Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Coastal-Delaware on May 20, 2011, 07:59:06 PM

Title: Threat has been detected - Malicious URL Blocked
Post by: Coastal-Delaware on May 20, 2011, 07:59:06 PM

Object: Updateconnections.com/...  etc...
Infection: URL:Mal
Action: Blocked
Processes: C:\WINDOWS\System32\svchost.exe

This pop-up from avast has been going off for about a week. Last week, soon after the pop-up started, I was infected with the Windows Restore Virus. After a day of fighting the virus I was able to remove most of it, but if this pop-up is still coming up I'm guessing I still have some evil code lurking in my computer.

Avast alerts me of it but gives no solutions for its removal.

Any suggestions?
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: DavidR on May 20, 2011, 08:32:16 PM
Since you posted the aswMBR.txt file contents in the other topic, can you place it here in your own topic, so all information is together.

Since it was also inconclusive (in my limited experience of it) you can try another analysis and data gathering tool that will be helpful to other malware removal specialists.

Quote from: essexboy
Unfortunately no two attacks are the same so first I will need to see what you have.

Download OTS (http://oldtimer.geekstogo.com/OTS.exe) to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

Note: this says attach the file (too big for copy and paste); use the Additional Options in the Reply window to attach the file.

Hopefully essexboy can pick up on this topic.
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: Coastal-Delaware on May 20, 2011, 08:41:52 PM
Will do, and I apologize for the thread hijack.

I just ran another mbam scan two minutes ago and it found something else.

I've been running Avast, Avira, AVG, Spybot and MBAM scans for almost a week. The AV programs find something here and there, then remove it. A dozen or so scans will go by with no sign of a virus and then they come back again.

Avira just found TR/CRYPT.XPACK.Gen2

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-20 14:39:25
-----------------------------
14:39:25.609    OS Version: Windows 5.1.2600 Service Pack 2
14:39:25.609    Number of processors: 2 586 0x2302
14:39:25.609    ComputerName: GODMODE  UserName: 64Xdual
14:39:26.609    Initialize success
14:39:29.171    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000032
14:39:29.171    Disk 0 Vendor: WDC_WD1600JS-22MHB0 02.01C03 Size: 152626MB BusType: 3
14:39:29.171    Disk 1  \Device\Harddisk1\DR1 -> \Device\00000079
14:39:29.171    Disk 1 Vendor: ST3500630AS 3.AAK Size: 476940MB BusType: 3
14:39:29.171    Device \Device\00000077 -> \??\IDE#DiskWDC_WD1600JS-22MHB0_____________________02.01C03#2020202057202D4443574E41314D353036373331#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
14:39:29.171    Disk 0 MBR read error 0
14:39:29.171    Disk 0 MBR scan
14:39:29.171    Disk 0 unknown MBR code
14:39:29.171    MBR BIOS signature not found 0
14:39:29.171    Disk 0 scanning sectors +312576705
14:39:29.171    Disk 0 scanning C:\WINDOWS\system32\drivers
14:39:38.625    Service scanning
14:39:39.765    Disk 0 trace - called modules:
14:39:39.781    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a4d5ecc]<<
14:39:39.781    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a48fab8]
14:39:39.781    3 CLASSPNP.SYS[ba8e8fcf] -> nt!IofCallDriver -> \Device\00000078[0x8a431ac0]
14:39:39.781    5 ACPI.sys[ba77f620] -> nt!IofCallDriver -> [0x8a48f030]
14:39:39.781    [0x8a409748] -> IRP_MJ_CREATE -> 0x8a4d5ecc
14:39:39.781    Scan finished successfully
14:39:47.781    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\64Xdual\My Documents\Downloads\MBR.dat"
14:39:47.781    The log file has been saved successfully to "C:\Documents and Settings\64Xdual\My Documents\Downloads\aswMBR-2.txt"

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6609

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

5/20/2011 2:32:19 PM
mbam-log-2011-05-20 (14-32-19).txt

Scan type: Quick scan
Objects scanned: 239703
Time elapsed: 7 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\64Xdual\2gweorjqjutp92vjy9gake (Malware.Trace) -> Quarantined and deleted successfully.

I don't surf porn or hacker sites. Primarily I read the news and real estate related material. This machine has been running more or less virus free since 2006.
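As an added example (not part of the original thread, and not code from Avast or any of the tools used here), the following Python script reads aswMBR output like the log above and flags the indicators that later turned out to matter: the unrecognised MBR code, the missing BIOS signature, the disk driver call chain ending in an >>UNKNOWN<< module, and the IRP_MJ_CREATE dispatch pointer that lands at that same unknown address. The sample log embedded in it is a constructed excerpt of the aswMBR output posted above; the severity labels and the correlation rule are my own triage heuristics, not aswMBR's verdicts. A hit is a reason to get a second opinion from a dedicated anti-rootkit tool (in this thread, TDSSKiller), not proof of infection on its own, since non-Windows boot managers also produce "unknown MBR code".

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed excerpt of the aswMBR log posted in this thread, cut down to the
# lines the triage logic inspects (raw strings because of the backslashes).
SAMPLE_LOG = [
    r"14:39:29.171    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000032",
    r"14:39:29.171    Disk 0 MBR read error 0",
    r"14:39:29.171    Disk 0 MBR scan",
    r"14:39:29.171    Disk 0 unknown MBR code",
    r"14:39:29.171    MBR BIOS signature not found 0",
    r"14:39:39.765    Disk 0 trace - called modules:",
    r"14:39:39.781    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a4d5ecc]<<",
    r"14:39:39.781    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a48fab8]",
    r"14:39:39.781    3 CLASSPNP.SYS[ba8e8fcf] -> nt!IofCallDriver -> \Device\00000078[0x8a431ac0]",
    r"14:39:39.781    5 ACPI.sys[ba77f620] -> nt!IofCallDriver -> [0x8a48f030]",
    r"14:39:39.781    [0x8a409748] -> IRP_MJ_CREATE -> 0x8a4d5ecc",
    r"14:39:39.781    Scan finished successfully",
]

# Every aswMBR line starts with an HH:MM:SS.mmm timestamp; anything else is noise.
TIMESTAMP = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+(?P<msg>.*)$")
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")
IRP_DISPATCH = re.compile(r"-> (?P<irp>IRP_MJ_\w+) -> (?P<addr>0x[0-9a-fA-F]+)$")
MBR_CODE = re.compile(r"^Disk (?P<disk>\d+) unknown MBR code$")
MBR_SIG = re.compile(r"^MBR BIOS signature not found")


@dataclass(frozen=True)
class Finding:
    severity: str  # "suspicious" (needs a second opinion) or "high" (hook shape)
    message: str


def strip_timestamp(line: str) -> Optional[str]:
    """Return the message part of an aswMBR line, or None if it is not one."""
    m = TIMESTAMP.match(line.rstrip())
    return m.group("msg") if m else None


def triage(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    unknown_addrs = set()                      # addresses reported as >>UNKNOWN<<
    irp_targets: List[Tuple[str, str]] = []    # (IRP major function, target address)
    for raw in lines:
        msg = strip_timestamp(raw)
        if msg is None:
            continue
        if (m := MBR_CODE.match(msg)):
            findings.append(Finding("suspicious",
                f"disk {m['disk']}: MBR boot code not recognised by aswMBR (non-Windows boot managers cause this too)"))
        elif MBR_SIG.match(msg):
            findings.append(Finding("suspicious", "aswMBR could not identify the MBR's BIOS signature"))
        elif (m := UNKNOWN_MODULE.search(msg)):
            addr = m["addr"].lower()
            unknown_addrs.add(addr)
            findings.append(Finding("suspicious", f"disk driver call chain ends in an unknown module at {addr}"))
        elif (m := IRP_DISPATCH.search(msg)):
            irp_targets.append((m["irp"], m["addr"].lower()))
    # Correlation rule (mine, not aswMBR's): an IRP dispatch pointer that lands
    # in the unknown module is the shape of a hooked disk device object, which
    # is consistent with how TDL3-style rootkits filter disk I/O to hide themselves.
    for irp, addr in irp_targets:
        if addr in unknown_addrs:
            findings.append(Finding("high",
                f"{irp} dispatch for the disk device points into the unknown module at {addr}: probable kernel-mode hook"))
    return findings


def report(findings: List[Finding]) -> str:
    if not findings:
        return "no MBR or disk-stack indicators found"
    return "\n".join(f"[{f.severity}] {f.message}" for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it against a saved aswMBR log with `triage(open("aswMBR.txt").read().splitlines())`; an IRP dispatch address that is not also reported as UNKNOWN is deliberately not flagged, because aswMBR prints dispatch targets for clean stacks as well.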
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: Coastal-Delaware on May 20, 2011, 09:13:54 PM
My log file was so long for OTS I had to break it into two attachments.

Attachment 1
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: Coastal-Delaware on May 20, 2011, 09:16:14 PM
Attachment 2

The machine has two physical internal hard drives and one external drive.

Please excuse the long list of firefox profiles. I build websites and have a different profile for each site.
local host is full of bad sites that probably have something to do with the redirects.

Thank you!
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: essexboy on May 20, 2011, 09:23:47 PM
Hi, first a question: did you create this task to run daily?
C:\WINDOWS\tasks\rptp.job

If you did not, I will add that to the fix I am creating. Also, I would recommend uninstalling two of the three antiviruses you have installed.

I will await your reply before I create the fix
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: DavidR on May 20, 2011, 09:25:19 PM
Well, having multiple scanners installed isn't going to help, as they will conflict with each other, which could leave you less well protected rather than better. Even if you disable their resident protection the low-level drivers will be present.

The only way this could work would be by uninstalling an AV before installing the next, but even then there are possibilities of remnants after an uninstall. So you haven't been doing yourself any favours; on-line scanners are an option for a backup second-opinion type scan. All but avast should be uninstalled (MBAM is fine, it isn't an AV).

One of the biggest problems is down to the number of legit sites which can get hacked. The avast web shield is very hot on these, but if you have multiple AVs also checking what avast is, a conflict could let something through.

Title: Re: Threat has been detected - Malicious URL Blocked
Post by: Coastal-Delaware on May 20, 2011, 09:54:35 PM
Deleted AVG, Spybot and Avira AntiVir and restarted the machine. All that remains is Avast and MBAM.

Avast is going nuts with "A threat has been detected" every minute and a half.

I did not set C:\WINDOWS\tasks\rptp.job to run daily. I'm not sure what it is.

What is my next step?

Thank you!
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: DavidR on May 20, 2011, 09:59:26 PM
That has to be to answer essexboy's question, which is what he is waiting for, so he can compile the script to fix what has been found.
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: essexboy on May 20, 2011, 10:01:14 PM
If you do find it is a job that you created you will have to recreate it, but I feel it is bad.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  vpreekim.sys -> C:\WINDOWS\System32\drivers\vpreekim.sys
NY ->  rptp.job -> C:\WINDOWS\tasks\rptp.job
NY ->  Elaheqimezo.bin -> C:\WINDOWS\Elaheqimezo.bin
NY ->  8ovx0wkt11gr8lvac32b080q -> C:\Documents and Settings\All Users\Application Data\8ovx0wkt11gr8lvac32b080q
NY ->  8ovx0wkt11gr8lvac32b080q -> C:\Documents and Settings\64Xdual\Local Settings\Application Data\8ovx0wkt11gr8lvac32b080q
NY ->  ~16637732r -> C:\Documents and Settings\All Users\Application Data\~16637732r
NY ->  ~16637732 -> C:\Documents and Settings\All Users\Application Data\~16637732
NY ->  16637732 -> C:\Documents and Settings\All Users\Application Data\16637732
NY ->  Tvanexizo.dat -> C:\WINDOWS\Tvanexizo.dat
[Files - No Company Name]
NY ->  vpreekim.sys -> C:\WINDOWS\System32\drivers\vpreekim.sys
NY ->  ~16637732r -> C:\Documents and Settings\All Users\Application Data\~16637732r
NY ->  ~16637732 -> C:\Documents and Settings\All Users\Application Data\~16637732
NY ->  16637732 -> C:\Documents and Settings\All Users\Application Data\16637732
NY ->  8ovx0wkt11gr8lvac32b080q -> C:\Documents and Settings\All Users\Application Data\8ovx0wkt11gr8lvac32b080q
NY ->  8ovx0wkt11gr8lvac32b080q -> C:\Documents and Settings\64Xdual\Local Settings\Application Data\8ovx0wkt11gr8lvac32b080q
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Title: Re: Threat has been detected - Malicious URL Blocked
Post by: Coastal-Delaware on May 20, 2011, 10:14:55 PM
User: Administrator
 
User: administrator.PENINSULA
 
User: All Users
 
User: Default User
 
User: Kelly West
->Flash cache emptied: 0 bytes
 
User: LocalService
 
User: martin
->Flash cache emptied: 0 bytes
 
User: mike
->Flash cache emptied: 0 bytes
 
User: NetworkService
 
User: tony
->Flash cache emptied: 0 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 05202011_160725

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_left_anchor_bubble_bot[8352].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_left_anchor_bubble_top[8353].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_no_anchor_bubble_bot[8357].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_no_anchor_bubble_top[8358].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_right_anchor_bubble_bot[8360].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_right_anchor_bubble_top[8362].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_left_anchor_bubble_bot[8393].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_left_anchor_bubble_top[8395].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_no_anchor_bubble_bot[8396].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_no_anchor_bubble_top[8398].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_right_anchor_bubble_bot[8401].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_right_anchor_bubble_top[8404].png not found!
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: essexboy on May 20, 2011, 10:17:54 PM
Are the alerts still coming ?

Could you attach the entire report please, as the main part I need to see is the file deletions at the top.
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: Coastal-Delaware on May 20, 2011, 10:20:41 PM
Sorry about that, Here's all of it.

Yes, still receiving the "Threat has been Detected" alerts.

All Processes Killed
[Files/Folders - Modified Within 30 Days]
File C:\WINDOWS\System32\drivers\vpreekim.sys not found!
C:\WINDOWS\tasks\rptp.job moved successfully.
C:\WINDOWS\Elaheqimezo.bin moved successfully.
C:\Documents and Settings\All Users\Application Data\8ovx0wkt11gr8lvac32b080q moved successfully.
C:\Documents and Settings\64Xdual\Local Settings\Application Data\8ovx0wkt11gr8lvac32b080q moved successfully.
C:\Documents and Settings\All Users\Application Data\~16637732r moved successfully.
C:\Documents and Settings\All Users\Application Data\~16637732 moved successfully.
C:\Documents and Settings\All Users\Application Data\16637732 moved successfully.
C:\WINDOWS\Tvanexizo.dat moved successfully.
[Files - No Company Name]
File C:\WINDOWS\System32\drivers\vpreekim.sys not found!
File C:\Documents and Settings\All Users\Application Data\~16637732r not found!
File C:\Documents and Settings\All Users\Application Data\~16637732 not found!
File C:\Documents and Settings\All Users\Application Data\16637732 not found!
File C:\Documents and Settings\All Users\Application Data\8ovx0wkt11gr8lvac32b080q not found!
File C:\Documents and Settings\64Xdual\Local Settings\Application Data\8ovx0wkt11gr8lvac32b080q not found!
[Empty Temp Folders]
 
 
User: 64Xdual
->Temp folder emptied: 813388 bytes
->Temporary Internet Files folder emptied: 33602 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 2284567576 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Opera cache emptied: 129228319 bytes
->Flash cache emptied: 3703 bytes
 
User: Administrator
->Temp folder emptied: 823 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: administrator.PENINSULA
->Temp folder emptied: 61 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 2637339 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Kelly West
->Temp folder emptied: 5041136 bytes
->Temporary Internet Files folder emptied: 71915238 bytes
->Java cache emptied: 286971 bytes
->FireFox cache emptied: 20505813 bytes
->Flash cache emptied: 11478 bytes
 
User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: martin
->Temp folder emptied: 67091 bytes
->Temporary Internet Files folder emptied: 10936431 bytes
->Java cache emptied: 392822 bytes
->FireFox cache emptied: 16255099 bytes
->Flash cache emptied: 1020 bytes
 
User: mike
->Temp folder emptied: 12755720 bytes
->Temporary Internet Files folder emptied: 9862313 bytes
->Java cache emptied: 3187771 bytes
->FireFox cache emptied: 62255637 bytes
->Apple Safari cache emptied: 4882432 bytes
->Flash cache emptied: 6935 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: tony
->Temp folder emptied: 699 bytes
->Temporary Internet Files folder emptied: 254830 bytes
->Java cache emptied: 123079 bytes
->FireFox cache emptied: 8393212 bytes
->Flash cache emptied: 348 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 3261509 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 705618 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 7200 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 196446 bytes
RecycleBin emptied: 17656261 bytes
 
Total Files Cleaned = 2,543.00 mb
 
 
[EMPTYFLASH]
 
User: 64Xdual
->Flash cache emptied: 0 bytes
 
User: Administrator
 
User: administrator.PENINSULA
 
User: All Users
 
User: Default User
 
User: Kelly West
->Flash cache emptied: 0 bytes
 
User: LocalService
 
User: martin
->Flash cache emptied: 0 bytes
 
User: mike
->Flash cache emptied: 0 bytes
 
User: NetworkService
 
User: tony
->Flash cache emptied: 0 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 05202011_160725

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_left_anchor_bubble_bot[8352].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_left_anchor_bubble_top[8353].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_no_anchor_bubble_bot[8357].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_no_anchor_bubble_top[8358].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_right_anchor_bubble_bot[8360].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_right_anchor_bubble_top[8362].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_left_anchor_bubble_bot[8393].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_left_anchor_bubble_top[8395].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_no_anchor_bubble_bot[8396].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_no_anchor_bubble_top[8398].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_right_anchor_bubble_bot[8401].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_right_anchor_bubble_top[8404].png not found!
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: essexboy on May 20, 2011, 10:22:32 PM
OK, it is not seeing the .sys file to delete.

Download ComboFix from one of these locations:

Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/whatnext.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: Coastal-Delaware on May 20, 2011, 11:38:10 PM
Wow, that took a long time.

First trial it found a rootkit and rebooted.

Here's the log file: See Attached
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: essexboy on May 20, 2011, 11:47:21 PM
Still more going on though

On completion of this ComboFix run (it should be faster this time) rerun aswMBR please.

1. Please open Notepad
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
KillAll::

File::
c:\windows\System32\drivers\jbpii.sys

Driver::
sphnn


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)


6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: Coastal-Delaware on May 21, 2011, 12:43:41 AM
Both scans attached.

Thank you Thank you Thank You for taking the time to help with this.
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: SafeSurf on May 21, 2011, 10:42:11 AM
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
When Essexboy is done with you, we need to have you update your machine to SP3 and IE8 as well as check your other software since this puts you at great risk for getting malware.  We will let Essexboy finish his malware removal first.

@ Essexboy,  Nice job on that Combofix.  ;)
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: essexboy on May 21, 2011, 04:58:09 PM
Not overly happy about the MBR. What is the make of your computer, i.e. Dell, HP etc.?

Also what are your current problems ?

CF does the work - I just tell it what to do  ;D
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: Coastal-Delaware on May 21, 2011, 08:48:12 PM
I built the computer many years ago.
Gigabyte Motherboard.
AMD Athlon 62 Dual Core Processor 3800
Two SATA drives
3GB RAM

She was a really fast machine 6 years ago....

Not experiencing any problems now but Combofix is still detecting a rootkit every time it runs.

I turned it off yesterday when you logged off.

I don't use IE at all unless I'm making sure a website looks ok in older versions. I'm primarily a Firefox/Opera/Safari user.

If I can't get rid of the rootkit I may just wipe the drive & switch to Ubuntu

Please let me know if there is more I should do.
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: essexboy on May 21, 2011, 08:49:13 PM
Yep, let's get a second opinion on the MBR.

Please read carefully and follow these steps. 
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: Coastal-Delaware on May 21, 2011, 09:06:10 PM
Found rootkit.win32.tdss.tdl3 and cured it.
Computer rebooted.

logs attached. Too big to post.

Am I clean now?

 
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: essexboy on May 22, 2011, 12:11:50 AM
I thought so, it was a TDL3 not TDL4.

What are your current problems ?
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: Coastal-Delaware on May 22, 2011, 01:09:41 PM
I don't think I have any remaining problems.

TDSSKiller got rid of the rootkit. Avast is no longer notifying me of blocked URLs, ComboFix auto-updated itself and I ran one more ComboFix scan and it found no more rootkit.

I guess I'm clean again?

Who are you saints who have so much free time to help so many people out? All I can say is thank you thank you thank you and if you have a paypal account I'm happy to send a little love your way.

One last question. How much do I have to worry that some hacker may have found all my usernames and passwords? Should I go and change them all?
Title: Re: Threat has been detected - Malicious URL Blocked
Post by: essexboy on May 22, 2011, 01:47:37 PM
Quote
How much do I have to worry that some hacker may have found all my usernames and passwords? Should I go and change them all?
I feel it is always prudent to do that after an infection, no matter how minor. I am always up for a drink ;D I do have a PayPal link at G2G in my sig there.

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:


Click Start > Run and copy/paste the following bolded text into the Run box and click OK: N.b. If used

ComboFix /Uninstall

Run OTS and hit the cleanup button.  It will remove all the programmes we have used plus itself. 

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

(http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif)   Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
 
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).  Update and run weekly to keep your system clean

Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe  :wave: