Custom scan revealed threats in memory

Hi I hope someone can help me with this.

I was using the internet when avast network shield popped up with a threat detected window and now every 5 minutes it comes up again regarding the same object and threat.

" Malicious URL blocked
avast! Network Shield has blocked a harmful site
Object: http://aurellrp.org/webserver/gate.php
Infection: URL:Mal
Process: C:\Windows\Explorer.EXE "

After that kept coming up I decided to run a scan with Avast. The quick scan found nothing so I started a custom scan which was configured to scan memory. The scan found 28 threats, they are all different processes in memory blocks, all high severity and all stated as Threat: Win32:Zbot-NRC [Trj].
I have attached an image of the scan results

Should I delete them or move them to the virus vault?

How can i deal with the malicious URL problem

Thanks in advance.

Rish

Should I delete them or move them to the virus vault?
not possible, as they are not files. ;)

the “scan memory” setting will give some weird results and should not be used unless you know/understand the result

this is the second most asked problem in this forum
search for detection in memory or memory scan and you find lots of info

I was using the internet when avast network shield popped up with a threat detected window and now every 5 minutes it comes up again regarding the same object and threat.
this may indicate an infection

follow this guide and attach the logs…not copy and paste. http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

when done the removal experts will be notified

Hi Pondus,

Thanks for your advice; as you said, I searched for memory scans and I saw what has been put in other posts. I only selected memory scan and whole file scan as I thought the repeated network shield alert must be coming from something on my computer.

I will go to that guide now and attach the results shortly.

I have run Adw Cleaner and have attached the report, next I will do MBAM.

Thanks

After Adw Cleaner restarted and I started to scan my computer with MBAM, avast network shield popped up again but this time it was different.

Firstly I was getting this message:
" Malicious URL blocked
avast! Network Shield has blocked a harmful site
Object: http://aurellrp.org/webserver/gate.php
Infection: URL:Mal
Process: C:\Windows\Explorer.EXE "

Then I got this message:
" Malicious URL blocked
avast! Network Shield has blocked a harmful site
Object: http://aurellrp.org/webserver/gate.php
Infection: URL:Mal
Process: C:\Users\Rish!!\AppData\Roaming\Iwfei\heqo.exe "

Does this mean that the infection\virus or whatever it is has moved?

Thanks for all your help so far.

Just finished MBAM scan, log attached below.

Thanks
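As an added example (not code from the thread, from Avast or from the cleanup tools named here), a small Python parser that reads repeated Network Shield alerts like the two quoted above and flags the change Rish asked about: the reporting process moving from a system binary to an executable under the user profile, plus a count of how often the same host is contacted. The alert text is constructed from the quotes in the thread; the paths and names are the ones quoted there.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed input: the two alert blocks quoted in the thread, as plain text.
SAMPLE_ALERTS = r"""
Malicious URL blocked
avast! Network Shield has blocked a harmful site
Object: http://aurellrp.org/webserver/gate.php
Infection: URL:Mal
Process: C:\Windows\Explorer.EXE

Malicious URL blocked
avast! Network Shield has blocked a harmful site
Object: http://aurellrp.org/webserver/gate.php
Infection: URL:Mal
Process: C:\Users\Rish!!\AppData\Roaming\Iwfei\heqo.exe
"""

FIELD_RE = re.compile(r"^(Object|Infection|Process):\s*(.+?)\s*$", re.MULTILINE)
# Locations writable without admin rights. A process running from here that
# talks to a blocked URL points at a dropped executable, not a browser quirk.
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local|LocalLow)\\|\\Temp\\", re.IGNORECASE)


def parse_alerts(text):
    """Split alert text on blank lines; return one dict per complete alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD_RE.findall(block))
        if "Object" in fields and "Process" in fields:
            alerts.append(fields)
    return alerts


def user_profile_processes(alerts):
    """Processes that triggered an alert from a user-writable directory."""
    return sorted({a["Process"] for a in alerts if USER_WRITABLE_RE.search(a["Process"])})


def contacted_hosts(alerts):
    """Alerts per destination host; the same host every few minutes looks like beaconing."""
    return Counter(urlsplit(a["Object"]).hostname for a in alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(contacted_hosts(parsed))
    print(user_profile_processes(parsed))
```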

Hi Pondus,

Just finished the OTL scan, but only one notepad window opened, which I saved as OTL; there was no second notepad window "extras.txt"?? If something has gone wrong please let me know.

However, in the meantime here is the result please see attachment. Btw I am still getting the Malicious URL alert from avast.

Thanks

Finished the aswMBR scan, log attached. Also a video cd.dat file named MBR was created by the program when the scan finished, but I can't change the file extension or attach the file to this post. Can anyone help with that??

I hope someone can help me. Just as an update I am still getting the malicious URL pop up from avast.

Thanks to everyone who has viewed this post and I hope there is a fix for my problem.

Rish

The dat file is a raw read of the MBR; at the moment I do not need that, so you can delete it.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon -- (CLTNetCnService)
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-2120591977-3353888384-1951892941-1000\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - No CLSID value found
IE - HKU\S-1-5-21-2120591977-3353888384-1951892941-1000\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-21-2120591977-3353888384-1951892941-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc;version=8.6.5: C:\Program Files\Tripleplay\TPPlugins\npvlc.dll File not found
O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\System32\ActiveToolBand.dll (HiTRUST)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKU\S-1-5-21-2120591977-3353888384-1951892941-1000..\Run: [Yhugtaebh] C:\Users\Rish!!\AppData\Roaming\Iwfei\heqo.exe ()
[2013/02/21 00:56:08 | 000,000,000 | ---D | C] -- C:\Users\Rish!!\AppData\Roaming\Ygkoi
[2013/02/21 00:56:08 | 000,000,000 | ---D | C] -- C:\Users\Rish!!\AppData\Roaming\Iwfei
[2013/02/21 00:56:08 | 000,000,000 | ---D | C] -- C:\Users\Rish!!\AppData\Roaming\Cuhe
[2011/05/31 19:19:12 | 000,010,876 | -HS- | C] () -- C:\Users\Rish!!\AppData\Local\37p0uy7hhp55hsb5e8b8j628bll7jy
[2011/05/31 19:19:12 | 000,010,876 | -HS- | C] () -- C:\ProgramData\37p0uy7hhp55hsb5e8b8j628bll7jy

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Let me know if this stops the alerts

Hi Essexboy,

I tried to run the custom fix in OTL, after initializing it was killing processes, a blue screen appeared :-[ saying it had detected a problem and shutdown, then my system was rebooted. I don’t think OTL had enough time to complete the custom fix before that happened. When my system restarted there are now a few files and icons on my desktop which are visible but appear transparent which I believe are hidden files. I have attached a screen shot of those.

I still completed another scan with OTL just in case it had managed to finish before the crash, results are attached as well.

Also this did not stop the Malicious URL notification.

Thank you for your help hope there is something I can try now.

Rishi

Let's try one more time with a slightly different fix.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKU\S-1-5-21-2120591977-3353888384-1951892941-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O4 - HKU\S-1-5-21-2120591977-3353888384-1951892941-1000..\Run: [Yhugtaebh] C:\Users\Rish!!\AppData\Roaming\Iwfei\heqo.exe ()
O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
[2013/02/21 00:56:08 | 000,000,000 | ---D | C] -- C:\Users\Rish!!\AppData\Roaming\Ygkoi
[2013/02/21 00:56:08 | 000,000,000 | ---D | C] -- C:\Users\Rish!!\AppData\Roaming\Iwfei
[2013/02/21 00:56:08 | 000,000,000 | ---D | C] -- C:\Users\Rish!!\AppData\Roaming\Cuhe
[2011/05/31 19:19:12 | 000,010,876 | -HS- | C] () -- C:\Users\Rish!!\AppData\Local\37p0uy7hhp55hsb5e8b8j628bll7jy
[2011/05/31 19:19:12 | 000,010,876 | -HS- | C] () -- C:\ProgramData\37p0uy7hhp55hsb5e8b8j628bll7jy

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Just completed the fix and the scan, the fix seemed to work and I have attached the log of that after my system rebooted. As the fix was working I did see that a file was transferred to the virus vault so should I delete that now?

The quick scan has just finished so I’ll attach the log as well.

Thanks for all your help. ;D

Rish

How is the computer behaving now? You can clear the vault.

Umm so far everything is behaving like it should although I did notice in the log after the fix was complete something a bit weird:
“File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.” - is this file part of avast??

So far not a single Malicious URL blocked :slight_smile:

I do have some questions if you have the time.

  1. In the first OTL log that I attached there are some strange websites under this section C:\Windows\System32\drivers\etc\hosts what are hosts?

  2. All my problems started I think when Firefox did not block a pop up window even though my settings are configured to do so. Is there a plug in or add-on I can get to stop this happening again in the future?

  3. I remember reading somewhere on a anti virus website that a lot of infections use java to penetrate your system so bearing that in mind I don’t think my java has been updated for ages should I update it?

  4. I use Avast Free, MBAM free(to be honest I wasn’t using it regularly) and Spybot search and destroy and Windows Firewall turned on, are there any products that you would recommend to use in addition or to replace the ones I have been using?

Finally I have to say a massive thank you to you and everyone else that has helped me. It's great to have my computer working again :o.

Rish

O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
These are entered either by Spybot or the MVPS hosts file. However, if you update to IE9 they are no longer required http://www.microsoft.com/en-us/download/details.aspx?id=16792 especially with webshield. It is basically a block on entering those sites.
"File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot." - is this file part of avast??
yes it is an Avast temporary file

For Firefox you can use Adblock https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/

I remember reading somewhere on a anti virus website that a lot of infections use java to penetrate your system so bearing that in mind I don't think my java has been updated for ages should I update it?
Unless you really need Java then uninstall it
I use Avast Free, MBAM free(to be honest I wasn't using it regularly) and Spybot search and destroy and Windows Firewall turned on, are there any products that you would recommend to use in addition or to replace the ones I have been using?
Spybot is a bit of an overkill with the Avast/MBAM combo

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected Keep safe :wave:

OK, you quoted those hosts, but what about the ones that have weird names such as 100sexlinks.com? (Where did this come from? I doubt this is something Spybot or MVPS use.)

Do you use IE9 instead of firefox? and is it better?

I know this sounds a bit silly but isn’t java needed to watch videos and play games on computers?

This probably makes me silly :wink:, but a friend of mine who I knew years ago, who was a programmer, told me not to use Microsoft update as he says they just put things to spy on your computer. So I haven't used the update feature for years; should I?

One thing that would be interesting to know is your computer spec and protection as I have seen others post that information just to see if people like me are more vulnerable because of software and hardware or other factors??

Thanks for all your help Essex boy I hope in 24 hours I don’t have to come back. :slight_smile:

Ohhh I almost forgot I was looking in my virus vault and saw this:
Name: ADMIN_CLASS_LIB.dll
Original Location: C:\Windows\System32
Last changed: 13/04/2007 00:40:22
Transfer time: 28/05/2012 02:23:24
Virus: Win32:Trojan-gen

Is this actually a virus???

I know this sounds a bit silly but isn't java needed to watch videos and play games on computers?

https://www.google.no/search?q=whatdo+i+need+java+for&ie=UTF-8&oe=UTF-8&hl=nb&client=safari#hl=no&client=safari&spell=1&q=what+do+i+need+java+for&sa=X&ei=FoUnUem9Osfl4QTAkYGABg&ved=0CC0QvwUoAA&bav=on.2,or.r_gc.r_pw.&bvm=bv.42768644,d.bGE&fp=79d646a3be93e695&biw=1024&bih=672

Thanks Pondus.

a friend of mine who I knew years ago, was a programmer told me not to use Microsoft update as he says they just put things to spy on your computer.
He is talking through the back of his head... Updates are vital for windows as they will close security holes .. So turn it on
One thing that would be interesting to know is your computer spec and protection
I have one computer running XP, 7 and 8 (different partitions) And I use Avast Internet Security and .......... Common sense, that's it I also have IE10 as I feel IE from 9 onwards is more secure than any other browser

I do not have Java on my system and never have