Author Topic: Malicious URL Blocking/Detection Alerts  (Read 17001 times)


Tisoran

  • Guest
Malicious URL Blocking/Detection Alerts
« on: October 26, 2013, 06:45:42 AM »
So I've run a number of different scans since the initial Alert/block.

First it was Malwarebytes Pro that started blocking an IP: 66.45.56.109
I was starting to get a bit concerned when the same block occurred the next day. Started cleaning up and removed a significant amount of malware with Malwarebytes and adwcleaner/aswMBR and thought it was over with.

Later I installed Avast Home edition 2014, thinking it wouldn't hurt to run both programs since the 'block' had shown up more often.
However, now Avast is blocking a URL: http://clickered.com/cen?ag

I've looked for any sort of toolbar or program in RevoUninstaller that looked suspicious and I came across a GigaClicks Crawler installation. I've no idea what it's from or what it does. When prompted to uninstall, Avast kicked it and moved some process to a chest.

I stumbled upon this thread. Thinking I had a similar problem I followed the instructions for OTL off of this other thread.


And the OTL log is attached.

Any help to get rid of this would be very appreciated.

Much thanks.
« Last Edit: October 26, 2013, 10:08:14 PM by Tisoran »

argus

  • Guest
Re: Malicious URL Blocking/Detection
« Reply #1 on: October 26, 2013, 08:12:05 AM »
Hello

Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:

:OTL
IE - HKU\S-1-5-21-3516740335-3617436455-440623508-1000\..\SearchScopes\{BB1F5DE8-681C-4096-B90E-4F20ECFB7A97}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3310511&CUI=UN14654307485881244&UM=2
O4 -
O4 - HKLM..\Run: []  File not found
O4 - HKU\.DEFAULT..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found
O4 - HKU\S-1-5-18..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found

:commands
[CREATERESTOREPOINT]
[emptytemp]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.
If the log doesn't appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log


Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive...
  • Close any open browsers
  • Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this Instruction.

  • Double click on zoek.exe to run the tool.
    Please wait while the tool starts...

  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
Code:
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;
uninstall-list;
  • Click on button.
    Please wait until a log report opens (this can be after a reboot)

  • Save the Notepad file to your Desktop and attach zoek-results.log here
    Note: It will also create a log in the C:\ directory named "zoek-results.log"
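
The OTL fix script in the reply above targets Run-key autoruns that OTL reported as "File not found". As an added example (not part of the original post, and not code from OTL or its author), this sketch parses such lines and groups the orphaned autoruns by value name; the line layout is assumed from the lines in the post, and the `ExampleApp` entry is constructed for contrast.

```python
import re
from collections import defaultdict

# Lines copied from the OTL fix script in the post above, plus one
# constructed entry (last line) whose target exists, for contrast.
SAMPLE = r"""
O4 -
O4 - HKLM..\Run: []  File not found
O4 - HKU\.DEFAULT..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found
O4 - HKU\S-1-5-18..\Run: [SearchProtect] \SearchProtect\bin\cltmng.exe File not found
O4 - HKLM..\Run: [ExampleApp] C:\Program Files\Example\app.exe (Example Vendor)
"""

# Layout assumed from the lines above: O4 - <hive>..\Run: [<name>] <target>
RUN_LINE = re.compile(r"^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$")
MISSING = "File not found"


def parse_run_entries(text):
    """Return one dict per well-formed Run-key line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if not m:
            continue  # e.g. the bare "O4 -" line carries no key or value
        rest = m.group("rest").strip()
        missing = rest.endswith(MISSING)
        target = rest[: -len(MISSING)].strip() if missing else rest
        entries.append({"hive": m.group("hive"), "name": m.group("name"),
                        "target": target, "missing": missing})
    return entries


def orphans_by_name(entries):
    """Group autoruns whose target file is gone: value name -> list of hives."""
    grouped = defaultdict(list)
    for e in entries:
        if e["missing"]:
            grouped[e["name"]].append(e["hive"])
    return dict(grouped)


if __name__ == "__main__":
    for name, hives in orphans_by_name(parse_run_entries(SAMPLE)).items():
        print(f"{name or '<empty name>'}: orphaned in {', '.join(hives)}")
```

The same value name left behind in several hives, as with `SearchProtect` here, is typical of a partially removed program whose autorun entries outlived its files.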

Tisoran

  • Guest
Re: Malicious URL Blocking/Detection
« Reply #2 on: October 26, 2013, 09:49:28 PM »
I've run OTL and Zoek as instructed and the logs are attached, however the problem is still coming up.

Avast pops up with this:

" Object: http://clickered.com/cen?ag=a61d164abf0a767c25d33ee1a63e7473-11-3&g=BMW
 
  Infection: URL:Mal
 
  Process: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe  "

or this url: http://clickered.com/cen?ag=c8841473129879da1cafddf323c7ad82-11-2&g=PIG

Thank you for the quick reply.

« Last Edit: October 26, 2013, 09:57:55 PM by Tisoran »

argus

  • Guest
Re: Malicious URL Blocking/Detection Alerts
« Reply #3 on: October 27, 2013, 05:06:26 AM »
Download TDSSKiller and save it to your desktop

  Execute TDSSKiller.exe by double-clicking on it.
Confirm "End user Licence Agreement" and "KSN Statement" dialog box by clicking on Accept button.
  •   Press Start Scan
  •   If Suspicious object is detected, the default action will be Skip, click on Continue.
  •   If Malicious objects are found, select Cure.
Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.

----------- > Next

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Tisoran

  • Guest
Re: Malicious URL Blocking/Detection Alerts
« Reply #4 on: October 27, 2013, 06:12:20 AM »
Alerts have still been coming in. Malwarebytes Pro has been blocking the original IP, however it's now under an avastsvc process.

Also I've run TDSSKiller, no suspicious or malicious objects detected.

I've also run Farbar Recovery Scan Tool and the logs are attached.

argus

  • Guest
Re: Malicious URL Blocking/Detection Alerts
« Reply #5 on: October 27, 2013, 07:55:58 AM »
  • Close any open browsers
  • Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this Instruction.

  • Double click on zoek.exe to run the tool.
    Please wait while the tool starts...

  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
Code:
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job;f
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job;f
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB1F5DE8-681C-4096-B90E-4F20ECFB7A97}];r
FFdefaults;
chrdefaults;
iedefaults;
emptyalltemp;
autoclean;
emptyclsid;
ipconfig /flushdns >> %temp%\log.txt;b
  • Click on button.
    Please wait until a log report opens (this can be after a reboot)

  • Save the Notepad file to your Desktop and attach zoek-results.log here
    Note: It will also create a log in the C:\ directory named "zoek-results.log"

Tisoran

  • Guest
Re: Malicious URL Blocking/Detection Alerts
« Reply #6 on: October 27, 2013, 10:49:08 AM »
I've run Zoek as instructed, I had to run it twice as I forgot to disable antivirus.

Alerts are still popping up.

I don't know if it matters but I've been watching the Shields Activity from the Avast Statistics Monitoring, and I've noticed the shields spike up when something accesses something along the lines of "AppData\Temp\scoped dir_4383_25439\CRZ_INSTAL\Locales\vi\messages.json"

Logs are attached and thank you for your quick reply.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Malicious URL Blocking/Detection Alerts
« Reply #7 on: October 27, 2013, 03:30:07 PM »
Hi Tisoran,

Argus is busy these days. I will assist you.

Re-run zoek as you did before but using this script:

Code:
autoclean;
C:\Windows\SysNative\tasks\Escolade;f
C:\Users\Admin1\AppData\Roaming\iPumper;fs

Post me the freshly created zoek log.



NEXT...

Re-run FRST, check the box for Addition.txt and press the [Scan] button. Post me the freshly created FRST.txt and Addition.txt reports.

Tisoran

  • Guest
Re: Malicious URL Blocking/Detection Alerts
« Reply #8 on: October 27, 2013, 10:58:38 PM »
Alright, thank you magna.

I've re-run Zoek as well as FRST, the logs are attached.


Offline magna86

Re: Malicious URL Blocking/Detection Alerts
« Reply #9 on: October 28, 2013, 01:09:41 PM »
Posted logs look good. Just one small fix...


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Task: {2CB7B523-420B-48AF-9A35-5EA176DDF1AD} - \Escolade No Task File

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

================================


How's your computer running now?

Tisoran

  • Guest
Re: Malicious URL Blocking/Detection Alerts
« Reply #10 on: October 28, 2013, 06:39:50 PM »
I've run FRST with the fixlist.txt and the log is attached.

The system is running about as smooth as it did when I first formatted the drive however the Alerts from Avast are still coming in.

Offline magna86

Re: Malicious URL Blocking/Detection Alerts
« Reply #11 on: October 28, 2013, 06:48:51 PM »
The system is running about as smooth as it did when I first formatted the drive however the Alerts from Avast are still coming in.

Can you please post me a screenshot of that Avast pop-up alert?

Also, re-run FRST and post me a fresh FRST.txt log.

Offline magna86

Re: Malicious URL Blocking/Detection Alerts
« Reply #12 on: October 28, 2013, 06:51:24 PM »
Also, re-run zoek tool with this script:

Code:
StandardSearch;

When zoek has finished, post me the freshly created zoek logs.

Tisoran

  • Guest
Re: Malicious URL Blocking/Detection Alerts
« Reply #13 on: October 29, 2013, 04:37:52 AM »
I've posted a screenshot of the alerts. There was an instance where Malwarebytes and Avast blocked one at the same time. Both have been included in the picture as well as what Avast was scanning while the alert hit.

Re-ran FRST and Zoek, fresh logs have been attached.

Tisoran

  • Guest
Re: Malicious URL Blocking/Detection Alerts
« Reply #14 on: October 30, 2013, 07:19:13 AM »
I don't know if it applies but I've been experiencing nearly the exact same symptoms in this thread. With 2 different avast alerts back to back. The alerts range anywhere from 5-30 mins apart. I didn't notice the muting on Chrome until recently, as well as I've caught the 'spare' chrome with a radio station on mute.