Avast WEBforum

Other => Viruses and worms => Topic started by: buckeyerob39 on May 30, 2012, 05:29:54 PM

Title: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on May 30, 2012, 05:29:54 PM
This happens even with no browser open; the entire message is as follows:
Infection Details
URL:   http://ololoshaface.com/x/
Process:   C:\WINDOWS\System32\svchost.exe
Infection:   URL:Mal
I know this is some kind of Trojan virus, but after scans with avast, Malwarebytes, and a few others it is still there. Sophos had a page describing the virus, but their free scanner doesn't get rid of it either. This thing had my PC only able to boot in safe mode for a while, but somehow it has recovered (Thank God); I am still getting these warnings, though. Thanks for any help anyone can give!
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: Pondus on May 30, 2012, 05:34:11 PM
Attach the logs from the guide I gave you....
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on May 30, 2012, 05:43:23 PM
So sorry, that post has been deleted and I did not have it bookmarked...
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: Pondus on May 30, 2012, 05:47:15 PM
http://forum.avast.com/index.php?topic=53253.0
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on May 30, 2012, 06:15:20 PM
Thanks!
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.30.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Buckeye Rob :: BONE-936665D783 [administrator]

Protection: Disabled

5/30/2012 11:54:07 AM
mbam-log-2012-05-30 (11-54-07).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231847
Time elapsed: 17 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: Pondus on May 30, 2012, 07:06:46 PM
and the rest...... OTL and aswMBR....... attached, not copy and paste

when done a malware remover will be notified
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on May 30, 2012, 08:31:16 PM
Monitoring...  :)
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on May 31, 2012, 05:23:54 PM
The downloading of the OTL caused a crash and sent me back to safe mode. Avast warned me it was a suspicious file (it wanted me to try it in some type of container, cannot remember the name) but I ignored it because I figured coming from here it was safe...
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: Pondus on May 31, 2012, 05:28:35 PM
if avast want to sandbox otl then select run normal
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on May 31, 2012, 05:40:47 PM
I did that is when the crash occurred, is it possible the link has been corrupted?
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on May 31, 2012, 06:08:12 PM
Just tried to run OTL again and the system crashed again, any suggestions?
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on May 31, 2012, 06:24:22 PM
This page describes the virus to a tee : http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~TDLRtk-F/detailed-analysis.aspx
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on May 31, 2012, 06:36:20 PM
Hi,

Please download DDS from one of the following links and save it to your desktop.
-------------------------------------------------------------

Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.

Vista and Windows 7 users right click the icon and choose "Run as administrator".
(http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRscan.png)
----------

In your next reply please post both of the logs created by DDS and the log created by aswMBR.exe.  :)
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on May 31, 2012, 07:55:18 PM
Sorry If I am doing this wrong, I had to attach both because it said my message was too long.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on May 31, 2012, 08:01:36 PM
Here is the other, thanks !
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on May 31, 2012, 08:30:55 PM
Yes...please attach the logs from now on.  I wrote that wrong earlier.  :)
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 02, 2012, 04:04:50 PM
So, should I keep trying to run the OTL even though it makes my PC crash ?
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 02, 2012, 09:43:17 PM
Hi,

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/RC2-1.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 03, 2012, 09:09:06 AM
Here we go...
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 03, 2012, 02:06:52 PM
Hi,

I notice that you have Avast, AVG and PC Cleaner Pro, and it looks like you had CA Antivirus running at the same time as well. Having more than one antivirus program running at the same time can seriously degrade the performance of your system. We will need to later uninstall either Avast or AVG or PC Cleaner Pro (whichever you prefer) using either the provided uninstall feature that is part of the antivirus program or through Add/Remove Programs (Vista and Win 7 users go to Programs and Features in the Control Panel).  As a rule of thumb one should run one firewall, one antivirus program in memory, and one antispyware utility in memory. It's fine to have other security tools available on an as-needed or on-demand basis, but when multiple tools simultaneously perform the same function, you're asking for trouble.

Let me know which one you would like to keep and we will remove the others.
----------

Code:
ClearJavaCache::

DDS::
mStart Page = hxxp://search.searchonme.com/

File::
c:\windows\system32\drivers\kdwijva.sys

Driver::
eltytq
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 04, 2012, 07:50:49 PM
Avast is the only program I was trying to run, I uninstalled AVG long ago and PC pro I uninstalled right after it ran. I even ran an uninstall tool to get rid of AVG, perhaps the system restores I have tried have left shadows of the programs on my PC. This latest program has sent me into safe mode again. Hope it worked, thanks for your help !

Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 04, 2012, 09:26:38 PM
Hi,

Ok let's try and get those antivirus programs knocked out of there...

Please do the following:

Hold down the Windows key and press R to open a run box
type the following text into the run box

appwiz.cpl

This will open your Programs And Features. A list of installed programs will populate

Remove the following programs if they are there:

AVG, PC Cleaner Pro, CA Yahoo! Anti-Spy (remove only)
----------

If AVG is not there (or after you remove it) download and run the tool found here >> http://download.avg.com/filedir/util/support/avg_remover_stf_x86_2011_1322.exe

Run a new scan with ComboFix and attach the new log that is created. 
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 05, 2012, 05:50:54 PM
One question, do I run the new scan by dragging those instructions to it again?
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 05, 2012, 05:59:53 PM
No not this time....just run a normal scan.  :)
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 05, 2012, 08:24:49 PM
The AVG cleaner didn't do the job as CF was still detecting it but I ran it anyways...
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 05, 2012, 09:26:19 PM
Hi,

Code:
ClearJavaCache::

File::
c:\windows\system32\drivers\kdwijva.sys

Folder::
c:\program files\Ask.com

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApnUpdater]

Driver::
eltytq
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 06, 2012, 05:26:21 PM
Hi, here it is...
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 06, 2012, 08:10:55 PM
Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



ESET OnlineScan (http://eset.com/onlinescan)

scanning your computer. Please be patient as this can take some time.
http://www.eset.com/onlinescan/
----------

In your next reply please attach the logs made by Malwarebytes and ESET. 
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 06, 2012, 10:44:18 PM
9 objects found !
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 06, 2012, 10:48:03 PM
Code:
ClearJavaCache::

File::
C:\Documents and Settings\Buckeye Rob\Application Data\Mozilla\Firefox\Profiles\cxcq3xmg.default\extensions\{c74d2683-d76b-40a2-a534-98330284414e}\chrome.manifest
C:\Documents and Settings\Buckeye Rob\My Documents\Driver Genius Professional Edition V9.0.0.180 (Retail) (Fully Updatable) [h33t] [blaze69]\Driver_Genius_9_Professional_US_Full.EXE
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\R3ZNQPQY\imp[4]
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RHGNSJPZ\imp[2]
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\RHGNSJPZ\imp[3]
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

In your next reply attach the new ComboFix log and let me know how your system is running.  :)
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 07, 2012, 03:47:55 AM
Well, it is running pretty good except that I am still in safe mode  :o  Was I maybe not supposed to have unchecked "remove all threats" in that previous scan?
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 07, 2012, 02:08:37 PM
Hi,

So you are not able to boot to Normal Mode at all?  What happens when you try to do so?
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 07, 2012, 05:10:48 PM
When I turn it on, it tries to boot normally then it reboots, then I get a choice of start normally, last good configuration, safe mode, safe with networking, safe with command. Trying the first two does not work...
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 08, 2012, 03:21:31 AM
We may need to do a repair...

Go to Start >> Run >> type CMD and this will open the Command Prompt.

Once open I want you to copy/paste the following into the Command Prompt
chkdsk /r

Once complete try to boot to Normal Mode and let me know what happens. 
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 08, 2012, 07:35:16 AM
Well, first it said it could not perform the function but I could schedule it to be done upon reboot, which I did. The safe mode menu came up and I chose 'last good configuration' and it booted up into regular mode. But I am still getting the pop up messages about ololoshaface... Okay, I'm the dummy and you're the experts, but on the ESET scan which found 9 threats, should I really have not checked the box to remove threats?
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 08, 2012, 01:52:23 PM
Hi,

Just because ESET detects something does not necessarily mean it is specifically bad.  It is better to err on the side of caution in my opinion, but we can remove the other entries.  When you receive that popup could you take a screenshot of it and attach it here too?

Code:
ClearJavaCache::

File::
C:\Program Files\Uniblue\SpeedUpMyPC\Launcher.exe
C:\Program Files\Uniblue\SpeedUpMyPC\sp_move_serial.exe
C:\Program Files\Uniblue\SpeedUpMyPC\sp_track_install.exe
C:\Program Files\Uniblue\SpeedUpMyPC\sump.exe
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 08, 2012, 08:36:52 PM
A Windows pop up came up during the scan saying grep.exe (I think that was the name, should've jotted it down) needed to close. I clicked "do not send" and let it run.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 08, 2012, 09:07:57 PM
Screenshots are too big to attach on here; here is what the two most common ones say:
Infection Details
URL: "http://ololoshaface.com/x/"
Process: "C:\WINDOWS\System32\svchost.exe"
Infection: "URL:Mal"

Infection Details
URL: "http://c2pokerface.com/x/"
Process: "C:\WINDOWS\System32\svchost.exe"
Infection: "URL:Mal"

There are a few others that pop up; they are very similar, but for the most part it is just these two that come up. My PC seems to be booting up normally most of the time now; it has been going back and forth between normal and safe mode for around a month now.
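As an added illustration, not part of the thread, here is a small parser for the Avast "Infection Details" records quoted above. It groups repeated alerts by blocked host and originating process and flags alerts raised by anything other than a browser, which is what makes these alerts point at a system-level infection rather than a bad web page. The sample records are constructed; the third (from firefox.exe) is invented to show the contrast, and the browser list is an assumption.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: alert records in the format quoted in the thread,
# as they would appear if the alert text were saved to a log file.
# The third record is invented to show a browser-originated alert.
SAMPLE_ALERTS = """\
Infection Details
URL: "http://ololoshaface.com/x/"
Process: "C:\\WINDOWS\\System32\\svchost.exe"
Infection: "URL:Mal"

Infection Details
URL: "http://c2pokerface.com/x/"
Process: "C:\\WINDOWS\\System32\\svchost.exe"
Infection: "URL:Mal"

Infection Details
URL: "http://ololoshaface.com/x/"
Process: "C:\\Program Files\\Mozilla Firefox\\firefox.exe"
Infection: "URL:Mal"
"""

# Processes expected to request URLs on a desktop; anything else hitting a
# blocked URL deserves a closer look. Assumed list, not from the thread.
BROWSERS = {"firefox.exe", "iexplore.exe", "chrome.exe", "opera.exe"}

# Matches both the quoted form ('URL: "..."') and the bare form ('URL:   ...')
# that appear in the thread.
FIELD_RE = re.compile(r'^(URL|Process|Infection):\s*"?([^"]*)"?\s*$')


def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Split alert text into records, one per 'Infection Details' header."""
    records: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Infection Details":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip()
    # Drop incomplete records (e.g. a header with no fields after it).
    return [r for r in records if "url" in r and "process" in r]


def process_name(path: str) -> str:
    """Return the lower-cased file name from a Windows process path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hostname(url: str) -> str:
    """Extract the host part of a URL (falls back to the whole string)."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else url


def triage(records: List[Dict[str, str]]) -> Tuple[Counter, List[str]]:
    """Count alerts per (host, process) and list non-browser originators."""
    counts = Counter(
        (hostname(r["url"]), process_name(r["process"])) for r in records
    )
    suspicious = sorted({proc for (_, proc) in counts if proc not in BROWSERS})
    return counts, suspicious


if __name__ == "__main__":
    recs = parse_alerts(SAMPLE_ALERTS)
    counts, suspicious = triage(recs)
    for (host, proc), n in counts.most_common():
        print(f"{n:3d}  {host:<22} {proc}")
    print("non-browser processes contacting blocked URLs:", suspicious)
```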
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 08, 2012, 10:09:51 PM
Hi,

Please delete your copy of OTL and then download a fresh copy to your system.  Once downloaded run a new scan and attach the new log to your reply. 
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 09, 2012, 02:21:54 PM
OTL ran with no crash this time.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 09, 2012, 02:54:06 PM
Hi,

Good job....

Run ERUNT to back up your registry again.
----------


Run OTL.exe
Code:
:Services

:OTL
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] --  -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] --  -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] --  -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] --  -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] --  -- (Changer)
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\..\SearchScopes,DefaultScope = {BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://search.searchonme.com/?l=1&q={searchTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default = 2B 9C 04 02 11 1D E3 4C B3 32 38 C0 9D 2B 5A D9  [binary data]
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}: "URL" = http://search.searchonme.com/?l=1&q={searchTerms}
FF - prefs.js..browser.search.order.1: "SearchOnMe"
[2011/06/11 18:29:32 | 000,000,000 | ---D | M] (XUL Cache) -- C:\Documents and Settings\Buckeye Rob\Application Data\Mozilla\Firefox\Profiles\cxcq3xmg.default\extensions\{c74d2683-d76b-40a2-a534-98330284414e}
[2012/02/08 13:12:58 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No CLSID value found.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 10, 2012, 04:45:24 PM
I had not run ERUNT before nor had I checked those ticks on any earlier scans, I did find ERUNT and run it and also ran the scan but it did not create a log. I was back in safe mode before the scan and am still there.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 10, 2012, 04:48:43 PM
Okay, when I opened up OTL again a log came up.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 10, 2012, 05:06:06 PM
Hi,

Run a new scan with OTL and attach that log.  What about the popups?  Still there?
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 11, 2012, 05:36:25 PM
It is still in safe mode so I do not get the pop ups there. I set the scan for files up to 60 days old because the problem has been going on longer than 30 days, hope that was okay.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 11, 2012, 05:44:43 PM
Yes that is just fine to have set it back 60 days.

Just so you know.... I have seen where the popups you are receiving are in part due to the newer variant of the ZeroAccess rootkit infection....just so you are prepared. 
----------

Please delete the current version of Combofix.exe from your desktop and download a new version from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.

Disable your AntiVirus and AntiSpyware applications.

Right-click and Run as Administrator on the Combofix.exe and follow the prompts on your display. When finished, it will create a C:\Combofix.txt. Please post this log for further review.
---------

Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 11, 2012, 07:30:10 PM
It said I could not run it as administrator in safe mode, but it ran under bone/administrator which was the guy who fixed my PC a long time ago I think. Anyways here it is...
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 11, 2012, 07:55:05 PM
Hi,

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to virustotal, please click  VirusTotal (http://www.virustotal.com)

Browse to the following and press Open  (one at a time if more than one file is listed)

C:\Documents and Settings\NetworkService\Local Settings\Application Data\7c033384

C:\WINDOWS\uninst.exe

Click "Scan It", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 11, 2012, 10:01:50 PM
This is for uninst.exe
VirusBuster    -    20120611
ViRobot    -    20120611
VIPRE    -    20120611
VBA32    -    20120611
TrendMicro-HouseCall    -    20120610
TrendMicro    -    20120611
TotalDefense    -    20120611
TheHacker    -    20120611
Symantec    -    20120611
SUPERAntiSpyware    -    20120609
Sophos    -    20120611
Rising    -    20120611
PCTools    -    20120611
Panda    -    20120611
nProtect    -    20120611
Norman    -    20120611
NOD32    -    20120611
Microsoft    -    20120607
McAfee-GW-Edition    -    20120611
McAfee    -    20120611
Kaspersky    -    20120611
K7AntiVirus    -    20120611
Jiangmin    -    20120611
Ikarus    -    20120611
GData    -    20120611
Fortinet    -    20120611
F-Secure    -    20120611
F-Prot    -    20120611
eSafe    -    20120610
Emsisoft    -    20120611
Comodo    -    20120611
Commtouch    -    20120611
ClamAV    PUA.Win32.Packer.Upx-53    20120611
CAT-QuickHeal    -    20120611
ByteHero    -    20120606
BitDefender    -    20120611
AVG    -    20120611
Avast    -    20120611
Antiy-AVL    -    20120611
AntiVir    -    20120611
AhnLab-V3    -    20120611
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 11, 2012, 10:08:00 PM
I can't seem to find the 1st file; when I go to C:\Documents and Settings it lists users, and no NetworkService is under any of the users listed.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 11, 2012, 10:26:52 PM
Okay I did a search and located it by pasting it in...
AhnLab-V3    -    20120611
AntiVir    -    20120611
Antiy-AVL    -    20120611
Avast    -    20120611
AVG    -    20120611
BitDefender    -    20120611
ByteHero    -    20120606
CAT-QuickHeal    -    20120611
ClamAV    -    20120611
Commtouch    -    20120611
Comodo    -    20120611
DrWeb    -    20120611
Emsisoft    -    20120611
eSafe    -    20120610
F-Prot    -    20120611
F-Secure    -    20120611
Fortinet    -    20120611
GData    -    20120611
Ikarus    -    20120611
Jiangmin    -    20120611
K7AntiVirus    -    20120611
Kaspersky    -    20120611
McAfee    -    20120611
McAfee-GW-Edition    -    20120611
Microsoft    -    20120607
NOD32    -    20120611
Norman    -    20120611
nProtect    -    20120611
Panda    -    20120611
PCTools    -    20120611
Rising    -    20120611
Sophos    -    20120611
SUPERAntiSpyware    -    20120609
Symantec    -    20120611
TheHacker    -    20120611
TotalDefense    -    20120611
TrendMicro    -    20120611
TrendMicro-HouseCall    -    20120610
VBA32    -    20120611
VIPRE    -    20120611
ViRobot    -    20120611
VirusBuster    -    20120611
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 12, 2012, 12:33:18 AM
Hi,

If you are running Malwarebytes 1.6 or better, please disable it for the duration of this run.

To disable Malwarebytes
(http://i1224.photobucket.com/albums/ee380/jeffce74/MBAM16orgreater.jpg)

Once complete continue with the instructions...
----------

Run OTL.exe
Code:
:Services

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,XMLHTTP_UUID_Default =
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll (Yahoo! Inc.)
IE - HKCU\..\SearchScopes,DefaultScope = {95B7759C-8C7F-4BF1-B163-73684A933233}
IE - HKCU\..\SearchScopes\{20D707E3-184A-40FF-970A-572AC9BBB3F1}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=chr-yie8
IE - HKCU\..\SearchScopes\{2A83ED6A-969D-4EFB-A5CE-86F9951A1F8B}: "URL" = http://rover.ebay.com/rover/1/711-43047-14818-1/4?satitle={searchTerms}
IE - HKCU\..\SearchScopes\{76E33316-A026-460E-A91F-EBB95A48D756}: "URL" = http://delicious.com/search?p={searchTerms}
IE - HKCU\..\SearchScopes\{794742FF-B1C3-4C08-9F7F-16093638A64B}: "URL" = http://www.flickr.com/search/?q={searchTerms}
IE - HKCU\..\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}: "URL" = http://isearch.avg.com/search?cid={46EC57AA-F3B4-4081-B60D-CC8C759BD140}&mid=5307ee3871ac47d1be38d1a90ba6db9f-8b144253687c63810fde9e6294ffe190b626129b&lang=en&ds=AVG&pr=fr&d=2012-01-15 11:29:04&v=10.0.0.7&sap=dsp&q={searchTerms}
IE - HKCU\..\SearchScopes\{D0FBA784-AAD4-45E4-9E70-E1302A6CC681}: "URL" = http://search.yahoo.com/search?p={searchTerms}&fr=chr-tyc8
FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.defaulturl: "http://in.search.yahoo.com/search?fr=ffsp1&p="
FF - prefs.js..browser.search.order.1: ""
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://us.mg.mail.yahoo.com/neo/launch"
FF - prefs.js..extensions.enabledItems: {c74d2683-d76b-40a2-a534-98330284414e}:1.0
FF - prefs.js..extensions.enabledItems: avg@toolbar:10.0.0.7
FF - prefs.js..keyword.URL: "http://isearch.avg.com/search?cid=%7B80ba599f-43f5-475d-8175-fa7c87727350%7D&mid=5307ee3871ac47d1be38d1a90ba6db9f-8b144253687c63810fde9e6294ffe190b626129b&ds=AVG&v=10.2.0.3&lang=en&pr=fr&d=2012-01-15%2011%3A29%3A04&sap=ku&q="
[2012/03/21 10:35:52 | 000,000,464 | ---- | M] () -- C:\Documents and Settings\Buckeye Rob\Application Data\Mozilla\Firefox\Profiles\cxcq3xmg.default\searchplugins\SearchOnMe.xml

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 12, 2012, 04:54:50 PM
Okay.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 12, 2012, 06:33:07 PM
Hi,

Are you able to boot to Normal Mode?  If so, are there still popups? 
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 12, 2012, 06:37:01 PM
Actually right before the scan it booted to normal mode and it is still doing so. But the pop ups are still there.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 12, 2012, 06:40:48 PM
Sorry if I asked this already but are you using a router?
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 12, 2012, 06:45:47 PM
I am but this computer has the direct line from it.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 12, 2012, 07:01:21 PM
What browsers are the popups occurring in?
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 12, 2012, 07:13:35 PM
They can occur with no browser open and usually do on start up. I use firefox almost exclusively.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 12, 2012, 07:30:24 PM
Ok....thanks.

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 12, 2012, 10:22:18 PM
It ran for 4 hours and the PC seemed to be locked up; the log said very little. When I rebooted it went back into safe mode. I ran it again and it only took a few seconds.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 12, 2012, 10:25:25 PM
Here is the 1st log in case it is relevant.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 13, 2012, 04:47:24 PM
Hi,

Please do the following:

Hold down the Windows key and press R to open a run box
type the following text into the run box

appwiz.cpl

This will open your Programs And Features. A list of installed programs will populate and I want you to look and see what versions of Internet Explorer you have still installed on your system.  Don't remove any...just let me know what you see.  :)
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 13, 2012, 05:10:19 PM
Okay that opened my add or remove programs and all I saw was Windows Internet Explorer 8.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 13, 2012, 05:12:56 PM
Is Internet Explorer what you would normally use for your browser or do you use others?
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 13, 2012, 05:36:36 PM
I use firefox most of the time.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 13, 2012, 05:43:00 PM
Ok...go ahead and uninstall Internet Explorer and then download and install a fresh copy from here http://windows.microsoft.com/en-US/internet-explorer/downloads/ie   

Once you get that completed run a new scan with OTL, attach the log that is created and let me know how your system is behaving. 
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 13, 2012, 07:13:10 PM
When I clicked on IE to remove it there was no remove button like a normal program. I clicked on Add/Remove Windows Components and it was listed there, so I unchecked all the others and ran it, but it did not remove it. It sent me back into safe mode. When I clicked on your link to reinstall, it said that the old version could not be removed and neither could the one I was about to install. I reinstalled anyway and when I rebooted it went back to normal mode.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 13, 2012, 07:43:26 PM
OK
Uninstall FireFox and download a fresh copy.

http://www.mozilla.com/firefox/
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 13, 2012, 07:53:02 PM
okay done!
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 13, 2012, 08:03:57 PM
How is your system acting?  Any more popups?
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 13, 2012, 08:08:04 PM
Pop ups are still here, everything else seems fine though.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 13, 2012, 08:11:20 PM
>:(   Do you have a screenshot of one that has popped up recently?
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 14, 2012, 05:37:27 AM
Exactly as they have always been: ololoshaface and c2pokerface.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 14, 2012, 01:37:46 PM
Hi,

Run new scans with TDSSKiller and aswMBR.exe please and attach the logs created. 
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 14, 2012, 05:17:46 PM
Okay here they are and I think the pop ups are gone ! Thanks so much for all the help so far, hopefully this nightmare is over lol
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: DavidR on June 14, 2012, 05:22:04 PM
Whilst I'm no malware removal specialist, the TDSSKiller log reports finding 2 detected objects and needs to reboot to cure one of them.

So if you haven't rebooted already then you should do so.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 14, 2012, 05:26:06 PM
I rebooted before I posted here, thanks !
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: DavidR on June 14, 2012, 05:31:11 PM
OK, hopefully Jeff will be back on the scene soon to confirm/advice if anything else is required.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 14, 2012, 07:18:45 PM
Thanks David!  :)

Ok...could you run TDSSKiller once again and attach the new log please.  :)
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 14, 2012, 10:06:36 PM
The default action was to skip on the locked file sptd, which I left alone on both scans.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 14, 2012, 10:11:28 PM
Ok that looks good.  The file that you skipped is related to a CD Emulator program.  How is your system behaving now?  :)
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 14, 2012, 10:21:34 PM
seems to be fine, haven't done much on it yet; been watching the golf. But no problems so far...
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 14, 2012, 10:24:20 PM
Ok great!  Run a new scan with aswMBR and attach that.

If it looks clean, we should let it run for a day or so and see how it acts.  If everything is ok I will clean up our tools and you will be good to go.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 15, 2012, 04:38:21 PM
Okay, still no problems so far...
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 15, 2012, 07:55:34 PM
Ok there is still an Unknown popping up in aswMBR.

Run a new scan with TDSSKiller and attach the log but don't remove anything at all.  I just want to see what is there. 
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 15, 2012, 10:17:44 PM
ok
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: jeffce on June 16, 2012, 04:03:55 AM
Still running well?  :)
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 16, 2012, 04:10:28 PM
Seems to be fine, been working a lot so I've only spent a few minutes on it, but no pop ups and seems to be fast...
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on June 22, 2012, 08:20:36 PM
Have now spent a good 10-12 hours on it, no problems at all...Thank you so much !
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on July 10, 2012, 06:09:41 PM
Still doing fine, thanks again; you mentioned doing some clean up when we were done?
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: DavidR on July 10, 2012, 07:34:55 PM
It may be that the topic has dropped off Jeff's notify reminders whilst he was on holiday/moving home.

Hopefully he can get on it soon (nothing critical though since your system is OK).
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: essexboy on July 10, 2012, 07:37:44 PM
I will pinch the glory  ;D ;D ;D

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so.. The following will implement some cleanup procedures as well as reset System Restore points:

Remove ComboFix

Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes (http://www.malwarebytes.org/mbam-download.php).

Update and run weekly to keep your system clean.

Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly. It will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)

Keep safe  :wave:
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: DavidR on July 10, 2012, 07:45:01 PM
Ha, I was just about to post a link to your usual clean-up routine ;D
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on July 12, 2012, 04:00:15 PM
Okay, did all that but OTL, softonic, tdss and goored are still here...
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: essexboy on July 12, 2012, 04:09:33 PM
Did you do the following:

Quote
Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself.
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on July 12, 2012, 04:17:16 PM
Yes sir !
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: essexboy on July 12, 2012, 04:29:03 PM
Thanks, I will pass that back to OT and see if he knows why.  We will use this tool which self-deletes.  Let me know if that kills it.

Title: Re: Malicious URL Blocked msg every 30 sec
Post by: buckeyerob39 on July 18, 2012, 05:17:22 PM
Okay, I went to run OTL again and it was gone, the shortcut was all that was left; same for the others except for TDSSKiller. That one is still there but I reckon I can just search for it and delete it that way. I appreciate all the help, you guys rule !
Title: Re: Malicious URL Blocked msg every 30 sec
Post by: essexboy on July 18, 2012, 05:19:29 PM
My pleasure - keep safe