Author Topic: Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts  (Read 39551 times)

Offline jesamine

  • Jr. Member
  • **
  • Posts: 59
Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts
« on: May 27, 2012, 11:49:45 AM »
I am using Avast Free Antivirus and am getting repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts (one being: http://agrifarma.com/p/as?64206) whenever I go to my / some of my friends' MySpace profiles; I have been in contact with MySpace about this, but was told that my profile was checked at their end and no issue was found. This is driving me crazy, so much so that I am considering removing Avast and trying a different antivirus, but I really do not want to do this as I am very happy with it otherwise. Can anyone help please?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 67305
    • >>>  Avast Forum - German-language section  <<<
Re: Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts
« Reply #1 on: May 27, 2012, 11:53:01 AM »
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware.
Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.
Win 8.1 [x64] - Avast PremSec 20.9.2433.Beta1 [UI.569] - CC 5.72 - EEK - FF ESR 78.4 [NS/AOS/uBO/PB] - TB 78.3.3 - SB/CP/SL/DU.B
German-language section -> Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36760
Re: Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts
« Reply #2 on: May 27, 2012, 12:34:43 PM »
the problem is not avast......but that you have an infection.
so replacing avast with an AV that does not detect, does not solve/remove the infection  ;)

so follow Asyn's advice

Offline jesamine

  • Jr. Member
  • **
  • Posts: 59
Re: Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts
« Reply #3 on: May 27, 2012, 01:46:34 PM »
Thank you very much for your help. One object was found and removed (see below), however, I have just visited my MySpace profile again and Avast alerted me with a different URL Mal:

Infection Details
URL:   http://www1.strongpqcleaner.dnset.com/O....
Process:   C:\Program Files\Mozilla Firefox\firefox...
Infection:   URL:Mal

!!

Shall I run Malwarebytes again?

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.27.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
dell owner :: OWNER-25721C41B [administrator]

27/05/2012 11:45:51
mbam-log-2012-05-27 (11-45-51).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 179764
Time elapsed: 40 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36760
Re: Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts
« Reply #4 on: May 27, 2012, 02:57:59 PM »
you also have to attach (not copy and paste) OTL and aswMBR log

Offline jesamine

  • Jr. Member
  • **
  • Posts: 59
Re: Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts
« Reply #5 on: May 27, 2012, 05:14:54 PM »
Sorry, missed that. I hope these attachments are okay....I had already recently used aswMBR.exe.

**Please note that this issue has been going on for some months now, so it will not be linked to recent modifications**
« Last Edit: May 27, 2012, 06:09:16 PM by jesamine »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36760
Re: Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts
« Reply #6 on: May 27, 2012, 08:50:52 PM »
I see lots of McAfee files in your log......do you have McAfee installed?

Offline jesamine

  • Jr. Member
  • **
  • Posts: 59
Re: Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts
« Reply #7 on: May 27, 2012, 09:33:10 PM »
I only have McAfee Security Scan installed, which runs a very short basic safety test, I installed that after this problem arose....it showed clear. I used to use McAfee before Avast, but my hard drive has since (as far as I can remember) been wiped clean by a PC World technician so I don't think that would show now? The issue only occurs when I am on MySpace, could MySpace be the problem?
« Last Edit: May 27, 2012, 09:47:38 PM by jesamine »

Offline jeffce

  • Probably Not A Bot
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2460
  • Member of UNITE
    • Malware Removal
Re: Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts
« Reply #8 on: May 28, 2012, 12:54:16 AM »
Let me look over the logs and I will return as quickly as I can.  :)

Offline jesamine

  • Jr. Member
  • **
  • Posts: 59
Re: Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts
« Reply #9 on: May 28, 2012, 01:13:06 AM »
Thank you - I really appreciate you all helping me. Here are two of the public MySpace profiles I have problems with....perhaps you can test whether you receive alerts here too in order to ascertain where the fault lies:

http://www.myspace.com/merlinmallet

Infection Details
URL:   http://www1.bestdefenseij.dnset.com/i.ht...
Process:   C:\Program Files\Mozilla Firefox\firefox...
Infection:   URL:Mal

http://www.myspace.com/573275561

Infection Details
URL:   http://agrifarma.com/p/as?1015
Process:   C:\Program Files\Mozilla Firefox\firefox...
Infection:   HTML:RedirME-inf [Trj]

My two private profiles trigger alerts too every time I click on them.

UserA789

  • Guest
Re: Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts
« Reply #10 on: May 28, 2012, 02:16:20 AM »
Your friends, most likely without knowing, are probably attaching malicious sites/videos/content from other URLs to their page(s).  A big problem these days is thinking we can do this without it affecting anyone else, or not understanding how code injection CAN be used in different ways.

You may want to give your friends a heads up, unfortunately like most, they will take it completely personal and tell you it's your machine or even your fault.  I have had this problem myself, and even once on my own MySpace page.  Once I got rid of the URL-redirect I didn't realise was malicious, it went away.  It's why I utterly HATE >:(  the 'Share' feature on FB.

But again, to tell anyone their stuff is broken/infected is like claiming they did it on purpose.  They will get as defensive as one can fathom and say 'it didn't set off mine so it's just you' and subsequently further spread malicious content.

I would advise you continue working with Asyn.

the problem is not avast......but that you have an infection.
so replacing avast with an AV that does not detect, does not solve/remove the infection  ;)
I don't know if you realise this but being that we pay for AND/OR trust Avast to prevent infection.  If our machines become infected that's EXACTLY whose fault it is.  That's not saying that Avast made the infection, just that Avast let us be infected.  Just say'n... not tryin to change this thread.

Either way;
so follow Asyn's advice
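
The embedding described in Reply #10, as an added example that is not part of any post in this thread: a Python sketch that lists the third-party URLs a saved profile page loads automatically and checks them against the host named in an antivirus alert. The function names, the sample HTML and the reserved `.example` hosts are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that make the browser fetch a URL on page load, and the attribute holding it.
AUTO_LOAD = {"script": "src", "iframe": "src", "embed": "src",
             "img": "src", "object": "data", "link": "href"}

class RemoteRefCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.refs = page_url, []
    def handle_starttag(self, tag, attrs):
        a, url = dict(attrs), None
        if tag in AUTO_LOAD:
            url = a.get(AUTO_LOAD[tag])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=http://host/path"
            url = (a.get("content") or "").partition("=")[2].strip()
        if url:
            self.refs.append((tag, urljoin(self.page_url, url)))

def base_domain(host):
    # Simplification: last two labels. A real tool would use the Public Suffix List.
    return ".".join((host or "").lower().split(".")[-2:])

def third_party_refs(html, page_url):
    """(tag, url) pairs the page loads from a site other than its own."""
    collector = RemoteRefCollector(page_url)
    collector.feed(html)
    own = base_domain(urlsplit(page_url).hostname)
    return [(t, u) for t, u in collector.refs
            if urlsplit(u).scheme in ("http", "https")
            and base_domain(urlsplit(u).hostname) != own]

def match_alert(refs, alert_url):
    """Refs served from the same host as the URL shown in the antivirus alert."""
    host = urlsplit(alert_url).hostname
    return [(t, u) for t, u in refs if urlsplit(u).hostname == host]

# Constructed sample: reserved .example names stand in for the profile and alert host.
SAMPLE_PAGE_URL = "http://www.social.example/someprofile"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/profile.css">
<script src="http://static.social.example/js/site.js"></script>
</head><body><img src="avatar.jpg">
<embed src="http://video.example.net/player.swf">
<iframe src="http://flagged.example/p/as?1015" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    refs = third_party_refs(SAMPLE_HTML, SAMPLE_PAGE_URL)
    print(refs, match_alert(refs, "http://flagged.example/p/as?64206"))
```

This only sees references present in the static HTML; content that a script injects at run time will not appear in the list.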

Offline jeffce

  • Probably Not A Bot
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2460
  • Member of UNITE
    • Malware Removal
Re: Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts
« Reply #11 on: May 28, 2012, 03:24:33 AM »
Hi,

I went to the link and got the popup about the infection so I agree that the infection is on that particular page itself. 
--------------

Are you using McAfee or Avast for your antivirus program?  We need to remove one of them.  Let me know which one you would like to remove. 
----------

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:
:Services

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKU\S-1-5-21-725345543-839522115-1202660629-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://uk.myspace.com/home"
[2010/05/18 15:24:37 | 000,002,139 | ---- | M] () -- C:\Documents and Settings\dell owner\Application Data\Mozilla\Firefox\Profiles\q0me9ao2.default\searchplugins\MyStart Search.xml
[2011/12/23 17:17:46 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[resethosts]
[createrestorepoint]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Offline jesamine

  • Jr. Member
  • **
  • Posts: 59
Re: Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts
« Reply #12 on: May 28, 2012, 03:21:44 PM »
HELP!

I started OTL as per your instructions....it stated killing processes and my computer immediately displayed the screen of death. Nothing has happened since, I am afraid to turn it off. What do I do? I am using a neighbour's computer for this.

Offline jeffce

  • Probably Not A Bot
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2460
  • Member of UNITE
    • Malware Removal
Re: Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts
« Reply #13 on: May 28, 2012, 03:26:33 PM »
Hi,

It's ok to reboot your system.  This time boot into Safe Mode and run the instructions I posted for OTL from there.  :)

Offline jesamine

  • Jr. Member
  • **
  • Posts: 59
Re: Repeated 'Trojan Horse Blocked' / 'Malicious URL' alerts
« Reply #14 on: May 28, 2012, 06:05:59 PM »
Didn't expect that and got worried! Reminded me of the time I grew impatient with a 'System Restore'....I turned my computer off and my operating system wouldn't restart....ended up with a partition, new operating system and a computer technician's bill! Does this mean that the OTL 'fix' hasn't been carried out? I couldn't boot into safe mode, nothing happened when I clicked on the up/down arrow options.