:52 PM

For sure  ;D

Title: Re: malcious url blocked
Post by: davidz on November 20, 2010, 04:13:49 PM

Hi,

Sorry for my late reply.

 two antivirus programmes do not make you twice as secure, they mak you less secure - please uninstall one
(DZ) Norton has been removed

Also are you saying that all computers are getting redirected ? Are you on a wireless router ? appear
(DZ) all of my notebooks have this warning message appearing "malcious url blocked.  However, sometimes the web page appears in a new window (which I close)

Title: Re: malcious url blocked
Post by: essexboy on November 20, 2010, 04:18:30 PM

In that case either the router is infected or all systems are -  Continue with Combofix and reset the router


Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

Title: Re: malcious url blocked
Post by: davidz on November 20, 2010, 04:20:32 PM

Are you on a wireless router ?
(DZ) yes i am.  alas happends to the other nb which is connected to the router

Also, attached are the results of the 2nd quick scan.


Thanks so much,

DZ

Title: Re: malcious url blocked
Post by: essexboy on November 20, 2010, 04:22:20 PM

Did you see my previous re resetting the router

Title: Re: malcious url blocked
Post by: davidz on November 20, 2010, 04:28:04 PM

I suspect all note books are, as they all had the same usb drive (which had a virus) plugged in...

DZ..

Title: Re: malcious url blocked
Post by: essexboy on November 20, 2010, 04:31:44 PM

OK run Combofix on all notebooks, then post the logs giving each a name so that we can get the right fix for the right system

Title: Re: malcious url blocked
Post by: davidz on November 20, 2010, 05:06:58 PM

Thanks.

Here is the combofix.txt file (nookbook1)

DZ....

Title: Re: malcious url blocked
Post by: essexboy on November 20, 2010, 05:16:17 PM

Notebook 1

Quote

\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.

Main miscreant dead  ;D Now run MBAM on that one please

(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Title: Re: malcious url blocked
Post by: davidz on November 20, 2010, 05:50:25 PM

Hey,

Here you go (notebook1), there was one infected file which has been removed.

Thanks a million,

David

Title: Re: malcious url blocked
Post by: essexboy on November 20, 2010, 06:35:53 PM

Could you now cntinue to the next system - have the redirects ceased on notebook 1 ?

Title: Re: malcious url blocked
Post by: davidz on November 20, 2010, 06:57:39 PM

Notebook 1, yes! 

I'm nearly finished with 2 and 3.

Where were you from in Essex, I lived there for some time too..

Title: Re: malcious url blocked
Post by: essexboy on November 20, 2010, 07:00:29 PM

No longer in Essex - now in Cornwall  ;D  Originally from Romford

Title: Re: malcious url blocked
Post by: davidz on November 20, 2010, 07:06:26 PM

Notebook2, it appears that this is clean! :)

Yep, I know it, I lived for sometime in Billericay. 

Title: Re: malcious url blocked
Post by: davidz on November 20, 2010, 07:11:31 PM

Hope you don't mind me asking another question.

I also have a hard drive and a camera which I'm sure are infected. These have both been cleaned with Avast.  Could there be something on there and how do I find out? For the hard drive, I copied (or my wife did) photos off one notebook1.

Thanks so much,

David

Title: Re: malcious url blocked
Post by: essexboy on November 20, 2010, 07:12:44 PM

Mountpoints to remove from Notebook 2 - how is that running now ? I will need a further OTL run on system one when 3 is finished.  Scan the externals with Avast  ;D 

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  Quote

  :OTL
  O33 - MountPoints2\{83f0a34a-4eb9-11df-88a2-00224384bbe2}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{83f0a34a-4eb9-11df-88a2-00224384bbe2}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{bb853c54-8597-11df-88c2-00224384bbe2}\Shell\AutoRun\command - "" = E:\RESTORE\c-1-3-64-8794238531-8742492-9897532\DriveFix.exe -- File not found
  O33 - MountPoints2\{bb853c54-8597-11df-88c2-00224384bbe2}\Shell\open\command - "" = E:\RESTORE\c-1-3-64-8794238531-8742492-9897532\DriveFix.exe -- File not found
  O33 - MountPoints2\{c0597d3d-4570-11de-87f7-00224384bbe2}\Shell - "" = AutoRun
  O33 - MountPoints2\{c0597d3d-4570-11de-87f7-00224384bbe2}\Shell\AutoRun - "" = Auto&Play
  O33 - MountPoints2\{d24ecbe8-e57a-11de-887d-00224384bbe2}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{d24ecbe8-e57a-11de-887d-00224384bbe2}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
  O33 - MountPoints2\{ec152226-e8f5-11df-8917-002243e21c9f}\Shell\AutoRun\command - "" = E:\APPInst.exe -- File not found
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [EMPTYFLASH]
  [CREATERESTOREPOINT]
  [Reboot]

  
  
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done

Title: Re: malcious url blocked
Post by: davidz on November 20, 2010, 07:35:18 PM

USB device_1

Title: Re: malcious url blocked
Post by: essexboy on November 20, 2010, 07:37:21 PM

Where are we at, at the moment ?  How many systems are running good ? 

Title: Re: malcious url blocked
Post by: davidz on November 20, 2010, 07:41:58 PM

2 systems :)

The 3rd system must have frozen because the screen hasn't moved (see attached).  I'm at the combofix stage (which I'm sure you know!)

The response is:

Scanning for infected files
This typically doesn't take more than 10 minutes
However, scan times for badly infected machines may easily double

The screen hasn't moved in the last 40 mins..

Any thoughts!?

DZ

Title: Re: malcious url blocked
Post by: essexboy on November 20, 2010, 07:45:01 PM

Yep close - reboot to safe mode and try comboifx again, give it ten minutes and if it is not running throught the stages reboot again and run an OTL scan on that system - but the two done are OK ? 

Title: Re: malcious url blocked
Post by: davidz on November 20, 2010, 07:49:58 PM

but the two done are OK ? 
(DZ) Yes, they are fixed.

Here is the file for usb_device_2.

Thank you,
David

Title: Re: malcious url blocked
Post by: essexboy on November 20, 2010, 07:52:34 PM

As far as I can see, are they behaving now ?

Title: Re: malcious url blocked
Post by: davidz on November 20, 2010, 08:01:36 PM

the usb devices, yes

Title: Re: malcious url blocked
Post by: davidz on November 21, 2010, 04:45:37 PM

Hi,

Unable to run combofix on notebook3, keeps hanging in normal mode or safe.
  So, i ran mbam programme which returned 2 virus (see attached)

However, a malcious url appeared moments afte I closed down mbam programme.

Do you have any further bright ideas...

DZ...

Title: Re: malcious url blocked
Post by: essexboy on November 21, 2010, 05:10:27 PM

Could you run an OTL scan on number 3 please - also what is the AV on that system ?

Title: Re: malcious url blocked
Post by: davidz on November 21, 2010, 05:40:04 PM

No AV, as I couldn't pause Avast during the combi-fix stage..

See attached OTL.txt for notebook3

Thanks so much,

DZ

Title: Re: malcious url blocked
Post by: essexboy on November 21, 2010, 06:10:56 PM

Combofix appears to have run as it quarantined some items

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  Quote

  :OTL
  [2010/10/01 18:12:07 | 000,155,648 | ---- | M] () -- C:\HTGD0007.exe
  [2010/11/09 10:19:49 | 000,000,332 | -HS- | C] () -- C:\WINDOWS\tasks\rvlrcah.job
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [EMPTYFLASH]
  [CREATERESTOREPOINT]
  [Reboot]

  
  
• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
  

THEN

(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Title: Re: malcious url blocked
Post by: davidz on November 21, 2010, 06:26:42 PM

Here is the log from the OTL scan.

DZ

Title: Re: malcious url blocked
Post by: essexboy on November 21, 2010, 06:43:07 PM

OK what is the status of your systems now

Can you reel them off 1-2-3

Title: Re: malcious url blocked
Post by: davidz on November 21, 2010, 06:46:12 PM

1/2 = no issues
3 = no pop ups, no av

Ran malwarebytes and no malicious items were found

shall I re-install Avast AV?

DZ

Title: Re: malcious url blocked
Post by: davidz on November 21, 2010, 06:47:07 PM

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5163

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

21/11/2010 17:44:37
mbam-log-2010-11-21 (17-44-37).txt

Scan type: Quick scan
Objects scanned: 137100
Time elapsed: 12 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Title: Re: malcious url blocked
Post by: essexboy on November 21, 2010, 06:53:11 PM

Yep re-install AV and then once you are happy I will remove my tools and tidy up your systems

Title: Re: malcious url blocked
Post by: YoKenny on November 21, 2010, 07:00:13 PM

I see Windows 5.1.2600 Service Pack 2

Windows XP Service Pack 3 has been available for over 2 years that provides many Critical Updates and performance improvements:
Support for Windows XP Service Pack 2 ends on July 13, 2010
http://support.microsoft.com/gp/lifean31

I see that you now have more than 20 posts which will permit you to update your profile to include signature information.

Go to PROFILE then Modify Profile then Forum Profile Information then Please select your country: then Signature: and put information about your system just like my signature about your system just like my signature so that the helpers can offer pertinent advice.

Title: Re: malcious url blocked
Post by: essexboy on November 21, 2010, 07:02:44 PM

I can't say anything as I have just installed a VM with XP SP1  ::)

Title: Re: malcious url blocked
Post by: essexboy on November 21, 2010, 07:14:17 PM

OK clear up time - did you have a Vista amongst this lot ? Do this for each system

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset  System Restore points:

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  
  Quote

  :Commands
  [resethosts]
  [purity]
  [emptytemp]
  [EMPTYFLASH]
  [CLEARALLRESTOREPOINTS]
  [Reboot]

• Then click the Run Fix button at the top
  
• Let the program run unhindered, reboot the PC when it is done

Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself.  MBAM can be uninstalled via control panel add/remove along with ERUNT.  But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Do not show hidden files and folders.
  
• Click Yes to confirm.
• Click OK.

(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)   Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:

• Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 22 (http://java.sun.com/javase/downloads/index.jsp).
  
• Click the "Download" button to the right.
  
• Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  
• Click on Continue.
  
• Click on the link to download Windows Offline Installation (jre-6u22-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u22-windows-i586-p.exe and select "Run as an Administrator.")
  

SPRING CLEAN

Vista systems only

To manually create a new Restore Point

• Go to Control Panel and select System and Maintenance
  
• Select System
  
• On the left select Advance System Settings and accept the warning if you get one
  
• Select System Protection Tab
  
• Select Create at the bottom
  
• Type in a name i.e. Clean
• Select Create

Now we can purge the infected ones

• Go back to the System and Maintenance page
  
• Select Performance Information and Tools
  
• On the left select Open Disk Cleanup
  
• Select Files from all users and accept the warning if you get one
  
• In the drop down box select your main drive i.e. C
• For a few moments the system will make some calculations
• Select the More Options tab
  
• In the System Restore and Shadow Backups select Clean up
  
• Select Delete on the pop up
  
• Select OK
• Select Delete

You are now done

 
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
I would recommend a boot defrag and disc check for the first run (piccy below)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

• SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) to help prevent spyware from installing in the first place.
  (http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).  Run weekly to keep your system clean
  

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

• Microsoft Windows Update (http://windowsupdate.microsoft.com)
  

To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe  :wave:

Title: Re: malcious url blocked
Post by: davidz on November 23, 2010, 06:11:42 PM

Hi,

Sorry for my late reply (again).  I was travelling the last few days, therefore hence my silence.

I'm still having issues with notebook3 (nb3).  Avast URL blocker is appearing, twice in the last 5 minutes (after I turned my nb3 on).

I'm unable to run "combo fix" whilst in normal mode and now I'm trying in safe mode.

Stay tuned..

DZ..

Title: Re: malcious url blocked
Post by: davidz on November 23, 2010, 06:43:11 PM

Ok, that didn't work.  Hung ofr 30 minutes doing ZERO.

The NB3 is quite old and is using 32 bit.  I couldn't manage to download SP3.

What now...

DZ

Title: Re: malcious url blocked
Post by: essexboy on November 23, 2010, 10:10:06 PM

OK as it is only 3 being a pain now lets use a different tool

Download avz4.zip from here (http://z-oleg.com/avz4.zip)

• Unzip it to your desktop to a folder named avz4
  
• Double click on AVZ.exe to run it.
  
• Run an update by clicking the Auto Update button on the Right of the Log window: (http://i768.photobucket.com/albums/xx326/perplexus13/malware/avz-update-button.png)
  
• Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

• Start AVZ.
• Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with Malware removal mode enabled " check box.

(http://perplexus.geekstogo.com/avz-standardscripts-asa-removal.png)

• Click on the “Execute selected scripts”.
• Automatic scanning, healing and system check will be executed.
• A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  
• It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
• All applications will work properly after the system restart.

When restarted

• Start AVZ.
• Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis " check box.

(http://i768.photobucket.com/albums/xx326/perplexus13/malware/avz-standardscripts.png)

• Click on the "Execute selected scripts".
• A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Upload both virusinfo_syscure.zip and virusinfo_syscheck.zip to Mediafire (http://www.mediafire.com/) and post the sharing link.

Title: Re: malcious url blocked
Post by: davidz on November 24, 2010, 07:25:38 PM

http://www.mediafire.com/?89xrd6fi3kgljf2

http://www.mediafire.com/?7x76didjdajnc3c

Here you go..

DZ

Title: Re: malcious url blocked
Post by: essexboy on November 24, 2010, 09:10:55 PM

Hmm that showed nothing that would stop CF - lets re-run TDSSKiller again

Please read carefully and follow these steps. 

• Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your Desktop.
  
• Extract its contents to your desktop.
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
   
   
  (http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png)
   
   
  
• If an infected file is detected, the default action will be Cure, click on Continue.
   
   
  (http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png)
   
   
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
   
   
  (http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png)
   
   
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
   
   
  (http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png)
   
   
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  

Title: Re: malcious url blocked
Post by: davidz on November 25, 2010, 05:24:24 PM

Here is the txt file.

I took a picture of the Malcious object found too

Thanks a lot.

David

Title: Re: malcious url blocked
Post by: DavidR on November 25, 2010, 06:25:51 PM

I can't see the image detail, too smal, but it looks like an alert on tdsskiller.exe, is that right ?

If so it means you haven't disabled your security applications before running this tool, which I think is necessary ?

Title: Re: malcious url blocked
Post by: davidz on November 25, 2010, 07:45:25 PM

Hi..

The images says:

Malicious Objects
rookkit.win32.TDSS.TDL4

Title: Re: malcious url blocked
Post by: DavidR on November 25, 2010, 08:22:56 PM

OK, that window ask you to select an option, so is there an option on that screen ?

Your log shows that the User select action = Cure.

It didn't mention anything about a boot being required, so I can only presume that it has cured the problem. If you ran it again I wonder if it would find it again or whether you should reboot in any case and then check again.

However, I'm not too familiar with this tool so it may be best to wait for essexboy getting back to the topic.

Title: Re: malcious url blocked
Post by: essexboy on November 25, 2010, 09:19:24 PM

David is correct you do need to select cure for it to work - Could you run TDSSKiller again please and save the file as ANSI and not unicode please.  Allow TDSSKiller to cure the affected bit 

Title: Re: malcious url blocked
Post by: davidz on November 26, 2010, 05:38:54 AM

Hi,

I followed your instructions from the thread November 24, 2010, 07:10:55 PMPosted by: essexboy - that's when I took a photo of the screen (inlcuded this for your reference)

So, to recap.  I clicked on cure, the rebooted the notebook and attached the text file and is available in a previous thread  Posted on: Yesterday at 03:24:24 PM

What next...

Thank you,

David

Title: Re: malcious url blocked
Post by: SafeSurf on November 26, 2010, 09:01:44 AM

Wait for Essexboy to give you further instructions.  He is the main person at this point for your malware removal, while we support you in the background.  Thank you.

Title: Re: malcious url blocked
Post by: essexboy on November 26, 2010, 08:49:08 PM

Could you now retry combofix please - delete your current copy and download a fresh one

Title: Re: malcious url blocked
Post by: davidz on November 27, 2010, 07:20:08 AM

Deleted Combo Fix and tried again - Same experience as previously, the screen hangs and doesn't move.

However, I've not had any malicious alerts in the last 24 hours.

What should I do now?

Title: Re: malcious url blocked
Post by: davidz on November 27, 2010, 07:23:36 AM

Reply #45 on: November 21, 2010, 05:14:17 PM »

With respect to this post, I've cleared up notebook1 and followed your instructions within this thread.  No issues have been found for the last 5 days ;D ;D ;D

I will clean up notebook2, later today.

DZ!

Title: Re: malcious url blocked
Post by: essexboy on November 27, 2010, 02:34:19 PM

Lets run MBAM one more time to see if it detects anything

Title: Re: malcious url blocked
Post by: davidz on November 27, 2010, 03:26:05 PM

yah, tried that and that = ZERO!  ;D ;D

Shall I leave it for a few days and take a check from there?

Thanks a lot EB.

DZ...

Title: Re: malcious url blocked
Post by: essexboy on November 27, 2010, 03:29:22 PM

Yes please.  I think that the combofix non running is going to remain a mystery.  It may just be something specific to that one system 

Title: Re: malcious url blocked
Post by: davidz on December 04, 2010, 05:24:41 PM

Hi All,

Thanks a lot to all of you that helped with my issues, whether it be publicly or in the shadows.  All 3 notebooks have been working perfectly for the last week.

Also, I followed your instructions on page 4 of this thread.

Thanks so much,

All for now and roll on 2022!

DZ

Title: Re: malcious url blocked
Post by: essexboy on December 04, 2010, 05:57:48 PM

Glad to hear that - enjoy  ;D

Title: [RESOLVED] Re: malcious url blocked
Post by: SafeSurf on December 05, 2010, 10:01:52 AM

@ davidz,

We are happy to hear that your machines are working well now.  :D

Here are a few suggestions in addition to the ones given to you by Essexboy to keep you and your machineS safer in the future:

1.   Keep your definitions up to date for both Avast and MBAM. 
2.   Keep all your shields on with Avast.
3.   Update MBAM prior to scanning, then do Quick scans.
4.   Keep your MS Updates current.
5.   Add things to your browsers for safer browsing.  See my and DavidR's Signature as an example.
6.   Use common sense when browsing and do not go to risky sites.
7.   When downloading software, read what you are clicking and do not download adware toolbars, which are commonly opted in; look before you click or do a Custom installs to avoid putting unwanted toolbars on your machine that lead to spyware tracking or adware.
8.   Check to see that your software is up to date with the free Secunia Software Inspector http://secunia.com/vulnerability_scanning/personal/ (http://secunia.com/vulnerability_scanning/personal/) since software is changing all the time.  This site gives you the vendor's direct download link making it easy to upgrade your software.  Many of us here scan our machines weekly.

Please let us know if you have any questions.

-> Now that your issue is resolved/fixed, please go back to the first open post in this topic, click the modify button in that Post and change the title/subject, add [Resolved] to the beginning of the title so this thread can be closed. 

Feel free to come back any time you need help, to learn something new, or just to ask questions.  We are here 24/7 for your convenience.  Thank you for allow us to assist  you.