Topic: Malicious URL Blocked Issue (same as problem in davidle thread)


dobber82

  • Guest
Hello,

Any help you guys could give me would be greatly appreciated.

I am experiencing the very same problem as outlined in another recent thread called "Topic: URL:Mal" by davidle. Every single web page I visit gives me a malicious URL warning, and even clicking for more information from the Avast warning results in a further malicious URL warning.

I posted there earlier today but am now creating my own thread as advised by davidle and DavidR (a lot of Davids on here, as I am also David).

Anyway, I have followed DavidR's recommendations and read through the "Logs to assist in cleaning malware" thread by Essexboy (http://forum.avast.com/index.php?topic=53253.0)

I installed and ran MBAM as per the thread instructions and am pasting below the log that resulted after it found and deleted 20 malware problems.


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.26.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
O'Byrne :: OBYRNE-PC [administrator]

6/26/2012 1:41:30 PM
mbam-log-2012-06-26 (13-41-30).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 213506
Time elapsed: 11 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 15
HKCR\CLSID\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\TypeLib\{BB7256DD-EBA9-480B-8441-A00388C2BEC3} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\Interface\{3D782BB2-F2A5-11D3-BF4C-000000000000} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncherBHO.1 (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncherBHO (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\CLSID\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncher.1 (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCR\MyNewsBarLauncher.IE5BarLauncher (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Quarantined and deleted successfully.

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Data: VShareTB -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://startsear.ch/?aff=1&cf=4d9af31e-4518-11e1-8270-b870f4deedfc) Good: (http://www.google.com) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Program Files (x86)\StartSearch plugin\BarLcher.dll (PUP.VShareRedir) -> Quarantined and deleted successfully.
C:\Users\O'Byrne\Downloads\SetupPoker.exe_2dbcf3.exe (PUP.Casino) -> Quarantined and deleted successfully.

(end)
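An added example, not part of this thread and not Malwarebytes' own tooling: a small Python parser for the MBAM log format pasted above. It turns each detection line into a record, tallies threat families, pulls the Bad/Good URL pair out of a Hijack.StartPage entry, and checks that each section's declared count matches the number of lines actually pasted (a mismatch usually means a truncated or hand-edited paste). The embedded sample log is a constructed, abbreviated excerpt of the log above, and the function and field names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed, abbreviated excerpt in the format of the MBAM 1.6x log above.
SAMPLE_MBAM_LOG = r"""
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Registry Keys Detected: 2
HKCR\CLSID\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar|{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) -> Data: VShareTB -> Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (Hijack.StartPage) -> Bad: (http://startsear.ch/?aff=1&cf=4d9af31e-4518-11e1-8270-b870f4deedfc) Good: (http://www.google.com) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Program Files (x86)\StartSearch plugin\BarLcher.dll (PUP.VShareRedir) -> Quarantined and deleted successfully.
C:\Users\O'Byrne\Downloads\SetupPoker.exe_2dbcf3.exe (PUP.Casino) -> Quarantined and deleted successfully.

(end)
"""

# Section header, e.g. "Registry Keys Detected: 15"
HEADER_RE = re.compile(r"^(?P<category>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Detection line: <item> (<threat>) -> [Data: ... ->] <action>
# The lazy item match steps past "(x86)" in paths because the threat
# parenthesis must be followed by " -> ".
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()\s]+)\) -> (?P<rest>.+)$")
# Hijack.* entries record the value MBAM found and the value it restored
HIJACK_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")


@dataclass
class Detection:
    category: str
    item: str
    threat: str
    action: str
    bad: Optional[str] = None
    good: Optional[str] = None


def parse_mbam_log(text):
    """Return (detections, declared_counts) for an MBAM log body."""
    detections, declared, category = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            category = header["category"]
            declared[category] = int(header["count"])
            continue
        if category is None or line in ("(No malicious items detected)", "(end)"):
            continue  # scan metadata before the first section, or filler
        m = DETECTION_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        action = rest.rsplit(" -> ", 1)[-1]  # last segment is always the action
        hj = HIJACK_RE.search(rest)
        detections.append(Detection(category, m["item"], m["threat"], action,
                                    hj["bad"] if hj else None,
                                    hj["good"] if hj else None))
    return detections, declared


def threat_summary(detections):
    return Counter(d.threat for d in detections)


def hijacks(detections):
    """(item, bad value, restored value) for every Hijack.* entry."""
    return [(d.item, d.bad, d.good) for d in detections if d.threat.startswith("Hijack.")]


def count_mismatches(detections, declared):
    """Sections whose header count differs from the lines parsed under it."""
    seen = Counter(d.category for d in detections)
    return {c: (n, seen.get(c, 0)) for c, n in declared.items() if seen.get(c, 0) != n}


def analyze(text):
    detections, declared = parse_mbam_log(text)
    return {
        "detections": len(detections),
        "threats": dict(threat_summary(detections)),
        "hijacks": hijacks(detections),
        "count_mismatches": count_mismatches(detections, declared),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_MBAM_LOG)
    print(f"{report['detections']} detections: {report['threats']}")
    for item, bad, good in report["hijacks"]:
        print(f"hijacked {item}: {bad!r} restored to {good!r}")
    for cat, (declared, seen) in report["count_mismatches"].items():
        print(f"WARNING {cat}: header says {declared}, parsed {seen} (truncated paste?)")
```

The count check is the part worth keeping when triaging pasted logs: helpers on a forum only see what was pasted, and a section whose header says 15 while 12 lines follow is the quickest sign that something was cut off.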

dobber82

  • Guest
Re: Malicious URL Blocked Issue (same as problem in davidle thread)
« Reply #1 on: June 26, 2012, 05:36:08 PM »
I then downloaded and ran OTL as Essexboy's steps outlined.

The run has now finished and I have the two txt file logs in ANSI format as required.

I think that's as far as I'm going to get on this today, but I will continue on with the next phase of Essexboy's steps tomorrow unless I hear from you guys in the meantime telling me to do something else.

Hopefully we can get this fixed.

Thanks again for taking a look and your time.  :)

jeffce

  • Guest
Re: Malicious URL Blocked Issue (same as problem in davidle thread)
« Reply #2 on: June 26, 2012, 05:40:47 PM »
Hi and welcome.

Could you also download and run aswMBR from the same page you found the instructions for OTL.  :)

dobber82

  • Guest
Re: Malicious URL Blocked Issue (same as problem in davidle thread)
« Reply #3 on: June 26, 2012, 06:18:30 PM »
Hi Jeffce,

Yeah, I took a look back at those instructions and as you said I have run the aswMBR scan and attached the log for that here too.

Looking forward to hearing what you think I can do now to solve this after you have a chance to look over the logs. ???

Cheers

David

jeffce

  • Guest
Re: Malicious URL Blocked Issue (same as problem in davidle thread)
« Reply #4 on: June 26, 2012, 07:29:32 PM »
Hi,

Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1163044022-3439133069-2077064740-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-1163044022-3439133069-2077064740-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://startsear.ch/?aff=1&src=sp&cf=4d9af31e-4518-11e1-8270-b870f4deedfc&q={searchTerms}
IE - HKU\S-1-5-21-1163044022-3439133069-2077064740-1001\..\SearchScopes\{53DDEF8A-E1C8-4404-A2BD-96B57C2935A5}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=FF&o=14594&src=kw&q={searchTerms}&locale=en_NL&apn_ptnrs=FV&apn_dtid=YYYYYYYYNL&apn_uid=82e2ae5f-c596-490e-ac24-6e4bfcd08812&apn_sauid=79D2DBB6-9E5F-41F4-AEC6-A02CA51F9844
O2:64bit: - BHO: (VshareComplete) - {222f31fb-a14e-4af2-bb14-997f28294370} - C:\Users\O'Byrne\AppData\Roaming\VshareComplete\64\VshareComplete64.dll (SimplyGen)
O2:64bit: - BHO: (Expat Shield Class) - {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE_64.dll File not found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (VshareComplete) - {222f31fb-a14e-4af2-bb14-997f28294370} - C:\Users\O'Byrne\AppData\Roaming\VshareComplete\VshareComplete.dll (SimplyGen)
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
[2 C:\Users\O'Byrne\Desktop\*.tmp files -> C:\Users\O'Byrne\Desktop\*.tmp -> ]
[2012/01/22 18:44:26 | 000,000,000 | ---D | M] -- C:\Users\O'Byrne\AppData\Roaming\VshareComplete

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
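An added example (my own code, not OTL's and not part of jeffce's fix): a Python audit that reads OTL-format "IE ... SearchScopes" and "O2 - BHO" lines like those in the fix script above and flags the patterns the fix is removing: a search scope whose URL points outside an allowlist of expected providers (the startsear.ch and ask.com scopes), a BHO whose DLL is missing or whose CLSID is orphaned, and a BHO loading from a user-writable AppData path. The allowlist, the finding labels and the function names are assumptions; the embedded sample is a constructed, abbreviated copy of lines from the fix, including the [b]...[/b] bold residue a forum paste can leave behind.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt modelled on the OTL log lines quoted in the fix above
# (the ask.com scope URL is shortened; one line keeps the forum's [b] residue).
SAMPLE_OTL = r"""
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
IE - HKU\S-1-5-21-1163044022-3439133069-2077064740-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://startsear.ch/?aff=1&src=sp&cf=4d9af31e-4518-11e1-8270-b870f4deedfc&q={searchTerms}
IE - HKU\S-1-5-21-1163044022-3439133069-2077064740-1001\..\SearchScopes\{53DDEF8A-E1C8-4404-A2BD-96B57C2935A5}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=FF&o=14594&src=kw&q={searchTerms}&locale=en_NL
O2:64bit: - BHO: (VshareComplete) - {222f31fb-a14e-4af2-bb14-997f28294370} - C:\Users\O'Byrne\AppData\Roaming\VshareComplete\64\VshareComplete64.dll (SimplyGen)
O2:64bit: - BHO: (Expat Shield Class) - {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE_64.dll File not found
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
"""

# IE[:64bit:] - <hive>\..\SearchScopes\{GUID}: "URL" = <url>
SEARCH_RE = re.compile(
    r'^IE(?::64bit:)? - (?P<hive>.+?)\\\.\.\\SearchScopes\\(?P<guid>\{[0-9A-Fa-f-]+\}): "URL" = (?P<url>\S+)$')
# O2[:64bit:] - BHO: (<name>) - {GUID} - <dll path (vendor) | ... File not found | No CLSID value found.>
BHO_RE = re.compile(
    r'^O2(?::64bit:)? - BHO: \((?P<name>[^)]*)\) - (?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<rest>.+)$')

# Assumed policy for this example: the search providers expected on the machine.
EXPECTED_SEARCH_DOMAINS = ("bing.com", "google.com")


def strip_bbcode(line):
    """Remove the [b]/[/b] markers a forum paste leaves inside OTL lines."""
    return line.replace("[b]", "").replace("[/b]", "")


def host_allowed(host, allowed=EXPECTED_SEARCH_DOMAINS):
    return any(host == d or host.endswith("." + d) for d in allowed)


def audit_otl(text, allowed=EXPECTED_SEARCH_DOMAINS):
    """Return (finding_kind, detail) tuples, in the order the lines appear."""
    findings = []
    for raw in text.splitlines():
        line = strip_bbcode(raw.strip())
        m = SEARCH_RE.match(line)
        if m:
            host = urlsplit(m["url"]).hostname or ""
            if not host_allowed(host, allowed):
                findings.append(("search_scope_hijack", f"{m['hive']} {m['guid']} -> {host}"))
            continue
        m = BHO_RE.match(line)
        if not m:
            continue  # DefaultScope, O3 toolbar and other lines are out of scope here
        rest = m["rest"]
        if rest.startswith("No CLSID value found"):
            findings.append(("orphaned_bho_no_clsid", m["guid"]))
        elif rest.endswith("File not found"):
            findings.append(("orphaned_bho_missing_dll", rest[:-len("File not found")].strip()))
        elif re.search(r"\\AppData\\", rest, re.IGNORECASE):
            # BHOs load into every IE process; a DLL living in the user's
            # roaming profile rather than Program Files is a hijack signal.
            findings.append(("bho_loaded_from_user_profile", f"{m['name']}: {rest.rsplit(' (', 1)[0]}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_otl(SAMPLE_OTL):
        print(f"{kind:30} {detail}")
```

Run against the sample, the bing.com scope passes and the two per-user scopes pointing at startsear.ch and ask.com are reported, alongside the three BHO entries the fix removes. Adjust EXPECTED_SEARCH_DOMAINS to whatever providers the machine is supposed to have; the check is on the URL's host, so an affiliate redirect wrapped around a legitimate engine's search URL still shows up.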

dobber82

  • Guest
Re: Malicious URL Blocked Issue (same as problem in davidle thread)
« Reply #5 on: June 27, 2012, 09:55:47 AM »
Good morning Jeffce,

I decided to just leave a full run of that scanning program Malwarebytes' Anti-Malware on the computer before I went to bed. Anyway, it came back and said there is no malware detected.

I logged on here this morning to see that you've come back with the next steps to follow... but then I realized that the pages I was opening were no longer giving me the malicious URL warning and, in fact, everything seems to be working perfectly again. I tried several random web pages from Google News and still no warnings and everything looks to be fine.  ::)

Do you think the additional full run of Malwarebytes' Anti-Malware could have sorted the problem?

Do you still think I should follow the ERUNT and OTL steps that you outlined above? 

Let me know what you think and thanks again for your help.

Cheers,

David


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: Malicious URL Blocked Issue (same as problem in davidle thread)
« Reply #6 on: June 27, 2012, 10:08:58 AM »
Quote
Do you still think I should follow the ERUNT and OTL steps that you outlined above? 
yes....as ERUNT will give you a backup....and the OTL fix will remove additional problems....and the new log will show if all is gone   ;)
« Last Edit: June 27, 2012, 10:12:49 AM by Pondus »

jeffce

  • Guest
Re: Malicious URL Blocked Issue (same as problem in davidle thread)
« Reply #7 on: June 27, 2012, 01:47:54 PM »
Hi,

Yes please go ahead with running ERUNT and OTL.  Those are definitely entries that we need to remove.  A good rule to remember when removing malware is that an absence of symptoms is not necessarily an absence of infection.  We want to try to prevent anything from respawning later. 

When you get the new OTL logs please attach those.  Thanks.  :)

dobber82

  • Guest
Re: Malicious URL Blocked Issue (same as problem in davidle thread)
« Reply #8 on: June 27, 2012, 03:39:48 PM »
Okay, thanks Jeffce and Pondus.

I went ahead with running ERUNT and OTL. I have attached the OTL log output txt file here in ANSI format again (assumed that would be the same but let me know if that is not the most convenient).

I noticed in some other threads a problem with VShare in general. Is that a program to stay away from? I have used it for streaming sports in the past many times and it hadn't seemed to cause problems before. What are your thoughts on this?

Thanks,

David

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: Malicious URL Blocked Issue (same as problem in davidle thread)
« Reply #9 on: June 27, 2012, 03:45:59 PM »
OTL log is posted correctly... if not in ANSI it would look like Chinese.  ;)

jeffce

  • Guest
Re: Malicious URL Blocked Issue (same as problem in davidle thread)
« Reply #10 on: June 27, 2012, 04:26:22 PM »
Hi,

Good job getting that run.  You were wondering about VShare and I will let you look at what I find so you can make your own decision if you want to continue its use...  http://www.systemlookup.com/CLSID/75688-VshareComplete_dll.html
----------

I noticed that you still have McAfee on your system.  Did you get a chance to run the removal tool that I had provided?
---------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
O2:64bit: - BHO: (Expat Shield Class) - {3706EE7C-3CAD-445D-8A43-03EBC3B75908} - C:\Program Files (x86)\Expat Shield\HssIE\ExpatIE_64.dll File not found
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.  Reboot when it is done.
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

dobber82

  • Guest
Re: Malicious URL Blocked Issue (same as problem in davidle thread)
« Reply #11 on: June 27, 2012, 04:33:27 PM »
Okay thanks Jeffce.

I did run that second round of OTL this morning with the copy and paste of your commands into the custom code box.

I will do it again though with the one you just pasted.

Cheers,

David

jeffce

  • Guest
Re: Malicious URL Blocked Issue (same as problem in davidle thread)
« Reply #12 on: June 27, 2012, 04:38:53 PM »
Ok.  :)

dobber82

  • Guest
Re: Malicious URL Blocked Issue (same as problem in davidle thread)
« Reply #13 on: June 27, 2012, 04:46:22 PM »
Here's what came up after running the copy and paste of your commands; the computer rebooted and opened this file:

(I also attached this in the ANSI format too)

Let me know what you think when you take a look or whether you think I should do a final OTL scan?

Cheers,

David

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\O'Byrne\Desktop\cmd.bat deleted successfully.
C:\Users\O'Byrne\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56468 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: O'Byrne
->Temp folder emptied: 1577319931 bytes
->Temporary Internet Files folder emptied: 327060421 bytes
->Java cache emptied: 218371 bytes
->Google Chrome cache emptied: 520941996 bytes
->Flash cache emptied: 155152 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 238170516 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes
RecycleBin emptied: 4280465547 bytes
 
Total Files Cleaned = 6,623.00 mb
 
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
OTL by OldTimer - Version 3.2.53.0 log created on 06272012_163535

Files\Folders moved on Reboot...
C:\Users\O'Byrne\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\O'Byrne\AppData\Local\Temp\MMDUtl.log moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp\dsiwmis.log scheduled to be moved on reboot.
File move failed. C:\Windows\temp\LMutilps32.log scheduled to be moved on reboot.
File\Folder C:\Windows\temp\mcafee_NqTOYuVI8pm2pcP not found!

PendingFileRenameOperations files...
File C:\Users\O'Byrne\AppData\Local\Temp\FXSAPIDebugLogFile.txt not found!
File C:\Users\O'Byrne\AppData\Local\Temp\MMDUtl.log not found!
[2012/06/27 16:41:34 | 000,000,000 | ---- | M] () C:\Windows\temp\_avast_\Webshlock.txt : Unable to obtain MD5
[2012/06/27 16:41:24 | 000,432,523 | ---- | M] () C:\Windows\temp\dsiwmis.log : Unable to obtain MD5
[2012/06/27 16:41:24 | 000,657,323 | ---- | M] () C:\Windows\temp\LMutilps32.log : Unable to obtain MD5
File C:\Windows\temp\mcafee_NqTOYuVI8pm2pcP not found!

Registry entries deleted on Reboot...

dobber82

  • Guest
Re: Malicious URL Blocked Issue (same as problem in davidle thread)
« Reply #14 on: June 27, 2012, 04:47:37 PM »
I definitely seem to still have McAfee anyway, as I just got a pop-up from them saying I'm exposed to viruses etc. and a link to buy a subscription.