avast 'URL:Mal' pop-up

Kept getting an Avast warning every 4 or 5 minutes re ‘URL:Mal’ for a site I wasn’t even trying to access.

Details: avast! blocked you from visiting an infected webpage
Infection Details
URL: "hxxp://www.socialnewsworld.com/index.php?aff_id
Process: "C:\Program Files\Internet Explorer\IEXPLORER.EXE
Infection: “URL:Mal”

So I’ve tried everything mentioned in topic http://forum.avast.com/index.php?topic=53253.0 and have had no warning since. Just wondered if one of the Malware guys could tell me if I have anything more to worry about, or has the problem been erased and I can rest easy?

Here’s the MBAM report:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.04.02

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
??? :: ??? [limited]

04/04/2012 09:24:00
mbam-log-2012-04-04 (09-24-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 183946
Time elapsed: 17 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 4
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) → Quarantined and deleted successfully.
HKCU\SOFTWARE\Online Add-on (Trojan.Zlob) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE Safety Features (Trojan.Zlob) → Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center (Trojan.Zlob) → Quarantined and deleted successfully.

Registry Values Detected: 4
HKU.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer{02FFAC45-0B10-5633-4296-1801F1A36678} (Trojan.Agent) → Data: → Quarantined and deleted successfully.
HKU.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer|{02FFAC45-0B10-5633-4296-1801F1A36678} (Trojan.Agent) → Data: ऑෲ → Quarantined and deleted successfully.
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer|{02FFAC45-0B10-5633-4296-1801F1A36678} (Trojan.Agent) → Data: ऑෲ → Quarantined and deleted successfully.
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer{02FFAC45-0B10-5633-4296-1801F1A36678} (Trojan.Agent) → Data: → Quarantined and deleted successfully.

Registry Data Items Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) → Bad: (0) Good: (1) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Hijack.Userinit) → Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (Userinit.exe) → Quarantined and repaired successfully.

Folders Detected: 2
C:\WINDOWS\system32\lowsec (Stolen.data) → Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) → Quarantined and deleted successfully.

Files Detected: 3
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) → Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) → Quarantined and deleted successfully.

(end)

Here’s OTL & aswMBR stuff

Thanks in advance. Paul
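An added example, not part of Paul's post and not Malwarebytes' own tooling: a small Python parser for MBAM detection lines in the format of the report above. It turns each `path (family) -> ... -> action` line into a record tagged with its section, lists anything the scanner reported but did not clean, and audits the Winlogon `Userinit` value that a Hijack.Userinit entry reports, returning every executable beyond the expected userinit.exe (on a clean system the value lists only userinit.exe, so a second entry such as the `ntos.exe` in the report above is the thing to investigate). The log excerpt embedded in the block is constructed in the same format rather than copied from the thread's log, and its "No action taken." line is constructed purely to exercise the uncleaned check; it accepts both the " -> " separator MBAM writes and the " → " that pasted logs often show.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# MBAM writes " -> " between fields; logs pasted into forums often show " -> " as " → ".
SEP_RE = re.compile(r"\s(?:->|\u2192)\s")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")

# Constructed sample in the MBAM report format (not the thread's actual log).
SAMPLE_LOG = r"""
Registry Data Items Detected: 2
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (Userinit.exe) -> Quarantined and repaired successfully.

Folders Detected: 1
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Detected: 2
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
"""


@dataclass
class Detection:
    section: str        # e.g. "Files", "Registry Data Items"
    path: str           # file, folder, or registry key/value path
    family: str         # MBAM detection name, e.g. "Hijack.Userinit"
    action: str         # what the scanner did, e.g. "Quarantined and repaired successfully."
    detail: str = ""    # middle fields, e.g. "Bad: (...) Good: (...)" or "Data: ..."
    bad: Optional[str] = None   # value found, when the line carries Bad:/Good:
    good: Optional[str] = None  # value MBAM restored


def parse_mbam_log(text: str) -> List[Detection]:
    """Return one Detection per item line, tagged with the section it sits under."""
    section = ""
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        parts = SEP_RE.split(line)
        if len(parts) < 2:
            continue  # banner, scan settings, "(No malicious items detected)", etc.
        item = ITEM_RE.match(parts[0])
        if not item:
            continue
        detail = " ".join(p.strip() for p in parts[1:-1])
        bad = good = None
        bg = BAD_GOOD_RE.match(detail)
        if bg:
            bad, good = bg.group("bad"), bg.group("good")
        found.append(Detection(section, item.group("path"), item.group("family"),
                               parts[-1].strip(), detail, bad, good))
    return found


def uncleaned(detections: List[Detection]) -> List[Detection]:
    """Items MBAM reported but did not quarantine/repair; these need follow-up."""
    return [d for d in detections if "successfully" not in d.action.lower()]


def audit_userinit(value: str) -> List[str]:
    """Return every entry in a Winlogon Userinit value other than userinit.exe.

    Userinit is a comma-separated list; a clean system lists only userinit.exe,
    so anything else here runs at every logon and deserves a close look.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and ntpath.basename(entry).lower() != "userinit.exe":
            extras.append(entry)
    return extras


def userinit_extras(detections: List[Detection]) -> List[str]:
    """Collect the hijacked Userinit entries across all Hijack.Userinit items."""
    extras: List[str] = []
    for d in detections:
        if d.family == "Hijack.Userinit" and d.bad:
            extras.extend(audit_userinit(d.bad))
    return extras


if __name__ == "__main__":
    items = parse_mbam_log(SAMPLE_LOG)
    for d in items:
        print(f"[{d.section}] {d.family}: {d.path} -> {d.action}")
    print("Not cleaned:", [d.path for d in uncleaned(items)])
    print("Extra Userinit entries:", userinit_extras(items))
```

Feed it a real mbam-log-*.txt via `parse_mbam_log(open(path, encoding="utf-8").read())`; an empty `uncleaned()` list and an empty `userinit_extras()` list are what you want to see before calling a log clean, and any Userinit extra is worth checking by hand even after MBAM reports the value repaired.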

Hi, that is an old variant of malware. I would recommend updating to SP3, as that hole gets blocked.

What problems do you have at the moment?

Warning: this fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-1177238915-152049171-1202660629-1002\..\URLSearchHook: CFBFAE00-17A6-11D0-99CB-00C04FD64497} - No CLSID value found
@Alternate Data Stream - 112 bytes -> C:\WINDOWS\win.ini:frp34d

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Hi essexboy, no real problems apparent at the moment. What I had was this avast ‘URL:Mal’ pop-up for about 3 or 4 days, but doing everything suggested in topic http://forum.avast.com/index.php?topic=53253.0 seems to have killed that dead.

Only minor prob I have had for about 6 weeks is that an MS ‘Security Alert’ keeps popping up now & again when trawling websites, e.g. on Gumtree when I do a search for items I get the alert just before the results page & when I move on or off item descriptions. On ebay it is similar but only when I move on or off item descriptions, not the results page. This alert can be random on other sites as well; some days no show, other days it is constantly popping up. I cannot understand why it should pop up, so I always close it with the red x, never ok it.

Just had big problems trying to follow your latest advice. OTL would not run, just kept hanging. Eventually lost all display except wallpaper & the Windows Task Manager window. Had to reboot & Internet Explorer would not run. Going to the restore point I created after topic=53253.0 seems to have put things back as normal.

Ran OTL, log attached - oh bother, red avast ‘URL:Mal’ pop-up has appeared again after about a day away.

Shall have to wait for your advice essexboy - it’s appreciated

OK, that is Malwarebytes causing the freeze. I am getting tired of that programme.

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

ComboFix coming up with a message that AVG is running. I cannot see what is happening, AVG not used for ages, no icon in systray, no process in WTM, so stuck.

Ignore the warning and continue; we will remove the AVG remnants next.

Hi essexboy, there was no reboot after ComboFix finished. I was expecting it to, but re-reading the advice it doesn’t actually say it would. Log attached.

Anyway, very little testing but puter appears ok, apart from it won’t go to standby (haven’t looked for cause / remedy). No avast ‘URL:Mal’ pop-up yet in 20 minutes.

I would like to do one final check on the MBR.

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

    Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Here’s the MBR log.

Had two pop-ups for that avast ‘URL:Mal’ since last post, otherwise still ok.

You appear to have an MBR for your D drive

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

  • Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

  • If a suspicious object is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

  • Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory (usually the C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents in your next reply.

TDSS log was too large to copy & paste here, so attached instead.

OK, that zapped it… How is the computer behaving now?

Not too bad, some odd things happening but minor & livable. Main thing is no red avast ‘URL:Mal’ pop-ups.

Many thanks for your time & effort essexboy, it’s really appreciated. And I hope I don’t have to bother you again ;D

OK, what are the minor problems?

We may be able to fix them.

Hi,

  1. Computer ‘seems’ slower than before; stuff like webpages & actual emails take longer to open, as if something else I am not aware of is happening. (Bit vague, I know.)

  2. This ‘security alert’ pop-up that I have had for about the last 6 weeks is now appearing more often. As well as on Gumtree & ebay (see post above) it now appears on my IE8 google homepage. It pops up when I am typing into the search box and I close it with the red x, but if my search requires more typing then it can pop up again & again till I hit enter to search.

  3. In Windows Security Centre, the Virus Protection is logging that it has found more than one antivirus program on the computer & one is up to date. I presume this is referring to remnants of AVG, but it doesn’t seem to be a problem.

  4. Sometime in all of this trying to clear the malware, another instance of IE8 appeared on my desktop, not a shortcut but the actual program. I just deleted it as I have it off the start button. Just odd.

I have updated to SP3 (what a nightmare that was) like you suggested & as yet I haven’t had much chance to fully ‘test’ everything but somehow it doesn’t ‘feel’ the same as before. And if you can remedy that I will be truly impressed!

For the security alert, place a tick in “do not show this again”. It is just IE saying that you are using a secure connection, sometimes a tedious and very pointless warning.

Now you have SP3, could you run an OTL quick scan (selecting all users) and I will look at the services and startups, then we will give the computer a little TLC ;D

Hi, attached OTL log.

OK a few questions…

Do you use your computer to watch TV ?

Is the Graphics card overclocked ?

No to watching TV.

Graphics card not overclocked by me.

OK, could you go Start > Run
Type in MSCONFIG

Locate the Startup tab and remove the tick from the following:

XGIWatchDog
S3Trayp
VTTimer
RegServer
ArcSoft Connection Service

Then reboot; if the results are promising we will remove them properly.

Once done we will remove the mega temp files that you now have and then defrag the drive.