Constant "Malicious URL Blocked" warnings...

Hello, I’ve never posted here before, so I apologize if I’m not familiar with your protocol with dealing with problems! I’ve had an issue the past several days where a few times every hour Avast will inform me that a Malicious URL is being blocked.

http://img221.imageshack.us/img221/3918/mal1x.jpg

http://img204.imageshack.us/img204/4682/mal2w.jpg

I’ve run several scans with Malwarebytes and every time it turns up results for malware, which I then remove. Here’s the latest log from the last scan I did:

Malwarebytes’ Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6923

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19088

6/22/2011 11:45:36 PM
mbam-log-2011-06-22 (23-45-36).txt

Scan type: Full scan (C:|)
Objects scanned: 244415
Time elapsed: 57 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\config\systemprofile\AppData\Roaming\020000007f2599ae1270c.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\020000007f2599ae1270o.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\020000007f2599ae1270p.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\020000007f2599ae1270s.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\Windows\System32\020000007f2599ae1270c.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\Windows\System32\020000007f2599ae1270o.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\Windows\System32\020000007f2599ae1270p.manifest (Malware.Trace) → Quarantined and deleted successfully.
c:\Windows\System32\020000007f2599ae1270s.manifest (Malware.Trace) → Quarantined and deleted successfully.

In a further attempt to rid myself of this problem, I did a system restore to a couple of days before (I believe) these problems occurred, ran CCleaner, and it still persists.

I did a full system scan with Avast and got this, also:
http://img823.imageshack.us/img823/8558/avastnote.jpg

Although I had to cancel the scan in favor of doing it tomorrow, I’ll post those results then. Thanks for any help, and if there’s further information about my problem that I failed to provide, please let me know.

The processes in your first two images are highly suspect and avast is blocking them from accessing malicious sites; your firewall should also be involved here. What is your firewall?

The third image again is at the very least highly suspect and I would advise following the recommended action in this case, Deletion. Generally I don’t recommend deletion as a first action, but this is quite clear.

Try and find the two files in the first images and send them to the avast chest and then to the virus labs for analysis as they are most certainly malicious and undetected in that regard, but avast is at least blocking their downloading more malware.

Given MBAM has also found other traces of malware, I would suggest that you run a specific MBR rootkit scan (see #### below), as something could well be hiding other elements; as in the third image, you already appear to have a rootkit running, which could already be masking malware. So you need to allow avast to delete that the next time it appears, or run a Full System Scan, which also does a rootkit scan as part of that.

You can check if you have an MBR rootkit using this tool:

Hello, thank you for your quick reply! To answer your first question, the firewall I’m running is Windows Firewall. And when I was prompted to delete that RootKit file, I did so before canceling the scan, which I will run shortly after the scan you suggested completes (the results of which I will post below.)

Secondly, to clarify, do you want me to find the .exe file listed in the first two images, or go through the sub-folders in my System32 folder until I find the objects that are listed? And how do I specifically send those files to the Avast chest for specific analysis?

Here are the results for my RootKit scan:

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-23 14:50:18

14:50:18.284 OS Version: Windows 6.0.6002 Service Pack 2
14:50:18.284 Number of processors: 2 586 0x6801
14:50:18.284 ComputerName: MABT UserName:
14:50:26.396 Initialize success
14:50:27.036 AVAST engine defs: 11062300
14:51:27.813 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
14:51:27.813 Disk 0 Vendor: Hitachi_HTS725025A9A364 PC2OC70E Size: 238475MB BusType: 3
14:51:29.857 Disk 0 MBR read successfully
14:51:29.857 Disk 0 MBR scan
14:51:29.873 Disk 0 Windows XP default MBR code
14:51:31.901 Disk 0 scanning sectors +488392065
14:51:31.932 Disk 0 scanning C:\Windows\system32\drivers
14:51:44.349 Service scanning
14:51:45.925 Disk 0 trace - called modules:
14:51:45.941 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
14:51:45.941 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85dc9530]
14:51:45.941 3 CLASSPNP.SYS[837a88b3] → nt!IofCallDriver → [0x8565dc10]
14:51:45.941 5 acpi.sys[806136bc] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x848bcb98]
14:51:47.033 AVAST engine scan C:\Windows
15:00:46.341 File: C:\Windows\System32\clbcatq32.exe INFECTED Win32:Downloader-HXD [Trj]
16:36:07.202 AVAST engine scan C:\Users\Keith
16:50:53.962 AVAST engine scan C:\ProgramData
16:55:33.986 Scan finished successfully
17:22:33.798 Disk 0 MBR has been saved successfully to “C:\Users\Keith\Desktop\MBR.dat”
17:22:33.810 The log file has been saved successfully to “C:\Users\Keith\Desktop\aswMBR.txt”
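The helper below acts on the single INFECTED line in the aswMBR log above. As an added example (not from the thread and not AVAST's code), a small Python parser that pulls the detection lines and the MBR-code status out of an aswMBR-style log so the same triage can be done mechanically; the sample log lines, the path example32.exe and the signature name are constructed, and the regexes assume the line layout shown in the post.

```python
import re
# Constructed sample in the aswMBR log layout quoted in the thread; the
# timestamps, path and signature name are invented for this example.
SAMPLE_ASWMBR_LOG = """\
14:51:29.857 Disk 0 MBR read successfully
14:51:29.873 Disk 0 Windows XP default MBR code
14:51:31.932 Disk 0 scanning C:\\Windows\\system32\\drivers
15:00:46.341 File: C:\\Windows\\System32\\example32.exe INFECTED Win32:Example-ABC [Trj]
16:55:33.986 Scan finished successfully
"""

# "HH:MM:SS.mmm File: <path> INFECTED <signature> [<kind>]"; kind is optional
DETECTION_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) File: (?P<path>.+?) "
    r"INFECTED (?P<sig>\S+)(?: \[(?P<kind>\w+)\])?$"
)
# "<time> Disk <n> <description> MBR code", e.g. "Windows XP default MBR code"
MBR_RE = re.compile(r"^\S+ Disk (?P<disk>\d+) (?P<desc>.+ MBR code)$")


def parse_aswmbr(text):
    """Return (detections, mbr_code_by_disk, scan_finished) for one log.
    Each detection is a dict with time, path, signature and kind ("Trj" for
    a trojan in the thread's log, "" when the bracketed kind is absent)."""
    detections, mbr_code, finished = [], {}, False
    for line in text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"time": m["time"], "path": m["path"],
                               "signature": m["sig"], "kind": m["kind"] or ""})
            continue
        m = MBR_RE.match(line)
        if m:
            mbr_code[int(m["disk"])] = m["desc"]
        elif line.endswith("Scan finished successfully"):
            finished = True
    return detections, mbr_code, finished


def triage(text):
    """Summarise what a helper would act on. Assumption: aswMBR reports a
    stock boot sector as '... default MBR code', so anything else is flagged."""
    detections, mbr_code, finished = parse_aswmbr(text)
    mbr_standard = bool(mbr_code) and all(
        "default MBR code" in desc for desc in mbr_code.values())
    return {
        "complete": finished,
        "mbr_standard": mbr_standard,
        "quarantine": [d["path"] for d in detections],
        "trojans": [d["signature"] for d in detections if d["kind"] == "Trj"],
    }
```

Feed it the saved aswMBR.txt from the desktop and the "quarantine" list is what to send to the chest; an empty "trojans" list with "mbr_standard" False would instead point back at the MBR rootkit check.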

Try scheduling an avast Boot-time scan from the avastUI, Scan Computer, Boot-Time scan, Settings; hopefully that will get rid of the C:\Windows\System32\clbcatq32.exe INFECTED Win32:Downloader-HXD [Trj].

When you schedule the boot-time scan, to speed things up don’t scan archives or PUPs; I can’t recall if they are off by default or not. Personally I prefer to leave it at Ask, so when a detection is made you choose what to do, move to chest being the recommended choice (first do no harm). Once you have chosen your settings click OK and then click Schedule now; it should ask to reboot.

It is that file, a trojan downloader, that is trying to access those sites. Hopefully its removal will resolve your problem.

The scan I ran turned up these results:
http://img171.imageshack.us/img171/6708/unledsr.jpg

The bootscan, however, turned up 0 threats (I unchecked both archives and pups.) I checked, and the process clbcatq32.exe is still there.

JAVA Exploits are normally associated with old versions of JAVA and it is important to keep it up to date. I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

I can’t understand why aswMBR, if it can detect it, can’t have avast move it to the chest; after all, it is using the avast scanner. Otherwise the term standalone cleaning tool is somewhat misleading. Perhaps this needs modifying, as it probably only relates to MBR detections of the previous versions.

OK my QuickScan finished in a little under 15 minutes.

Try right clicking on the clbcatq32.exe file and see if the right click scan can detect this aswQuick.exe (this is scanning one file) and shouldn’t take 4 hours ;D

If no joy, update MBAM and run another scan, if that doesn’t find anything you could try the More Tools and select File Assassin, Run Tool button and navigate to the clbcatq32.exe file location and see if we can’t get rid of it that way.

Aha! There we go, I moved the file successfully to the Avast chest by right-clicking it and scanning it. Do I need to go through with fully removing it through the Avast chest, or should this pretty much take care of it?

No, for the time being (a few weeks) leave it there where it can do no harm, and scan it again in the chest; if still infected, delete.

This should hopefully bring an end to the Malicious URL alerts, monitor your system for any other symptoms.

Have you had any recurrence of the Rootkit Found alert, image 3 in your first post (or did you have avast delete it as suggested)?

Nope, I confirmed its deletion when I was first prompted, and ever since then (several Avast scans later), it hasn’t found anything like that.

So for the next couple of weeks I should probably run routine scans to make sure nothing fishy is going on, and periodically scan the .exe file to see if it’s still infected? Do I restore it if it no longer detects a threat or something during that time period?

You can. It would be safer to extract the file and submit it to www.virustotal.com.
If clean, then you can restore.

Avast just told me it blocked another URL with the file in the chest. Does that mean there’s still another on my computer that I still need to quarantine, or is it possible it’s still doing this even when in the Avast chest?

Just monitor the system for anything untoward, like avast detections and get back on the forums if required.

I rather doubt that after a period of time this file is no longer going to be detected; there really was too much going on with it for that to have been a false positive detection. But that would be the procedure: if after a few weeks it is no longer detected, then the original detection was likely to have been an FP, so you could restore it.

The reason for saying to follow this procedure even in such an obviously malicious file is to get into a routine of first do no harm (don’t delete, unless specifically instructed to by someone you have confidence in), send it to the chest and investigate.

We need the details of the detection; without that we are just guessing. It is possible there is still something undetected or hidden recreating the file, but we need the information.

I will leave you with another tool to run before I call it a night, 2:15am here.

I will try to pick up again tomorrow or another forum member may be able to do so.

I’m sorry, the alert was the 2nd image in my original post. I’ve only had those two alerts, as far as I can recall, popping up.

I’ll give this new method a try now. Thanks so much for all your help, you’ve been most helpful. I’m sorry it’s such a stubborn bug.

Yes, but was it the same file name responsible for the connection attempt?

The Vista firewall has outbound protection disabled by default, and that should play a part in blocking unauthorised outbound connections (which this would be). Unfortunately the Vista firewall isn’t very friendly, so I would suggest a 3rd party firewall with outbound protection.

It’s been more than a day and I haven’t gotten a URL warning, and I’ve run scans tonight and they have found zero threats, so I think the problem is now resolved. Thank you so much for all of your help and time! Take care. ;D

You’re welcome.