Author Topic: Threat has been detected - Malicious URL Blocked  (Read 15304 times)


Coastal-Delaware

  • Guest
Threat has been detected - Malicious URL Blocked
« on: May 20, 2011, 07:59:06 PM »
 ???

Object: Updateconnections.com/...  etc...
Infection: URL:Mal
Action: Blocked
Processes: C:\WINDOWS\System32\svchost.exe

This popup from avast has been going off for about a week. Last week soon after the pop up started I was infected with the Windows Restore Virus. After a day of fighting the virus I was able to remove most of it, but if this pop up is still coming up I'm guessing I still have some evil code lurking in my computer.

Avast alerts me of it but gives no solutions for its removal.

Any suggestions?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88854
  • No support PMs thanks
Re: Threat has been detected - Malicious URL Blocked
« Reply #1 on: May 20, 2011, 08:32:16 PM »
Since you posted the aswMBR.txt file contents in the other topic, can you place it here in your own topic, so all information is together.

Since it was also inconclusive (in my limited experience of it) you can try another analysis and data gathering tool that will be helpful to other malware removal specialists.

Quote from: essexboy
Unfortunately no two attacks are the same so first I will need to see what you have.

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

Note: this says attach the file (too big for copy and paste); use the Additional Options in the Reply window to attach the file.

Hopefully essexboy can pick up on this topic.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Coastal-Delaware

  • Guest
Re: Threat has been detected - Malicious URL Blocked
« Reply #2 on: May 20, 2011, 08:41:52 PM »
Will do, and I apologize for the thread hijack.

I just ran another mbam scan two minutes ago and it found something else.

I've been running Avast, Avira, AVG, Spybot and MBAM scans for almost a week. The AV programs find something here and there then remove it. A dozen or so scans will go by with no sign of a virus and then they come back again.



Avira just found TR/CRYPT.XPACK.Gen2

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-20 14:39:25
-----------------------------
14:39:25.609    OS Version: Windows 5.1.2600 Service Pack 2
14:39:25.609    Number of processors: 2 586 0x2302
14:39:25.609    ComputerName: GODMODE  UserName: 64Xdual
14:39:26.609    Initialize success
14:39:29.171    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000032
14:39:29.171    Disk 0 Vendor: WDC_WD1600JS-22MHB0 02.01C03 Size: 152626MB BusType: 3
14:39:29.171    Disk 1  \Device\Harddisk1\DR1 -> \Device\00000079
14:39:29.171    Disk 1 Vendor: ST3500630AS 3.AAK Size: 476940MB BusType: 3
14:39:29.171    Device \Device\00000077 -> \??\IDE#DiskWDC_WD1600JS-22MHB0_____________________02.01C03#2020202057202D4443574E41314D353036373331#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
14:39:29.171    Disk 0 MBR read error 0
14:39:29.171    Disk 0 MBR scan
14:39:29.171    Disk 0 unknown MBR code
14:39:29.171    MBR BIOS signature not found 0
14:39:29.171    Disk 0 scanning sectors +312576705
14:39:29.171    Disk 0 scanning C:\WINDOWS\system32\drivers
14:39:38.625    Service scanning
14:39:39.765    Disk 0 trace - called modules:
14:39:39.781    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a4d5ecc]<<
14:39:39.781    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a48fab8]
14:39:39.781    3 CLASSPNP.SYS[ba8e8fcf] -> nt!IofCallDriver -> \Device\00000078[0x8a431ac0]
14:39:39.781    5 ACPI.sys[ba77f620] -> nt!IofCallDriver -> [0x8a48f030]
14:39:39.781    [0x8a409748] -> IRP_MJ_CREATE -> 0x8a4d5ecc
14:39:39.781    Scan finished successfully
14:39:47.781    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\64Xdual\My Documents\Downloads\MBR.dat"
14:39:47.781    The log file has been saved successfully to "C:\Documents and Settings\64Xdual\My Documents\Downloads\aswMBR-2.txt"

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6609

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

5/20/2011 2:32:19 PM
mbam-log-2011-05-20 (14-32-19).txt

Scan type: Quick scan
Objects scanned: 239703
Time elapsed: 7 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\64Xdual\2gweorjqjutp92vjy9gake (Malware.Trace) -> Quarantined and deleted successfully.

I don't surf porn or hacker sites. Primarily I read the news and real estate related material. This machine has been running more or less virus free since 2006.

Coastal-Delaware

  • Guest
Re: Threat has been detected - Malicious URL Blocked
« Reply #3 on: May 20, 2011, 09:13:54 PM »
My log file was so long for OTS I had to break it into two attachments.

Attachment 1

Coastal-Delaware

  • Guest
Re: Threat has been detected - Malicious URL Blocked
« Reply #4 on: May 20, 2011, 09:16:14 PM »
Attachment 2

The machine has two physical internal hard drives and one external drive.

Please excuse the long list of firefox profiles. I build websites and have a different profile for each site.
local host is full of bad sites that probably have something to do with the redirects.

Thank you!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Threat has been detected - Malicious URL Blocked
« Reply #5 on: May 20, 2011, 09:23:47 PM »
Hi, first a question - did you create this task to run daily?
C:\WINDOWS\tasks\rptp.job

If you did not, I will add that to the fix I am creating. Also, I would recommend uninstalling two of the three antiviruses you have installed.

I will await your reply before I create the fix.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88854
  • No support PMs thanks
Re: Threat has been detected - Malicious URL Blocked
« Reply #6 on: May 20, 2011, 09:25:19 PM »
Well, having multiple scanners installed isn't going to help as they will conflict with each other, which could leave you less well protected rather than better. Even if you disable their resident protection, the low level drivers will be present.

The only way this could work would be by uninstalling an AV before installing the next, but even then there are possibilities of remnants after an uninstall. So you haven't been doing yourself any favours; on-line scanners are an option for a backup second opinion type scan. All but avast should be uninstalled (MBAM is fine, it isn't an AV).

One of the biggest problems is down to the number of legit sites which can get hacked. The avast web shield is very hot on these, but if you have multiple AVs also checking what avast is, the conflict could let something through.

Coastal-Delaware

  • Guest
Re: Threat has been detected - Malicious URL Blocked
« Reply #7 on: May 20, 2011, 09:54:35 PM »
Deleted AVG, Spybot and Avira Anti Virus and restarted the machine. All that remains is Avast and MBAM.

Avast is going nuts with "A threat has been detected" every minute and a half.

I did not set C:\WINDOWS\tasks\rptp.job to run daily. I'm not sure what it is.

What is my next step?

Thank you!
« Last Edit: May 20, 2011, 09:56:11 PM by Coastal-Delaware »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88854
  • No support PMs thanks
Re: Threat has been detected - Malicious URL Blocked
« Reply #8 on: May 20, 2011, 09:59:26 PM »
That has to be the answer to essexboy's question, which is what he is waiting for, so he can compile the script to fix what has been found.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Threat has been detected - Malicious URL Blocked
« Reply #9 on: May 20, 2011, 10:01:14 PM »
If you do find it is a job that you created you will have to recreate it, but I feel it is bad.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Files/Folders - Modified Within 30 Days]
NY ->  vpreekim.sys -> C:\WINDOWS\System32\drivers\vpreekim.sys
NY ->  rptp.job -> C:\WINDOWS\tasks\rptp.job
NY ->  Elaheqimezo.bin -> C:\WINDOWS\Elaheqimezo.bin
NY ->  8ovx0wkt11gr8lvac32b080q -> C:\Documents and Settings\All Users\Application Data\8ovx0wkt11gr8lvac32b080q
NY ->  8ovx0wkt11gr8lvac32b080q -> C:\Documents and Settings\64Xdual\Local Settings\Application Data\8ovx0wkt11gr8lvac32b080q
NY ->  ~16637732r -> C:\Documents and Settings\All Users\Application Data\~16637732r
NY ->  ~16637732 -> C:\Documents and Settings\All Users\Application Data\~16637732
NY ->  16637732 -> C:\Documents and Settings\All Users\Application Data\16637732
NY ->  Tvanexizo.dat -> C:\WINDOWS\Tvanexizo.dat
[Files - No Company Name]
NY ->  vpreekim.sys -> C:\WINDOWS\System32\drivers\vpreekim.sys
NY ->  ~16637732r -> C:\Documents and Settings\All Users\Application Data\~16637732r
NY ->  ~16637732 -> C:\Documents and Settings\All Users\Application Data\~16637732
NY ->  16637732 -> C:\Documents and Settings\All Users\Application Data\16637732
NY ->  8ovx0wkt11gr8lvac32b080q -> C:\Documents and Settings\All Users\Application Data\8ovx0wkt11gr8lvac32b080q
NY ->  8ovx0wkt11gr8lvac32b080q -> C:\Documents and Settings\64Xdual\Local Settings\Application Data\8ovx0wkt11gr8lvac32b080q
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.


Coastal-Delaware

  • Guest
Re: Threat has been detected - Malicious URL Blocked
« Reply #10 on: May 20, 2011, 10:14:55 PM »
User: Administrator
 
User: administrator.PENINSULA
 
User: All Users
 
User: Default User
 
User: Kelly West
->Flash cache emptied: 0 bytes
 
User: LocalService
 
User: martin
->Flash cache emptied: 0 bytes
 
User: mike
->Flash cache emptied: 0 bytes
 
User: NetworkService
 
User: tony
->Flash cache emptied: 0 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 05202011_160725

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_left_anchor_bubble_bot[8352].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_left_anchor_bubble_top[8353].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_no_anchor_bubble_bot[8357].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_no_anchor_bubble_top[8358].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_right_anchor_bubble_bot[8360].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_right_anchor_bubble_top[8362].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_left_anchor_bubble_bot[8393].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_left_anchor_bubble_top[8395].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_no_anchor_bubble_bot[8396].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_no_anchor_bubble_top[8398].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_right_anchor_bubble_bot[8401].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_right_anchor_bubble_top[8404].png not found!
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Threat has been detected - Malicious URL Blocked
« Reply #11 on: May 20, 2011, 10:17:54 PM »
Are the alerts still coming?

Could you attach the entire report please, as the main part I need to see is the file deletions at the top.

Coastal-Delaware

  • Guest
Re: Threat has been detected - Malicious URL Blocked
« Reply #12 on: May 20, 2011, 10:20:41 PM »
Sorry about that, here's all of it.

Yes, still receiving the "Threat has been Detected" alerts.

All Processes Killed
[Files/Folders - Modified Within 30 Days]
File C:\WINDOWS\System32\drivers\vpreekim.sys not found!
C:\WINDOWS\tasks\rptp.job moved successfully.
C:\WINDOWS\Elaheqimezo.bin moved successfully.
C:\Documents and Settings\All Users\Application Data\8ovx0wkt11gr8lvac32b080q moved successfully.
C:\Documents and Settings\64Xdual\Local Settings\Application Data\8ovx0wkt11gr8lvac32b080q moved successfully.
C:\Documents and Settings\All Users\Application Data\~16637732r moved successfully.
C:\Documents and Settings\All Users\Application Data\~16637732 moved successfully.
C:\Documents and Settings\All Users\Application Data\16637732 moved successfully.
C:\WINDOWS\Tvanexizo.dat moved successfully.
[Files - No Company Name]
File C:\WINDOWS\System32\drivers\vpreekim.sys not found!
File C:\Documents and Settings\All Users\Application Data\~16637732r not found!
File C:\Documents and Settings\All Users\Application Data\~16637732 not found!
File C:\Documents and Settings\All Users\Application Data\16637732 not found!
File C:\Documents and Settings\All Users\Application Data\8ovx0wkt11gr8lvac32b080q not found!
File C:\Documents and Settings\64Xdual\Local Settings\Application Data\8ovx0wkt11gr8lvac32b080q not found!
[Empty Temp Folders]
 
 
User: 64Xdual
->Temp folder emptied: 813388 bytes
->Temporary Internet Files folder emptied: 33602 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 2284567576 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 0 bytes
->Opera cache emptied: 129228319 bytes
->Flash cache emptied: 3703 bytes
 
User: Administrator
->Temp folder emptied: 823 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: administrator.PENINSULA
->Temp folder emptied: 61 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->FireFox cache emptied: 2637339 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Kelly West
->Temp folder emptied: 5041136 bytes
->Temporary Internet Files folder emptied: 71915238 bytes
->Java cache emptied: 286971 bytes
->FireFox cache emptied: 20505813 bytes
->Flash cache emptied: 11478 bytes
 
User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: martin
->Temp folder emptied: 67091 bytes
->Temporary Internet Files folder emptied: 10936431 bytes
->Java cache emptied: 392822 bytes
->FireFox cache emptied: 16255099 bytes
->Flash cache emptied: 1020 bytes
 
User: mike
->Temp folder emptied: 12755720 bytes
->Temporary Internet Files folder emptied: 9862313 bytes
->Java cache emptied: 3187771 bytes
->FireFox cache emptied: 62255637 bytes
->Apple Safari cache emptied: 4882432 bytes
->Flash cache emptied: 6935 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: tony
->Temp folder emptied: 699 bytes
->Temporary Internet Files folder emptied: 254830 bytes
->Java cache emptied: 123079 bytes
->FireFox cache emptied: 8393212 bytes
->Flash cache emptied: 348 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 3261509 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 705618 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 7200 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 196446 bytes
RecycleBin emptied: 17656261 bytes
 
Total Files Cleaned = 2,543.00 mb
 
 
[EMPTYFLASH]
 
User: 64Xdual
->Flash cache emptied: 0 bytes
 
User: Administrator
 
User: administrator.PENINSULA
 
User: All Users
 
User: Default User
 
User: Kelly West
->Flash cache emptied: 0 bytes
 
User: LocalService
 
User: martin
->Flash cache emptied: 0 bytes
 
User: mike
->Flash cache emptied: 0 bytes
 
User: NetworkService
 
User: tony
->Flash cache emptied: 0 bytes
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 05202011_160725

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_left_anchor_bubble_bot[8352].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_left_anchor_bubble_top[8353].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_no_anchor_bubble_bot[8357].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_no_anchor_bubble_top[8358].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_right_anchor_bubble_bot[8360].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\aim_right_anchor_bubble_top[8362].gif not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_left_anchor_bubble_bot[8393].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_left_anchor_bubble_top[8395].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_no_anchor_bubble_bot[8396].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_no_anchor_bubble_top[8398].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_right_anchor_bubble_bot[8401].png not found!
File\Folder C:\Documents and Settings\64Xdual\Local Settings\Application Data\Mozilla\Firefox\Profiles\ygz9twyj.BROKERS\Google Gears for Firefox\mail.google.com\http_80\WebCache-MAIN_IMAGES-mike.bwbeach@gmail.com-GoogleMail[6]#localserver\muc_right_anchor_bubble_top[8404].png not found!
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
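Reading the two OTS fix logs above by hand is error-prone, and the detail that matters (which requested file was never actually moved) is easy to miss. The script below is an added example, not part of the thread or of OTS itself: it parses the "NY -> name -> path" lines of the fix request and the result lines of the fix log, and lists the targets that were neither moved nor queued for reboot. The sample input is a constructed, shortened excerpt of the lines posted above.

```python
from __future__ import annotations

import re

# Constructed sample: a shortened excerpt of the fix request and the
# matching OTS fix-log lines posted in this thread.
FIX_SCRIPT = r"""[Files/Folders - Modified Within 30 Days]
NY ->  vpreekim.sys -> C:\WINDOWS\System32\drivers\vpreekim.sys
NY ->  rptp.job -> C:\WINDOWS\tasks\rptp.job
NY ->  Elaheqimezo.bin -> C:\WINDOWS\Elaheqimezo.bin
NY ->  ~16637732r -> C:\Documents and Settings\All Users\Application Data\~16637732r
[Files - No Company Name]
NY ->  vpreekim.sys -> C:\WINDOWS\System32\drivers\vpreekim.sys
NY ->  ~16637732r -> C:\Documents and Settings\All Users\Application Data\~16637732r
"""

FIX_LOG = r"""All Processes Killed
[Files/Folders - Modified Within 30 Days]
File C:\WINDOWS\System32\drivers\vpreekim.sys not found!
C:\WINDOWS\tasks\rptp.job moved successfully.
C:\WINDOWS\Elaheqimezo.bin moved successfully.
C:\Documents and Settings\All Users\Application Data\~16637732r moved successfully.
[Files - No Company Name]
File C:\WINDOWS\System32\drivers\vpreekim.sys not found!
File C:\Documents and Settings\All Users\Application Data\~16637732r not found!
[Empty Temp Folders]
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
"""

# "NY ->  <name> -> <path>" lines are the move requests in an OTS fix.
TARGET_RE = re.compile(r"^NY ->\s+(?P<name>.+?) -> (?P<path>.+)$")

# Result lines OTS writes for a requested move. The generic
# "moved successfully" pattern is tried last on purpose.
LOG_PATTERNS = (
    ("not_found", re.compile(r"^File (?P<path>.+) not found!$")),
    ("deferred", re.compile(r"^File move failed\. (?P<path>.+) scheduled to be moved on reboot\.$")),
    ("moved", re.compile(r"^(?P<path>.+) moved successfully\.$")),
)
FINAL = ("moved", "deferred")


def parse_fix_targets(script: str) -> list[str]:
    """Paths the fix asked OTS to move, deduplicated (Windows paths are
    case-insensitive) and kept in the order first requested."""
    seen: dict[str, str] = {}
    for line in script.splitlines():
        m = TARGET_RE.match(line.strip())
        if m:
            seen.setdefault(m.group("path").lower(), m.group("path"))
    return list(seen.values())


def parse_fix_log(log: str) -> dict[str, str]:
    """Map each path in the fix log (lowercased) to its outcome.

    OTS lists one path under several sections and reports it 'not found'
    once an earlier section has moved it, so a move is never downgraded by
    a later 'not found' line.
    """
    statuses: dict[str, str] = {}
    for raw in log.splitlines():
        for status, pattern in LOG_PATTERNS:
            m = pattern.match(raw.strip())
            if m:
                key = m.group("path").lower()
                if statuses.get(key) not in FINAL:
                    statuses[key] = status
                break
    return statuses


def unresolved_targets(script: str, log: str) -> list[str]:
    """Requested paths that were neither moved nor queued for reboot; these
    are the items to chase with another tool, as with vpreekim.sys here."""
    statuses = parse_fix_log(log)
    return [p for p in parse_fix_targets(script)
            if statuses.get(p.lower()) not in FINAL]


if __name__ == "__main__":
    for path in unresolved_targets(FIX_SCRIPT, FIX_LOG):
        print("not removed by the fix:", path)
```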

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Threat has been detected - Malicious URL Blocked
« Reply #13 on: May 20, 2011, 10:22:32 PM »
OK, it is not seeing the sys file to delete.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Coastal-Delaware

  • Guest
Re: Threat has been detected - Malicious URL Blocked
« Reply #14 on: May 20, 2011, 11:38:10 PM »
Wow, that took a long time.

First trial it found a rootkit and rebooted.

Here's the log file: See Attached
