Author Topic: Custom scan revealed threats in memory  (Read 12408 times)


RishR

  • Guest
Custom scan revealed threats in memory
« on: February 21, 2013, 05:06:40 AM »
Hi I hope someone can help me with this.

I was using the internet when avast network shield popped up with a threat detected window and now every 5 minutes it comes up again regarding the same object and threat.

" Malicious URL blocked
avast! Network Shield has blocked a harmful site
Object: http://aurellrp.org/webserver/gate.php
Infection: URL:Mal
Process: C:\Windows\Explorer.EXE   "

After that kept coming up I decided to run a scan with Avast. The quick scan found nothing so I started a custom scan which was configured to scan memory. The scan found 28 threats, they are all different processes in memory blocks, all high severity and all stated as Threat: Win32:Zbot-NRC [Trj].
I have attached an image of the scan results

Should I delete them or move them to the virus vault?

How can I deal with the malicious URL problem?

Thanks in advance.

Rish

Offline Pondus

  • Probably Bot
  • Not a avast user
Re: Custom scan revealed threats in memory
« Reply #1 on: February 21, 2013, 08:11:43 AM »
Quote from RishR: "Should I delete them or move them to the virus vault?"
Not possible, as they are not files. ;)

The "scan memory" setting will give some weird results and should not be used unless you know/understand the result.

This is the second most asked problem in this forum.
Search for "detection in memory" or "memory scan" and you will find lots of info.

Offline Pondus

  • Probably Bot
  • Not a avast user
Re: Custom scan revealed threats in memory
« Reply #2 on: February 21, 2013, 08:14:13 AM »
Quote from RishR: "I was using the internet when avast network shield popped up with a threat detected window and now every 5 minutes it comes up again regarding the same object and threat."
This may indicate an infection.

Follow this guide and attach the logs (do not copy and paste): http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

When done, the removal experts will be notified.


RishR

  • Guest
Re: Custom scan revealed threats in memory
« Reply #3 on: February 21, 2013, 11:22:36 AM »
Hi Pondus,

Thanks for your advice. As you said, I searched for memory scans and saw what has been put in other posts. I only selected memory scan and whole file scan as I thought the repeated network shield alert must be coming from something on my computer.

I will go to that guide now and attach the results shortly.

RishR

  • Guest
Re: Custom scan revealed threats in memory
« Reply #4 on: February 21, 2013, 11:44:40 AM »
I have run Adw Cleaner and have attached the report, next I will do MBAM.

Thanks

RishR

  • Guest
Re: Custom scan revealed threats in memory
« Reply #5 on: February 21, 2013, 12:17:50 PM »
After Adw Cleaner restarted and I started to scan my computer with MBAM, avast network shield popped up again, but this time it was different.

Firstly I was getting this message:
" Malicious URL blocked
avast! Network Shield has blocked a harmful site
Object: http://aurellrp.org/webserver/gate.php
Infection: URL:Mal
Process: C:\Windows\Explorer.EXE   "

Then I got this message:
" Malicious URL blocked
avast! Network Shield has blocked a harmful site
Object: http://aurellrp.org/webserver/gate.php
Infection: URL:Mal
Process: C:\Users\Rish!!\AppData\Roaming\Iwfei\heqo.exe   "

Does this mean that the infection/virus or whatever it is has moved?

Thanks for all your help so far.

RishR

  • Guest
Re: Custom scan revealed threats in memory
« Reply #6 on: February 21, 2013, 12:19:57 PM »
Just finished MBAM scan, log attached below.

Thanks

RishR

  • Guest
Re: Custom scan revealed threats in memory
« Reply #7 on: February 21, 2013, 12:52:24 PM »
Hi Pondus,

Just finished the OTL scan, but only one notepad window opened, which I saved as OTL; there was no second notepad window "extras.txt"? If something has gone wrong please let me know.

However, in the meantime here is the result please see attachment. Btw I am still getting the Malicious URL alert from avast.

Thanks

RishR

  • Guest
Re: Custom scan revealed threats in memory
« Reply #8 on: February 21, 2013, 01:24:31 PM »
Finished the aswMBR scan, log attached. Also, a "video cd" .dat file named MBR was created by the program when the scan finished, but I can't change the file extension or attach the file to this post; can anyone help with that?

I hope someone can help me. Just as an update, I am still getting the malicious URL pop up from avast.

Thanks to everyone who has viewed this post and I hope there is a fix for my problem.

Rish

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: Custom scan revealed threats in memory
« Reply #9 on: February 21, 2013, 03:15:03 PM »
The dat file is a raw read of the MBR. At the moment I do not need that, so you can delete it.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon -- (CLTNetCnService)
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-2120591977-3353888384-1951892941-1000\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - No CLSID value found
IE - HKU\S-1-5-21-2120591977-3353888384-1951892941-1000\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-2120591977-3353888384-1951892941-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc;version=8.6.5: C:\Program Files\Tripleplay\TPPlugins\npvlc.dll File not found
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\System32\ActiveToolBand.dll (HiTRUST)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKU\S-1-5-21-2120591977-3353888384-1951892941-1000..\Run: [Yhugtaebh] C:\Users\Rish!!\AppData\Roaming\Iwfei\heqo.exe ()
[2013/02/21 00:56:08 | 000,000,000 | ---D | C] -- C:\Users\Rish!!\AppData\Roaming\Ygkoi
[2013/02/21 00:56:08 | 000,000,000 | ---D | C] -- C:\Users\Rish!!\AppData\Roaming\Iwfei
[2013/02/21 00:56:08 | 000,000,000 | ---D | C] -- C:\Users\Rish!!\AppData\Roaming\Cuhe
[2011/05/31 19:19:12 | 000,010,876 | -HS- | C] () -- C:\Users\Rish!!\AppData\Local\37p0uy7hhp55hsb5e8b8j628bll7jy
[2011/05/31 19:19:12 | 000,010,876 | -HS- | C] () -- C:\ProgramData\37p0uy7hhp55hsb5e8b8j628bll7jy

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Let me know if this stops the alerts.

RishR

  • Guest
Re: Custom scan revealed threats in memory
« Reply #10 on: February 22, 2013, 11:28:34 AM »
Hi Essexboy,

I tried to run the custom fix in OTL. After initializing, while it was killing processes, a blue screen appeared :-[ saying it had detected a problem and shut down, then my system was rebooted. I don't think OTL had enough time to complete the custom fix before that happened. When my system restarted there were a few files and icons on my desktop which are visible but appear transparent, which I believe are hidden files. I have attached a screen shot of those.

I still completed another scan with OTL just in case it had managed to finish before the crash, results are attached as well.

Also this did not stop the Malicious URL notification.

Thank you for your help hope there is something I can try now.

Rishi

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: Custom scan revealed threats in memory
« Reply #11 on: February 22, 2013, 01:27:41 PM »
Let's try one more time with a slightly different fix.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
IE - HKU\S-1-5-21-2120591977-3353888384-1951892941-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKU\S-1-5-21-2120591977-3353888384-1951892941-1000..\Run: [Yhugtaebh] C:\Users\Rish!!\AppData\Roaming\Iwfei\heqo.exe ()
O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
[2013/02/21 00:56:08 | 000,000,000 | ---D | C] -- C:\Users\Rish!!\AppData\Roaming\Ygkoi
[2013/02/21 00:56:08 | 000,000,000 | ---D | C] -- C:\Users\Rish!!\AppData\Roaming\Iwfei
[2013/02/21 00:56:08 | 000,000,000 | ---D | C] -- C:\Users\Rish!!\AppData\Roaming\Cuhe
[2011/05/31 19:19:12 | 000,010,876 | -HS- | C] () -- C:\Users\Rish!!\AppData\Local\37p0uy7hhp55hsb5e8b8j628bll7jy
[2011/05/31 19:19:12 | 000,010,876 | -HS- | C] () -- C:\ProgramData\37p0uy7hhp55hsb5e8b8j628bll7jy

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
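Added example (not from the thread, and not OTL's own code): a small Python triage pass over OTL-style log lines of the kind quoted in the two fixes above, flagging the three indicator types the script removes: an autorun launched from a user-writable profile directory with no publisher, a proxy switched on in Internet Settings, and Hidden+System files outside the Windows directory. The sample log is constructed from entries already in this thread plus a made-up benign "ExampleUpdater" entry for contrast; the heuristics are mine, not OTL's.

```python
import re

# Constructed sample of OTL log lines, modelled on the entries quoted in this
# thread; the "ExampleUpdater" Run entry and "Example Corp" are made up for contrast.
SAMPLE_OTL_LOG = r"""
O4 - HKLM..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe (Example Corp)
O4 - HKU\S-1-5-21-2120591977-3353888384-1951892941-1000..\Run: [Yhugtaebh] C:\Users\Rish!!\AppData\Roaming\Iwfei\heqo.exe ()
IE - HKU\S-1-5-21-2120591977-3353888384-1951892941-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
[2013/02/21 00:56:08 | 000,000,000 | ---D | C] -- C:\Users\Rish!!\AppData\Roaming\Iwfei
[2011/05/31 19:19:12 | 000,010,876 | -HS- | C] () -- C:\ProgramData\37p0uy7hhp55hsb5e8b8j628bll7jy
"""

# O4 autorun line: "[name] path (publisher)"; an empty "()" means OTL found no company name.
# File/directory line: "[date time | size | attrs | C] -- path" (files also carry "()").
RUN_RE = re.compile(r"^O4 - (?P<key>.+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?) \((?P<publisher>[^)]*)\)$")
PROXY_RE = re.compile(r'^IE - (?P<key>.+?): "ProxyEnable" = 1$')
FILE_RE = re.compile(r"^\[[^\]]*\| (?P<attrs>[^\s|]+) \| [CM]\](?: \(\))? -- (?P<path>.+)$")
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def triage_otl(log_text):
    """Return (category, detail) tuples for the indicator types this thread's fix removed."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            # An autorun launched from the user's profile with no publisher is the
            # Zbot-style persistence seen here; a named publisher in Program Files passes.
            if USER_WRITABLE_RE.search(m["path"]) and not m["publisher"].strip():
                findings.append(("autorun", m["path"]))
            continue
        m = PROXY_RE.match(line)
        if m:
            # A proxy the user never configured can silently route browser traffic elsewhere.
            findings.append(("proxy", m["key"]))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs = m["attrs"].upper()
            # Hidden+System files outside the Windows directory are rarely legitimate.
            if "H" in attrs and "S" in attrs and not m["path"].lower().startswith("c:\\windows\\"):
                findings.append(("hidden_system", m["path"]))
    return findings

if __name__ == "__main__":
    for category, detail in triage_otl(SAMPLE_OTL_LOG):
        print(f"{category:14} {detail}")
```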

RishR

  • Guest
Re: Custom scan revealed threats in memory
« Reply #12 on: February 22, 2013, 02:42:43 PM »
Just completed the fix and the scan. The fix seemed to work and I have attached the log of that after my system rebooted. As the fix was working I did see that a file was transferred to the virus vault, so should I delete that now?

The quick scan has just finished so I'll attach the log as well.

Thanks for all your help. ;D

Rish

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: Custom scan revealed threats in memory
« Reply #13 on: February 22, 2013, 02:45:15 PM »
How is the computer behaving now? You can clear the vault.

RishR

  • Guest
Re: Custom scan revealed threats in memory
« Reply #14 on: February 22, 2013, 03:05:15 PM »
Umm, so far everything is behaving like it should, although I did notice in the log after the fix was complete something a bit weird:
"File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot." - is this file part of avast?

So far not a single Malicious URL blocked :)

I do have some questions if you have the time.
1. In the first OTL log that I attached there are some strange websites under the section C:\Windows\System32\drivers\etc\hosts. What are hosts?

2. All my problems started, I think, when Firefox did not block a pop-up window even though my settings are configured to do so. Is there a plug-in or add-on I can get to stop this happening again in the future?

3. I remember reading somewhere on an anti-virus website that a lot of infections use Java to penetrate your system. Bearing that in mind, I don't think my Java has been updated for ages; should I update it?

4. I use Avast Free, MBAM free (to be honest I wasn't using it regularly) and Spybot Search and Destroy, with Windows Firewall turned on. Are there any products that you would recommend to use in addition to or to replace the ones I have been using?

Finally, I have to say a massive thank you to you and everyone else that has helped me. It's great to have my computer working again :o.

Rish