Author Topic: avast 'URL:Mal' pop-up  (Read 20956 times)

Pwebb

  • Guest
avast 'URL:Mal' pop-up
« on: April 05, 2012, 09:29:26 PM »
Kept getting an Avast warning every 4 or 5 minutes re 'URL:Mal' for a site I wasn't even trying to access.

Details: avast! blocked you from visiting an infected webpage
Infection Details
URL: "hxxp://www.socialnewsworld.com/index.php?aff_id
Process: "C:\Program Files\Internet Explorer\IEXPLORER.EXE
Infection: "URL:Mal"

So I've tried everything mentioned in topic http://forum.avast.com/index.php?topic=53253.0 and have had no warning since.  Just wondered if one of the malware guys could tell me if I have anything more to worry about, or has the problem been erased and I can rest easy?

Here's MBAM report
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.04.02

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
???? :: ???????????? [limited]

04/04/2012 09:24:00
mbam-log-2012-04-04 (09-24-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 183946
Time elapsed: 17 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Online Add-on (Trojan.Zlob) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features (Trojan.Zlob) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Detected: 4
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02FFAC45-0B10-5633-4296-1801F1A36678} (Trojan.Agent) -> Data:  -> Quarantined and deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer|{02FFAC45-0B10-5633-4296-1801F1A36678} (Trojan.Agent) -> Data: ऑෲ -> Quarantined and deleted successfully.
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer|{02FFAC45-0B10-5633-4296-1801F1A36678} (Trojan.Agent) -> Data: ऑෲ -> Quarantined and deleted successfully.
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02FFAC45-0B10-5633-4296-1801F1A36678} (Trojan.Agent) -> Data:  -> Quarantined and deleted successfully.

Registry Data Items Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (Userinit.exe) -> Quarantined and repaired successfully.

Folders Detected: 2
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Detected: 3
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.

(end)


Here's OTL & aswMBR stuff

Thanks in advance.  Paul
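The line in that MBAM report worth understanding is the Winlogon Userinit one: the value is a comma-separated list and every entry in it is launched at logon, which is how ntos.exe was being started on each boot, and the three Security Center DisableNotify values set to 1 are what kept Windows from warning that protection was off. The following is an added example, not part of the original post and not Malwarebytes' own code, that parses a log in this format and pulls those two facts out of it; the log excerpt is constructed in the shape of the one above, and the system32 path is an assumption.

```python
"""Parse a Malwarebytes 1.x text log into structured findings and audit the
Winlogon Userinit value it reports.  Added example, not part of the original
forum post or of Malwarebytes; the log excerpt is constructed from lines in
the shape of the one posted above."""
import re

# Constructed sample in the format MBAM 1.x writes (three of the lines above).
SAMPLE_LOG = r"""
Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (Userinit.exe) -> Quarantined and repaired successfully.

Files Detected: 1
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# "path (category) -> Bad: (x) Good: (y) -> action"  (registry data items)
DATA_RE = re.compile(r"^(?P<path>.+?) \((?P<category>[^()]+)\) -> "
                     r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")
# "path (category) -> action"  (keys, values, folders, files)
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return one dict per detected item, tagged with the section it came from."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DATA_RE.match(line) or ITEM_RE.match(line)
        if m and section:
            item = m.groupdict()
            item["section"] = section
            findings.append(item)
    return findings


def userinit_entries(value):
    """Winlogon\\Userinit is a comma-separated list; every entry is launched at logon."""
    return [e.strip() for e in value.split(",") if e.strip()]


def audit_userinit(value, system32=r"C:\WINDOWS\system32"):
    """Return entries that are not the genuine userinit.exe from system32 (assumed path)."""
    unexpected = []
    for entry in userinit_entries(value):
        directory, _, name = entry.replace("/", "\\").rpartition("\\")
        if name.lower() != "userinit.exe":
            unexpected.append(entry)            # an extra program, e.g. ntos.exe
        elif directory and directory.lower() != system32.lower():
            unexpected.append(entry)            # a look-alike in the wrong folder
    return unexpected


def hijacked_userinit(findings):
    """Collect the rogue Userinit entries from any Hijack.Userinit finding."""
    rogue = []
    for f in findings:
        if f["path"].lower().endswith("\\winlogon|userinit") and f.get("bad"):
            rogue.extend(audit_userinit(f["bad"]))
    return rogue


def security_center_suppressions(findings):
    """Names of Security Center *DisableNotify values that had been set to 1."""
    return [f["path"].rsplit("|", 1)[-1] for f in findings
            if "\\security center|" in f["path"].lower()
            and f["path"].endswith("DisableNotify") and f.get("bad") == "1"]


if __name__ == "__main__":
    items = parse_mbam_log(SAMPLE_LOG)
    print(len(items), "items; rogue Userinit entries:", hijacked_userinit(items))
    print("notifications suppressed:", security_center_suppressions(items))
```

The same audit_userinit check works on the live value (read HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit with reg query or winreg) and is a cheap thing to re-run after a clean-up, since a repaired value can be re-hijacked by anything that survived the scan.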

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: avast 'URL:Mal' pop-up
« Reply #1 on: April 05, 2012, 10:32:05 PM »
Hi, that is an old variant of malware. I would recommend updating to SP3, as that hole gets blocked.

What problems do you have at the moment?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
    IE - HKU\S-1-5-21-1177238915-152049171-1202660629-1002\..\URLSearchHook: CFBFAE00-17A6-11D0-99CB-00C04FD64497} - No CLSID value found
    @Alternate Data Stream - 112 bytes -> C:\WINDOWS\win.ini:frp34d


    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Pwebb

Re: avast 'URL:Mal' pop-up
« Reply #2 on: April 06, 2012, 02:25:37 PM »
Hi essexboy, no real problems apparent at moment.  What I had was this avast 'URL:Mal' pop-up for about 3 or 4 days but doing everything suggested in topic http://forum.avast.com/index.php?topic=53253.0 seems to have killed that dead.

The only minor problem I have had for about 6 weeks is that an MS 'Security Alert' keeps popping up now & again when trawling websites, e.g. on Gumtree when I do a search for items I get the alert just before the results page & when I move on or off item descriptions.  On eBay it is similar, but only when I move on or off item descriptions, not the results page.  This alert can be random on other sites as well; some days no show, other days it is constantly popping up.  I cannot understand why it should pop up, so I always close it with the red X, never OK it.

Just had big problems trying to follow your latest advice.  OTL would not run, just kept hanging.  Eventually lost all display except wallpaper & the Windows Task Manager window.  Had to reboot & Internet Explorer would not run.  Going to the restore point I created after topic=53253.0 seems to have put things back to normal.

Ran OTL, log attached - oh bother, the red avast 'URL:Mal' pop-up has appeared again after about a day away.

Shall have to wait for your advice essexboy - it's appreciated

Offline essexboy

Re: avast 'URL:Mal' pop-up
« Reply #3 on: April 06, 2012, 03:37:22 PM »
OK, that is Malwarebytes causing the freeze; I am getting tired of that programme.

Download and Install Combofix
 
Download ComboFix from one of the following locations:
Link 1
Link 2
 
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
 
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion, then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Pwebb

Re: avast 'URL:Mal' pop-up
« Reply #4 on: April 06, 2012, 09:00:41 PM »
ComboFix is coming up with a message that AVG is running.  I cannot see what is happening; AVG not used for ages, no icon in the systray, no process in WTM, so stuck.

Offline essexboy

Re: avast 'URL:Mal' pop-up
« Reply #5 on: April 06, 2012, 09:23:51 PM »
Ignore the warning and continue - we will remove the AVG remnants next

Pwebb

Re: avast 'URL:Mal' pop-up
« Reply #6 on: April 06, 2012, 11:03:15 PM »
Hi essexboy, there was no reboot after ComboFix finished - I was expecting it to, but re-reading the advice it doesn't actually say it would.  Log attached.

Anyway, very little testing, but the puter appears OK, apart from it won't go to standby (haven't looked for cause / remedy).  No avast 'URL:Mal' pop-up yet in 20 minutes.

Offline essexboy

Re: avast 'URL:Mal' pop-up
« Reply #7 on: April 06, 2012, 11:10:57 PM »
I would like to do one final check on the MBR

Please download MBRCheck.exe to your Desktop. Run the application.
 
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
 
If an infection is found, you will be presented with the following dialog:
 
Quote
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 

 
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.
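What a tool of this kind does is read the first sector of each disk, confirm the 0x55AA boot signature, decode the partition table and compare a hash of the boot code with known-good values for the installed Windows version. Below is an added example of that check in Python; it is not MBRCheck's code and not part of the thread. The 512-byte sample MBR is constructed (its first bytes mimic the opening instructions of a standard Windows MBR), and the "known-good" hash set is taken from that sample, so on a real disk the baseline would have to be the hashes of the legitimate Windows MBR code instead.

```python
"""Inspect a 512-byte MBR roughly the way an MBR checker does: confirm the
0x55AA boot signature, decode the partition table, and hash the boot-code
region so it can be compared with a known-good value.  Added example, not
part of the original thread and not MBRCheck's own code; the sample MBR and
its baseline hash are constructed."""
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16
PART_ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"


def build_mbr(boot_code, partitions):
    """Assemble an MBR from boot code and (status, type, lba_start, sectors) tuples."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # CHS fields are left zeroed; the LBA fields are what matters on modern disks.
        mbr[off:off + PART_ENTRY_SIZE] = struct.pack(
            PART_ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(data):
    """Decode signature, partition entries and a SHA-256 of the boot code."""
    if len(data) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(
            PART_ENTRY_FMT, data[off:off + PART_ENTRY_SIZE])
        if ptype == 0:
            continue                       # unused slot
        partitions.append({"slot": i, "status": status, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
        "code_sha256": hashlib.sha256(data[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(data, known_good_hashes):
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["code_sha256"] not in known_good_hashes:
        # A bootkit that replaces the MBR code is what the hash baseline catches.
        findings.append("boot code hash not in known-good set: " + info["code_sha256"])
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"slot {p['slot']} has invalid status byte {p['status']:#x}")
    return findings


# Constructed sample: the first bytes mimic the start of a standard Windows MBR
# (xor ax,ax / mov ss,ax / mov sp,7C00h); the rest of the code region is zero.
SAMPLE_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C])
SAMPLE_MBR = build_mbr(SAMPLE_CODE, [
    (0x80, 0x07, 63, 20971457),            # active NTFS system partition
    (0x00, 0x07, 20971520, 41943040),      # second NTFS partition
])
# Baseline taken from the sample itself (assumption for the demo); a real check
# would use hashes of the legitimate Windows MBR for the installed version.
KNOWN_GOOD = {parse_mbr(SAMPLE_MBR)["code_sha256"]}


def tampered_copy(mbr, offset=0x10, value=0xE9):
    """Overwrite one byte in the boot code to simulate a replaced MBR."""
    out = bytearray(mbr)
    out[offset] = value
    return bytes(out)


if __name__ == "__main__":
    print("clean   :", check_mbr(SAMPLE_MBR, KNOWN_GOOD))
    print("tampered:", check_mbr(tampered_copy(SAMPLE_MBR), KNOWN_GOOD))
```

On a live system the 512 bytes would come from reading the start of the physical drive (\\.\PhysicalDrive0 on Windows), which needs administrator rights; a bootkit that hooks disk reads can hand back a clean copy, which is why the MBR checkers used in this thread also look for hidden filesystems and unsigned drivers rather than trusting the sector alone.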


Pwebb

Re: avast 'URL:Mal' pop-up
« Reply #8 on: April 06, 2012, 11:25:14 PM »
Here's MBR log.

Had two pop-ups for that avast 'URL:Mal' since last post otherwise still ok.

Offline essexboy

Re: avast 'URL:Mal' pop-up
« Reply #9 on: April 06, 2012, 11:29:20 PM »
You appear to have an MBR for your D drive

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

Pwebb

Re: avast 'URL:Mal' pop-up
« Reply #10 on: April 06, 2012, 11:51:22 PM »
TDSS log was too large to copy & paste here, so attached instead

Offline essexboy

Re: avast 'URL:Mal' pop-up
« Reply #11 on: April 07, 2012, 03:44:44 PM »
OK, that zapped it.  How is the computer behaving now?


Pwebb

Re: avast 'URL:Mal' pop-up
« Reply #12 on: April 07, 2012, 04:11:27 PM »
Not too bad; some odd things happening, but minor & livable.  Main thing is no red avast 'URL:Mal' pop-ups.

Many thanks for your time & effort essexboy, it's really appreciated.  And I hope I don't have to bother you again ;D

Offline essexboy

Re: avast 'URL:Mal' pop-up
« Reply #13 on: April 07, 2012, 04:18:07 PM »
OK, what are the minor problems?

We may be able to fix them.


Pwebb

Re: avast 'URL:Mal' pop-up
« Reply #14 on: April 08, 2012, 12:55:34 PM »
Hi,

1. The computer 'seems' slower than before; stuff like webpages & actual emails take longer to open, as if something else I am not aware of is happening (bit vague, I know).

2. This 'security alert' pop-up that I have had for about the last 6 weeks is now appearing more often.  As well as on Gumtree & eBay (see post above), it now appears on my IE8 Google homepage.  It pops up when I am typing into the search box and I close it with the red X, but if my search requires more typing then it can pop up again & again till I hit Enter to search.

3. In Windows Security Centre, the Virus Protection is logging that it has found more than one antivirus program on the computer & one is up to date.  I presume this is referring to remnants of AVG, but it doesn't seem to be a problem.

4. Sometime in all of this trying to clear the malware, another instance of IE8 appeared on my desktop, not a shortcut but the actual program.  I just deleted it as I have it off the Start button - just odd.

I have updated to SP3 (what a nightmare that was) like you suggested & as yet I haven't had much chance to fully 'test' everything but somehow it doesn't 'feel' the same as before.  And if you can remedy that I will be truly impressed!