Author Topic: Malicious URL blocked... a lot.  (Read 12669 times)

psknapp

  • Guest
Malicious URL blocked... a lot.
« on: August 31, 2013, 02:38:41 AM »
I know I'm not the only one with this, but I keep getting the red pop up stating Malicious URL blocked.  I've run Malwarebytes and OTL and received the attached messages.  There seem to be a lot of sites, but they all end with /task/23/, whatever that is.

Offline Michael (alan1998)

  • Massive Poster
  • Posts: 2768
  • Volunteer
Re: Malicious URL blocked... a lot.
« Reply #1 on: August 31, 2013, 03:19:12 AM »
MBAM isn't attached.... What about AdwCleaner?
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

psknapp

  • Guest
Re: Malicious URL blocked... a lot.
« Reply #2 on: August 31, 2013, 06:33:54 AM »
Okay, trying again.  I had to do MB and OTL again.

Offline mikaelrask

  • Avast Evangelist
  • Super Poster
  • Posts: 1556
Re: Malicious URL blocked... a lot.
« Reply #3 on: August 31, 2013, 08:42:28 AM »
Hey, also attach the aswMBR log here. If it does not run in normal mode, try safe mode.
Windows 8.1 amd a10-5700 64 bit
12 GB ram 1 tb hard drive. Avast 18, MBAM

Offline Pondus

  • Probably Bot
  • Posts: 37509
  • Not a avast user
Re: Malicious URL blocked... a lot.
« Reply #4 on: August 31, 2013, 09:18:44 AM »
Your Malwarebytes log says NO ACTION TAKEN. Update MBAM, run a new quick scan, and click REMOVE SELECTED.

Run AdwCleaner again, click Scan, and when it finishes click Clean.

Malware removers are notified...

argus

  • Guest
Re: Malicious URL blocked... a lot.
« Reply #5 on: August 31, 2013, 09:59:59 AM »
Hi, I will be working on your Malware issues.

Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:

:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&CUI=UN39353847742539125&UM=2&ctid=CT3289847
IE - HKCU\..\SearchScopes,DefaultScope = {F213A413-B343-4FA1-B4F8-8157444D4DF3}
IE - HKCU\..\SearchScopes\{043C5167-00BB-4324-AF7E-62013FAEDACF}: "URL" = http://vshareus.my-quick-search.com/search.aspx?q={searchTerms}&srch=dsp
IE - HKCU\..\SearchScopes\{F213A413-B343-4FA1-B4F8-8157444D4DF3}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289847&CUI=UN39353847742539125&UM=2
[2013/08/29 19:47:56 | 000,000,000 | ---D | M] (WhiteSmoke New) -- C:\Users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\extensions\{739df940-c5ee-4bab-9d7e-270894ae687a}
[2013/08/29 19:51:14 | 000,000,000 | ---D | M] (WebProtect) -- C:\Users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\extensions\{AF58FD11-7BF2-4F0E-8315-05572D38DF07}
[2013/01/05 08:07:05 | 000,004,011 | ---- | M] () (No name found) -- C:\Users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\extensions\{5391280d-2dd4-11e2-8271-b8ac6f996f26}.xpi
[2013/08/29 19:48:00 | 000,001,005 | ---- | M] () -- C:\Users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\searchplugins\conduit.xml
[2013/08/29 20:20:01 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
CHR - default_search_provider: Conduit (Enabled)
CHR - default_search_provider: search_url = http://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN32093413418161156&ctid=CT3289847&UM=2
CHR - default_search_provider: suggest_url = http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}&CUI=UN32093413418161156&UM=2
CHR - homepage: http://search.conduit.com/?ctid=CT3289847&SearchSource=48&CUI=UN32093413418161156&UM=2
O2 - BHO: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()
CHR - Extension: Web Protect = C:\Users\Knapp\AppData\Local\Google\Chrome\User Data\Default\Extensions\oamhmngeopfinppeiiamgjhlijnmelgo\5.0_0\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()
O2 - BHO: (MSS+ Identifier) - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (Web Protect) - {2CEBF6C7-2B40-469B-B5D5-CD3F3676C3C4} - C:\Program Files (x86)\Web Protect\WebProtect.dll (WebProtect)
O3:64bit: - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKLM\..\Toolbar: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()
O3 - HKLM\..\Toolbar: (Foxit Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Foxit Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll (Ask.com)
O4 - HKCU..\Run: [ConduitFloatingPlugin_klibnahbojhkanfgaglnlalfkgpcppfi] C:\Program Files (x86)\Conduit\CT3289847\plugins\TBVerifier.dll (Conduit Ltd.)
O4 - HKCU..\Run: [dddafcaeebaec] "C:\ProgramData\dddafcaeebaec.exe" File not found
O4 - HKCU..\Run: [Dyhuoxby] C:\Users\Knapp\AppData\Roaming\Heyb\qobu.exe File not found
O4 - HKCU..\Run: [Google Update] Reg Error: Value error. File not found
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: dddafcaeebaead = C:\Users\Knapp\AppData\Local\067d037d-d29a-4f51-898c-a8ee4368b7aead\dddafcaeebaead.exe
O8:64bit: - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 File not found
O8:64bit: - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html File not found
O18 - Protocol\Handler\vsharechrome {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()

:files
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Program Files (x86)\Conduit
C:\Users\Knapp\AppData\Local\Conduit

:commands
[CREATERESTOREPOINT]
[emptytemp]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

1. Please download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.


--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program.
If you are unsure how to do this, please read this or this instruction.

Instructions how to disable avast:
  • Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
  • In the window that opens on the top right corner, click Settings.
  • In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.
  • Again, right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn on this option after the cleaning.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.

ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.

If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.


--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) back to the topic.
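As an added triage helper (not part of this thread, OTL or ComboFix), the following Python script parses the O2/O3/O4/O7/O18 entries of an OTL listing like the fix above and flags the patterns a responder looks for first: autoruns pointing at missing files, dangling CLSIDs, binaries living under AppData/ProgramData, and loaded modules with no publisher. The regexes and the sample lines are constructed here from the entries in this post.

```python
import re

# One OTL entry starts with its section id, optionally tagged 64bit, then " - ".
ENTRY_RE = re.compile(r"^(?P<kind>O\d+)(?::64bit:)? - ")
# First Windows path ending in a PE/driver extension (surrounding quotes ignored).
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:dll|exe|scr|sys)\b)', re.IGNORECASE)
# Display-name patterns, tried in order: O2/O3 "(name) - {CLSID}", O4 "[value]",
# O7 "value = path", and finally the bare CLSID that O18 protocol handlers carry.
NAME_RES = (re.compile(r": \(([^)]*)\) - \{"), re.compile(r"\\Run: \[([^\]]+)\]"),
            re.compile(r"\\Run: (\S+) = "), re.compile(r"(\{[0-9A-Fa-f-]{36}\})"))
PUBLISHER_RE = re.compile(r"\(([^()]*)\)\s*$")   # OTL appends "(Publisher)" or "()"
USER_WRITABLE = ("\\appdata\\", "\\programdata\\")

def triage(line):
    """Parse one OTL entry into a dict; return None for non-entry lines."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    hits = (rx.search(line) for rx in NAME_RES)
    name = next((h.group(1) for h in hits if h), "")
    p = PATH_RE.search(line)
    f = {"kind": m.group("kind"), "name": name,
         "path": p.group(1) if p else "", "reasons": []}
    if "File not found" in line:
        f["reasons"].append("autorun/handler points at a missing file")
    if "No CLSID value found" in line:
        f["reasons"].append("CLSID registered but no component behind it")
    if any(d in f["path"].lower() for d in USER_WRITABLE):
        f["reasons"].append("binary lives under a user-writable profile directory")
    pub = PUBLISHER_RE.search(line)
    if f["kind"] in ("O2", "O3", "O18") and pub and not pub.group(1).strip():
        f["reasons"].append("loaded module carries no publisher name")
    return f

def suspicious(lines):
    """Triage every line and keep only entries that have at least one reason."""
    return [f for f in map(triage, lines) if f and f["reasons"]]

# Constructed sample: a subset of the entries from the OTL fix posted above.
SAMPLE = [
    r"O2 - BHO: (vShare Plugin) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()",
    r"O2 - BHO: (MSS+ Identifier) - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files (x86)\McAfee Security Scan\3.0.318\McAfeeMSS_IE.dll (McAfee, Inc.)",
    r"O3:64bit: - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.",
    r'O4 - HKCU..\Run: [dddafcaeebaec] "C:\ProgramData\dddafcaeebaec.exe" File not found',
    r"O4 - HKCU..\Run: [Dyhuoxby] C:\Users\Knapp\AppData\Roaming\Heyb\qobu.exe File not found",
    r"O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: dddafcaeebaead = C:\Users\Knapp\AppData\Local\067d037d-d29a-4f51-898c-a8ee4368b7aead\dddafcaeebaead.exe",
    r"O18 - Protocol\Handler\vsharechrome {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files (x86)\vShare\vshare_toolbar.dll ()",
]
```

Running `suspicious(SAMPLE)` returns six of the seven entries; the signed McAfee BHO is the only one with nothing to report, which is the same split argus drew when he left it out of the fix.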

psknapp

  • Guest
Re: Malicious URL blocked... a lot.
« Reply #6 on: August 31, 2013, 06:34:16 PM »
Thanks!  I did as you stated and attached the file.  One odd development: there are sounds coming through the speakers, like a video or streaming audio, even when there is nothing playing on the computer.

argus

  • Guest
Re: Malicious URL blocked... a lot.
« Reply #7 on: August 31, 2013, 06:38:43 PM »
Run ComboFix, you have instructions.

psknapp

  • Guest
Re: Malicious URL blocked... a lot.
« Reply #8 on: August 31, 2013, 07:39:55 PM »
Sorry.  I am trying to do this in between watching the kids.  Here is the ComboFix file.

argus

  • Guest
Re: Malicious URL blocked... a lot.
« Reply #9 on: August 31, 2013, 08:17:05 PM »
Open Notepad and copy/paste the text present inside the code box below:

Code:

File::
c:\windows\SYSNATIVE\drivers\cnhpfrcf.sys
c:\windows\SYSNATIVE\drivers\ekdsmkik.sys
c:\windows\SYSNATIVE\drivers\nrmtsuet.sys
c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe

Driver::
cnhpfrcf
ekdsmkik
nrmtsuet
McComponentHostService

DDS::
FF - ProfilePath - c:\users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\
FF - ExtSQL: !HIDDEN! 2010-01-31 11:24; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3


Save this as CFScript.txt

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).

psknapp

  • Guest
Re: Malicious URL blocked... a lot.
« Reply #10 on: September 01, 2013, 01:02:32 AM »
I did it twice.  The first time I am uncertain it finished and no log was generated.  I've attached the log from the second run.

Thank you!

argus

  • Guest
Re: Malicious URL blocked... a lot.
« Reply #11 on: September 01, 2013, 08:26:37 AM »
This is a report from the first run. Nothing has been done.

Open Notepad and copy/paste the text present inside the code box below:

Code:


KillAll::

File::
c:\users\Knapp\AppData\Local\Google\Chrome\Application\chrome.exe
c:\windows\SYSNATIVE\drivers\cnhpfrcf.sys
c:\windows\SYSNATIVE\drivers\ekdsmkik.sys
c:\windows\SYSNATIVE\drivers\nrmtsuet.sys
c:\program files (x86)\McAfee Security Scan\3.0.318\McCHSvc.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoogleChromeAutoLaunch_1188854577A12D18723E5D6124D4F6D4"=-

Driver::
cnhpfrcf
ekdsmkik
nrmtsuet
McComponentHostService

Firefox::
FF - ProfilePath - c:\users\Knapp\AppData\Roaming\Mozilla\Firefox\Profiles\bfjdp9si.default\
FF - ExtSQL: !HIDDEN! 2010-01-31 11:24; smartwebprinting@hp.com; c:\program files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3

Save this as CFScript.txt

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply (typical location: C:\ComboFix.txt).
« Last Edit: September 01, 2013, 09:01:18 AM by argus »

psknapp

  • Guest
Re: Malicious URL blocked... a lot.
« Reply #12 on: September 01, 2013, 04:26:44 PM »
Here is the log. 

Not sure if it means anything (yet) but the speakers were playing sounds with nothing else running about halfway through and after it was complete. 

argus

  • Guest
Re: Malicious URL blocked... a lot.
« Reply #13 on: September 01, 2013, 04:40:48 PM »
I did not understand the problem with the speakers. What do you hear?

Log file looks good, no malware.

psknapp

  • Guest
Re: Malicious URL blocked... a lot.
« Reply #14 on: September 01, 2013, 07:00:09 PM »
When we turn the computer on, it sounds like multiple audio streams at the same time.  It's not forever and turns off after a few minutes. 

I am still seeing the /task/23/ malicious url blocked messages, though.  10 in the past minute and the only open program is explorer.