Author Topic: Malicious URL Blocked.. Annoying problem wont go away.  (Read 12244 times)

0 Members and 1 Guest are viewing this topic.

Offline acuk

  • Newbie
  • *
  • Posts: 9
Malicious URL Blocked.. Annoying problem wont go away.
« on: July 02, 2011, 03:55:46 PM »
I keep getting alerts from Avast for Malicious URL's it seems to be rundll32.exe causing the problem but not sure.
The IP addresses it reports as Malware are 64.111.211.158 and 64.11.211.165
I have checked these at Virus Total and it reports the IP addresses as clean.
http://tinyurl.com/5vh4hmh
http://tinyurl.com/62xnm3p
Malwarebytes finds nothing
Ran full scan on c:/Windows/System32 Nothing.
The Alert is Frequent at least once/twice every couple of minutes.

Hope someone can help.

Offline spg SCOTT

  • Massive Poster
  • ****
  • Posts: 4124
  • There is no magic, only lost physics
    • spg SCOTT
Re: Malicious URL Blocked.. Annoying problem wont go away.
« Reply #1 on: July 02, 2011, 04:00:40 PM »
Hi acuk, welcome to the forum :)

First, there is no need for the tinyurl links, in fact I think that many would not click them, because they are shortened links. (I certainly don't just click them anyway)
The full links are fine, and are listed below (for the others)

http://www.virustotal.com/url-scan/report.html?id=45fd6d7f984afba10f5a1a81647c9963-1309605771
http://www.virustotal.com/url-scan/report.html?id=edf0f0531d591f4469df935e0cacc48f-1309605952

Now for the problem at hand, I would suggest starting here:
http://forum.avast.com/index.php?topic=53253.0

Post the logs back for those that can read them to help ;)

Scott
“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!”Richard Feynman

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85945
  • No support PMs thanks
Re: Malicious URL Blocked.. Annoying problem wont go away.
« Reply #2 on: July 02, 2011, 04:38:39 PM »
I don't like the shortened URLs either (always suspicious of what I can't see), so much so I have installed the LongURL Mobile Expander firefox add-on.

That said even though VT shows clean, I don't believe that for a second. It is highly suspect for this dll to be connecting to the internet and to sites that avast considers malicious.

This type of activity is often indicative of having a rootkit on your system.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline acuk

  • Newbie
  • *
  • Posts: 9
Re: Malicious URL Blocked.. Annoying problem wont go away.
« Reply #3 on: July 02, 2011, 04:57:34 PM »
Hi guys Thanks for the quick reply.
Soz about the shortened urls,i wasn't really thinking , innocent newbie mistake.
Actually thinking about it.. I wont be using it again , never really thought about the security issues that can arise from shortened URLs until now.. Learnt something useful already.
Funny thing also ... since coming to this forum the alerts seemed to have suddenly stopped ??? Fluke or What) but since i am very security conscious ie, run checks every week,I want peace of mind i would appreciate if someone can check the logs.
Cheers
Thanks in advance
acuk 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85945
  • No support PMs thanks
Re: Malicious URL Blocked.. Annoying problem wont go away.
« Reply #4 on: July 02, 2011, 05:06:14 PM »
Well MBAM clean but if as I suspect there might be a rootkit present, it could be hiding them.

I'm not familiar with the OTS log so someone else will have to investigate that.

In the meantime you can check if you have an MBR rootkit using this tool:
Quote from: essexboy
Download aswMBR.exe ( 1.8MB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

 
On completion of the scan click save log, save it to your desktop and post in your next reply



Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline acuk

  • Newbie
  • *
  • Posts: 9
Re: Malicious URL Blocked.. Annoying problem wont go away.
« Reply #5 on: July 02, 2011, 05:15:39 PM »
Hi David your concerns about a rootkit got me very concerned , i did actually run this yesterday it also found nothing , but i will run it again now and report back.
As i said you got me a bit concerned so i ran Trends RookitBuster
Latest version http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=355&regs=NABU&lang_loc=1#undefined
And it found a few things now im really worried
I havent deleted any of the found hooks ill wait for further instructions.
Here the Trends Log.
Thanks
acuk

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85945
  • No support PMs thanks
Re: Malicious URL Blocked.. Annoying problem wont go away.
« Reply #6 on: July 02, 2011, 05:23:29 PM »
Well nothing I can see that is suspect, but I would certainly use the aswMBR tool as that really has been very hot on MBR rootkit detections if present.

The hooked service mentioned, aswSnx.sys is the avast Sandbox driver. So I wouldn't go touching that ;D
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline acuk

  • Newbie
  • *
  • Posts: 9
Re: Malicious URL Blocked.. Annoying problem wont go away.
« Reply #7 on: July 02, 2011, 06:07:56 PM »
Thanks Dave OK wont go touching those then.
Heres the latest aswmbr log
Also U mention LongURL Mobile Expander firefox add-on
Im running Firefox 5 , but cant seem to find it anywhere could you send me a link to that mate.
Cheers
acuk

Also im using a program called Hostman for extra security
http://www.abelhadigital.com/hostsman
But how would i enter the two suspious ip's into it so my computer would reject the sites.
Every search i'vs done on these Ip's i cant get a Hostname. ??
Any help would be appreciated.
The alerts in question have NOT re-occurred now for over 1Hr,Very Puzzling
Am i clean ? What was this i would love to know how i got this.
acuk
« Last Edit: July 02, 2011, 06:16:06 PM by acuk »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85945
  • No support PMs thanks
Re: Malicious URL Blocked.. Annoying problem wont go away.
« Reply #8 on: July 02, 2011, 06:35:23 PM »
Well nothing unusual there either.

Strange that they stopped as that would only normally happen after some form of cleaning.

This is the whois of the IP address (see image, click to expand) and it doesn't seen your usual malicious site, does this ISPrime ring any bells to you (but still strange for this connection by rundll32.dll) ?

I will try and get someone to take a look at the OTS log.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40610
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL Blocked.. Annoying problem wont go away.
« Reply #9 on: July 02, 2011, 06:56:12 PM »
A few bad boys have taken up residence

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > ->
YN -> HKEY_LOCAL_MACHINE\: URLSearchHooks\\"{1392b8d2-5c05-419f-a8f6-b9f15a596612}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1001\] > ->
YN -> HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1001\: URLSearchHooks\\"{1392b8d2-5c05-419f-a8f6-b9f15a596612}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1008\] > ->
YN -> HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1008\: "ProxyServer" -> http=127.0.0.1:49939
< Run [HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1001\] > -> HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "SystemAuthenticationCtrl" -> C:\Users\Pete\AppData\Local\BthHelpaudio\SystemAuthenticationCtrl.dll [rundll32.exe "C:\Users\Pete\AppData\Local\BthHelpaudio\SystemAuthenticationCtrl.dll",userPadTray BthMainvga]
< Run [HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1008\] > -> HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "java checksys" -> [%TEMP%\rtpmp.exe]
YN -> "java system update" -> [%TEMP%\eumlm.exe]
YN -> "windows updater" -> [%TEMP%\gaspci.exe]
YN -> "winupdate system" -> [%TEMP%\icvcc.exe]
[Files/Folders - Created Within 30 Days]
NY ->  temp.01A -> C:\Windows\System32\temp.01A
NY ->  temp.01C -> C:\Windows\System32\temp.01C
NY ->  temp.01B -> C:\Windows\System32\temp.01B
NY ->  temp.019 -> C:\Windows\System32\temp.019
NY ->  temp.018 -> C:\Windows\System32\temp.018
NY ->  temp.015 -> C:\Windows\System32\temp.015
NY ->  temp.017 -> C:\Windows\System32\temp.017
NY ->  temp.016 -> C:\Windows\System32\temp.016
NY ->  temp.014 -> C:\Windows\System32\temp.014
NY ->  temp.013 -> C:\Windows\System32\temp.013
NY ->  temp.010 -> C:\Windows\System32\temp.010
NY ->  temp.012 -> C:\Windows\System32\temp.012
NY ->  temp.011 -> C:\Windows\System32\temp.011
NY ->  temp.00F -> C:\Windows\System32\temp.00F
NY ->  temp.00E -> C:\Windows\System32\temp.00E
NY ->  temp.00D -> C:\Windows\System32\temp.00D
NY ->  temp.00C -> C:\Windows\System32\temp.00C
NY ->  temp.00B -> C:\Windows\System32\temp.00B
NY ->  temp.00A -> C:\Windows\System32\temp.00A
NY ->  temp.009 -> C:\Windows\System32\temp.009
NY ->  0 -> C:\Windows\System32\0
NY ->  temp.004 -> C:\Windows\System32\temp.004
[Files/Folders - Modified Within 30 Days]
NY ->  At2.job -> C:\Windows\tasks\At2.job
NY ->  At1.job -> C:\Windows\tasks\At1.job
[Files - No Company Name]
NY ->  At2.job -> C:\Windows\tasks\At2.job
[Custom Items]
:Files
C:\Windows\tasks\At*.job
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85945
  • No support PMs thanks
Re: Malicious URL Blocked.. Annoying problem wont go away.
« Reply #10 on: July 02, 2011, 06:59:03 PM »
Thanks for joining us essexboy.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline acuk

  • Newbie
  • *
  • Posts: 9
Re: Malicious URL Blocked.. Annoying problem wont go away.
« Reply #11 on: July 02, 2011, 07:19:37 PM »
Thanks for joining essexboy appreciate it.
Here the log .. Hope I'm Clean , from your investigations.. how or what did i do.. to get this .
i thought i was quite vigilant , with all my downloads / programs scanned first etc.?
I don't visit spurious websites never use facebook cautious on what i download.
I have Avast constantly running & updated
Same goes for MWBytes
I use peerblock and hostman programs.
Use CCLeaner everday. ATF Cleaner & Old Timers TFC.
How on earth did it get through ?.
Any help to lead me to preventing Cr%P like this from happening again would be useful.
Cheers Guys
Thanks to essexboy & dave :)

Ps: Dave ISPrime means nothing to me..

Why is there no Hostname ?
http://network-tools.com/default.asp?prog=express&host=64.111.211.158
« Last Edit: July 02, 2011, 07:26:19 PM by acuk »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40610
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL Blocked.. Annoying problem wont go away.
« Reply #12 on: July 02, 2011, 08:56:28 PM »
These were the main bad boys

C:\Windows\tasks\At2.job
C:\Users\Pete\AppData\Local\BthHelpaudio\SystemAuthenticationCtrl.dll


Variants of a trojan downloader - they were helped by a proxy within  IE

HKEY_USERS\S-1-5-21-447438009-1717116898-3675535531-1008\: "ProxyServer" -> http=127.0.0.1:49939

The server was probably taken down, but no doubt it will reappear in another guise

Could you now run a Malwarebytes quick scan and post the log please as sometimes when I remove something other files are revealed... Also how is your computer behaving now ?

Offline acuk

  • Newbie
  • *
  • Posts: 9
Re: Malicious URL Blocked.. Annoying problem wont go away.
« Reply #13 on: July 02, 2011, 10:35:10 PM »
Thanks essexboy
Even stranger i dont even use Ie unless a program sometimes automatically opens it .
Strictly a Firefox Fan.
Thanks for all your Help
Am i clean then ?
Am i good to go.
Cheers
acuk

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40610
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL Blocked.. Annoying problem wont go away.
« Reply #14 on: July 02, 2011, 11:05:15 PM »
Let it run for a day or so - then when you are happy let me know and I will remove my tools and tidy you up