Author Topic: Constant "Malicious URL Blocked" warnings...  (Read 7098 times)


Dr Colossus

  • Guest
Constant "Malicious URL Blocked" warnings...
« on: June 23, 2011, 06:44:25 AM »
Hello, I've never posted here before, so I apologize if I'm not familiar with your protocol for dealing with problems! I've had an issue the past several days where a few times every hour Avast will inform me that a Malicious URL is being blocked.

I've run several scans with Malwarebytes and every time it turns up results for malware, which I then remove. Here's the latest log from the last scan I did:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6923

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19088

6/22/2011 11:45:36 PM
mbam-log-2011-06-22 (23-45-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 244415
Time elapsed: 57 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\config\systemprofile\AppData\Roaming\020000007f2599ae1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\020000007f2599ae1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\020000007f2599ae1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\020000007f2599ae1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\020000007f2599ae1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\020000007f2599ae1270o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\020000007f2599ae1270p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\020000007f2599ae1270s.manifest (Malware.Trace) -> Quarantined and deleted successfully.

In a further attempt to rid myself of this problem, I did a system restore to a couple of days before (I believe) these problems occurred, ran CCleaner, and it still persists.

I did a full system scan with Avast and got this, also:

Although I had to cancel the scan in favor of doing it tomorrow, I'll post those results then. Thanks for any help, and if there's further information about my problem that I failed to provide, please let me know.
« Last Edit: June 23, 2011, 06:48:17 AM by Dr Colossus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89679
  • No support PMs thanks
Re: Constant "Malicious URL Blocked" warnings...
« Reply #1 on: June 23, 2011, 11:58:23 AM »
The processes in your first two images are highly suspect and avast is blocking them from accessing malicious sites; your firewall should also be involved here. What is your firewall?

The third image again is at the very least highly suspect and I would advise following the recommended action in this case, Deletion. Generally I don't recommend deletion as a first action, but this is quite clear.

Try and find the two files in the first images and send them to the avast chest and then to the virus labs for analysis as they are most certainly malicious and undetected in that regard, but avast is at least blocking their downloading more malware.

Given MBAM has also found other traces of malware, I would suggest that you run a specific MBR rootkit scan (see #### below), as something could well be hiding other elements; as in the third image, you already appear to have a rootkit running, which could already be masking malware. So you need to allow avast to delete that the next time it appears, or run a Full System Scan, which also does a rootkit scan as part of that.

####
You can check if you have an MBR rootkit using this tool:
Quote from: essexboy
Download aswMBR.exe ( 568KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply


Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Dr Colossus
Re: Constant "Malicious URL Blocked" warnings...
« Reply #2 on: June 23, 2011, 11:23:03 PM »
Hello, thank you for your quick reply! To answer your first question, the firewall I'm running is Windows Firewall. And when I was prompted to delete that RootKit file, I did so before canceling the scan, which I will run shortly after the scan you suggested completes (the results of which I will post below.)

Secondly, to clarify, do you want me to find the .exe file listed in the first two images, or go through the sub-folders in my System32 folder until I find the objects that are listed? And how do I specifically send those files to the Avast chest for specific analysis?

Here are the results for my RootKit scan:

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-23 14:50:18
-----------------------------
14:50:18.284    OS Version: Windows 6.0.6002 Service Pack 2
14:50:18.284    Number of processors: 2 586 0x6801
14:50:18.284    ComputerName: MABT  UserName:
14:50:26.396    Initialize success
14:50:27.036    AVAST engine defs: 11062300
14:51:27.813    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
14:51:27.813    Disk 0 Vendor: Hitachi_HTS725025A9A364 PC2OC70E Size: 238475MB BusType: 3
14:51:29.857    Disk 0 MBR read successfully
14:51:29.857    Disk 0 MBR scan
14:51:29.873    Disk 0 Windows XP default MBR code
14:51:31.901    Disk 0 scanning sectors +488392065
14:51:31.932    Disk 0 scanning C:\Windows\system32\drivers
14:51:44.349    Service scanning
14:51:45.925    Disk 0 trace - called modules:
14:51:45.941    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
14:51:45.941    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85dc9530]
14:51:45.941    3 CLASSPNP.SYS[837a88b3] -> nt!IofCallDriver -> [0x8565dc10]
14:51:45.941    5 acpi.sys[806136bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x848bcb98]
14:51:47.033    AVAST engine scan C:\Windows
15:00:46.341    File: C:\Windows\System32\clbcatq32.exe  **INFECTED** Win32:Downloader-HXD [Trj]
16:36:07.202    AVAST engine scan C:\Users\Keith
16:50:53.962    AVAST engine scan C:\ProgramData
16:55:33.986    Scan finished successfully
17:22:33.798    Disk 0 MBR has been saved successfully to "C:\Users\Keith\Desktop\MBR.dat"
17:22:33.810    The log file has been saved successfully to "C:\Users\Keith\Desktop\aswMBR.txt"
« Last Edit: June 23, 2011, 11:24:50 PM by Dr Colossus »
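The two logs posted so far (the MBAM "Files Infected:" section in the first post and the aswMBR scan log above) are easy to triage by machine, which matters later in this thread when it becomes clear that aswMBR only reports a hit and does not quarantine it. The parser below is an added example, not a tool from Avast, Malwarebytes or anyone in this thread; the sample logs inside it are constructed from lines quoted above and abbreviated.

```python
"""Triage parser for the two log formats posted in this thread: the MBAM
"Files Infected:" section (first post) and aswMBR's timestamped scan log
(Reply #2).  Added example, not a tool from Avast, Malwarebytes or anyone
in the thread; the sample logs are constructed from quoted lines."""
import re
from dataclasses import dataclass

# Constructed sample, abbreviated from the MBAM log in the first post.
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.51.0.1200
Files Infected: 2

Files Infected:
c:\Windows\System32\config\systemprofile\AppData\Roaming\020000007f2599ae1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\System32\020000007f2599ae1270c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
"""

# Constructed sample, abbreviated from the aswMBR log in Reply #2.
ASWMBR_LOG = r"""
14:51:29.873    Disk 0 Windows XP default MBR code
15:00:46.341    File: C:\Windows\System32\clbcatq32.exe  **INFECTED** Win32:Downloader-HXD [Trj]
16:55:33.986    Scan finished successfully
"""


@dataclass(frozen=True)
class Finding:
    source: str       # "mbam" or "aswmbr"
    path: str
    detection: str    # vendor detection name
    action: str       # what the tool reports it did


# MBAM: "<path> (<detection>) -> <action>"
MBAM_FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<det>[^)]+)\) -> (?P<action>.+)$")
# aswMBR: "<hh:mm:ss.ms>    File: <path>  **INFECTED** <detection>"
ASWMBR_INF_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+File: (?P<path>.+?)\s+\*\*INFECTED\*\*\s+(?P<det>.+)$")
ASWMBR_MBR_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+Disk \d+ (?P<desc>.*MBR code.*)$")


def parse_mbam(text):
    """Findings from the 'Files Infected:' section; the section ends at a blank line."""
    findings, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Files Infected:":   # the summary line has a count after the colon
            in_section = True
            continue
        if in_section:
            if not line:
                in_section = False
                continue
            m = MBAM_FILE_RE.match(line)
            if m:
                findings.append(Finding("mbam", m["path"], m["det"], m["action"]))
    return findings


def parse_aswmbr(text):
    """aswMBR only reports hits; it does not quarantine, so each one stays open."""
    findings = []
    for raw in text.splitlines():
        m = ASWMBR_INF_RE.match(raw.strip())
        if m:
            findings.append(Finding("aswmbr", m["path"], m["det"].strip(), "reported only"))
    return findings


def mbr_status(aswmbr_text):
    """The MBR code description line, or None if the log has none."""
    for raw in aswmbr_text.splitlines():
        m = ASWMBR_MBR_RE.match(raw.strip())
        if m:
            return m["desc"]
    return None


def triage(mbam_text, aswmbr_text):
    return parse_mbam(mbam_text) + parse_aswmbr(aswmbr_text)


def open_items(findings):
    """Detected but not quarantined/deleted, i.e. still needing action."""
    return [f for f in findings if not f.action.startswith("Quarantined")]


if __name__ == "__main__":
    found = triage(MBAM_LOG, ASWMBR_LOG)
    print("MBR:", mbr_status(ASWMBR_LOG))
    for f in found:
        print(f"{f.source:7} {f.detection:27} {f.action:40} {f.path}")
    print("still open:", [f.path for f in open_items(found)])
```

Run it and the only open item is the aswMBR hit, which is exactly the file that survives the boot-time scan later in the thread; the MBAM entries are closed because MBAM's own action line says it quarantined them.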

Offline DavidR
Re: Constant "Malicious URL Blocked" warnings...
« Reply #3 on: June 24, 2011, 12:08:03 AM »
Try scheduling an avast Boot-time scan from the avastUI, Scan Computer, Boot-Time scan, Settings; hopefully that will get rid of the C:\Windows\System32\clbcatq32.exe  **INFECTED** Win32:Downloader-HXD [Trj].

When you schedule the boot-time scan, to speed things up don't scan archives or PUPs; I can't recall if they are off by default or not. Personally I prefer to leave it at Ask, so when a detection is made you choose what to do, move to chest being the recommended choice (first do no harm). Once you have chosen your settings click OK and then click Schedule now; it should ask to reboot.

It is that file, a trojan downloader, that is trying to access those sites. Hopefully its removal will resolve your problem.

Dr Colossus
Re: Constant "Malicious URL Blocked" warnings...
« Reply #4 on: June 24, 2011, 01:08:42 AM »
The scan I ran turned up these results:

The bootscan, however, turned up 0 threats (I unchecked both archives and pups.) I checked, and the process clbcatq32.exe is still there.

Offline DavidR

Re: Constant "Malicious URL Blocked" warnings...
« Reply #5 on: June 24, 2011, 01:55:50 AM »
JAVA Exploits are normally associated with old versions of JAVA and it is important to keep it up to date. I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

I can't understand why aswMBR, if it can detect it, can't have avast move it to the chest; after all, it is using the avast scanner. Otherwise the term standalone cleaning tool is somewhat misleading. Perhaps this needs modifying, as it probably only relates to MBR detections of the previous versions.

OK my QuickScan finished in a little under 15 minutes.

Try right-clicking on the clbcatq32.exe file and see if the right-click scan can detect this, aswQuick.exe (this is scanning one file) and shouldn't take 4 hours ;D

If no joy, update MBAM and run another scan; if that doesn't find anything, you could try the More Tools and select File Assassin, Run Tool button, and navigate to the clbcatq32.exe file location and see if we can't get rid of it that way.

Dr Colossus
Re: Constant "Malicious URL Blocked" warnings...
« Reply #6 on: June 24, 2011, 02:15:10 AM »
Aha! There we go, I moved the file successfully to the Avast chest by right-clicking it and scanning it. Do I need to go through with fully removing it through the Avast chest, or should this pretty much take care of it?

Offline DavidR

Re: Constant "Malicious URL Blocked" warnings...
« Reply #7 on: June 24, 2011, 02:20:50 AM »
No, for the time being (a few weeks) leave it there where it can do no harm and scan it again in the chest; if still infected, delete.

This should hopefully bring an end to the Malicious URL alerts, monitor your system for any other symptoms.

Have you had any recurrence of the Rootkit Found alert, image 3 in your first post (or did you have avast delete it as suggested) ?

Dr Colossus
Re: Constant "Malicious URL Blocked" warnings...
« Reply #8 on: June 24, 2011, 02:31:52 AM »
Nope, I confirmed its deletion when I was first prompted, and ever since then (several Avast scans later), it hasn't found anything like that since.

So for the next couple of weeks I should probably run routine scans to make sure nothing fishy is going on, and periodically scan the .exe file to see if it's still infected? Do I restore it if it no longer detects a threat or something during that time period?
« Last Edit: June 24, 2011, 02:33:59 AM by Dr Colossus »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67183
Re: Constant "Malicious URL Blocked" warnings...
« Reply #9 on: June 24, 2011, 02:41:25 AM »
Quote from: Dr Colossus
Do I restore it if it no longer detects a threat or something during that time period?
You can. Safer would be extracting the file and submitting it to www.virustotal.com
If clean, then you can restore.
The best things in life are free.

Dr Colossus
Re: Constant "Malicious URL Blocked" warnings...
« Reply #10 on: June 24, 2011, 03:02:42 AM »
Avast just told me it blocked another URL with the file in the chest. Does that mean there's still another on my computer that I still need to quarantine, or is it possible it's still doing this even when in the Avast chest?

Offline DavidR

Re: Constant "Malicious URL Blocked" warnings...
« Reply #11 on: June 24, 2011, 03:09:55 AM »
Quote from: Dr Colossus
Nope, I confirmed its deletion when I was first prompted, and ever since then (several Avast scans later), it hasn't found anything like that since.

So for the next couple of weeks I should probably run routine scans to make sure nothing fishy is going on, and periodically scan the .exe file to see if it's still infected? Do I restore it if it no longer detects a threat or something during that time period?

Just monitor the system for anything untoward, like avast detections and get back on the forums if required.

I rather doubt that after a period of time this file is no longer going to be detected; there really was too much going on with it for that to have been a false positive detection. But that would be the procedure: if after a few weeks it is no longer detected, then the original detection was likely to have been an FP, so you could restore it.

The reason for saying to follow this procedure even in such an obviously malicious file is to get into a routine of first do no harm (don't delete, unless specifically instructed to by someone you have confidence in), send it to the chest and investigate.
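The "first do no harm" routine laid out in Reply #9 and Reply #11 (hold the sample in the chest for a few weeks, check it by hash on www.virustotal.com rather than trusting a single scanner, re-scan it, then delete if still detected or restore if it was a false positive) is a small state machine, and it is worth keeping a ledger so the decision is made on recorded re-scans rather than memory. The script below is an added example, not Avast's chest or any tool from this thread; the hold period, the placeholder sample bytes and the temporary file stand-in for a chest copy are assumptions.

```python
"""'First do no harm' quarantine ledger for a sample moved to the chest:
hash it so its verdict can be looked up by hash on www.virustotal.com
without uploading anything, record each re-scan, and apply the
hold / delete / restore rule from this thread.  Added example; not Avast's
chest or any tool from the thread.  HOLD_DAYS and the placeholder sample
contents are assumptions."""
import hashlib
import os
import tempfile
from datetime import date, timedelta

HOLD_DAYS = 21   # "a few weeks" in the thread; assumed value


def sha256_of(path, chunk=1 << 20):
    """Stream the file so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def virustotal_hash_url(digest):
    """Public report page for a hash; a hash lookup never uploads the file."""
    return f"https://www.virustotal.com/gui/file/{digest}"


class QuarantineEntry:
    def __init__(self, original_path, chest_copy, quarantined_on):
        self.original_path = original_path
        self.sha256 = sha256_of(chest_copy)
        self.quarantined_on = quarantined_on
        self.rescans = []            # list of (date, detected)

    def record_rescan(self, on, detected):
        self.rescans.append((on, detected))

    def decision(self, today):
        """Hold until HOLD_DAYS have passed; then the latest re-scan decides:
        still detected -> delete; clean -> likely FP, restore (after the VT check)."""
        due = self.quarantined_on + timedelta(days=HOLD_DAYS)
        if today < due:
            return "hold"
        verdicts = [detected for on, detected in self.rescans if on >= due]
        if not verdicts:
            return "rescan-due"
        return "delete" if verdicts[-1] else "restore"


def build_demo_entry():
    """Constructed stand-in for the chest copy: placeholder bytes, not malware."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(b"abc")
    entry = QuarantineEntry(r"C:\Windows\System32\clbcatq32.exe", path, date(2011, 6, 24))
    os.remove(path)              # the hash is all the ledger keeps
    return entry


def demo_timeline(still_detected):
    """Decisions at day 7, at the end of the hold, and after one re-scan."""
    entry = build_demo_entry()
    q = entry.quarantined_on
    due = q + timedelta(days=HOLD_DAYS)
    steps = [entry.decision(q + timedelta(days=7)), entry.decision(due)]
    entry.record_rescan(due, still_detected)
    steps.append(entry.decision(due))
    return steps


if __name__ == "__main__":
    e = build_demo_entry()
    print(e.sha256, virustotal_hash_url(e.sha256))
    print("still detected:", demo_timeline(True))
    print("came up clean: ", demo_timeline(False))
```

Looking the hash up is the safer first step Lisandro recommends: it reveals nothing about the machine, and a hash that already has a report saves extracting the file from the chest at all. Only a clean verdict after the hold period should lead to a restore.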

Offline DavidR

Re: Constant "Malicious URL Blocked" warnings...
« Reply #12 on: June 24, 2011, 03:14:35 AM »
Quote from: Dr Colossus
Avast just told me it blocked another URL with the file in the chest. Does that mean there's still another on my computer that I still need to quarantine, or is it possible it's still doing this even when in the Avast chest?

We need the details of the detection; without that we are just guessing. It is possible there is still something undetected or hidden that is recreating the file, but we need the information.

I will leave you with another tool to run before I call it a night, 2:15am here.

Quote from: essexboy

Second opinion now

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

I will try to pick up again tomorrow or another forum member may be able to do so.


Dr Colossus
Re: Constant "Malicious URL Blocked" warnings...
« Reply #13 on: June 24, 2011, 03:25:05 AM »
I'm sorry, the alert was the 2nd image in my original post. I've only had those two alerts as far as I can recall popping up.

I'll give this new method a try now. Thanks so much for all your help, you've been most helpful. I'm sorry it's such a stubborn bug.

Offline DavidR

Re: Constant "Malicious URL Blocked" warnings...
« Reply #14 on: June 24, 2011, 03:29:14 AM »
Yes, but was it the same file name responsible for the connection attempt?

The Vista firewall has outbound protection disabled by default, and that should play a part in blocking unauthorised outbound connections (which this would be). Unfortunately the Vista firewall isn't very friendly, so I would suggest a 3rd party firewall with outbound protection.