Author Topic: Malicious URL Blocked  (Read 13539 times)


Sithru22

  • Guest
Malicious URL Blocked
« on: November 02, 2010, 02:00:53 AM »
Malicious URL Blocked
avast! Network Shield has blocked a harmful site.
object:  z0g7yail0.com/Jvu0rYyL866ywQC6Y2xrPTIumMSZiaWQ9MDQ1MDkxYTIzl
Infection: URL:Mal
Action:  Blocked
Process:  C:\WINDOWS\System32\svchost.exe

Can anyone tell me what this is, and what I can do to stop it.
Thanks

SafeSurf

  • Guest
Re: Malicious URL Blocked
« Reply #1 on: November 02, 2010, 02:02:08 AM »
Hello Sithru22 and welcome to the forum.

Are you getting a red pop-up window with this alert?

Sithru22

  • Guest
Re: Malicious URL Blocked
« Reply #2 on: November 02, 2010, 02:09:32 AM »
Yes, and I do not know how to print it.

SafeSurf

  • Guest
Re: Malicious URL Blocked
« Reply #3 on: November 02, 2010, 02:15:20 AM »
Malicious URL Blocked
avast! Network Shield has blocked a harmful site.
What you are seeing is an alert by Avast telling you that it detected something harmful on a site, and it blocked the action to protect you ("action blocked").  Avast was doing its job to protect you.

You can submit the url to Virus Total if you like for analysis: Virus Total: http://www.virustotal.com/, then if you like report back the results in this thread (cut and paste the report).

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Malicious URL Blocked
« Reply #4 on: November 02, 2010, 02:18:12 AM »
There is something hidden/undetected on your system mis-using svchost.exe to connect. The only time the svchost.exe usually connects is for windows updates and this isn't the case here.

So whilst avast is blocking access to the malicious site we need to find the cause.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Don't worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them anyway. - See http://en.wikipedia.org/wiki/HTTP_cookie.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Sithru22

  • Guest
Re: Malicious URL Blocked
« Reply #5 on: November 02, 2010, 03:12:51 AM »
That will stop it?

Offline DavidR

Re: Malicious URL Blocked
« Reply #6 on: November 02, 2010, 03:21:18 AM »
I don't know, as it is currently unidentified/hidden we have to try other tools.

SafeSurf

  • Guest
Re: Malicious URL Blocked
« Reply #7 on: November 02, 2010, 10:23:01 AM »
MBAM is a simple diagnostic tool that many of us here use, and in your situation can help us identify problems.

Check your computer for malware with Malwarebytes’ Anti-Malware (MBAM).
- Download free http://www.malwarebytes.org/ for an on-demand scanner.
- Double click mbam-setup.exe to install the application.
- After install, click Update so you have the latest database before scanning.
- Under Settings:
  - General: "Automatically Save File After Scan Completes" is checked off.
  - Scanner Settings: check all boxes.
  - Updater: "Download and install update if available" is checked off.
- Once the program has loaded, select "Perform FULL Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the disinfection scan is complete, a log will appear in Notepad and you may be prompted to Restart. (See Extra Note.)
- Click the "Remove Selected" button to quarantine anything found. You will find the infection details under the Quarantine tab.
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts -- Click OK to either and let MBAM proceed with the disinfection process; If asked to restart the computer, please do so immediately.

Please let us know if you have any questions.  Thank you.

Sithru22

  • Guest
Re: Malicious URL Blocked
« Reply #8 on: November 02, 2010, 01:16:30 PM »
Here it is. I could not post all of it, so I tried attaching it.


Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/1/2010 9:21:39 PM
mbam-log-2010-11-01 (21-21-39).txt

Scan type: Quick scan
Objects scanned: 168824
Time elapsed: 11 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 269

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\sapstri.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Error Fix (Rogue.ErrorFix) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Error Fix (Rogue.ErrorFix) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sfolo (Trojan.Hiloti) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\Logs (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\PCOBackups (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280 (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\Results (Rogue.ErrorFix) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\sapstri.dll (Trojan.Hiloti) -> Delete on reboot.
C:\Documents and Settings\Sharon Ruth\My Documents\downloads\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Local Settings\Temp\BUDVWMQkCH.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Local Settings\Temp\0.3744030822625166.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Local Settings\Temp\FSWwLvAcjG.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Local Settings\Temp\WINDOWS_SECURITY_CENTER.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Local Settings\Temporary Internet Files\Content.IE5\AGY99AY2\setup[1].exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Local Settings\Temporary Internet Files\Content.IE5\GZNQY52U\setup[1].exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Local Settings\Temporary Internet Files\Content.IE5\I8EEBG7F\setup[1].exe (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\spy_ignore.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\Logs\2010-10-07 16-41-530.log (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\filelist.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-0.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-1.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-10.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-100.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-101.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-102.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-103.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-104.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-105.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-106.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-107.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-108.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-109.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-11.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-110.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-111.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-112.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-113.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-114.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-115.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharon Ruth\Application Data\Error Fix\QuarantineW\2010-10-07 16-43-280\regb-116.db (Rogue.ErrorFix) -> Quarantined and deleted successfully.

Offline DavidR

Re: Malicious URL Blocked
« Reply #9 on: November 02, 2010, 03:03:37 PM »
I take it that you have now rebooted to allow MBAM to remove this file C:\WINDOWS\sapstri.dll ?
This is the cause of the attempted downloads as the Trojan.Hiloti is a trojan downloader which is trying to access malicious sites to download more malware.

If you haven't yet done that you could add it to the avast chest and send to avast for analysis (see below) to have it added to the avast signatures.

- Send the sample to avast as a Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.

Sithru22

  • Guest
Re: Malicious URL Blocked
« Reply #10 on: November 02, 2010, 09:48:05 PM »
Thank you so much for helping me. I found a post that said I could use a tool from Microsoft to get rid of the Trojan.
It is gone now, because I can use Windows Update, where I could not get into it earlier.

Offline DavidR

Re: Malicious URL Blocked
« Reply #11 on: November 02, 2010, 10:40:33 PM »
You're welcome.

Always nice if you can send a sample to avast when found to improve detections. Though I know when you are up to your as* in alligators the last thing on your mind is draining the swamp.

SafeSurf

  • Guest
Re: Malicious URL Blocked
« Reply #12 on: November 03, 2010, 07:49:00 AM »
Sithru22,

I'm glad things are working well now.  To help prevent infections in the future:

- Keep your Avast definitions up to date.
- Quick scans with MBAM on demand as a backup, but remember to update prior to scanning.
- Keep your MS Updates current.
- Use safe browsing practices (see my, David's, and others' signatures as examples to add to your browsers).
- Make sure your software is current. Check out the free Secunia Software Inspector http://secunia.com/vulnerability_scanning/personal/. Many of us here scan our system weekly since software is changing so rapidly, and this site offers the vendor's direct download for patches to make it easy to fix.
- You will find other helpful suggestions in our Avast Support forum section as well.

If you feel that your issue is now resolved/fixed, please go back to the first open post in this topic, click the modify button in that Post and change the title/subject, add [Resolved] to the beginning of the title so this thread can be closed. 

Feel free to come back any time you need help, to learn something new, or just to ask questions.  We are here 24/7 for your convenience.  Thank you.  :)

aquamutt

  • Guest
Re: Malicious URL Blocked
« Reply #13 on: November 17, 2010, 07:08:15 PM »
Hi, I'm having the same problem as Sithru22, but Malwarebytes won't open.

SafeSurf

  • Guest
Re: Malicious URL Blocked
« Reply #14 on: November 18, 2010, 09:45:12 AM »
@ aquamutt,

Why won't MBAM open?  Did you go to this site: http://www.malwarebytes.org/ (the blue button) to download it?

What error message are you getting?

Please give me more information about what your problem is.  Thank you.