Avast WEBforum

Other => Viruses and worms => Topic started by: sannjay kumar on May 08, 2012, 09:30:13 PM

Title: malicious url blocked pop-up. plz help
Post by: sannjay kumar on May 08, 2012, 09:30:13 PM
Hi, friends. I am new to the Avast forum. Please help me get rid of a problem.
Nowadays Avast shows a "malicious url blocked" message while using Chrome; no such message in Internet Explorer.
The message comes every 10-15 seconds, and especially when I click on any webpage. In the message, every time this site "http://www.footprintsit.com/search/antic..." is blocked, though I did not open this site.
I installed Malwarebytes' Anti-Malware, scanned and deleted malware, but the problem continues. Even Malwarebytes' Anti-Malware shows the message "Malwarebytes Antivirus Successfully blocked access to a potentially malicious website: "
How do I stop this annoying thing? Please help.
Title: Re: malicious url blocked pop-up. plz help
Post by: Pondus on May 08, 2012, 09:47:12 PM
Follow this guide and attach (not copy and paste) the Malwarebytes log that shows what was removed / OTL and aswMBR logs
http://forum.avast.com/index.php?topic=53253.0
Title: Re: malicious url blocked pop-up. plz help
Post by: sannjay kumar on May 08, 2012, 11:14:11 PM
How do I attach logs? While replying there is no attach file option or "Additional options".
Title: Re: malicious url blocked pop-up. plz help
Post by: Pondus on May 08, 2012, 11:17:43 PM
The attach option is just below the box you write the text in

"attachment and other options"
Title: Re: malicious url blocked pop-up. plz help
Post by: sannjay kumar on May 09, 2012, 12:08:01 AM
I attached logs.
Title: Re: malicious url blocked pop-up. plz help
Post by: REDACTED on May 09, 2012, 09:19:33 AM
HOSTS File is bad - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: 127.0.0.1   ххх.007guard.com
O1 - Hosts: 127.0.0.1   007guard.com
O1 - Hosts: 127.0.0.1   008i.com
O1 - Hosts: 127.0.0.1   ххх.008k.com
and so on.

and Alternate Data Streams problems.

Windows XP Professional Edition Service Pack 2  :( ...need SP3 and all the patches.

Very similar to Kido

[2011/06/11 09:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2011/06/11 09:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job

Install Microsoft patches MS08-067, MS08-068, MS09-001 (on these pages you will have to select which operating system is installed on the infected PC, download corresponding patch and install it).

Title: Re: malicious url blocked pop-up. plz help
Post by: sannjay kumar on May 09, 2012, 01:19:16 PM
I downloaded MS08-067, MS08-068, MS09-001 but did not install them yet, but now the Avast pop-up "malicious url blocked" is not coming. Do I install them?
Title: Re: malicious url blocked pop-up. plz help
Post by: REDACTED on May 09, 2012, 01:23:14 PM
Quote
I downloaded MS08-067, MS08-068, MS09-001 but did not install them yet, but now the Avast pop-up "malicious url blocked" is not coming. Do I install them?

In any case, you need to install SP3 and all latest patches.

And wait for the professionals, they will help you clean up your computer from unnecessary.
Title: Re: malicious url blocked pop-up. plz help
Post by: jeffce on May 09, 2012, 03:16:39 PM
Hi,

Let me look these over and I will return as quickly as I can.  :)
Title: Re: malicious url blocked pop-up. plz help
Post by: jeffce on May 09, 2012, 03:29:32 PM
Hi,

Download CKScanner by askey127 from Here (http://downloads.malwareremoval.com/CKScanner.exe) & save it to your Desktop.
----------
Title: Re: malicious url blocked pop-up. plz help
Post by: sannjay kumar on May 09, 2012, 10:30:13 PM
CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\corel\corel graphics 11\custom data\bumpmap\cracks.cpt
c:\program files\corel\corel graphics 11\custom data\canvas\cracks2c.pcx
c:\program files\corel\corel graphics 11\custom data\tiles\cracks2m.cpt
c:\program files\spiderman 2 cracked\system\game0.ini
c:\program files\spiderman 2 cracked\system\game1.ini
c:\program files\spiderman 2 cracked\system\game2.ini
c:\program files\spiderman 2 cracked\system\running.ini
c:\windows\crackpdf.ini
scanner sequence 3.DD.11.VLAPWG
 ----- EOF -----
Title: Re: malicious url blocked pop-up. plz help
Post by: sannjay kumar on May 10, 2012, 10:49:17 AM
Problem still exists, please help.
Title: Re: malicious url blocked pop-up. plz help
Post by: Pondus on May 10, 2012, 10:55:37 AM
Quote
Problem still exists, please help.

Be patient...... jeffce can't be online 24 hours......he also has work.  ;)
Title: Re: malicious url blocked pop-up. plz help
Post by: jeffce on May 10, 2012, 01:33:17 PM
Hi,

Sorry for the delay....I had to work a double shift and didn't get home until late last night. 
-------------

P2P - I see you have P2P software BitTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation.  This page (http://malwareremoval.com/p2pindex.php) will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.
----------

Please download and run ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
Code:
:Services

:OTL
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\fimeve.exe -- (peaa5j0yhvna)
DRV - File not found [Kernel | Auto | Stopped] -- C:\DOCUME~1\User\LOCALS~1\Temp\kphaecetqxbm.sys -- (xbjonpfmky)
DRV - File not found [Kernel | Auto | Stopped] -- C:\DOCUME~1\User\LOCALS~1\Temp\tqsnqvcfu.sys -- (tmeyj)
DRV - File not found [Kernel | Auto | Stopped] -- C:\DOCUME~1\User\LOCALS~1\Temp\uvpjce.sys -- (qiezhkssl)
DRV - File not found [Kernel | Auto | Stopped] -- C:\DOCUME~1\User\LOCALS~1\Temp\ajvifj.sys -- (ntisjxdipoy)
DRV - File not found [Kernel | Auto | Stopped] -- C:\DOCUME~1\User\LOCALS~1\Temp\ejbmallkqc.sys -- (kuqiwki)
DRV - File not found [Kernel | Auto | Stopped] -- C:\DOCUME~1\User\LOCALS~1\Temp\ndxcwexrqvssd.sys -- (biqwpzaatejkxp)
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-1078081533-1844237615-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D6 AF 5E A2 23 F6 CB 01  [binary data]
IE - HKU\S-1-5-21-1078081533-1844237615-839522115-1003\..\SearchScopes,DefaultScope = {7F4EFF06-7032-458e-AE16-1C1D8255C28A}
IE - HKU\S-1-5-21-1078081533-1844237615-839522115-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-1078081533-1844237615-839522115-1003\..\SearchScopes\{7D9D7989-3CCD-46C1-AE94-87BFB378C658}: "URL" = http://in.search.yahoo.com/search?p={searchTerms}&fr=chr-spt_gen
IE - HKU\S-1-5-21-1078081533-1844237615-839522115-1003\..\SearchScopes\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}: "URL" = http://home.speedbit.com/search.aspx?aff=106&q={searchTerms}
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKU\S-1-5-21-1078081533-1844237615-839522115-1003..\Run: [IMC] C:\Program Files\FriendFinder\FriendFinder Messenger 4\imc.exe File not found
O33 - MountPoints2\{3900d2bc-62a1-11e1-aa88-00241df35572}\Shell - "" = AutoRun
O33 - MountPoints2\{3900d2bc-62a1-11e1-aa88-00241df35572}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{3900d2bc-62a1-11e1-aa88-00241df35572}\Shell\AutoRun\command - "" = H:\AutoRun.exe
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2012/05/05 03:27:15 | 000,078,848 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/11 09:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At1.job
[2011/06/11 09:00:00 | 000,000,350 | ---- | M] () -- C:\WINDOWS\Tasks\At2.job

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
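A way to triage the two kinds of OTL lines quoted in this thread, the `O1 - Hosts:` entries and the `SRV`/`DRV - File not found` entries, added here as an example that is not part of any post or of OTL itself. The function name `triage`, the finding labels and the `203.0.113.7 update.example.test` line are assumptions made for illustration.

```python
import ipaddress
import re

# Sample in the OTL line format quoted in this thread. The 203.0.113.7 entry
# is constructed for illustration; the other lines appear in the posts above.
SAMPLE = r"""
O1 - Hosts: 127.0.0.1       localhost
O1 - Hosts: 127.0.0.1   008i.com
O1 - Hosts: 203.0.113.7   update.example.test
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\system32\fimeve.exe -- (peaa5j0yhvna)
DRV - File not found [Kernel | Auto | Stopped] -- C:\DOCUME~1\User\LOCALS~1\Temp\uvpjce.sys -- (qiezhkssl)
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
ORPHAN_RE = re.compile(r"^(SRV|DRV) - File not found \[([^\]]*)\] -- (.+?) -- \((.+)\)$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

def triage(log_text):
    """Return (finding, name, detail) tuples for lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = HOSTS_RE.match(line)
        if m:
            addr, name = m.groups()
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append(("hosts-unparsable", name, addr))
                continue
            # Loopback or 0.0.0.0 only sinkholes a name; any other address
            # sends traffic for that name somewhere else.
            if not (ip.is_loopback or ip.is_unspecified):
                findings.append(("hosts-redirect", name, addr))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            _kind, flags, path, service = m.groups()
            start = [f.strip() for f in flags.split("|")]
            if TEMP_RE.search(path):
                # Service or driver registered from a user Temp directory.
                findings.append(("service-in-temp", service, path))
            elif "Auto" in start:
                # Starts at boot but its binary is gone.
                findings.append(("autostart-missing-binary", service, path))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```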
Title: Re: malicious url blocked pop-up. plz help
Post by: sannjay kumar on May 11, 2012, 07:07:27 PM
Thanks jeffce. Yes, I was using BitTorrent; now I have uninstalled it.

I ran OTL.exe, copy-pasted the written code into the Custom Scans/Fixes box and then clicked the Run Fix button at the top. After clicking "Run Fix" the cursor changed into an hourglass. I thought the program was running; I waited for more than 1 hr but nothing happened. I thought the program was not working properly, so I clicked on the OTL window and it was showing "not responding", so I had to restart my computer. I tried two times. Is it normal to take so much time for this process?
Could you tell me approximately how much time it will take?
Title: Re: malicious url blocked pop-up. plz help
Post by: jeffce on May 11, 2012, 07:49:39 PM
Hi,

If you are having problems running in Normal Mode try to do so in Safe Mode.  :)
Title: Re: malicious url blocked pop-up. plz help
Post by: green727 on May 11, 2012, 08:12:06 PM
I'm having the same problem:

Quote
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.11.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Nick :: NICK-LAPTOP [administrator]

Protection: Enabled

5/11/2012 11:28:16 AM
mbam-log-2012-05-11 (11-28-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 210733
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Users\Nick\AppData\Local\Temp\FH\extension.exe (PUP.Soge) -> Quarantined and deleted successfully.

(end)


Avast gives me this when I open Chrome:

Quote
URL:   http://www.website-unavailable.com/?url
Process:   file://C:\Users\Nick\AppData\Local\Google\Chrome\Application\chrome.exe
Infection:   al
Title: Re: malicious url blocked pop-up. plz help
Post by: jeffce on May 11, 2012, 08:15:32 PM
@ Green727

Please start your own topic and we will get to your topic as quickly as we can.  While you are waiting, follow the instructions here >> http://forum.avast.com/index.php?topic=53253.0 and attach the logs to your topic.  :)
Title: Re: malicious url blocked pop-up. plz help
Post by: sannjay kumar on May 11, 2012, 08:36:37 PM
this is the log.
Title: Re: malicious url blocked pop-up. plz help
Post by: jeffce on May 11, 2012, 08:40:04 PM
Ok great!  When you get the new scan with OTL complete please attach that as well.  :)
Title: Re: malicious url blocked pop-up. plz help
Post by: sannjay kumar on May 11, 2012, 09:05:20 PM
2nd
Title: Re: malicious url blocked pop-up. plz help
Post by: jeffce on May 11, 2012, 10:37:07 PM
No....I need you to just run a new scan with OTL.  You just need to open OTL and press the Run Scan button.  :)  Attach the log that is made.
Title: Re: malicious url blocked pop-up. plz help
Post by: sannjay kumar on May 11, 2012, 11:15:44 PM
Tried to "run scan" in both normal and safe mode but nothing is happening.
Even tried to run quick scan but nothing is happening.
 
Title: Re: malicious url blocked pop-up. plz help
Post by: jeffce on May 11, 2012, 11:29:05 PM
Hi,

Ok...

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/RC2-1.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------
Title: Re: malicious url blocked pop-up. plz help
Post by: sannjay kumar on May 12, 2012, 11:58:52 AM
Hi, jeffce. How are you?
I disabled AntiVirus and AntiSpyware applications and ran ComboFix.exe. It tried to download the Microsoft Windows Recovery Console BUT FAILED, but continued the malware removal procedures.
Here is the log.
Title: Re: malicious url blocked pop-up. plz help
Post by: jeffce on May 12, 2012, 10:02:07 PM
Hi,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Code:
:filefind
*sfcfiles.dll

Note: The log can also be found on your Desktop entitled SystemLook.txt
----------
Title: Re: malicious url blocked pop-up. plz help
Post by: sannjay kumar on May 13, 2012, 12:06:15 AM
I will format C:.
Thanks jeffce
Title: Re: malicious url blocked pop-up. plz help
Post by: jeffce on May 13, 2012, 12:14:17 AM
Ok....thanks for letting me know.  :)
Title: Re: malicious url blocked pop-up. plz help
Post by: Lisandro on May 13, 2012, 12:14:22 AM
Quote
I will format C:.