Author Topic: Malicious URL Blocked...Help Please!!  (Read 6570 times)


Nails

  • Guest
Malicious URL Blocked...Help Please!!
« on: November 28, 2010, 02:53:48 PM »

Hi there, I'm struggling with a malicious URL. Avast! pops up every 5-10 minutes telling me 'malicious url blocked'.

What is strange is that it isn't doing it when I visit a new webpage, but just all the time, no matter what webpage.

It says it is found in C:\windows\explorer.exe, and it also has another file, "vatnaya0.com/003.so". I have searched for this but it returns no results. Avast! and Malwarebytes don't seem to find anything.

Any help would be greatly appreciated guys!

Thanks, Nails.

Nails

  • Guest
Re: Malicious URL Blocked...Help Please!!
« Reply #1 on: November 28, 2010, 03:39:16 PM »

EDIT:
Object: vatnaya0.com/003.so

Process: C:\windows\explorer.exe

DavidR
Re: Malicious URL Blocked...Help Please!!
« Reply #2 on: November 28, 2010, 04:01:00 PM »
You have a problem: either explorer.exe is infected or you have malware that is either hidden (likely) or undetected, which is using explorer.exe to connect. If my fears are correct this could be difficult to remove.

I have always blocked Windows explorer.exe from making outbound connections in my firewall, as there should be no need for it to do so. The reason it can connect is that you can type a URL into the Address: field in Windows Explorer and it will open the web page; I feel that is a vulnerability, and if you do that, you should use your browser for that purpose.

I will try and get someone with more experience and the tools for the job to look at this topic.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
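The firewall rule DavidR describes, together with a way to see what explorer.exe is actually talking to, as an added example in PowerShell (not from the post, and not Avast's or anyone else's tooling). It assumes a Windows 8 / Server 2012 or later host with the NetTCPIP and NetSecurity modules and an elevated prompt; the rule name is an arbitrary choice.

```powershell
# Added example, not from the forum thread. Assumes Windows 8+ (NetTCPIP and
# NetSecurity modules) and an elevated prompt. The rule name is arbitrary.

function Get-ExplorerConnections {
    # Established TCP connections owned by any process named "explorer".
    # The Windows shell has no business holding its own connections to remote
    # hosts; a beacon every few minutes from this PID points at code injected
    # into the shell or at a replaced shell binary.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            if ($p -and $p.Name -eq 'explorer') {
                [pscustomobject]@{
                    PID    = $_.OwningProcess
                    Image  = $p.Path      # should be %SystemRoot%\explorer.exe
                    Remote = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
                    Local  = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
                }
            }
        }
}

function Block-ExplorerOutbound {
    param([string]$RuleName = 'Block explorer.exe outbound')
    $explorer = Join-Path $env:SystemRoot 'explorer.exe'
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
            -Program $explorer -Action Block -Profile Any | Out-Null
    }
    # Echo the program the rule is bound to, so a typo in the path is caught.
    Get-NetFirewallRule -DisplayName $RuleName |
        Get-NetFirewallApplicationFilter |
        Select-Object -ExpandProperty Program
}

# On Windows Vista/7, where the NetSecurity module is absent, the equivalent is:
#   netsh advfirewall firewall add rule name="Block explorer.exe outbound" dir=out action=block program="%SystemRoot%\explorer.exe"

Get-ExplorerConnections | Format-Table -AutoSize
Block-ExplorerOutbound
```

The Image column is worth a look: the legitimate shell runs from %SystemRoot%\explorer.exe, and a process called explorer running from anywhere else is not the shell. The rule is containment, not a cure: it silences the beacon coming from that process but leaves the infection in place, and it does nothing against a loader that injects into some other process instead. The built-in Windows XP firewall, which is what a 2010 machine would have had, filters inbound traffic only, so on XP this needs a third-party firewall, which is the setup DavidR is describing.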

essexboy

  • Malware removal instructor
Re: Malicious URL Blocked...Help Please!!
« Reply #3 on: November 28, 2010, 04:05:11 PM »
Hi there - first I need to see what you have

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
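What the /md5start ... /md5stop lines in essexboy's custom scan ask OTL to do, as an added PowerShell example (not OTL's code and not from the post): hash the live explorer.exe and winlogon.exe, check their Authenticode status, and compare the hashes with whatever spare copies Windows keeps on disk for servicing. It assumes PowerShell 4 or later (Get-FileHash); the dllcache and WinSxS locations are assumptions about where spare copies live and depend on the Windows version.

```powershell
# Added example, not from the forum thread. Assumes PowerShell 4+ for
# Get-FileHash. Backup locations are assumptions: System32\dllcache on XP,
# WinSxS on Vista and later.

function Test-SystemBinary {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$SearchDirs = @($env:SystemRoot, "$env:SystemRoot\System32"),
        [string[]]$BackupDirs = @("$env:SystemRoot\System32\dllcache", "$env:SystemRoot\WinSxS")
    )
    $live = Get-ChildItem -Path $SearchDirs -Filter $Name -File -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $live) { throw "$Name not found in $($SearchDirs -join ', ')" }

    $md5 = (Get-FileHash -LiteralPath $live.FullName -Algorithm MD5).Hash
    $sig = Get-AuthenticodeSignature -FilePath $live.FullName

    # Hashes of every spare copy Windows keeps for servicing. A live binary
    # that matches none of them, while the spares agree with each other, is
    # the pattern a patched or infected system file produces.
    $backupHashes = Get-ChildItem -Path $BackupDirs -Filter $Name -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash } |
        Sort-Object -Unique

    [pscustomobject]@{
        File          = $live.FullName
        Size          = $live.Length
        Modified      = $live.LastWriteTime
        MD5           = $md5
        SigStatus     = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer        = $sig.SignerCertificate.Subject
        BackupCopies  = @($backupHashes).Count
        MatchesBackup = if ($backupHashes) { $backupHashes -contains $md5 } else { $null }
    }
}

'explorer.exe', 'winlogon.exe' | ForEach-Object { Test-SystemBinary -Name $_ } | Format-List
```

On older Windows, core binaries are signed through security catalogs rather than an embedded signature, so SigStatus can read NotSigned on a perfectly clean file; there, the hash comparison and sfc /scannow (or sfc /verifyonly on Vista and later) are the stronger evidence. A hash that matches the servicing copies does not rule out the other possibility DavidR raised, code injected into a clean explorer.exe at runtime, which is exactly why the blocked-URL alert names the shell process rather than a malware file.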

DavidR
Re: Malicious URL Blocked...Help Please!!
« Reply #4 on: November 28, 2010, 04:23:11 PM »
Thanks for joining essexboy.

essexboy

  • Malware removal instructor
Re: Malicious URL Blocked...Help Please!!
« Reply #5 on: November 28, 2010, 05:59:57 PM »
That's what I be here for  ;D

Nails

  • Guest
Re: Malicious URL Blocked...Help Please!!
« Reply #6 on: November 28, 2010, 06:00:18 PM »
Hi guys. OK essexboy, I've done that; would you like me to attach extras.txt and otl.txt for you to have a look at?

essexboy

  • Malware removal instructor
Re: Malicious URL Blocked...Help Please!!
« Reply #7 on: November 28, 2010, 06:01:25 PM »
Yes please

Nails

  • Guest
Re: Malicious URL Blocked...Help Please!!
« Reply #8 on: November 28, 2010, 06:02:37 PM »
K

essexboy

  • Malware removal instructor
Re: Malicious URL Blocked...Help Please!!
« Reply #9 on: November 28, 2010, 06:12:17 PM »
OK, let's start

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O4 - HKU\S-1-5-21-1957994488-854245398-725345543-1004..\Run: [{B507B403-8344-82F2-13DB-994BEDAEE808}] C:\Documents and Settings\User\Application Data\Gielg\qaugm.exe File not found
    O20 - Winlogon\Notify\geede: DllName - C:\WINDOWS\system32\geede.dll - C:\WINDOWS\System32\geede.dll File not found
    [2007/07/30 15:06:17 | 001,059,269 | -HS- | C] () -- C:\WINDOWS\System32\edeeg.ini2
    [2007/07/29 18:01:08 | 000,001,726 | -HS- | C] () -- C:\WINDOWS\System32\fhgdbcvv.ini
    [2007/07/29 17:22:10 | 000,001,366 | -HS- | C] () -- C:\WINDOWS\System32\maudgium.ini
    [2007/07/28 16:56:39 | 000,001,306 | -HS- | C] () -- C:\WINDOWS\System32\jjivypvn.ini
    [2007/07/28 08:47:39 | 000,001,186 | -HS- | C] () -- C:\WINDOWS\System32\lyshjlmu.ini
    [2007/07/26 15:55:42 | 000,064,438 | -HS- | C] () -- C:\WINDOWS\System32\ugncilal.ini
    [2007/07/26 14:52:42 | 003,298,284 | -HS- | C] () -- C:\WINDOWS\System32\eituwepd.ini
    [2007/07/23 21:18:00 | 003,172,228 | -HS- | C] () -- C:\WINDOWS\System32\hcywybpx.ini
    [2007/07/22 19:05:55 | 003,115,262 | -HS- | C] () -- C:\WINDOWS\System32\gigsdpfj.ini
    [2007/07/21 20:44:08 | 003,119,136 | -HS- | C] () -- C:\WINDOWS\System32\wpldsiya.ini
    [2007/07/20 12:07:41 | 003,119,016 | -HS- | C] () -- C:\WINDOWS\System32\svwyuold.ini
    [2007/07/19 11:27:29 | 002,929,439 | -HS- | C] () -- C:\WINDOWS\System32\xawofiak.ini
    [2007/07/17 16:02:30 | 002,930,513 | -HS- | C] () -- C:\WINDOWS\System32\mxnadopb.ini
    [2007/07/17 15:02:43 | 002,935,609 | -HS- | C] () -- C:\WINDOWS\System32\xlnvintw.ini
    [2007/07/16 06:47:24 | 002,805,563 | -HS- | C] () -- C:\WINDOWS\System32\vfsktvdv.ini
    [2007/07/14 20:42:36 | 002,805,444 | -HS- | C] () -- C:\WINDOWS\System32\cnallewr.ini
    [2007/07/14 19:30:37 | 002,550,299 | -HS- | C] () -- C:\WINDOWS\System32\dsfritxk.ini
    [2007/07/13 12:01:51 | 002,551,298 | -HS- | C] () -- C:\WINDOWS\System32\lcqnpqxi.ini
    [2007/07/12 09:06:29 | 002,556,097 | -HS- | C] () -- C:\WINDOWS\System32\wfplxalq.ini
    [2007/07/11 20:13:31 | 002,312,934 | -HS- | C] () -- C:\WINDOWS\System32\ttjvmidv.ini
    [2007/07/09 18:22:52 | 002,316,200 | -HS- | C] () -- C:\WINDOWS\System32\tiugsknv.ini
    [2007/07/09 17:22:52 | 002,321,019 | -HS- | C] () -- C:\WINDOWS\System32\nixworas.ini
    [2007/07/08 08:43:47 | 002,372,462 | -HS- | C] () -- C:\WINDOWS\System32\pltiysih.ini
    [2007/07/07 06:09:23 | 002,438,835 | -HS- | C] () -- C:\WINDOWS\System32\itihkdct.ini
    [2007/07/05 19:26:10 | 002,263,874 | -HS- | C] () -- C:\WINDOWS\System32\vhijbsnq.ini
    [2007/07/03 18:00:30 | 002,266,563 | -HS- | C] () -- C:\WINDOWS\System32\jmaghuuc.ini
    [2007/07/02 18:01:13 | 002,268,594 | -HS- | C] () -- C:\WINDOWS\System32\digabdkq.ini
    [2007/07/01 17:00:22 | 002,269,029 | -HS- | C] () -- C:\WINDOWS\System32\sfquuhhb.ini
    [2007/06/30 12:48:24 | 002,272,315 | -HS- | C] () -- C:\WINDOWS\System32\luxvsarf.ini
    [2007/06/28 22:04:03 | 002,093,379 | -HS- | C] () -- C:\WINDOWS\System32\ddnhxppk.ini
    [2007/06/27 19:00:25 | 002,094,445 | -HS- | C] () -- C:\WINDOWS\System32\ohfttjig.ini
    [2007/06/26 13:36:25 | 001,975,410 | -HS- | C] () -- C:\WINDOWS\System32\damqdxtm.ini
    [2007/06/25 13:36:25 | 001,903,077 | -HS- | C] () -- C:\WINDOWS\System32\pejdaxkf.ini
    [2007/06/23 14:17:53 | 001,905,814 | -HS- | C] () -- C:\WINDOWS\System32\qgbsepwq.ini
    [2007/06/23 13:11:52 | 001,908,026 | -HS- | C] () -- C:\WINDOWS\System32\hrchdvkw.ini
    [2007/06/22 12:45:38 | 001,846,711 | -HS- | C] () -- C:\WINDOWS\System32\cdatccrk.ini
    [2007/06/21 12:44:29 | 001,812,456 | -HS- | C] () -- C:\WINDOWS\System32\opwjgcfn.ini
    [2007/06/20 12:41:29 | 000,905,160 | -HS- | C] () -- C:\WINDOWS\System32\cktuyogd.ini
    [2007/06/18 18:49:06 | 000,000,405 | -HS- | C] () -- C:\WINDOWS\System32\iqjmpghs.ini
    [2007/06/16 12:08:53 | 000,000,765 | -HS- | C] () -- C:\WINDOWS\System32\qotptcua.ini
    [2007/06/14 14:41:01 | 000,000,645 | -HS- | C] () -- C:\WINDOWS\System32\nvmakyrh.ini
    [2010/08/13 09:40:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
    [2009/02/13 17:40:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
    [2010/01/06 16:15:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\AVG9
    [2007/08/02 14:24:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Grisoft

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
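The OTL fix above removes three kinds of thing: Run values and a Winlogon notify package whose target files are already gone ("File not found"), IE toolbar registrations whose CLSID has no class registration ("No CLSID value found"), and a batch of hidden+system .ini files with random eight-letter names in System32. Here is the same triage as a read-only PowerShell report, added as an example (not OTL's or ComboFix's logic, and not from the post): it lists candidates and deletes nothing. It assumes PowerShell 3 or later and the standard registry locations.

```powershell
# Added example, not from the forum thread. Read-only: reports, never deletes.
# Assumes PowerShell 3+ and the standard Windows registry locations.

function Get-OrphanedRunEntries {
    # Run/RunOnce values whose target file no longer exists: the "File not
    # found" lines of an OTL log. Either leftovers of a partial cleanup or a
    # loader that only exists while the infection is active.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($valueName)
            # First token of the command line: a quoted path, or up to ".exe".
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] }
                   elseif ($cmd -match '^(.+?\.exe)') { $Matches[1] }
                   else { $cmd }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            [pscustomobject]@{
                Key      = $key
                Name     = $valueName
                Command  = $cmd
                Exists   = Test-Path -LiteralPath $exe
                # The shape seen in this thread's log: a GUID-named value
                # pointing into the user's Application Data folder.
                GuidName = $valueName -match '^\{[0-9A-Fa-f-]{36}\}$'
            }
        }
    }
}

function Get-WinlogonNotifyEntries {
    # Winlogon\Notify packages are DLLs loaded into winlogon.exe at logon: a
    # classic persistence point that Windows Vista and later no longer honour.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $base)) { return }
    foreach ($sub in Get-ChildItem $base) {
        $dll = [string]$sub.GetValue('DllName')
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path "$env:SystemRoot\System32" $dll
        }
        [pscustomobject]@{
            Package = $sub.PSChildName
            DllName = $dll
            Exists  = ($dll -ne '') -and (Test-Path -LiteralPath $dll)
        }
    }
}

function Get-OrphanedToolbars {
    # IE toolbar registrations whose CLSID has no class registration.
    $key = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
    if (-not (Test-Path $key)) { return }
    foreach ($v in (Get-Item $key).GetValueNames()) {
        if ($v -match '^\{[0-9A-Fa-f-]{36}\}$') {
            [pscustomobject]@{
                CLSID      = $v
                Registered = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$v"
            }
        }
    }
}

function Get-HiddenSystemIni {
    # Dozens of hidden+system .ini files with random names in System32 are
    # what the fix above lists. Legitimate .ini files there are rarely both
    # hidden and system, so every hit deserves a look.
    Get-ChildItem -Path "$env:SystemRoot\System32" -Filter '*.ini*' -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
            $_.Attributes.HasFlag([IO.FileAttributes]::System)
        } |
        Select-Object FullName, Length, CreationTime, Attributes
}

Get-OrphanedRunEntries    | Format-Table -AutoSize
Get-WinlogonNotifyEntries | Format-Table -AutoSize
Get-OrphanedToolbars      | Format-Table -AutoSize
Get-HiddenSystemIni       | Format-Table -AutoSize
```

An entry with Exists false is not harmless just because its file is gone: the Winlogon notify package in the fix is a DLL that winlogon.exe would load at every logon if the file came back, and a GUID-named Run value under Application Data is a loader that can be re-dropped by whatever component is still running. That is why the fix removes the registry entries themselves rather than only the files, and why the pipeline here reports on both.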

Nails

  • Guest
Re: Malicious URL Blocked...Help Please!!
« Reply #10 on: November 28, 2010, 07:29:43 PM »
Okey dokey...
 ???

essexboy

  • Malware removal instructor
Re: Malicious URL Blocked...Help Please!!
« Reply #11 on: November 28, 2010, 09:59:38 PM »
That does not look too bad. A further run to check out your MBR - what problems are you having at the moment?

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
MBR::

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt .
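What the ComboFix MBR:: directive asks for is a look at the disk's master boot record. As an added example (not ComboFix's code and not from the post), here is a PowerShell read of sector 0 of the boot disk that reports the 0x55AA boot-signature check, a SHA-256 of the 440-byte bootstrap code and the partition table, so the bootstrap hash can be compared with a clean machine running the same Windows version. It assumes an MBR-partitioned BIOS boot disk at \\.\PhysicalDrive0 (not GPT/UEFI), an elevated prompt, that .NET can open the raw device for sector-aligned reads, and that any reference hash is supplied by you from a known-clean install; no universal reference value is built in.

```powershell
# Added example, not from the forum thread. Assumes an elevated prompt and an
# MBR (BIOS) boot disk at \\.\PhysicalDrive0. No reference hash is built in:
# supply one taken from a clean machine with the same Windows build.

function Read-BootSector {
    param([string]$Device = '\\.\PhysicalDrive0')
    # Raw disk reads must be whole sectors; 512 bytes is exactly sector 0.
    $fs = [IO.File]::Open($Device, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        $n = $fs.Read($buf, 0, 512)
        if ($n -ne 512) { throw "short read from ${Device}: $n bytes" }
        ,$buf   # return the byte[] intact rather than unrolling it
    } finally { $fs.Dispose() }
}

function Get-MbrReport {
    param([byte[]]$Sector, [string]$KnownGoodBootCodeSha256)

    $sha = [Security.Cryptography.SHA256]::Create()
    # Bytes 0..439 hold the bootstrap code the BIOS jumps to; an MBR rootkit
    # lives here and chain-loads the original code from a sector it hides.
    # The disk signature at 440..443 is excluded so clean machines compare equal.
    $hash = ($sha.ComputeHash($Sector, 0, 440) | ForEach-Object { $_.ToString('x2') }) -join ''

    $partitions = foreach ($i in 0..3) {
        $o = 446 + 16 * $i                      # four 16-byte entries
        if ($Sector[$o + 4] -eq 0) { continue }  # type 0x00 = empty slot
        [pscustomobject]@{
            Index    = $i
            Active   = ($Sector[$o] -eq 0x80)
            Type     = '0x{0:X2}' -f $Sector[$o + 4]
            StartLBA = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }

    [pscustomobject]@{
        BootSignatureOK  = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        DiskSignature    = '0x{0:X8}' -f [BitConverter]::ToUInt32($Sector, 440)
        BootCodeSha256   = $hash
        MatchesReference = if ($KnownGoodBootCodeSha256) { $hash -eq $KnownGoodBootCodeSha256 } else { $null }
        ActiveCount      = @($partitions | Where-Object Active).Count
        Partitions       = $partitions
    }
}

$mbr    = Read-BootSector
$report = Get-MbrReport -Sector $mbr   # add -KnownGoodBootCodeSha256 '<hash from a clean machine>'
$report | Format-List
$report.Partitions | Format-Table -AutoSize
```

Things worth flagging: BootSignatureOK false; a boot-code hash that differs from a reference taken from the same Windows version (Windows setup writes the same bootstrap code on every machine of a given version, which is what makes the comparison meaningful); more than one active partition; or a partition entry of a type you cannot account for. A differing bootstrap is not proof on its own, since OEM recovery tools and third-party boot managers write their own MBR code; it tells you where to look next. This reads whatever the running OS presents, so a rootkit that filters disk reads can hide from it, which is the same limitation any in-OS tool has and the reason offline boot-CD checks exist.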

Nails

  • Guest
Re: Malicious URL Blocked...Help Please!!
« Reply #12 on: November 29, 2010, 03:16:21 PM »
OK the problem seems to have gone away after the original combofix and OTL runs. I shall check MBR with combofix for good measure and post results  :)

Nails

  • Guest
Re: Malicious URL Blocked...Help Please!!
« Reply #13 on: November 29, 2010, 03:45:00 PM »
Here goes...

essexboy

  • Malware removal instructor
Re: Malicious URL Blocked...Help Please!!
« Reply #14 on: November 29, 2010, 09:17:41 PM »
Hmm, it is still reporting a possible infection - but that can sometimes be a false positive. Are you having any further problems?