Author Topic: Malicious URL Blocked, just like a lot of others!  (Read 6102 times)


Eloquent

  • Guest
Malicious URL Blocked, just like a lot of others!
« on: July 05, 2011, 12:21:49 PM »
Hi,
I read a lot of the other threads relating to my matter.
Like this : http://forum.avast.com/index.php?topic=80917.0
I also went through Essexboy's prelim scans and have the logs ready at hand.

Here's when it first started :
I remember reading manga (clean, I'm not that kind of person) and all of a sudden, msiexec.exe asks to be run. I keep on clicking no and exiting it, but it keeps on popping up.
I check up the program and Google says it's safe, needed for installations and uninstallations.
I clicked yes, then my Avast pops up, prompting that there's a virus.

I've scanned with Avast and MBAM, finding 1 and 6 threats respectively. I thought I removed the rootkit/browser hijacker but it came back recently.

I reran the full system scans with Avast and MBAM and found nothing this time.

Hope my problem is an easy fix!

Ps. The MBAM scan logs are dated 7-2-2011 and 7-4-2011, showing the first and second scan respectively :)

Pss. OTS log is too big, will try to use MediaFire for it.

Edit : Edited to say that the threat is always coming from "64.111.211.158" when being redirected.
« Last Edit: July 05, 2011, 12:28:55 PM by Eloquent »

Eloquent

  • Guest
Re: Malicious URL Blocked, just like a lot of others!
« Reply #1 on: July 05, 2011, 12:26:25 PM »
Here is the OTS log via MediaFire  :)

http://www.mediafire.com/?h6hc03p44ew39lb

Freespirit

  • Guest
Re: Malicious URL Blocked, just like a lot of others!
« Reply #2 on: July 05, 2011, 12:45:14 PM »
 :)

I have a similar issue where iexplorer.exe starts up without user input and the shield pops up saying URL blocked 64.111.211.158. I have used MBAM, ComboFix, GMER and RootkitRevealer and still can't stop this; when the browser is opened it redirects, as I would expect. Would be delighted if someone can help with a fix for this.

Charlie

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89012
  • No support PMs thanks
Re: Malicious URL Blocked, just like a lot of others!
« Reply #3 on: July 05, 2011, 02:58:48 PM »
Please stick with your own topic you created and post the full information on the detection in that, http://forum.avast.com/index.php?topic=81078.0.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL Blocked, just like a lot of others!
« Reply #4 on: July 05, 2011, 08:39:37 PM »
On completion of this run can you let me know if the problem persists

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3530662894-1663572426-3511026779-1000\] > -> HKEY_USERS\S-1-5-21-3530662894-1663572426-3511026779-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{32099AAC-C132-4136-9E9A-4E364A424E17}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{D4027C7F-154A-4066-A1AD-4243D8127440}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Files/Folders - Modified Within 30 Days]
NY ->  2aecf431 -> C:\ProgramData\2aecf431
NY ->  12772417 -> C:\Windows\SysWow64\12772417
[Files - No Company Name]
NY ->  2aecf431 -> C:\ProgramData\2aecf431
NY ->  12772417 -> C:\Windows\SysWow64\12772417
NY ->  AML Free Registry Cleaner.lnk -> C:\Users\Win7\Desktop\AML Free Registry Cleaner.lnk
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
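The fix above removes two files with random hex names (2aecf431 under C:\ProgramData and 12772417 under C:\Windows\SysWow64) that OTS listed with no company name. As an added example, not part of the thread and not how essexboy reads logs, here is a narrow heuristic over the paths such a "[Files - No Company Name]" section reports: it flags a file only when a random hex name and a system or ProgramData location coincide, and emits lines in the "NY ->  name -> path" format the fix script uses. The directory list, the name rule and the sample paths are my assumptions.

```javascript
// Added example; not OTS code and not the method used in this thread.
// Directories where a versionless, unsigned, freshly created file with a
// random name is unusual enough to deserve a look (assumed list).
const WATCHED_DIRS = [
  "c:\\programdata\\",
  "c:\\windows\\",          // covers System32 and SysWow64
];

// 6 to 16 hex digits and no extension: the 2aecf431 / 12772417 pattern.
const RANDOM_HEX_NAME = /^[0-9a-f]{6,16}$/i;

function baseName(winPath) {
  // Split on either separator so this runs on any OS.
  return winPath.split(/[\\/]/).filter(Boolean).pop() ?? "";
}

function classify(winPath) {
  const base = baseName(winPath);
  const lower = winPath.toLowerCase();
  const reasons = [];
  if (RANDOM_HEX_NAME.test(base)) reasons.push("random hex name, no extension");
  if (WATCHED_DIRS.some((d) => lower.startsWith(d))) reasons.push("inside a system or ProgramData directory");
  // Both signals are required: hex names are normal in caches, and system
  // directories are full of legitimate files that carry no company name.
  return { path: winPath, base, reasons, suspicious: reasons.length === 2 };
}

// Produce the "NY ->  name -> path" lines in the format the OTS fix uses.
function toFixLines(paths) {
  return paths
    .map(classify)
    .filter((c) => c.suspicious)
    .map((c) => `NY ->  ${c.base} -> ${c.path}`);
}

// Constructed sample of what a No Company Name section might list.
const SAMPLE_PATHS = [
  "C:\\ProgramData\\2aecf431",
  "C:\\Windows\\SysWow64\\12772417",
  "C:\\Windows\\SysWow64\\kernel32.dll",
  "C:\\Users\\Win7\\Desktop\\AML Free Registry Cleaner.lnk",
];

console.log(toFixLines(SAMPLE_PATHS).join("\n"));
```

On the sample this yields exactly the two file lines from the fix. It does not flag the registry-cleaner shortcut on the Desktop; that removal was a judgment call about an unwanted program, which is the part no pattern rule replaces.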

Eloquent

  • Guest
Re: Malicious URL Blocked, just like a lot of others!
« Reply #5 on: July 06, 2011, 02:07:37 AM »
I just completed the fix you told me to, Essexboy.
Thank you so much!

I am interested in how you find which Registries/Files/Processes are to be NY'd !
Thank you for your help again!
I will reply again if the problem occurs :)

Ps. I attached the after log when the computer rebooted.

Eloquent

  • Guest
Re: Malicious URL Blocked, just like a lot of others!
« Reply #6 on: July 06, 2011, 02:14:28 AM »
Apparently.. I spoke too soon..

I went to browse on Google, using Firefox.
The links I click on still redirect me to another search engine.
Same with the YouTube links I click on.

Am I not done yet Essexboy? :(

Edit : Avast doesn't pop up anymore for "Malicious URL Detected" even though I still get redirected to another page.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL Blocked, just like a lot of others!
« Reply #7 on: July 06, 2011, 07:25:35 PM »
OK, that would suggest it is in an area that I cannot see with OTS, so let's up the ante.

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Eloquent

  • Guest
Re: Malicious URL Blocked, just like a lot of others!
« Reply #8 on: July 07, 2011, 12:14:49 AM »
I read your posts here and other threads
and I gotta say I like your sense of humor Essexboy  ;D

Let's up the ante indeed.

I ran ComboFix while shutting off my AV, and internet connection (just in case).

This is the log it produced.

I am also very interested in how you look at the OTS / ComboFix files.
How do you know which files/registries/processes are bad and not needed?

Thank you for all the help so far!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL Blocked, just like a lot of others!
« Reply #9 on: July 07, 2011, 08:20:58 PM »
Yep it was hiding in firefox

Quote
I am also very interested in how you look at the OTS / ComboFix files.
How do you know which files/registries/processes are bad and not needed?
Experience and training is the short answer really, plus having a good feel for what does not look right ;D

Any more alerts/redirects  ?

Eloquent

  • Guest
Re: Malicious URL Blocked, just like a lot of others!
« Reply #10 on: July 08, 2011, 10:52:16 AM »
Ahh, experience is what I want haha
I wish I could be as good as you and get to your level (in reading OTS/CF logs).

There seems to be no more redirects at the moment!
I am very happy to report that!

Did ComboFix run help fix the malware hidden in Firefox?

Ps. All this time I had a feeling that you were feeding the logs into a self-programmed software that reads what's bad in the logs.  ;D

Eloquent

  • Guest
Re: Malicious URL Blocked, just like a lot of others!
« Reply #11 on: July 08, 2011, 11:45:18 AM »
Well.. right when I started reading Manga again..
Another alert pops up.
This time it says it's a Trojan Horse.
It blocked it..
Not sure if anything got into my computer again.
Maybe I should stop reading Manga..

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89012
  • No support PMs thanks
Re: Malicious URL Blocked, just like a lot of others!
« Reply #12 on: July 08, 2011, 02:37:08 PM »
As they say if it hurts when you do it stop doing it.

In all seriousness, it would appear that that site (there appear to be lots of different manga sites) has been hacked and the web shield is blocking something malicious. The JS: (JavaScript) ScriptIP-inf is usually an indication that a malicious script tag has been inserted into a page and that script tag is trying to run a script from another site/page.

The idea of the web shield alert is to 'block' (abort connection of) the download and running of whatever is on that remote site/page. So it shouldn't get into your browser cache and either be displayed or run in your browser/system.

So although nothing should have been downloaded to your system, clear your browser cache and monitor your system for any symptoms you might have had previously.
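The injected script tag DavidR describes is something a site owner can look for in their own markup. As an added example, not Avast's web shield logic and not code from this thread, here is a checker that lists every external script a page loads, skips the page's own origin and a caller-supplied allowlist of known hosts, and calls out the two things that made the thread's alert suspicious: a script pulled from a host that is a raw IP literal, and a plaintext http script on an https page. The sample HTML, the hosts and the path are constructed; 192.0.2.10 (a documentation address) stands in for the address the thread reports.

```javascript
// Added example; not the web shield's detection and not from the thread.
// Matches <script ... src="..."> with double, single or no quotes.
const SCRIPT_SRC = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
const IPV4 = /^\d{1,3}(?:\.\d{1,3}){3}$/;

// Returns one finding per script whose source is neither the page's own
// origin nor an allowlisted host, with the reasons it was reported.
function findInjectedScripts(html, pageUrl, allowedHosts = []) {
  const page = new URL(pageUrl);
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  for (const m of html.matchAll(SCRIPT_SRC)) {
    const raw = m[1] ?? m[2] ?? m[3];
    let u;
    try {
      u = new URL(raw, pageUrl); // resolves relative and protocol-relative src
    } catch {
      findings.push({ src: raw, host: null, reasons: ["unparseable src"] });
      continue;
    }
    const host = u.hostname.toLowerCase();
    if (host === page.hostname.toLowerCase() || allowed.has(host)) continue;
    const reasons = ["cross-origin script"];
    // Real CDNs have names; a bare IP (or bracketed IPv6) host is unusual.
    if (IPV4.test(host) || host.startsWith("[")) reasons.push("raw IP host");
    if (u.protocol === "http:" && page.protocol === "https:") reasons.push("plaintext on an https page");
    findings.push({ src: raw, host, reasons });
  }
  return findings;
}

// Constructed page: two legitimate scripts, then a tag appended after the
// real markup, the way a compromised site's pages typically look.
const SAMPLE_PAGE = `
<html><head>
<script src="/static/reader.js"></script>
<script src="//cdn.example.net/lib/jquery.min.js"></script>
</head><body>
<div id="pages"><img src="/img/ch1/01.png"></div>
<script type="text/javascript" src="http://192.0.2.10/js.php"></script>
</body></html>`;

console.log(JSON.stringify(
  findInjectedScripts(SAMPLE_PAGE, "https://example.com/read/42", ["cdn.example.net"]),
  null, 2));
```

The allowlist matters: without it the CDN script is reported too, which is correct behaviour for a first pass but noisy, so seed it from a known-good copy of the site. This only sees tags present in the served HTML; a script written in at runtime by already-running code needs a DOM-level check instead.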

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious URL Blocked, just like a lot of others!
« Reply #13 on: July 08, 2011, 07:39:42 PM »
Quote
Ahh, experience is what I want haha
I wish I can be as good as you and get to your level (in reading OTS/CF logs).

There seems to be no more redirects at the moment!
I am very happy to report that!

Did ComboFix run help fix the malware hidden in Firefox?

Ps. All this time I had a feeling that you were feeding the logs into a self-programmed software that reads what's bad in the logs.  ;D
Yep, CF removed the miscreants within FF, and alas there is no automated tool that can replace the human eye, which can spot apparently unrelated files.

Once you are really happy after your latest alarm I will remove my tools.

Eloquent

  • Guest
Re: Malicious URL Blocked, just like a lot of others!
« Reply #14 on: July 11, 2011, 03:05:11 PM »
Alright, sounds good Essexboy!

It's been 1-2 days since I've been using Google search engine, and every link directs me to the correct link  ;D

Thank you for all your work!
I'm happy for your guidance and help for others too!

Thank you other mods too (like DavidR)!
Quote
As they say if it hurts when you do it stop doing it.
Haha I fully agree David, I already stopped using the site.

I'm ready for the cleanup and the goodbye  :'(