Author Topic: "Malicious URL Blocked" message over and over again.  (Read 33380 times)


jeffc_lenovo

  • Guest
Re: "Malicious URL Blocked" message over and over again.
« Reply #15 on: April 15, 2010, 06:10:59 PM »
I don't know if this helps or not, but I'm seeing exactly the same behavior. Investigating the network shield log gives a PID for a slew of services hosted by svchost.exe (Process Explorer). Nothing looks odd. I've tried numerous scanners (malwarebytes, superantispyware, hijackthis, housecall, rootkitbuster, ad-aware, and aVast of course) and none have yet found anything. The topic on bleepingcomputer is of little help (suggesting that this is an aVast false-positive). A reverse-lookup gives a domain hosted from the British VI and I'm completely sure I've got nothing to do with them.

I'm sorry if there's not a lot of new info in this post, but I think there's something really nasty in this and it's able to hide itself really well.

In addition to whatever service it is that's doing this, I'm seeing a DNS redirection on search hits from a search-results page (google, yahoo, you name it). I believe that the problems are linked in my case.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • Posts: 1618
Re: "Malicious URL Blocked" message over and over again.
« Reply #16 on: April 15, 2010, 07:17:50 PM »
Hi Druidsmith

Like Jeffc says, there's something really nasty in this.
Let's do a preliminary anyway, but you may be needing more help.

Fix this entry - relatively straightforward
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
To fix the entry - put a checkmark in the box next to the entry and click Fix Checked in the bottom left hand corner of the screen
- after Fix Checked, you need to run Scan to bring up a new log - I prefer to fix one entry at a time


O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
Are these on demand for an online scanner? - if you can, try and disable these in your browser under Manage add-ons - it would be good to have them out of the way for the time being - but wait for a second opinion if you want


You may need to fix these others by running a HjT scan in Safe Mode - even then they may be very difficult to delete
Perhaps do everything in Safe Mode - so copy this post as a file to your hard drive first so you have a reference

O4 - HKUS\S-1-5-19\..\Run: [remekulobe] Rundll32.exe "C:\WINDOWS\system32\wirahahe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [remekulobe] Rundll32.exe "C:\WINDOWS\system32\wirahahe.dll",s (User 'NETWORK SERVICE')
Fix Checked both of these - wirahahe.dll is a suspect trojan and appears to have locked your system
- see screenshot (edited)

Edit - on second thoughts, wait for a second opinion on this - you may need more in-depth help for these.
Since we are talking pretty much the whole system, let's not be hasty.

O20 - AppInit_DLLs: C:\WINDOWS\system32\piyuzuju.dll noqmqx.dll c:\windows\system32\ruvaluno.dll
This is suspect
http://www.techspot.com/vb/topic119190.html

O21 - SSODL: Autapbi - {950F4790-CDED-424D-8C4C-6C5B6EA25D15} - C:\WINDOWS\system32\exewebro.dll
This is suspect but I have no information on it - second opinion perhaps

As for your keyboard, I can only suggest going into the BIOS - as the computer first starts, you need to start tapping (should be either F1, F2, or DEL) to take the computer into Setup and look for which F key will allow you to load setup defaults (or optimal/failsafe defaults) and press that, then go to Save and Exit - if the keyboard port is working then things should be okay.

Usually before you go into Setup, if the keyboard is not working then you will get the error message and that's about it - you won't be able to use it. Try a USB keyboard and see if that works.
« Last Edit: April 17, 2010, 09:00:18 PM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

Druidmisanth

  • Guest
Re: "Malicious URL Blocked" message over and over again.
« Reply #17 on: April 15, 2010, 10:23:35 PM »
Well, for the moment, the keyboard is working. Seems to be an on again off again phenomenon without any discernible pattern that I can see - restarts and uninstall/reinstalls seem to eventually remedy the situation, at least until the next conniption my machine throws.

mkis, being nothing if not hasty, I went ahead and jettisoned everything you listed. I am now going to reboot and see what happens. If I'm not back in an hour, I may be at the store buying something with Ubuntu preinstalled. ; ) Thanks for your help. Oh, here's the latest hijack log:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 4:24:55 PM, on 4/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 6594 bytes

« Last Edit: April 15, 2010, 10:25:24 PM by Druidmisanth »
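A small triage script, added here as an illustration and not part of the thread, that applies the heuristics mkis uses on the HijackThis entries above (reply #16) to a log in the format posted in reply #17: Run entries under service-account SIDs that launch a system32 DLL through rundll32, AppInit_DLLs and SSODL loaders, and entries that point at a missing file. The sample lines are constructed from entries quoted in this thread; the section names and the `Finding` type are this script's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a handful of HijackThis lines of the kinds discussed in the
# thread (not the complete log posted by Druidmisanth).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKUS\S-1-5-19\..\Run: [remekulobe] Rundll32.exe "C:\WINDOWS\system32\wirahahe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [remekulobe] Rundll32.exe "C:\WINDOWS\system32\wirahahe.dll",s (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\system32\piyuzuju.dll noqmqx.dll c:\windows\system32\ruvaluno.dll
O21 - SSODL: Autapbi - {950F4790-CDED-424D-8C4C-6C5B6EA25D15} - C:\WINDOWS\system32\exewebro.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
"""

# Well-known service account SIDs: SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
SERVICE_SIDS = ("S-1-5-18", "S-1-5-19", "S-1-5-20")

# "Rundll32.exe "C:\...\system32\name.dll",entry" - a DLL in system32 run via rundll32.
RUNDLL_SYSTEM32 = re.compile(r'rundll32\.exe\s+"?[^"]*system32\\\w+\.dll"?,', re.IGNORECASE)

# Every HijackThis entry starts with a section code (O4, O20, R1, ...) and " - ".
ENTRY = re.compile(r"^(O\d+|R\d) - (.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if this HijackThis entry matches one of the thread's heuristics."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # header, process list, blank line, trailer
    section, body = m.group(1), m.group(2)
    if section == "O4" and body.startswith("HKUS\\") and any(sid in body for sid in SERVICE_SIDS):
        if RUNDLL_SYSTEM32.search(body):
            return Finding(section, "rundll32 autorun under a service-account SID", line)
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        return Finding(section, "AppInit_DLLs loads these DLLs into every user-mode process", line)
    if section == "O21":
        return Finding(section, "ShellServiceObjectDelayLoad entry, loaded by Explorer at logon", line)
    if "(no file)" in body or "(file missing)" in body:
        return Finding(section, "entry points at a file that no longer exists", line)
    return None


def triage_log(text: str) -> list:
    """Run triage_line over every line of a HijackThis log and collect the findings."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

The script only flags entries for a second look; as mkis notes above, whether an entry is actually malicious needs more context than the log line alone.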

Offline mkis

Re: "Malicious URL Blocked" message over and over again.
« Reply #18 on: April 15, 2010, 11:54:41 PM »
You appear to have jettisoned a bit more than that.

What happened to Internet Explorer / Internet connection?

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://broadband.zoomtown.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
« Last Edit: April 16, 2010, 12:20:49 AM by mkis »

Druidmisanth

  • Guest
Re: "Malicious URL Blocked" message over and over again.
« Reply #19 on: April 16, 2010, 01:35:09 AM »
I think I failed at the elementary copy and paste function because I didn't delete those things. Let me scan again. Hmm, not there and, yet, I didn't... Anyway, the notification is still there - though everything else seems to be working properly. Maybe I should just be happy with the way things are?
« Last Edit: April 16, 2010, 01:37:21 AM by Druidmisanth »

Offline mkis

Re: "Malicious URL Blocked" message over and over again.
« Reply #20 on: April 16, 2010, 03:18:29 AM »
So are you on the computer now?

Okay, the cleanup was a bit blunt, that's all. We can work to restore to smooth running bit by bit.
I don't suppose you have a Windows CD that came with your computer, or with your operating system if you bought it.

And what is the notification? Do you mean the avast warning in your original post?

Druidmisanth

  • Guest
Re: "Malicious URL Blocked" message over and over again.
« Reply #21 on: April 16, 2010, 06:05:53 AM »
Yep, that same old 77.74.48.111 thing.

Offline mkis

Re: "Malicious URL Blocked" message over and over again.
« Reply #22 on: April 16, 2010, 08:31:57 AM »
Okay, here are a couple of things you will have to do at length - so keep them in mind

- if you have a Windows CD, put it to one side because I wouldn't run a Repair in the current state of your computer - can do later
- uninstall Adobe Reader - as it looks well out of date
- update your Java - to make sure you are running the latest version
- reset your Internet Explorer / Internet Options


It's possible that your computer will lock up again, so let's for a start take the peripheral stuff off - which you can load back on later
- do this for a start - just to clear the field a bit, so to speak

Fix these entries - we say they are helpers, not essential to the system running - we can reload them later
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

Fix Checked on this but it may prove hard to budge - you don't need it at startup anyway - but Fix Checked on this
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

Fix Checked
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe


Uninstall your Adobe Reader
Update your Java - Control Panel -> Java -> Update Java tab

HijackThis is not much use to us anymore, so go to this link
http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

Follow the directions - run mbam as it says, but update to the latest version before running

Offline mkis

Re: "Malicious URL Blocked" message over and over again.
« Reply #23 on: April 16, 2010, 05:01:33 PM »
Hi Druidsmith
If we're still working on this, and I think we should be,

when we get near to finishing with a clean computer (hopefully) there are some finishing-up tasks to see to
- but if your computer is still running okay, do them in your own free time and will -

Here is a preliminary for the Reset of IE and Internet Options

Are your Internet Options (other than home page and search) set to default?
- if not, is there any reason why we cannot run at default as best case scenario?

Open Internet Options in Control Panel
- go to the Advanced tab - Reset both Internet Explorer and advanced settings to default, in that order

Go to the General tab and set the home page as what you want (mine is http://google.co.nz)
Then on the same page go to Settings in Change search defaults (mine in screenshot)
- use Find more search providers in the lower left corner of the screen if you need to find more
- make sure whatever is your home page is also your default Search Provider (mine is google)
- probably best to disable all search suggestions for now (going a bit over the top now, but all good considering the situation)

Then on this same page -
- checkmark Delete browsing history and also press Delete
- go to Settings there and delete any temp internet files that may still be there in 'View files'
- finally for now, also open up 'View objects' and see if there is anything in there that is broken
- (I think we probably fixed anything broken when we were in HijackThis, but have a look anyway)

Also -
You might as well go to the Secunia website and run an OSI test
- even just to check your Flash Player is performing at optimum - it checks Java is up to date as well

http://secunia.com/vulnerability_scanning/online/
Click Start Scanner - choose display only insecure, click Start - the scanner runs and generates a report at the finish - follow the directions

jeffc_lenovo

  • Guest
Re: "Malicious URL Blocked" message over and over again.
« Reply #24 on: April 16, 2010, 08:02:53 PM »
Following my own path on this (on the belief that my DNS redirection stuff is related to this problem), I've come up with the following:

1) I've got some sort of thing hanging onto atapi.sys. It's reported by GMER and found (but not fixed) by TDSSKiller. ComboFix will not function on this box for some reason (BSODs with something about mbr.sys).

2) The thing that's apparently generating the calls out to the malicious URL appears to be generating the following as well (watch Network Shield - is there any way to get it to log everything it sees?):

mfdclk001.org/zk.............(really long url--no query string--just path)
dns://cdnmfdclk.org (I'm pretty sure it blasted by before I could get it all recorded)
dns://cesoftware.com
dns://img.mfdclk001.org

I may be completely off-track here, this is my first time with any serious infection, but I just get the feeling that the atapi.sys thing is linked to these weird network accesses.

Druidsmith: Are you seeing browser link redirection?

Offline mkis

Re: "Malicious URL Blocked" message over and over again.
« Reply #25 on: April 16, 2010, 09:45:17 PM »
If you haven't got to these links yet jeffc_lenovo

http://www.threatexpert.com/report.aspx?md5=cabf86f75e24ff6949a2ece21f4e7a7e

http://www.threatexpert.com/report.aspx?md5=50955e13c8e5e220901ecc4328ae76cc

Oh, sorry, I should have said that you have to go down the page a bit to find the URL.
« Last Edit: April 16, 2010, 10:10:42 PM by mkis »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33892
  • malware fighter
Re: "Malicious URL Blocked" message over and over again.
« Reply #26 on: April 16, 2010, 10:33:47 PM »
Hi mkis,

Good find and analysis,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

jeffc_lenovo

  • Guest
Re: "Malicious URL Blocked" message over and over again.
« Reply #27 on: April 16, 2010, 11:13:59 PM »
MKIS,

First, thank you!

Second, if I read the links correctly, this stuff just creates a bunch of new registry values, not actually modifying anything. Am I right about that? Please confirm, as it looks like I can use regedit to just blow this stuff off, right?

And third, thanks again, profusely.

Offline mkis

Re: "Malicious URL Blocked" message over and over again.
« Reply #28 on: April 17, 2010, 03:02:00 AM »
Sorry, I have been having a bit of a break.

My advice on a quick look at the ThreatExpert info just this minute:
- generally such black and white deletion of a trojan is not really a feasible method of removal
- I see here reference to a trojan downloader and virtool, which is not good

I cannot give any kind of affirmative without information about your system, because of how long the malware has been active, etc.
- but generally no - if caught straight away, possibly as you say - also these things can be variants as well as mutate

The above definition is more likely just a behavioral guideline - I wouldn't say an exact example of what your infection is.

In short, I simply don't know - sorry, just woke up, so I would throw your question open to the forum members.

I would advise to start here
http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

If you run mbam, make sure to update to the latest version before you run it.
« Last Edit: April 17, 2010, 03:06:38 AM by mkis »

jeffc_lenovo

  • Guest
Re: "Malicious URL Blocked" message over and over again.
« Reply #29 on: April 19, 2010, 03:51:39 PM »
MKIS, any, all,

The information provided did not lead me to a solution, just more information. Whatever this is, it sits on the NetworkService account and uses that to communicate with the world. The IE browser history and temporary internet files for the NetworkService profile continue to grow. And, as I noted in an earlier post, the PID reported by aVast's network scanner is a PID associated with a slew of services hosted by svchost.exe.

I determined that with Microsoft's procexp (Process Explorer). A closer look with that tool illustrates that the PID used to host whatever's doing the internet accesses is holding the index.dat files from the NetworkService profile (for the history, the cookies, and the temporary files) in memory. That is, if you view the lower pane in Process Explorer and select 'View DLLs' for the lower pane, the pane displays the index.dat files with paths, etc. Right-clicking the .dat file for the browse history and viewing the strings turns up our friend mfdclk001.org and a number of other successful connects. There's no history entry for 77.74.48.111, but I expect that's due to the fact that aVast blocks the access attempt.

So it appears that there's a memory image here that scanners should be able to get to and kill (aVast, help please!). I just can't figure out any reasonable explanation for the PID to keep this data in memory. It seems like an obvious marker for something.

Finally, on another forum someone with what sounds like the same problem was unable to fix it using the 'standard' set of tools (malwarebytes, combofix, gmer, mbr, etc.), and the suggestion was made to reformat and reinstall the operating system. That user noted that by doing that two things happened: 1) the infection is lost so a solution becomes impossible; 2) the bad guys win. He was fighting on. I'd like to do that too. That is, I'm not particularly interested in the 'reformat' solution yet.

Thanks for all help to this point. Anyone have any other ideas?