Topic: "Malicious URL Blocked" randomly pops up when I click on reputable links


Jringo7

  • Guest
This is a cross-post from the forums here: http://forum.avast.com/index.php?topic=78666.0
I am only putting it here because this is probably where I should have posted in the first place. If a mod needs to lock either thread for redundancy, I understand.

I ran an avast! scan and a malwarebytes scan; both came back clean.
Here is the message:
http://i.imgur.com/dLSmi.png

When I click on a google search link that I regularly visit (yahoo/youtube/etc.), this message will randomly pop up. But after clicking the same link again, it opens with no problem. If there is anything else I can provide someone who might be able to direct me, I will get it as soon as possible.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Download OTS to your Desktop and double-click on it to run it.
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

Jringo7

  • Guest
Thank you for your help. Here are the logs from the two scans:

Edit: removed attachments
« Last Edit: May 27, 2011, 06:26:32 PM by Jringo7 »

Jringo7

  • Guest
Here is the aswMRB log that you also asked for:

Edit: removed attachment
« Last Edit: May 27, 2011, 06:26:57 PM by Jringo7 »

Offline essexboy

Could you let me know if you still get the alerts after this fix?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< FireFox Settings [Prefs.js] > -> C:\Users\AMD Tri-core\AppData\Roaming\Mozilla\FireFox\Profiles\1eda8jwk.default\prefs.js
YN -> extensions.enabledItems -> vshareus@toolbar:1.0.0
< FireFox Extensions [Program Folders] > ->
YY -> XULRunner -> C:\USERS\AMD TRI-CORE\APPDATA\LOCAL\{52FCEEBA-395E-4382-9A8E-2E8F2E02E737}
YY -> vShare -> C:\USERS\AMD TRI-CORE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1EDA8JWK.DEFAULT\EXTENSIONS\VSHAREUS@TOOLBAR
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {043C5167-00BB-4324-AF7E-62013FAEDACF} [HKLM] -> C:\Program Files (x86)\vShare\vshare_toolbar.dll [vShare Plugin]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> "{043C5167-00BB-4324-AF7E-62013FAEDACF}" [HKLM] -> C:\Program Files (x86)\vShare\vshare_toolbar.dll [vShare Plugin]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1967815349-2296150461-847603945-1000\] > -> HKEY_USERS\S-1-5-21-1967815349-2296150461-847603945-1000\Software\Microsoft\Internet Explorer\Toolbar\
YY -> WebBrowser\\"{043C5167-00BB-4324-AF7E-62013FAEDACF}" [HKLM] -> C:\Program Files (x86)\vShare\vshare_toolbar.dll [vShare Plugin]
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Jringo7

  • Guest
I've been clicking through several links and no problems yet... But when I do have the issue, it's so random that I'm not about to celebrate. ;) I just got really worried when I read all of those comments on ipillion.com b/c they are the same problems I've been having, so I figured it really was malware and not a false alarm. Either way, here is what came up after the reboot:

All Processes Killed
[Registry - Safe List]
Prefs.js: vshareus@toolbar:1.0.0 removed from extensions.enabledItems
C:\USERS\AMD TRI-CORE\APPDATA\LOCAL\{52FCEEBA-395E-4382-9A8E-2E8F2E02E737}\chrome\content folder moved successfully.
C:\USERS\AMD TRI-CORE\APPDATA\LOCAL\{52FCEEBA-395E-4382-9A8E-2E8F2E02E737}\chrome folder moved successfully.
C:\USERS\AMD TRI-CORE\APPDATA\LOCAL\{52FCEEBA-395E-4382-9A8E-2E8F2E02E737} folder moved successfully.
C:\USERS\AMD TRI-CORE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1EDA8JWK.DEFAULT\EXTENSIONS\VSHAREUS@TOOLBAR\modules folder moved successfully.
C:\USERS\AMD TRI-CORE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1EDA8JWK.DEFAULT\EXTENSIONS\VSHAREUS@TOOLBAR\locale\en-US folder moved successfully.
C:\USERS\AMD TRI-CORE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1EDA8JWK.DEFAULT\EXTENSIONS\VSHAREUS@TOOLBAR\locale folder moved successfully.
C:\USERS\AMD TRI-CORE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1EDA8JWK.DEFAULT\EXTENSIONS\VSHAREUS@TOOLBAR\components folder moved successfully.
C:\USERS\AMD TRI-CORE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1EDA8JWK.DEFAULT\EXTENSIONS\VSHAREUS@TOOLBAR\chrome folder moved successfully.
C:\USERS\AMD TRI-CORE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1EDA8JWK.DEFAULT\EXTENSIONS\VSHAREUS@TOOLBAR folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ deleted successfully.
C:\Program Files (x86)\vShare\vshare_toolbar.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{043C5167-00BB-4324-AF7E-62013FAEDACF} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ not found.
File C:\Program Files (x86)\vShare\vshare_toolbar.dll not found.
Registry value HKEY_USERS\S-1-5-21-1967815349-2296150461-847603945-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{043C5167-00BB-4324-AF7E-62013FAEDACF} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ not found.
File C:\Program Files (x86)\vShare\vshare_toolbar.dll not found.
[Custom Items]
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\AMD Tri-core\Downloads\cmd.bat deleted successfully.
C:\Users\AMD Tri-core\Downloads\cmd.txt deleted successfully.
[Empty Temp Folders]
 
 
User: All Users
 
User: AMD Tri-core
->Temp folder emptied: 49292 bytes
->Temporary Internet Files folder emptied: 180100 bytes
->Java cache emptied: 2833067 bytes
->FireFox cache emptied: 115964504 bytes
->Flash cache emptied: 2634 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56466 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 557056 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67630 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 114.00 mb
 
 
[EMPTYFLASH]
 
User: All Users
 
User: AMD Tri-core
->Flash cache emptied: 0 bytes
 
User: Default
->Flash cache emptied: 0 bytes
 
User: Default User
->Flash cache emptied: 0 bytes
 
User: Public
 
Total Flash Files Cleaned = 0.00 mb
 
Restore point Set: OTS Restore Point
< End of fix log >
OTS by OldTimer - Version 3.1.42.0 fix logfile created on 05252011_150037

Files\Folders moved on Reboot...
C:\Users\AMD Tri-core\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...
« Last Edit: May 25, 2011, 10:13:32 PM by Jringo7 »
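
Added example, not part of the original posts and not OTS's own code: a short Python triage of a fix log like the one above, which collapses repeated entries per artifact and lists the items that were not confirmed removed (already absent, or still waiting for a reboot). The function names `triage` and `needs_followup` are hypothetical, and the line patterns are an assumption inferred only from the log lines shown in this thread.

```python
import re

# Excerpt of the fix log posted above, embedded so the example runs offline.
SAMPLE_LOG = r"""
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ deleted successfully.
C:\Program Files (x86)\vShare\vshare_toolbar.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{043C5167-00BB-4324-AF7E-62013FAEDACF} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{043C5167-00BB-4324-AF7E-62013FAEDACF}\ not found.
File C:\Program Files (x86)\vShare\vshare_toolbar.dll not found.
C:\USERS\AMD TRI-CORE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\1EDA8JWK.DEFAULT\EXTENSIONS\VSHAREUS@TOOLBAR folder moved successfully.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
"""

# Assumption: these patterns cover only the line shapes visible in this thread.
PREFIX = r"(?:Registry (?:key|value) |File )?"
OUTCOMES = [
    ("pending_reboot", re.compile(
        r"^File move failed\. (?P<target>.+?) scheduled to be moved on reboot\.$")),
    ("removed", re.compile(
        "^" + PREFIX + r"(?P<target>.+?) (?:folder )?(?:moved|deleted) successfully\.$")),
    ("not_found", re.compile("^" + PREFIX + r"(?P<target>.+?) not found\.$")),
]

def triage(log_text):
    """Return {artifact: final_status} for each artifact the log reports on."""
    state = {}
    for line in log_text.splitlines():
        line = line.strip()
        for outcome, pattern in OUTCOMES:
            match = pattern.match(line)
            if not match:
                continue
            # Windows paths and registry names are case-insensitive.
            key = match.group("target").rstrip("\\").lower()
            if outcome == "not_found":
                # "not found" after an earlier removal is a duplicate fix entry,
                # so it must not overwrite the recorded removal.
                state.setdefault(key, "already_absent")
            else:
                state[key] = outcome
            break
    return state

def needs_followup(state):
    """Artifacts that were not confirmed removed in this run."""
    return sorted(k for k, v in state.items() if v != "removed")

if __name__ == "__main__":
    for artifact in needs_followup(triage(SAMPLE_LOG)):
        print(artifact)
```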

Offline essexboy

Could you now run for a while, and if it happens again, could you make a note of the site please?

Jringo7

  • Guest
Yessir

Edit: I haven't had this problem pop up since you've helped me. It wasn't exactly frequent when I came to you, but I am feeling a lot better about it now. I will keep running periodic scans and hope it's added to the definitions. Thank you so much for your help.
« Last Edit: May 27, 2011, 06:28:28 PM by Jringo7 »