Author Topic: Malicious URL blocked  (Read 9863 times)


rwaldrep

  • Guest
Malicious URL blocked
« on: July 05, 2011, 01:43:34 AM »
Hi there,

Running Windows XP Professional on a Dell D620.  I am using Avast, did a boottime scan and found nothing, also ran a Malwarebytes full scan and found nothing. Reputable links are resulting in Avast blocking them, and the links are trying to redirect me to 64.111.211.158.  This doesn't happen 100% of the time, but enough to be annoying.  Often, hitting the back button and clicking on the same link will not cause a malicious URL blockage, and I will be directed to the legitimate site.  It's still frustrating, though!

I'm tempted to follow the same procedures outlined in similar threads, but I'll wait for professional advice!

Thanks for your help in advance!
Randy

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Malicious URL blocked
« Reply #1 on: July 05, 2011, 02:12:25 AM »
Try a forum search for ISPrime, as that is the IP address you posted; I believe I saw that in a recent topic.

OK, this is the one, and it was proving to be a bit of a pig to remove until it was properly analysed by a malware removal specialist: http://forum.avast.com/index.php?topic=80917.msg661773#msg661773.

So for the time being I would suggest you run OTS and post the log, and when essexboy is back on the forums (won't be for some time, 1:10am in the UK) hopefully he can analyse the log and create a fix. What was produced in the other topic is specifically for that user and shouldn't be used.

Quote from: essexboy
Unfortunately no two attacks are the same so first I will need to see what you have.

Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

Note: this says attach the file (too big for copy and paste); use the Additional Options in the Reply window to attach the file.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

rwaldrep

  • Guest
Re: Malicious URL blocked
« Reply #2 on: July 05, 2011, 02:52:28 AM »
Hi again,

Thanks for the quick reply.  Attached is the OTS log from the scan per your instructions.

Thanks again
Randy

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Malicious URL blocked
« Reply #3 on: July 05, 2011, 03:02:41 AM »
Unfortunately we will have to wait for someone familiar with this tool to analyse it.

com155

  • Guest
Re: Malicious URL blocked
« Reply #4 on: July 05, 2011, 10:58:21 AM »
I saw the log; it's familiar to me and I can also enlist the fix. Here you go:

Please paste this into the "Paste fix here" panel and then hit Run Fix.
Code:
[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\] > ->
YN -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\: URLSearchHooks\\"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< FireFox Extensions [User Folders] > ->
YY -> XUL Cache   -> C:\Users\randy\AppData\Roaming\iexplorer\Profiles\nr8zccsm.default\extensions\{57427a7e-7448-4510-9ee0-34a6e752b42c}
YY -> ShopToWin13   -> C:\Users\randy\AppData\Roaming\iexplorer\Profiles\nr8zccsm.default\extensions\{b9dbe2c0-031f-4cad-911a-f4a7381d79c0}
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\] > -> HKEY_USERS\S-1-5-21-3498192001-3238401358-4033018105-1001\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{30F9B915-B755-4826-820B-08FBA6BD249D}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY ->  iscsied32.dll -> C:\ProgramData\iscsied32.dll
NY ->  Free Offers from Freeze.com -> C:\Program Files (x86)\Free Offers from Freeze.com
[Files/Folders - Modified Within 30 Days]
NY ->  573779942 -> C:\Windows\SysWow64\573779942
NY ->  iscsied32.dll -> C:\ProgramData\iscsied32.dll
[Files - No Company Name]
NY ->  573779942 -> C:\Windows\SysWow64\573779942
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]



Hope this helps you out.
 
« Last Edit: July 05, 2011, 11:06:00 AM by com155 »

rwaldrep

  • Guest
Re: Malicious URL blocked
« Reply #5 on: July 05, 2011, 07:24:43 PM »
Thanks for your input.  I'd like the senior members to study the OTS log before I take any further action.

Randy

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Malicious URL blocked
« Reply #6 on: July 05, 2011, 07:33:30 PM »
I have asked essexboy to check in when he can, he has probably only recently got back from work.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL blocked
« Reply #7 on: July 05, 2011, 08:23:40 PM »
Hi, I do not know where that fix came from, but it bears no relation to reality. On completion of this, can you let me know if the symptoms persist?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > ->
YN -> HKEY_USERS\.DEFAULT\: Main\\"XMLHTTP_UUID_Default" -> 77 22 92 11 D9 F5 CD 4C 9F D8 1F 0D 84 0E F2 0B  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > ->
YN -> HKEY_USERS\S-1-5-18\: Main\\"XMLHTTP_UUID_Default" -> 77 22 92 11 D9 F5 CD 4C 9F D8 1F 0D 84 0E F2 0B  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > ->
YN -> HKEY_USERS\S-1-5-19\: Main\\"XMLHTTP_UUID_Default" -> 77 22 92 11 D9 F5 CD 4C 9F D8 1F 0D 84 0E F2 0B  [binary data]
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > ->
YN -> HKEY_USERS\S-1-5-20\: Main\\"XMLHTTP_UUID_Default" -> 77 22 92 11 D9 F5 CD 4C 9F D8 1F 0D 84 0E F2 0B  [binary data]
< FireFox Extensions [User Folders] > ->
YY -> XUL Cache   -> C:\Documents and Settings\rwaldrep\Application Data\Mozilla\Firefox\Profiles\2bz2icop.default\extensions\{0bba7f5b-ef03-45ed-8774-29e3999c5adc}
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\WINDOWS\system32\muweb32.dll -> C:\WINDOWS\system32\muweb32.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\system32\psapi32.exe" -> [C:\WINDOWS\system32\psapi32.exe:*:Enabled:Windows Update Service]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\system32\psapi32.exe" -> [C:\WINDOWS\system32\psapi32.exe:*:Enabled:Windows Update Service]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \##169.254.74.168#usb ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##169.254.74.168#usb\Shell ->
YN -> \##169.254.74.168#usb\Shell\\"" -> [AutoRun]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##169.254.74.168#usb\Shell\AutoRun ->
YN -> \##169.254.74.168#usb\Shell\AutoRun\\"" -> [Auto&Play]
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##169.254.74.168#usb\Shell\AutoRun\command ->
YN -> \##169.254.74.168#usb\Shell\AutoRun\command\\"" -> [Y:\WDSetup.exe]
YN -> \{1455e04f-345d-11de-a8ce-0015c53b3344} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1455e04f-345d-11de-a8ce-0015c53b3344}\Shell\AutoRun\command ->
YN -> \{1455e04f-345d-11de-a8ce-0015c53b3344}\Shell\AutoRun\command\\"" -> [E:\WDSetup.exe]
[Files/Folders - Created Within 30 Days]
NY ->  muweb32.dll -> C:\WINDOWS\System32\muweb32.dll
[Files/Folders - Modified Within 30 Days]
NY ->  muweb32.dll -> C:\WINDOWS\System32\muweb32.dll
NY ->  1114984448 -> C:\WINDOWS\System32\1114984448
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
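As an added example (not part of the thread and not OTS's own code), the script below parses fix-script lines of the shape posted above and ranks the persistence points a responder would want to check first: the AppInit_DLLs entry, the firewall exception, the cached AutoRun command, and recent files that match or look odd. The severity scale and the rules behind it are my own heuristics (OTS assigns no severity), and the sample lines are constructed from the entries in essexboy's fix rather than taken from a real log.

```python
"""Triage helper for OTS fix-script lines (added example, not OTS code).

Registry sections appear as "< Name [Scope] > -> path" headers followed by
"XX -> name -> value" item lines; file groups appear as "[Group]" headers with
the same item lines.  The severity rules below are the author's own heuristics
(an assumption), and SAMPLE_FIX is constructed from the thread, not a real log.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on essexboy's fix; not a complete OTS log.
SAMPLE_FIX = r'''
[Registry - Safe List]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
YY -> C:\WINDOWS\system32\muweb32.dll -> C:\WINDOWS\system32\muweb32.dll
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\system32\psapi32.exe" -> [C:\WINDOWS\system32\psapi32.exe:*:Enabled:Windows Update Service]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \##169.254.74.168#usb ->
YN -> \##169.254.74.168#usb\Shell\AutoRun\command\\"" -> [Y:\WDSetup.exe]
[Files/Folders - Modified Within 30 Days]
NY ->  muweb32.dll -> C:\WINDOWS\System32\muweb32.dll
NY ->  1114984448 -> C:\WINDOWS\System32\1114984448
[Empty Temp Folders]
[CreateRestorePoint]
'''

GROUP_RE = re.compile(r"^\[(?P<group>[^\]]+)\]$")                     # "[Files/Folders - ...]"
SECTION_RE = re.compile(r"^<\s*(?P<name>.+?)\s*(?:\[(?P<scope>[^\]]*)\])?\s*>\s*->\s*(?P<path>.*)$")
ITEM_RE = re.compile(r"^(?P<flags>[YN]{2})\s*->\s*(?P<name>.*?)\s*->\s*(?P<value>.*)$")
ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    severity: str   # heuristic scale: "high", "medium" or "low"
    section: str    # registry section or file group the item came from
    detail: str


def parse_items(text):
    """Yield (group, section, scope, flags, name, value) for each item line."""
    group = section = scope = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := GROUP_RE.match(line):
            group, section, scope = m["group"], "", ""
        elif m := SECTION_RE.match(line):
            section, scope = m["name"], m["scope"] or ""
        elif m := ITEM_RE.match(line):
            # The two-letter OTS flag is kept verbatim and not interpreted here.
            yield group, section, scope, m["flags"], m["name"], m["value"]


def split_firewall_entry(value):
    """'[C:\\dir\\x.exe:*:Enabled:Label]' -> ('C:\\dir\\x.exe', 'Label').

    rsplit keeps the drive-letter colon inside the path."""
    parts = value.strip("[]").rsplit(":", 3)
    return parts[0], (parts[3] if len(parts) == 4 else "")


def triage(text):
    items = list(parse_items(text))
    # A DLL listed in AppInit_DLLs is loaded into every process that maps
    # user32.dll, so the same path in a recent-files group is worth correlating.
    appinit = {v.lower() for _, s, _, _, _, v in items if "appinit_dlls" in s.lower() and v}
    findings = []
    for group, section, scope, flags, name, value in items:
        sec = section.lower()
        if "appinit_dlls" in sec and value:
            findings.append(Finding("high", section, f"DLL loaded into every user32-linked process: {value}"))
        elif "authorized applications list" in sec:
            exe, label = split_firewall_entry(value)
            findings.append(Finding("medium", section, f"firewall exception for {exe} labelled {label!r}"))
        elif "mountpoints2" in sec and name.lower().endswith(r'\shell\autorun\command\\""'):
            volume = name.lstrip("\\").split("\\", 1)[0]
            findings.append(Finding("low", section, f"cached AutoRun command for volume {volume}: {value}"))
        elif group.lower().startswith("files"):
            if value.lower() in appinit:
                findings.append(Finding("high", group, f"recent file is the AppInit_DLLs payload: {value}"))
            elif re.fullmatch(r"\d+", name):
                findings.append(Finding("medium", group, f"numeric-only filename: {value}"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 2, 'low': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    import sys
    # Pass a saved fix script as the first argument; otherwise the sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_FIX
    for f in sorted(triage(text), key=lambda f: ORDER[f.severity]):
        print(f"[{f.severity:<6}] {f.section}: {f.detail}")
```

The correlation step is the useful part: on its own, a recently modified DLL in System32 is just a file, but the same path appearing in AppInit_DLLs tells you it was being injected into every GUI process, which is why the redirects in this thread survived a boot-time scan that found nothing on disk by signature.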

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: Malicious URL blocked
« Reply #8 on: July 05, 2011, 09:06:08 PM »
Quote from: rwaldrep
Thanks for your input.  I'd like the senior members to study the OTS log before I take any further action.

Randy
Smart man   ;)

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Malicious URL blocked
« Reply #9 on: July 05, 2011, 09:33:44 PM »
Quote from: essexboy
Hi, I do not know where that fix came from, but it bears no relation to reality.
<snip>

Well, given what com155 has done before, he has probably copied one of your scripts in the belief that the fix works on all, but it is in fact unique to a specific system. Now you know why I asked for your assistance.

Quote from: Pondus
Quote from: rwaldrep
Thanks for your input.  I'd like the senior members to study the OTS log before I take any further action.

Randy
Smart man   ;)

Very smart.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: Malicious URL blocked
« Reply #10 on: July 05, 2011, 11:03:42 PM »
Hi DavidR & Pondus & essexboy & rwaldrep,

The user in this case outsmarted the pseudo-OP.
So you are welcome here, rwaldrep, welcome to these forums,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

rwaldrep

  • Guest
Re: Malicious URL blocked
« Reply #11 on: July 06, 2011, 12:33:27 AM »
Hello again,

Thanks for the quick reply and info on how to proceed. I ran the fix as indicated and I'm attaching the text results here.  So far everything looks fixed, but I'll send another update if things turn sour.

As for the junior member's contribution, well, I don't mind others trying to help in a time of need, but I've seen others with the same problem where the fix was different.  It's kind of like going to the hospital to be cured--you kind of want a qualified physician to diagnose and do the operating.

Thanks again for making this so easy!
Randy

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34065
  • malware fighter
Re: Malicious URL blocked
« Reply #12 on: July 06, 2011, 12:45:59 AM »
Hi rwaldrep,

With essexboy you were in the best of hands. I hope you will return to these forums, stay safe and secure online,

polonus

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL blocked
« Reply #13 on: July 06, 2011, 07:47:03 PM »
Let me know when you are happy

rwaldrep

  • Guest
Re: Malicious URL blocked
« Reply #14 on: July 06, 2011, 08:00:31 PM »
I'm very happy.  Thanks to all of you for your quick and professional guidance!

Randy