Author Topic: Need Help On Blocked Malicious URL  (Read 28883 times)


circumstances

  • Guest
Need Help On Blocked Malicious URL
« on: March 29, 2011, 05:39:03 PM »
Hi. I downloaded avast a couple of days ago and ran it. Ever since installation I have been getting the following pop-up windows every several minutes:

MALICIOUS URL BLOCKED
Object: borekoso.com/get/fgr.html
Infection: URL:Mal
Action: Blocked
Process: C:\Windows\system32\svchost.exe

MALICIOUS URL BLOCKED
Object: borekoso.com/set/task.html
Infection: URL:Mal
Action: Blocked
Process: C:\Windows\system32\svchost.exe

MALICIOUS URL BLOCKED
Object: borekoso.com/get/fgr.html
Infection: URL:Mal
Action: Blocked
Process: C:\Program Files\Internet Explorer\iexplore.exe


Reading the forums I downloaded TFC and ran it and rebooted last night, but it didn't stop these warnings. Can anyone help me? Thanks.
« Last Edit: March 29, 2011, 05:44:21 PM by circumstances »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not an avast user
Re: Need Help On Blocked Malicious URL
« Reply #1 on: March 29, 2011, 05:53:16 PM »
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs HERE in this topic and not in the guide)


To avoid multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log )


Essexboy will look at the logs when he arrives here later today

doktornotor

  • Guest
Re: Need Help On Blocked Malicious URL
« Reply #2 on: March 29, 2011, 05:55:43 PM »
http://forum.avast.com/index.php?topic=72808.0

We need the logs (MBAM, OTS). Read the sticky threads here.

The site has been infected for almost one month, plain ridiculous.

# nslookup borekoso.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   borekoso.com
Address: 46.161.11.196


# gwhois 46.161.11.196
Process query: '46.161.11.196'
Query recognized as IPv4.
Querying whois.ripe.net:43 with whois.

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '46.161.10.0 - 46.161.11.255'

inetnum:        46.161.10.0 - 46.161.11.255
netname:        DRAGAN-NET
descr:          net for Dragan  S.R.L.
country:        RO
admin-c:        TD2121-RIPE
tech-c:         TD2121-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-PIN
mnt-routes:     MNT-DRAGAN
mnt-routes:     MNT-PIN
mnt-routes:     ECATEL-MNT
mnt-domains:    MNT-DRAGAN
mnt-lower:      MNT-DRAGAN
mnt-lower:      ECATEL-MNT
source:         RIPE # Filtered

person:         Tatiana Dicu
address:        140 Ferdinand Blvd.,  Bucharest,  RO
mnt-by:         MNT-DRAGAN
phone:          +40745378190
abuse-mailbox:  dragan.abuse@yahoo.ro
nic-hdl:        TD2121-RIPE
source:         RIPE # Filtered

% Information related to '46.161.10.0/23AS29073'

route:          46.161.10.0/23
descr:          AS29073 temporary route object for 32 bit AS AS197425
origin:         AS29073
mnt-by:         ECATEL-MNT
source:         RIPE # Filtered
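doktornotor's whois lookup above is the raw material for an abuse report against the range that hosts the blocked domain. The Python below is an added example, not code from the thread or from any tool named in it, that parses RPSL whois output of this shape into objects and pulls out what a report needs: the assigned range, netname, country, originating AS, and the abuse-mailbox of the contacts the inetnum object references through its admin-c and tech-c handles. The sample input is the quoted RIPE answer, trimmed; the function names are the example's own.

```python
from typing import Dict, List, Optional

# Constructed sample input: the RIPE whois answer quoted in the post above,
# trimmed to the objects that matter for an abuse report. Comment lines are
# kept to show they are skipped.
SAMPLE_WHOIS = """\
% This is the RIPE Database query service.
% Note: this output has been filtered.

% Information related to '46.161.10.0 - 46.161.11.255'

inetnum:        46.161.10.0 - 46.161.11.255
netname:        DRAGAN-NET
descr:          net for Dragan  S.R.L.
country:        RO
admin-c:        TD2121-RIPE
tech-c:         TD2121-RIPE
status:         ASSIGNED PA
source:         RIPE # Filtered

person:         Tatiana Dicu
address:        140 Ferdinand Blvd.,  Bucharest,  RO
abuse-mailbox:  dragan.abuse@yahoo.ro
nic-hdl:        TD2121-RIPE
source:         RIPE # Filtered

route:          46.161.10.0/23
descr:          AS29073 temporary route object for 32 bit AS AS197425
origin:         AS29073
source:         RIPE # Filtered
"""

RpslObject = Dict[str, List[str]]


def parse_rpsl(text: str) -> List[RpslObject]:
    """Split whois output into RPSL objects: blank lines separate objects,
    '%' lines are server commentary, '#' starts an inline comment, and a
    line beginning with whitespace or '+' continues the previous attribute."""
    objects: List[RpslObject] = []
    current: RpslObject = {}
    last_key: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        value_part = line.split("#", 1)[0].rstrip()
        if line[0] in " \t+" and last_key is not None:
            current[last_key][-1] += " " + value_part.lstrip("+ \t")
            continue
        key, sep, value = value_part.partition(":")
        if not sep:
            continue  # not an attribute line; ignore it
        last_key = key.strip()
        current.setdefault(last_key, []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def first(obj: RpslObject, key: str) -> Optional[str]:
    values = obj.get(key)
    return values[0] if values else None


def summarize(objects: List[RpslObject]) -> Dict[str, object]:
    """Pick out the range, registrant, announcing AS and the abuse mailboxes
    of the person/role objects referenced by the inetnum's contact handles."""
    inet = next((o for o in objects if "inetnum" in o), {})
    route = next((o for o in objects if "route" in o), {})
    handles = set(inet.get("admin-c", []) + inet.get("tech-c", []))
    abuse: List[str] = []
    for obj in objects:
        if first(obj, "nic-hdl") in handles:
            abuse.extend(obj.get("abuse-mailbox", []))
    return {
        "inetnum": first(inet, "inetnum"),
        "netname": first(inet, "netname"),
        "country": first(inet, "country"),
        "origin": first(route, "origin"),
        "abuse": sorted(set(abuse)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rpsl(SAMPLE_WHOIS)).items():
        print(f"{key:8} {value}")
```

Resolving the handles rather than grepping for the first e-mail address matters because a whois answer can carry several person objects, and only the ones the inetnum actually points at are the registered contacts for that range.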

circumstances

  • Guest
Re: Need Help On Blocked Malicious URL
« Reply #3 on: March 29, 2011, 06:09:29 PM »
Thank you guys. Here is the MBAM quick scan log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6203

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/29/2011 12:06:34 PM
mbam-log-2011-03-29 (12-06-34).txt

Scan type: Quick scan
Objects scanned: 186479
Time elapsed: 7 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I will post the OTS information in the next reply.

circumstances

  • Guest
Re: Need Help On Blocked Malicious URL
« Reply #4 on: March 29, 2011, 06:23:09 PM »
Figured out how to attach the log. See below.
« Last Edit: March 29, 2011, 06:32:44 PM by circumstances »

circumstances

  • Guest
Re: Need Help On Blocked Malicious URL
« Reply #5 on: March 29, 2011, 06:25:10 PM »
Figured out how to attach the log. See below.
« Last Edit: March 29, 2011, 06:33:41 PM by circumstances »

circumstances

  • Guest
Re: Need Help On Blocked Malicious URL
« Reply #6 on: March 29, 2011, 06:26:21 PM »
Figured it out. Log below.
« Last Edit: March 29, 2011, 06:31:54 PM by circumstances »

doktornotor

  • Guest
Re: Need Help On Blocked Malicious URL
« Reply #7 on: March 29, 2011, 06:26:57 PM »
Please use Additional Options - Attach feature.

circumstances

  • Guest
Re: Need Help On Blocked Malicious URL
« Reply #8 on: March 29, 2011, 06:29:42 PM »
doktornotor, could you please explain how to run the attach feature for the OTS scan? The MBAM scan I already posted in one reply. Thank you.

circumstances

  • Guest
Re: Need Help On Blocked Malicious URL
« Reply #9 on: March 29, 2011, 06:30:54 PM »
I figured out how to attach the OTS log.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not an avast user
Re: Need Help On Blocked Malicious URL
« Reply #10 on: March 29, 2011, 06:37:58 PM »
There is also an EDIT option, so if you fail, you can try again...and again...and again...in the same post  ;)

Well, you did it, and Essexboy should be here in about 2 - 3 hours.

circumstances

  • Guest
Re: Need Help On Blocked Malicious URL
« Reply #11 on: March 29, 2011, 07:36:57 PM »
Pondus, it took a bit, but I got there.  ;)

I'm looking forward to essexboy's assistance, hopefully it isn't bad news.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Need Help On Blocked Malicious URL
« Reply #12 on: March 29, 2011, 07:48:04 PM »
Yes and no - you have a Purity infection, so if you see an apparent system32 folder going, do not be afraid:
C:\WINDOWS\s?stem32

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< HOSTS File > ([2004/04/10 12:30:34 | 000,003,233 | ---- | M] - 112 lines) -> C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
YN -> Reset Hosts ->
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3944651745-3248677297-1107779084-1006\] > -> HKEY_USERS\S-1-5-21-3944651745-3248677297-1107779084-1006\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-3944651745-3248677297-1107779084-1006\] > -> HKEY_USERS\S-1-5-21-3944651745-3248677297-1107779084-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Aida" -> ["C:\WINDOWS\SSTEM3~1\taskmgr.exe" -vt yazb]
YN -> "Hiexe" -> [C:\WINDOWS\SYSTEM32\Οracle\sсanregw.exe]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-3944651745-3248677297-1107779084-1006\] > -> HKEY_USERS\S-1-5-21-3944651745-3248677297-1107779084-1006\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{A75C6120-9B36-11d4-A3F0-009027427750}" [HKLM] -> [Reg Error: Key error.]
YN -> CmdMapping\\"{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}" [HKLM] -> [Reg Error: Key error.]
< AppCertDlls [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
YN -> \\"coniTUTL" -> [C:\WINDOWS\system32\EVENaint.dll]
[Files/Folders - Modified Within 30 Days]
NY ->  Pdasejuhediqad.dat -> C:\WINDOWS\Pdasejuhediqad.dat
NY ->  Kdizacocuw.bin -> C:\WINDOWS\Kdizacocuw.bin
NY ->  lnjd024uh5mjq03i -> C:\Documents and Settings\Robert\Local Settings\Application Data\lnjd024uh5mjq03i
NY ->  lnjd024uh5mjq03i -> C:\Documents and Settings\All Users\Application Data\lnjd024uh5mjq03i
[Files - No Company Name]
NY ->  Pdasejuhediqad.dat -> C:\WINDOWS\Pdasejuhediqad.dat
NY ->  Kdizacocuw.bin -> C:\WINDOWS\Kdizacocuw.bin
NY ->  lnjd024uh5mjq03i -> C:\Documents and Settings\Robert\Local Settings\Application Data\lnjd024uh5mjq03i
NY ->  lnjd024uh5mjq03i -> C:\Documents and Settings\All Users\Application Data\lnjd024uh5mjq03i
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Purity]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
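Two of the entries in the fix above show why this infection is hard to spot by eye: a folder whose name renders as system32 but is not (essexboy's C:\WINDOWS\s?stem32, which presumably appears in the "Aida" Run entry as the 8.3 short name SSTEM3~1, since short names drop characters the OEM code page cannot represent), and the "Hiexe" Run entry whose path spells Oracle with a Greek capital Omicron and scanregw.exe with a Cyrillic es. The Python below is an added example, not code from the thread or from OTS, that flags such paths from a defender's side: it names every non-ASCII character in a path, maps a few confusable letters back to the ASCII letter they imitate, and compares each component (including 8.3 short names) against a short list of system directory names. The confusables table, the list of known names and the sample paths are constructed for the example; the fourth sample path is the AppCertDlls entry from the fix, included to show a malicious path this heuristic does not catch.

```python
import unicodedata
from typing import Dict, List, Optional, Tuple

# Windows directory names that lookalike folders imitate (example list).
KNOWN_NAMES = ("system32", "syswow64", "drivers", "windows")

# Minimal confusables table: letters from other scripts that render like ASCII
# letters in most fonts. Unicode TR39 has the full list; this covers the two
# characters seen in the fix above plus a few common Cyrillic ones.
CONFUSABLES = {
    "\u039f": "O", "\u03bf": "o", "\u0421": "C", "\u0441": "c",  # Omicron, Es
    "\u0410": "A", "\u0430": "a", "\u0415": "E", "\u0435": "e",  # Cyrillic A, Ie
    "\u0420": "P", "\u0440": "p", "\u0425": "X", "\u0445": "x",  # Cyrillic Er, Ha
}

# Constructed sample: paths taken from the OTS fix above (the second contains
# U+039F and U+0441), one clean path, and one malicious path that is not caught.
SAMPLE_PATHS = [
    "C:\\WINDOWS\\system32\\svchost.exe",
    "C:\\WINDOWS\\SYSTEM32\\\u039fracle\\s\u0441anregw.exe",
    "C:\\WINDOWS\\SSTEM3~1\\taskmgr.exe",
    "C:\\WINDOWS\\system32\\EVENaint.dll",
]


def skeleton(name: str) -> str:
    """Map confusable letters to the ASCII letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def non_ascii_chars(name: str) -> List[str]:
    """Describe every non-ASCII character so the analyst sees which script it is."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}"
            for ch in name if ord(ch) > 127]


def edits_within_one(a: str, b: str) -> bool:
    """True if a becomes b with at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = j = 0
    used = False
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        if used:
            return False
        used = True
        if len(a) == len(b):  # substitution; otherwise skip the extra char in b
            i += 1
        j += 1
    return True


def lookalike_of(component: str) -> Optional[str]:
    """Return the known directory name this component imitates, if any.
    An 8.3 short name (NAME~1) is compared on its prefix, because the short
    name drops characters the OEM code page cannot represent."""
    name = skeleton(component).lower()
    if name in KNOWN_NAMES:
        return None  # the real directory
    base, tilde, _ = name.partition("~")
    for known in KNOWN_NAMES:
        if edits_within_one(name, known):
            return known
        if tilde and base and edits_within_one(base, known[: len(base) + 1]):
            return known
    return None


def analyze_path(path: str) -> Dict[str, object]:
    """Collect confusable characters and lookalike components for one path."""
    non_ascii: List[str] = []
    lookalikes: List[Tuple[str, str]] = []
    for comp in filter(None, path.replace("/", "\\").split("\\")):
        non_ascii.extend(non_ascii_chars(comp))
        known = lookalike_of(comp)
        if known:
            lookalikes.append((comp, known))
    return {"path": path, "non_ascii": non_ascii, "lookalikes": lookalikes}


def scan_paths(paths: List[str]) -> List[Dict[str, object]]:
    """Return only the reports that have at least one finding."""
    return [r for r in map(analyze_path, paths) if r["non_ascii"] or r["lookalikes"]]


if __name__ == "__main__":
    for r in scan_paths(SAMPLE_PATHS):
        print(r["path"], r["non_ascii"], r["lookalikes"])
```

Run over autorun entries, AppCertDlls values or a file listing, this surfaces the two tricks above but stays silent on C:\WINDOWS\system32\EVENaint.dll, which is pure ASCII in a legitimate folder; that entry is only suspicious because of where it is registered, so a check like this complements, and does not replace, reviewing persistence locations.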

circumstances

  • Guest
Re: Need Help On Blocked Malicious URL
« Reply #13 on: March 29, 2011, 08:18:29 PM »
Thanks so much essexboy. I had to come to my office for a bit, but I will follow your instructions as soon as I get home and report the results back here for you to look at.

circumstances

  • Guest
Re: Need Help On Blocked Malicious URL
« Reply #14 on: March 29, 2011, 08:28:01 PM »
By the way, what is a Purity infection?