Topic: Threat has been detected - Malicious URL Blocked


essexboy, Malware removal instructor
Re: Threat has been detected - Malicious URL Blocked
« Reply #15 on: May 20, 2011, 11:47:21 PM »
Still more going on though

On completion of this ComboFix run (it should be faster this time), rerun aswMBR please.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
KillAll::

File::
c:\windows\System32\drivers\jbpii.sys

Driver::
sphnn


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • New aswMBR log.
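
As an added example (not from this post and not ComboFix's own code), a small Python parser for the CFScript section syntax used above (`KillAll::`, `File::`, `Driver::`) that then lists what a helper would confirm is gone after the run. It assumes the standard `HKLM\SYSTEM\CurrentControlSet\Services\<name>` location for a driver's service key; the embedded sample is the script from this post.

```python
import os
import re

# Constructed sample: the CFScript from the post above, in ComboFix script syntax.
SAMPLE_CFSCRIPT = """KillAll::

File::
c:\\windows\\System32\\drivers\\jbpii.sys

Driver::
sphnn
"""

# A section header is a bare word followed by "::" (e.g. File::, Driver::).
_HEADER = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text):
    """Return {section: [entries]} for a CFScript.

    Directive-only sections such as KillAll:: map to an empty list;
    blank lines are ignored and lines before the first header are dropped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _HEADER.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def post_run_checks(sections):
    """List (kind, target) pairs to confirm are gone after the ComboFix run.

    File:: entries are plain paths. Driver:: entries name kernel services,
    whose configuration lives under the standard Services registry key (assumed).
    """
    checks = [("file", p) for p in sections.get("File", [])]
    for svc in sections.get("Driver", []):
        checks.append(("service", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\" + svc))
    return checks


def files_still_present(sections):
    """File:: paths that still exist on this machine; expected empty after cleanup."""
    return [p for p in sections.get("File", []) if os.path.exists(p)]
```

Run `files_still_present(parse_cfscript(...))` on the cleaned machine: a non-empty result means the File:: entry survived the run and the log deserves another look.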

Coastal-Delaware
Re: Threat has been detected - Malicious URL Blocked
« Reply #16 on: May 21, 2011, 12:43:41 AM »
Both scans attached.

Thank you Thank you Thank You for taking the time to help with this.

SafeSurf, Avast Evangelist
Re: Threat has been detected - Malicious URL Blocked
« Reply #17 on: May 21, 2011, 10:42:11 AM »
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
When Essexboy is done with you, we need to have you update your machine to SP3 and IE8 as well as check your other software since this puts you at great risk for getting malware.  We will let Essexboy finish his malware removal first.

@ Essexboy,  Nice job on that Combofix.  ;)

essexboy, Malware removal instructor
Re: Threat has been detected - Malicious URL Blocked
« Reply #18 on: May 21, 2011, 04:58:09 PM »
Not overly happy about the MBR - what is the make of your computer, i.e. Dell, HP, etc.?

Also, what are your current problems?

CF does the work - I just tell it what to do  ;D

Coastal-Delaware
Re: Threat has been detected - Malicious URL Blocked
« Reply #19 on: May 21, 2011, 08:48:12 PM »
I built the computer many years ago.
Gigabyte Motherboard.
AMD Athlon 62 Dual Core Processor 3800
Two SATA drives
3GB RAM

She was a really fast machine 6 years ago....

Not experiencing any problems now but Combofix is still detecting a rootkit every time it runs.

I turned it off yesterday when you logged off.

I don't use IE at all unless I'm making sure a website looks ok in older versions. I'm primarily a Firefox/Opera/Safari user.

If I can't get rid of the rootkit I may just wipe the drive & switch to Ubuntu

Please let me know if there is more I should do.
« Last Edit: May 21, 2011, 08:51:56 PM by Coastal-Delaware »

essexboy, Malware removal instructor
Re: Threat has been detected - Malicious URL Blocked
« Reply #20 on: May 21, 2011, 08:49:13 PM »
Yep, let's get a second opinion on the MBR.

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Coastal-Delaware
Re: Threat has been detected - Malicious URL Blocked
« Reply #21 on: May 21, 2011, 09:06:10 PM »
Found rootkit.win32.tdss.tdl3 and cured it.
Computer rebooted.

Logs attached. Too big to post.

Am I clean now?


essexboy, Malware removal instructor
Re: Threat has been detected - Malicious URL Blocked
« Reply #22 on: May 22, 2011, 12:11:50 AM »
I thought so, it was a TDL3 not TDL4.

What are your current problems?

Coastal-Delaware
Re: Threat has been detected - Malicious URL Blocked
« Reply #23 on: May 22, 2011, 01:09:41 PM »
I don't think I have any remaining problems.

TDSSKiller got rid of the rootkit. Avast is no longer notifying me of blocked URLs, ComboFix auto-updated itself and I ran one more ComboFix scan and it found no more rootkit.

I guess I'm clean again?

Who are you saints who have so much free time to help so many people out? All I can say is thank you thank you thank you, and if you have a PayPal account I'm happy to send a little love your way.

One last question. How much do I have to worry that some hacker may have found all my usernames and passwords? Should I go and change them all?

essexboy, Malware removal instructor
Re: Threat has been detected - Malicious URL Blocked
« Reply #24 on: May 22, 2011, 01:47:37 PM »
Quote
How much do I have to worry that some hacker may have found all my usernames and passwords? Should I go and change them all?
I feel it is always prudent to do that after an infection - no matter how minor. I am always up for a drink ;D I do have a PayPal link at G2G in my sig there.

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:


Click Start > Run and copy/paste the following bolded text into the Run box and click OK: N.b. If used

ComboFix /Uninstall

Run OTS and hit the cleanup button.  It will remove all the programmes we have used plus itself. 

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
 
Malwarebytes. Update and run weekly to keep your system clean.

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and anti-virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ?
Keep safe  :wave: