Author Topic: Malicious URL Blocked  (Read 5132 times)


Speedracer82

  • Guest
Malicious URL Blocked
« on: July 27, 2013, 12:11:44 PM »
Hi, just not long ago I've been receiving the "Malicious URL Blocked" pop-up from avast antivirus. This block appears whenever I navigate through webpages on Google Chrome, so I tried using Internet Explorer and, to no avail, the same block pops up. Can anyone advise me on the steps I should undertake? Do I follow this topic? http://forum.avast.com/index.php?topic=53253.0

Thanks.
« Last Edit: July 27, 2013, 12:19:59 PM by Speedracer82 »

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Malicious URL Blocked
« Reply #1 on: July 27, 2013, 12:26:42 PM »


Hi,
I will be working on your Malware issues.  During this case I will use multiple tools for the best possible analysis and malware removal.



Please download Farbar Recovery Scan Tool and Zoek.exe and save both tools to your Desktop.

Note for Farbar Recovery Scan Tool (aka FRST):
You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


Note for Zoek.exe:
Do not launch Zoek.exe yet! We shall use it later.



FRST Scan:
  • Double-click on FRST/FRST64 to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Speedracer82

  • Guest
Re: Malicious URL Blocked
« Reply #2 on: July 27, 2013, 12:41:21 PM »
Thanks for assistance and quick reply.

I have downloaded both programs and attached the requested logs from the Farbar recovery tool.

Offline magna86

Re: Malicious URL Blocked
« Reply #3 on: July 27, 2013, 01:32:43 PM »
Hi,

Both Zoek and FRST need to be on the Desktop.
2013-07-27 20:32 - 2013-07-27 20:33 - 01275420 _____ C:\Users\Cynthia\Downloads\zoek.exe
2013-07-27 20:31 - 2013-07-27 20:32 - 01780407 _____ (Farbar) C:\Users\Cynthia\Downloads\FRST64.exe



My personal recommendation to you is to remove (Control Panel > Programs and Features) Optimizer Pro v3.0 (x32 Version: 3.0).
Those tools are just crap/bloatware and nothing else...





The fix procedure consists of two steps: running through FRST's script and then running through zoek's script.



Step#1


FRSTScript:
1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE:
This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Code:

Start
Hosts:
Task: {7F64E0AF-B49D-4FAE-8A9D-976557B4C426} - System32\Tasks\Lyrics-Pal Update => C:\Program Files (x86)\LyricsPal\Lyrics.exe No File
Task: C:\windows\Tasks\Lyrics-Pal Update.job => C:\Program Files (x86)\LyricsPal\Lyrics.exe
MountPoints2: {d9c89934-d6ac-11e0-bc63-c0cb38e41cc5} - E:\unlock.exe autoplay=true
MountPoints2: {f04ac1c0-f07f-11e2-8e54-c0cb38e41cc5} - H:\Setup.exe
URLSearchHook: (No Name) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} -  No File
SearchScopes: HKLM - DefaultScope value is missing.
BHO-x32: Lyrics-Pal - {AB9778AB-BAEF-49B9-96EE-D6E4BD0BCE68} - C:\Program Files (x86)\LyricsPal\125.dll No File
Toolbar: HKCU - No Name - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} -  No File
CHR HKLM-x32\...\Chrome\Extension: [mmiopbgcekanlhpjkonogoljpfmhpkhf] - C:\Program Files (x86)\LyricsPal\125.crx
File: C:\Users\Cynthia\Downloads\Setup.exe
C:\Program Files (x86)\LyricsPal
CMD: ipconfig /flushdns
End


2. Save notepad as fixlist.txt
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.








Step#2

ZOEKScript:

1. Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.


2. Double-click on zoek.exe to run it;
Please wait until the tool starts...

3. Copy the text present inside the code box below and paste it into the large window in the zoek tool:

Code:

filesrcm;
startupall;
firefoxlook;
chromelook;

4. Click on button


Upon completion it will create zoek-results.log. Please wait until a log report opens (this can be after a reboot).


5. Save notepad to your Desktop and attach here zoek-results.log
Note: It will also create a log in the C:\ directory named "zoek-results.log"





Summary:
Please attach these to your next reply:
  • Fixlog.txt created by FRST
  • zoek-results.log created by Zoek
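
Added example, not part of the original post and not FRST's own code: a small Python triage of the FRST-style log lines that the fixlist above is built from. It flags entries marked "No File", autorun commands cached under MountPoints2, and a Chrome extension registered through the registry; the sample lines are copied from the post, while the function names and reason strings are assumptions made for illustration.

```python
import re

# Lines copied from the FRST fixlist in the post above (not constructed).
SAMPLE = r"""Task: {7F64E0AF-B49D-4FAE-8A9D-976557B4C426} - System32\Tasks\Lyrics-Pal Update => C:\Program Files (x86)\LyricsPal\Lyrics.exe No File
MountPoints2: {d9c89934-d6ac-11e0-bc63-c0cb38e41cc5} - E:\unlock.exe autoplay=true
URLSearchHook: (No Name) - {88c7f2aa-f93f-432c-8f0e-b7d85967a527} -  No File
BHO-x32: Lyrics-Pal - {AB9778AB-BAEF-49B9-96EE-D6E4BD0BCE68} - C:\Program Files (x86)\LyricsPal\125.dll No File
CHR HKLM-x32\...\Chrome\Extension: [mmiopbgcekanlhpjkonogoljpfmhpkhf] - C:\Program Files (x86)\LyricsPal\125.crx
CMD: ipconfig /flushdns""".splitlines()

GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
CHROME_ID = re.compile(r"\[([a-p]{32})\]")  # Chrome extension IDs use only a-p
WIN_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|crx|job)\b", re.I)


def parse_entry(line):
    """Split one FRST-style log line into its section, identifier and target."""
    section, _, rest = line.partition(": ")
    ident = GUID.search(rest) or CHROME_ID.search(rest)
    path = WIN_PATH.search(rest)
    return {
        "kind": section.split()[0].split("-")[0],  # "BHO-x32" -> "BHO"
        "id": ident.group(0) if ident else None,
        "path": path.group(0) if path else None,
        "missing": rest.rstrip().endswith("No File"),
    }


def triage(lines):
    """Return (entry, reasons) for every line that deserves a second look."""
    findings = []
    for line in lines:
        e = parse_entry(line)
        reasons = []
        if e["missing"]:
            reasons.append("orphaned: registered target is no longer on disk")
        if e["kind"] == "MountPoints2" and e["path"]:
            reasons.append("autorun command cached for a mounted volume")
        if e["kind"] == "CHR" and e["path"] and e["path"].lower().endswith(".crx"):
            reasons.append("Chrome extension side-loaded through the registry")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE):
        print(f'{entry["kind"]:<14}{entry["id"] or "-":<40}{"; ".join(reasons)}')
```

The script only reads and classifies text; it changes nothing on the machine, so it can be run over a saved FRST.txt on any analysis host.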

Speedracer82

  • Guest
Re: Malicious URL Blocked
« Reply #4 on: July 27, 2013, 02:09:32 PM »
I have moved both zoek and FRST to my desktop along with any relevant files. Optimizer has also been uninstalled on the computer.

Here are the fixlog from FRST and the zoek results log.

Offline magna86

Re: Malicious URL Blocked
« Reply #5 on: July 27, 2013, 02:26:57 PM »
Hi,

- Please attach here C:\AdwCleaner[S1].txt log that was created by AdwCleaner,


THEN ...


- Re-run Zoek.exe as you did before via this ZOEKScript;




Code:
emptyclsid;
chrdefaults;
C:\Users\Cynthia\Downloads\Setup.exe;f
C:\Users\Cynthia\AppData\Local\Temp\lyricsPaltmp.exe;f
C:\Users\Cynthia\AppData\Local\Temp\OptimizerPro.exe;f
C:\Users\Cynthia\AppData\Local\Temp\LyricsPal_1060-8101_v122.exe;f
C:\Users\Cynthia\AppData\Local\Temp\bitool.dll;f
C:\windows\Sysnative\Tasks\{1D7773A6-5388-41F0-B50F-0909089ECBCB};f
emptyalltemp;
autoclean;


- Wait for zoek to finish its fix and then attach the freshly created zoek log.



=========== THEN =========


Re-check;


1. Re-run FRST, just click on the Scan button and attach here the freshly created FRST.txt log report.




RootkitCheck:



2. Download TDSSKiller and save it to your desktop.

Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If a Suspicious object is detected, the default action will be Skip; click on Continue.
  • If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.




Speedracer82

  • Guest
Re: Malicious URL Blocked
« Reply #6 on: July 27, 2013, 03:16:23 PM »
I have attached all logs as requested.

Offline magna86

Re: Malicious URL Blocked
« Reply #7 on: July 27, 2013, 03:33:10 PM »
Ok, last FRST fix ...



1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Code:
Start
AppInit_DLLs-x32:   [0 ] ()
C:\Users\Cynthia\jagex_cl_runescape_LIVE.dat
C:\Users\Cynthia\jagex_runescape_preferences.dat
C:\Users\Cynthia\jagex_runescape_preferences2.dat
End

2. Save notepad as fixlist.txt
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.


---    ---    ---    ---    ---    ---    ---    ---    ---    ---   


Tell me, how is your computer running now? Any malware warnings?

Speedracer82

  • Guest
Re: Malicious URL Blocked
« Reply #8 on: July 27, 2013, 03:41:25 PM »
The malware warnings have not been popping up since my last restart or so. I'm still a bit confused as to what may have caused all this, but the problem seems to have been resolved?

Offline magna86

Re: Malicious URL Blocked
« Reply #9 on: July 27, 2013, 03:47:21 PM »
Malicious extensions were the trigger for the avast warning. The extensions came along with a malicious program, probably as part of some legitimate software, or it used another exploit... How exactly it got into your computer, I do not know.


You are malware free. The logs don't show active malware. We need to remove the used tools now.  8)
Please download DelFix by "Xplode" to your Desktop.

Run the tool and check the following boxes below;
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on the "Run" button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored on C:\DelFix.txt


> I don't need DelFix log report.




I recommend using MCShield, if you wish.
You may download MCShield from one of the following links:

MyCity -  Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via a USB flash drive, mobile phone or any other memory card.
And it will not only prevent infection, but will also immediately clean the flash drive, memory card or external HDD.

Speedracer82

  • Guest
Re: Malicious URL Blocked
« Reply #10 on: July 27, 2013, 04:05:04 PM »
Thank you very much for your help.  :D Though I have a few questions I would like to ask:

Am I free to remove the notes I created for zoek, FRST etc?

I now seem to have many more programs installed such as tdsskiller, malwarebytes, adwcleaner, frst64, zoek. Should I keep them all installed for future reference?

Offline magna86

Re: Malicious URL Blocked
« Reply #11 on: July 27, 2013, 04:11:01 PM »
 ;)

Am I free to remove the notes I created for zoek, FRST etc?

I now seem to have many more programs installed such as tdsskiller, malwarebytes, adwcleaner, frst64, zoek. Should I keep them all installed for future reference?

All of these tools, their files and entries, their logreports will be removed by DelFix. That's why I told you to download and run DelFix. DelFix will also create registry backup and reset the old system and create a new restore point.

edit:
Malwarebytes will not be removed by DelFix. If you wish to remove Malwarebytes, you need to uninstall it, but I recommend that you leave it, as it is a great addition to your AV.
« Last Edit: July 27, 2013, 04:13:05 PM by magna86 »

Speedracer82

  • Guest
Re: Malicious URL Blocked
« Reply #12 on: July 27, 2013, 05:12:38 PM »
Oh ok thanks, I ran delfix and it deleted them, it's just they remained on the desktop.
Thanks again for your help.

Offline magna86

Re: Malicious URL Blocked
« Reply #13 on: July 27, 2013, 07:44:48 PM »
Oh ok thanks, I ran delfix and it deleted them, it's just they remained on the desktop.

Hm ... If the 'Remove disinfection tools' option was ticked then all tools should be gone.
Nevertheless, feel free to delete them manually.