Author Topic: malicious url blocked  (Read 16642 times)


Offline davidz

  • Jr. Member
  • **
  • Posts: 37
malicious url blocked
« on: November 17, 2010, 03:50:47 PM »
Hi !

I recently have been receiving new browsers opening while I'm on trusted sites (such as the bbc.co.uk), so I installed Avast!.  I've run a quick and deep scan and cleaned the notebook.

However, I am still experiencing an alert "malicious url blocked", here is the file.

It appears that the file is located at:

C:\windows\system32\svchost.exe.

Does anyone know why this keeps happening and what I need to do to stop this from continuing?


Best,

David


Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3060
Re: malicious url blocked
« Reply #1 on: November 17, 2010, 03:56:04 PM »
Hi Davidz,

You surely need to clean up your system. So I have asked essexboy to jump in.

Make sure you obey him ;)

nmb

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: malicious url blocked
« Reply #2 on: November 17, 2010, 09:10:50 PM »
Hi there, let's see what you have

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
svchost.exe
userinit.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Offline davidz

  • Jr. Member
  • **
  • Posts: 37
Re: malicious url blocked
« Reply #3 on: November 18, 2010, 06:46:20 AM »
Thanks a lot for the assistance you've afforded.

I've got those two txt files, now what action should I take?

Brgds,

David

Offline SafeSurf

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5203
Re: malicious url blocked
« Reply #4 on: November 18, 2010, 10:26:03 AM »
I've got those two txt files, now what action should I take?
Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).

Essexboy will review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine now that you have provided the logs.  Thank you.
Mac 10.9.4 /Safari and Firefox (NoScript/AdBlockPlus/BetterPrivacy/Ghostey)/
Vista Home Prem (same add-on's)/Avast Free/Online Armor Premium Firewall/MBAM Premium)/ Mobile MBAM.

Offline davidz

  • Jr. Member
  • **
  • Posts: 37
Re: malicious url blocked
« Reply #5 on: November 18, 2010, 12:14:12 PM »
Thanks very much.  I am "new" to this so humble apologies for asking such questions.

Best Regards,

David


Offline SafeSurf

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5203
Re: malicious url blocked
« Reply #6 on: November 18, 2010, 12:19:29 PM »
Did you used to use Symantec/Norton on your machine?  Are you/have you used Advanced System Care (ASC)?

Offline SafeSurf

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5203
Re: malicious url blocked
« Reply #7 on: November 18, 2010, 12:27:59 PM »
David,

*** Please back up your data but no .EXE, .SCR or HTM(L) files. ***

Do you have another machine you can use to read the forum so that you are not using the infected one?  If not, please limit the time you are using this one.


Offline davidz

  • Jr. Member
  • **
  • Posts: 37
Re: malicious url blocked
« Reply #8 on: November 18, 2010, 01:42:02 PM »
Did you used to use Symantec/Norton on your machine? 

I think I am, should I disable Symantec/Norton?


Are you/have you used Advanced System Care (ASC)?
Not sure what this is.


I do have other notebooks, I'm also experiencing the issue with them.. :(

Thanks a lot..

David


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: malicious url blocked
« Reply #9 on: November 18, 2010, 10:00:05 PM »
Hi, two antivirus programmes do not make you twice as secure, they make you less secure - please uninstall one

Also are you saying that all computers are getting redirected ? Are you on a wireless router ?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    [2007/12/25 09:57:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\DT\Application Data\Mozilla\Firefox\Profiles\3ys21ry6.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
    O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
    O33 - MountPoints2\{4406ba60-8955-11dd-9268-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
    O33 - MountPoints2\{4406ba60-8955-11dd-9268-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
    O33 - MountPoints2\{55070428-7517-11df-9944-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
    O33 - MountPoints2\{55070428-7517-11df-9944-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
    O33 - MountPoints2\{602df7dd-8fc5-11dd-924c-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
    O33 - MountPoints2\{602df7dd-8fc5-11dd-924c-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
    O33 - MountPoints2\{63784838-07ed-11df-97ac-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
    O33 - MountPoints2\{63784838-07ed-11df-97ac-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
    O33 - MountPoints2\{6d39ab1c-5d78-11dd-91f6-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
    O33 - MountPoints2\{6d39ab1c-5d78-11dd-91f6-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
    O33 - MountPoints2\{73a32bb5-e4a2-11df-9a90-00038a000015}\Shell\AutoRun\command - "" = E:\APPInst.exe -- File not found
    O33 - MountPoints2\{96661a18-49d6-11dc-8e6e-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
    O33 - MountPoints2\{96661a18-49d6-11dc-8e6e-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
    O33 - MountPoints2\{b2da9e34-9b6b-11dc-8f11-00038a000015}\Shell - "" = AutoRun
    O33 - MountPoints2\{b2da9e34-9b6b-11dc-8f11-00038a000015}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{c2e3612a-a81f-11dc-8f52-00038a000015}\Shell - "" = AutoRun
    O33 - MountPoints2\{c2e3612a-a81f-11dc-8f52-00038a000015}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{c4beafa2-1e49-11df-9811-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
    O33 - MountPoints2\{c4beafa2-1e49-11df-9811-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
    O33 - MountPoints2\{f6a6dfcc-d888-11df-9a63-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
    O33 - MountPoints2\{f6a6dfcc-d888-11df-9a63-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
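
The O33 entries in the fix script above are per-volume AutoRun handlers cached under the MountPoints2 registry key. As an added example (not part of the original post and not OTL's own code), this Python script parses such lines and groups the flagged command targets by volume; the heuristics in `classify` and all function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Four O33 lines copied from the fix script quoted in the post above.
SAMPLE = r'''
O33 - MountPoints2\{4406ba60-8955-11dd-9268-00038a000015}\Shell\AutoRun\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{4406ba60-8955-11dd-9268-00038a000015}\Shell\open\command - "" = E:\RECYCLER\k-1-3542-4232123213-7676767-8888886\hn.exe -- File not found
O33 - MountPoints2\{73a32bb5-e4a2-11df-9a90-00038a000015}\Shell\AutoRun\command - "" = E:\APPInst.exe -- File not found
O33 - MountPoints2\{b2da9e34-9b6b-11dc-8f11-00038a000015}\Shell\AutoRun - "" = Auto&Play
'''

O33 = re.compile(
    r'^O33 - MountPoints2\\(?P<vol>\{[0-9a-fA-F-]+\})\\Shell(?P<key>(?:\\[^\\ ]+)*)'
    r' - "(?P<name>[^"]*)" = (?P<value>.*?)(?: -- (?P<status>.+))?$'
)

def classify(entry):
    """Return the reasons an entry deserves review (heuristics assumed for this example)."""
    if not entry["key"].lower().endswith("\\command"):
        return []  # verb labels such as "Auto&Play" are not commands
    target = entry["value"].strip().strip('"')
    reasons = []
    if re.search(r'\\recycle[rd]\\', target, re.I):
        reasons.append("command runs from a recycle-bin folder")
    if re.match(r'^[a-z]:\\[^\\]+\.exe$', target, re.I):
        reasons.append("executable in the drive root")
    if entry["status"] == "File not found":
        reasons.append("stale: target missing at scan time")
    return reasons

def triage(log_text):
    """Map each flagged command target to the volumes that reference it and why."""
    findings = defaultdict(lambda: {"volumes": set(), "reasons": set()})
    for line in log_text.splitlines():
        m = O33.match(line.strip())
        reasons = classify(m.groupdict()) if m else []
        if reasons:
            target = m.group("value").strip().strip('"')
            findings[target]["volumes"].add(m.group("vol"))
            findings[target]["reasons"].update(reasons)
    return dict(findings)

if __name__ == "__main__":
    for target, info in triage(SAMPLE).items():
        print(target, sorted(info["volumes"]), sorted(info["reasons"]))
```

Grouping by target shows at a glance that many volume GUIDs point at the same path, which is the pattern visible in the quoted script.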

Offline SafeSurf

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5203
Re: malicious url blocked
« Reply #10 on: November 19, 2010, 10:41:08 AM »
@ davidz,

Here is the uninstaller tool for Symantec/Norton when Essexboy is ready for you to use it:

Download and run the Norton removal tool from here to clear them  http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN.  Or you can go here for additional information: http://uninstallers.blogspot.com/.

@ Essexboy,

I thought I saw in the OTL log ASC (Advanced System Care), another security software, and this has given a LOT of users on the forum grief and seems to conflict with Avast, and they have needed to uninstall ASC (NOTE: leaves lots of remnants behind).  Can you check to see if you see this?  Thanks.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: malicious url blocked
« Reply #11 on: November 19, 2010, 10:33:52 PM »
For sure  ;D

Offline davidz

  • Jr. Member
  • **
  • Posts: 37
Re: malicious url blocked
« Reply #12 on: November 20, 2010, 04:13:49 PM »
Hi,

Sorry for my late reply.

 two antivirus programmes do not make you twice as secure, they make you less secure - please uninstall one
(DZ) Norton has been removed

Also are you saying that all computers are getting redirected ? Are you on a wireless router ? appear
(DZ) all of my notebooks have this warning message appearing "malicious url blocked".  However, sometimes the web page appears in a new window (which I close)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: malicious url blocked
« Reply #13 on: November 20, 2010, 04:18:30 PM »
In that case either the router is infected or all systems are -  Continue with Combofix and reset the router


Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).


Offline davidz

  • Jr. Member
  • **
  • Posts: 37
Re: malicious url blocked
« Reply #14 on: November 20, 2010, 04:20:32 PM »
Are you on a wireless router ?
(DZ) yes I am.  alas happens to the other nb which is connected to the router

Also, attached are the results of the 2nd quick scan.


Thanks so much,

DZ