Author Topic: URL Blocked Malicious  (Read 6327 times)

wendyr1674

  • Guest
URL Blocked Malicious
« on: September 17, 2012, 09:49:48 PM »
I ran Avast and it said I have a Trojan-gen and moved it to the chest but will not let me delete it.
I ran Malware
Malwarebytes Anti-Malware (Trial) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.14.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
wendy :: WENDY-4K7CO2TYJ [administrator]

Protection: Enabled

9/17/2012 1:30:00 PM
mbam-log-2012-09-17 (13-30-00).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243079
Time elapsed: 31 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

And it did not find anything.

How do I get this off my computer?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89051
  • No support PMs thanks
Re: URL Blocked Malicious
« Reply #1 on: September 17, 2012, 10:05:41 PM »
What is the file name and location of the detection?
What reason was given for being unable to deal with it?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

wendyr1674

  • Guest
Re: URL Blocked Malicious
« Reply #2 on: September 17, 2012, 10:13:56 PM »
It moved it to the chest but greyed out where you delete and apply.
I have a print screen of the internet error that I am getting but I do not know how to attach it here.

Offline DavidR

Re: URL Blocked Malicious
« Reply #3 on: September 17, 2012, 10:17:17 PM »
Use the Attachments and other options link (expands) in the reply window to attach the screenshot.

wendyr1674

  • Guest
Re: URL Blocked Malicious
« Reply #4 on: September 17, 2012, 10:36:27 PM »
Here are the logs. I am working on the screenshot; it says it's too large.

wendyr1674

  • Guest
Re: URL Blocked Malicious
« Reply #5 on: September 17, 2012, 10:40:30 PM »
Infection Details
URL:   hxxp://17.feedadvertising12.com/2feed?ty...
Process:   C:\Program Files\Mozilla Firefox\firefox...
Infection:   URL:Mal

I can't get the screen shot to send but here is what it says.
« Last Edit: September 18, 2012, 01:15:31 AM by wendyr1674 »

Offline DavidR

Re: URL Blocked Malicious
« Reply #6 on: September 18, 2012, 12:20:21 AM »
 A malware removal specialist has been informed of your topic.

There may be some delay due to differing time zones and availability of the volunteer malware removal specialists.

Please 'modify' your post and change the URL from http to hXXp, to break the link and avoid accidental exposure to suspect sites, thanks.
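Added example (not part of the original thread, and not Avast's or any forum tool's code): a small Python helper that applies the http to hXXp change requested above to a whole log before it is pasted, and lists any URLs that are still clickable. The sample text is constructed, and `example.test` and the `<SID>`/`{GUID}` placeholders stand in for real values.

```python
import re

# A scheme that forum software would still turn into a clickable link.
_LIVE_SCHEME = re.compile(r"\bhttp(s?)://", re.IGNORECASE)
# A whole live URL, up to the next whitespace or quote/angle bracket.
_LIVE_URL = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample: an alert line, a registry line, and one URL
# that has already been defanged by hand.
SAMPLE = r"""Infection Details
URL:   http://ads.example.test/2feed?ty=1
IE - HKU\<SID>\SearchScopes\{GUID}: "URL" = HTTPS://search.example.test/?q={searchTerms}
Already safe: hxxp://old.example.test/
"""


def defang(text):
    """Rewrite http:// and https:// as hXXp:// and hXXps://.

    Only the scheme is changed, so the rest of the URL stays readable
    for the helper. Already-defanged URLs do not match and are left
    alone, which makes the function safe to run twice.
    """
    return _LIVE_SCHEME.sub(
        lambda m: "hXXp" + m.group(1).lower() + "://", text
    )


def live_urls(text):
    """Return (line_number, url) for every URL that is still clickable."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for match in _LIVE_URL.finditer(line):
            hits.append((number, match.group(0)))
    return hits


if __name__ == "__main__":
    for number, url in live_urls(SAMPLE):
        print("line %d still live: %s" % (number, url))
    print(defang(SAMPLE))
```

Running `live_urls` on the defanged text as a last check before posting catches URLs buried in registry or script lines that are easy to miss by eye.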

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: URL Blocked Malicious
« Reply #7 on: September 18, 2012, 03:20:32 PM »
Let me know if this stops it

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


:OTL
IE - HKU\S-1-5-21-746137067-1993962763-839522115-1004\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzutAtN2Y1L1QzutDtDtCyBtAtCyE0B0AtBtBtDtC0CtDzytN0D0TzutBtDtCtBtDyCtCtB&cr=1531058913
IE - HKU\S-1-5-21-746137067-1993962763-839522115-1004\..\SearchScopes\{14D3E54A-5163-A1DA-9E7D-3FD7FF3038A1}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=109935&tt=060612_8_&babsrc=SP_ss&mntrId=0cd31c090000000000000017314ba220
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{69023299-FD32-11E1-8271-B8AC6F996F26}: C:\Documents and Settings\wendy\Local Settings\Application Data\{69023299-FD32-11E1-8271-B8AC6F996F26}\ [2012/09/12 19:34:46 | 000,000,000 | ---D | M]
[2012/09/12 19:34:46 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\DOCUMENTS AND SETTINGS\WENDY\LOCAL SETTINGS\APPLICATION DATA\{69023299-FD32-11E1-8271-B8AC6F996F26}
[2012/06/12 10:20:32 | 000,002,352 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
O4 - HKLM..\Run: [lcsas] C:\Documents and Settings\wendy\Application Data\lcsas.dll ()
[2012/09/17 15:12:54 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\wendy\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
[2012/06/12 10:27:10 | 000,302,425 | ---- | C] () -- C:\Documents and Settings\wendy\Local Settings\Application Data\funmoods-speeddial.crx

:Files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

wendyr1674

  • Guest
Re: URL Blocked Malicious
« Reply #8 on: September 18, 2012, 07:13:39 PM »
How long should this take? I think it may be frozen up. Will I get a message when it is done?

Offline essexboy

Re: URL Blocked Malicious
« Reply #9 on: September 18, 2012, 07:18:58 PM »
OK that is MBAM blocking it

Stop OTL and then re-run it with this fix script
:OTL
IE - HKU\S-1-5-21-746137067-1993962763-839522115-1004\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=iron2&chnl=iron2&cd=2XzutAtN2Y1L1QzutDtDtCyBtAtCyE0B0AtBtBtDtC0CtDzytN0D0TzutBtDtCtBtDyCtCtB&cr=1531058913
IE - HKU\S-1-5-21-746137067-1993962763-839522115-1004\..\SearchScopes\{14D3E54A-5163-A1DA-9E7D-3FD7FF3038A1}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=109935&tt=060612_8_&babsrc=SP_ss&mntrId=0cd31c090000000000000017314ba220
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{69023299-FD32-11E1-8271-B8AC6F996F26}: C:\Documents and Settings\wendy\Local Settings\Application Data\{69023299-FD32-11E1-8271-B8AC6F996F26}\ [2012/09/12 19:34:46 | 000,000,000 | ---D | M]
[2012/09/12 19:34:46 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\DOCUMENTS AND SETTINGS\WENDY\LOCAL SETTINGS\APPLICATION DATA\{69023299-FD32-11E1-8271-B8AC6F996F26}
[2012/06/12 10:20:32 | 000,002,352 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\babylon.xml
O4 - HKLM..\Run: [lcsas] C:\Documents and Settings\wendy\Application Data\lcsas.dll ()
[2012/09/17 15:12:54 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\wendy\Local Settings\Application Data\¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
[2012/06/12 10:27:10 | 000,302,425 | ---- | C] () -- C:\Documents and Settings\wendy\Local Settings\Application Data\funmoods-speeddial.crx

:Files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptyjava]
[CREATERESTOREPOINT]
[Reboot]

wendyr1674

  • Guest
Re: URL Blocked Malicious
« Reply #10 on: September 18, 2012, 09:33:26 PM »
Here is the log with new script

Offline essexboy

Re: URL Blocked Malicious
« Reply #11 on: September 18, 2012, 09:40:58 PM »
Are you still getting the alerts?

wendyr1674

  • Guest
Re: URL Blocked Malicious
« Reply #12 on: September 19, 2012, 02:01:35 PM »
Are you still getting the alerts ?

No, but now I am getting this.

Offline DavidR

Re: URL Blocked Malicious
« Reply #13 on: September 19, 2012, 02:36:54 PM »
Your text file attachment is empty.

Offline essexboy

Re: URL Blocked Malicious
« Reply #14 on: September 19, 2012, 03:05:04 PM »
Could you expand slightly?