Author Topic: Blocked Malicious URL  (Read 12030 times)


Offline essexboy

Re: Blocked Malicious URL
« Reply #15 on: July 23, 2011, 02:42:57 PM »
The main malware was the Vundo jobs - now history. You may have got the Avast alert as OTS was doing the last part of the temp file removal. Are the alerts as frequent, or just on high-intensity ad sites?

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

JimBodkins

Re: Blocked Malicious URL
« Reply #16 on: July 23, 2011, 08:15:35 PM »
Downloading mbam now.

The mal.url isn't infrequent. I didn't keep records and the timing is subjective. :(

Will report later.

thanks
Jim

Edit:
During install:

I'm getting vbaccelerator errors on a SGrid II control. Run-time error '0'
I may not have something involving visual basic installed.

and a runtime error '440' automation error.

During execution:

Run-time error '372'

Failed to load control 'vbalGrid' from vbalsgrid6.ocs. Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.

Run-time error '0'

It didn't run.

I'll try to find those errors.

Edit 2:

It appears I am missing regsvr32.exe

Edit 3:

I got regsvr32.exe here http://support.microsoft.com/kb/267279
« Last Edit: July 23, 2011, 08:49:52 PM by JimBodkins »

JimBodkins

Re: Blocked Malicious URL
« Reply #17 on: July 23, 2011, 09:43:19 PM »
log of mbam run

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7253

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/23/2011 12:17:57 PM
mbam-log-2011-07-23 (12-17-57).txt

Scan type: Quick scan
Objects scanned: 237610
Time elapsed: 16 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{16406580-14ce-4441-b904-ad56cc8064ca} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WinApp.WinSafe.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WinApp.WinSafe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa\UpdateWin (Backdoor.Sdbot) -> Value: UpdateWin -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\documents and settings\HP_Owner\application data\86855640 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
c:\icinst.exe (Adware.EShoper) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\Desktop\antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\microsoft\internet explorer\quick launch\antivirus antispyware 2011.lnk (Rogue.AntiVirusAntiSpyware2011) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\start menu\Programs\security shield.lnk (Rogue.SecurityShield) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\~tmp.html (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\HP_Owner\application data\config.cfg (Malware.Trace) -> Quarantined and deleted successfully.
c:\Bots.zip (Trojan.Agent) -> Quarantined and deleted successfully.
c:\calculator.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\SETUP.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\config\systemprofile\start menu\xp police antivirus.lnk (Rogue.XPPolice) -> Quarantined and deleted successfully

Notes.

Upon reboot I received a mal.url alert.

I was warned that I had no firewall - even though comodo was running. Comodo tray icon indicated it was disabled - the defense+ setting was disabled. it is now training mode.

I haven't received another mal.url alert in 15 minutes of surfing using three different browsers.

I'll update this post later.


Update 1:

As of this edit, no new mal.urls.

Update 2:

There is a curse. No sooner had I saved that edit than I got a mal.url. :(
« Last Edit: July 24, 2011, 07:03:48 AM by JimBodkins »
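An added helper, not code from the thread or from Malwarebytes, for reading logs like the one above: it parses the MBAM 1.51 line format and flags the entries that indicate persistence or tampering (the IFEO key for SETUP.EXE, the Security Center notify values) rather than dropped files, since those are the ones to re-verify after a cleanup. The sample lines are a constructed excerpt of this post's log.

```python
import re
from collections import Counter

# Constructed excerpt in the MBAM 1.51 log format (a few lines of the post's log, not the whole log)
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\System\CurrentControlSet\Control\Lsa\UpdateWin (Backdoor.Sdbot) -> Value: UpdateWin -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\SETUP.EXE (Trojan.Agent) -> Quarantined and deleted successfully
"""

# Every detection line has the shape "<item> (<family>) -> [<details> ->] <action>"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")

# Path fragments that mark persistence or defence evasion: worth re-checking by hand after cleanup
PERSISTENCE_HINTS = {"image file execution options": "IFEO debugger hijack",
                     "security center": "Security Center notification disabled",
                     "policies\\explorer": "Explorer policy tamper",
                     "currentversion\\run": "autostart entry"}

def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it appeared under."""
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(" Infected:"):      # section header such as "Registry Keys Infected:"
            section = line[:-len(" Infected:")]
            continue
        m = ENTRY_RE.match(line)
        if not (m and section):              # skips blanks and "(No malicious items detected)"
            continue
        rest = m.group("rest")
        e = {"section": section, "item": m.group("item"), "family": m.group("family"),
             "action": rest.split(" -> ")[-1].rstrip(".")}
        if bg := re.search(r"Bad: \((\d+)\) Good: \((\d+)\)", rest):   # data-item entries
            e["bad"], e["good"] = int(bg.group(1)), int(bg.group(2))
        e["hint"] = next((h for k, h in PERSISTENCE_HINTS.items() if k in e["item"].lower()), None)
        entries.append(e)
    return entries

def summarize(entries):
    """Counts per detection family plus the persistence-related entries to verify manually."""
    return {"by_family": Counter(e["family"] for e in entries),
            "persistence": [e for e in entries if e["hint"]]}
```

Feed it the full log from the post and the "persistence" list is the short set of keys to confirm are really gone (or restored) after the reboot.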

Offline essexboy

Re: Blocked Malicious URL
« Reply #18 on: July 23, 2011, 10:18:28 PM »
Yep, I will put this on hold until you are happy.

JimBodkins

Re: Blocked Malicious URL
« Reply #19 on: July 24, 2011, 09:44:59 PM »
Lower frequency perhaps, but still generating mal.urls

Offline bob3160

Re: Blocked Malicious URL
« Reply #20 on: July 24, 2011, 09:52:06 PM »
Quote
Lower frequency perhaps, but still generating mal.urls
How about some screen shots ???

JimBodkins

Re: Blocked Malicious URL
« Reply #21 on: July 24, 2011, 10:00:51 PM »
It's a red popup on the lower right that says it just blocked a malicious URL, and it gives the calling DLL and the IP.


I tried using mwsnap but your popup vanished while mwsnap was active only to return when mwsnap completed.


... sorry, it said URL.mal not mal.url
« Last Edit: July 24, 2011, 10:33:36 PM by JimBodkins »

Offline bob3160

Re: Blocked Malicious URL
« Reply #22 on: July 24, 2011, 10:11:18 PM »
Quote
It's a red popup on the lower right that says it just blocked a malicious URL, and it gives the calling DLL and the IP.

I tried using mwsnap but your popup vanished while mwsnap was active only to return when mwsnap completed.
Is the popup happening while you're browsing on the web ???

Offline essexboy

Re: Blocked Malicious URL
« Reply #23 on: July 24, 2011, 10:29:21 PM »
OK this would suggest that there is some residue I am missing

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

JimBodkins

Re: Blocked Malicious URL
« Reply #24 on: July 24, 2011, 11:19:56 PM »
Let me ask a question first.

I was just nosing around with WhatsRunning.exe and noticed that DevCommondlg was started at startup using rundll32. It resides in oleobjnetm (see an early post for exact names/paths). rundll32 was running.

Here is the curious thing. Startpage can only find references to DevCommondlg and oleobjnetm in this thread - it apparently doesn't appear anywhere else on the internet. Do you find that interesting? I do. I reconfigured to not run DevCommondlg at startup and stopped the associated rundll32. I'm curious if this stops the URL.mal.


What do you know about DevCommondlg and/or oleobjnetm (that is a folder name in the path that contains DevCommondlg)?

I would like to quickly discuss this before doing the next test/fix.

Thanks
« Last Edit: July 24, 2011, 11:32:52 PM by JimBodkins »

JimBodkins

Re: Blocked Malicious URL
« Reply #25 on: July 25, 2011, 06:22:43 AM »
I think this is related. Not absolutely certain.

At a point, DevCommondlg relaunched rundll32 and URL.mal reoccurred. I repeated this sequence several times. Then I moved DevCommondlg to a hold folder elsewhere, killed rundll32 again, and so far URL.mal hasn't reoccurred (in terms of restarting that rundll32 process). This file that is unknown may be a trojan (DevCommondlg). Not entirely sure as yet though. But it did URL.mal when DevCommondlg restarted (rundll32) but hasn't since I moved it.
« Last Edit: July 25, 2011, 07:32:05 AM by JimBodkins »

Offline essexboy

Re: Blocked Malicious URL
« Reply #26 on: July 25, 2011, 06:58:03 PM »
Quote
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\oleobjNetM\DevCommondlg.dll
OK a new one to add to the long list of malware

Rather than running combofix could you run a fresh OTS log and I will take it out that way (along with the folder ) I will also zip it as I would like a copy


JimBodkins

Re: Blocked Malicious URL
« Reply #27 on: July 25, 2011, 07:09:42 PM »
As I mentioned, I moved it to a hold folder. I also marked that process not to start using whatsrunn.exe. Something just tried to run it. I received a dialog box indicating that something tried to run it but failed.

I have a habit of using hibernate - so something may still be scheduled. Give me a while to run a couple of tests to narrow that down. In the meantime I can send you the file as it is in a hold folder. Where should I send it? (I would rather not attach it publicly)


Offline essexboy

Re: Blocked Malicious URL
« Reply #28 on: July 25, 2011, 07:15:23 PM »
No it still has a run key associated with it - which will need removal

Could you upload the offending file to Avast as potential malware please

With the OTS I can safely delete the run key
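As an added illustration (not code from the thread or from OTS), a triage check for the pattern essexboy describes: a Run key value that launches a DLL from the user profile through rundll32. The sample values are constructed; only the DevCommondlg.dll path comes from the thread, and the entry-point name after the comma is a placeholder.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of autostart values (name -> command) as found under ...\CurrentVersion\Run.
# The DevCommondlg.dll path is the one quoted in the thread; the entry-point name after the comma
# and all other commands are invented for illustration.
SAMPLE_RUN_VALUES = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "ExampleApp": r'"C:\Program Files\Example\app.exe" /background',
    "Updater": r'"C:\Documents and Settings\HP_Owner\Application Data\updater.exe" /silent',
    "oleobjNetM": r'rundll32.exe "C:\Documents and Settings\HP_Owner\Local Settings\Application Data\oleobjNetM\DevCommondlg.dll",PLACEHOLDER_ENTRY',
}

# rundll32 loads the DLL named in its first argument, so that DLL (not rundll32) is the real target
RUNDLL_RE = re.compile(r'^\s*"?(?P<exe>[^"]*?rundll32(?:\.exe)?)"?\s+(?P<dll>"[^"]+"|[^,\s]+)\s*,', re.I)

# Directory fragments a standard user can write to; legitimate autostarts rarely live there on XP
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\application data\\", "\\appdata\\")

def first_token(command):
    """The executable path of a command line, honouring quoting."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]

def triage_run_value(command):
    """Return the reasons an autostart command deserves a manual look (empty if none)."""
    reasons = []
    m = RUNDLL_RE.match(command)
    target = m.group("dll").strip('"') if m else first_token(command)
    if m:
        reasons.append("rundll32 proxy execution of " + PureWindowsPath(target).name)
    if any(frag in target.lower() for frag in USER_WRITABLE):
        reasons.append("target lives under a user-writable profile directory")
    return reasons

def triage_all(run_values):
    """Map each suspicious value name to its reasons; clean entries are left out."""
    return {name: r for name, cmd in run_values.items() if (r := triage_run_value(cmd))}
```

Both HKCU and HKLM Run keys (and RunOnce) should be exported and fed through this, since the thread's entry survived the earlier cleanup precisely because the key was still in place.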

JimBodkins

Re: Blocked Malicious URL
« Reply #29 on: July 25, 2011, 07:17:19 PM »
Two things. I renamed it *.lld to help defeat its identification. It is in a zip that I will send, with the modified name. It is no longer in its original folder.