Author Topic: Url:Mal pop-ups from seemly sound sources  (Read 37917 times)

0 Members and 1 Guest are viewing this topic.

Sprey

  • Guest
Url:Mal pop-ups from seemly sound sources
« on: May 27, 2012, 03:31:49 PM »
Hi all,

Yesterday at one point every single website was being blocked by avast network shield, but after taking out my cat-5 cable and re-connecting it this might not happen again for a little bit, just to return later in a very random (seemly) fashion. Even the button saying "more details" on the pop-ups themselves was being blocked at times (see attached images). This has not occurred so much today, but pop-ups are still coming up and are worrying me now (at first I thought it was just a conflict between chrome and avast, and so I updated chrome to 19.0.1084.52 m). The culprit processes as highlighted by the pop-ups are svchost.exe, zune.exe and chrome.exe, mainly (google-updater.exe also threw up a pop-up yesterday as well I think), yet it appears that the connections that are being blocked are not problem websites at all, and don't seem malicious (as shown by the fact that the avast site itself is blocked sometimes, for example). I have attached three screenshots of some pop-ups, and below is a Malwarebytes log.

Any help will be greatly appreciated.

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.27.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
User :: USER-LAPTOP [administrator]

Protection: Disabled

27/05/2012 11:37:59
mbam-log-2012-05-27 (11-37-59).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231307
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Url:Mal pop-ups from seemly sound sources
« Reply #1 on: May 27, 2012, 03:36:15 PM »
attach (not copy and paste) OTL and aswMBR log
http://forum.avast.com/index.php?topic=53253.0


Malware remover will be notified when done....

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #2 on: May 27, 2012, 04:29:58 PM »
Attached the logs. Didn't have an extras.txt file generated by the OTL scan as explained in the tutorial, so I've just got the OTL.txt log and aswMBR log for you...

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #3 on: May 27, 2012, 09:25:23 PM »
Hi,

Please download and run ERUNT (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
IE - HKU\S-1-5-21-326096136-1704205804-531090515-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-326096136-1704205804-531090515-1002\..\SearchScopes,DefaultScope = {E0BC8645-5242-49F3-A1E6-B9C966A70D75}
IE - HKU\S-1-5-21-326096136-1704205804-531090515-1002\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=100488&mntrId=b845716800000000000074e50b0e6c63
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
[4 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\Windows\SysWow64\*.tmp files -> C:\Windows\SysWow64\*.tmp -> ]
[2011/08/07 18:44:29 | 000,010,752 | ---- | C] () -- C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/07 10:34:17 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Babylon

:Files
ipconfig /flushdsn /c

:Commands
[purity]
[emptytemp]
[resethosts]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #4 on: May 27, 2012, 09:56:49 PM »
I just ran the fix and it went fine, but I don't fully understand the next step... by scan do you mean I should do another pass of aswMBR and post the log? And for the second run of OTL, as well as not checking LOP or purity, should I put the code into the custom scan box like I did for my first OTL run or not?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Url:Mal pop-ups from seemly sound sources
« Reply #5 on: May 27, 2012, 10:21:49 PM »
you do a new OTL scan...with no fix.... to get a new OTL log so he can see if the fix worked as planned     ;)

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #6 on: May 28, 2012, 12:40:11 AM »
Thanks Pondus/here's the new OTL log.

FYI, I still got another pop-up when I first opened my browser to see this thread: URL:Mal detected on object platform.twitter.com/widgets.js. I just unplugged and the reconnected my ethernet cable and I can now see that page without any pop-ups.

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #7 on: May 28, 2012, 12:45:29 AM »
Hi,

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan[/i]
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
----------

In your next reply please attach the logs made by Malwarebytes and ESET online scanner.  :)

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #8 on: May 28, 2012, 02:29:29 AM »
Here is what the ESET log file said:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK

Attached is log file itself, the ESET "export to file" file as a .txt file: it found two infected files (details in Eset export to text file.txt) and the malwarebytes log.




jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #9 on: May 28, 2012, 02:51:58 AM »
Hi,

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:Files
C:\Users\User\Downloads\cnet2_WinDjView-1_0_3-Setup_exe.exe
C:\Users\User\Downloads\coretemp_1236.exe

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
----------

In your next reply please post the new OTL log and let me know how your system is running.  :)

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #10 on: May 28, 2012, 10:10:43 AM »
Hi, I've attached the third OTL log for you. My system is un-changed, got another pop-up when I opened the zune software after the reboot following the OTL fix (screenshot attached)...

*edited spelling mistake :) )
« Last Edit: May 28, 2012, 10:27:43 AM by Sprey »

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #11 on: May 28, 2012, 03:03:36 PM »
Hi,

Ok....

Download the latest version of Kaspersky Virus Removal Tool
  • Close all other applications and double-click and run the installer.
  • When the Kaspersky Virus Removal Tool starts, to the right of Security Level click Recommended, and select Settings.
  • In the window that opens (Autoscan), in the Scope  tab place a checkmark to the left of Parse email formats.
  • Click the Additional tab and click to place a checkmark to the left of Deep scan, and click OK.
  • Select all the scanable items except for CD-ROM drives and click the Start scan button.

  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply.

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #12 on: May 28, 2012, 06:31:29 PM »
Basically the Kaspersky scan got to about 73% and then when I came back to my laptop and clicked on it it froze and I had to close the program. Up to that point the program had found 6 vulnerabilities (I think that was the wording used), rather than malware (no red exclamation point). Anyway, I'm running the scan again and will get back to you later, but I was just going to ask in the meantime (if that's ok): what you think is going on after reading the OTL logs which I've been uploading? Or is nothing decisive yet hence the extra scan by Kaspersky?

jeffce

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #13 on: May 28, 2012, 10:58:11 PM »
Hi,

Well the OTL logs look pretty good but since you are still experiencing the problems I am running the additional scans.  :)

Sprey

  • Guest
Re: Url:Mal pop-ups from seemly sound sources
« Reply #14 on: May 29, 2012, 12:23:11 AM »
Ok here we go... when I saved the automatic scan report (I was using the latest version of the scanner, version 11) it created a 160mb file that notepad and open office both couldn't open without crashing!! anyway, below is the "detected threats" report which is far smaller and sounds like it gives you the information you need.
Code: [Select]
Status: Vulnerability   (events: 6)
28/05/2012 18:10:23 Vulnerability vulnerability http://www.securelist.com/en/advisories/48281 C:\Jack's Stuff\memsitckcopy\memsitck\Jack\Else\FirefoxPortable\App\Firefox\plugins\NPSWF32.dll Low
28/05/2012 18:13:23 Vulnerability vulnerability http://www.securelist.com/en/advisories/48009 C:\Program Files\Java\jre6\bin\java.exe Low
28/05/2012 18:22:30 Vulnerability vulnerability http://www.securelist.com/en/advisories/48009 C:\Program Files (x86)\Java\jre1.6.0_22\bin\java.exe Low
28/05/2012 18:22:38 Vulnerability vulnerability http://www.securelist.com/en/advisories/48009 C:\Program Files (x86)\Java\jre6\bin\java.exe Low
28/05/2012 19:13:40 Vulnerability vulnerability http://www.securelist.com/en/advisories/49086 C:\Windows\SysWOW64\Adobe\Shockwave 11\SwInit.exe Low
28/05/2012 19:24:29 Vulnerability vulnerability http://www.securelist.com/en/advisories/48500 c:\Program Files (x86)\VideoLAN\VLC\vlc.exe Low

EDIT: just a note... I never got an option to delete, disinfect or neutralise these files, but I assume that maybe because these are "vulnerabilities" and not actual cases of malware (?)
« Last Edit: May 29, 2012, 12:39:12 AM by Sprey »