Avast WEBforum
Other => Viruses and worms => Topic started by: badger66 on February 18, 2011, 09:52:37 PM
-
When running IE 8.0 on my home computer, I get a message from avast! about every minute or two with the following format:
MALICIOUS URL BLOCKED
avast! Network Shield has blocked a harmful site.
Object: 213.155.22.144/Ocentra/gate.php?guid=5.1.2600!GLENN!28A9229D&ve
Infection: URL:Mal
Action: Blocked
Process: C:\WINDOWS\Explorer.EXE
At times the "213.155.22.144" is replaced with "1gt5324dx.ru" or "1gt6342dx.ru"
I've run MBAM, SuperAntiSpyware, avast!, and an avast! boot scan. Several items showed up, which were quarantined, after which I restarted (running XP). This message continues to come up and I cannot figure out what is causing it.
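The alert format quoted in the post carries more than the blocked host. As an added example (not code from the thread or from avast!), the Python below parses alerts of that shape, extracts the gate.php beacon URL and decodes its guid= field, which in the quoted alert holds the Windows version string (5.1.2600 is Windows XP), the victim's computer name (GLENN) and a third token; that the third token is a per-bot identifier is an assumption. It then groups the C&C hosts contacted by the same bot, so the IP and the two .ru names quoted above fall together as one infection rotating through several drop points. The sample alerts are constructed from the three hosts the post names; the trailing "&ve" is truncated in the post and left as-is. The browser list is an assumption; a beacon attributed to Explorer.EXE rather than a browser is itself a signal of injected code.

```python
"""Decode avast! Network Shield alerts that point at a SpyEye-style gate.php beacon.

Added example; not code from the forum thread or from avast!. The alert text
format is the one quoted in the post; SAMPLE_ALERTS is constructed from the
three hosts the post names (the trailing "&ve" is truncated in the post).
"""
import ntpath
import re
from urllib.parse import parse_qs, urlsplit

ALERT_HEADER = "MALICIOUS URL BLOCKED"
FIELD_RE = re.compile(r"^(Object|Infection|Action|Process):\s*(.*)$")

# Processes that legitimately originate web requests on this box (assumption).
BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe", "safari.exe"}

SAMPLE_ALERTS = r"""
MALICIOUS URL BLOCKED
avast! Network Shield has blocked a harmful site.
Object: 213.155.22.144/Ocentra/gate.php?guid=5.1.2600!GLENN!28A9229D&ve
Infection: URL:Mal
Action: Blocked
Process: C:\WINDOWS\Explorer.EXE
MALICIOUS URL BLOCKED
avast! Network Shield has blocked a harmful site.
Object: 1gt5324dx.ru/Ocentra/gate.php?guid=5.1.2600!GLENN!28A9229D&ve
Infection: URL:Mal
Action: Blocked
Process: C:\WINDOWS\Explorer.EXE
MALICIOUS URL BLOCKED
avast! Network Shield has blocked a harmful site.
Object: 1gt6342dx.ru/Ocentra/gate.php?guid=5.1.2600!GLENN!28A9229D&ve
Infection: URL:Mal
Action: Blocked
Process: C:\WINDOWS\Explorer.EXE
"""


def parse_alerts(text):
    """Split avast! alert text into one dict per alert (keys: object, infection, action, process)."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == ALERT_HEADER:
            current = {}
            alerts.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip()
    return alerts


def decode_gate(obj):
    """Return C&C host, path and decoded guid fields for a gate.php beacon, else None.

    The guid layout <os version>!<computer name>!<id> is read off the quoted alert;
    that the third field is a per-bot identifier is an assumption.
    """
    url = obj if "://" in obj else "http://" + obj   # avast! prints the URL without a scheme
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/gate.php"):
        return None
    guid = parse_qs(parts.query).get("guid", [""])[0]
    fields = guid.split("!")
    if len(fields) != 3:
        return None
    os_version, computer_name, bot_id = fields
    return {
        "c2_host": parts.hostname,
        "path": parts.path,
        "os_version": os_version,          # 5.1.2600 is Windows XP
        "victim_hostname": computer_name,  # leaked in clear text with every beacon
        "bot_id": bot_id,
    }


def triage(text):
    """Decode every gate.php alert in the text and note whether the request came from a browser."""
    findings = []
    for alert in parse_alerts(text):
        decoded = decode_gate(alert.get("object", ""))
        if decoded is None:
            continue
        process = alert.get("process", "")
        decoded["process"] = process
        # A beacon attributed to Explorer.EXE rather than a browser points at injected code.
        decoded["from_browser"] = ntpath.basename(process).lower() in BROWSERS
        findings.append(decoded)
    return findings


def c2_hosts_by_bot(findings):
    """Group C&C hosts per (path, victim, bot id): one bot rotating through several C&C names."""
    groups = {}
    for f in findings:
        key = (f["path"], f["victim_hostname"], f["bot_id"])
        groups.setdefault(key, set()).add(f["c2_host"])
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_ALERTS)
    for f in found:
        print(f"{f['c2_host']:<16} victim={f['victim_hostname']} os={f['os_version']} "
              f"id={f['bot_id']} from_browser={f['from_browser']}")
    print(c2_hosts_by_bot(found))
```

Run it on the alert text saved from the avast! window; the grouping is what tells you the three hosts are one infection rather than three, and the computer name in the guid is what the helpers later match against the hostname in the OTS log.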
-
Have you tried cleaning your temp files?
TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.
Can you post the Malwarebytes and SuperAntiSpyware scan logs?
-
Look here: https://spyeyetracker.abuse.ch/monitor.php?host=213.155.22.144&id=9e73b6e03b992d84b1ba718071ea90a4
and
http://wepawet.iseclab.org/view.php?hash=ea1a480886ce0d25ad1c86d40e4c1154&t=1298070992&type=js
SPAMHAUS info:
SBL103869 213.155.4.32/32 hosting.ua
18-Feb 20:33 GMT SpyEye Botnet C&C server @213.155.4.32
Has not been removed yet; C&C server in Ukraine for a bot (known as SpyEye), which has properties similar to Zeus Bot.
polonus
-
Update........
I needed to do some on-line banking. When I signed into the banking website, a screen came up headlined by "Security Alert", with entries asking for account number, password, mother's maiden name, etc. I quickly closed the internet webpage, then went to my wife's computer, accessed the banking webpage and changed my user name and password.
I also have seen the original "Threat Detected" message when I've just been using e-mail, not even in IE. I looked into the TFC - Temp File Cleaner by OldTimer suggestion but was scared off by some of the user comments about running the program, such as losing all of their My Documents files.
Any suggestions?
-
You could run a full scan with MBAM, get it from here http://www.malwarebytes.org/mbam-download.php
After this, run the CCleaner (freeware) installer, downloading it from here http://www.filehippo.com/download_ccleaner/download/1d59b13e3d0824a0c054077615cab5c3/ , and uncheck the option to install the Yahoo toolbar (unless you want the Yahoo toolbar).
Once installed, run the CCleaner by clicking its icon on your Desktop or "Start" => "All programs" => "CCleaner".
The following should be selected by default, if not, please select: see attached GIF
Then please click options and choose advanced
Please uncheck Only delete files in Windows Temp older than 48 hrs
Then go back to Run Cleaner and click to run it.
After the virus and Trojans are removed, the registry is still destroyed or modified, so the computer still has problems. That's why you need to repair the registry. Use this program, downloaded from here: http://www.regsofts.com/download/RegpairSetup.exe
polonus
-
I also have seen the original "Threat Detected" message when I've just been using e-mail, not even in IE. I looked into the TFC - Temp File Cleaner by OldTimer suggestion but was scared off by some of the user comments about running the program, such as losing all of their My Documents files.
The newest post there is from June 2009, so all bugs should be fixed......
-
The problems with TFC were user-induced, by placing important data in temporary files or the recycle bin for safekeeping!
There are currently no known problems with TFC
EDIT : Check your proxy settings
Go to Control Panel and select Internet Options
Select the Connections TAB
Select LAN settings button
Ensure there is no tick in the Proxy Server box
Select OK and restart Internet explorer
And for Firefox there are instructions on this page (http://davidtse916.wordpress.com/2008/07/05/university-of-otago-firefoxs-proxy-auto-detection-problem-in-vista/), and you want the setting to be no proxy.
-
Update........
I did check my Internet Explorer proxy settings and the Proxy Server box was checked. I unchecked it and restarted my system. However, the problem still exists.
The situation has changed relative to when the "Malicious URL Blocked" message comes up. I do not have to be in IE or e-mail. It comes up even if I have no programs active other than what normally runs in the background.
Unless someone suggests anything different, I'm going to rerun MBAM, then TFC, then CCleaner. I assume there is a rogue program running that must be started by my startup procedure, but I don't know how to track that down.
At least it doesn't appear that anything critical is going on. I can still use all my programs and avast! is still catching any attempt to get to the malicious URL.
Also, I tried yesterday to do a system restore but was unsuccessful.
-
Another question...........
I've heard about a program called HijackThis - should I run this also?
-
No, that does not go deep enough.
Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop and double-click on it to run it
- Make sure you close all other programs and don't use the PC while the scan runs.
- Select All Users
- Under additional scans select the following
Reg - NetSvcs
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
File - Purity Scan
- Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
- When the scan is complete Notepad will open with the report file loaded in it.
- Please attach the log in your next post.
-
After fixing my proxy setting in IE, I reran MBAM. It came up with the following:
Scan type: Full scan (C:\|)
Objects scanned: 242376
Time elapsed: 1 hour(s), 2 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\821hbfs.Bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.
Files Infected:
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp910\a0090586.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\rp916\a0092792.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\821hbfs.Bin\config.bin (Trojan.SpyEyes) -> Quarantined and deleted successfully.
This appears to have fixed my problem as I have not seen the "MALICIOUS URL BLOCKED" message in the last 10 minutes.
Should I still run OTS as was last advised?
Thanks to everyone for their help so far!!
Is it safe to delete old entries from the avast! virus chest?
-
If you could run OTS please as the automated tools cannot catch everything. Then attach the log
-
He needs to (and I have told him to report this in this topic), as there is still something else going on, as is apparent from another of his topics, http://forum.avast.com/index.php?topic=71728.0:
I've spent many hours fighting a "MALICIOUS URL BLOCKED" report from avast!. I've finally got the problem taken care of. However, while looking for possible problems I ran across both of these entries in the System Configuration Utility Start list. I unchecked NCPMFCD and have not seen any problems after restarting, and the box stays unchecked. When I uncheck the box associated with aqapadewiyohu.dll, apply, then restart, when I'm back running and check the SCU Start List the box has been rechecked. I'm trying to make sure I have all my problems taken care of.
The entry reads:
rundll32.exe "C:\WINDOWS\aqapadewiyohu.dll", Startup
Which, according to this, isn't taken care of, as it keeps being restored in startup.
-
And that from my point of view is definitely malware
-
Absolutely and that is what I have been telling him and trying to get him back into this topic.
-
Sorry for the delay - here is the OTS log I ran yesterday afternoon.
I also used CCleaner to look into the System Configuration Utility Startup. It says that aqapadewiyohu.dll executes a program called Idefatiwojiliquw, which a search on my computer cannot find. I tried to disable the entry via CCleaner and it comes right back again.
-
Give this a whirl, and once it has run update and run MBAM again please - posting the resultant log
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Modules - Safe List]
YY -> aqapadewiyohu.dll -> C:\WINDOWS\aqapadewiyohu.dll
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\] > -> HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Idefatiwojiliquw" -> C:\WINDOWS\aqapadewiyohu.dll [rundll32.exe "C:\WINDOWS\aqapadewiyohu.dll",Startup]
< Run [HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\] > -> HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "821hbfs.Bin.exe" -> [C:\821hbfs.Bin\821hbfs.Bin.exe]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Value error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\] > -> HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{39FD89BF-D3F1-45b6-BB56-3582CCF489E1}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}" [HKLM] -> [Reg Error: Value error.]
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\] > -> HKEY_USERS\S-1-5-21-3566469885-1729203438-2106367328-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
YN -> mcafee.com .[http] -> Trusted sites
YN -> mcafee.com .[https] -> Trusted sites
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} [HKLM] -> http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab [Reg Error: Key error.]
YN -> {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} [HKLM] -> http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5236/mcfscan.cab [Reg Error: Key error.]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77b197fd-48cb-11db-a4ac-000fb5ce3a21}\Shell\AutoRun\command ->
YN -> \{77b197fd-48cb-11db-a4ac-000fb5ce3a21}\Shell\AutoRun\command\\"" -> [F:\BOOTEX\thumbcache_131.exe]
YN -> \{77b197fd-48cb-11db-a4ac-000fb5ce3a21} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77b197fd-48cb-11db-a4ac-000fb5ce3a21}\Shell\explore\command ->
YN -> \{77b197fd-48cb-11db-a4ac-000fb5ce3a21}\Shell\explore\command\\"" -> [F:\BOOTEX/thumbcache_131.exe]
YN -> \{77b197fd-48cb-11db-a4ac-000fb5ce3a21} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{77b197fd-48cb-11db-a4ac-000fb5ce3a21}\Shell\open\command ->
YN -> \{77b197fd-48cb-11db-a4ac-000fb5ce3a21}\Shell\open\command\\"" -> [F:\.////BOOTEX/thumbcache_131.exe]
[Files/Folders - Modified Within 30 Days]
NY -> Ygavazayujup.dat -> C:\WINDOWS\Ygavazayujup.dat
NY -> Iyehuvubovis.bin -> C:\WINDOWS\Iyehuvubovis.bin
NY -> 8536.84E -> C:\Documents and Settings\Glenn Peterson\Application Data\8536.84E
NY -> kuhzmn.dat -> C:\Documents and Settings\Glenn Peterson\Application Data\kuhzmn.dat
[Files - No Company Name]
NY -> 8536.84E -> C:\Documents and Settings\Glenn Peterson\Application Data\8536.84E
NY -> Ygavazayujup.dat -> C:\WINDOWS\Ygavazayujup.dat
NY -> Iyehuvubovis.bin -> C:\WINDOWS\Iyehuvubovis.bin
NY -> kuhzmn.dat -> C:\Documents and Settings\Glenn Peterson\Application Data\kuhzmn.dat
NY -> aqapadewiyohu.dll -> C:\WINDOWS\aqapadewiyohu.dll
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
[Reboot]
The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.
I will review the information when it comes back in.
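The fix above acts on three kinds of entry from the OTS log: a Run value that has rundll32 load a DLL dropped straight into C:\WINDOWS, a Run value launching an executable from a random-named folder off the drive root (C:\821hbfs.Bin\821hbfs.Bin.exe), and MountPoints2 shell commands that point at a file on a removable drive (F:\BOOTEX\thumbcache_131.exe). As an added example (not code from the thread or from OTS), the Python below encodes those three checks and runs them over OTS-style lines. The sample input reproduces entries quoted in the log plus one constructed benign entry; the avast! install path in that entry and the two-DLL allowlist for the Windows root are assumptions used only to show the checks do not fire on ordinary software.

```python
r"""Triage of autostart entries from an OTS log.

Added example; not code from the thread or from OTS. SAMPLE_LINES reproduces
entries quoted in the thread plus one constructed benign entry (the avast!
install path is an assumption, used only as a negative case).
"""
import ntpath
import re

ENTRY_RE = re.compile(r"^(?P<flags>[YN]{2}) -> (?P<name>.+?) -> (?P<rest>.*)$")
BRACKET_RE = re.compile(r"\[(.*)\]\s*$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)', re.I)
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com|bat|cmd))', re.I)

SYSTEM_DIRS = ("C:\\WINDOWS", "C:\\PROGRAM FILES")
# DLLs that genuinely live in the Windows root on XP (example allowlist, extend as needed).
WINDIR_ROOT_DLLS = {"twain.dll", "twain_32.dll"}

SAMPLE_LINES = r'''
YY -> "Idefatiwojiliquw" -> C:\WINDOWS\aqapadewiyohu.dll [rundll32.exe "C:\WINDOWS\aqapadewiyohu.dll",Startup]
YN -> "821hbfs.Bin.exe" -> [C:\821hbfs.Bin\821hbfs.Bin.exe]
YN -> \{77b197fd-48cb-11db-a4ac-000fb5ce3a21}\Shell\AutoRun\command\\"" -> [F:\BOOTEX\thumbcache_131.exe]
YN -> "avastUI" -> C:\Program Files\Alwil Software\Avast5\avastUI.exe ["C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui]
'''


def parse_entries(text):
    """Parse OTS 'flags -> name -> value [command]' lines into dicts with the launched file."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        b = BRACKET_RE.search(rest)
        command = b.group(1) if b else rest
        dll = RUNDLL_RE.search(command)          # rundll32 target is the DLL, not rundll32 itself
        if dll:
            target = dll.group(1).strip()
        else:
            p = PATH_RE.search(command)
            target = p.group(1) if p else None
        entries.append({"flags": m.group("flags"), "name": m.group("name"),
                        "command": command, "target": target, "rundll32": bool(dll)})
    return entries


def assess(entry):
    """Return the reasons an entry looks like malware persistence (empty list = nothing flagged)."""
    reasons = []
    target = entry["target"]
    if not target:
        return reasons
    drive, _ = ntpath.splitdrive(target)
    folder = ntpath.dirname(target)
    base = ntpath.basename(target).lower()
    stem = ntpath.splitext(base)[0]
    shell_autorun = "\\shell\\" in entry["name"].lower()   # MountPoints2 AutoRun/open/explore command

    if entry["rundll32"] and folder.upper() == "C:\\WINDOWS" and base not in WINDIR_ROOT_DLLS:
        reasons.append("rundll32 loads a DLL dropped directly into %WINDIR%")
    if shell_autorun and drive.upper() != "C:":
        reasons.append(f"shell autorun command points at a non-system drive ({drive})")
    if not shell_autorun and not folder.upper().startswith(SYSTEM_DIRS):
        reasons.append("executable lives outside Program Files and Windows")
        if ntpath.dirname(folder) == drive + "\\" and ntpath.basename(folder).lower() == stem:
            reasons.append("folder off the drive root named after the executable")
    return reasons


def triage(text):
    """Return only the entries that tripped a heuristic, each with its reasons."""
    flagged = []
    for e in parse_entries(text):
        reasons = assess(e)
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(e["name"], "->", e["target"])
        for r in e["reasons"]:
            print("   ", r)
```

Feed it the Run and MountPoints2 sections of an OTS log; the benign avast! line is there to show that the checks key on location and loader, not on the YN/YY flags, which only say whether the file exists.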
-
OTS hung with its window frozen, and the rest of the desktop was blank. I used the Windows Task Manager to execute explorer to get my desktop back, then answered yes to complete the deleting of files; it then did a system restart. The log is attached....
-
OTS did not freeze; it was removing the temporary files (420.00 MB).
Could you now run MBAM please and let me know what problems remain
-
I checked the System Configuration Utility Startup list - aqapadewiyohu.dll is disabled.
I will run MBAM - it usually takes about an hour.
-
Remove the tick from msconfig please, and once MBAM is done run a new OTS scan selecting the same elements as before.
Also when you get a chance open Avast > Virus chest
Right click in the chest area and select add
Navigate to C:\_OTS\C;\windows\aqapadewiyohu.dll
And add to the chest
Once it is in the chest right click and select send to virus labs
You may put my name as reporter if you wish
-
MBAM is clean - no errors.
The OTS log is attached.
I already sent a copy of aqapadewiyohu.dll to the virus lab this morning.
The box next to aqapadewiyohu.dll in SCU Startup is unchecked.
-
Clean as a baby's bum ;D Any further problems?
-
No problems I am aware of. However, I'm not sure what just happened. Can you tell me in a few simplified words what you just did? I feel comfortable with doing some things you asked but my understanding and expertise is limited......
Also, aqapadewiyohu.dll is still in SCU Startup (although unchecked). Can/should it be deleted using CCleaner?
By the way, thanks a lot for your help! I really appreciate it.......
-
Personally I wouldn't want it left there. If aqapadewiyohu.dll is no longer in the original location (which it shouldn't be), then you would get an error about a missing file (aqapadewiyohu.dll) when you restart Windows and it tries to register the aqapadewiyohu.dll file.
If you run CCleaner it should find the redundant/orphan entry in the startup so you can remove it; CCleaner should make a backup of the change (just in case).
-
Very basically, I removed the registry start entry and the file. I also cleared the file that was initiating it, 821hbfs.Bin.exe, via the HKCU key.
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.
Now the best part of the day ----- Your log now appears clean :thumbsup:
A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.
[Empty Temp Folders]
[EmptyFlash]
[ClearAllRestorePoints]
[Reboot]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished.
Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.
We will now confirm that your hidden files are set to hidden, as some of the tools I use will change that:
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.
Upgrading Java:
- Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 24 (http://java.sun.com/javase/downloads/index.jsp).
- Click the "Download" button to the right.
- Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
- Click on Continue.
- Click on the link to download Windows Offline Installation (jre-6u24-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then, from your desktop, double-click on the download to install the newest version. (Vista users: right-click on jre-6u24-windows-i586-p.exe and select "Run as an Administrator".)
SPRING CLEAN
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)
For the first run I would recommend a boot defrag and disk check
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Update and run weekly to keep your system clean.
Download and install the FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly; it will show you which programmes on your system need updating and give a download link.
It is critical to have both a firewall and an antivirus to protect your system, and to keep them updated.
To keep your operating system up to date visit - Microsoft Windows Update (http://windowsupdate.microsoft.com)
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Thanks for your help. I'll follow your instructions. Just FYI, I have MBAM installed and run it regularly. I also have Microsoft Update set to run automatically. FileHippo looks like a very useful tool. Obviously I have avast! running continuously. Do you have any suggestions for a firewall?
I'll read "How did I get infected in the first place" before I ask any more questions.
Thanks again......
-
Alas, I am on Win 7 using AIS, so I have no real data on other firewalls - apart from: steer clear of Zone Alarm.
-
OK - no Zone Alarm. I did everything you recommended and my system seems very stable. Probably needed some cleaning up.
Thanks again for all your help!
-
A little TLC always helps ;D
-
I have a problem with mine. When I downloaded something from the internet and opened it, it vanished and my avast! started to say "Malicious URL blocked".
This is my problem: when I open my PC it says "Malicious URL blocked"; it says it every time.
And then it says this:
MALICIOUS URL BLOCKED
Object: cloudanonconnection.com... bla bla bla
Infection: URL:Mal
Action: Blocked
Process: C:\WINDOWS\system32\svchost.exe